Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/12/2022, 20:24

General

  • Target

    915487b767ed670360d00acc82a116aafffe2a8b481490356429c58c7ae15f99.exe

  • Size

    312KB

  • MD5

    9b99d88cf520d626dd98f25d0d21b0de

  • SHA1

    80739f6c70034d2a39b68f86f4685ee0c4e53248

  • SHA256

    915487b767ed670360d00acc82a116aafffe2a8b481490356429c58c7ae15f99

  • SHA512

    58541272a893109bdd9a9a0fa586f6f8aa00cad8be3fc7a58e3f7c2f7269a76bfb186798ecc1d86444332a24cc2d56e476332ec314d6ee5cdb8e8989e64aa546

  • SSDEEP

    3072:lxKsZ+EoxfWxJYwExxusHwadMX0sQ84O1s4NF/PBEtFjjUcsFP84K6yXX7:bKJfWxJYw4xusHwsY0sQevWuPxnyXX7

Score
10/10

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\915487b767ed670360d00acc82a116aafffe2a8b481490356429c58c7ae15f99.exe
    "C:\Users\Admin\AppData\Local\Temp\915487b767ed670360d00acc82a116aafffe2a8b481490356429c58c7ae15f99.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Users\Admin\qiucet.exe
      "C:\Users\Admin\qiucet.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3248

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\qiucet.exe

    Filesize

    312KB

    MD5

    17576c6c61153fed5478181c14815ece

    SHA1

    f0c974f093d398ea348d94419678a342f4db45d5

    SHA256

    302c140742972ad3c6a165c7a12bc50b066ab7520bdfa5117025c042828f910d

    SHA512

    b50cce0f8574afe03b68197ac6ccb8ae88bbbf1bd1c339cbba1f918f8b9c4409219d86fa98596b031c2f0730b1a8bcab08e14b722c58111874b1f21aea2dd9c4

  • C:\Users\Admin\qiucet.exe

    Filesize

    312KB

    MD5

    17576c6c61153fed5478181c14815ece

    SHA1

    f0c974f093d398ea348d94419678a342f4db45d5

    SHA256

    302c140742972ad3c6a165c7a12bc50b066ab7520bdfa5117025c042828f910d

    SHA512

    b50cce0f8574afe03b68197ac6ccb8ae88bbbf1bd1c339cbba1f918f8b9c4409219d86fa98596b031c2f0730b1a8bcab08e14b722c58111874b1f21aea2dd9c4