Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
113s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
07/11/2022, 07:14
Static task
static1
Behavioral task
behavioral1
Sample
d339babd6f9ba74660b7c5f9f998878d1b61aa1648af10aa2212aa1f97e30408.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
d339babd6f9ba74660b7c5f9f998878d1b61aa1648af10aa2212aa1f97e30408.exe
Resource
win10v2004-20220812-en
General
-
Target
d339babd6f9ba74660b7c5f9f998878d1b61aa1648af10aa2212aa1f97e30408.exe
-
Size
252KB
-
MD5
0685fd0e2615fb07d3c73c850bab4d5e
-
SHA1
a7de009ab4bf23efed5dd847617501dcac505617
-
SHA256
d339babd6f9ba74660b7c5f9f998878d1b61aa1648af10aa2212aa1f97e30408
-
SHA512
fc43a3c19df503723dc0868d784951978cc6ecbe694fe9ce09acc2142e3d72ebe55d1940680b25b99e21f38a744f9db3b1589adee8b65d031d87cdef94b7ce29
-
SSDEEP
6144:2jUJ84nmm/zKkj4D6aDWms2U80u9UJ58ajh+fk42+I:R/Wy/m/Uzu9UJ9j0fk7
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1680 Qtuvea.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run Qtuvea.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\65MWRMP54G = "C:\\Windows\\Qtuvea.exe" Qtuvea.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job d339babd6f9ba74660b7c5f9f998878d1b61aa1648af10aa2212aa1f97e30408.exe File opened for modification C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job d339babd6f9ba74660b7c5f9f998878d1b61aa1648af10aa2212aa1f97e30408.exe File created C:\Windows\Qtuvea.exe d339babd6f9ba74660b7c5f9f998878d1b61aa1648af10aa2212aa1f97e30408.exe File opened for modification C:\Windows\Qtuvea.exe d339babd6f9ba74660b7c5f9f998878d1b61aa1648af10aa2212aa1f97e30408.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main Qtuvea.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\International Qtuvea.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe 1680 Qtuvea.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 1504 d339babd6f9ba74660b7c5f9f998878d1b61aa1648af10aa2212aa1f97e30408.exe 1680 Qtuvea.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1504 wrote to memory of 1680 1504 d339babd6f9ba74660b7c5f9f998878d1b61aa1648af10aa2212aa1f97e30408.exe 28 PID 1504 wrote to memory of 1680 1504 d339babd6f9ba74660b7c5f9f998878d1b61aa1648af10aa2212aa1f97e30408.exe 28 PID 1504 wrote to memory of 1680 1504 d339babd6f9ba74660b7c5f9f998878d1b61aa1648af10aa2212aa1f97e30408.exe 28 PID 1504 wrote to memory of 1680 1504 d339babd6f9ba74660b7c5f9f998878d1b61aa1648af10aa2212aa1f97e30408.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\d339babd6f9ba74660b7c5f9f998878d1b61aa1648af10aa2212aa1f97e30408.exe"C:\Users\Admin\AppData\Local\Temp\d339babd6f9ba74660b7c5f9f998878d1b61aa1648af10aa2212aa1f97e30408.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\Qtuvea.exeC:\Windows\Qtuvea.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:1680
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
252KB
MD50685fd0e2615fb07d3c73c850bab4d5e
SHA1a7de009ab4bf23efed5dd847617501dcac505617
SHA256d339babd6f9ba74660b7c5f9f998878d1b61aa1648af10aa2212aa1f97e30408
SHA512fc43a3c19df503723dc0868d784951978cc6ecbe694fe9ce09acc2142e3d72ebe55d1940680b25b99e21f38a744f9db3b1589adee8b65d031d87cdef94b7ce29
-
Filesize
408B
MD59ee28a90df4db89f0558d2833c97d157
SHA13c85bd84547bffdc47072977ee95ea827d4e5d1a
SHA25676e0577e3cb158e26823aac577534e0462749460cc8a3e6ace717259e558a9c6
SHA51293b71a9fcba9251e5a27ba5c25baaca02b2e118476808d337643aacb7cb03bc15a1f861286373a2188a0d4ce4e8a0fd19505657508fa47bb2261dd17b2111add