Analysis
max time kernel: 149s
max time network: 116s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/02/2024, 07:19
Static task
static1
Behavioral task
behavioral1
Sample
a1452855f38bf6643d8b1415899cdcca.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
a1452855f38bf6643d8b1415899cdcca.exe
Resource
win10v2004-20240221-en
General
-
Target
a1452855f38bf6643d8b1415899cdcca.exe
-
Size
152KB
-
MD5
a1452855f38bf6643d8b1415899cdcca
-
SHA1
686ecba96fc819d5578fe8b75d80357c25d702df
-
SHA256
b31b11c95a5c479bbe367ce10093a6a83874bf53ac782e65dd49476fd6f8e2a7
-
SHA512
0fbfaf068388abc582553dbebd0d277efbd6e5b256fe0fbfce9a3a88679c381b575f81e79b8eb6ce1b85d1852046c740fe0265cb6867db772f2ac27f173d7394
-
SSDEEP
3072:L3s7vl3Po5+tTjFqV+t3DRGCKBiAKWjE5j4oQ:MQ5+t8+NDR5Aud
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | qhcieq.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | a1452855f38bf6643d8b1415899cdcca.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation | a1452855f38bf6643d8b1415899cdcca.exe
Executes dropped EXE 1 IoCs
pid | Process
972 | qhcieq.exe
Adds Run key to start application 2 TTPs 51 IoCs
description | ioc | Process
All 51 IoCs are "Set value (str)" writes to the same key, \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qhcieq; the value written and the writing process were:
"C:\\Users\\Admin\\qhcieq.exe /b" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /o" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /y" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /Z" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /K" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /u" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /A" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /l" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /e" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /v" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /W" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /E" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /m" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /F" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /U" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /w" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /T" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /R" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /c" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /L" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /n" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /a" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /H" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /P" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /f" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /z" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /t" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /X" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /V" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /C" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /g" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /p" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /s" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /I" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /D" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /r" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /G" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /q" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /N" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /x" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /h" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /d" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /j" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /J" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /Y" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /k" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /S" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /I" | a1452855f38bf6643d8b1415899cdcca.exe
"C:\\Users\\Admin\\qhcieq.exe /Q" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /M" | qhcieq.exe
"C:\\Users\\Admin\\qhcieq.exe /i" | qhcieq.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1880 | a1452855f38bf6643d8b1415899cdcca.exe (2 IoCs)
972 | qhcieq.exe (62 IoCs)
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
1880 | a1452855f38bf6643d8b1415899cdcca.exe
972 | qhcieq.exe
Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 1880 wrote to memory of 972 | 1880 | a1452855f38bf6643d8b1415899cdcca.exe | 96
PID 1880 wrote to memory of 972 | 1880 | a1452855f38bf6643d8b1415899cdcca.exe | 96
PID 1880 wrote to memory of 972 | 1880 | a1452855f38bf6643d8b1415899cdcca.exe | 96
Processes
-
Path: C:\Users\Admin\AppData\Local\Temp\a1452855f38bf6643d8b1415899cdcca.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a1452855f38bf6643d8b1415899cdcca.exe"
Depth: 1
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1880
Path: C:\Users\Admin\qhcieq.exe
Command line: "C:\Users\Admin\qhcieq.exe"
Depth: 2 (child of PID 1880)
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 972
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 152KB
MD5: a680f530100967c9504ba37e08dd305b
SHA1: 0f510ea5d8b7da07b3efb596f0d3ae76ea55fcb3
SHA256: 283fb387f8a6aa41a3df44af545081d1cdd146b1db78704f15f2f95482d496b2
SHA512: ae91f1a3a9cfdf196e2e0fef142136d2c4ae55548cda83cc4fc4f9a4cd48f35720dfa410fc4bd7fc2956913870f14e983715eba6c3dfd7e2a94a0663d5906eed