Analysis

Max time kernel: 154s
Max time network: 160s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 28/01/2024, 22:40

Static task: static1

Behavioral task: behavioral1
Sample: 7e3153075809929b5f9057852911a159.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 7e3153075809929b5f9057852911a159.exe
Resource: win10v2004-20231215-en
General

Target: 7e3153075809929b5f9057852911a159.exe
Size: 526KB
MD5: 7e3153075809929b5f9057852911a159
SHA1: 8cac2d077d6a0341aa530b0e7a606563f04a0842
SHA256: adfea118626d039df9b85e4883893ecd5739db471df35bcad218f6776320019c
SHA512: ac3686bfe81f187d144bc7a4f2b973d84a64354856e3654109b42e2d0be3bc03c2213098bd6c3ab2ee9a40d0006217721e1d500a6d6d2215093384d3002bfbd6
SSDEEP: 12288:abupo70X4yQySH6u40Prkl84/0zGoPqLbI16MMcxwireV:ak+0Xh46N+2czaPE6MHxw7
Malware Config
Signatures

Sets file execution options in registry (2 TTPs, 2 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe | qvodsetuls6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger = "services.exe" | qvodsetuls6.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | 7e3153075809929b5f9057852911a159.exe

Executes dropped EXE (3 IoCs)
pid | process
1876 | QvodSetup5.exe
2436 | qvodsetuls6.exe
3884 | ~24070446.exe

resource | yara_rule
behavioral2/files/0x000800000002312d-5.dat | upx
behavioral2/memory/1876-18-0x0000000000400000-0x00000000004E7000-memory.dmp | upx
behavioral2/files/0x0008000000023131-16.dat | upx
behavioral2/memory/2436-21-0x0000000000400000-0x0000000000410000-memory.dmp | upx
behavioral2/memory/1876-30-0x0000000000400000-0x00000000004E7000-memory.dmp | upx
behavioral2/memory/2436-31-0x0000000000400000-0x0000000000410000-memory.dmp | upx
behavioral2/memory/1876-32-0x0000000000400000-0x00000000004E7000-memory.dmp | upx
behavioral2/memory/1876-33-0x0000000000400000-0x00000000004E7000-memory.dmp | upx
behavioral2/memory/2436-34-0x0000000000400000-0x0000000000410000-memory.dmp | upx
behavioral2/memory/1876-35-0x0000000000400000-0x00000000004E7000-memory.dmp | upx
behavioral2/memory/2436-36-0x0000000000400000-0x0000000000410000-memory.dmp | upx
behavioral2/memory/2436-46-0x0000000000400000-0x0000000000410000-memory.dmp | upx
behavioral2/memory/1876-49-0x0000000000400000-0x00000000004E7000-memory.dmp | upx
behavioral2/memory/1876-57-0x0000000000400000-0x00000000004E7000-memory.dmp | upx

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msconfig = "C:\\Windows\\system32\\3mHvM.exe" | qvodsetuls6.exe

Drops file in System32 directory (1 IoC)
description | ioc | process
File created | C:\Windows\SysWOW64\3mHvM.exe | qvodsetuls6.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (28 IoCs)
pid | process | entries
2436 | qvodsetuls6.exe | 20
3884 | ~24070446.exe | 8

Suspicious behavior: LoadsDriver (1 IoC)
pid | process
664 | Process not Found

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | process
Token: SeDebugPrivilege | 2436 | qvodsetuls6.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | process
1876 | QvodSetup5.exe
1876 | QvodSetup5.exe

Suspicious use of SendNotifyMessage (2 IoCs)
pid | process
1876 | QvodSetup5.exe
1876 | QvodSetup5.exe

Suspicious use of WriteProcessMemory (12 IoCs; each row is reported three times)
description | pid | process | procid_target
PID 3624 wrote to memory of 1876 | 3624 | 7e3153075809929b5f9057852911a159.exe | 83
PID 3624 wrote to memory of 2436 | 3624 | 7e3153075809929b5f9057852911a159.exe | 84
PID 2436 wrote to memory of 3884 | 2436 | qvodsetuls6.exe | 93
PID 3884 wrote to memory of 2616 | 3884 | ~24070446.exe | 94
Processes

1. C:\Users\Admin\AppData\Local\Temp\7e3153075809929b5f9057852911a159.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7e3153075809929b5f9057852911a159.exe"
   PID: 3624
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\QvodSetup5.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\QvodSetup5.exe"
      PID: 1876
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

   2. C:\Users\Admin\AppData\Local\Temp\qvodsetuls6.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\qvodsetuls6.exe"
      PID: 2436
      - Sets file execution options in registry
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\~24070446.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\~24070446.exe
         PID: 3884
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\cmd.exe
            Command line: cmd
            PID: 2616
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 540KB
MD5: 59e20e2ec60d5946ad54b64a3deb1c83
SHA1: 7027c9308b7b2d14ff9fd7b81efa81a1c9a0ec68
SHA256: 538c299746b0afa502968f74f13220069a204e06d008c429a19762ee7ae097bc
SHA512: 283824f4d63fdef8eba6a078dc7dcaff401cc13aee6e3c970f0505772b4b1525e2ad805dc2e90b3140f3d9523ea7db575eaf860db60f6c2b4a8edb289d447aa9

Filesize: 29KB
MD5: 5550879adc6a6ebf760cf296f9172f1c
SHA1: ab201c39912c03676879b8e62c60c767cc28e6c8
SHA256: dac91f0fcc4efb31c8ce2dddb3480ed90f8497cc944e6f3c433a2fc921fdbf8c
SHA512: 0edc06c780285fb1ab5b55d2f63ace3960da5330f2a92566dd7297411deee5235ec0ea03af3f51096db75ee76d05b8ec47974789799bfdeffda3e8645f51fa56

Filesize: 8KB
MD5: 94ec28c475c828a7ba7f53e8a72de448
SHA1: 5df58c1c609a04f750d7967510d305867c6748ed
SHA256: 4150ca7cdbc9bc46c835e4aa230648f1ba497cff0a6b102aa97cdfbe433347b0
SHA512: 7a5c45baaac5b960fdf2b11b06e3818744878ae9d3dcdfa0a535f4ac43cf6fa7117b75d2512c669d3ba81d4e4e49e4d054b2dec9c8d9da5daa65b9027187080c