Analysis

max time kernel: 144s
max time network: 81s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/01/2024, 13:46
Static task: static1

Behavioral task: behavioral1
  Sample: RFQ ETMT 009462900_pdf(58kb).exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: RFQ ETMT 009462900_pdf(58kb).exe
  Resource: win10v2004-20231215-en

Behavioral task: behavioral3
  Sample: jjuhibpwa.ps1
  Resource: win7-20231215-en

Behavioral task: behavioral4
  Sample: jjuhibpwa.ps1
  Resource: win10v2004-20231215-en

Behavioral task: behavioral5
  Sample: wnnqrg.exe
  Resource: win7-20231215-en

Behavioral task: behavioral6
  Sample: wnnqrg.exe
  Resource: win10v2004-20231222-en
General

Target: wnnqrg.exe
Size: 62KB
MD5: ad65f79ab6bd2884461a198e1d77ef76
SHA1: f7ac4388da64c17f92f0c10803de57abad060bb9
SHA256: c545d7f6a0c7da83bdabf56728c240bca8dc9f86416123efde1a3e60d87626ce
SHA512: 7da047e3ce0ffe6d01e603092f12acfa98499b0407ba6b328acd94eb7894f7009163804b6fd645ae6b6d0deb98091cacb71b53c0585381fdb962a205e6a8440e
SSDEEP: 1536:Px+QC21XgNhnNiBiSXM4dmxSxh1eKMNDYVmtM:PxdhgNhNiB7drx6KMNay
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nnwsscxhhq = "C:\\Users\\Admin\\AppData\\Roaming\\irrbwwg\\plluqqyiie.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wnnqrg.exe\""
  Process: wnnqrg.exe

Program crash (1 IoC)
  pid: 3980
  pid_target: 4968
  Process: WerFault.exe
  procid_target: 14

Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 4968 wrote to memory of 1184   pid: 4968   Process: wnnqrg.exe   procid_target: 27
  description: PID 4968 wrote to memory of 1184   pid: 4968   Process: wnnqrg.exe   procid_target: 27
  description: PID 4968 wrote to memory of 1184   pid: 4968   Process: wnnqrg.exe   procid_target: 27
Processes

C:\Users\Admin\AppData\Local\Temp\wnnqrg.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\wnnqrg.exe"
  PID: 4968
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 592
      PID: 3980
      - Program crash

    C:\Users\Admin\AppData\Local\Temp\wnnqrg.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\wnnqrg.exe"
      PID: 1184

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4968 -ip 4968
  PID: 1592