Analysis

  • max time kernel
    149s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/03/2025, 20:51

General

  • Target

    723870cdf04a3d5861b1ab9b2d361f73343cb2eb7e89b9ca45023b6ba0b4f1f5.exe

  • Size

    159KB

  • MD5

    1e2d964910960d4b3333e607b5015721

  • SHA1

    7a1c685838ca87e354dbf2d15e8240a0c2cccaa8

  • SHA256

    723870cdf04a3d5861b1ab9b2d361f73343cb2eb7e89b9ca45023b6ba0b4f1f5

  • SHA512

    2ea9a15d91b79b8de8a0e7284eda2807073c1b5dc2eaa2479047f8abf8a27cc16c1ec7d62b27cda56307246ba9a9997509ade84424fecfbbd8216e8ccf70fda1

  • SSDEEP

    3072:fhfxHNIBdQmNitcrE4mzfOv9lH5ANJaYN2:f1piBdfitcrCDOzHWt2

Malware Config

Extracted

Family

qqpass

C2

http://www.iceboy.net/iceboy.htm?id=100000

Attributes
  • url

    http://www.iceboy.net/automyexe_up.exe

  • user_agent

    Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Signatures

  • QQpass

    QQpass is a trojan written in C++.

  • Qqpass family
  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 5 IoCs
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\723870cdf04a3d5861b1ab9b2d361f73343cb2eb7e89b9ca45023b6ba0b4f1f5.exe
    "C:\Users\Admin\AppData\Local\Temp\723870cdf04a3d5861b1ab9b2d361f73343cb2eb7e89b9ca45023b6ba0b4f1f5.exe"
    1⤵
    • Modifies system executable filetype association
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2632
    • C:\Windows\system\rundll32.exe
      C:\Windows\system\rundll32.exe
      2⤵
      • Executes dropped EXE
      • Modifies system executable filetype association
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:3720
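As an added example (not tria.ge code and not part of this report), the Python below turns the indicators above into checks a responder can run over endpoint and proxy telemetry: the dropped rundll32.exe running from C:\Windows\system\ rather than System32, a modified exefile open command (the "Modifies system executable filetype association" signature), traffic to the configured C2 host, and the file hashes. All telemetry records are constructed, and the hijacked registry value shown is a hypothetical illustration of what that signature catches, not a value logged in this analysis.

```python
"""Triage helper built from the indicators in the report above.

Added example: this is not tria.ge code, and the telemetry at the bottom is constructed.
"""
import hashlib
from urllib.parse import urlparse

# Indicators copied from the report.
SAMPLE_SHA256 = "723870cdf04a3d5861b1ab9b2d361f73343cb2eb7e89b9ca45023b6ba0b4f1f5"
KNOWN_SHA256 = {
    SAMPLE_SHA256,
    "921e227bf79f7cb80de25d23e2588a4b84cb54fd6ab14ba208b0c341e523ab16",  # dropped C:\Windows\System\rundll32.exe
    "7318ec07cf985ceb16f144a70cc5e738587011542a15dcad44401889ad2dadc8",  # dropped C:\Windows\SysWOW64\notepad*.exe
}
C2_URL = "http://www.iceboy.net/iceboy.htm?id=100000"
PAYLOAD_URL = "http://www.iceboy.net/automyexe_up.exe"
C2_HOSTS = {urlparse(u).hostname for u in (C2_URL, PAYLOAD_URL)}  # {"www.iceboy.net"}
USER_AGENT = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

# Stock (Default) value of HKCR\exefile\shell\open\command on Windows.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'
# Where the real rundll32.exe lives; the report's copy runs from C:\Windows\system\ (no "32").
LEGIT_RUNDLL32_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def sha256_hex(data: bytes) -> str:
    """Hex SHA256, the form used in the report's hash fields."""
    return hashlib.sha256(data).hexdigest()


def rundll32_path_is_masqueraded(path: str) -> bool:
    """True when a file named rundll32.exe runs from anywhere but its two real locations.
    WinSxS copies would also flag; for triage that is acceptable noise."""
    p = path.replace("/", "\\").lower()
    directory, _, name = p.rpartition("\\")
    return name == "rundll32.exe" and directory not in LEGIT_RUNDLL32_DIRS


def exefile_command_is_hijacked(value: str) -> bool:
    """True when the exefile open command is anything other than the stock '"%1" %*'.
    Whitespace is normalised so '"%1"  %*' still counts as the default."""
    return " ".join(value.split()) != DEFAULT_EXEFILE_COMMAND


def http_request_matches(host: str, user_agent: str) -> bool:
    """Match on the configured C2 host only. The IE6/XP user agent from the config
    is far too generic to alert on by itself; it can only corroborate a host match."""
    return host.lower() in C2_HOSTS


def triage(events):
    """Return one finding per telemetry record that matches a report indicator."""
    findings = []
    for ev in events:
        if ev["type"] == "process" and rundll32_path_is_masqueraded(ev["image"]):
            findings.append(f"masqueraded rundll32 at {ev['image']} (pid {ev['pid']})")
        elif (ev["type"] == "registry"
              and ev["key"].lower().endswith(r"exefile\shell\open\command")
              and exefile_command_is_hijacked(ev["value"])):
            findings.append(f"exefile handler hijacked: {ev['value']}")
        elif ev["type"] == "http" and http_request_matches(ev["host"], ev["user_agent"]):
            findings.append(f"C2 traffic to {ev['host']}{ev['path']}")
        elif ev["type"] == "file" and ev["sha256"] in KNOWN_SHA256:
            findings.append(f"known hash written to {ev['path']}")
    return findings


# Constructed telemetry (not from the report). The hijacked registry value is a
# hypothetical example of what the signature catches, not a value the sandbox logged.
TELEMETRY = [
    {"type": "process", "image": r"C:\Windows\system\rundll32.exe", "pid": 3720, "ppid": 2632},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe", "pid": 4100, "ppid": 900},
    {"type": "registry", "key": r"HKCR\exefile\shell\open\command",
     "value": r'C:\Windows\system\rundll32.exe "%1" %*'},
    {"type": "registry", "key": r"HKCR\exefile\shell\open\command", "value": '"%1" %*'},
    {"type": "http", "host": "www.iceboy.net", "path": "/iceboy.htm", "user_agent": USER_AGENT},
    {"type": "http", "host": "www.example.com", "path": "/", "user_agent": "Mozilla/5.0"},
    {"type": "file", "path": r"C:\Windows\System\rundll32.exe",
     "sha256": "921e227bf79f7cb80de25d23e2588a4b84cb54fd6ab14ba208b0c341e523ab16"},
]

if __name__ == "__main__":
    for line in triage(TELEMETRY):
        print(line)
```

Run as-is it reports four findings from the constructed records (the masqueraded rundll32, the hijacked exefile command, the request to www.iceboy.net, and the dropped-file hash) and ignores the three benign ones. The exefile check deliberately compares against the stock value rather than looking for a specific malicious string, so any handler rewrite is caught, and the user agent is treated as corroboration only because it is a generic IE6 string.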

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\notepad¢¬.exe

    Filesize

    154KB

    MD5

    e754d0fa8ffdddb571185d6b116b8a6c

    SHA1

    0d21d97ded6b4fdb273e6d0ee9df55e926521baf

    SHA256

    7318ec07cf985ceb16f144a70cc5e738587011542a15dcad44401889ad2dadc8

    SHA512

    654b6d183189ea2e9566646042413fe70d947fff8a68acf379038dac547c244bdf5675ee51ed899ea3a71b0a890ed6b1f868ff22fa7c61c8c43dee75635ccaf5

  • C:\Windows\System\rundll32.exe

    Filesize

    159KB

    MD5

    4220ad1b3eeca9bf38f50a1dbc1569e5

    SHA1

    a232a59a177809c0142d0fc523a960ac9ac61d74

    SHA256

    921e227bf79f7cb80de25d23e2588a4b84cb54fd6ab14ba208b0c341e523ab16

    SHA512

    99df7accf985c38ab29b73a692f58fb3a2aef16c08eed5af282b1470beeedd7b4638ee3269ab89012d79126c079dd35526cb68302a3aabfa2f8a9fc169e58a0d