Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

4e41422bb2...e1.exe

windows7-x64

10

4e41422bb2...e1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    299s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18/03/2025, 03:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4e41422bb2b4d06ee9d73a82ddb4bb23d2a57d76f4a04d8fae29293ec3a309e1.exe

  • Size

    366KB

  • MD5

    355d2ded45a14353d8f45b36d2ba98ee

  • SHA1

    caefd74e1104c5f5ffa0d375c043b5974195692c

  • SHA256

    4e41422bb2b4d06ee9d73a82ddb4bb23d2a57d76f4a04d8fae29293ec3a309e1

  • SHA512

    d0f239398b6f33c38d158603ed558ac9f78bd605e04c76835cfbf96299022989c0a7401218a0332c7ac9b74e1dd9b4c6dcc31f342465994b82aad098fa6ca580

  • SSDEEP

    6144:BSfSHl+gv5gY1F53Aul/Egv4+E6qnwEGvIkJ7G9P1w:B2SHl+gv5gY1b5Eo4+EsEEIkJ7G9P1w

Score
10/10
blackmoonqqpassbankerdiscoverytrojan

Malware Config

Extracted

Family

qqpass

C2

http://lol.qq.com/act/a20141212poroking/index.htm?atm_cl=ctips&atm_pos=1257?ADTAG=media.innerenter.client.jump

Attributes
  • url

    http://i2.tietuku.com/ebdef15df1128b31.png

  • user_agent

    Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Signatures

  • Blackmoon family
    blackmoon
  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 1 IoCs
  • QQpass

    QQpass is a trojan written in C++..

    trojanqqpass
  • Qqpass family
    qqpass
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4e41422bb2b4d06ee9d73a82ddb4bb23d2a57d76f4a04d8fae29293ec3a309e1.exe
    "C:\Users\Admin\AppData\Local\Temp\4e41422bb2b4d06ee9d73a82ddb4bb23d2a57d76f4a04d8fae29293ec3a309e1.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Users\Admin\AppData\Local\Temp\Syslemqbabm.exe
      "C:\Users\Admin\AppData\Local\Temp\Syslemqbabm.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:768

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\lpath.ini
    Filesize

    102B

    MD5

    039e2e82d3f5b880f6e375c8501dfd05

    SHA1

    4a7034365c968f40f105004af27c957f90af0536

    SHA256

    c3af00f04ce5844b8a5d1dc164b54ff6e13aa59897cf90afecac745c68c645fa

    SHA512

    3a09257f070bb5e19783e6cc2e79e1a6a11f542c569b374663777ed69bcb0b643f3d5b1cc96d5ee0df9e62c9bac6d74a41a028e6ff47568a4656165041a8080a

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Syslemqbabm.exe
    Filesize

    366KB

    MD5

    d7187fb563a0cd3e753bd3843f84ab44

    SHA1

    ddd3e0f0b0a7b419edd248149c527e5a7f22f520

    SHA256

    93965d6fb43183b1f16102087fc90feca05b8e40d17016cf1b8e28b17cc5aca2

    SHA512

    56abdd40daccb3cc49cc058cb1ab40b30a943f682338a8c4253ec121912d00b982f8e0f423ca189c4bf0a8d76f6c8faeeda8efaa8234c4a77931a386ec53782c

    Download Submit