Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/10/2024, 06:18

General

  • Target

    win32-Quickq1.5.6.exe

  • Size

    115.6MB

  • MD5

    2fa7d6bc7f4104ef801e07c55e1366c2

  • SHA1

    3b8444be310dafe100072e5cec8530f92c70f941

  • SHA256

    6710f6c71ba74736003dcfd8fd0fc64e918cfa6fc923bd6fbf8bcecebfb4826f

  • SHA512

    7bf5d58a9d707d8a1ef74a74436ecdae58a654ff94e5006ab2fb98c3bed20088ad09dbcd8ba4a1e4ca92b7c8036cbeb3dfa3ba06290b65da7f4ccc9ecfb7c52d

  • SSDEEP

    3145728:eQwQQ81Cvx8qC2G3fwe8O2YxkkCa+w0SPh5BU70yfJS:LxQ2CvyPpnxKJwdJ1yf

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 15 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Kills process with taskkill 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 35 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\win32-Quickq1.5.6.exe
    "C:\Users\Admin\AppData\Local\Temp\win32-Quickq1.5.6.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4184
    • C:\Users\Public\Documents\Playerk.exe
      "C:\Users\Public\Documents\Playerk.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2080
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill -F -IM quickq.exe -t
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:808
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill -F -IM quickq-browser.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4856
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill -F -IM typeperf.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4960
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill -F -IM quickqservice-*
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:656
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c copy "C:\Users\Admin\AppData\Local\QuickQ\User Data\Default\cache.dat" "C:\Users\Admin\AppData\Local\QuickQ\cachebak.dat"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3060
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c copy "C:\Users\Admin\AppData\Local\QuickQ\User Data\Default\cache6.dat" "C:\Users\Admin\AppData\Local\QuickQ\cachebak6.dat"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2288
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c copy "C:\Users\Admin\AppData\Local\QuickQ\cachebak.dat" "C:\Users\Admin\AppData\Local\QuickQ\User Data\Default\cache.dat"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2104
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c copy "C:\Users\Admin\AppData\Local\QuickQ\cachebak6.dat" "C:\Users\Admin\AppData\Local\QuickQ\User Data\Default\cache6.dat"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:936
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe /select,"C:\Users\Admin\AppData\Local\QuickQ\QuickQ.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4800
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /tn "FFWallpaper" /tr "C:\ProgramData\aFbC4K0lgS\FFWall.exe" /sc onlogon /rl highest /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2920
    • C:\ProgramData\aFbC4K0lgS\FFWall.exe
      "C:\ProgramData\aFbC4K0lgS\FFWall.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1344
      • C:\ProgramData\aFbC4K0lgS\ffwallpaper.exe
        "C:\ProgramData\aFbC4K0lgS\ffwallpaper.exe" -b
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:3748
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4656
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2620

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\ProgramData\aFbC4K0lgS\1.jpg

      Filesize

      1KB

      MD5

      44c96c061d47ae0fb61101561f7e8a85

      SHA1

      75045a8983e22d63b18565b831eeadf8f37c4069

      SHA256

      13bb4ed59107f7c04f582118a96cd297d408c83941a34cebbe3d513bed82d422

      SHA512

      7d3ee0a8d2e151265cfa489f91e7fe54657209bd71bef0af8417bc33f973c0a8d7c80f4168b3d7997db90dbea85376d7996bace92a337b1155048b0a59eb02ee

    • C:\ProgramData\aFbC4K0lgS\FFWall.exe

      Filesize

      197KB

      MD5

      ef86482520346d6c4cc9c6f6b6d548c3

      SHA1

      515ae6bc0ff2386e67dbae2e9bce7e135876b694

      SHA256

      ca096b3bfb50abb95fa1472c53eeeed4278a3e78c19f74cc3816b674b2f100de

      SHA512

      ed6d8d7591aabc20cc08ce11ca8969c3932fd7ba1ea1b688507e6b705df408e767cbe275f2a08f548fea429d987460bd4bb8498df2130b7c4522522b89f2f158

