Resubmissions
- 24/02/2025, 18:33  250224-w68zdaxpv9  score 10
- 29/10/2024, 18:04  241029-wn4a6sxfjg  score 10
- 02/08/2024, 05:04  240802-fqpmssxdpl  score 9
Analysis
- max time kernel: 106s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20250217-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/02/2025, 18:33
Static task: static1
Behavioral task: behavioral1
  Sample: QHAccount.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: QHAccount.exe
  Resource: win10v2004-20250217-en
General
- Target: QHAccount.exe
- Size: 2.1MB
- MD5: 57ebf50902949e13220b379c136db8a7
- SHA1: 75d55564986c8fb2d24c2f467e9c0cd2196a2055
- SHA256: 2adcf43d221de2f72ba5088dac3a3193219412882df711d095f04e3f5b40767c
- SHA512: 77d90317289a247c1bda59e378b9073cf2c1a8d30763bd68c33b8a256f1dc2edb1f380dafd1572a2f762a4400f15d52c9375d4314c07faa3f78ee7011508de33
- SSDEEP: 49152:6VkETZV9OLiWLunGxHqsEbtNPDLzA7YzminZ:VETAi4EgHqsEpFL
Malware Config
Signatures
- BlackSuit
  A ransomware first detected in May 2023 linked to the Conti group.
- Blacksuit_windows family
- Detects the Windows variant of BlackSuit Ransomware (18 IoCs)
  resource | yara_rule
  behavioral2/memory/396-1-0x00000000023B0000-0x0000000002409000-memory.dmp | family_blacksuit_windows
  behavioral2/memory/396-2-0x00000000023B0000-0x0000000002409000-memory.dmp | family_blacksuit_windows
  behavioral2/memory/2872-9-0x00000000022A0000-0x00000000022F9000-memory.dmp | family_blacksuit_windows
  behavioral2/memory/2872-15-0x00000000022A0000-0x00000000022F9000-memory.dmp | family_blacksuit_windows
  behavioral2/memory/2872-16-0x00000000022A0000-0x00000000022F9000-memory.dmp | family_blacksuit_windows
  behavioral2/memory/2872-19-0x00000000022A0000-0x00000000022F9000-memory.dmp | family_blacksuit_windows
  behavioral2/memory/2872-14-0x00000000022A0000-0x00000000022F9000-memory.dmp | family_blacksuit_windows
  behavioral2/memory/2872-13-0x00000000022A0000-0x00000000022F9000-memory.dmp | family_blacksuit_windows
  behavioral2/memory/2872-12-0x00000000022A0000-0x00000000022F9000-memory.dmp | family_blacksuit_windows
  behavioral2/memory/2872-11-0x00000000022A0000-0x00000000022F9000-memory.dmp | family_blacksuit_windows
  behavioral2/memory/2872-10-0x00000000022A0000-0x00000000022F9000-memory.dmp | family_blacksuit_windows
  behavioral2/memory/2872-8-0x00000000022A0000-0x00000000022F9000-memory.dmp | family_blacksuit_windows
  behavioral2/memory/2872-7-0x00000000022A0000-0x00000000022F9000-memory.dmp | family_blacksuit_windows
  behavioral2/memory/2872-6-0x00000000022A0000-0x00000000022F9000-memory.dmp | family_blacksuit_windows
  behavioral2/memory/2872-5-0x00000000022A0000-0x00000000022F9000-memory.dmp | family_blacksuit_windows
  behavioral2/memory/2872-202-0x00000000022A0000-0x00000000022F9000-memory.dmp | family_blacksuit_windows
  behavioral2/memory/2872-30309-0x00000000022A0000-0x00000000022F9000-memory.dmp | family_blacksuit_windows
  behavioral2/memory/2872-33038-0x00000000022A0000-0x00000000022F9000-memory.dmp | family_blacksuit_windows
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Renames multiple (2065) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Drops file in Program Files directory (64 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\hwrcommonlm.dat | QHAccount.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ppd.xrm-ms | QHAccount.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-pl.xrm-ms | QHAccount.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageLargeTile.scale-400.png | QHAccount.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Date.targetsize-32_contrast-black.png | QHAccount.exe
  File created | C:\Program Files\Common Files\System\Ole DB\fr-FR\readme.blacksuit.txt | QHAccount.exe
  File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui | QHAccount.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageMedTile.scale-100.png | QHAccount.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\x86\msvp9dec_store.dll | QHAccount.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-256_altform-unplated_contrast-white.png | QHAccount.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\react.uwp.dll | QHAccount.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Grace-ul-oob.xrm-ms | QHAccount.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\2876_20x20x32.png | QHAccount.exe
