Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    187s
  • max time network
    206s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/11/2022, 03:23

General

  • Target

    5b04c8ea01f3ddca4852932183f29c9f9045f1e9f691a5ac3c31477be75e44ed.exe

  • Size

    60KB

  • MD5

    00b867cca854b8d60b612a43966c2290

  • SHA1

    5a7cf6ad96ada971f8797c2124b906ca649d195c

  • SHA256

    5b04c8ea01f3ddca4852932183f29c9f9045f1e9f691a5ac3c31477be75e44ed

  • SHA512

    a6b7463bb974854efcd6b7b7418f0e1a78f0c5a5502d782c38ac12343764cb195dc56b0b2dd1d1c2d1982c63bceec14e2d4c64a4587cd1765c5ab46102104e81

  • SSDEEP

    768:2Xxx1BUd8aiRssHH2D2n/z/D0lbdfs3OfKDHGqHg6WB8:2X9raifn2a/Dxg6WB8

Score
10/10

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5b04c8ea01f3ddca4852932183f29c9f9045f1e9f691a5ac3c31477be75e44ed.exe
    "C:\Users\Admin\AppData\Local\Temp\5b04c8ea01f3ddca4852932183f29c9f9045f1e9f691a5ac3c31477be75e44ed.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1188
    • C:\Users\Admin\quooxa.exe
      "C:\Users\Admin\quooxa.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4500

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\quooxa.exe

    Filesize

    60KB

    MD5

    b2d3bc471a7bcb470aa05f871d8675cd

    SHA1

    c36ea20c9f71177b1ad8098f3914d54b2cae280a

    SHA256

    30c21e08139dd7edf5806b9111b27bddfe936b7404decf79468182309f03961f

    SHA512

    f5f1a5cfe37a1b3944a757f36dcb878c63164eb8669344577572b499e73be5b75b045ebeb5c8c9facd1b874281e89bac567c11f831cf4d2ee9213414ecf9ef7a

  • C:\Users\Admin\quooxa.exe

    Filesize

    60KB

    MD5

    b2d3bc471a7bcb470aa05f871d8675cd

    SHA1

    c36ea20c9f71177b1ad8098f3914d54b2cae280a

    SHA256

    30c21e08139dd7edf5806b9111b27bddfe936b7404decf79468182309f03961f

    SHA512

    f5f1a5cfe37a1b3944a757f36dcb878c63164eb8669344577572b499e73be5b75b045ebeb5c8c9facd1b874281e89bac567c11f831cf4d2ee9213414ecf9ef7a