Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
116s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
23/03/2025, 05:42
General
-
Target
a09ad657f4de428f42e5844008a2cfed68075ba4fa5413aeb6635cb0aa6d521f.exe
-
Size
28KB
-
MD5
64cdbe318ab8921f4f797545fa28eaba
-
SHA1
c4884a6717dc010ff0af0735a078226734b80307
-
SHA256
a09ad657f4de428f42e5844008a2cfed68075ba4fa5413aeb6635cb0aa6d521f
-
SHA512
d5cc523260bc6b2fc30cbef932757fa062f41beffe98cdb0b2fdb0a34e4a980b9789c17f7c67281dbc68a0eff593bf1b8c2911cb31d5f563da5274264204927c
-
SSDEEP
768:plsh/EIjPBW7LmLq0bv7rox9vXy7xj000k:pr6P8uLq0bvuR+j
Malware Config
Extracted
qqpass
http://www.rongshuxia.com/rss/viewart.rs?aid=1828
-
url
http://www.mxm9191.com/myrunner_up.exe
-
user_agent
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Signatures
-
QQpass
QQpass is a trojan written in C++..
-
Qqpass family
-
Executes dropped EXE 2 IoCs
-
Modifies system executable filetype association 2 TTPs 5 IoCs
-
Drops file in System32 directory 6 IoCs
-
Drops file in Windows directory 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 15 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a09ad657f4de428f42e5844008a2cfed68075ba4fa5413aeb6635cb0aa6d521f.exe"C:\Users\Admin\AppData\Local\Temp\a09ad657f4de428f42e5844008a2cfed68075ba4fa5413aeb6635cb0aa6d521f.exe"1⤵
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system\rundll32.exeC:\Windows\system\rundll32.exe2⤵
- Executes dropped EXE
- Modifies system executable filetype association
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\DMe.exe"C:\Windows\system32\DMe.exe" C:\Users\Admin\AppData\Local\Temp\a09ad657f4de428f42e5844008a2cfed68075ba4fa5413aeb6635cb0aa6d521f.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
28KB
MD564cdbe318ab8921f4f797545fa28eaba
SHA1c4884a6717dc010ff0af0735a078226734b80307
SHA256a09ad657f4de428f42e5844008a2cfed68075ba4fa5413aeb6635cb0aa6d521f
SHA512d5cc523260bc6b2fc30cbef932757fa062f41beffe98cdb0b2fdb0a34e4a980b9789c17f7c67281dbc68a0eff593bf1b8c2911cb31d5f563da5274264204927c
-
Filesize
27KB
MD54d10e39a848cafcfd43dae2c3b08fc76
SHA1f7f54c4f10edccf8485557f1084371aa4c281900
SHA256d7a978f790d128630a0bdf1816e95e45b8c1ba7d1488810ebecd6e2ef67b0106
SHA512dc959d122c42d4530ac89866e09323ea301f5fb1070973fa1cb1d7e07d41f2d6bad92262675f661252e6e4ca789c4ba58472b55ace98778aab982dbba0a142f3
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB