Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 17/08/2024, 21:56
Static task: static1
Behavioral task: behavioral1
  Sample: 4d808dc1f08e0c700bae4ac0c95132d948e2dd6e5513398e7ef2340b9a7ff03a.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 4d808dc1f08e0c700bae4ac0c95132d948e2dd6e5513398e7ef2340b9a7ff03a.exe
  Resource: win10v2004-20240802-en
General
Target: 4d808dc1f08e0c700bae4ac0c95132d948e2dd6e5513398e7ef2340b9a7ff03a.exe
Size: 90KB
MD5: 3742f3095d0e367a2749fd1e07dbaa06
SHA1: 45c9a129a088f07570235977a85859880a644880
SHA256: 4d808dc1f08e0c700bae4ac0c95132d948e2dd6e5513398e7ef2340b9a7ff03a
SHA512: 17a342f4e684a113902b2071016b725d097decdaf60f38174d7371e56f9f96ebaf6a0e688b328bbbbad74c3c194344331e9eef0118cf9f56389ad7945cdb331f
SSDEEP: 1536:tqA1geNFSvEueL+Tnsx5S0REQO0IcRGgEG43K/p8F7psL:gTRnKSpgpp47q
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  2724  quuoxa.exe
- Loads dropped DLL (7 IoCs)
  pid   Process
  2060  4d808dc1f08e0c700bae4ac0c95132d948e2dd6e5513398e7ef2340b9a7ff03a.exe
  2060  4d808dc1f08e0c700bae4ac0c95132d948e2dd6e5513398e7ef2340b9a7ff03a.exe
  2748  WerFault.exe
  2748  WerFault.exe
  2748  WerFault.exe
  2748  WerFault.exe
  2748  WerFault.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  2604  2060        WerFault.exe  29
  2748  2724        WerFault.exe  30
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   4d808dc1f08e0c700bae4ac0c95132d948e2dd6e5513398e7ef2340b9a7ff03a.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   quuoxa.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  2060  4d808dc1f08e0c700bae4ac0c95132d948e2dd6e5513398e7ef2340b9a7ff03a.exe
  2724  quuoxa.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                         pid   Process                                                                 procid_target
  PID 2060 wrote to memory of 2724    2060  4d808dc1f08e0c700bae4ac0c95132d948e2dd6e5513398e7ef2340b9a7ff03a.exe  30
  PID 2060 wrote to memory of 2724    2060  4d808dc1f08e0c700bae4ac0c95132d948e2dd6e5513398e7ef2340b9a7ff03a.exe  30
  PID 2060 wrote to memory of 2724    2060  4d808dc1f08e0c700bae4ac0c95132d948e2dd6e5513398e7ef2340b9a7ff03a.exe  30
  PID 2060 wrote to memory of 2724    2060  4d808dc1f08e0c700bae4ac0c95132d948e2dd6e5513398e7ef2340b9a7ff03a.exe  30
  PID 2060 wrote to memory of 2604    2060  4d808dc1f08e0c700bae4ac0c95132d948e2dd6e5513398e7ef2340b9a7ff03a.exe  31
  PID 2060 wrote to memory of 2604    2060  4d808dc1f08e0c700bae4ac0c95132d948e2dd6e5513398e7ef2340b9a7ff03a.exe  31
  PID 2060 wrote to memory of 2604    2060  4d808dc1f08e0c700bae4ac0c95132d948e2dd6e5513398e7ef2340b9a7ff03a.exe  31
  PID 2060 wrote to memory of 2604    2060  4d808dc1f08e0c700bae4ac0c95132d948e2dd6e5513398e7ef2340b9a7ff03a.exe  31
  PID 2724 wrote to memory of 2748    2724  quuoxa.exe                                                              32
  PID 2724 wrote to memory of 2748    2724  quuoxa.exe                                                              32
  PID 2724 wrote to memory of 2748    2724  quuoxa.exe                                                              32
  PID 2724 wrote to memory of 2748    2724  quuoxa.exe                                                              32
Processes
C:\Users\Admin\AppData\Local\Temp\4d808dc1f08e0c700bae4ac0c95132d948e2dd6e5513398e7ef2340b9a7ff03a.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4d808dc1f08e0c700bae4ac0c95132d948e2dd6e5513398e7ef2340b9a7ff03a.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2060
  C:\Users\Admin\quuoxa.exe (depth 2)
    Command line: "C:\Users\Admin\quuoxa.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2724
    C:\Windows\SysWOW64\WerFault.exe (depth 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 280
      - Loads dropped DLL
      - Program crash
      PID: 2748
  C:\Windows\SysWOW64\WerFault.exe (depth 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 504
    - Program crash
    PID: 2604
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 90KB
MD5: ddab84388138a480e8ffb25421057615
SHA1: 280b4d327090e27d6bbb9284e2792131f8435a68
SHA256: 155166b60e813842830ab39e040f3ba60504d47a1d95a925bd1483a11467a461
SHA512: 32fa207fc1c961f4189b21a90460d010a630bdeb299847f5016285450f0a1d56aeab3094b54e114f6334aa97dc267d0f50ac5e1b5aac240db60769fc988ba8e3