Resubmissions

24/02/2025, 18:33

250224-w68zdaxpv9 10

29/10/2024, 18:04

241029-wn4a6sxfjg 10

02/08/2024, 05:04

240802-fqpmssxdpl 9

Analysis

  • max time kernel
    106s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/02/2025, 18:33

General

  • Target

    QHAccount.exe

  • Size

    2.1MB

  • MD5

    57ebf50902949e13220b379c136db8a7

  • SHA1

    75d55564986c8fb2d24c2f467e9c0cd2196a2055

  • SHA256

    2adcf43d221de2f72ba5088dac3a3193219412882df711d095f04e3f5b40767c

  • SHA512

    77d90317289a247c1bda59e378b9073cf2c1a8d30763bd68c33b8a256f1dc2edb1f380dafd1572a2f762a4400f15d52c9375d4314c07faa3f78ee7011508de33

  • SSDEEP

    49152:6VkETZV9OLiWLunGxHqsEbtNPDLzA7YzminZ:VETAi4EgHqsEpFL

Malware Config

Signatures

  • BlackSuit

    A ransomware first detected in May 2023 linked to the Conti group.

  • Blacksuit_windows family
  • Detects the Windows variant of BlackSuit Ransomware 18 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Renames multiple (2065) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\QHAccount.exe
    "C:\Users\Admin\AppData\Local\Temp\QHAccount.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:396
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:884
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3128
      • C:\Users\Admin\AppData\Local\Temp\QHAccount.exe
        QHAccount.exe -id 00000000000000000000000000000000
        2⤵
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2872
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c vssadmin delete shadows /all /quiet
          3⤵
          • System Location Discovery: System Language Discovery
          PID:3752
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\readme.blacksuit.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:404

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\Locales\bs.pak.DATA

      Filesize

      1.0MB

      MD5

      4729adbd47439033d9bc84523f1f931b

      SHA1

      c737a8e7e8f25e886ee497131c92ff1a7fd6b3f4

      SHA256

      d3f71ea09e948cd040825461b2b5df6f70ccc08a94ca0c04abba1434edb43cdb

      SHA512

      0b65c4339d82dfcd24b84518ffd86b537c460e24aacf059038ce60a5638c6cf43262b3f1af6e5a815440a35910b59e9563e407ebe43c2f4f1db8314ac6296a17

    • C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\icudtl.dat.DATA

      Filesize

      11.4MB

      MD5

      bd662501280fa1af8a4ac6060a40053d

      SHA1

      c24b360e5587d5830d771c9fbe82acbd0b9e6f78

      SHA256

      5190db24885b53a1ffcf35f87d1516c98d1f05733e4572b364c762b9ceb18b61

      SHA512

      235fb5eba824b3b2f39bacaea49d0ca987cd3f8a3a42f2a61759044431e5e2a3cbb535ddedf0647e3246329083a2ffcc0d0e24aa47c1d826a9078510a8194618

    • C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\d3dcompiler_47.dll.blacksuit

      Filesize

      4.7MB

      MD5

      4e1c18b7497259b6e14ebeaf85cd2b6d

      SHA1

      d442d82bcfca352fb1f616ba21bfde8c4c65837a

      SHA256

      aed35e8ae6666ab90d01f693b1bbd220c796674810d6e07e29d2a8f687f2a0dc

      SHA512

      4dd19dc82985f60d144cf2144b6eb0918f42b9e52410b2555d8b7f0c17d67aeabe6c40c3aea354f6a2e582e7593b51eb594b65a91b7ed76defa7cbdd9e52843d

    • C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\libGLESv2.dll.blacksuit

      Filesize

      6.7MB

      MD5

      c05233f66d9174d28067d739300454f7

      SHA1

      fbe6bc2e0e4adb450e01c97c1c0db4a188a84bcc

      SHA256

      8b369a7b7f7be8ae1a15d10939c6368f5e8a4165d45be78eaaf40f5716c5ff25

      SHA512

      fd626fcba098cd379c8502bb00a4af97ee6611509ee892176bcd5da2d8792814d680cb123eda95b1502a4617e123a6a5aa9002803d24f58f7db5b3530b20c6b7

