Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

16cc88e682...6a.exe

windows7-x64

10

16cc88e682...6a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20250207-en
  • resource tags

    arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
  • submitted
    18/03/2025, 01:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    16cc88e682c36823d09dd1d626fc315b960fca78aa798d7f75e799de7c21886a.exe

  • Size

    440KB

  • MD5

    d545053a9c721cc5b9d513264beb92b8

  • SHA1

    31bcda7c3aebeae23edbe73782d68416805dd9e8

  • SHA256

    16cc88e682c36823d09dd1d626fc315b960fca78aa798d7f75e799de7c21886a

  • SHA512

    1eec9db9fdc723d47539801a4bf69dbdbae7670609b8575b4a5e7eec4829909fa8b6f71abc601c19c1f77e876ecbf290c775d98fdabb76b3c781afe60e58cf3e

  • SSDEEP

    6144:xozXQKqfmiiyWwuiFOLeyOV0R7YRXxMSaAW:xgXQKSLpOCtV0R8xMSaAW

Score
10/10
blackmoonqqpassbankerdiscoverytrojan

Malware Config

Extracted

Family

qqpass

C2

http://lol.qq.com/act/a20141212poroking/index.htm?atm_cl=ctips&atm_pos=1257?ADTAG=media.innerenter.client.jump

Attributes
  • url

    http://i2.tietuku.com/ebdef15df1128b31.png

  • user_agent

    Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Signatures

  • Blackmoon family
    blackmoon
  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 1 IoCs
  • QQpass

    QQpass is a trojan written in C++..

    trojanqqpass
  • Qqpass family
    qqpass
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\16cc88e682c36823d09dd1d626fc315b960fca78aa798d7f75e799de7c21886a.exe
    "C:\Users\Admin\AppData\Local\Temp\16cc88e682c36823d09dd1d626fc315b960fca78aa798d7f75e799de7c21886a.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Users\Admin\AppData\Local\Temp\Syslemfuyvr.exe
      "C:\Users\Admin\AppData\Local\Temp\Syslemfuyvr.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2832

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\lpath.ini
    Filesize

    102B

    MD5

    dcbdd25641e21844b2edbc2d5fab7066

    SHA1

    ef8bb78633d5123b09cdf3bb94933aa1b3384bbd

    SHA256

    fbe5d2884ad88173e7bbed99f3acf6b1e9795a8528b577bdd36318b960dd34ae

    SHA512

    e22b49c4bf7d19da0f526d79e535e77a3cb23e6b306a0dea19f573a2a731a6d45d670b169f1bad55f0a70cae55c9982fb24ea30170ef64fd00a8ac6d081c6cf3

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Syslemfuyvr.exe
    Filesize

    440KB

    MD5

    738beb9249468ee9ed19190868347369

    SHA1

    853e1bf406079845e70db4d9e1394f5a4e6b2c45

    SHA256

    8096144219454341a403fcff3de863b33913d066c56da9475f23bbea924c79df

    SHA512

    13a54397002d21b58ecf1c95b53220ebf01faa2a776545743268b2f981a5fe38983700b1eb31cb62c254e84c56928609ec32d37deec81b5fd9e8908c2f2f1a6e

    Download Submit