Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

b01dff27ad...d0.exe

windows7-x64

10

b01dff27ad...d0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/03/2025, 04:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b01dff27adffe5c43253bb33fb78b40f3bbb9853a510ee978abb821c38ffced0.exe

  • Size

    2.3MB

  • MD5

    6fc6164b3a08669992acad3764fb1922

  • SHA1

    e99c667e338dfeee60e7bd5c2c7848a351c67114

  • SHA256

    b01dff27adffe5c43253bb33fb78b40f3bbb9853a510ee978abb821c38ffced0

  • SHA512

    716bd8bdd358d2251cde981697c8a4f473a6f4294287e75366be7d8e86ee70feeed513a6310a6ce953a3814648f56f9ebb830c08a8420b06604a90df1c28b328

  • SSDEEP

    49152:emWMASox0K6ZlCF4k9oT7J9L3jjS7W55H:emXtox7ag/a7J9L

Score
10/10
agendabootkitdiscoverypersistenceransomwarespywarestealer

Malware Config

Extracted

Family

agenda

Credentials
  • Username:
    sysadmin@ashminlc
  • Password:
    Pa55w0rd123
Attributes
  • company_id

    quQkrKaqTs

  • note

    -- Qilin Your network/system was encrypted. Encrypted files have new extension. -- Compromising and sensitive data We have downloaded compromising and sensitive data from your system/network. Our group cooperates with the mass media. If you refuse to communicate with us and we do not come to an agreement, your data will be reviewed and published on our blog and on the media page (https://31.41.244.100) Blog links: http://kbsqoivihgdmwczmxkbovk7ss2dcynitwhhfu5yw725dboqo5kthfaad.onion http://ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion Data includes: - Employees personal data, CVs, DL , SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... -- Warning 1) If you modify files - our decrypt software won't able to recover data 2) If you use third party software - you can damage/modify files (see item 1) 3) You need cipher key / our decrypt software to restore you files. 4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -- Recovery 1) Download tor browser: https://www.torproject.org/download/ 2) Go to domain 3) Enter credentials Please note that communication with us is only possible via the website in the Tor browser, which is specified in this note. All other means of communication are not real and may be created by third parties, if such were not provided in this note or on the website specified in this note. -- Credentials Extension: quQkrKaqTs Domain: aqfe4f3zqb5luwgkbnxycfxdeqjgnuhsjfiqf6wxnohamich7a6nqnyd.onion login: B5zd2EBjH7iqZratqg2V4pzWeYcBSsGw password:

rsa_privkey.plain

Signatures

Processes

  • C:\Users\Admin\AppData\Local\Temp\b01dff27adffe5c43253bb33fb78b40f3bbb9853a510ee978abb821c38ffced0.exe
    "C:\Users\Admin\AppData\Local\Temp\b01dff27adffe5c43253bb33fb78b40f3bbb9853a510ee978abb821c38ffced0.exe"
    1⤵
    • Enumerates connected drives
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    PID:2512

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\QLOG\ThreadId(1).LOG
    Filesize

    8KB

    MD5

    2d923b177d137bb69accf2db03ba4b3d

    SHA1

    d613b6d6946d015e18dac2c80032497996e85e09

    SHA256

    e24b2d1ec801eb1eba0f86b7e9382e5f3044f0d019d34f0b8f4afc0f8e95e229

    SHA512

    4cf98b52119b82de8c0145f81622660bbf82a82bd4da3a9c5f6e7fb8f116a20f157376196110c25c503d7bf5b83f093f3c45b84838eec64fd079962fe5816ce7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\QLOG\ThreadId(11).LOG
    Filesize

    4KB

    MD5

    be57e0814cd2aa62f72a5f443c4a57b7

    SHA1

    67e17f8c1476893d044a80b746e60bb1da3d6d62

    SHA256

    a9b56bb183cc01e1e1ae5195f5f22b0a4d0665510550c6870f52f90d4c209362

    SHA512

    49887cc744c68b78bafc263de3578018621b97297a5622c86faeb4b4be1c8c37ce256ebfe651cda8f55e1790222cfb448fd9c32ecef71b947f1d16c242b2bc03

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\QLOG\ThreadId(15).LOG
    Filesize

    4KB

    MD5

    9b17b1119c47cecc0987f441db4c0cf2

    SHA1

    41d16e489597709cb17de132753efef65f6c9c40

    SHA256

    32009c0a566f9aa00420762ba0dd8fb300b391a5069692b7ebab7dde785da8e7

    SHA512

    a970fc16d6f5e01a224c19d8b28d02537981a3e1491d4746656710fb9675b855115ad92618a9feedeb1c57354d82f960ff5996661a35accd2dea30196cefa6fb

    Download Submit

  • memory/2512-7255-0x0000000000EB0000-0x00000000010FB000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2512-31357-0x0000000000EB0000-0x00000000010FB000-memory.dmp

    Filesize

    2.3MB

    Download