| File name: | TEQ.exe |
| Full analysis: | https://app.any.run/tasks/ef611742-f60f-43a5-9bd1-5f123e413f33 |
| Verdict: | Malicious activity |
| Threats: | Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. |
| Analysis date: | November 17, 2023, 05:15:08 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | B6871CEF458A765D51E3B0A1AE324E60 |
| SHA1: | B62DDA6EFCC41EF4FDF6B3990B64FF54F08F2E56 |
| SHA256: | A5182257DAEF1ABDE3A971ED1C3D9C3BEE6D74FA3D4B0BCB379E5A9DD57340EA |
| SSDEEP: | 98304:IDQPYys2E6S1RNJ31LawGx8lh6fPEXPYKzUyvtHLjAJ7MY2E8OieAWzEw1pCv2Xp:BhS53m3 |
MALICIOUS
Drops the executable file immediately after the start
- 7za.exe (PID: 3544)
- TEQ.exe (PID: 3428)
- TEQ.exe (PID: 3512)
- BLUE.exe (PID: 3644)
Disables Windows Defender
- DC.exe (PID: 3832)
- DC.exe (PID: 3908)
Creates or modifies Windows services
- DC.exe (PID: 3832)
- DC.exe (PID: 3908)
Known privilege escalation attack
- dllhost.exe (PID: 3556)
Changes powershell execution policy (Bypass)
- BLUE.exe (PID: 3644)
Bypass execution policy to execute commands
- powershell.exe (PID: 2268)
- powershell.exe (PID: 2392)
- powershell.exe (PID: 2260)
UAC/LUA settings modification
- BLUE.exe (PID: 3644)
Using BCDEDIT.EXE to modify recovery options
- BLUE.exe (PID: 3644)
Deletes shadow copies
- BLUE.exe (PID: 3644)
Actions looks like stealing of personal data
- BLUE.exe (PID: 3644)
Renames files like ransomware
- BLUE.exe (PID: 3644)
SUSPICIOUS
Drops 7-zip archiver for unpacking
- TEQ.exe (PID: 3428)
- TEQ.exe (PID: 3512)
Starts CMD.EXE for commands execution
- BLUE.exe (PID: 3644)
- TEQ.exe (PID: 3428)
Reads the Internet Settings
- TEQ.exe (PID: 3428)
Application launched itself
- BLUE.exe (PID: 3644)
- DC.exe (PID: 3832)
Creates or modifies Windows services
- BLUE.exe (PID: 3644)
Executing commands from ".cmd" file
- TEQ.exe (PID: 3428)
Powershell version downgrade attack
- powershell.exe (PID: 2268)
- powershell.exe (PID: 2260)
- powershell.exe (PID: 2392)
Uses powercfg.exe to modify the power settings
- BLUE.exe (PID: 3644)
Starts POWERSHELL.EXE for commands execution
- BLUE.exe (PID: 3644)
Executes as Windows Service
- systray.exe (PID: 3128)
- systray.exe (PID: 3620)
- systray.exe (PID: 1568)
- VSSVC.exe (PID: 3192)
- wbengine.exe (PID: 3484)
- vds.exe (PID: 3164)
Process drops legitimate windows executable
- BLUE.exe (PID: 3644)
INFO
Create files in a temporary directory
- TEQ.exe (PID: 3428)
- 7za.exe (PID: 3544)
- DC.exe (PID: 3832)
Reads the computer name
- 7za.exe (PID: 3544)
- 7za.exe (PID: 3216)
- TEQ.exe (PID: 3428)
- TEQ.exe (PID: 3512)
- DC.exe (PID: 3832)
- BLUE.exe (PID: 3644)
- DC.exe (PID: 3908)
- BLUE.exe (PID: 3984)
- BLUE.exe (PID: 3748)
- BLUE.exe (PID: 3736)
- Everything.exe (PID: 3592)
- Everything.exe (PID: 3912)
Checks supported languages
- 7za.exe (PID: 3216)
- 7za.exe (PID: 3544)
- TEQ.exe (PID: 3428)
- TEQ.exe (PID: 3512)
- DC.exe (PID: 3832)
- BLUE.exe (PID: 3644)
- BLUE.exe (PID: 3748)
- BLUE.exe (PID: 3984)
- DC.exe (PID: 3908)
- BLUE.exe (PID: 3736)
- Everything.exe (PID: 3592)
- Everything.exe (PID: 3912)
Creates files or folders in the user directory
- TEQ.exe (PID: 3512)
- BLUE.exe (PID: 3644)
- Everything.exe (PID: 3592)
Reads mouse settings
- DC.exe (PID: 3832)
- DC.exe (PID: 3908)
The executable file from the user directory is run by the CMD process
- DC.exe (PID: 3832)
Reads the machine GUID from the registry
- TEQ.exe (PID: 3512)
- BLUE.exe (PID: 3644)
Checks transactions between databases Windows and Oracle
- TEQ.exe (PID: 3512)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Generic Win/DOS Executable (50) |
|---|---|---|
| .exe | | | DOS Executable Generic (49.9) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2012:12:31 01:38:51+01:00 |
| ImageFileCharacteristics: | No relocs, Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 8 |
| CodeSize: | 101888 |
| InitializedDataSize: | 61440 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1942f |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
Total processes
111
Monitored processes
44
Malicious processes
11
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 556 | powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0 | C:\Windows\System32\powercfg.exe | — | BLUE.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Power Settings Command-Line Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 608 | powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0 | C:\Windows\System32\powercfg.exe | — | BLUE.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Power Settings Command-Line Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1032 | powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0 | C:\Windows\System32\powercfg.exe | — | BLUE.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Power Settings Command-Line Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1152 | powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0 | C:\Windows\System32\powercfg.exe | — | BLUE.