Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10/01/2025, 04:18
Behavioral task
behavioral1
Sample
8f45f8be860052d275855c87e90c576adb32c197e1154e1abd061b3ba7d75cd8.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
8f45f8be860052d275855c87e90c576adb32c197e1154e1abd061b3ba7d75cd8.exe
Resource
win10v2004-20241007-en
General
-
Target
8f45f8be860052d275855c87e90c576adb32c197e1154e1abd061b3ba7d75cd8.exe
-
Size
130KB
-
MD5
ac061b70f93d1a501b40c2b3510e91ce
-
SHA1
5b9cd55e2eeb7646d0038a59b947a82f64ac5380
-
SHA256
8f45f8be860052d275855c87e90c576adb32c197e1154e1abd061b3ba7d75cd8
-
SHA512
536e7edeb04c57bd401a9869a925db36be4315acde8fd449668c170f23d1f0bdeba08ead82618cfbef4b21a02ca04ce75938490294a72eb34d58af980762c528
-
SSDEEP
1536:eH1ZaQvR1KiX3NK6I+hZhYrt/w5Q6G6IpiRYzz9qJHhhnm0yG5aP/5UROXTmZ5:SKQJcinxphkG5Q6GdpIOkJHhKRyOXKX
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
ModiLoader Second Stage 6 IoCs
resource yara_rule behavioral2/memory/2780-53-0x0000000000400000-0x0000000000411000-memory.dmp modiloader_stage2 behavioral2/memory/2780-56-0x0000000000400000-0x0000000000411000-memory.dmp modiloader_stage2 behavioral2/memory/2780-49-0x0000000000400000-0x0000000000411000-memory.dmp modiloader_stage2 behavioral2/memory/2780-61-0x0000000000400000-0x0000000000411000-memory.dmp modiloader_stage2 behavioral2/memory/2780-59-0x0000000000400000-0x0000000000411000-memory.dmp modiloader_stage2 behavioral2/memory/2780-67-0x0000000000400000-0x0000000000411000-memory.dmp modiloader_stage2 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation 8f45f8be860052d275855c87e90c576adb32c197e1154e1abd061b3ba7d75cd8.exe -
Executes dropped EXE 3 IoCs
pid Process 2156 Flaseher.exe 1156 Flaseher.exe 2780 Flaseher.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\.Flasfh = "C:\\Users\\Admin\\AppData\\Roaming\\..Flash\\Flaseher.exe" reg.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 4508 set thread context of 3648 4508 8f45f8be860052d275855c87e90c576adb32c197e1154e1abd061b3ba7d75cd8.exe 83 PID 2156 set thread context of 1156 2156 Flaseher.exe 103 PID 2156 set thread context of 2780 2156 Flaseher.exe 104 -
resource yara_rule behavioral2/memory/4508-0-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/4508-6-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/3648-10-0x0000000000400000-0x000000000040B000-memory.dmp upx behavioral2/memory/3648-13-0x0000000000400000-0x000000000040B000-memory.dmp upx behavioral2/memory/3648-15-0x0000000000400000-0x000000000040B000-memory.dmp upx behavioral2/memory/4508-17-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/files/0x0008000000023c8a-32.dat upx behavioral2/memory/2156-39-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/3648-44-0x0000000000400000-0x000000000040B000-memory.dmp upx behavioral2/memory/2156-43-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/2156-45-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/2156-46-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/2156-60-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/3648-64-0x0000000000400000-0x000000000040B000-memory.dmp upx behavioral2/memory/1156-65-0x0000000000400000-0x000000000040B000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flaseher.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flaseher.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flaseher.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8f45f8be860052d275855c87e90c576adb32c197e1154e1abd061b3ba7d75cd8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8f45f8be860052d275855c87e90c576adb32c197e1154e1abd061b3ba7d75cd8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe Token: SeDebugPrivilege 1156 Flaseher.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 4508 8f45f8be860052d275855c87e90c576adb32c197e1154e1abd061b3ba7d75cd8.exe 3648 8f45f8be860052d275855c87e90c576adb32c197e1154e1abd061b3ba7d75cd8.exe 2156 Flaseher.exe 1156 Flaseher.exe -
Suspicious use of WriteProcessMemory 38 IoCs
