Overview

Task                    Platform              Score
overview                -                     8
static                  -                     3
ea67267905...18.exe     windows7-x64          8
ea67267905...18.exe     windows10-2004-x64    8
$PLUGINSDI...em.dll     windows7-x64          3
$PLUGINSDI...em.dll     windows10-2004-x64    3
$PLUGINSDIR/UAC.dll     windows7-x64          3
$PLUGINSDIR/UAC.dll     windows10-2004-x64    3
$PLUGINSDI...fo.dll     windows7-x64          3
$PLUGINSDI...fo.dll     windows10-2004-x64    3
$PLUGINSDI...gs.dll     windows7-x64          3
$PLUGINSDI...gs.dll     windows10-2004-x64    3
$PROGRAMFI...it.dll     windows7-x64          1
$PROGRAMFI...it.dll     windows10-2004-x64    1
$PROGRAMFI...ge.dll     windows7-x64          1
$PROGRAMFI...ge.dll     windows10-2004-x64    1
$PROGRAMFI...er.dll     windows7-x64          1
$PROGRAMFI...er.dll     windows10-2004-x64    1
frey.exe                windows7-x64          7
frey.exe                windows10-2004-x64    7
vts.exe                 windows7-x64          8
vts.exe                 windows10-2004-x64    8

Analysis
max time kernel: 148s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 09/04/2024, 16:19
Static task: static1

Behavioral tasks
Task           Sample                                               Resource
behavioral1    ea6726790536078f1519a965c44a11e8_JaffaCakes118.exe   win7-20240221-en
behavioral2    ea6726790536078f1519a965c44a11e8_JaffaCakes118.exe   win10v2004-20240226-en
behavioral3    $PLUGINSDIR/System.dll                               win7-20240221-en
behavioral4    $PLUGINSDIR/System.dll                               win10v2004-20240226-en
behavioral5    $PLUGINSDIR/UAC.dll                                  win7-20231129-en
behavioral6    $PLUGINSDIR/UAC.dll                                  win10v2004-20240226-en
behavioral7    $PLUGINSDIR/UserInfo.dll                             win7-20240221-en
behavioral8    $PLUGINSDIR/UserInfo.dll                             win10v2004-20240226-en
behavioral9    $PLUGINSDIR/nsDialogs.dll                            win7-20240220-en
behavioral10   $PLUGINSDIR/nsDialogs.dll                            win10v2004-20240226-en
behavioral11   $PROGRAMFILES/foler/olader/acledit.dll               win7-20240221-en
behavioral12   $PROGRAMFILES/foler/olader/acledit.dll               win10v2004-20231215-en
behavioral13   $PROGRAMFILES/foler/olader/acppage.dll               win7-20240215-en
behavioral14   $PROGRAMFILES/foler/olader/acppage.dll               win10v2004-20240226-en
behavioral15   $PROGRAMFILES/foler/olader/adprovider.dll            win7-20240221-en
behavioral16   $PROGRAMFILES/foler/olader/adprovider.dll            win10v2004-20240226-en
behavioral17   frey.exe                                             win7-20240221-en
behavioral18   frey.exe                                             win10v2004-20240319-en
behavioral19   vts.exe                                              win7-20240221-en
behavioral20   vts.exe                                              win10v2004-20240226-en
General
Target: vts.exe
Size: 917KB
MD5: bbecb93aeacc1abf8cee9d9b91833900
SHA1: 97d303be086f700918a9ddf4da58685961526738
SHA256: 844922b5e7c0681325cfd27ece32c4c8a319c6054d4e2dd6d5b7f22ed31c22db
SHA512: af59d9ad84bc3381eb556f78d8578b76db145048fca4bfd48afa31cd03a54d75ae806f30b3f01207a5a75cf188735154c79dc5f494f5785a52b4868979150cc7
SSDEEP: 12288:KJv3ZOdEktgWXuuHEXqBHaYfdHIXVCvQVW7en0RnK9Fuw69oWQo71abz6cLpm1u:K1gW7ukaBHaOh8V5vsmFdMR4zRLpyu
Malware Config
Signatures

Blocklisted process makes network request (3 IoCs)
flow  pid   Process
38    1612  WScript.exe
40    1612  WScript.exe
42    1612  WScript.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
description        ioc                                                                                                      Process
Key value queried  \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation   Quel.exe.com

Executes dropped EXE (2 IoCs)
pid   Process
4216  Quel.exe.com
4072  Quel.exe.com

Adds Run key to start application (2 TTPs, 1 IoC)
description      ioc                                                                                                                                                                                                                      Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""   vts.exe
Caveat: RunOnce\wextract_cleanup<N> pointing at advpack.dll,DelNodeRunDLL32 is the cleanup entry that the Windows IExpress self-extractor (wextract) writes so that its extraction directory (here IXP000.TMP) is deleted at the next logon. It removes files rather than launching anything, so this IoC shows that vts.exe is an IExpress package, not that the sample persists through a Run key.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
flow  ioc
37    iplogger.org
38    iplogger.org

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
21    ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                             Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                 Quel.exe.com
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Quel.exe.com

Modifies registry class (1 IoC)
description  ioc                                                                                   Process
Key created  \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings   Quel.exe.com

Runs ping.exe (1 TTP, 1 IoC)
pid   Process
3980  PING.EXE

Suspicious use of FindShellTrayWindow (6 IoCs)
pid   Process
4216  Quel.exe.com (reported 3 times)
4072  Quel.exe.com (reported 3 times)

Suspicious use of SendNotifyMessage (6 IoCs)
pid   Process
4216  Quel.exe.com (reported 3 times)
4072  Quel.exe.com (reported 3 times)

Suspicious use of WriteProcessMemory (24 IoCs; each row below is reported 3 times)
description                        pid   Process       procid_target
PID 3944 wrote to memory of 2756   3944  vts.exe       88
PID 3944 wrote to memory of 4268   3944  vts.exe       89
PID 4268 wrote to memory of 3260   4268  cmd.exe       91
PID 3260 wrote to memory of 1940   3260  cmd.exe       92
PID 3260 wrote to memory of 4216   3260  cmd.exe       93
PID 3260 wrote to memory of 3980   3260  cmd.exe       94
PID 4216 wrote to memory of 4072   4216  Quel.exe.com  95
PID 4072 wrote to memory of 1612   4072  Quel.exe.com  105
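The "Adds Run key" signature above fires on any write under Run/RunOnce, so an analyst has to tell a real autostart entry apart from the IExpress cleanup entry. The following Python check is an added example, not part of the tria.ge report or its signature engine: it parses a RunOnce value name and data, recognises the wextract_cleanup pattern (rundll32 advpack.dll,DelNodeRunDLL32 "<dir>") and returns the directory that will be deleted, and classifies anything else as persistence. The first input is the value from this report; the second is a constructed, hypothetical Run entry used only for contrast.

```python
import re

# Value from this report (backslashes written out, tria.ge's own escaping removed).
REPORT_VALUE_NAME = ("\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows"
                     "\\CurrentVersion\\RunOnce\\wextract_cleanup0")
REPORT_VALUE_DATA = ("rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "
                     "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"")

# Constructed, hypothetical persistence entry for contrast; NOT from the report.
FAKE_PERSIST_NAME = ("\\REGISTRY\\USER\\S-1-5-21-0-0-0-1000\\SOFTWARE\\Microsoft\\Windows"
                     "\\CurrentVersion\\Run\\Updater")
FAKE_PERSIST_DATA = "\"C:\\Users\\Admin\\AppData\\Roaming\\Updater\\svc.exe\" /silent"

# wextract names its entry wextract_cleanup<N> under RunOnce ...
CLEANUP_NAME_RE = re.compile(r"\\CurrentVersion\\RunOnce\\wextract_cleanup\d+$", re.I)
# ... and the data is rundll32 calling advpack!DelNodeRunDLL32 on the quoted extraction dir.
CLEANUP_DATA_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+\S*advpack\.dll,DelNodeRunDLL32\s+"(?P<dir>[^"]+)"\s*$', re.I)
# IExpress extraction directories are named IXP<nnn>.TMP under the user's Temp.
IXP_DIR_RE = re.compile(r"\\Temp\\IXP\d{3}\.TMP\\?$", re.I)


def classify_run_value(name, data):
    """Return ('iexpress-cleanup', <dir to be deleted>) for a wextract cleanup entry,
    ('cleanup-unusual-dir', <dir>) if the shape matches but the target is not an IXP dir,
    or ('persistence', <command>) for anything else under Run/RunOnce."""
    m = CLEANUP_DATA_RE.match(data)
    if CLEANUP_NAME_RE.search(name) and m:
        target = m.group("dir")
        if IXP_DIR_RE.search(target):
            return "iexpress-cleanup", target
        return "cleanup-unusual-dir", target
    return "persistence", data


if __name__ == "__main__":
    print(classify_run_value(REPORT_VALUE_NAME, REPORT_VALUE_DATA))
    print(classify_run_value(FAKE_PERSIST_NAME, FAKE_PERSIST_DATA))
```

The "cleanup-unusual-dir" branch exists because the value name is trivially spoofable: a sample that names its own entry wextract_cleanup0 but points DelNodeRunDLL32 somewhere other than an IXP directory deserves a second look rather than an automatic dismissal.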
Processes

C:\Users\Admin\AppData\Local\Temp\vts.exe  (depth 1, PID 3944)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\vts.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\dllhost.exe  (depth 2, PID 2756)
    cmdline: dllhost.exe

  C:\Windows\SysWOW64\cmd.exe  (depth 2, PID 4268)
    cmdline: cmd /c cmd < Giu.mui
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 3260)
      cmdline: cmd
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\findstr.exe  (depth 4, PID 1940)
        cmdline: findstr /V /R "^kQLkrNVqMvVPjUboJryRqVXWRCKioBIlzPmMjILBcJFMqlgOxKxlShsdTPxBeNRkOLcvxKVqsEcdfkVGhVNnubsunpTbglnIRxYgORx$" Sento.mui

      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Quel.exe.com  (depth 4, PID 4216)
        cmdline: Quel.exe.com h
        - Executes dropped EXE
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Quel.exe.com  (depth 5, PID 4072)
          cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Quel.exe.com h
          - Checks computer location settings
          - Executes dropped EXE
          - Checks processor information in registry
          - Modifies registry class
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\WScript.exe  (depth 6, PID 1612)
            cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\qhgoqspnpctk.vbs"
            - Blocklisted process makes network request

      C:\Windows\SysWOW64\PING.EXE  (depth 4, PID 3980)
        cmdline: ping ETDALPOV -n 30
        - Runs ping.exe
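The process tree above is the part of this report an analyst actually reads: an IExpress package (vts.exe) spawns cmd with its commands fed from a .mui file, findstr /V filters one long marker line out of a second .mui file, a dropped binary with a double .exe.com extension runs itself twice, and the second copy launches WScript on a .vbs in Temp while ping -n 30 waits. The Python below is an added example, not tria.ge code: it rebuilds parent/child links from the WriteProcessMemory IoCs listed in the Signatures section, then runs a few command-line and ancestry heuristics that capture this loader pattern. The IoC lines and command lines are copied from this report (constructed as inline strings); the thresholds (marker length of 32+, ping count of 10+) are my own assumptions.

```python
import re

# Constructed input: the deduplicated WriteProcessMemory IoCs from this report
# (tria.ge prints each row three times; one copy is enough to recover parent -> child).
WPM_IOCS = """\
PID 3944 wrote to memory of 2756 3944 vts.exe 88
PID 3944 wrote to memory of 4268 3944 vts.exe 89
PID 4268 wrote to memory of 3260 4268 cmd.exe 91
PID 3260 wrote to memory of 1940 3260 cmd.exe 92
PID 3260 wrote to memory of 4216 3260 cmd.exe 93
PID 3260 wrote to memory of 3980 3260 cmd.exe 94
PID 4216 wrote to memory of 4072 4216 Quel.exe.com 95
PID 4072 wrote to memory of 1612 4072 Quel.exe.com 105
"""

MARKER = ("kQLkrNVqMvVPjUboJryRqVXWRCKioBIlzPmMjILBcJFMqlgOxKxlShsdTPxBeNRkOLcvxKVqs"
          "EcdfkVGhVNnubsunpTbglnIRxYgORx")

# Command lines per PID, copied from the process list in this report.
CMDLINES = {
    3944: '"C:\\Users\\Admin\\AppData\\Local\\Temp\\vts.exe"',
    2756: "dllhost.exe",
    4268: "cmd /c cmd < Giu.mui",
    3260: "cmd",
    1940: f'findstr /V /R "^{MARKER}$" Sento.mui',
    4216: "Quel.exe.com h",
    4072: "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\Quel.exe.com h",
    3980: "ping ETDALPOV -n 30",
    1612: '"C:\\Windows\\System32\\WScript.exe" '
          '"C:\\Users\\Admin\\AppData\\Local\\Temp\\qhgoqspnpctk.vbs"',
}

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+$")


def parse_parents(text):
    """child PID -> (parent PID, parent image). Repeated IoC rows collapse into one entry."""
    parents = {}
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            parents[int(m.group(2))] = (int(m.group(1)), m.group(3))
    return parents


def lineage(pid, parents):
    """[pid, parent, grandparent, ...] up to the root the IoCs know about."""
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]][0])
    return chain


def flag_cmdline(cmdline):
    """Per-process heuristics for the batch-loader pattern; returns a list of reasons."""
    found = []
    low = cmdline.lower()
    exe = cmdline.split()[0].strip('"').lower()       # image as invoked
    base = exe.split("\\")[-1]
    m = re.search(r"<\s*([^\s\"]+)", cmdline)        # stdin redirected from a file
    if base in ("cmd", "cmd.exe") and m and not m.group(1).lower().endswith((".bat", ".cmd")):
        found.append(f"cmd takes its commands from non-script file {m.group(1)}")
    m = re.search(r'findstr\s+/V\s+/R\s+"\^([^"]+)\$"\s+(\S+)', cmdline, re.I)
    if m and len(m.group(1)) >= 32 and m.group(1).isalnum():
        found.append(f"findstr /V drops one long random marker line from {m.group(2)}")
    m = re.search(r"\bping\b.*\s-n\s+(\d+)", low)
    if m and int(m.group(1)) >= 10:
        found.append(f"ping -n {m.group(1)} used as a sleep")
    if exe.endswith(".exe.com"):
        found.append("double extension .exe.com")
    if base == "wscript.exe" and "\\appdata\\local\\temp\\" in low and low.rstrip('"').endswith(".vbs"):
        found.append("WScript runs a .vbs from the user's Temp directory")
    return found


def analyze(wpm_text=WPM_IOCS, cmdlines=CMDLINES):
    """pid -> reasons, for every process that triggered at least one heuristic."""
    parents = parse_parents(wpm_text)
    report = {}
    for pid, cmdline in cmdlines.items():
        reasons = flag_cmdline(cmdline)
        ancestors = [parents[p][1] for p in lineage(pid, parents)[:-1]]
        base = cmdline.split()[0].strip('"').lower().split("\\")[-1]
        # Ancestry check: a script host whose chain passes through a renamed .exe.com binary.
        if base == "wscript.exe" and any(a.lower().endswith(".exe.com") for a in ancestors):
            reasons.append("script host launched under a .exe.com binary: " + " <- ".join(ancestors))
        if reasons:
            report[pid] = reasons
    return report


if __name__ == "__main__":
    for pid, reasons in analyze().items():
        print(pid, CMDLINES[pid])
        for r in reasons:
            print("   ", r)
```

Only the command lines and the IoC rows are inputs; the tree itself is derived, which is the point: on a host without a sandbox report the same parse works over Sysmon event 1 (ParentProcessId/CommandLine) or EDR telemetry, and the ancestry rule is what separates this chain from a user legitimately running a .vbs.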
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 297B
MD5: bd0c2d8e6b0fe0de4a3869c02ee43a85
SHA1: 21d8cca90ea489f88c2953156e6c3dec6945388b
SHA256: 3a3e433f615f99529721ee766ad453b75d73fe213cb1ab74ccbb4c0e32dcd533
SHA512: 496b1285f1e78d50dd79b05fa2cbf4a0b655bb3e4515646be3a7c7cdf85d7db6ab35577aa1e294f3d515d707ca341652b5ae9d4b22197e4480226ef8440294b6

Filesize: 639KB
MD5: 4e8629baecebd43750f2bbe47802bd9f
SHA1: 84f87ce1213739e98d38d9878a535ec130dd2004
SHA256: e7f1abdf2fb4607f636e416b062f5b05a23aeba881a4f09a8083ca19a553811f
SHA512: 3c355d3899100845d04be80b5537881e7ee5fd2516d4c2c89b3f2e511070c5455e8bee5dc6c6b71a0b55d6a9af6cd8a1f97fb4f46ce19a0a1412a5615340724e

Filesize: 139KB
MD5: 0f8a38c30c0a09f00eaf19395d8a40f2
SHA1: 298afde1f0db4b527822370df772b7dc0371b92c
SHA256: aa12257d1c3ee82287d6c617359aaa2592f3bb9d0cca991f89660bb696ba8183
SHA512: ba89f3e76af52d7fb11e0d29c3e68a947611bcf3f18125c3ae2ba4538ff349c0fb13dac573bb3bb76cde231c464f623e266b34cdf58bd0321c96c856795a98be

Filesize: 501B
MD5: c4f3aeb64246483fc44207f319c5b121
SHA1: b1ce99afe2e145d6e7a5d419c0b9e5614f680729
SHA256: 0a718358ad31b418775f66874a055d4174f0f81326cd76513db2e086f908beeb
SHA512: deaf054f84f600b122bc7f2bd71e716fc05e0f2818cfe63b38573a9af7789ddd3134a1b2f796ff131ba1c7cd4bf74c82bd7d5136507288e872648fbe0ababd2a

Filesize: 872KB
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Filesize: 872KB
MD5: 84b0184010185fb22db4d7451492ae5f
SHA1: 6f5a12664555342f958030c118db7e5b78d78d7d
SHA256: ddabd3d20c02f109925f46c56cba701f2bec2cffbe1f3800b2442a6cd4ab3d2d
SHA512: 6d38495a4b85862787c7de720d2e0c71762202c770212cc91a389a8768b80fd920f52adf3e0bc0f8d81fedd15be95afa39d14c96a07617eb476908f088aec814

Filesize: 136B
MD5: c3bcda4b5dfff7a6a73391a68a8e6f3b
SHA1: f51a72e61c05fc8b625a481775f971490a1b6b1b
SHA256: da2c59a5ceaa1642d452d896d65e220b85517430ce87c2debc963b0948b8c5e3
SHA512: 6678f136452db27f5d9699acac6837ee15bb975ee3d0c3d1547dee3e95aa02ccf703c04db2d2ed1cb44c77bf75b15c4c7acdbd066d65febf95f4fc111f8cc541