Analysis

  • max time kernel
    149s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/03/2025, 19:39 UTC

General

  • Target

    e4c01e18876d4001d0a15f694c267951110f370b652b9eb3cd2705513bd61672.exe

  • Size

    166KB

  • MD5

    9c12af9ae41a52deefa450e8f2dc99ae

  • SHA1

    93ebae1bd6d68f23a4a2289d1ca1e1395de9dd5f

  • SHA256

    e4c01e18876d4001d0a15f694c267951110f370b652b9eb3cd2705513bd61672

  • SHA512

    6074dae4bdf1cf16a91128a76ea88d06d7474856921e73e7562ebc7a39cbbb3e292a8eaf698e5973d56433cba1be7ac86f16d9682b6b7a2fdf74d61180c64e37

  • SSDEEP

    3072:fhfxHNIBdQmNitcrE4mzfOv9lH5ANJaYN2C:f1piBdfitcrCDOzHWt2C

Malware Config

Extracted

Family

qqpass

C2

http://www.iceboy.net/iceboy.htm?id=100000

Attributes
  • url

    http://www.iceboy.net/automyexe_up.exe

  • user_agent

    Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Signatures

  • QQpass

    QQpass is a trojan written in C++.

  • Qqpass family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies system executable filetype association 2 TTPs 5 IoCs
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e4c01e18876d4001d0a15f694c267951110f370b652b9eb3cd2705513bd61672.exe
    "C:\Users\Admin\AppData\Local\Temp\e4c01e18876d4001d0a15f694c267951110f370b652b9eb3cd2705513bd61672.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Windows\system\rundll32.exe
      C:\Windows\system\rundll32.exe
      2⤵
      • Executes dropped EXE
      • Modifies system executable filetype association
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:2360

Network

  • Country: US
    DNS
    www.iceboy.net
    rundll32.exe
    Remote address:
    8.8.8.8:53
    Request
    www.iceboy.net
    IN A
    Response
    www.iceboy.net
    IN A
    76.223.54.146
    www.iceboy.net
    IN A
    13.248.169.48
  • Country: US
    GET
    http://www.iceboy.net/iceboy.htm?id=100000
    rundll32.exe
    Remote address:
    76.223.54.146:80
    Request
    GET /iceboy.htm?id=100000 HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: www.iceboy.net
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    content-type: text/html
    date: Tue, 18 Mar 2025 19:39:44 GMT
    content-length: 124
  • 76.223.54.146:80
    http://www.iceboy.net/iceboy.htm?id=100000
    http
    rundll32.exe
    839 B
    358 B
    11
    3

    HTTP Request

    GET http://www.iceboy.net/iceboy.htm?id=100000

    HTTP Response

    200
  • 8.8.8.8:53
    www.iceboy.net
    dns
    rundll32.exe
    60 B
    92 B
    1
    1

    DNS Request

    www.iceboy.net

    DNS Response

    76.223.54.146
    13.248.169.48

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\notepad¢¬.exe

    Filesize

    168KB

    MD5

    02114da62e150096766728cecc6055e5

    SHA1

    0199b965d18a9d732f9b4591edfae026b6e7e8d8

    SHA256

    8dc1e2e43a40846843db6df3edfeb11b0e7277fd7e1ec73603d17590a0d10d98

    SHA512

    9b34e6beca9d48e43247de76d982ab1cb3e4b45c9346cd8492c17f030198010fd21c7a98de6833960bf8e27e3f62032b8141425ed22f489c8c430e12315ef78f

  • \Windows\system\rundll32.exe

    Filesize

    161KB

    MD5

    27496dbc50bb9b4590d117b0f0d5a089

    SHA1

    4df796e4a089b1b3211e8b9d0c30955e26dc6d10

    SHA256

    d6d5c7d0791f277a5ba296c1aec453290d841094d906a04e7d6443318878daba

    SHA512

    54ea6d55b716cb3754dcdf647df1705661664309fd06027b5ff3a0ea85dd37aae28527d6f50c3dce772a0ff0080eef94376bf54ce295ff1d9519ee165ee0f4b5
