Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

764eeede0a...72.exe

windows7-x64

10

764eeede0a...72.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/12/2022, 23:17 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    764eeede0a54e0b2b110e695a0795a9f19b0bd661ab491ca29fa550cb55b4472.exe

  • Size

    204KB

  • MD5

    fadcf0429b53e3c6381e6d0046e7722e

  • SHA1

    90842ecb410d8268d7f9d5c46f240caaf96739a1

  • SHA256

    764eeede0a54e0b2b110e695a0795a9f19b0bd661ab491ca29fa550cb55b4472

  • SHA512

    aa5e17d98f0aafed56d926ed2180ccfadd35c89c5f8830792be381d7c8cf0e56c8044fb7fa9c6d2cb103ffddbc5bb7b527a080b0cb5b4f998d57c40ae4f13111

  • SSDEEP

    3072:XmIW8AF0tQ9nLHbB9W0c1TqECzR/mkSYGrl9ymgYUW2PN:Wd14QxL7B9W0c1RCzR/fSmlF1

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 29 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\764eeede0a54e0b2b110e695a0795a9f19b0bd661ab491ca29fa550cb55b4472.exe
    "C:\Users\Admin\AppData\Local\Temp\764eeede0a54e0b2b110e695a0795a9f19b0bd661ab491ca29fa550cb55b4472.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4284
    • C:\Users\Admin\cqwood.exe
      "C:\Users\Admin\cqwood.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4236

Network

  • flag-unknown
    DNS
    ns1.spansearcher.net
    764eeede0a54e0b2b110e695a0795a9f19b0bd661ab491ca29fa550cb55b4472.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.spansearcher.net
    IN A
    Response
  • flag-unknown
    DNS
    ns1.spinsearcher.org
    764eeede0a54e0b2b110e695a0795a9f19b0bd661ab491ca29fa550cb55b4472.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.spinsearcher.org
    IN A
    Response
  • flag-unknown
    DNS
    ns1.player1352.net
    764eeede0a54e0b2b110e695a0795a9f19b0bd661ab491ca29fa550cb55b4472.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.player1352.net
    IN A
    Response
    ns1.player1352.net
    IN A
    35.205.61.67
  • 209.197.3.8:80
    322 B
     7
  • 2.18.109.224:443
    322 B
     7
  • 209.197.3.8:80
    322 B
     7
  • 209.197.3.8:80
    322 B
     7
  • 8.8.8.8:53
    ns1.spansearcher.net
    dns
    764eeede0a54e0b2b110e695a0795a9f19b0bd661ab491ca29fa550cb55b4472.exe
    66 B
     139 B
     1
    1

    DNS Request

    ns1.spansearcher.net

  • 8.8.8.8:53
    ns1.spinsearcher.org
    dns
    764eeede0a54e0b2b110e695a0795a9f19b0bd661ab491ca29fa550cb55b4472.exe
    66 B
     148 B
     1
    1

    DNS Request

    ns1.spinsearcher.org

  • 8.8.8.8:53
    ns1.player1352.net
    dns
    764eeede0a54e0b2b110e695a0795a9f19b0bd661ab491ca29fa550cb55b4472.exe
    64 B
     80 B
     1
    1

    DNS Request

    ns1.player1352.net

    DNS Response

    35.205.61.67

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\cqwood.exe
    Filesize

    204KB

    MD5

    c0501fddeaea42f3612b6e91b4e03711

    SHA1

    9ae943ef0bf8aafeb31f6f01b5657d98441bc5bc

    SHA256

    5e1a5cf9439e1729da82e9e69af0ae1277961ddc49f58bdc8e34cd736f896bbb

    SHA512

    5c266b9a0bc3fa744640784705502f6f9f1e4d8154dae95700d30fbb2acfa03fba69e37b17d008768c8b114e1e7af8ce91017652da1202f6922eed980b9bd3b1

    Download Submit

  • C:\Users\Admin\cqwood.exe
    Filesize

    204KB

    MD5

    c0501fddeaea42f3612b6e91b4e03711

    SHA1

    9ae943ef0bf8aafeb31f6f01b5657d98441bc5bc

    SHA256

    5e1a5cf9439e1729da82e9e69af0ae1277961ddc49f58bdc8e34cd736f896bbb

    SHA512

    5c266b9a0bc3fa744640784705502f6f9f1e4d8154dae95700d30fbb2acfa03fba69e37b17d008768c8b114e1e7af8ce91017652da1202f6922eed980b9bd3b1

    Download Submit

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.