Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted
21/04/2024, 22:00
Static task
static1
Behavioral task
behavioral1
Sample
59356dc459eb2f627b5136fa383ab9131c7675f98532d0e717f13ca5cc498a5e.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
59356dc459eb2f627b5136fa383ab9131c7675f98532d0e717f13ca5cc498a5e.exe
Resource
win10v2004-20240412-en
General
-
Target
59356dc459eb2f627b5136fa383ab9131c7675f98532d0e717f13ca5cc498a5e.exe
-
Size
53KB
-
MD5
75a8cb2643d609ef51ca4dc53a1cfd11
-
SHA1
ebadd152df8ceec4e4176798b387655462e3dc10
-
SHA256
59356dc459eb2f627b5136fa383ab9131c7675f98532d0e717f13ca5cc498a5e
-
SHA512
4769517ac3f01862c83148c576c05d57ba0b9dbbecf69abbf63ed861dbf6106684ca918120e4b74a8ede49a414b2f72691ed62e3a2eb4a6cea95499ae4f85227
-
SSDEEP
1536:vNfg8r8Qu0S5ticma7Kp3StjEMjmLM3ztDJWZsXy4JzxPMk:g0S5tiKJJjmLM3zRJWZsXy4JN
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description: Set value (int)
ioc: \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Process: fcliq.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation
Process: 59356dc459eb2f627b5136fa383ab9131c7675f98532d0e717f13ca5cc498a5e.exe
Executes dropped EXE 1 IoCs
pid: 4636
Process: fcliq.exe
Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fcliq = "C:\\Users\\Admin\\fcliq.exe"
Process: fcliq.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid: 4636, Process: fcliq.exe (all 64 entries are identical)
Suspicious use of SetWindowsHookEx 2 IoCs
pid: 1344, Process: 59356dc459eb2f627b5136fa383ab9131c7675f98532d0e717f13ca5cc498a5e.exe
pid: 4636, Process: fcliq.exe
Suspicious use of WriteProcessMemory 64 IoCs
description: PID 1344 wrote to memory of 4636; pid: 1344; Process: 59356dc459eb2f627b5136fa383ab9131c7675f98532d0e717f13ca5cc498a5e.exe; procid_target: 91 (3 entries)
description: PID 4636 wrote to memory of 1344; pid: 4636; Process: fcliq.exe; procid_target: 86 (all remaining entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\59356dc459eb2f627b5136fa383ab9131c7675f98532d0e717f13ca5cc498a5e.exe (process tree level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\59356dc459eb2f627b5136fa383ab9131c7675f98532d0e717f13ca5cc498a5e.exe"
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1344 -
C:\Users\Admin\fcliq.exe (process tree level 2, child of PID 1344)
Command line: "C:\Users\Admin\fcliq.exe"
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4636
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
53KB
MD5 9521c68224a0c2da3156621970f5c310
SHA1 db2b9f0f9b9f4f54d36c30b1e2bf62c7cc807783
SHA256 e59c83e94f702c0d875e9b0a6d98a860d1f5a2796b744441a637afdacff679e4
SHA512 b0a8f3eed1a8595880a49ab285f40344e49eaf5893a65ccc36962c81ddf1faee0b92a25f926485841c77f143f1466e2df85b14bfc58c26697bb5399edb8cf77f