Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 22s
- max time network: 25s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/05/2023, 16:08
Static task: static1

Behavioral task: behavioral1
- Sample: QMEmulatorService.exe
- Resource: win7-20230220-en
- 0 signatures
- 150 seconds

Behavioral task: behavioral2
- Sample: QMEmulatorService.exe
- Resource: win10v2004-20230220-en
- 5 signatures
- 150 seconds
General
- Target: QMEmulatorService.exe
- Size: 239KB
- MD5: 758d190704f09e874ec88e172f8d057c
- SHA1: 330aab9d3805c50db6e93b34b8fe96c96c863bb6
- SHA256: e8384ecdf810ea96621fa117866612477e1af406616f664820593ee22a17ffb6
- SHA512: 5e06253d8a78571a60e615fe67ffedd85e998668b1721c5ff2ab2e5272e67c06916a3b345008715b3348988d9d7ef6378fe89ce21f5ba6f8af043db66174e255
- SSDEEP: 6144:Gxk6UEnZmnbQos3N+bFN33v3a+vGjYEzGOmx:Gx2WmnbQJ3Na3PK+RSmx
- Score: 1/10
Malware Config
Signatures
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid | Process
  1356 | taskmgr.exe (12 occurrences)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1356 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 1356 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 1356 | taskmgr.exe
  Token: 33 | 1356 | taskmgr.exe
  Token: SeIncBasePriorityPrivilege | 1356 | taskmgr.exe
- Suspicious use of FindShellTrayWindow (38 IoCs)
  pid | Process
  1356 | taskmgr.exe (38 occurrences)
- Suspicious use of SendNotifyMessage (38 IoCs)
  pid | Process
  1356 | taskmgr.exe (38 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\QMEmulatorService.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\QMEmulatorService.exe"
  PID: 2924
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 1356
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage