Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    131s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/01/2025, 00:45

General

  • Target

    QuantumBuilder.exe

  • Size

    2.5MB

  • MD5

    03a4fcff58e8c316ee039f63920e884b

  • SHA1

    6b723644868f4820499a4c9cf254ef9add940f58

  • SHA256

    4736e79e75f24db2a63b318ab7f4119f115389f30064f692a11ae68508beb255

  • SHA512

    a97a68522a50430acdca7c8c6ee441e99e4be7c2b49f3df7cd4ad5801aae58e6603c46f50e026a5a234242325316119494a30aebcd7f5e1f5a40ef3ae6ee896a

  • SSDEEP

    49152:/Ryi81om8kG+WpI+A9GpOQ8y2xKK8Zn8PtgyuI9LS3j12Co:/8i8H8kG+B+A99b1lgyhhC

Score
9/10

Malware Config

Signatures

  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\QuantumBuilder.exe
    "C:\Users\Admin\AppData\Local\Temp\QuantumBuilder.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Users\Admin\AppData\Roaming\exvjkakpysajgwh.exe
      "C:\Users\Admin\AppData\Roaming\exvjkakpysajgwh.exe"
      2⤵
      • Executes dropped EXE
      PID:2776
    • C:\Users\Admin\AppData\Roaming\mpr.exe
      "C:\Users\Admin\AppData\Roaming\mpr.exe"
      2⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Executes dropped EXE
      PID:2672

Network

MITRE ATT&CK Enterprise v15


Downloads

  • \Users\Admin\AppData\Roaming\exvjkakpysajgwh.exe

    Filesize

    871KB

    MD5

    6670d8dba2d02a2a779d089bda99a9e3

    SHA1

    cbf0a573db7fd7613f84178531fcea1210c1da78

    SHA256

    7b9be6b1276fc7fac3d04be2102f81c12eadcb8e09b62ab4aff147f170a0a6fe

    SHA512

    7b07b593581a8a578e07502c7c5398ad7a15758f20c7042064e13259ae83fcc3dab6ee2a35c30484e9666f181c76669d6cc9e0e93c9512312d36f2db9baf730e

  • \Users\Admin\AppData\Roaming\mpr.exe

    Filesize

    91KB

    MD5

    4cf83bb0950ea8f23e9f64ec606dd30e

    SHA1

    0da75437799fc00859460985551c814707dcadf9

    SHA256

    962f79e95d01a06ea9c646c4f935956251e58e7887caf284d06233d2a50c5b09

    SHA512

    28cc2a71b633d20b61f93cde9896b8db68f5f2e2e8a5d180299b3a0558b37bf2807c477fafbcceb8308b463237fbf58ffa8704ab3f2c91cb3f61961647af3766

  • memory/2180-0-0x0000000074551000-0x0000000074552000-memory.dmp

    Filesize

    4KB

  • memory/2180-1-0x0000000074550000-0x0000000074AFB000-memory.dmp

    Filesize

    5.7MB

  • memory/2180-2-0x0000000074550000-0x0000000074AFB000-memory.dmp

    Filesize

    5.7MB

  • memory/2180-17-0x0000000074550000-0x0000000074AFB000-memory.dmp

    Filesize

    5.7MB

  • memory/2776-16-0x0000000000400000-0x00000000004F7000-memory.dmp

    Filesize

    988KB