Analysis
- max time kernel: 17s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 01/10/2024, 18:27
Static task: static1
Behavioral task: behavioral1
- Sample: 5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78N.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78N.exe
- Resource: win10v2004-20240802-en
General
- Target: 5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78N.exe
- Size: 208KB
- MD5: 710bf0506b826b66239ea8a924d995a0
- SHA1: 565cfb4743a8a466079c6364ddfc531c890bd389
- SHA256: 5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78
- SHA512: 7ad06ce5c2d247d527c9e6bb1276f52c43488937d046430fb0a30529ff4ca0520b315fc2d815e8dab4c4ea1fa1f8a00fc5eade570405b5dba58186c48d1f23fe
- SSDEEP: 3072:DsfYAYB4nLqk42HkQPKInH1NZGwMZvxPFWTBlg+FpTBi4NLthEjQT6W:Sw6LqmPRnVDGwMDPFWTM+FpViQEjE
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
- PID 2104, Process QDMMPF.exe
-
Drops file in Windows directory 3 IoCs
- File created: C:\windows\QDMMPF.exe (Process: 5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78N.exe)
- File opened for modification: C:\windows\QDMMPF.exe (Process: 5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78N.exe)
- File created: C:\windows\QDMMPF.exe.bat (Process: 5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78N.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: 5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78N.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: QDMMPF.exe)
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
- PID 2440, Process 5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78N.exe
- PID 2104, Process QDMMPF.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
- PID 2440, Process 5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78N.exe
- PID 2440, Process 5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78N.exe
- PID 2104, Process QDMMPF.exe
- PID 2104, Process QDMMPF.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
- PID 2440 wrote to memory of 2448 (Process: 5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78N.exe, target procid 28)
- PID 2440 wrote to memory of 2448 (Process: 5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78N.exe, target procid 28)
- PID 2440 wrote to memory of 2448 (Process: 5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78N.exe, target procid 28)
- PID 2440 wrote to memory of 2448 (Process: 5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78N.exe, target procid 28)
- PID 2448 wrote to memory of 2104 (Process: cmd.exe, target procid 30)
- PID 2448 wrote to memory of 2104 (Process: cmd.exe, target procid 30)
- PID 2448 wrote to memory of 2104 (Process: cmd.exe, target procid 30)
- PID 2448 wrote to memory of 2104 (Process: cmd.exe, target procid 30)
Processes
- C:\Users\Admin\AppData\Local\Temp\5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78N.exe"
  PID: 2440
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (child of PID 2440)
    Command line: cmd /c ""C:\windows\QDMMPF.exe.bat" "
    PID: 2448
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\windows\QDMMPF.exe (child of PID 2448)
      Command line: C:\windows\QDMMPF.exe
      PID: 2104
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 208KB
- MD5: 4732588a0e91467a3ca0192121df18f1
- SHA1: 44b513354cf8fbd785a23a0d46c618486c821d68
- SHA256: fb6f37809a5f1ca8fa15320e2776851f3388f94b1253f01c3052db0d9ece0608
- SHA512: ae52be4ba5324946c208fd65b1bbf25028c0a383e0a05be3bc84c9d2b40d1dd07f0fd9f09f852fad51a491883323c792aee0df4a72aeac82620d65e93185b44c
-
Filesize: 58B
- MD5: 9009ec5606af751135d46713e84d723b
- SHA1: 47c772e1ea202bfbd543ff4021ca7ab5d117fcac
- SHA256: f882845d11fb35d875335e169845e7b9a7d52a0a6be9191570f7e8585449bbed
- SHA512: da3e7011ceb0816e826a98184f28dfbde34e1946a084da6fcfaa35e5098dd16b87c87385ddcf3ff3d3d5a723129c48804083188495844f8c0fcab5bab19102db