Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

66e876c02a...bf.exe

windows7-x64

8

66e876c02a...bf.exe

windows10-2004-x64

8

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDIR/UAC.dll

windows7-x64

3

$PLUGINSDIR/UAC.dll

windows10-2004-x64

3

$PLUGINSDI...fo.dll

windows7-x64

3

$PLUGINSDI...fo.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

$PROGRAMFI...it.dll

windows7-x64

1

$PROGRAMFI...it.dll

windows10-2004-x64

1

$PROGRAMFI...ge.dll

windows7-x64

1

$PROGRAMFI...ge.dll

windows10-2004-x64

1

$PROGRAMFI...er.dll

windows7-x64

1

$PROGRAMFI...er.dll

windows10-2004-x64

1

qoit.exe

windows7-x64

7

qoit.exe

windows10-2004-x64

7

retook.exe

windows7-x64

8

retook.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/01/2024, 06:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    qoit.exe

  • Size

    197KB

  • MD5

    4a5f97f2d4ba48afb818f4cf45815c7d

  • SHA1

    eea689be8c284615b6a5e68627963392f93f508a

  • SHA256

    086489a8a319c510fcd611d9d5adf08b5b42f977424f6740e968ad33085bfe68

  • SHA512

    b51d93f3925abc7dbfa36f63b1103c9035f2f0e85e7d5ec6817c9b12702d92dd39d26e0a6ec545c4f8bfe4c7c2465e48d62372a725d96d17130d737dcc8f2c05

  • SSDEEP

    3072:8WzpQ31AGXxU829DwivpY/2mp4YqF05luFVgsI5/DuT61m:8MKfXSv90ivpA2IluFVgsI5/

Score
7/10

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 5 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\qoit.exe
    "C:\Users\Admin\AppData\Local\Temp\qoit.exe"
    1⤵
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:4860
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 544
      2⤵
      • Program crash
      PID:1088
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 892
      2⤵
      • Program crash
      PID:4100
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 580
      2⤵
      • Program crash
      PID:4208
    • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
      "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: AddClipboardFormatListener
      PID:4460
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 564
        3⤵
        • Program crash
        PID:4804
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 564
        3⤵
        • Program crash
        PID:1552
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4860 -ip 4860
    1⤵
      PID:5004
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4860 -ip 4860
      1⤵
        PID:4276
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4860 -ip 4860
        1⤵
          PID:3656
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4460 -ip 4460
          1⤵
            PID:3508
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4460 -ip 4460
            1⤵
              PID:4852

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
              Filesize

              197KB

              MD5

              4a5f97f2d4ba48afb818f4cf45815c7d

              SHA1

              eea689be8c284615b6a5e68627963392f93f508a

              SHA256

              086489a8a319c510fcd611d9d5adf08b5b42f977424f6740e968ad33085bfe68

              SHA512

              b51d93f3925abc7dbfa36f63b1103c9035f2f0e85e7d5ec6817c9b12702d92dd39d26e0a6ec545c4f8bfe4c7c2465e48d62372a725d96d17130d737dcc8f2c05

              Download Submit

            • memory/4460-14-0x0000000002CF0000-0x0000000002DF0000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/4460-15-0x0000000000400000-0x0000000002CC1000-memory.dmp

              Filesize

              40.8MB

              Download

            • memory/4460-18-0x0000000002CF0000-0x0000000002DF0000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/4860-1-0x0000000002F20000-0x0000000003020000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/4860-2-0x00000000048D0000-0x00000000048F6000-memory.dmp

              Filesize

              152KB

              Download

            • memory/4860-4-0x0000000000400000-0x0000000002CC1000-memory.dmp

              Filesize

              40.8MB

              Download

            • memory/4860-12-0x0000000000400000-0x0000000002CC1000-memory.dmp

              Filesize

              40.8MB

              Download

            • memory/4860-13-0x00000000048D0000-0x00000000048F6000-memory.dmp

              Filesize

              152KB

              Download