Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    152s
  • max time network
    169s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/12/2022, 23:20

General

  • Target

    a871f746c9a0ac0bc359b01d234cf8369d0a1fd95365d0c7ef40e0d4342d573b.exe

  • Size

    148KB

  • MD5

    488c9654f0fb0b3cb2f0f321c28a1201

  • SHA1

    9aae83f4ed5fa1a5bc80c8d7931ff0597e331461

  • SHA256

    a871f746c9a0ac0bc359b01d234cf8369d0a1fd95365d0c7ef40e0d4342d573b

  • SHA512

    3c83202eaefbd0034b53ea45168b4682ca7dc0400e5fe890e3fb6ffb26de60272778685b78fd195a52450b2008036ae4072f71d3e6cfe179f14580f52994e416

  • SSDEEP

    3072:DiFrQh4mRpDGq7At/yRWr2wA36nbMUq8hFOdhIOTE5j4oQ2:uFkh96F90Wf7nJPwdUd

Score
10/10

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 50 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a871f746c9a0ac0bc359b01d234cf8369d0a1fd95365d0c7ef40e0d4342d573b.exe
    "C:\Users\Admin\AppData\Local\Temp\a871f746c9a0ac0bc359b01d234cf8369d0a1fd95365d0c7ef40e0d4342d573b.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2224
    • C:\Users\Admin\qeowu.exe
      "C:\Users\Admin\qeowu.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4716

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\qeowu.exe

    Filesize

    148KB

    MD5

    d7af01e277ca46f4d0e97b7682d7a1ac

    SHA1

    226971b808a5af5e8eab2e344bc8bb901c457c09

    SHA256

    6c5e6cb15c3712081089541a621d1717faa8afc346864b8c9594b167a5733dcf

    SHA512

    feebe9c6b3070a521626357a435924a50fed93ec7af253bb05974bc7e1b4fd4654f71572cbaf14d6faa02d69a473172f3b041f38c85be7764f8c8a3b6b7079b8

  • C:\Users\Admin\qeowu.exe

    Filesize

    148KB

    MD5

    d7af01e277ca46f4d0e97b7682d7a1ac

    SHA1

    226971b808a5af5e8eab2e344bc8bb901c457c09

    SHA256

    6c5e6cb15c3712081089541a621d1717faa8afc346864b8c9594b167a5733dcf

    SHA512

    feebe9c6b3070a521626357a435924a50fed93ec7af253bb05974bc7e1b4fd4654f71572cbaf14d6faa02d69a473172f3b041f38c85be7764f8c8a3b6b7079b8