Resubmissions

24/02/2025, 18:33

250224-w68zdaxpv9 10

29/10/2024, 18:04

241029-wn4a6sxfjg 10

02/08/2024, 05:04

240802-fqpmssxdpl 9

Analysis

  • max time kernel
    15s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/02/2025, 18:33

General

  • Target

    QHAccount.exe

  • Size

    2.1MB

  • MD5

    57ebf50902949e13220b379c136db8a7

  • SHA1

    75d55564986c8fb2d24c2f467e9c0cd2196a2055

  • SHA256

    2adcf43d221de2f72ba5088dac3a3193219412882df711d095f04e3f5b40767c

  • SHA512

    77d90317289a247c1bda59e378b9073cf2c1a8d30763bd68c33b8a256f1dc2edb1f380dafd1572a2f762a4400f15d52c9375d4314c07faa3f78ee7011508de33

  • SSDEEP

    49152:6VkETZV9OLiWLunGxHqsEbtNPDLzA7YzminZ:VETAi4EgHqsEpFL

Malware Config

Signatures

  • BlackSuit

    A ransomware first detected in May 2023 linked to the Conti group.

  • Blacksuit_windows family
  • Detects the Windows variant of BlackSuit Ransomware 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\QHAccount.exe
    "C:\Users\Admin\AppData\Local\Temp\QHAccount.exe"
    • System Location Discovery: System Language Discovery
    PID:2296

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2296-0-0x0000000000400000-0x0000000000622000-memory.dmp

    Filesize

    2.1MB

  • memory/2296-2-0x0000000000320000-0x0000000000379000-memory.dmp

    Filesize

    356KB

  • memory/2296-1-0x0000000000320000-0x0000000000379000-memory.dmp

    Filesize

    356KB

  • memory/2296-4-0x0000000000400000-0x0000000000622000-memory.dmp

    Filesize

    2.1MB