Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
146s -
max time network
118s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
30/12/2023, 16:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
06eba72841ac172379cd2d2c137ec5e8.exe
Resource
win7-20231215-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
06eba72841ac172379cd2d2c137ec5e8.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
06eba72841ac172379cd2d2c137ec5e8.exe
-
Size
152KB
-
MD5
06eba72841ac172379cd2d2c137ec5e8
-
SHA1
027de096f10c982d7db4f26dc20375623f1f61c3
-
SHA256
61d97c95c3bdc62dc5f4bcc43306576b709b526b93b71958e53f9d8fa06824f4
-
SHA512
f9078b519571cfc7690c5ebd07f59f1ee9b750c4f2b0c1faa92c7b9916dc19a6f16a1ac59c28f78d9b01b2405564153d21d62e8738f0e576ae5b9b8447cbf4c6
-
SSDEEP
3072:V5EG3HCzwrCaHHvhtbz0wXtV2eZDEUXni7fo7KSif8xWM33r3k1jTCZU4oQZiEgv:sGXCzwrCW/0AHa8nuo7KSif8xWM33r3Q
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 06eba72841ac172379cd2d2c137ec5e8.exe Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" qoeun.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation 06eba72841ac172379cd2d2c137ec5e8.exe -
Executes dropped EXE 1 IoCs
pid Process 4544 qoeun.exe -
Adds Run key to start application 2 TTPs 52 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /h" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /w" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /Y" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /z" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /S" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /u" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /H" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /k" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /f" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /e" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /P" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /N" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /r" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /L" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /j" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /q" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /p" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /X" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /c" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /O" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /i" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /R" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /I" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /D" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /J" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /K" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /T" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /U" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /o" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /y" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /l" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /s" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /d" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /x" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /M" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /G" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /W" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /n" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /a" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /v" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /g" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /A" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /t" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /E" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /b" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /B" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /Z" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /F" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /A" 06eba72841ac172379cd2d2c137ec5e8.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /Q" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /V" qoeun.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoeun = "C:\\Users\\Admin\\qoeun.exe /m" qoeun.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4524 06eba72841ac172379cd2d2c137ec5e8.exe 4524 06eba72841ac172379cd2d2c137ec5e8.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe 4544 qoeun.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4524 06eba72841ac172379cd2d2c137ec5e8.exe 4544 qoeun.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4524 wrote to memory of 4544 4524 06eba72841ac172379cd2d2c137ec5e8.exe 89 PID 4524 wrote to memory of 4544 4524 06eba72841ac172379cd2d2c137ec5e8.exe 89 PID 4524 wrote to memory of 4544 4524 06eba72841ac172379cd2d2c137ec5e8.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\06eba72841ac172379cd2d2c137ec5e8.exe"C:\Users\Admin\AppData\Local\Temp\06eba72841ac172379cd2d2c137ec5e8.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4524 -
C:\Users\Admin\qoeun.exe"C:\Users\Admin\qoeun.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4544
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152KB
MD5e08c89f4861f101e0802f3934ff320ef
SHA15c0aef8d1478abf3e16cd8ed1a809443d92af26f
SHA25681503e015f9e74f74918e21ea1a9d66653277b88d5909b7645abc25ed80a1674
SHA512a56910e0ec399864f8f3082366cf555385b877ffe714a034b60f327b050603adb10443ddfccdbd5ccebf524ac72282170c98829fd9eee7e74dad63048452a578