Analysis
max time kernel: 187s
max time network: 206s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/11/2022, 03:23
Static task: static1
Behavioral task: behavioral1
  Sample: 5b04c8ea01f3ddca4852932183f29c9f9045f1e9f691a5ac3c31477be75e44ed.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 5b04c8ea01f3ddca4852932183f29c9f9045f1e9f691a5ac3c31477be75e44ed.exe
  Resource: win10v2004-20221111-en
(The results on this page are from the win10v2004-20221111-en run, as the platform and resource fields above show.)
General
Target: 5b04c8ea01f3ddca4852932183f29c9f9045f1e9f691a5ac3c31477be75e44ed.exe
Size: 60KB
MD5: 00b867cca854b8d60b612a43966c2290
SHA1: 5a7cf6ad96ada971f8797c2124b906ca649d195c
SHA256: 5b04c8ea01f3ddca4852932183f29c9f9045f1e9f691a5ac3c31477be75e44ed
SHA512: a6b7463bb974854efcd6b7b7418f0e1a78f0c5a5502d782c38ac12343764cb195dc56b0b2dd1d1c2d1982c63bceec14e2d4c64a4587cd1765c5ab46102104e81
SSDEEP: 768:2Xxx1BUd8aiRssHH2D2n/z/D0lbdfs3OfKDHGqHg6WB8:2X9raifn2a/Dxg6WB8
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  Set value (int): \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  (process: quooxa.exe)
  ShowSuperHidden = 0 is the "Hide protected operating system files" setting: Explorer then omits files carrying the hidden+system attributes, which is how a dropped copy marked that way stays out of sight in the user's profile folder.
- Executes dropped EXE (1 IoC)
  PID 4500, quooxa.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation  (process: 5b04c8ea01f3ddca4852932183f29c9f9045f1e9f691a5ac3c31477be75e44ed.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run\  (process: quooxa.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\quooxa = "C:\\Users\\Admin\\quooxa.exe"  (process: quooxa.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. No IoC rows are listed for this signature on this page.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  All 64 entries: PID 4500, quooxa.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 1188, 5b04c8ea01f3ddca4852932183f29c9f9045f1e9f691a5ac3c31477be75e44ed.exe
  PID 4500, quooxa.exe
- Suspicious use of WriteProcessMemory (64 IoCs; the trailing number on each row is Triage's procid_target, an internal process index, not a Windows PID)
  3 x: PID 1188 (5b04c8ea01f3ddca4852932183f29c9f9045f1e9f691a5ac3c31477be75e44ed.exe) wrote to memory of PID 4500, procid_target 83
  61 x: PID 4500 (quooxa.exe) wrote to memory of PID 1188, procid_target 81
  The three parent-to-child writes are consistent with ordinary process creation, where CreateProcess writes the new process's parameters into the child before it starts. The 61 child-to-parent writes are not explained by that and are the part of this signature worth examining.
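The three registry behaviours above (the Geo\Nation lookup, the Run key, and ShowSuperHidden = 0) expressed as detection logic. This is an added example, not part of the Triage report or the sample itself: it runs over constructed pipe-delimited registry events (action|process|path|value) whose malicious rows copy the IoCs from this report and whose benign rows are made up, and it generalises the Run-key rule to any autorun whose target lives anywhere under C:\Users rather than only the path seen here. The ATT&CK IDs are the editor's mapping; the report shows no mapping of its own.

```python
import re
from dataclasses import dataclass

# Constructed sample events (not real telemetry): action|process|registry_path|value.
# The first four rows copy the IoCs from the Triage report above; the last two are
# made-up benign rows used to show what the rules do not fire on.
SID = "S-1-5-21-2386679933-1492765628-3466841596-1000"
HKU = "\\REGISTRY\\USER\\" + SID  # Triage's native registry path prefix for the user hive
SAMPLE_EVENTS = [
    "query|5b04c8ea01f3ddca4852932183f29c9f9045f1e9f691a5ac3c31477be75e44ed.exe|"
    + HKU + r"\Control Panel\International\Geo\Nation|",
    "create|quooxa.exe|" + HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\|",
    "set|quooxa.exe|" + HKU
    + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\quooxa|C:\Users\Admin\quooxa.exe",
    "set|quooxa.exe|" + HKU
    + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden|0",
    # benign: an installer registering an autorun under Program Files
    "set|msiexec.exe|" + HKU
    + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater|C:\Program Files\Vendor\updater.exe",
    # benign: the user turning protected OS files back on in Explorer
    "set|explorer.exe|" + HKU
    + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden|1",
]

# Rules. Paths are matched case-insensitively because the report itself mixes
# "Software" and "SOFTWARE" for the same key.
RUN_VALUE = re.compile(r"\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.I)
SUPER_HIDDEN = re.compile(r"\\Explorer\\Advanced\\ShowSuperHidden$", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\", re.I)  # autorun target in a profile


@dataclass
class Finding:
    technique: str
    process: str
    detail: str


def evaluate(lines):
    """Apply the three rules to each event and return the findings in input order."""
    findings = []
    for line in lines:
        action, process, path, value = line.split("|", 3)
        value = value.strip('"')
        if action == "set" and (m := RUN_VALUE.search(path)):
            # Persistence: only fire when the autorun points into a user-writable location
            if USER_WRITABLE.match(value):
                findings.append(Finding("T1547.001 Run key persistence", process,
                                        f"{m['name']} -> {value}"))
        elif action == "set" and SUPER_HIDDEN.search(path) and value == "0":
            # Defence evasion: hiding files with hidden+system attributes from Explorer
            findings.append(Finding("T1564.001 ShowSuperHidden=0 (hide files)", process, path))
        elif action == "query" and GEO_NATION.search(path):
            # Discovery: reading the configured country, the geofence check in the report
            findings.append(Finding("T1614 location discovery (Geo\\Nation)", process, path))
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f.technique:45} {f.process:70} {f.detail}")
```

The Run-key rule deliberately ignores the "Key created ... \Run\" row: creating the key is noise on a clean profile, and the value that names the payload is the row worth alerting on. Real telemetry (for example Sysmon registry events) renders the hive as HKU\<SID> rather than \REGISTRY\USER\<SID>, and does not record queries at all, so the Geo\Nation rule only applies to sandbox or API-trace data.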
Processes
C:\Users\Admin\AppData\Local\Temp\5b04c8ea01f3ddca4852932183f29c9f9045f1e9f691a5ac3c31477be75e44ed.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5b04c8ea01f3ddca4852932183f29c9f9045f1e9f691a5ac3c31477be75e44ed.exe"
  PID: 1188
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\quooxa.exe  (child of PID 1188)
    Command line: "C:\Users\Admin\quooxa.exe"
    PID: 4500
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
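The WriteProcessMemory signature prints one row per call, which for this run is 64 rows of two shapes. Below is an added example, not part of the Triage report, that parses rows in the report's own "PID A wrote to memory of B ..." format, collapses them into direction counts, and labels each direction using the parent/child relation from the process tree above. The sample text is constructed: it copies three parent-to-child rows and two child-to-parent rows from the report rather than all 64, and the PARENT map is the editor's transcription of the tree.

```python
import re
from collections import Counter

# Constructed sample in the report's own IoC row format (a subset of the 64 rows;
# the real report has 3 parent->child rows and 61 child->parent rows).
IOC_TEXT = """\
PID 1188 wrote to memory of 4500 1188 5b04c8ea01f3ddca4852932183f29c9f9045f1e9f691a5ac3c31477be75e44ed.exe 83
PID 1188 wrote to memory of 4500 1188 5b04c8ea01f3ddca4852932183f29c9f9045f1e9f691a5ac3c31477be75e44ed.exe 83
PID 1188 wrote to memory of 4500 1188 5b04c8ea01f3ddca4852932183f29c9f9045f1e9f691a5ac3c31477be75e44ed.exe 83
PID 4500 wrote to memory of 1188 4500 quooxa.exe 81
PID 4500 wrote to memory of 1188 4500 quooxa.exe 81
"""

# child PID -> parent PID, transcribed from the Processes section of the report
PARENT = {4500: 1188}

# Row layout: "PID <src> wrote to memory of <dst> <src again> <image> <procid_target>".
# The final number is Triage's internal process index, not a Windows PID, so it is
# matched but not used.
ROW = re.compile(r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<image>\S+) \d+")


def parse_writes(text):
    """Count rows per (source PID, target PID, source image), preserving first-seen order."""
    counts = Counter()
    for m in ROW.finditer(text):
        counts[(int(m["src"]), int(m["dst"]), m["image"])] += 1
    return counts


def classify(src, dst, parent=PARENT):
    """Label a cross-process write by its place in the process tree."""
    if parent.get(dst) == src:
        # CreateProcess writes the new process's parameters into the child, so a small
        # number of parent->child writes is expected at process creation.
        return "parent->child (expected at process creation)"
    if parent.get(src) == dst:
        # A dropped copy writing back into the process that launched it has no such
        # benign explanation and is the direction to investigate.
        return "child->parent (unexpected)"
    return "unrelated processes"


def summarize(text, parent=PARENT):
    """Return (src, dst, image, count, label) tuples, one per write direction."""
    return [(src, dst, image, n, classify(src, dst, parent))
            for (src, dst, image), n in parse_writes(text).items()]


if __name__ == "__main__":
    for src, dst, image, n, label in summarize(IOC_TEXT):
        print(f"{n:3d} x  {src} ({image}) -> {dst}: {label}")
```

Run against the full 64-row list the same code yields two lines, 3 x parent-to-child and 61 x child-to-parent, which is the summary a reader actually needs from that signature.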
-
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 60KB
  MD5: b2d3bc471a7bcb470aa05f871d8675cd
  SHA1: c36ea20c9f71177b1ad8098f3914d54b2cae280a
  SHA256: 30c21e08139dd7edf5806b9111b27bddfe936b7404decf79468182309f03961f
  SHA512: f5f1a5cfe37a1b3944a757f36dcb878c63164eb8669344577572b499e73be5b75b045ebeb5c8c9facd1b874281e89bac567c11f831cf4d2ee9213414ecf9ef7a
  (Same 60KB size as the submitted sample but different hashes, so this is a distinct file; the page does not name it.)