    • C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\oneauth.dll.blacksuit

      Filesize

      5.4MB

      MD5

      0d22c87367f6c659ed367b82e07177bc

      SHA1

      7467868e25ee6d7c566793639eeb535bdcfa6fef

      SHA256

      2803ffed8c4b5d29fe37ef85bdb8d2e28a303dfef9f6b88051976e541abac6c0

      SHA512

      a4c2aa6782aa84fdd9167a5fc5cb95a24e9a5b75b2f45758f8745c04a44446a5ad46af5fff4ad452dfde2330c3fd591346a4e11d8e52c9353125069cc07b7411

    • C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\vk_swiftshader.dll.blacksuit

      Filesize

      4.6MB

      MD5

      3d0ff4e30d05afd4da56390170cd1ae9

      SHA1

      273240e9ae9523f9158ccbdc577b5a0bb9293dc7

      SHA256

      79535ce16173b510da01bd70cf2fade61ac547bf40c23ac260c07e21cbdebc58

      SHA512

      df7680d7c60337c7491527e368ef925f70534da6152de7a8e46ab12265e6d5b2e0219ba3e30a91cf7315ca0cf9ba2967902d38574a7a161d73c240bce20c29a9

    • C:\ProgramData\readme.blacksuit.txt

      Filesize

      1KB

      MD5

      b998d433168b18428f7f7713d1851f23

      SHA1

      0a5023d699ed0d9b1c2b1d4d5138747d0eb8955a

      SHA256

      06453319ed3bd3fa04da6b9d1c2ada5eb445e1e0a878c0eb3af54f751dace513

      SHA512

      c1b2d9282cf887c5c41b9365aec04284c420442cd33d4eeded89a3a74501fe1bfe5058bcc26af952fe3e5c04b896db70352e3b6324d2d5329225138af9f0e11a

    • memory/396-1-0x00000000023B0000-0x0000000002409000-memory.dmp

      Filesize

      356KB

    • memory/396-2-0x00000000023B0000-0x0000000002409000-memory.dmp

      Filesize

      356KB

    • memory/396-4-0x0000000000400000-0x0000000000622000-memory.dmp

      Filesize

      2.1MB

    • memory/396-0-0x0000000000400000-0x0000000000622000-memory.dmp

      Filesize

      2.1MB

    • memory/2872-19-0x00000000022A0000-0x00000000022F9000-memory.dmp

      Filesize

      356KB

    • memory/2872-30309-0x00000000022A0000-0x00000000022F9000-memory.dmp

      Filesize

      356KB

    • memory/2872-10-0x00000000022A0000-0x00000000022F9000-memory.dmp

      Filesize

      356KB

    • memory/2872-8-0x00000000022A0000-0x00000000022F9000-memory.dmp

      Filesize

      356KB

    • memory/2872-7-0x00000000022A0000-0x00000000022F9000-memory.dmp

      Filesize

      356KB

    • memory/2872-6-0x00000000022A0000-0x00000000022F9000-memory.dmp

      Filesize

      356KB

    • memory/2872-5-0x00000000022A0000-0x00000000022F9000-memory.dmp

      Filesize

      356KB

    • memory/2872-202-0x00000000022A0000-0x00000000022F9000-memory.dmp

      Filesize

      356KB

    • memory/2872-12-0x00000000022A0000-0x00000000022F9000-memory.dmp

      Filesize

      356KB

    • memory/2872-11-0x00000000022A0000-0x00000000022F9000-memory.dmp

      Filesize

      356KB

    • memory/2872-13-0x00000000022A0000-0x00000000022F9000-memory.dmp

      Filesize

      356KB

    • memory/2872-14-0x00000000022A0000-0x00000000022F9000-memory.dmp

      Filesize

      356KB

    • memory/2872-16-0x00000000022A0000-0x00000000022F9000-memory.dmp

      Filesize

      356KB

    • memory/2872-15-0x00000000022A0000-0x00000000022F9000-memory.dmp

      Filesize

      356KB

    • memory/2872-9-0x00000000022A0000-0x00000000022F9000-memory.dmp

      Filesize

      356KB

    • memory/2872-33038-0x00000000022A0000-0x00000000022F9000-memory.dmp

      Filesize

      356KB

    • memory/2872-33047-0x0000000000400000-0x0000000000622000-memory.dmp

      Filesize

      2.1MB