Analysis
- max time kernel: 147s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/07/2023, 17:36
Static task: static1
Behavioral task: behavioral1
- Sample: 24fb841fd911564455e110be0.exe
- Resource: win7-20230703-en
Behavioral task: behavioral2 (the run reported on this page)
- Sample: 24fb841fd911564455e110be0.exe
- Resource: win10v2004-20230703-en
General
- Target: 24fb841fd911564455e110be0.exe
- Size: 592KB
- MD5: 24fb841fd911564455e110be09838898
- SHA1: 26cd8755406627964ffcabc8a2addb8d1b8e2e48
- SHA256: 8dc089fd8fa7592e92ae50e19b2be9778db70fa4ca84af6f8dda27af4851faf5
- SHA512: 40e5a47a69ff3c673dc702ea4fc1bc7f57c78631846f03e474920fe648d8f742419f4cb150d2036cdaa1a9ce8d0308be05d463a73fd1e39d8d7924e6015d7367
- SSDEEP: 12288:Ig7K2UlLr6wvetUDTIdz0Azy1M9o+71ipwf92umFzUkuI:lZUlL2wveWvUYwb9o+ZiptucUw
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess (7 IoCs)
  description              pid   Process        procid_target
  PID 1076 created 3204    1076  qzbrskye.exe   75
  PID 1076 created 3204    1076  qzbrskye.exe   75
  PID 1076 created 3204    1076  qzbrskye.exe   75
  PID 2328 created 3204    2328  updater.exe    75
  PID 2328 created 3204    2328  updater.exe    75
  PID 2328 created 3204    2328  updater.exe    75
  PID 2328 created 3204    2328  updater.exe    75
  PID 3204 (procid 75) is Explorer.EXE. Both dropped binaries create their children with Explorer passed as the parent process, so those children are shown under Explorer.EXE in the process tree instead of under the process that actually started them.
-
Downloads MZ/PE file
-
Executes dropped EXE (3 IoCs)
  pid   Process
  3724  Key.exe
  1076  qzbrskye.exe
  2328  updater.exe
-
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
-
Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   Process      procid_target
  PID 3724 set thread context of 1728  3724  Key.exe      84
  PID 2328 set thread context of 2112  2328  updater.exe  105
  PID 2328 set thread context of 4572  2328  updater.exe  106
-
Suspicious behavior: EnumeratesProcesses (24 IoCs, grouped by process)
  pid   Process         rows
  408   powershell.exe  2
  3724  Key.exe         4
  1076  qzbrskye.exe    6
  3260  powershell.exe  2
  2328  updater.exe     8
  3476  powershell.exe  2
-
Suspicious behavior: LoadsDriver (1 IoCs)
  pid   Process
  676   Process not Found
-
Suspicious use of AdjustPrivilegeToken (64 IoCs, grouped by process)
  pid   Process                        Token(s) enabled
  3516  24fb841fd911564455e110be0.exe  SeDebugPrivilege
  408   powershell.exe                 SeDebugPrivilege
  3724  Key.exe                        SeDebugPrivilege
  1728  InstallUtil.exe                SeDebugPrivilege
  3260  powershell.exe                 SeDebugPrivilege
  2468  powercfg.exe                   SeShutdownPrivilege, SeCreatePagefilePrivilege
  5016  powercfg.exe                   SeShutdownPrivilege, SeCreatePagefilePrivilege
  3712  powercfg.exe                   SeShutdownPrivilege, SeCreatePagefilePrivilege
  3356  powercfg.exe                   SeShutdownPrivilege, SeCreatePagefilePrivilege
  3260  powershell.exe                 SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  The 21-privilege set on powershell.exe 3260 is enabled twice in full and a third time up to SeCreatePagefilePrivilege, where the listing stops at its 64-row limit. The four numeric entries are privilege LUIDs the report does not resolve to names.
-
Suspicious use of WriteProcessMemory (29 IoCs, grouped by source and target)
  pid   Process      target pid  procid_target  rows
  3724  Key.exe      2440        83             3
  3724  Key.exe      1728        84             8
  2720  cmd.exe      2468        90             2
  2720  cmd.exe      5016        91             2
  2720  cmd.exe      3712        92             2
  2720  cmd.exe      3356        93             2
  1040  cmd.exe      1112        101            2
  1040  cmd.exe      840         102            2
  1040  cmd.exe      100         103            2
  1040  cmd.exe      3972        104            2
  2328  updater.exe  2112        105            1
  2328  updater.exe  4572        106            1
-
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
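The three injection-related signatures (WriteProcessMemory, SetThreadContext and NtCreateUserProcessOtherParentProcess) are easier to read once their rows are joined on source and target PID: a write on its own is routine for a parent setting up a child, a write followed by a thread-context change on the same target is the hollowing pattern, and an explicit parent attribute explains why a child sits where it does in the tree. The Python below is an added example, not part of the Triage report or its signature engine. Its ROWS and IMAGES tables are transcribed from the signature tables and process tree on this page; the correlation rules and output shapes are the example's own.

```python
"""Correlate the flattened IoC rows into injection and parent-spoofing
relationships.  Added example, not Triage output: ROWS and IMAGES are
transcribed from the report, the correlation rules are this example's own."""
from collections import Counter
from typing import Dict, List, Tuple

# (signature, source pid, source image, target pid, number of identical rows),
# constructed from the signature tables in the report.
ROWS: List[Tuple[str, int, str, int, int]] = [
    ("NtCreateUserProcessOtherParentProcess", 1076, "qzbrskye.exe", 3204, 3),
    ("NtCreateUserProcessOtherParentProcess", 2328, "updater.exe", 3204, 4),
    ("SetThreadContext", 3724, "Key.exe", 1728, 1),
    ("SetThreadContext", 2328, "updater.exe", 2112, 1),
    ("SetThreadContext", 2328, "updater.exe", 4572, 1),
    ("WriteProcessMemory", 3724, "Key.exe", 2440, 3),
    ("WriteProcessMemory", 3724, "Key.exe", 1728, 8),
    ("WriteProcessMemory", 2720, "cmd.exe", 2468, 2),
    ("WriteProcessMemory", 2720, "cmd.exe", 5016, 2),
    ("WriteProcessMemory", 2720, "cmd.exe", 3712, 2),
    ("WriteProcessMemory", 2720, "cmd.exe", 3356, 2),
    ("WriteProcessMemory", 1040, "cmd.exe", 1112, 2),
    ("WriteProcessMemory", 1040, "cmd.exe", 840, 2),
    ("WriteProcessMemory", 1040, "cmd.exe", 100, 2),
    ("WriteProcessMemory", 1040, "cmd.exe", 3972, 2),
    ("WriteProcessMemory", 2328, "updater.exe", 2112, 1),
    ("WriteProcessMemory", 2328, "updater.exe", 4572, 1),
]

# Target pid -> image name, taken from the process tree in the report.
IMAGES: Dict[int, str] = {
    3204: "Explorer.EXE", 2440: "InstallUtil.exe", 1728: "InstallUtil.exe",
    2112: "conhost.exe", 4572: "svchost.exe",
    2468: "powercfg.exe", 5016: "powercfg.exe", 3712: "powercfg.exe",
    3356: "powercfg.exe", 1112: "powercfg.exe", 840: "powercfg.exe",
    100: "powercfg.exe", 3972: "powercfg.exe",
}

Pair = Tuple[int, int]  # (source pid, target pid)


def _pairs(rows, signature: str) -> Dict[Pair, int]:
    """Source/target pairs for one signature, row counts summed."""
    c: Counter = Counter()
    for sig, src, _img, tgt, n in rows:
        if sig == signature:
            c[(src, tgt)] += n
    return dict(c)


def injection_candidates(rows=ROWS) -> List[Tuple[int, str, int, str]]:
    """Targets that received both a memory write and a thread-context change
    from the same source.  Writing a payload and then redirecting a thread
    into it is the hollowing/injection pattern; a write alone is not."""
    writes = _pairs(rows, "WriteProcessMemory")
    ctx = _pairs(rows, "SetThreadContext")
    names = {src: img for _sig, src, img, _tgt, _n in rows}
    hits = [(src, names[src], tgt, IMAGES.get(tgt, "?"))
            for (src, tgt) in writes if (src, tgt) in ctx]
    return sorted(hits, key=lambda h: h[2])


def write_only_targets(rows=ROWS) -> List[Pair]:
    """Pairs with writes but no SetThreadContext: cmd.exe writing into the
    powercfg.exe children it spawned, and Key.exe's first InstallUtil.exe
    instance (2440), which was written to but never redirected."""
    writes = _pairs(rows, "WriteProcessMemory")
    ctx = _pairs(rows, "SetThreadContext")
    return sorted(p for p in writes if p not in ctx)


def spoofed_parent_summary(rows=ROWS) -> Dict[Tuple[int, str], Tuple[int, str, int]]:
    """Per source: (declared parent pid, its image, children created that way).
    A child created with an explicit parent attribute is placed under that
    parent in the sandbox tree, not under its real creator."""
    out: Dict[Tuple[int, str], Tuple[int, str, int]] = {}
    for sig, src, img, tgt, n in rows:
        if sig != "NtCreateUserProcessOtherParentProcess":
            continue
        prev = out.get((src, img), (tgt, IMAGES.get(tgt, "?"), 0))
        out[(src, img)] = (tgt, IMAGES.get(tgt, "?"), prev[2] + n)
    return out


if __name__ == "__main__":
    for src, simg, tgt, timg in injection_candidates():
        print(f"injection: {simg} ({src}) -> {timg} ({tgt})")
    for (src, img), (ppid, pimg, n) in spoofed_parent_summary().items():
        print(f"parent spoof: {img} ({src}) created {n} children under {pimg} ({ppid})")
    print("write-only pairs:", write_only_targets())
```

Run as a script it prints three injection pairs (Key.exe into InstallUtil.exe 1728, updater.exe into conhost.exe 2112 and svchost.exe 4572), the two spoofed-parent counts (3 and 4, matching the seven rows), and nine write-only pairs that need no further attention.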
Processes
(indentation gives the depth in the tree; each entry shows the image path, the PID, the command line where it differs from the image path, and the signatures that fired on that process)

- C:\Windows\Explorer.EXE  PID 3204
  - C:\Users\Admin\AppData\Local\Temp\24fb841fd911564455e110be0.exe  PID 3516
    command line: "C:\Users\Admin\AppData\Local\Temp\24fb841fd911564455e110be0.exe"
    signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe  PID 2720
    command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\powercfg.exe  PID 2468
      command line: powercfg /x -hibernate-timeout-ac 0
      signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\powercfg.exe  PID 5016
      command line: powercfg /x -hibernate-timeout-dc 0
      signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\powercfg.exe  PID 3712
      command line: powercfg /x -standby-timeout-ac 0
      signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\powercfg.exe  PID 3356
      command line: powercfg /x -standby-timeout-dc 0
      signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID 3260
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fiukzadu#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\schtasks.exe  PID 4336
    command line: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  - C:\Windows\System32\cmd.exe  PID 1040
    command line: same powercfg chain as PID 2720
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\powercfg.exe  PID 1112
      command line: powercfg /x -hibernate-timeout-ac 0
    - C:\Windows\System32\powercfg.exe  PID 840
      command line: powercfg /x -hibernate-timeout-dc 0
    - C:\Windows\System32\powercfg.exe  PID 100
      command line: powercfg /x -standby-timeout-ac 0
    - C:\Windows\System32\powercfg.exe  PID 3972
      command line: powercfg /x -standby-timeout-dc 0
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID 3476
    command line: same task-registration one-liner as PID 3260
    signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Windows\System32\conhost.exe  PID 2112
  - C:\Windows\System32\svchost.exe  PID 4572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID 408
  command line: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
  decoded -enc payload (base64 of UTF-16LE): Set-MpPreference -ExclusionPath C:\
  signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\XsdType\talhzdhf\Key.exe  PID 3724
  signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  PID 2440
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  PID 1728
    signatures: Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\qzbrskye.exe  PID 1076
  signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe  PID 2328
  signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

Reading the tree:
- The powercfg chain sets the hibernate and standby timeouts to 0 on both AC and DC power, so the host never sleeps. It runs twice, once per dropper (cmd.exe 2720 and 1040).
- The PowerShell one-liner (PIDs 3260 and 3476) registers a logon task named GoogleUpdateTaskMachineQC, named to resemble Google Update's own tasks, that runs %APPDATA%\Google\Chrome\updater.exe with the highest run level; on Windows before 6.2 (Windows 8) it falls back to schtasks /create. The leading <#fiukzadu#> is an empty block comment that changes the command line's hash without changing what it does. schtasks.exe 4336 then starts the task immediately instead of waiting for the next logon.
- powershell.exe 408 hides its command behind -enc; decoded, it adds the entire C: drive as a Microsoft Defender exclusion.
- Key.exe starts InstallUtil.exe (a Microsoft-signed .NET host) twice and applies WriteProcessMemory followed by SetThreadContext to the second instance (PID 1728), which then enables SeDebugPrivilege; this is consistent with process hollowing. updater.exe does the same to conhost.exe 2112 and svchost.exe 4572.
- cmd.exe 2720, powershell.exe 3260 and schtasks.exe 4336 appear under Explorer.EXE only because qzbrskye.exe created them with Explorer declared as the parent (its three NtCreateUserProcessOtherParentProcess rows); cmd.exe 1040, powershell.exe 3476, conhost.exe 2112 and svchost.exe 4572 are updater.exe's four.
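The command lines in the tree carry most of the story (an encoded Defender exclusion, a sleep-inhibiting powercfg chain, a logon task pointing into AppData with the highest run level), but only once the -enc blob is decoded and the two task-creation branches are read as one. The Python below is an added example, not part of the Triage report or its signature engine: it decodes PowerShell -EncodedCommand payloads (base64 of UTF-16LE) and tags those behaviours. SAMPLE_CMDLINES is transcribed from the process tree on this page; the tag names, regular expressions and the assumption that any prefix of -EncodedCommand (plus -e and -ec) selects the encoded form are the example's own.

```python
"""Triage the command lines from the process tree: decode PowerShell
-EncodedCommand blobs and tag the behaviours a responder would pull out.
Added example, not Triage output.  SAMPLE_CMDLINES is transcribed from the
report; the tag names and rules are this example's own, not Triage's."""
import base64
import re
from typing import List, Optional

# Transcribed from the process tree in the report (constructed test input).
SAMPLE_CMDLINES: List[str] = [
    r"C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0",
    r"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fiukzadu#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }""",
    "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==",
    r'C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"',
]

# Assumption: powershell.exe accepts -e, -ec and any prefix of -EncodedCommand.
_ENC_SWITCH = "|".join(sorted(
    ["e", "ec"] + ["encodedcommand"[:n] for n in range(2, 15)], key=len, reverse=True))
_ENC_RE = re.compile(rf"(?:^|\s)[-/](?:{_ENC_SWITCH})\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# (tag, pattern) pairs matched against the visible command line plus the
# decoded payload.  Tag names are this example's own.
_RULES = [
    ("defender_exclusion",
     r"\b(?:Set|Add)-MpPreference\b[^\n]*-Exclusion(?:Path|Process|Extension)"),
    ("sleep_disabled",
     r"\bpowercfg(?:\.exe)?\s+[-/](?:x|change)\s+-?(?:hibernate|standby|monitor)-timeout-(?:ac|dc)\s+0\b"),
    ("scheduled_task_create", r"\bschtasks(?:\.exe)?\s+/create\b|\bRegister-ScheduledTask\b"),
    ("scheduled_task_run", r"\bschtasks(?:\.exe)?\s+/run\b|\bStart-ScheduledTask\b"),
    ("task_runlevel_highest", r"/rl\s+highest\b|-RunLevel\s+['\"]?Highest\b"),
]
_TASK_NAME_RE = re.compile(r"(?:/tn|-TaskName)\s+['\"]*([^'\"\s]+)", re.IGNORECASE)
_TASK_BIN_RE = re.compile(r"(?:/tr|-Execute)\s+['\"]+([^'\"]+)", re.IGNORECASE)
_EXCL_RE = re.compile(r"-Exclusion(?:Path|Process|Extension)\s+['\"]?([^'\"\s,]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Plaintext of a -EncodedCommand blob (base64 of UTF-16LE), or None when
    the command line has none or the blob does not decode."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_cmdline(cmdline: str) -> dict:
    """Tag one command line and pull out the task name, task binary and any
    Defender exclusion targets.  Rules see both the raw line and, when
    present, the decoded -EncodedCommand payload."""
    decoded = decode_encoded_command(cmdline)
    scan = cmdline if decoded is None else cmdline + "\n" + decoded
    tags = ["encoded_powershell"] if decoded is not None else []
    tags += [tag for tag, pat in _RULES if re.search(pat, scan, re.IGNORECASE)]
    name = _TASK_NAME_RE.search(scan)
    binary = _TASK_BIN_RE.search(scan)
    if binary and re.search(r"\\AppData\\", binary.group(1), re.IGNORECASE):
        tags.append("task_binary_in_appdata")
    return {
        "tags": tags,
        "decoded": decoded,
        "task_name": name.group(1) if name else None,
        "task_binary": binary.group(1) if binary else None,
        "exclusion_paths": _EXCL_RE.findall(scan),
    }


def triage_all(cmdlines=SAMPLE_CMDLINES) -> dict:
    """Tag counts over a whole process tree; the combination is the signal."""
    counts: dict = {}
    for c in cmdlines:
        for t in triage_cmdline(c)["tags"]:
            counts[t] = counts.get(t, 0) + 1
    return counts


if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        r = triage_cmdline(c)
        print(r["tags"], r["task_name"], r["task_binary"], r["exclusion_paths"])
        if r["decoded"]:
            print("  decoded:", r["decoded"])
    print(triage_all())
```

On this tree the decoder returns Set-MpPreference -ExclusionPath C:\ for PID 408's command line, and the aggregate shows every tag exactly once: an encoded Defender exclusion of the whole system drive, a sleep-inhibiting powercfg chain, a highest-run-level logon task whose binary lives under AppData, and an immediate run of that task. Any one of them has benign uses; all of them on one host is what the sandbox is showing you.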
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 944B
MD5: 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1: c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256: 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512: 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize: 1KB
MD5: 9b91b78e0eb90a88923429ebeda345de
SHA1: b3c7af0b3dafaed8a07d0fd895907981f4119099
SHA256: 59e292eaf38a5264a6a961eb5bb3e040ce5df19215b6ed96a412ef1983800bad
SHA512: 80867909f049922de2eaf64d1144d3a419f1b5e130583877b0542963da8fa60c37a2c80989310f81d854ef13527bf51d70c430e3ab7e627f38d1366f484530ed
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 9.8MB (listed four times in the report with identical hashes)
MD5: 47b23e6a12591b9da45e69c443c60047
SHA1: c93142e757e8b433b8399c67c2683109206c38f6
SHA256: 184b289d4805a2ddb2ffee544da05890b7b9f30569cfceb1b19563b3a98f520e
SHA512: bb9882ecd2c1361694709fbb6fe75a8f7c7b184762317d5a639b9f12b80528289c31ba8328514a8d46dfc62f54bf776baa516f97e248d4e1580ac3f43681fcb4
-
Filesize: 592KB (listed twice; the hashes are those of the submitted sample, see General)
MD5: 24fb841fd911564455e110be09838898
SHA1: 26cd8755406627964ffcabc8a2addb8d1b8e2e48
SHA256: 8dc089fd8fa7592e92ae50e19b2be9778db70fa4ca84af6f8dda27af4851faf5
SHA512: 40e5a47a69ff3c673dc702ea4fc1bc7f57c78631846f03e474920fe648d8f742419f4cb150d2036cdaa1a9ce8d0308be05d463a73fd1e39d8d7924e6015d7367