Analysis
- max time kernel: 150s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/06/2024, 02:15
Static task
- static1
Behavioral task
- behavioral1: sample a283db04904b9d8eae5c34026a062ce0.exe, resource win7-20240611-en
Behavioral task
- behavioral2: sample a283db04904b9d8eae5c34026a062ce0.exe, resource win10v2004-20240611-en (the run shown in this report)
General
- Target: a283db04904b9d8eae5c34026a062ce0.exe
- Size: 52KB
- MD5: a283db04904b9d8eae5c34026a062ce0
- SHA1: 3b4aa391b874eff540aa6c4e0e8c723e9b898bfd
- SHA256: 026c43d29fbbe2635acb6815ae80a223174b5aba93f7d2c01f16745782101bfa
- SHA512: 2a405cbf9a073360dd0be2cdd8a783f37aa3fccff0d7a0e6688cf3f4a806b79f74d8177dbbef6f484ed4213195f75635af227ad20b702b155f35dde54909b600
- SSDEEP: 768:oMKF3BqFt1yBQR7FwzIPWTUTAiTDsJ9af:oMQ3ANyeaI3sJwf
Malware Config
Signatures
- Modifies AppInit DLL entries (2 TTPs)
- Executes dropped EXE (1 IoC)
  PID 3056: qanhllaok.exe
- Drops file in System32 directory (3 IoCs)
  File created: C:\Windows\SysWOW64\qanhllao.dll, by a283db04904b9d8eae5c34026a062ce0.exe
  File created: C:\Windows\SysWOW64\qanhllaok.exe, by a283db04904b9d8eae5c34026a062ce0.exe
  File opened for modification: C:\Windows\SysWOW64\qanhllaok.exe, by a283db04904b9d8eae5c34026a062ce0.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2352 (a283db04904b9d8eae5c34026a062ce0.exe) wrote to memory of PID 3056, procid_target 82 (reported 3 times)
  PID 2352 (a283db04904b9d8eae5c34026a062ce0.exe) wrote to memory of PID 2472, procid_target 87 (reported 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe (PID 2352)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe"
  Signatures: Drops file in System32 directory; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\qanhllaok.exe (PID 3056)
    Command line: C:\Windows\system32\qanhllaok.exe ˜‰ (the trailing argument is rendered as non-printable characters in the report)
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 2472)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe.bat
  Note: both children are launched with a System32 path but execute from SysWOW64, which is WOW64 file-system redirection for a 32-bit parent process.
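The three behavioural signatures above (file drops into SysWOW64, execution of a dropped EXE, and an AppInit DLL modification) are simple enough to re-derive from endpoint telemetry. The following is an added example, not tria.ge code: it runs that logic over a constructed, sandbox-style event list modelled on this report's process tree and IoCs. The event shape is an assumption, and so is the registry event: the report only states that AppInit DLL entries were modified, not which value or data, so the `AppInit_DLLs` value under the `Wow6432Node` view (where a 32-bit writer is redirected on x64 Windows) is a plausible assumption, not a fact from the report. One caveat when hunting for this on real hosts: AppInit_DLLs are only loaded when `LoadAppInit_DLLs` is 1, and on Windows 8 and later with Secure Boot enabled the mechanism is disabled entirely, so a registry write alone does not prove injection succeeded.

```python
# Added example (not tria.ge code): re-derive this report's behavioural signatures
# from a stream of sandbox/EDR-style events so the same checks can run over
# Sysmon or EDR telemetry.  Event shape and the registry value data are assumptions.

# Key that hosts AppInit_DLLs, in the native 64-bit view and in the Wow6432Node
# view that a 32-bit process (this sample drops into SysWOW64) is redirected to.
APPINIT_KEYS = {
    r"hklm\software\microsoft\windows nt\currentversion\windows",
    r"hklm\software\wow6432node\microsoft\windows nt\currentversion\windows",
}
APPINIT_VALUES = {"appinit_dlls", "loadappinit_dlls", "requiresignedappinit_dlls"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe"

# Constructed events modelled on the report.  The reg_set event (value name and
# data) is an assumption; the report only says AppInit DLL entries were modified.
SAMPLE_EVENTS = [
    {"type": "file_create", "pid": 2352, "image": SAMPLE,
     "path": r"C:\Windows\SysWOW64\qanhllao.dll"},
    {"type": "file_create", "pid": 2352, "image": SAMPLE,
     "path": r"C:\Windows\SysWOW64\qanhllaok.exe"},
    {"type": "file_modify", "pid": 2352, "image": SAMPLE,
     "path": r"C:\Windows\SysWOW64\qanhllaok.exe"},
    {"type": "reg_set", "pid": 2352, "image": SAMPLE,  # assumed value/data
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows",
     "value": "AppInit_DLLs", "data": "qanhllao.dll"},
    {"type": "process_create", "pid": 3056, "ppid": 2352,
     "image": r"C:\Windows\SysWOW64\qanhllaok.exe",
     "cmdline": r"C:\Windows\system32\qanhllaok.exe"},  # WOW64 redirects system32 -> SysWOW64
    {"type": "process_create", "pid": 2472, "ppid": 2352,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c " + SAMPLE + ".bat"},
]


def norm(path: str) -> str:
    """Case-fold Windows paths and registry keys before comparing them."""
    return path.lower()


def analyse(events):
    """Return {signature name: [IoC strings]} for the three signatures in this report."""
    hits = {"Drops file in System32 directory": [],
            "Executes dropped EXE": [],
            "Modifies AppInit DLL entries": []}
    dropped = {}  # normalised path of every file written during the run -> writer pid
    for ev in events:
        t = ev["type"]
        if t in ("file_create", "file_modify"):
            p = norm(ev["path"])
            if p.startswith(SYSTEM_DIRS):
                hits["Drops file in System32 directory"].append(
                    f"{t}: {ev['path']} by pid {ev['pid']}")
            if t == "file_create":
                dropped[p] = ev["pid"]
        elif t == "process_create":
            # Match on the resolved image path, not the (possibly redirected) command line.
            img = norm(ev["image"])
            if img in dropped:
                hits["Executes dropped EXE"].append(
                    f"pid {ev['pid']}: {ev['image']} (dropped by pid {dropped[img]})")
        elif t == "reg_set":
            if norm(ev["key"]) in APPINIT_KEYS and ev["value"].lower() in APPINIT_VALUES:
                hits["Modifies AppInit DLL entries"].append(
                    f"{ev['key']}\\{ev['value']} = {ev['data']!r}")
    return hits


def process_tree(events):
    """Parent pid -> list of child pids, rebuilt from process_create events."""
    tree = {}
    for ev in events:
        if ev["type"] == "process_create":
            tree.setdefault(ev["ppid"], []).append(ev["pid"])
    return tree


if __name__ == "__main__":
    for name, iocs in analyse(SAMPLE_EVENTS).items():
        print(f"{name}: {len(iocs)} IoC(s)")
        for ioc in iocs:
            print("   ", ioc)
    print("process tree:", process_tree(SAMPLE_EVENTS))
```

Matching the dropped-EXE signature on the resolved image path rather than on the command line matters here: the command line says `C:\Windows\system32\qanhllaok.exe`, but the file the sample wrote lives under SysWOW64, and only the redirected image path ties the two together.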
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 182B
  MD5: 4e86e0288408cefe8566776a5f434f7d
  SHA1: 7b98b6172199ce8a488b3c90adbf831237f14b7e
  SHA256: 81a5199a6bcea60e07a05466e28c16ebce91815d9a6924b7c2fd6fae15893044
  SHA512: 54c1b9b20ccc28a5a8bd365bfbe2b79b2ef6f219e804f965fcb70cfba13975bad44140f7554b3771b815cc63d88805a0c322d29f6cff6c77eb4733b804e7518c
- Filesize: 52KB (hashes match the submitted sample)
  MD5: a283db04904b9d8eae5c34026a062ce0
  SHA1: 3b4aa391b874eff540aa6c4e0e8c723e9b898bfd
  SHA256: 026c43d29fbbe2635acb6815ae80a223174b5aba93f7d2c01f16745782101bfa
  SHA512: 2a405cbf9a073360dd0be2cdd8a783f37aa3fccff0d7a0e6688cf3f4a806b79f74d8177dbbef6f484ed4213195f75635af227ad20b702b155f35dde54909b600