Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
299s -
max time network
286s -
platform
windows10-2004_x64 -
resource
win10v2004-20250313-en -
resource tags
-
submitted
18/03/2025, 06:23
General
-
Target
96445ae765d1c9ef741b1987aab10b316fe12d11d7579ec237a0bb221df6f605.exe
-
Size
452KB
-
MD5
07c286fc278d5b87fa2510cbc50691dd
-
SHA1
b4c0166d681b26a44bfd4f18c8a1519d8707f6de
-
SHA256
96445ae765d1c9ef741b1987aab10b316fe12d11d7579ec237a0bb221df6f605
-
SHA512
d9b3ad65bb1748657b3d361eb64cd573865c95c70982552155a6a410f57b37a8038ebfe6a6366ad6a764ac9916c5bc1f6719985639569fed974de552f2546117
-
SSDEEP
6144:/vPBvEQR6H3Udg2FuHRfepwqHpA7b2+yO2COKCZJ:/vpv/R6H3U25fehHpAW+yOBOKCZJ
Malware Config
Extracted
qqpass
-
user_agent
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 4 IoCs
-
QQpass
QQpass is a trojan written in C++..
-
Qqpass family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\96445ae765d1c9ef741b1987aab10b316fe12d11d7579ec237a0bb221df6f605.exe"C:\Users\Admin\AppData\Local\Temp\96445ae765d1c9ef741b1987aab10b316fe12d11d7579ec237a0bb221df6f605.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\elxplorervytqe.exe"C:\Users\Admin\AppData\Local\Temp\elxplorervytqe.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
452KB
MD506fc833a87febe383cd21746e166e15c
SHA1f2eae5c6fd6ece617f51fd8c86e31a248ea745c4
SHA256a645f2fa6a9dbb807bbbdaf8c25c89293e58d4122a29da03bf0c3c23527ce0e0
SHA512f840cf09ebd7fd1f1b28bf3a94edc4124226e5faedc240c7cc49da60084d11035f464ed75ef316007ac53b9836ff87656a79cdb63dcd3773ca8819072913cfc9
-
Filesize
102B
MD5a00c1612477ac64985dba634ca7a0983
SHA1a1b2da105e5bfa7af71920ded086a76478cb7eb6
SHA2566954d5460e8772a0fbcbb5465b7c252f796c3001e8c708d0dcf32e56d0cbe5f9
SHA51202e158f03b3e3aba4798141ba8beeed2d11458730e4da2e09a03f1d4692b6d24c417a4515e3c7f30a2925dafe9adfdb1bc8859be1268d0ea5a1a6e059bd38cec
-
Filesize
460KB
-
Filesize
460KB
-
Filesize
460KB