    • C:\ProgramData\aFbC4K0lgS\UpdateDriverSdk.dll

      Filesize

      443KB

      MD5

      30f663f7f05e9dae89f7f070acfb11fe

      SHA1

      2808b9c17b6ee986d7d2356bcf14112c089521d2

      SHA256

      9f86859fbb1dccbef4494ac65863556a0ccf9968d1b3df7ea678c51cbdf4b2dc

      SHA512

      9113bcb21e3eef688fdf12bd89a66892a8a572488478ce213a2f2a821f6ce198ee560572e3b5fde4617489a6ddb0007397fb99962ef58aafa50ba774d6cfbc3d

    • C:\ProgramData\aFbC4K0lgS\ffwallpaper.exe

      Filesize

      1.1MB

      MD5

      f4b3b809fae8b79cb131b5f878b1ebeb

      SHA1

      35c517b3fb501d1948a419cb8a51342656562854

      SHA256

      c5a28035d5dfc4814816111cf99cf827942688c4b65c41d150bff6da4d5e4df5

      SHA512

      072fc2bdc8f14b75143f716553249f8eb0453e56a9e8ebf8d5224b11b55ac603f4c440cdf191ac9a96ccba61b606572f8a7c2e7993bd0d4803f47c849729b9d0

    • C:\Users\Admin\AppData\Local\QuickQ\QuickQ.exe

      Filesize

      2.0MB

      MD5

      e686129b7458fb5224061e571327d4cc

      SHA1

      ff8204ff553217e7ebe9c1d4e1a57f952a73ffde

      SHA256

      c8f4e3b5420d0cfd67edfc7c977461a4406819b58bfd7823f65940e686b96bda

      SHA512

      42d71df4899d186aaf825691c63137005f079a7030769302458e9707303c2f5e78d744ef374ec793b3ae905d8f39393167418db0fea49b4585a3ddb6c90ebf6a

    • C:\Users\Admin\AppData\Local\QuickQ\QuickQ.lnk

      Filesize

      1KB

      MD5

      4ba6036c2f308b75809204c7ac6e08a8

      SHA1

      62f2e3c932edf8bbe36b490bdadd0c67de5056ac

      SHA256

      2f036e118d4b2bb9ab2aa1ec867b2d8d9fb736a4bb476f106a32b70a3d49a430

      SHA512

      e4522af1cd46d8e6daaedfef87b4cfe5e5e1d033ec2bc67081102d323bf9adaaca922dc1a124c0a1d30256a737ccc8f6b1d1ebe8d42b9358e2cdeb6cb0ff4e4b

    • C:\Users\Admin\AppData\Local\QuickQ\locales\bg.pak.info

      Filesize

      742KB

      MD5

      d611503e029dab3c1262127dff2f899e

      SHA1

      415ccea2e7e47f294366490fde386d74261f8e33

      SHA256

      d0b585f25524b300bc67a510bb9674558656656d97a145ea13ae43aad3b7b9a6

      SHA512

      97df2a88fa4414c2d8f66aecefe166c5044db2576efc39c76446446850702d0d9e0221476c435f8ec44b38eafae49912f7c81fefd194c919d87f7178b9fc3f4c

    • C:\Users\Admin\AppData\Local\QuickQ\notification_helper.exe

      Filesize

      829KB

      MD5

      eaac99cfa4a5690afafee789f9a6b87f

      SHA1

      05727fc12c50739a0a16f66f7c330f4e2ddff52f

      SHA256

      d48d9f3653245ff18e298a5dacdd046583acbe46b517144da05d16d1787108d4

      SHA512

      468ad28245be075af152641555c88418b70ab4a5300804addd770cab8293478142bfd1bd34bf6fde91f868edd37667206742472b842b1deec7f4e7c4250b0f93

    • C:\Users\Admin\AppData\Local\QuickQ\resource\win32\winproc\4\quickq_winproc.exe