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Power Settings Command-Line Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1208 | powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0 | C:\Windows\System32\powercfg.exe | — | BLUE.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Power Settings Command-Line Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1244 | wbadmin.exe DELETE SYSTEMSTATEBACKUP | C:\Windows\System32\wbadmin.exe | — | BLUE.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Command Line Interface for Microsoft® BLB Backup Exit code: 4294967293 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1272 | powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0 | C:\Windows\System32\powercfg.exe | — | BLUE.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Power Settings Command-Line Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1348 | powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0 | C:\Windows\System32\powercfg.exe | — | BLUE.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Power Settings Command-Line Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1568 | C:\Windows\System32\Systray.exe C:\Windows\system32\SearchIndexer.exe /Embedding | C:\Windows\System32\systray.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Systray .exe stub Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1616 | powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0 | C:\Windows\System32\powercfg.exe | — | BLUE.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Power Settings Command-Line Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
6 805
Read events
6 606
Write events
199
Delete events
0
Modification events
| (PID) Process: | (3428) TEQ.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (3428) TEQ.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (3428) TEQ.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (3428) TEQ.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (3556) dllhost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (3556) dllhost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (3556) dllhost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (3556) dllhost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (3832) DC.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender |
| Operation: | write | Name: | DisableAntiSpyware |
Value: 1 | |||
| (PID) Process: | (3832) DC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend |
| Operation: | write | Name: | Start |
Value: 3 | |||
Executable files
767
Suspicious files
15 242
Text files
6 155
Unknown types
32
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3428 | TEQ.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\7za.exe | executable | |
MD5:B93EB0A48C91A53BDA6A1A074A4B431E | SHA256:AB15A9B27EE2D69A8BC8C8D1F5F40F28CD568F5CBB28D36ED938110203F8D142 | |||
| 3428 | TEQ.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\Everything64.dll | compressed | |
MD5:01327FCD52053BA0B9E753DE88195637 | SHA256:53143309B4F29789D8316C8A424B35B14340B01679D8D53EF65200945F772391 | |||
| 3544 | 7za.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\DC.exe | executable | |
MD5:AC34BA84A5054CD701EFAD5DD14645C9 | SHA256:C576F7F55C4C0304B290B15E70A638B037DF15C69577CD6263329C73416E490E | |||
| 3544 | 7za.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\xdel.exe | executable | |
MD5:803DF907D936E08FBBD06020C411BE93 | SHA256:E8EAA39E2ADFD49AB69D7BB8504CCB82A902C8B48FBC256472F36F41775E594C | |||
| 3544 | 7za.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\Everything.ini | text | |
MD5:742C2400F2DE964D0CCE4A8DABADD708 | SHA256:2FEFB69E4B2310BE5E09D329E8CF1BEBD1F9E18884C8C2A38AF8D7EA46BD5E01 | |||
| 3428 | TEQ.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\Everything32.dll | executable | |
MD5:3B03324537327811BBBAFF4AAFA4D75B | SHA256:8CAE8A9740D466E17F16481E68DE9CBD58265863C3924D66596048EDFD87E880 | |||
| 3544 | 7za.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\encrypt.exe | executable | |
MD5:7CA770CC5F649256A18623245348F39F | SHA256:07631E96B95B1F01BDC591699AE6BC2E6787387CBE865BC11004BD34C0F9C3A4 | |||
| 3544 | 7za.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\Everything2.ini | text | |
MD5:51014C0C06ACDD80F9AE4469E7D30A9E | SHA256:89AD2164717BD5F5F93FBB4CEBF0EFEB473097408FDDFC7FC7B924D790514DC5 | |||
| 3428 | TEQ.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\Everything.exe | executable | |
MD5:C44487CE1827CE26AC4699432D15B42A | SHA256:4C83E46A29106AFBAF5279029D102B489D958781764289B61AB5B618A4307405 | |||
| 3544 | 7za.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\TEQ.exe | executable | |
MD5:CFDB19345DEC70E33FB559514D0C951B | SHA256:D7FE920929797C83862C796B9B1C5BB00445AF2BEF761FEF2FED71A72DC91665 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |