Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

f767a3497d...23.exe

windows7-x64

7

f767a3497d...23.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    118s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    28/12/2023, 20:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f767a3497d399db7888c6cca825caf23.exe

  • Size

    2.8MB

  • MD5

    f767a3497d399db7888c6cca825caf23

  • SHA1

    d5f883b41d83138eb8dd86a96bf1a024955679a9

  • SHA256

    f799be183c8bdc70a4b7559dbba3067d6eec4155913477902a0a7d5de3eb814f

  • SHA512

    17764831a8d2fa24015884b978adda05b0a577cff75225db59fa1cd8c83745878485ef6377da31f07d58e8d9e778159a192d7ec78451688b73e4cef24126ce28

  • SSDEEP

    49152:COyLMf6GLw2kwKSAklUYfHStpoDtbZ3gcUlWnb4x53PL7YXb/6sRNXHctMfm9Y:RyGdXKSGNtpg3gcUlw4/3PL7YXz1TQBY

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 27 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f767a3497d399db7888c6cca825caf23.exe
    "C:\Users\Admin\AppData\Local\Temp\f767a3497d399db7888c6cca825caf23.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2856
    • C:\Users\Admin\AppData\Local\Temp\is-J7UH5.tmp\f767a3497d399db7888c6cca825caf23.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-J7UH5.tmp\f767a3497d399db7888c6cca825caf23.tmp" /SL5="$7011E,2569358,118784,C:\Users\Admin\AppData\Local\Temp\f767a3497d399db7888c6cca825caf23.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2312
      • C:\Program Files (x86)\Quia\ut\Optio.exe
        "C:\Program Files (x86)\Quia/\ut\Optio.exe" b3571eccb954ee7b5be0e85bd60ce7c1
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2612

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Quia\ut\sqlite3.dll
    Filesize

    630KB

    MD5

    e477a96c8f2b18d6b5c27bde49c990bf

    SHA1

    e980c9bf41330d1e5bd04556db4646a0210f7409

    SHA256

    16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

    SHA512

    335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

    Download Submit

  • \Program Files (x86)\Quia\ut\Optio.exe
    Filesize

    2.4MB

    MD5

    065551e097c8f56369cb8a9c9d1ffd31

    SHA1

    c0a4e795baaafa0db636a0ed07b0f8db85d4e4d9

    SHA256

    867f5cb55416cdc0caed5495b5149041f9bbeaffedbbd89472b68863e0cb5bcd

    SHA512

    5e15ef9a44736af862d949355cc46820ae84f02e12b98370b590144231f48afe72d12d8132e4284ab815d61177009260a2318c2ce6091342b0c72ebcbac03529

    Download Submit

  • \Users\Admin\AppData\Local\Temp\is-J7UH5.tmp\f767a3497d399db7888c6cca825caf23.tmp
    Filesize

    1.1MB

    MD5

    b69b348d3ef2973bf1dde47370b7a393

    SHA1

    fea161fd274600613c5e409aa2df15fa62110532

    SHA256

    5caf88d958ea88ffad7493b344f5addcb3b378d735ba81bafe29903f0fa6eec4

    SHA512

    0a347c800e0973ed9a9693c4e58f53828c2301817b9ec1446781fa02839ad680e4122b20384ca80629c24827ccfe2028b80fb12bfeca07e1af7563e2fb89785f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\is-QBUM7.tmp\_isetup\_iscrypt.dll
    Filesize

    2KB

    MD5

    a69559718ab506675e907fe49deb71e9

    SHA1

    bc8f404ffdb1960b50c12ff9413c893b56f2e36f

    SHA256

    2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

    SHA512

    e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

    Download Submit

  • \Users\Admin\AppData\Local\Temp\is-QBUM7.tmp\_isetup\_shfoldr.dll
    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

    Download Submit

  • memory/2312-7-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2312-72-0x0000000000400000-0x000000000052B000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2612-71-0x0000000060900000-0x0000000060992000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2856-0-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

    Download

  • memory/2856-73-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

    Download