Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 299s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 18/03/2025, 01:05
Behavioral task: behavioral1
Sample: 16cc88e682c36823d09dd1d626fc315b960fca78aa798d7f75e799de7c21886a.exe
Resource: win7-20240903-en
General
Target: 16cc88e682c36823d09dd1d626fc315b960fca78aa798d7f75e799de7c21886a.exe
Size: 440KB
MD5: d545053a9c721cc5b9d513264beb92b8
SHA1: 31bcda7c3aebeae23edbe73782d68416805dd9e8
SHA256: 16cc88e682c36823d09dd1d626fc315b960fca78aa798d7f75e799de7c21886a
SHA512: 1eec9db9fdc723d47539801a4bf69dbdbae7670609b8575b4a5e7eec4829909fa8b6f71abc601c19c1f77e876ecbf290c775d98fdabb76b3c781afe60e58cf3e
SSDEEP: 6144:xozXQKqfmiiyWwuiFOLeyOV0R7YRXxMSaAW:xgXQKSLpOCtV0R8xMSaAW
Malware Config
Extracted
family: qqpass
http://lol.qq.com/act/a20141212poroking/index.htm?atm_cl=ctips&atm_pos=1257?ADTAG=media.innerenter.client.jump
url: http://i2.tietuku.com/ebdef15df1128b31.png
user_agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Signatures
- Blackmoon family
- Detect Blackmoon payload (1 IoC)
  resource: behavioral1/files/0x0007000000015d48-13.dat; yara_rule: family_blackmoon
- Qqpass family
- Deletes itself (1 IoC)
  pid 2592, process Syslemdhvap.exe
- Executes dropped EXE (1 IoC)
  pid 2592, process Syslemdhvap.exe
- Loads dropped DLL (2 IoCs)
  pid 2744, process 16cc88e682c36823d09dd1d626fc315b960fca78aa798d7f75e799de7c21886a.exe (2 entries)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: 16cc88e682c36823d09dd1d626fc315b960fca78aa798d7f75e799de7c21886a.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2744, process 16cc88e682c36823d09dd1d626fc315b960fca78aa798d7f75e799de7c21886a.exe (8 entries)
  pid 2592, process Syslemdhvap.exe (56 entries)
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 2744 wrote to memory of 2592; pid 2744; process 16cc88e682c36823d09dd1d626fc315b960fca78aa798d7f75e799de7c21886a.exe; procid_target 32 (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\16cc88e682c36823d09dd1d626fc315b960fca78aa798d7f75e799de7c21886a.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\16cc88e682c36823d09dd1d626fc315b960fca78aa798d7f75e799de7c21886a.exe"
   PID: 2744
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\Syslemdhvap.exe (child of PID 2744)
   command line: "C:\Users\Admin\AppData\Local\Temp\Syslemdhvap.exe"
   PID: 2592
   - Deletes itself
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 440KB
  MD5: 656b79389acc86f45a106eefce342977
  SHA1: 6d547a65aeb3012b81bf743bfce1d343c860b126
  SHA256: c158981c79a88862ca6abbee5e803cdc81f237e68cca8f1689ca8e8aece85660
  SHA512: 3dbde7cd61a9de69351346b22c8001f5468d45e386b64ed8a3ed6e56bfc7ffe16460d86a87898dabe26402308ba1578d8d4ac27c41404c910fcc6563e00b6d4c
- Filesize: 102B
  MD5: dcbdd25641e21844b2edbc2d5fab7066
  SHA1: ef8bb78633d5123b09cdf3bb94933aa1b3384bbd
  SHA256: fbe5d2884ad88173e7bbed99f3acf6b1e9795a8528b577bdd36318b960dd34ae
  SHA512: e22b49c4bf7d19da0f526d79e535e77a3cb23e6b306a0dea19f573a2a731a6d45d670b169f1bad55f0a70cae55c9982fb24ea30170ef64fd00a8ac6d081c6cf3