Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

a09ad657f4...1f.exe

windows7-x64

10

a09ad657f4...1f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    23/03/2025, 05:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a09ad657f4de428f42e5844008a2cfed68075ba4fa5413aeb6635cb0aa6d521f.exe

  • Size

    28KB

  • MD5

    64cdbe318ab8921f4f797545fa28eaba

  • SHA1

    c4884a6717dc010ff0af0735a078226734b80307

  • SHA256

    a09ad657f4de428f42e5844008a2cfed68075ba4fa5413aeb6635cb0aa6d521f

  • SHA512

    d5cc523260bc6b2fc30cbef932757fa062f41beffe98cdb0b2fdb0a34e4a980b9789c17f7c67281dbc68a0eff593bf1b8c2911cb31d5f563da5274264204927c

  • SSDEEP

    768:plsh/EIjPBW7LmLq0bv7rox9vXy7xj000k:pr6P8uLq0bvuR+j

Score
10/10
qqpassdiscoverypersistencetrojan

Malware Config

Extracted

Family

qqpass

C2

http://www.rongshuxia.com/rss/viewart.rs?aid=1828

Attributes
  • url

    http://www.mxm9191.com/myrunner_up.exe

  • user_agent

    Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Signatures

  • QQpass

    QQpass is a trojan written in C++..

    trojanqqpass
  • Qqpass family
    qqpass
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Modifies system executable filetype association 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 15 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
    defense_evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a09ad657f4de428f42e5844008a2cfed68075ba4fa5413aeb6635cb0aa6d521f.exe
    "C:\Users\Admin\AppData\Local\Temp\a09ad657f4de428f42e5844008a2cfed68075ba4fa5413aeb6635cb0aa6d521f.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2628
    • C:\Windows\system\rundll32.exe
      C:\Windows\system\rundll32.exe
      2⤵
      • Executes dropped EXE
      • Modifies system executable filetype association
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1912
    • C:\Windows\SysWOW64\DMe.exe
      "C:\Windows\system32\DMe.exe" C:\Users\Admin\AppData\Local\Temp\a09ad657f4de428f42e5844008a2cfed68075ba4fa5413aeb6635cb0aa6d521f.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2844

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    71KB

    MD5

    83142242e97b8953c386f988aa694e4a

    SHA1

    833ed12fc15b356136dcdd27c61a50f59c5c7d50

    SHA256

    d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

    SHA512

    bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

    Download Submit

  • C:\Windows\SysWOW64\notepad¢¬.exe
    Filesize

    27KB

    MD5

    4d10e39a848cafcfd43dae2c3b08fc76

    SHA1

    f7f54c4f10edccf8485557f1084371aa4c281900

    SHA256

    d7a978f790d128630a0bdf1816e95e45b8c1ba7d1488810ebecd6e2ef67b0106

    SHA512

    dc959d122c42d4530ac89866e09323ea301f5fb1070973fa1cb1d7e07d41f2d6bad92262675f661252e6e4ca789c4ba58472b55ace98778aab982dbba0a142f3

    Download Submit

  • \Windows\SysWOW64\DMe.exe
    Filesize

    28KB

    MD5

    64cdbe318ab8921f4f797545fa28eaba

    SHA1

    c4884a6717dc010ff0af0735a078226734b80307

    SHA256

    a09ad657f4de428f42e5844008a2cfed68075ba4fa5413aeb6635cb0aa6d521f

    SHA512

    d5cc523260bc6b2fc30cbef932757fa062f41beffe98cdb0b2fdb0a34e4a980b9789c17f7c67281dbc68a0eff593bf1b8c2911cb31d5f563da5274264204927c

    Download Submit

  • memory/1912-77-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download

  • memory/1912-78-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download

  • memory/1912-81-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download

  • memory/1912-80-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download

  • memory/1912-79-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download

  • memory/1912-76-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download

  • memory/1912-57-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download

  • memory/1912-75-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download

  • memory/1912-73-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download

  • memory/1912-74-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2628-12-0x00000000004A0000-0x00000000004B5000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2628-0-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2628-17-0x00000000004A0000-0x00000000004B5000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2628-56-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2628-52-0x0000000001D20000-0x0000000001D35000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2628-50-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2844-54-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download