Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 19/10/2024, 18:26
Static task: static1
Behavioral task: behavioral1
Sample: 780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3.dll
Resource: win7-20240903-en
General
- Target: 780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3.dll
- Size: 459KB
- MD5: 0a29918110937641bbe4a2d5ee5e4272
- SHA1: 7d4a6976c1ece81e01d1f16ac5506266d5210734
- SHA256: 780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3
- SHA512: 998a6ee2fa6b345aeea72afaa91add8433e986a2678dbb8995ead786c30bdc00704c39c4857935b20669005b292736d50e1c6ad38901aa1f29db7b6a597fae3f
- SSDEEP: 6144:T4+8LGS5U/dvT6+adDaMuMeek1Wg3NkA+8hMzA1W9xCTSI:8fZ5U/dvPadDrNebWg3N+QMc16MOI
Malware Config
Extracted
- qakbot
- tchk06
- 1702463600
- 45.138.74.191:443
- 65.108.218.24:443
- camp_date: 2023-12-13 10:33:20 +0000 UTC
Signatures

Detect Qakbot Payload (13 IoCs)
yara_rule: family_qakbot_v5 (all 13 hits)
resource:
- behavioral1/memory/1940-7-0x0000000180000000-0x000000018002E000-memory.dmp
- behavioral1/memory/1940-6-0x0000000180000000-0x000000018002E000-memory.dmp
- behavioral1/memory/1940-5-0x0000000000110000-0x000000000013D000-memory.dmp
- behavioral1/memory/1940-1-0x0000000000140000-0x000000000016F000-memory.dmp
- behavioral1/memory/2828-9-0x0000000000060000-0x000000000008E000-memory.dmp
- behavioral1/memory/1940-29-0x0000000180000000-0x000000018002E000-memory.dmp
- behavioral1/memory/2828-15-0x0000000000060000-0x000000000008E000-memory.dmp
- behavioral1/memory/2828-33-0x0000000000060000-0x000000000008E000-memory.dmp
- behavioral1/memory/2828-32-0x0000000000060000-0x000000000008E000-memory.dmp
- behavioral1/memory/2828-31-0x0000000000060000-0x000000000008E000-memory.dmp
- behavioral1/memory/2828-30-0x0000000000060000-0x000000000008E000-memory.dmp
- behavioral1/memory/2828-34-0x0000000000060000-0x000000000008E000-memory.dmp
- behavioral1/memory/2828-37-0x0000000000060000-0x000000000008E000-memory.dmp
Modifies registry class (12 IoCs)
description | ioc | Process
- Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\hxeiyaoukfislj\17153989 = 27fae37c06d4b874aa41b383dd58c78bf447277758bbf50b740482430eb6dd4266091627e3167cbde05dc4bef2963015975c6464dc1ddf46b715653364df136326 | wermgr.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\hxeiyaoukfislj\dbbf3917 = 071927122401a89d3c4c4395d958f4d7afed89d1117a1da5ae8f988a609f3ec46cf5281165a3984891d04b6cbcb3bf7bb77adee20b88dd12ca61f91a0e12628569 | wermgr.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\hxeiyaoukfislj\8d9771df = 2436258876decde16f5d66dd1a42b221b0f624d2bb5f8b3b84450031d451d6f6e8edc9598f1d8631245bc654c653dd7c74 | wermgr.exe
- Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\hxeiyaoukfislj | wermgr.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\hxeiyaoukfislj\8c102c58 = 05e7189b03a91ee0d1b560aa294c4cd62a76ed066ebfc6760d30e2143ed49e0fa3faf0b4cb37cd59b491512087f13ff9253d8268b63898578254f1cb8e6e5069ae25a0d05a89b31ad2e2d536691a286b5705ba87ecdeecfaff67362c18db2d291e | wermgr.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\hxeiyaoukfislj\85a22a2 = 056a8403a4d28b27d5bf390f550e9389b21d43aeae4d2f8eaff78c2078baae99391548f92e1e30e8a4a2f6c5469e7e97b67004780cc234d381e1adac009de7b33a | wermgr.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\hxeiyaoukfislj\b3094789 = 6651c8df510eb9f90f563cc0f5af37324c68385f0c3e8fa3d5491f89ec324488b72d7f884c3eb4476f937e117ebd65ca52 | wermgr.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\hxeiyaoukfislj\8c102c58 = a7cb6b2bca163e5a71a76d39f3bdb2e83a1d6fe0af8e2edf57814560a0720236a24bcdc3629a35c6f26c66ddbf909d77f9c0f9a51d8dd48160e7294960f28efb1d8aaa6e7bd45e96bdbe9aa0e585b25a590356380af9c8ae1434a49b07a09c9c19cec3ee63f78b734d1fc13c9ab9606c3cb742eb60cded2408b18f901c5458112e | wermgr.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\hxeiyaoukfislj\da386490 = 45f8b75c6e196edf9559ceff84995f1d778a47262e0f39eea9621b72ed5d43ef1692a841fdf68f21274d3fa3164e9284fd5531a687c1dca8281cb5a72c23c2de6951f17a5e3c927a00644efec796bc57433b28db45c2d47840a2851b1393c2fcc495e1b381cb02ae4397ac37a96f37ee107e1c168ec662eba83d125eda8a1bbc5c431807c5c75bf2b2b19cf0e000561483 | wermgr.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\hxeiyaoukfislj\c4f0223c = c6bbd16a83fdd04f17ca3a1fae4f2f19ddbe5adef300cea5bbd61294fa89e919048a5fa4c491dc785e68a5afe5b5708f54d74dc32c673460010fa76c63a7a9479d05706f256e889fd8348d79a3254e6470848e0c1c98feccafb2c0e4fdb1e60a3826f5ce7c9081075e26f9d36cde5db912 | wermgr.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\hxeiyaoukfislj\1c576d17 = 26ad8cfb08d6335d27cc3cca50a27cb20df1328dcacf1f1982a3ccf0cc583e79d5edfeed97bd4e5a3a359255abcd2b6c9d | wermgr.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\hxeiyaoukfislj\1692640e = a6b5ee75bb6e4e3bd7d9bd90099f58261e4fffb2f17c1a84cd9c2177a0b51d103b | wermgr.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
- 1940 | rundll32.exe (1 entry)
- 2828 | wermgr.exe (63 repeated entries)
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
- PID 1940 wrote to memory of 2828 | 1940 | rundll32.exe | 31 (6 identical entries)
Processes
- C:\Windows\system32\rundll32.exe (PID:1940)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3.dll,#1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wermgr.exe (PID:2828)
    command line: C:\Windows\System32\wermgr.exe
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses