Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

05b32f60f0...18.exe

windows7-x64

7

05b32f60f0...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    141s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/06/2024, 00:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    05b32f60f010cfbb382be1e0cfe76902_JaffaCakes118.exe

  • Size

    436KB

  • MD5

    05b32f60f010cfbb382be1e0cfe76902

  • SHA1

    45b5c2c71ddd2b525151c4b105baa8429e6d3b73

  • SHA256

    cd8c01a3ba706d486f66da5bf7a9372328547d0800d76bebb0effbe79fd6b0c6

  • SHA512

    8fb301d6bba8b83eec458c565732f1511c323cd985d495c85a44fef051c5716c2cba52eddfb923b60ffad2f2b55b4db045b89d62bc6cab15193aff0e2aeb7851

  • SSDEEP

    3072:21bNhC7NXnSxEBo3GGtPFoncW4DkM4BG1KR1S8i+nwUqeq19MTSkUZ3TAusxT0b1:21qhaGGJTkM4BS94SFaut18XbpH

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\05b32f60f010cfbb382be1e0cfe76902_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\05b32f60f010cfbb382be1e0cfe76902_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4284
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\QmlNu.exe.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\QmlNu.exe.exe"
      2⤵
      • Executes dropped EXE
      • Maps connected drives based on registry
      • Suspicious use of SetWindowsHookEx
      PID:4112

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\QmlNu.exe.exe
    Filesize

    156KB

    MD5

    576d8b51266fc80d4468dd04665014b7

    SHA1

    6f71248422091b6d9eb3077483f239cf23c197e8

    SHA256

    17163d436c79b67d8ee6de61c474537ec1a9a991690303d5af2c4ff669f3dbe9

    SHA512

    90effcf85a26effee9a30997b5da9889b4cefd143bdb607a3070ffe5635ecb88b83462921d6687ed478a3f55dffc10a2b55f8053ace18c8b3d90686d78ec6b10

    Download Submit

  • memory/4284-0-0x00007FF943245000-0x00007FF943246000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4284-1-0x000000001B700000-0x000000001B7A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/4284-2-0x00007FF942F90000-0x00007FF943931000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4284-11-0x00007FF942F90000-0x00007FF943931000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4284-18-0x00007FF942F90000-0x00007FF943931000-memory.dmp

    Filesize

    9.6MB

    Download