  File created | C:\Program Files (x86)\Windows Media Player\en-US\readme.blacksuit.txt | QHAccount.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_scale-200.png | QHAccount.exe
  File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Loader.dll | QHAccount.exe
  File opened for modification | C:\Program Files\Windows Defender\uk-UA\shellext.dll.mui | QHAccount.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\meBoot.min.js | QHAccount.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderLargeTile.contrast-white_scale-100.png | QHAccount.exe
  File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Encoding.dll | QHAccount.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Diagnostics.Tools.dll | QHAccount.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-phn.xrm-ms | QHAccount.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Grace-ppd.xrm-ms | QHAccount.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-16_altform-unplated.png | QHAccount.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailMediumTile.scale-150.png | QHAccount.exe
  File created | C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\readme.blacksuit.txt | QHAccount.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyCalendarSearch.scale-100.png | QHAccount.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_iw.dll | QHAccount.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\nb.txt | QHAccount.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSO.FRAMEPROTOCOLWIN32.DLL | QHAccount.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Light.scale-150.png | QHAccount.exe
  File opened for modification | C:\Program Files\Common Files\System\Ole DB\msxactps.dll | QHAccount.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml | QHAccount.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\psmachine.dll | QHAccount.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-pl.xrm-ms | QHAccount.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionLargeTile.scale-125.png | QHAccount.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat | QHAccount.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailWideTile.scale-125.png | QHAccount.exe
  File created | C:\Program Files\Common Files\System\ado\ja-JP\readme.blacksuit.txt | QHAccount.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\AppxSignature.p7x | QHAccount.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vreg\powerpointmui.msi.16.en-us.vreg.dat | QHAccount.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\mso30imm.dll | QHAccount.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-util-l1-1-0.dll | QHAccount.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-pl.xrm-ms | QHAccount.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ul-phn.xrm-ms | QHAccount.exe
  File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x | QHAccount.exe
  File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml | QHAccount.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookLargeTile.scale-100.png | QHAccount.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\SwipeTeachingCalloutArchiveImage.layoutdir-RTL.gif | QHAccount.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Client\AppvIsvSubsystems64.dll | QHAccount.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\mip_clienttelemetry.dll | QHAccount.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\msproof7.dll | QHAccount.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-80_altform-unplated.png | QHAccount.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x | QHAccount.exe
  File created | C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_~_8wekyb3d8bbwe\readme.blacksuit.txt | QHAccount.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-pl.xrm-ms | QHAccount.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-80.png | QHAccount.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\psmachine_64.dll | QHAccount.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ppd.xrm-ms | QHAccount.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\IEAWSDC.DLL | QHAccount.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-16_altform-unplated_contrast-white.png | QHAccount.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.scale-200.png | QHAccount.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-24.png | QHAccount.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\msedgeupdateres_lo.dll | QHAccount.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | QHAccount.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | QHAccount.exe
