Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
143s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
10/05/2024, 23:48
Static task
static1
Behavioral task
behavioral1
Sample
8bca905961c18b34b9b567083dc243c9024c2767cf2057656b91335f09ed4256.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
8bca905961c18b34b9b567083dc243c9024c2767cf2057656b91335f09ed4256.exe
Resource
win10v2004-20240426-en
General
-
Target
8bca905961c18b34b9b567083dc243c9024c2767cf2057656b91335f09ed4256.exe
-
Size
86KB
-
MD5
7202600ab0929595c6fb059f6a353466
-
SHA1
1afc916bc125ff8c779419b6f8642f9879a85182
-
SHA256
8bca905961c18b34b9b567083dc243c9024c2767cf2057656b91335f09ed4256
-
SHA512
25474643e00c4607b8c1fe24c153568613308273165a83e7c8d988df5f393fee1515c24efbac86692e9c90d0f603a886afe8a0bfae827939be7838abf024e821
-
SSDEEP
1536:8gDktLw4rO10tMrlk3SJDlf98jqP+8il3CxOeZIckWlmypn:uLRrO10TiJD9yjqrilyxOuPpn
Malware Config
Signatures
-
Detects executables containing base64 encoded User Agent 3 IoCs
resource yara_rule behavioral1/memory/2708-18-0x0000000010000000-0x0000000010023000-memory.dmp INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent behavioral1/memory/2708-19-0x0000000010000000-0x0000000010023000-memory.dmp INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent behavioral1/memory/2708-20-0x0000000010000000-0x0000000010023000-memory.dmp INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent -
Blocklisted process makes network request 4 IoCs
flow pid Process 5 2708 rundll32.exe 6 2708 rundll32.exe 8 2708 rundll32.exe 12 2708 rundll32.exe -
Deletes itself 1 IoCs
pid Process 2620 kqasc.exe -
Executes dropped EXE 1 IoCs
pid Process 2620 kqasc.exe -
Loads dropped DLL 6 IoCs
pid Process 1248 cmd.exe 1248 cmd.exe 2708 rundll32.exe 2708 rundll32.exe 2708 rundll32.exe 2708 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\ymlxt\\oktuf.dll\",QueryPluginInterface" rundll32.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\o: rundll32.exe File opened (read-only) \??\s: rundll32.exe File opened (read-only) \??\t: rundll32.exe File opened (read-only) \??\x: rundll32.exe File opened (read-only) \??\h: rundll32.exe File opened (read-only) \??\l: rundll32.exe File opened (read-only) \??\y: rundll32.exe File opened (read-only) \??\a: rundll32.exe File opened (read-only) \??\b: rundll32.exe File opened (read-only) \??\i: rundll32.exe File opened (read-only) \??\j: rundll32.exe File opened (read-only) \??\r: rundll32.exe File opened (read-only) \??\v: rundll32.exe File opened (read-only) \??\w: rundll32.exe File opened (read-only) \??\u: rundll32.exe File opened (read-only) \??\e: rundll32.exe File opened (read-only) \??\g: rundll32.exe File opened (read-only) \??\k: rundll32.exe File opened (read-only) \??\m: rundll32.exe File opened (read-only) \??\n: rundll32.exe File opened (read-only) \??\p: rundll32.exe File opened (read-only) \??\q: rundll32.exe File opened (read-only) \??\z: rundll32.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 rundll32.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2148 PING.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2708 rundll32.exe 2708 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2708 rundll32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2084 8bca905961c18b34b9b567083dc243c9024c2767cf2057656b91335f09ed4256.exe 2620 kqasc.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 2084 wrote to memory of 1248 2084 8bca905961c18b34b9b567083dc243c9024c2767cf2057656b91335f09ed4256.exe 28 PID 2084 wrote to memory of 1248 2084 8bca905961c18b34b9b567083dc243c9024c2767cf2057656b91335f09ed4256.exe 28 PID 2084 wrote to memory of 1248 2084 8bca905961c18b34b9b567083dc243c9024c2767cf2057656b91335f09ed4256.exe 28 PID 2084 wrote to memory of 1248 2084 8bca905961c18b34b9b567083dc243c9024c2767cf2057656b91335f09ed4256.exe 28 PID 1248 wrote to memory of 2148 1248 cmd.exe 30 PID 1248 wrote to memory of 2148 1248 cmd.exe 30 PID 1248 wrote to memory of 2148 1248 cmd.exe 30 PID 1248 wrote to memory of 2148 1248 cmd.exe 30 PID 1248 wrote to memory of 2620 1248 cmd.exe 31 PID 1248 wrote to memory of 2620 1248 cmd.exe 31 PID 1248 wrote to memory of 2620 1248 cmd.exe 31 PID 1248 wrote to memory of 2620 1248 cmd.exe 31 PID 2620 wrote to memory of 2708 2620 kqasc.exe 32 PID 2620 wrote to memory of 2708 2620 kqasc.exe 32 PID 2620 wrote to memory of 2708 2620 kqasc.exe 32 PID 2620 wrote to memory of 2708 2620 kqasc.exe 32 PID 2620 wrote to memory of 2708 2620 kqasc.exe 32 PID 2620 wrote to memory of 2708 2620 kqasc.exe 32 PID 2620 wrote to memory of 2708 2620 kqasc.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\8bca905961c18b34b9b567083dc243c9024c2767cf2057656b91335f09ed4256.exe"C:\Users\Admin\AppData\Local\Temp\8bca905961c18b34b9b567083dc243c9024c2767cf2057656b91335f09ed4256.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\kqasc.exe "C:\Users\Admin\AppData\Local\Temp\8bca905961c18b34b9b567083dc243c9024c2767cf2057656b91335f09ed4256.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- Runs ping.exe
PID:2148
-
-
C:\Users\Admin\AppData\Local\Temp\kqasc.exeC:\Users\Admin\AppData\Local\Temp\\kqasc.exe "C:\Users\Admin\AppData\Local\Temp\8bca905961c18b34b9b567083dc243c9024c2767cf2057656b91335f09ed4256.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.exe "c:\ymlxt\oktuf.dll",QueryPluginInterface C:\Users\Admin\AppData\Local\Temp\kqasc.exe4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2708
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
86KB
MD5ecce033571e81ea33887b23a1f646ca8
SHA10493f26da6ee3c4d1b92ab0e77571ae62b402aff
SHA2564e03f0d3d4921139c7eaec04c464d18c771db3face30c32615684ffadf15070e
SHA5127774231b4ce7af08c76fb35010eaea7a841f5d0c240fb1699bbf805ab44ebf95f855000e03240e3968615158a7309014d9177c50afcfe5d52c55fd7505157244
-
Filesize
44KB
MD50f12a7d509b2c9bb9b4cd6d8a0325e86
SHA1f5fb59ad4f0633d115b06f35a2dc161dc4367157
SHA2569111c1eb1f0b59dcd49cfd5a0abc0ba100ac59a3bcae8623ff091dfdc46fed3c
SHA512e3c84a643ff0a2627daba8a056221985a472aaf07bade61b3e9459db4bfc8792c1347606911e3fcc01581508004b18b5435bcccd5e7617cc6d091f37a5f42e7f