      Filesize

      23KB

      MD5

      2955a0fac28d3951ffa5738ba07de7ce

      SHA1

      30633ca29e79bbecb1e7b074dd2f5783f05c556b

      SHA256

      01b2e339f7205794e3708cebf66db7bb4940e7ae82497244307ff9561a001986

      SHA512

      f1dc5387b4862091ff912be801dd146d6c3a1f913a56cd3040a0ddbfcbc516c448d78606b47f609a3b05ff808d5a6ac5ef3aab0fa276bee96d0fd5e7e829b129

    • C:\Users\Admin\AppData\Local\QuickQ\resource\win32\winproc\4\quickq_winproc_64.exe

      Filesize

      23KB

      MD5

      07e5da1aebc7f4d96cd8481f227798dd

      SHA1

      101e92945a762869f26d2dfd242b3e957f6afedb

      SHA256

      9db5f4b9ddd00abd44decce002f6a23d5efffe00afddeaf84f5a31611ffc95dd

      SHA512

      a5bc4206b448d4cc68f6d05768af5589e18e7adfa2a89c283778e6268f37d41815686ec0b22f6387b722eef57c13426fef49cbaeb9b53cd8ff28ebe5fca38993

    • C:\Users\Admin\AppData\Local\Temp\nsgAFFD.tmp\InstallOptions.dll

      Filesize

      14KB

      MD5

      8d5a5529462a9ba1ac068ee0502578c7

      SHA1

      875e651e302ce0bfc8893f341cf19171fee25ea5

      SHA256

      e625dcd0188594b1289891b64debddeb5159aca182b83a12675427b320bf7790

      SHA512

      101da2c33f47bd85b8934318e0f0b72f820afc928a2a21e2c7823875e3a0e830f7c67f42b4c2f30596eaa073617790c89700c0d95b7949ec617e52800b61d462

    • C:\Users\Admin\AppData\Local\Temp\nsgAFFD.tmp\LangDLL.dll

      Filesize

      5KB

      MD5

      77ff758c10c66937de6d86c388aa431c

      SHA1

      14bd5628eaf8a12b55cd38f9560c839cb21ce77a

      SHA256

      6a033e367714ec0d13fca0589c165bdbf4d1dac459fa7ec7415815223fa3c008

      SHA512

      319837951be276a179ead69efcd24bd7566061abc7997ea782af50bd4b0d69e5ec1a6e4cdeb2825bafedf87edf03380396b7bcf58682b6a3a824c8dc4b966bda

    • C:\Users\Admin\AppData\Local\Temp\nsgAFFD.tmp\System.dll

      Filesize

      11KB

      MD5

      b0c77267f13b2f87c084fd86ef51ccfc

      SHA1

      f7543f9e9b4f04386dfbf33c38cbed1bf205afb3

      SHA256

      a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77

      SHA512

      f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

    • C:\Users\Admin\AppData\Local\Temp\nsgAFFD.tmp\ioSpecial.ini

      Filesize

      541B

      MD5

      22cefb93627704eec8f235bb4a3071b3

      SHA1

      b0bcd2097bb71aad7918a1c93eca90da52fa92b4

      SHA256

      82a32f6dc608258af92958346f485958b0aa159f4e47f90b6dec601dbbc57af3

      SHA512

      25a82a026b01788fc3a56437ed5067cfa993192117ececaa07ac87c4c44ee77fd3a8c8d4e006cf26e4172e92de516c08b953874b8e7edd627ff308a6d9e098aa

    • C:\Users\Admin\AppData\Local\Temp\nsgAFFD.tmp\ioSpecial.ini

      Filesize

      543B

      MD5

      4c01a9c9d91911be3cf63756d9526ccb

      SHA1

      521c399a4320f15e30c3681bba0c80f927cf4880

      SHA256

      5bee5cd5a9a935d2cc7fcf7dfac4454d097aec5ba7271f1374db9dfccbc0dad5

      SHA512

      1becfb77b7f4ca310ca517fbee2ae504d14dcf803a88d36b1e7264adc068cac1250cc9a504ae6a0fb57c699e1fe3e717dcf0fb8e776141c7924b9bd5c759f194

