Analysis

  • max time kernel
    17s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    01/10/2024, 18:27

General

  • Target

    5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78N.exe

  • Size

    208KB

  • MD5

    710bf0506b826b66239ea8a924d995a0

  • SHA1

    565cfb4743a8a466079c6364ddfc531c890bd389

  • SHA256

    5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78

  • SHA512

    7ad06ce5c2d247d527c9e6bb1276f52c43488937d046430fb0a30529ff4ca0520b315fc2d815e8dab4c4ea1fa1f8a00fc5eade570405b5dba58186c48d1f23fe

  • SSDEEP

    3072:DsfYAYB4nLqk42HkQPKInH1NZGwMZvxPFWTBlg+FpTBi4NLthEjQT6W:Sw6LqmPRnVDGwMDPFWTM+FpViQEjE

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78N.exe
    "C:\Users\Admin\AppData\Local\Temp\5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78N.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\windows\QDMMPF.exe.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2448
      • C:\windows\QDMMPF.exe
        C:\windows\QDMMPF.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:2104

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\QDMMPF.exe

    Filesize

    208KB

    MD5

    4732588a0e91467a3ca0192121df18f1

    SHA1

    44b513354cf8fbd785a23a0d46c618486c821d68

    SHA256

    fb6f37809a5f1ca8fa15320e2776851f3388f94b1253f01c3052db0d9ece0608

    SHA512

    ae52be4ba5324946c208fd65b1bbf25028c0a383e0a05be3bc84c9d2b40d1dd07f0fd9f09f852fad51a491883323c792aee0df4a72aeac82620d65e93185b44c

  • C:\Windows\QDMMPF.exe.bat

    Filesize

    58B

    MD5

    9009ec5606af751135d46713e84d723b

    SHA1

    47c772e1ea202bfbd543ff4021ca7ab5d117fcac

    SHA256

    f882845d11fb35d875335e169845e7b9a7d52a0a6be9191570f7e8585449bbed

    SHA512

    da3e7011ceb0816e826a98184f28dfbde34e1946a084da6fcfaa35e5098dd16b87c87385ddcf3ff3d3d5a723129c48804083188495844f8c0fcab5bab19102db

  • memory/2104-18-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/2104-19-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/2440-0-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/2440-12-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/2448-16-0x0000000000290000-0x00000000002C8000-memory.dmp

    Filesize

    224KB

  • memory/2448-15-0x0000000000290000-0x00000000002C8000-memory.dmp

    Filesize

    224KB