Analysis
- max time kernel: 117s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 23/07/2024, 13:50
Static task
- static1

Behavioral task
- behavioral1
  Sample: c43fa4da450d4842afe24a8ac4ab2ae0N.exe
  Resource: win7-20240704-en

Behavioral task
- behavioral2
  Sample: c43fa4da450d4842afe24a8ac4ab2ae0N.exe
  Resource: win10v2004-20240709-en
General
- Target: c43fa4da450d4842afe24a8ac4ab2ae0N.exe
- Size: 162KB
- MD5: c43fa4da450d4842afe24a8ac4ab2ae0
- SHA1: 0b9fce1fd1dd245569d289aa456bffae1877fd33
- SHA256: 819bb81f97d27f729656e8fd0be64a8aaab2a7cdeaedb59eed5ea52a48c16be6
- SHA512: cd8523b78272498e1b71f24ec9d5bc92f9b6bf4c6687c90b49e57f57977678d87940d480b6dec670054e695f06028bc747b2f04f0d4f855219a6c28213e30a06
- SSDEEP: 3072:51oVtum4WHvjVGr8kgB9s8p+uRcKVHM0lma3UroAew5ak23n2MgN8Dljt:5mtmCjkU9Wu6uFYwsegak22TQlJ
Malware Config
Signatures
- Event Triggered Execution: AppInit DLLs (1 TTPs)
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

- Executes dropped EXE (1 IoCs)
  pid   Process
  2484  qrggcen.exe

- Drops file in Program Files directory (2 IoCs)
  description   ioc                              Process
  File created  C:\PROGRA~3\Mozilla\qrggcen.exe  c43fa4da450d4842afe24a8ac4ab2ae0N.exe
  File created  C:\PROGRA~3\Mozilla\zwjbghb.dll  qrggcen.exe

- Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  1952  c43fa4da450d4842afe24a8ac4ab2ae0N.exe
  2484  qrggcen.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process      procid_target
  PID 1496 wrote to memory of 2484   1496  taskeng.exe  32
  PID 1496 wrote to memory of 2484   1496  taskeng.exe  32
  PID 1496 wrote to memory of 2484   1496  taskeng.exe  32
  PID 1496 wrote to memory of 2484   1496  taskeng.exe  32
Processes
- C:\Users\Admin\AppData\Local\Temp\c43fa4da450d4842afe24a8ac4ab2ae0N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c43fa4da450d4842afe24a8ac4ab2ae0N.exe"
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:1952

- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {D63957DD-C72B-4B78-AB7E-2C51073D91A9} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  PID:1496
  - C:\PROGRA~3\Mozilla\qrggcen.exe (child of taskeng.exe)
    Command line: C:\PROGRA~3\Mozilla\qrggcen.exe -cochpwl
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
    PID:2484
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 162KB
  MD5: 19be13993a06cf4dfc2b1732d6d5b5a0
  SHA1: 32dfde9a2e69c321e21a1934c975eeecdae56997
  SHA256: e6dd94eb6e603aa2ba42b3dcd7be4edcd9e7d23a008e3dbc893f62e5b5f01652
  SHA512: e122223c16e11b5e5422f42acc77b2d227711240610c5546cfad5d896d6dcb3e268ddedd42be10b49b73c51981c715af5a6509f659573af30713c4f80d4ea6f4