Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 151s
max time network: 169s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/10/2022, 15:34
Static task: static1
Behavioral task: behavioral1
  Sample: fc08850bf8f665229185af91db6b836e04754ac43b66716268503870f1e9bd6b.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: fc08850bf8f665229185af91db6b836e04754ac43b66716268503870f1e9bd6b.exe
  Resource: win10v2004-20220812-en
General
Target: fc08850bf8f665229185af91db6b836e04754ac43b66716268503870f1e9bd6b.exe
Size: 140KB
MD5: 7a8f1bfac118b61c8c82f46092e932fa
SHA1: 587533647ea62f9d57634be5b5bd8f2c77d2420d
SHA256: fc08850bf8f665229185af91db6b836e04754ac43b66716268503870f1e9bd6b
SHA512: 452ae25e8b5271719d18a58f964b74126f21f35ac1c1f7263792952c38094c791933c3c36464a5968ab55ff5115c65e4bd96459ce1ef4c2027b00a4c472ea012
SSDEEP: 3072:Pl2rgl1JmkD73mQtFDPB1P85XvbM7h8bdaqmRIxqeHHNMxiz2:Psr61J/72QtFDPB1P85Xvw7h8boqfqeU
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  Set value (int)  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  [fc08850bf8f665229185af91db6b836e04754ac43b66716268503870f1e9bd6b.exe]
  Set value (int)  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  [qioix.exe]
- Executes dropped EXE (1 IoC)
  PID 2236  qioix.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  [fc08850bf8f665229185af91db6b836e04754ac43b66716268503870f1e9bd6b.exe]
- Adds Run key to start application (2 TTPs, 54 IoCs)
  All 54 IoCs are under one key:
  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  fc08850bf8f665229185af91db6b836e04754ac43b66716268503870f1e9bd6b.exe (2 IoCs):
    Key created  ...\Software\Microsoft\Windows\CurrentVersion\Run\
    Set value (str)  ...\Run\qioix = "C:\\Users\\Admin\\qioix.exe /O"
  qioix.exe (52 IoCs):
    Key created  ...\Software\Microsoft\Windows\CurrentVersion\Run\
    Set value (str)  ...\Run\qioix = "C:\\Users\\Admin\\qioix.exe /<switch>", written 51 times, each time with a different single-letter switch, in the order the report lists them:
    /n /I /K /Y /V /U /R /Z /a /v /u /O /j /J /l /g /D /F /i /y /A /f /t /X /b /k /d /o /m /C /r /E /p /q /h /L /G /w /S /P /e /z /W /N /H /B /x /c /s /M /Q
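The three registry signatures above (ShowSuperHidden set to 0, the Geo\Nation lookup, and a Run value under the user hive that points at an executable sitting directly in C:\Users\Admin\ and is rewritten 51 times with a different switch) are a pattern that can be matched on host telemetry. The following is an added example, not part of the tria.ge report: it runs that logic over registry events constructed from the report's IoCs, plus one invented, unrelated Run value for contrast. The RegEvent shape, the tag names, the churn threshold of 3 and the "ExampleApp" entry are all assumptions of this example.

```python
import re
from dataclasses import dataclass


# Constructed event shape approximating the report's "description / ioc / process" rows.
@dataclass(frozen=True)
class RegEvent:
    action: str    # "Set value (str)", "Set value (int)", "Key created", "Key value queried"
    path: str      # registry path as the sandbox prints it (\REGISTRY\USER\<SID>\...)
    data: str      # value written; "" for key creation and queries
    process: str   # image name of the acting process


RUN_VALUE = re.compile(r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.I)
# Executable directly under the profile root (C:\Users\<user>\<file>.exe) followed by one
# single-letter switch: the shape of every Run value in the report. Deeper paths (AppData, ...)
# deliberately do not match.
PROFILE_ROOT_EXE = re.compile(r'^"?C:\\Users\\[^\\]+\\[^\\]+\.exe"?\s+/[A-Za-z]$')
SHOW_SUPER_HIDDEN = re.compile(r"\\Explorer\\Advanced\\ShowSuperHidden$", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)


def classify(ev):
    """Tags for a single registry event (assumed tag names)."""
    tags = []
    if ev.action.startswith("Set value"):
        if RUN_VALUE.search(ev.path):
            tags.append("run-key-persistence")
            if PROFILE_ROOT_EXE.match(ev.data):
                tags.append("run-key-profile-root-exe")
        if SHOW_SUPER_HIDDEN.search(ev.path) and ev.data == "0":
            tags.append("hides-super-hidden-files")
    if ev.action == "Key value queried" and GEO_NATION.search(ev.path):
        tags.append("geo-nation-lookup")
    return tags


def summarize(events):
    """Per process: the set of tags plus every distinct command line written to each Run value."""
    report = {}
    for ev in events:
        entry = report.setdefault(ev.process, {"tags": set(), "run_values": {}})
        entry["tags"].update(classify(ev))
        m = RUN_VALUE.search(ev.path)
        if m and ev.action.startswith("Set value"):
            entry["run_values"].setdefault(m.group("name"), set()).add(ev.data)
    # The same Run value rewritten repeatedly with a different command line (here a different
    # switch each time) is its own signal; the threshold of 3 is an assumption of this example.
    for entry in report.values():
        if any(len(cmds) >= 3 for cmds in entry["run_values"].values()):
            entry["tags"].add("run-value-churn")
    return report


SID = r"\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000"
RUN_KEY = SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SUPER_HIDDEN = SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden"
PARENT = "fc08850bf8f665229185af91db6b836e04754ac43b66716268503870f1e9bd6b.exe"
CHILD = "qioix.exe"

# Constructed from the report's IoCs: the parent's Geo\Nation query, ShowSuperHidden=0 and its
# single Run write, the child's ShowSuperHidden=0 and its first eleven Run rewrites. The
# "ExampleApp" Run value and "ExampleSetup.exe" process are invented for contrast.
SAMPLE_EVENTS = [
    RegEvent("Key value queried", SID + r"\Control Panel\International\Geo\Nation", "", PARENT),
    RegEvent("Set value (int)", SUPER_HIDDEN, "0", PARENT),
    RegEvent("Key created", RUN_KEY + "\\", "", PARENT),
    RegEvent("Set value (str)", RUN_KEY + r"\qioix", r"C:\Users\Admin\qioix.exe /O", PARENT),
    RegEvent("Set value (int)", SUPER_HIDDEN, "0", CHILD),
    RegEvent("Set value (str)", RUN_KEY + r"\ExampleApp",
             r"C:\Users\Admin\AppData\Local\ExampleApp\ExampleApp.exe /background", "ExampleSetup.exe"),
] + [
    RegEvent("Set value (str)", RUN_KEY + r"\qioix", r"C:\Users\Admin\qioix.exe /" + sw, CHILD)
    for sw in "nIKYVURZavu"
]

if __name__ == "__main__":
    for proc, entry in summarize(SAMPLE_EVENTS).items():
        print(proc, sorted(entry["tags"]), {k: len(v) for k, v in entry["run_values"].items()})
```

The profile-root check is what separates this from ordinary Run-key noise: a Run value alone fires for the invented ExampleApp entry too, but only the report's pattern (executable at the top of the user profile, one-letter switch, dozens of rewrites) collects the full tag set.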
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 3108  fc08850bf8f665229185af91db6b836e04754ac43b66716268503870f1e9bd6b.exe  (2 entries)
  PID 2236  qioix.exe  (62 entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 3108  fc08850bf8f665229185af91db6b836e04754ac43b66716268503870f1e9bd6b.exe
  PID 2236  qioix.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3108 (fc08850bf8f665229185af91db6b836e04754ac43b66716268503870f1e9bd6b.exe) wrote to the memory of PID 2236, procid_target 84; three identical entries.
Processes
1. C:\Users\Admin\AppData\Local\Temp\fc08850bf8f665229185af91db6b836e04754ac43b66716268503870f1e9bd6b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fc08850bf8f665229185af91db6b836e04754ac43b66716268503870f1e9bd6b.exe"
   PID: 3108
   - Modifies visibility of hidden/system files in Explorer
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\qioix.exe  (child of PID 3108)
      Command line: "C:\Users\Admin\qioix.exe"
      PID: 2236
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
(one dropped file; the report lists it twice with identical hashes)
Filesize: 140KB
MD5: 93611d2aacbeb5eecc05d8096ccfcbfc
SHA1: 0eebd1a53ce47231e06577df795c0195cd0d7e16
SHA256: 5f4d8aa40bf9e00c66b31883872cf54d6b8455c596b8d035e89065ead365f768
SHA512: 68220fe147846819f2597b23878595cbad0bac8589d5293c3432ee4b457f88e760366715537b3a13310e7a351260012c83a4cddd8e6a1836611db0389e135189
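The dropped file is the same size as the submitted one (140KB) but differs in every hash, so it is not a byte-for-byte copy of its parent. Before acting on either set of hashes it is worth checking a local sample against them, and the report's two hash layouts (label and digest on separate lines in General, fused "MD5<hex>" lines in Downloads) are easy to misread by eye. The following is an added example, not part of the tria.ge report: it parses both layouts, hashes bytes with all four algorithms, and compares entries. The sample bytes and the function names are assumptions of this example; the digests are copied from the report.

```python
import hashlib
import re

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
ALGO = r"(MD5|SHA1|SHA256|SHA512)"
LABEL_ONLY = re.compile(rf"^{ALGO}$")                   # "SHA256" alone, digest on the next line
FUSED = re.compile(rf"^{ALGO}\s*:?\s*([0-9a-fA-F]+)$")  # "SHA2565f4d..." or "SHA256: 5f4d..."
HEX_ONLY = re.compile(r"^[0-9a-fA-F]+$")

# Copied from the report: General (submitted file) and Downloads (dropped file).
REPORT_PARENT = """\
Size
140KB
MD5
7a8f1bfac118b61c8c82f46092e932fa
SHA1
587533647ea62f9d57634be5b5bd8f2c77d2420d
SHA256
fc08850bf8f665229185af91db6b836e04754ac43b66716268503870f1e9bd6b
SHA512
452ae25e8b5271719d18a58f964b74126f21f35ac1c1f7263792952c38094c791933c3c36464a5968ab55ff5115c65e4bd96459ce1ef4c2027b00a4c472ea012
"""
REPORT_DROPPED = """\
Filesize
140KB
MD593611d2aacbeb5eecc05d8096ccfcbfc
SHA10eebd1a53ce47231e06577df795c0195cd0d7e16
SHA2565f4d8aa40bf9e00c66b31883872cf54d6b8455c596b8d035e89065ead365f768
SHA51268220fe147846819f2597b23878595cbad0bac8589d5293c3432ee4b457f88e760366715537b3a13310e7a351260012c83a4cddd8e6a1836611db0389e135189
"""


def parse_report_hashes(text):
    """{algo: digest} from either layout. A digest of the wrong length is an error, not a silent miss."""
    found, pending = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending and HEX_ONLY.match(line):
            found[pending], pending = line.lower(), None
            continue
        pending = None
        if LABEL_ONLY.match(line):
            pending = line.upper()
        else:
            m = FUSED.match(line)
            if m:
                found[m.group(1).upper()] = m.group(2).lower()
    for algo, digest in found.items():
        if len(digest) != DIGEST_LEN[algo]:
            raise ValueError(f"{algo}: {len(digest)} hex chars, expected {DIGEST_LEN[algo]}")
    return found


def hash_bytes(data):
    """All four digests of an in-memory sample, keyed like the report."""
    return {algo: hashlib.new(algo.lower(), data).hexdigest() for algo in DIGEST_LEN}


def verify_sample(data, report_hashes):
    """Per-algorithm match of the bytes against the report; trust the report for this file only if all agree."""
    computed = hash_bytes(data)
    return {algo: computed[algo] == digest for algo, digest in report_hashes.items()}


def differing_algorithms(a, b):
    """Algorithms on which two report entries disagree; an empty list means the same bytes."""
    return sorted(algo for algo in a.keys() & b.keys() if a[algo] != b[algo])


if __name__ == "__main__":
    parent, dropped = parse_report_hashes(REPORT_PARENT), parse_report_hashes(REPORT_DROPPED)
    print("parent vs dropped differ on:", differing_algorithms(parent, dropped))
    # Constructed stand-in bytes; the real sample is not embedded here.
    blob = b"constructed stand-in bytes, not the real sample"
    print("stand-in matches report?", verify_sample(blob, parent))
```

To check a file from disk, pass `open(path, "rb").read()` to verify_sample together with whichever report entry you expect it to be; a partial match (say MD5 agrees but SHA256 does not) should be treated as a mismatch, not a near miss.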