Analysis
- max time kernel: 92s
- max time network: 133s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/10/2022, 00:59
Static task: static1
Behavioral task: behavioral1
- Sample: e396b9137910ec6714f47fc834f65f1cc60b5d778c75f7aedf3c457555c285a7.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: e396b9137910ec6714f47fc834f65f1cc60b5d778c75f7aedf3c457555c285a7.exe
- Resource: win10v2004-20220812-en
General
- Target: e396b9137910ec6714f47fc834f65f1cc60b5d778c75f7aedf3c457555c285a7.exe
- Size: 320KB
- MD5: a215b4c13d637d8e3432e012101bedc0
- SHA1: 0bee171a83448ef6a7d98320dc89aa76b0f9cc49
- SHA256: e396b9137910ec6714f47fc834f65f1cc60b5d778c75f7aedf3c457555c285a7
- SHA512: 132801e15cd9c4aa71510bf67c24705fd2c56b8b1d9a9eb1e8989a6e9f248af0e2c2a60c20f87e88233fff0181e48c8da8e3ba95d96bd63bd7f9b46ee259bec4
- SSDEEP: 3072:lnYiFXctfZoPWML/9qB/MWXPw1/6leXpz8xvQCKljTsuZfu:lYiFXOjg9qVvPBleXN8mVwuZ2
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 1172, process gwqcqk.exe
- Runs ping.exe (1 TTP, 1 IoC)
  pid 1164, process PING.EXE
- Suspicious use of WriteProcessMemory (9 IoCs)
  description / pid / process / target pid:
  PID 1884 wrote to memory of 2076 / 1884 / e396b9137910ec6714f47fc834f65f1cc60b5d778c75f7aedf3c457555c285a7.exe / 82
  PID 1884 wrote to memory of 2076 / 1884 / e396b9137910ec6714f47fc834f65f1cc60b5d778c75f7aedf3c457555c285a7.exe / 82
  PID 1884 wrote to memory of 2076 / 1884 / e396b9137910ec6714f47fc834f65f1cc60b5d778c75f7aedf3c457555c285a7.exe / 82
  PID 2076 wrote to memory of 1172 / 2076 / cmd.exe / 84
  PID 2076 wrote to memory of 1172 / 2076 / cmd.exe / 84
  PID 2076 wrote to memory of 1172 / 2076 / cmd.exe / 84
  PID 2076 wrote to memory of 1164 / 2076 / cmd.exe / 85
  PID 2076 wrote to memory of 1164 / 2076 / cmd.exe / 85
  PID 2076 wrote to memory of 1164 / 2076 / cmd.exe / 85
Processes (process tree; depth shown by indentation)
1. C:\Users\Admin\AppData\Local\Temp\e396b9137910ec6714f47fc834f65f1cc60b5d778c75f7aedf3c457555c285a7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e396b9137910ec6714f47fc834f65f1cc60b5d778c75f7aedf3c457555c285a7.exe"
   PID: 1884
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kqsxswv.bat
      PID: 2076
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\gwqcqk.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\gwqcqk.exe"
         PID: 1172
         - Executes dropped EXE
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 1164
         - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 184KB
  MD5: e5b01c0029ebf74370940c554802236d
  SHA1: 93ba1545cf6b859fbf060af3561a3961bd5f9771
  SHA256: 66f3123d7cf8382a7ce1fb66b0e1e964a24ea7830ec76cbb0c44856bdaef0588
  SHA512: 07648e4d7860f0ee4fc4697632e99511cb18da086b5502b9f4ef578e329ddd7ec31e026ac4887ee955393394bdbbfed3a92b37abe30a963486da4f61fb79ece6
- Filesize: 124B
  MD5: 56aec60e4b97c78644e8bd95234834d0
  SHA1: 6a72e83de2a48f631482a1edb0388a4cfa8090f7
  SHA256: 0d0640c0f42fdad0b5142628c80c55fb7d752da94ca907a80e730f7d29fedfab
  SHA512: f7acc308a3409455f0ef75b111b35e598e29e1c4cc4581b7ce42d918fe3440f8802864fb3ffb079a5a4e5f758fc6b772418b783931a278f360d6f0063a0fff8a
- Filesize: 188B
  MD5: 4c522216c19ca26a6cac042b763a674f
  SHA1: 163d2a358d6cc0bfc5b7649a11d2210a8dc900fa
  SHA256: 3a3932e05133daa24232943f8e273ea064422d95cebb4189ad76849490a6df73
  SHA512: 901169c1b9c59b6720537f2dce8cb82e614cc6be99591f5c4928ce1b8222c3915842dc0f96798ad834b21bdab2f7e58bcca2bc9aee0fac8440c8c2f55515272e