Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 14/06/2024, 02:15
Static task: static1
Behavioral task: behavioral1
- Sample: a283db04904b9d8eae5c34026a062ce0.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: a283db04904b9d8eae5c34026a062ce0.exe
- Resource: win10v2004-20240611-en
General
- Target: a283db04904b9d8eae5c34026a062ce0.exe
- Size: 52KB
- MD5: a283db04904b9d8eae5c34026a062ce0
- SHA1: 3b4aa391b874eff540aa6c4e0e8c723e9b898bfd
- SHA256: 026c43d29fbbe2635acb6815ae80a223174b5aba93f7d2c01f16745782101bfa
- SHA512: 2a405cbf9a073360dd0be2cdd8a783f37aa3fccff0d7a0e6688cf3f4a806b79f74d8177dbbef6f484ed4213195f75635af227ad20b702b155f35dde54909b600
- SSDEEP: 768:oMKF3BqFt1yBQR7FwzIPWTUTAiTDsJ9af:oMQ3ANyeaI3sJwf
Malware Config
Signatures
- Modifies AppInit DLL entries (2 TTPs)
- Deletes itself (1 IoCs)
  pid 2632, process cmd.exe
- Executes dropped EXE (1 IoCs)
  pid 2044, process qanhllaok.exe
- Loads dropped DLL (2 IoCs)
  pid 2072, process a283db04904b9d8eae5c34026a062ce0.exe (2 entries)
- Drops file in System32 directory (3 IoCs)
  File created: C:\Windows\SysWOW64\qanhllao.dll (process a283db04904b9d8eae5c34026a062ce0.exe)
  File created: C:\Windows\SysWOW64\qanhllaok.exe (process a283db04904b9d8eae5c34026a062ce0.exe)
  File opened for modification: C:\Windows\SysWOW64\qanhllaok.exe (process a283db04904b9d8eae5c34026a062ce0.exe)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2072 (a283db04904b9d8eae5c34026a062ce0.exe) wrote to memory of PID 2044, procid_target 28 (4 entries)
  PID 2072 (a283db04904b9d8eae5c34026a062ce0.exe) wrote to memory of PID 2632, procid_target 29 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe"
  PID: 2072
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\qanhllaok.exe
    Command line: C:\Windows\system32\qanhllaok.exe ˜‰
    PID: 2044
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe.bat
    PID: 2632
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 182B
  MD5: 4e86e0288408cefe8566776a5f434f7d
  SHA1: 7b98b6172199ce8a488b3c90adbf831237f14b7e
  SHA256: 81a5199a6bcea60e07a05466e28c16ebce91815d9a6924b7c2fd6fae15893044
  SHA512: 54c1b9b20ccc28a5a8bd365bfbe2b79b2ef6f219e804f965fcb70cfba13975bad44140f7554b3771b815cc63d88805a0c322d29f6cff6c77eb4733b804e7518c
- Filesize: 52KB
  MD5: a283db04904b9d8eae5c34026a062ce0
  SHA1: 3b4aa391b874eff540aa6c4e0e8c723e9b898bfd
  SHA256: 026c43d29fbbe2635acb6815ae80a223174b5aba93f7d2c01f16745782101bfa
  SHA512: 2a405cbf9a073360dd0be2cdd8a783f37aa3fccff0d7a0e6688cf3f4a806b79f74d8177dbbef6f484ed4213195f75635af227ad20b702b155f35dde54909b600