    • C:\Users\Admin\AppData\Local\Temp\nsgAFFD.tmp\ioSpecial.ini

      Filesize

      679B

      MD5

      d4bceabe69902c87b6772ec5ade4069b

      SHA1

      09008a1a4b5d12bbdac5efdeafef2c6984d8e539

      SHA256

      b914986ae71d6f9c416e8078689d35bb729eb020f41e564a089fd2d0190bde46

      SHA512

      5f5f60625f97c5d7d57fdb5964c8c635b3ae494de4deab6839d43abf2e0133d968bc6c9b10976e5d112a9e77d6c1c2e7401fa4ade6edf45f492a66be126a697b

    • C:\Users\Admin\AppData\Local\Temp\nsgAFFD.tmp\nsExec.dll

      Filesize

      6KB

      MD5

      1f49d8af9be9e915d54b2441c4a79adf

      SHA1

      1ee4f809c693e31f34bc6d8153664a6dc2c3e499

      SHA256

      b22c8f676dec58be8d25fbad1a37835ffc4029f29aaf79f4dc0337ca73a38782

      SHA512

      c60827e322e3168a79795ffd4beb0b0039842128255100d6b005d261402d2ff570f3866f441f3d3c063097c71d44bc5ae80d177fa91ef4e46fc8c2d97de27aa4

    • C:\Users\Admin\AppData\Local\Temp\nsgAFFD.tmp\nsis7z.dll

      Filesize

      436KB

      MD5

      d7778720208a94e2049972fb7a1e0637

      SHA1

      080d607b10f93c839ec3f07faec3548bb78ac4dc

      SHA256

      98f425f30e42e85f57e039356e30d929e878fdb551e67abfb9f71c31eeb5d44e

      SHA512

      98493ea271738ed6ba3a02de774deef267bfa3c16f3736f1a1a3856b9fecc07f0ea8670827e7eb4ed05c907e96425a0c762e7010cb55a09302ca3cfb3fe44b2b

    • memory/4184-104-0x00000000745FE000-0x00000000745FF000-memory.dmp

      Filesize

      4KB

    • memory/4184-100-0x00000000745F0000-0x0000000074DA0000-memory.dmp

      Filesize

      7.7MB

    • memory/4184-218-0x00000000745F0000-0x0000000074DA0000-memory.dmp

      Filesize

      7.7MB

    • memory/4184-264-0x00000000745F0000-0x0000000074DA0000-memory.dmp

      Filesize

      7.7MB

    • memory/4184-109-0x00000000745F0000-0x0000000074DA0000-memory.dmp

      Filesize

      7.7MB

    • memory/4184-105-0x00000000745F0000-0x0000000074DA0000-memory.dmp

      Filesize

      7.7MB

    • memory/4184-108-0x00000000745F0000-0x0000000074DA0000-memory.dmp

      Filesize

      7.7MB

    • memory/4184-102-0x00000000745F0000-0x0000000074DA0000-memory.dmp

      Filesize

      7.7MB

    • memory/4184-101-0x000000000E3E0000-0x000000000E5AE000-memory.dmp

      Filesize

      1.8MB

    • memory/4184-103-0x00000000745F0000-0x0000000074DA0000-memory.dmp

      Filesize

      7.7MB

    • memory/4184-0-0x00000000745FE000-0x00000000745FF000-memory.dmp

      Filesize

      4KB

    • memory/4184-1176-0x00000000745F0000-0x0000000074DA0000-memory.dmp

      Filesize

      7.7MB

    • memory/4184-5-0x000000000C280000-0x000000000C28A000-memory.dmp

      Filesize

      40KB

    • memory/4184-4-0x00000000745F0000-0x0000000074DA0000-memory.dmp

      Filesize

      7.7MB

    • memory/4184-3-0x000000000C290000-0x000000000C322000-memory.dmp

      Filesize

      584KB

    • memory/4184-2-0x000000000C990000-0x000000000CF34000-memory.dmp

      Filesize

      5.6MB

    • memory/4184-1-0x0000000000520000-0x0000000001520000-memory.dmp

      Filesize

      16.0MB