Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

b01dff27ad...d0.exe

windows7-x64

10

b01dff27ad...d0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    10/03/2025, 16:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b01dff27adffe5c43253bb33fb78b40f3bbb9853a510ee978abb821c38ffced0.exe

  • Size

    2.3MB

  • MD5

    6fc6164b3a08669992acad3764fb1922

  • SHA1

    e99c667e338dfeee60e7bd5c2c7848a351c67114

  • SHA256

    b01dff27adffe5c43253bb33fb78b40f3bbb9853a510ee978abb821c38ffced0

  • SHA512

    716bd8bdd358d2251cde981697c8a4f473a6f4294287e75366be7d8e86ee70feeed513a6310a6ce953a3814648f56f9ebb830c08a8420b06604a90df1c28b328

  • SSDEEP

    49152:emWMASox0K6ZlCF4k9oT7J9L3jjS7W55H:emXtox7ag/a7J9L

Score
10/10
agendabootkitdiscoverypersistenceransomwarespywarestealer

Malware Config

Extracted

Family

agenda

Credentials
  • Username:
    sysadmin@ashminlc
  • Password:
    Pa55w0rd123
Attributes
  • company_id

    quQkrKaqTs

  • note

    -- Qilin Your network/system was encrypted. Encrypted files have new extension. -- Compromising and sensitive data We have downloaded compromising and sensitive data from your system/network. Our group cooperates with the mass media. If you refuse to communicate with us and we do not come to an agreement, your data will be reviewed and published on our blog and on the media page (https://31.41.244.100) Blog links: http://kbsqoivihgdmwczmxkbovk7ss2dcynitwhhfu5yw725dboqo5kthfaad.onion http://ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion Data includes: - Employees personal data, CVs, DL , SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... -- Warning 1) If you modify files - our decrypt software won't able to recover data 2) If you use third party software - you can damage/modify files (see item 1) 3) You need cipher key / our decrypt software to restore you files. 4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -- Recovery 1) Download tor browser: https://www.torproject.org/download/ 2) Go to domain 3) Enter credentials Please note that communication with us is only possible via the website in the Tor browser, which is specified in this note. All other means of communication are not real and may be created by third parties, if such were not provided in this note or on the website specified in this note. -- Credentials Extension: quQkrKaqTs Domain: aqfe4f3zqb5luwgkbnxycfxdeqjgnuhsjfiqf6wxnohamich7a6nqnyd.onion login: B5zd2EBjH7iqZratqg2V4pzWeYcBSsGw password:

rsa_privkey.plain

Signatures

Processes

  • C:\Users\Admin\AppData\Local\Temp\b01dff27adffe5c43253bb33fb78b40f3bbb9853a510ee978abb821c38ffced0.exe
    "C:\Users\Admin\AppData\Local\Temp\b01dff27adffe5c43253bb33fb78b40f3bbb9853a510ee978abb821c38ffced0.exe"
    1⤵
    • Enumerates connected drives
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    PID:3068

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\QLOG\ThreadId(1).LOG
    Filesize

    8KB

    MD5

    3762f6d4e922f5b872eac782a06bed25

    SHA1

    e1f0ac967eb0566529d1d1ebcdb9d989c1ad5e8a

    SHA256

    98a84df0f409176cea09ca1822a25efcd0a87e98fb78239cfd16ca8e625c007a

    SHA512

    f5db4d06eea4318e459d80fce965a3d3617a01fa9c964d47dd02e34f0bca35e758b7e348a9c06e67adba1949a049ebfa5c55a8541bb9fa83b2de5a3b5f0073b4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\QLOG\ThreadId(13).LOG
    Filesize

    4KB

    MD5

    9c06ff98c95ed74f3687b970c4f20425

    SHA1

    9f8a13411479a75efea7977f6704675def62b370

    SHA256

    0f8428d6e465aea435d71e5744d7351a878a658dd7ff4ea06210fad538ae360b

    SHA512

    87dcea77d29d49350f7e8d7b1cb4554d6d0f7e74673cdba7b66379bff6d7c96bcfea2ad3bf060577063b15277bf6dd7e119fb0f1542363f5fd661fbd25af2aa2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\QLOG\ThreadId(15).LOG
    Filesize

    4KB

    MD5

    67f8a0638d3a8ef2dafea2865d58b9f1

    SHA1

    d9a44efb6bd55bac5b53332f248266f0dd07a068

    SHA256

    48f4535fd6f2197f19358308a8f5fc4a7041608543d00c0dc5b3f628ff1aaa4c

    SHA512

    28cf152cc351409b7040ad4f37bb4354b8a96001514720f22cc8d3487494c3c3eb3acd52bcd69f65c45daad8f07603623a3a668425426f935ad919c4fe2c501e

    Download Submit

  • memory/3068-14502-0x0000000001150000-0x000000000139B000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/3068-38466-0x0000000001150000-0x000000000139B000-memory.dmp

    Filesize

    2.3MB

    Download