Analysis
  max time kernel: 150s
  max time network: 123s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 19/03/2024, 19:15
Static task
  static1
Behavioral task
  behavioral1
    Sample: d6e877128b87282e4534d70de7820334.exe
    Resource: win7-20240221-en
Behavioral task
  behavioral2
    Sample: d6e877128b87282e4534d70de7820334.exe
    Resource: win10v2004-20240226-en
General
  Target: d6e877128b87282e4534d70de7820334.exe
  Size: 116KB
  MD5: d6e877128b87282e4534d70de7820334
  SHA1: bca452473d17be00f3be8686e7d3330289f8012e
  SHA256: e93845b0415afde51a287be72c4d870c1ffa3384bd439fc025faefb587859cf4
  SHA512: 84d17adf7635ae683d3b86ea915a262ffb67a3a92f4046c862862cf59da473fcfd99080940271e36ff5cce280884d9626bdc8c217eece3a660e2ebb5544067eb
  SSDEEP: 3072:98RTVXDNJqxSA5HDc3I3nNoOsRXurRUQzj+5z/U:SZRcx5VMpOKXur2Qf+5z
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid    Process
  2944   Qrafoa.exe
- Drops file in Windows directory (6 IoCs)
  description                    ioc                                                                Process
  File created                   C:\Windows\Qrafoa.exe                                              d6e877128b87282e4534d70de7820334.exe
  File opened for modification   C:\Windows\Qrafoa.exe                                              d6e877128b87282e4534d70de7820334.exe
  File created                   C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job        Qrafoa.exe
  File opened for modification   C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job        Qrafoa.exe
  File created                   C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job        d6e877128b87282e4534d70de7820334.exe
  File opened for modification   C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job        d6e877128b87282e4534d70de7820334.exe
- Modifies Internet Explorer settings (2 IoCs)
  description   ioc                                                                                                                      Process
  Key created   \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main            Qrafoa.exe
  Key created   \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\International   Qrafoa.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid    Process
  2944   Qrafoa.exe   (this same entry is listed 64 times)
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                          pid    Process                                procid_target
  PID 1920 wrote to memory of 2944     1920   d6e877128b87282e4534d70de7820334.exe   28
  PID 1920 wrote to memory of 2944     1920   d6e877128b87282e4534d70de7820334.exe   28
  PID 1920 wrote to memory of 2944     1920   d6e877128b87282e4534d70de7820334.exe   28
  PID 1920 wrote to memory of 2944     1920   d6e877128b87282e4534d70de7820334.exe   28
Processes
- C:\Users\Admin\AppData\Local\Temp\d6e877128b87282e4534d70de7820334.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d6e877128b87282e4534d70de7820334.exe"
  PID: 1920
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Qrafoa.exe
    Command line: C:\Windows\Qrafoa.exe
    PID: 2944
    - Executes dropped EXE
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2B
  MD5: 309fc7d3bc53bb63ac42e359260ac740
  SHA1: 2064f80f811db79a33c4e51c10221454e30c74ae
  SHA256: ac11339ffa8f270c4f781e0a3922bb1c80d9dee6e4b6911ca34538ed9ae03caa
  SHA512: 77dd27d30f4e13a0bcd6fd27ae7567c136d87393e5ee632bccf05b0a0d2bbcc2fc0fd777a8508e26cc4fc579c8da0ab56b7bf179b1adc70f28f7d0eee89fa5f8
- Filesize: 116KB
  MD5: d6e877128b87282e4534d70de7820334
  SHA1: bca452473d17be00f3be8686e7d3330289f8012e
  SHA256: e93845b0415afde51a287be72c4d870c1ffa3384bd439fc025faefb587859cf4
  SHA512: 84d17adf7635ae683d3b86ea915a262ffb67a3a92f4046c862862cf59da473fcfd99080940271e36ff5cce280884d9626bdc8c217eece3a660e2ebb5544067eb
- Filesize: 344B
  MD5: 75c6328bcaa211f5c7c50cc457846e88
  SHA1: 46c5054e08caf1ccd8df16b6cf1638fc22711b42
  SHA256: 309cf7cc03f1e868e220d7c047a4d8277248a825a0fe0ccccb03aabd69c60b48
  SHA512: 7f6d419d87ba90d01f0fdf2a18f7fa74aae55303b9309af301e0e8bef2a7c24473cb7749d958ba2c659b8fdcb9a8c9ccfdf2e1fb535366c69e7be817da7ab1d5