Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/03/2025, 20:51

General

  • Target

    723870cdf04a3d5861b1ab9b2d361f73343cb2eb7e89b9ca45023b6ba0b4f1f5.exe

  • Size

    159KB

  • MD5

    1e2d964910960d4b3333e607b5015721

  • SHA1

    7a1c685838ca87e354dbf2d15e8240a0c2cccaa8

  • SHA256

    723870cdf04a3d5861b1ab9b2d361f73343cb2eb7e89b9ca45023b6ba0b4f1f5

  • SHA512

    2ea9a15d91b79b8de8a0e7284eda2807073c1b5dc2eaa2479047f8abf8a27cc16c1ec7d62b27cda56307246ba9a9997509ade84424fecfbbd8216e8ccf70fda1

  • SSDEEP

    3072:fhfxHNIBdQmNitcrE4mzfOv9lH5ANJaYN2:f1piBdfitcrCDOzHWt2

Malware Config

Extracted

Family

qqpass

C2

http://www.iceboy.net/iceboy.htm?id=100000

Attributes
  • url

    http://www.iceboy.net/automyexe_up.exe

  • user_agent

    Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Signatures

  • QQpass

    QQpass is a trojan written in C++.

  • Qqpass family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies system executable filetype association 2 TTPs 5 IoCs
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\723870cdf04a3d5861b1ab9b2d361f73343cb2eb7e89b9ca45023b6ba0b4f1f5.exe
    "C:\Users\Admin\AppData\Local\Temp\723870cdf04a3d5861b1ab9b2d361f73343cb2eb7e89b9ca45023b6ba0b4f1f5.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1824
    • C:\Windows\system\rundll32.exe
      C:\Windows\system\rundll32.exe
      2⤵
      • Executes dropped EXE
      • Modifies system executable filetype association
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:2300

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\notepad¢¬.exe

    Filesize

    173KB

    MD5

    fcde17a2905abdb74a11b89329165c7e

    SHA1

    5771660ddee9a92f7cebf1f2a2fa4d6ca1ffc735

    SHA256

    6e499423b9836fa2b07bef1766445bca446080299a787c1c70d0263aa5a50ca2

    SHA512

    8b94820e5e7f7ad6952918889b1d53ae65b229079a3b7885ea59ef0a13ba4f779e302ee0c6389d885ddadd921c8c942fb5d49e4f8bd4badb888cc396b0830e05

  • \Windows\system\rundll32.exe

    Filesize

    173KB

    MD5

    f06015931fdebea4df89d5bc5e2ca319

    SHA1

    287c9cca3463fdbeb2810672db5ae572205c6448

    SHA256

    e3d4ffebd9016f6d9ec4b627e6a696328bdcb26d80c0c8b63d9a8a2491524fbf

    SHA512

    7bcca624b96d65d9d74acab6df4df9ef8cf524e69a9486b9dd830a006775a80f0689fafdb47d9d4fb59593bcc7fc3c98cb73cd927f804d6779ef053d0ab15d50