description pid Process procid_target PID 4508 wrote to memory of 3648 4508 8f45f8be860052d275855c87e90c576adb32c197e1154e1abd061b3ba7d75cd8.exe 83 PID 4508 wrote to memory of 3648 4508 8f45f8be860052d275855c87e90c576adb32c197e1154e1abd061b3ba7d75cd8.exe 83 PID 4508 wrote to memory of 3648 4508 8f45f8be860052d275855c87e90c576adb32c197e1154e1abd061b3ba7d75cd8.exe 83 PID 4508 wrote to memory of 3648 4508 8f45f8be860052d275855c87e90c576adb32c197e1154e1abd061b3ba7d75cd8.exe 83 PID 4508 wrote to memory of 3648 4508 8f45f8be860052d275855c87e90c576adb32c197e1154e1abd061b3ba7d75cd8.exe 83 PID 4508 wrote to memory of 3648 4508 8f45f8be860052d275855c87e90c576adb32c197e1154e1abd061b3ba7d75cd8.exe 83 PID 4508 wrote to memory of 3648 4508 8f45f8be860052d275855c87e90c576adb32c197e1154e1abd061b3ba7d75cd8.exe 83 PID 4508 wrote to memory of 3648 4508 8f45f8be860052d275855c87e90c576adb32c197e1154e1abd061b3ba7d75cd8.exe 83 PID 3648 wrote to memory of 2316 3648 8f45f8be860052d275855c87e90c576adb32c197e1154e1abd061b3ba7d75cd8.exe 91 PID 3648 wrote to memory of 2316 3648 8f45f8be860052d275855c87e90c576adb32c197e1154e1abd061b3ba7d75cd8.exe 91 PID 3648 wrote to memory of 2316 3648 8f45f8be860052d275855c87e90c576adb32c197e1154e1abd061b3ba7d75cd8.exe 91 PID 2316 wrote to memory of 1796 2316 cmd.exe 95 PID 2316 wrote to memory of 1796 2316 cmd.exe 95 PID 2316 wrote to memory of 1796 2316 cmd.exe 95 PID 3648 wrote to memory of 2156 3648 8f45f8be860052d275855c87e90c576adb32c197e1154e1abd061b3ba7d75cd8.exe 96 PID 3648 wrote to memory of 2156 3648 8f45f8be860052d275855c87e90c576adb32c197e1154e1abd061b3ba7d75cd8.exe 96 PID 3648 wrote to memory of 2156 3648 8f45f8be860052d275855c87e90c576adb32c197e1154e1abd061b3ba7d75cd8.exe 96 PID 2156 wrote to memory of 1156 2156 Flaseher.exe 103 PID 2156 wrote to memory of 1156 2156 Flaseher.exe 103 PID 2156 wrote to memory of 1156 2156 Flaseher.exe 103 PID 2156 wrote to memory of 1156 2156 Flaseher.exe 103 PID 2156 wrote to memory of 1156 2156 Flaseher.exe 103 PID 2156 wrote to memory of 1156 2156 Flaseher.exe 103 PID 2156 wrote to memory of 1156 2156 Flaseher.exe 103 PID 2156 wrote to memory of 1156 2156 Flaseher.exe 103 PID 2156 wrote to memory of 2780 2156 Flaseher.exe 104 PID 2156 wrote to memory of 2780 2156 Flaseher.exe 104 PID 2156 wrote to memory of 2780 2156 Flaseher.exe 104 PID 2156 wrote to memory of 2780 2156 Flaseher.exe 104 PID 2156 wrote to memory of 2780 2156 Flaseher.exe 104 PID 2156 wrote to memory of 2780 2156 Flaseher.exe 104 PID 2156 wrote to memory of 2780 2156 Flaseher.exe 104 PID 2156 wrote to memory of 2780 2156 Flaseher.exe 104 PID 2156 wrote to memory of 2780 2156 Flaseher.exe 104 PID 2156 wrote to memory of 2780 2156 Flaseher.exe 104 PID 2156 wrote to memory of 2780 2156 Flaseher.exe 104 PID 2156 wrote to memory of 2780 2156 Flaseher.exe 104 PID 2156 wrote to memory of 2780 2156 Flaseher.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\8f45f8be860052d275855c87e90c576adb32c197e1154e1abd061b3ba7d75cd8.exe"C:\Users\Admin\AppData\Local\Temp\8f45f8be860052d275855c87e90c576adb32c197e1154e1abd061b3ba7d75cd8.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4508 -
C:\Users\Admin\AppData\Local\Temp\8f45f8be860052d275855c87e90c576adb32c197e1154e1abd061b3ba7d75cd8.exe"C:\Users\Admin\AppData\Local\Temp\8f45f8be860052d275855c87e90c576adb32c197e1154e1abd061b3ba7d75cd8.exe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3648 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MJJVR.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v ".Flasfh" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe" /f4⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1796
-
-
-
C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe"C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe"C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1156
-
-
C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe"C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2780
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
145B
MD5da0cbe87b720a79b294147ed6a4b98be
SHA1ebf0dc9efd7a12cb192e355cda87546acb4ab360
SHA2567ccfeff356fdccc9145bd1e263aa1c56360ca7b6552ed5a5665c596d02a627ed
SHA512f55c4a3d24d2f11db5eda3c816d1cd3b8804a171a7bf715b13d60788247fbb352eafaa5bd4e0a8086c1013396be0a48c7bdb904ab0f974fa0c75e81e3d365acc
-
Filesize
130KB
MD5af0c79be91c88aee8083ec56d137f1f0
SHA1e26b929901448a784c370b3897c019e3f1894c5f
SHA2561f66911127f0d43ad62c6a0422b28b5e016dc1864b183f292e813d9605094a98
SHA512c88fe937719afeb8cc72806c5e62ed3169604034c5f0ee7ea8770a1727542b04672603728d82ad406e5c87620d54eec8820b30e44f398e2e0601a8ecc5783293