Analysis
max time kernel: 141s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/07/2024, 20:55
Static task: static1
Behavioral task: behavioral1
  Sample: QQ2006PY381.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: QQ2006PY381.exe
  Resource: win10v2004-20240709-en
Behavioral task: behavioral3
  Sample: 安装说明.url
  Resource: win7-20240704-en
Behavioral task: behavioral4
  Sample: 安装说明.url
  Resource: win10v2004-20240709-en
General
Target: QQ2006PY381.exe
Size: 19.4MB
MD5: 0b188cc0f2bbe976851ffde4b7df46d7
SHA1: 0eb0b2c683d107ae06350f54414e64f497636436
SHA256: cdffa4dba138b6c14e65cf1979df1381651beb873ec6cf02d05e4ec33b6961db
SHA512: a81acbd852a2e0fbb8363f44573a5cbf6d06f519a1e33d47cf9b0a6a25fb3f7f54617734c15ead5a4f9e20e54cc48ce5abab65995ebe14b0023cc909d8aa3909
SSDEEP: 393216:04ZFGqeRMCT6qQrim1kh7dzP819jyLGF6hq3Lvf++aGGGjkNjusVCb1ia:04ZF1s05OhZzOHF6w3L2t3NjusVpa
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
  pid   Process
  5076  is-VL817.tmp
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   QQ2006PY381.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   is-VL817.tmp
Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process          procid_target
  PID 4332 wrote to memory of 5076   4332  QQ2006PY381.exe  87
  PID 4332 wrote to memory of 5076   4332  QQ2006PY381.exe  87
  PID 4332 wrote to memory of 5076   4332  QQ2006PY381.exe  87
Processes
C:\Users\Admin\AppData\Local\Temp\QQ2006PY381.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\QQ2006PY381.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4332
  C:\Users\Admin\AppData\Local\Temp\is-651CF.tmp\is-VL817.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-651CF.tmp\is-VL817.tmp" /SL4 $B0048 "C:\Users\Admin\AppData\Local\Temp\QQ2006PY381.exe" 20020315 56832
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 5076
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 640KB
MD5: c9b98220dd90e04c12560c85bbd83315
SHA1: 94c5d630c08c9f79dee673ed0909b19eae8e6974
SHA256: a0915e449823d1e315e92b65f8b4ae94cc773ef3b718a77d7707b7e7ae2d3e28
SHA512: af112b3230df5f45efd4b468d6f1b2df76911f02ed27bc96307bf9164926ac3f5c035ac8bcbe7352016006b4e2b92cad0e1a0213b6136377d654dbace960fd81