Analysis
max time kernel: 156s
max time network: 182s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/12/2023, 08:00
Static task: static1
Behavioral task: behavioral1
  Sample: 5e0eaae7723b74b3fbc213878f5da4b5.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 5e0eaae7723b74b3fbc213878f5da4b5.exe
  Resource: win10v2004-20231215-en
General
Target: 5e0eaae7723b74b3fbc213878f5da4b5.exe
Size: 463KB
MD5: 5e0eaae7723b74b3fbc213878f5da4b5
SHA1: 0493a08c2489e2018a592b77a482de7e53f2c6ea
SHA256: 853371e54bfc9a5f2cfc14648ec870d1f80f2a44dd71577f9c6e028ef0143366
SHA512: 92d73c0cb832615707d75abd89bbc44493eeff74b24830a151c4c6065b34fab8db946676b4006b044fcd0764d65f2d906ea674234eb71d35c6b02fa0d920fc66
SSDEEP: 6144:E1GWAE41OQpfx1hhS77EV8mIQxlbIfQ9c8q/NKZ4kJoPo/bSyB:EYSohhS7Y8mZIfQ/ow/bF
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  PID   Process
  1308  a.exe
  2448  QQ.EXE

Adds Run key to start application (2 TTPs, 3 IoCs)
  Description | IoC | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 5e0eaae7723b74b3fbc213878f5da4b5.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QQ2012 = "C:\\WINDOWS\\QQ.exe" | a.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QQ = "C:\\WINDOWS\\QQ.exe" | a.exe
  Note: the RunOnce value wextract_cleanup0 (rundll32 advpack.dll,DelNodeRunDLL32 on the IXP000.TMP directory) is the standard WEXTRACT/IExpress self-extractor cleanup entry, which deletes the extraction directory at next logon; it shows the submitted file is an IExpress bundle rather than being the malware's own persistence. The persistence proper is the two Run values written by the dropped a.exe, one machine-wide (under WOW6432Node, so written from a 32-bit process on the x64 image) and one in the user's hive, both pointing at the dropped C:\WINDOWS\QQ.exe.

Drops file in Windows directory (2 IoCs)
  Description | IoC | Process
  File opened for modification | C:\WINDOWS\QQ.exe | a.exe
  File created | C:\WINDOWS\QQ.exe | a.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  PID   Process
  1308  a.exe
  1308  a.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  Description | PID | Process | procid_target
  PID 2388 wrote to memory of 1308 | 2388 | 5e0eaae7723b74b3fbc213878f5da4b5.exe | 91
  PID 2388 wrote to memory of 1308 | 2388 | 5e0eaae7723b74b3fbc213878f5da4b5.exe | 91
  PID 2388 wrote to memory of 1308 | 2388 | 5e0eaae7723b74b3fbc213878f5da4b5.exe | 91
  PID 1308 wrote to memory of 2448 | 1308 | a.exe | 94
  PID 1308 wrote to memory of 2448 | 1308 | a.exe | 94
  PID 1308 wrote to memory of 2448 | 1308 | a.exe | 94
  PID 1308 wrote to memory of 3596 | 1308 | a.exe | 95
  PID 1308 wrote to memory of 3596 | 1308 | a.exe | 95
  PID 1308 wrote to memory of 3596 | 1308 | a.exe | 95
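The registry and WriteProcessMemory rows above are the raw material for two triage questions: which of the autostart writes is real persistence (as opposed to the IExpress unpacker's cleanup entry), and what the parent/child chain looks like. The script below is an added example, not tria.ge's code: it transcribes the report's rows as constructed input, classifies each Set value row by hive, key and target, and collapses the repeated WriteProcessMemory rows into a process tree. The two regexes assume exactly the row layout shown on this page, which is an assumption about the rendering, not a documented format.

```python
"""Triage of the behavioural signature rows on this page.

Added example, not tria.ge's code. Event rows are transcribed from the report
tables (constructed input); REG_ROW and WRITE_ROW assume exactly that row
layout, which is an assumption about the rendering, not a documented format."""
import re

# "Adds Run key to start application" rows, as printed in the report.
REGISTRY_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 5e0eaae7723b74b3fbc213878f5da4b5.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QQ2012 = "C:\\WINDOWS\\QQ.exe" a.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QQ = "C:\\WINDOWS\\QQ.exe" a.exe',
]

# "Suspicious use of WriteProcessMemory" rows, as printed in the report.
WRITE_EVENTS = [
    "PID 2388 wrote to memory of 1308 2388 5e0eaae7723b74b3fbc213878f5da4b5.exe 91",
    "PID 2388 wrote to memory of 1308 2388 5e0eaae7723b74b3fbc213878f5da4b5.exe 91",
    "PID 2388 wrote to memory of 1308 2388 5e0eaae7723b74b3fbc213878f5da4b5.exe 91",
    "PID 1308 wrote to memory of 2448 1308 a.exe 94",
    "PID 1308 wrote to memory of 2448 1308 a.exe 94",
    "PID 1308 wrote to memory of 2448 1308 a.exe 94",
    "PID 1308 wrote to memory of 3596 1308 a.exe 95",
    "PID 1308 wrote to memory of 3596 1308 a.exe 95",
    "PID 1308 wrote to memory of 3596 1308 a.exe 95",
]

# PID -> image name, taken from the Processes section of the report.
PROCESS_NAMES = {2388: "5e0eaae7723b74b3fbc213878f5da4b5.exe", 1308: "a.exe",
                 2448: "QQ.EXE", 3596: "netsh.exe"}

REG_ROW = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\\S+?)\\(?P<name>[^\\ ]+) = "(?P<data>.*)" (?P<proc>\S+)$')
WRITE_ROW = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ \S+ \d+$")


def classify_registry_event(row):
    """Explain one Set value row: hive, key, target, and whether it is real
    autostart persistence or the self-extractor's own cleanup entry."""
    m = REG_ROW.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    key, name, data, proc = m.group("key", "name", "data", "proc")
    parts = key.split("\\")                      # ['', 'REGISTRY', 'MACHINE'|'USER', ...]
    hive = "HKLM" if parts[2] == "MACHINE" else "HKCU"   # \REGISTRY\USER\<SID> is that user's HKCU
    command = re.sub(r'\\(["\\])', r"\1", data)  # undo the report's \\ and \" escaping
    target = command.split(" ")[0].strip('"')
    # WEXTRACT (IExpress) packages register this RunOnce value so rundll32 deletes
    # their IXP%03d.TMP extraction directory at next logon. It is an unpacker
    # artefact, not the payload's persistence, but it identifies the bundle type.
    if (parts[-1] == "RunOnce" and name.startswith("wextract_cleanup")
            and "advpack.dll,DelNodeRunDLL32" in command):
        verdict = "iexpress-cleanup"
    elif parts[-1] == "Run":
        verdict = "autostart"
    else:
        verdict = "other"
    return {
        "hive": hive,
        "key": parts[-1],
        "wow64": "WOW6432Node" in parts,         # written by a 32-bit process on the x64 image
        "name": name,
        "target": target,
        "in_windows_dir": target.lower().startswith("c:\\windows\\"),
        "process": proc,
        "verdict": verdict,
    }


def process_edges(rows):
    """Collapse the WriteProcessMemory rows into unique (parent, child) PID pairs.
    The table lists each pair three times (three writes into the same child);
    one edge per pair is the unit the tree needs."""
    edges = []
    for row in rows:
        m = WRITE_ROW.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        edge = (int(m["src"]), int(m["dst"]))
        if edge not in edges:
            edges.append(edge)
    return edges


def render_tree(edges, names):
    """Indented 'PID image' lines, root first, like the Processes section."""
    children = {}
    for parent, child in edges:
        children.setdefault(parent, []).append(child)
    roots = [p for p in children if all(p != c for _, c in edges)]
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {names.get(pid, '?')}")
        for c in children.get(pid, []):
            walk(c, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    for row in REGISTRY_EVENTS:
        r = classify_registry_event(row)
        flag = " (WOW64)" if r["wow64"] else ""
        print(f"{r['verdict']:<17} {r['hive']}{flag} {r['key']}\\{r['name']} -> {r['target']}  [{r['process']}]")
    print("\n".join(render_tree(process_edges(WRITE_EVENTS), PROCESS_NAMES)))
```

Run as-is it prints one line per registry write (the first classified as the IExpress cleanup, the other two as autostart entries targeting C:\WINDOWS\QQ.exe) followed by the four-process tree rooted at PID 2388. On a live host the same classification applies to Sysmon event ID 13 or a Registry-provider ETW trace once the value path and data are extracted; only the row regex is report-specific.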
Processes
1. C:\Users\Admin\AppData\Local\Temp\5e0eaae7723b74b3fbc213878f5da4b5.exe (PID 2388)
   Command line: "C:\Users\Admin\AppData\Local\Temp\5e0eaae7723b74b3fbc213878f5da4b5.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a.exe (PID 1308)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\WINDOWS\QQ.EXE (PID 2448)
         Command line: C:\WINDOWS\QQ.EXE
         - Executes dropped EXE
      3. C:\Windows\SysWOW64\netsh.exe (PID 3596)
         Command line: netsh interface ip set address "本地连接" static
         The interface name is rendered on the original page as "±¾µØÁ¬½Ó": those are the GBK bytes of 本地连接 ("Local Area Connection", the default adapter name on Chinese-locale Windows) displayed under the sandbox's en-US code page. The command line ends after "static" exactly as captured.
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 860KB
  MD5: b94b696860dc9b58050a85ceca77d42e
  SHA1: 812d1ef4a9910b655d37f6bb094a22585727e500
  SHA256: 7e91b1cb9b8125e0272b4711436a9270eebf7d562a0691963d8d52942db38e47
  SHA512: 92f9264d95491b1b493e733159e102197ab857e6090b87f8867c9f26e28106ee4646598f681bd154052fb08f07937711ac0a360afcd1193c471121e8215b895e
- Filesize: 985KB
  MD5: 2bcd11e69b0e8beecc09cf2b526b6306
  SHA1: 00ada1cf104fc3f641c0f512d5f07411f704cfd2
  SHA256: ab9042eea5656a7095afa92e90790b818d3a7d74e4dca92f64f2c741a3a08ae4
  SHA512: 72e451f97663ea3a596e4797f8d6d89e9f5d5206cc0d03801a8468072962195179086abf285f60ae6bdfe22bea77111a2c62d50ee96145d6425f16482776d045
- Filesize: 768KB
  MD5: cae8c714021d67d6e1c1cdddd788589b
  SHA1: 2ead82ee609fb92bd4797481a84ab517ee2be514
  SHA256: e7a1d885020d7d21cb71f63c0a889e0c76bed8b2a72c90d10ce3538bd1d971f4
  SHA512: 5ec0614eacc6272de0be50191834607af339d262c95ba3500dcb1d8a5acb76f3c7eb9f62a05927a5a2d8d5d813bed988856f3544075d9220372f5063b239ba0a
- Filesize: 128KB
  MD5: 62829045300299c3498759e698f57bfc
  SHA1: 9e98d67bb3db2c143de126b850b6d9004eed227d
  SHA256: b1f41b6526a81695367adfe12565643678b3f1f4f4822e09899b3f52d968056e
  SHA512: 1afbe70357ca853424b069e3b67f4075e146dd43ecf22d70928d013a330030ed389e9d892a4ca04cd44c6e459a0b827b71969c2f06f822ba7c7fc1a177120b3b