Analysis

  • max time kernel
    137s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/01/2025, 20:40 UTC

General

  • Target

    quagmire_encryptor2.exe

  • Size

    253KB

  • MD5

    78572ddc6c215e15151bba7189c2e1eb

  • SHA1

    a4ebd9a66acd131d187eb6d0c6828e37cd58b243

  • SHA256

    840f208eb507bc48e3c9ba26465a35bdec139718e5f09b243bf0be898a9dd2a0

  • SHA512

    aee7e00dcf9d2e5a9b678728ddacd52cc18df59b4614ed16fce05ccfb36d080bb998496e7f7d9e6f357ff655708165ef63ad8dbf93ef852ad1ee1251faaec36d

  • SSDEEP

    3072:nAQOKOuSqqY4K/Iv47VI9JVagusCyMP0ZJm1sa+iOzM40HW8TCUwfgpdBQ:qvqFV7qJVtBptzM4snTyodBQ

Malware Config

Signatures

  • Shurk

    Shurk is an infostealer, written in C++ which appeared in 2021.

  • Shurk family
  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\quagmire_encryptor2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\quagmire_encryptor2.exe"
    PID: 3992
    • Sets desktop wallpaper using registry

Network

  • DNS (US): i.etsystatic.com
    Process: quagmire_encryptor2.exe
    Remote address: 8.8.8.8:53
    Request:
      i.etsystatic.com IN A
    Response:
      i.etsystatic.com IN CNAME zone1.i.etsystatic.com
      zone1.i.etsystatic.com IN CNAME etsy.map.fastly.net
      etsy.map.fastly.net IN A 151.101.1.224
      etsy.map.fastly.net IN A 151.101.65.224
      etsy.map.fastly.net IN A 151.101.193.224
      etsy.map.fastly.net IN A 151.101.129.224
  • GET (US): https://i.etsystatic.com/32609342/r/il/0f5f2f/4026988973/il_794xN.4026988973_n3xo.jpg
    Process: quagmire_encryptor2.exe
    Remote address: 151.101.1.224:443
    Request:
      GET /32609342/r/il/0f5f2f/4026988973/il_794xN.4026988973_n3xo.jpg HTTP/1.1
      Accept: */*
      UA-CPU: AMD64
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
      Host: i.etsystatic.com
      Connection: Keep-Alive
    Response:
      HTTP/1.1 200 OK
      Connection: keep-alive
      Content-Length: 99060
      Cache-Control: public, max-age=365000000, immutable
      Content-Type: image/jpeg
      Etag: "w2xjfRCB2JW13AarNUM94atiio4+0/sCJPG7M63OPko"
      Expires: Tue, 20 Jan 2026 02:55:35 GMT
      Fastly-Io-Info: ifsz=700375 idim=2000x2000 ifmt=jpeg ofsz=99060 odim=794x794 ofmt=jpeg
      Fastly-Io-Served-By: vpop-kiad7010231
      Fastly-Stats: io=1
      Server: UploadServer
      X-Goog-Generation: 1656606639085937
      X-Goog-Hash: crc32c=V29G4g==
      X-Goog-Hash: md5=xGfW6tPnv5RF4leVjZsvLA==
      X-Goog-Metageneration: 2
      X-Goog-Storage-Class: STANDARD
      X-Goog-Stored-Content-Encoding: identity
      X-Goog-Stored-Content-Length: 700375
      X-Guploader-Uploadid: AFIdbgSV1WaMZyB3CghM6c3mu4AiYB6Y8P9pKwMVb8_QqiMqrj0c5CkN2aODa9zDJnmNg-U6X_5fRuw
      Via: 1.1 varnish, 1.1 varnish
      Accept-Ranges: bytes
      Age: 582324
      Date: Sun, 26 Jan 2025 20:40:59 GMT
      X-Served-By: cache-chi-kigq8000103-CHI, cache-lon420100-LON
      X-Cache: HIT, HIT
      X-Cache-Hits: 3, 0
      X-Timer: S1737924059.482843,VS0,VE1
      Vary: Accept
      Server-Timing: clientrtt; dur=27.210, clienttt; dur=1.097, origin; dur=1.080, cdntime; dur=0.017
      Server-Timing: cdn; desc=Fastly
      Server-Timing: cache_status;desc=HIT-CLUSTER
      Timing-Allow-Origin: *
      Strict-Transport-Security: max-age=300
  • DNS (US): 224.1.101.151.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:
      224.1.101.151.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US): 149.220.183.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:
      149.220.183.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US): 226.21.18.104.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:
      226.21.18.104.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US): 0.159.190.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:
      0.159.190.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US): 7.98.51.23.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:
      7.98.51.23.in-addr.arpa IN PTR
    Response:
      7.98.51.23.in-addr.arpa IN PTR a23-51-98-7.deploy.static.akamaitechnologies.com
  • DNS (US): 228.249.119.40.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:
      228.249.119.40.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US): 180.129.81.91.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:
      180.129.81.91.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US): 180.129.81.91.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:
      180.129.81.91.in-addr.arpa IN PTR
  • DNS (US): 104.219.191.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:
      104.219.191.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US): 212.20.149.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:
      212.20.149.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US): 171.39.242.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:
      171.39.242.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US): 22.49.80.91.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:
      22.49.80.91.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US): 13.153.16.2.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:
      13.153.16.2.in-addr.arpa IN PTR
    Response:
      13.153.16.2.in-addr.arpa IN PTR a2-16-153-13.deploy.static.akamaitechnologies.com
  • DNS (US): 13.227.111.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:
      13.227.111.52.in-addr.arpa IN PTR
    Response: (empty)
  • 151.101.1.224:443
    https://i.etsystatic.com/32609342/r/il/0f5f2f/4026988973/il_794xN.4026988973_n3xo.jpg
    tls, http
    quagmire_encryptor2.exe
    4.7kB
    109.6kB
    88
    87

