Analysis
- max time kernel: 144s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 30/12/2023, 11:46
Static task: static1
Behavioral task: behavioral1
  Sample: 17747af9c269a5139683b34301029529.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 17747af9c269a5139683b34301029529.exe
  Resource: win10v2004-20231222-en
General
- Target: 17747af9c269a5139683b34301029529.exe
- Size: 3.9MB
- MD5: 17747af9c269a5139683b34301029529
- SHA1: 081b2f40014bbc2bbc065e9cd1ffc29fd06151e7
- SHA256: c91ee5e59b1885f82d1f65cf4ac86721300ba0aa52d6d917f407bad073a5aea4
- SHA512: a6fb83b0887545e75891803827a0bd1bce45eeea77ba8a018253cd187fac8a7177f4dfc4e66db47d895a300a97cbca6c9fb7202857f70d88949182fa65612822
- SSDEEP: 49152:EQFRHrmQG+yrY+FrBQG+QQG+WQ3+QQGzrmQG+yrY+FrBQG+QQG+WQ3+mQL:EcKHX/GmHX/kk
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  2916  qnhc.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  2520  17747af9c269a5139683b34301029529.exe
  2520  17747af9c269a5139683b34301029529.exe
- Modifies Internet Explorer settings (1 IoC; heading restored from the process tree below)
  description  ioc                                                                                                    Process
  Key created  \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main  qnhc.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  2916  qnhc.exe
- Suspicious use of SendNotifyMessage (1 IoC)
  pid   Process
  2916  qnhc.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  2916  qnhc.exe
  2916  qnhc.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process                                procid_target
  PID 2520 wrote to memory of 2916   2520  17747af9c269a5139683b34301029529.exe   28
  PID 2520 wrote to memory of 2916   2520  17747af9c269a5139683b34301029529.exe   28
  PID 2520 wrote to memory of 2916   2520  17747af9c269a5139683b34301029529.exe   28
  PID 2520 wrote to memory of 2916   2520  17747af9c269a5139683b34301029529.exe   28
Processes
- C:\Users\Admin\AppData\Local\Temp\17747af9c269a5139683b34301029529.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\17747af9c269a5139683b34301029529.exe"
  PID: 2520
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\qnhc.exe (child of PID 2520)
    Command line: C:\Users\Admin\AppData\Local\Temp\qnhc.exe -run C:\Users\Admin\AppData\Local\Temp\17747af9c269a5139683b34301029529.exe
    PID: 2916
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 4.3MB
  MD5: 145840826452585ba9c74e5cfd3450df
  SHA1: 42b20b3735ec08cf702b70326f656a29fa884b2b
  SHA256: 71baab39362ceaaf4a5ad97d74241510179f0d9b0b87370c4c3724d9e0165c9e
  SHA512: 29e1a3aeb6000577c785add473ede4b05e46975c956ec8d12616cc6451b5a2c2300d1b94ee111e5455048c07fc9ab5d01eca0c64b44c40c0bee5db5742d7dd7f
- Filesize: 1024KB
  MD5: 3fd05a7fa391443146009bc19712eb09
  SHA1: b74d9c7228eb52552d88f4eced731a2c8eafb5c1
  SHA256: c90b1eb70439eacd4d92fe677967fee78c08bb383ce59f298ea3531d526ae3c7
  SHA512: 1636bbe27aa5b2b0fa6666f8bbd74873765b3dab915a489f8d99825688bae41634a88225e61916cb260a83a1de7ca2e28539eb4f3d2e98cfbeb2b0e5d33c4263
- Filesize: 2.8MB
  MD5: 7b7aeee780816d1e7cd6dc0ea7a38b94
  SHA1: 3e331192bdd6e72db4bcad405ab1096a18fefa5d
  SHA256: d6d3abd1fb3becf79cd98f288a2e3d4f643c5814807bc2c2e6ac30c00eb49a30
  SHA512: 6f515a57f3c2c919a11b174152eeaf0fbb9a158dbe7a4fe6ab00d07bd002911155b80296b2fdcaf57ca155dbdb257918cfcf7bf41945559926ba88fa9331515b