- Opens file in notepad (likely ransom note) (1 IoCs)
  pid | Process
  404 | NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2872 | QHAccount.exe (the same row is reported 64 times)
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 3128 wrote to memory of 2872 | 3128 | cmd.exe | 106 (reported 3 times)
  PID 2872 wrote to memory of 3752 | 2872 | QHAccount.exe | 107 (reported 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\QHAccount.exe (PID 396)
  command line: "C:\Users\Admin\AppData\Local\Temp\QHAccount.exe"
  signatures: System Location Discovery: System Language Discovery
- C:\Windows\System32\rundll32.exe (PID 884)
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\System32\cmd.exe (PID 3128)
  command line: "C:\Windows\System32\cmd.exe"
  signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\QHAccount.exe (PID 2872, child of 3128)
    command line: QHAccount.exe -id 00000000000000000000000000000000
    signatures: Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 3752, child of 2872)
      command line: cmd.exe /c vssadmin delete shadows /all /quiet
      signatures: System Location Discovery: System Language Discovery
- C:\Windows\system32\NOTEPAD.EXE (PID 404)
  command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\readme.blacksuit.txt
  signatures: Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\Locales\bs.pak.DATA
  Filesize: 1.0MB
  MD5: 4729adbd47439033d9bc84523f1f931b
  SHA1: c737a8e7e8f25e886ee497131c92ff1a7fd6b3f4
  SHA256: d3f71ea09e948cd040825461b2b5df6f70ccc08a94ca0c04abba1434edb43cdb
  SHA512: 0b65c4339d82dfcd24b84518ffd86b537c460e24aacf059038ce60a5638c6cf43262b3f1af6e5a815440a35910b59e9563e407ebe43c2f4f1db8314ac6296a17
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\icudtl.dat.DATA
  Filesize: 11.4MB
  MD5: bd662501280fa1af8a4ac6060a40053d
  SHA1: c24b360e5587d5830d771c9fbe82acbd0b9e6f78
  SHA256: 5190db24885b53a1ffcf35f87d1516c98d1f05733e4572b364c762b9ceb18b61
  SHA512: 235fb5eba824b3b2f39bacaea49d0ca987cd3f8a3a42f2a61759044431e5e2a3cbb535ddedf0647e3246329083a2ffcc0d0e24aa47c1d826a9078510a8194618
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\d3dcompiler_47.dll.blacksuit
  Filesize: 4.7MB
  MD5: 4e1c18b7497259b6e14ebeaf85cd2b6d
  SHA1: d442d82bcfca352fb1f616ba21bfde8c4c65837a
  SHA256: aed35e8ae6666ab90d01f693b1bbd220c796674810d6e07e29d2a8f687f2a0dc
  SHA512: 4dd19dc82985f60d144cf2144b6eb0918f42b9e52410b2555d8b7f0c17d67aeabe6c40c3aea354f6a2e582e7593b51eb594b65a91b7ed76defa7cbdd9e52843d
- (no path given)
  Filesize: 6.7MB
  MD5: c05233f66d9174d28067d739300454f7
  SHA1: fbe6bc2e0e4adb450e01c97c1c0db4a188a84bcc
  SHA256: 8b369a7b7f7be8ae1a15d10939c6368f5e8a4165d45be78eaaf40f5716c5ff25
  SHA512: fd626fcba098cd379c8502bb00a4af97ee6611509ee892176bcd5da2d8792814d680cb123eda95b1502a4617e123a6a5aa9002803d24f58f7db5b3530b20c6b7
- (no path given)
  Filesize: 5.4MB
  MD5: 0d22c87367f6c659ed367b82e07177bc
  SHA1: 7467868e25ee6d7c566793639eeb535bdcfa6fef
  SHA256: 2803ffed8c4b5d29fe37ef85bdb8d2e28a303dfef9f6b88051976e541abac6c0
  SHA512: a4c2aa6782aa84fdd9167a5fc5cb95a24e9a5b75b2f45758f8745c04a44446a5ad46af5fff4ad452dfde2330c3fd591346a4e11d8e52c9353125069cc07b7411
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\vk_swiftshader.dll.blacksuit
  Filesize: 4.6MB
  MD5: 3d0ff4e30d05afd4da56390170cd1ae9
  SHA1: 273240e9ae9523f9158ccbdc577b5a0bb9293dc7
  SHA256: 79535ce16173b510da01bd70cf2fade61ac547bf40c23ac260c07e21cbdebc58
  SHA512: df7680d7c60337c7491527e368ef925f70534da6152de7a8e46ab12265e6d5b2e0219ba3e30a91cf7315ca0cf9ba2967902d38574a7a161d73c240bce20c29a9
- (no path given)
  Filesize: 1KB
  MD5: b998d433168b18428f7f7713d1851f23
  SHA1: 0a5023d699ed0d9b1c2b1d4d5138747d0eb8955a
  SHA256: 06453319ed3bd3fa04da6b9d1c2ada5eb445e1e0a878c0eb3af54f751dace513
  SHA512: c1b2d9282cf887c5c41b9365aec04284c420442cd33d4eeded89a3a74501fe1bfe5058bcc26af952fe3e5c04b896db70352e3b6324d2d5329225138af9f0e11a