    HTTP Request

    GET https://i.etsystatic.com/32609342/r/il/0f5f2f/4026988973/il_794xN.4026988973_n3xo.jpg

    HTTP Response

    200
  • 8.8.8.8:53
    i.etsystatic.com
    dns
    quagmire_encryptor2.exe
    62 B
    179 B
    1
    1

    DNS Request

    i.etsystatic.com

    DNS Response

    151.101.1.224
    151.101.65.224
    151.101.193.224
    151.101.129.224

  • 8.8.8.8:53
    224.1.101.151.in-addr.arpa
    dns
    72 B
    132 B
    1
    1

    DNS Request

    224.1.101.151.in-addr.arpa

  • 8.8.8.8:53
    149.220.183.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    149.220.183.52.in-addr.arpa

  • 8.8.8.8:53
    226.21.18.104.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    226.21.18.104.in-addr.arpa

  • 8.8.8.8:53
    0.159.190.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    0.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    7.98.51.23.in-addr.arpa
    dns
    69 B
    131 B
    1
    1

    DNS Request

    7.98.51.23.in-addr.arpa

  • 8.8.8.8:53
    228.249.119.40.in-addr.arpa
    dns
    73 B
    159 B
    1
    1

    DNS Request

    228.249.119.40.in-addr.arpa

  • 8.8.8.8:53
    180.129.81.91.in-addr.arpa
    dns
    144 B
    147 B
    2
    1

    DNS Request

    180.129.81.91.in-addr.arpa

    DNS Request

    180.129.81.91.in-addr.arpa

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    212.20.149.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    212.20.149.52.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    22.49.80.91.in-addr.arpa
    dns
    70 B
    145 B
    1
    1

    DNS Request

    22.49.80.91.in-addr.arpa

  • 8.8.8.8:53
    13.153.16.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    13.153.16.2.in-addr.arpa

  • 8.8.8.8:53
    13.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    13.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • memory/3992-7-0x00007FF6D4B70000-0x00007FF6D4BB1000-memory.dmp

    Filesize

    260KB
