Analysis
- max time kernel: 152s
- max time network: 84s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 03/10/2022, 03:09
Static task: static1
Behavioral task: behavioral1
  Sample: 89830eef5fd5cb2b2bbdf48bd43c37d5479eaa938f0015e561dda18c9223e913.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 89830eef5fd5cb2b2bbdf48bd43c37d5479eaa938f0015e561dda18c9223e913.exe
  Resource: win10v2004-20220901-en
General
- Target: 89830eef5fd5cb2b2bbdf48bd43c37d5479eaa938f0015e561dda18c9223e913.exe
- Size: 224KB
- MD5: 6073b3c96cae6b13626e36fecf7d9ff8
- SHA1: b2f6bf864409f12b222d43449498b187528d0ed2
- SHA256: 89830eef5fd5cb2b2bbdf48bd43c37d5479eaa938f0015e561dda18c9223e913
- SHA512: 38ef3e8371f95a4ee08def6ce3b53ac5ff322f1a01f66fcc8a60a09bbb7f2fad1f82c69e264ec3dd25bbc36e915f80bb3dc2cfd667abda4144b1296249497641
- SSDEEP: 3072:0XyqNsMoBum30jZVpl2mclbj4Uvx+8ysNOu+2eRcKksU61JkkX39RLrw4ySKUba9:LqN5hp4LnbmlrZW
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 89830eef5fd5cb2b2bbdf48bd43c37d5479eaa938f0015e561dda18c9223e913.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | qvheus.exe
- Executes dropped EXE (1 IoCs)
pid | Process
1304 | qvheus.exe
- Loads dropped DLL (2 IoCs)
pid | Process
1284 | 89830eef5fd5cb2b2bbdf48bd43c37d5479eaa938f0015e561dda18c9223e913.exe
1284 | 89830eef5fd5cb2b2bbdf48bd43c37d5479eaa938f0015e561dda18c9223e913.exe
- Adds Run key to start application (2 TTPs, 29 IoCs)
All entries below are under the key \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run (shown as Run\ below).
description | ioc | Process
Set value (str) | Run\qvheus = "C:\\Users\\Admin\\qvheus.exe /u" | qvheus.exe
Set value (str) | Run\qvheus = "C:\\Users\\Admin\\qvheus.exe /y" | qvheus.exe
Set value (str) | Run\qvheus = "C:\\Users\\Admin\\qvheus.exe /f" | qvheus.exe
Set value (str) | Run\qvheus = "C:\\Users\\Admin\\qvheus.exe /x" | qvheus.exe
Key created | Run\ | 89830eef5fd5cb2b2bbdf48bd43c37d5479eaa938f0015e561dda18c9223e913.exe
Set value (str) | Run\qvheus = "C:\\Users\\Admin\\qvheus.exe /v" | qvheus.exe
Set value (str) | Run\qvheus = "C:\\Users\\Admin\\qvheus.exe /m" | qvheus.exe
Set value (str) | Run\qvheus = "C:\\Users\\Admin\\qvheus.exe /l" | qvheus.exe
Set value (str) | Run\qvheus = "C:\\Users\\Admin\\qvheus.exe /a" | qvheus.exe
Set value (str) | Run\qvheus = "C:\\Users\\Admin\\qvheus.exe /j" | 89830eef5fd5cb2b2bbdf48bd43c37d5479eaa938f0015e561dda18c9223e913.exe
Set value (str) | Run\qvheus = "C:\\Users\\Admin\\qvheus.exe /n" | qvheus.exe
Set value (str) | Run\qvheus = "C:\\Users\\Admin\\qvheus.exe /d" | qvheus.exe
Set value (str) | Run\qvheus = "C:\\Users\\Admin\\qvheus.exe /i" | qvheus.exe
Set value (str) | Run\qvheus = "C:\\Users\\Admin\\qvheus.exe /c" | qvheus.exe
Set value (str) | Run\qvheus = "C:\\Users\\Admin\\qvheus.exe /q" | qvheus.exe
Set value (str) | Run\qvheus = "C:\\Users\\Admin\\qvheus.exe /k" | qvheus.exe
Key created | Run\ | qvheus.exe
Set value (str) | Run\qvheus = "C:\\Users\\Admin\\qvheus.exe /e" | qvheus.exe
Set value (str) | Run\qvheus = "C:\\Users\\Admin\\qvheus.exe /s" | qvheus.exe
Set value (str) | Run\qvheus = "C:\\Users\\Admin\\qvheus.exe /p" | qvheus.exe
Set value (str) | Run\qvheus = "C:\\Users\\Admin\\qvheus.exe /g" | qvheus.exe
Set value (str) | Run\qvheus = "C:\\Users\\Admin\\qvheus.exe /o" | qvheus.exe
Set value (str) | Run\qvheus = "C:\\Users\\Admin\\qvheus.exe /j" | qvheus.exe
Set value (str) | Run\qvheus = "C:\\Users\\Admin\\qvheus.exe /z" | qvheus.exe
Set value (str) | Run\qvheus = "C:\\Users\\Admin\\qvheus.exe /t" | qvheus.exe
Set value (str) | Run\qvheus = "C:\\Users\\Admin\\qvheus.exe /h" | qvheus.exe
Set value (str) | Run\qvheus = "C:\\Users\\Admin\\qvheus.exe /w" | qvheus.exe
Set value (str) | Run\qvheus = "C:\\Users\\Admin\\qvheus.exe /r" | qvheus.exe
Set value (str) | Run\qvheus = "C:\\Users\\Admin\\qvheus.exe /b" | qvheus.exe
- Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs; the distinct entries are listed once, the remaining entries repeat the qvheus.exe row)
pid | Process
1284 | 89830eef5fd5cb2b2bbdf48bd43c37d5479eaa938f0015e561dda18c9223e913.exe
1304 | qvheus.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
1284 | 89830eef5fd5cb2b2bbdf48bd43c37d5479eaa938f0015e561dda18c9223e913.exe
1304 | qvheus.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 1284 wrote to memory of 1304 | 1284 | 89830eef5fd5cb2b2bbdf48bd43c37d5479eaa938f0015e561dda18c9223e913.exe | 28
PID 1284 wrote to memory of 1304 | 1284 | 89830eef5fd5cb2b2bbdf48bd43c37d5479eaa938f0015e561dda18c9223e913.exe | 28
PID 1284 wrote to memory of 1304 | 1284 | 89830eef5fd5cb2b2bbdf48bd43c37d5479eaa938f0015e561dda18c9223e913.exe | 28
PID 1284 wrote to memory of 1304 | 1284 | 89830eef5fd5cb2b2bbdf48bd43c37d5479eaa938f0015e561dda18c9223e913.exe | 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\89830eef5fd5cb2b2bbdf48bd43c37d5479eaa938f0015e561dda18c9223e913.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\89830eef5fd5cb2b2bbdf48bd43c37d5479eaa938f0015e561dda18c9223e913.exe"
   PID: 1284
   - Modifies visibility of hidden/system files in Explorer
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\qvheus.exe (child of PID 1284)
      Command line: "C:\Users\Admin\qvheus.exe"
      PID: 1304
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 224KB
  MD5: 35cdd740198ce408e566054d7dc24c71
  SHA1: a79fbf636588a38116c76cc0547537a66ef61469
  SHA256: 3fe5e8cf5fe6692d09bfdf2076cf3e5f10d97ec58cf546f32cec063e11d86e7f
  SHA512: 3a0791ebdd4cb4315024fae13286a14b97befc402609dd4bc0d231c806b7f3662e24fc890f171baea8b9897c1073600d627200626fee158635eea06284c78443