Analysis
max time kernel: 149s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/12/2023, 06:34
Static task: static1
Behavioral task: behavioral1
  Sample: 2bda8d6ee0e3ba6dbd8093272ca3b524.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 2bda8d6ee0e3ba6dbd8093272ca3b524.exe
  Resource: win10v2004-20231215-en
General
Target: 2bda8d6ee0e3ba6dbd8093272ca3b524.exe
Size: 1.5MB
MD5: 2bda8d6ee0e3ba6dbd8093272ca3b524
SHA1: 0d6243b098aff07091fc2caa8ca78ba6c5d285d3
SHA256: 5889d4b8dd5501b5bb0c31e99fbfba2f35cfcc44acee80f271404ba6e1046c23
SHA512: 8ce12e23a3dbb4a185a520a659e0095df4c4157b1d1b0b8eb783bbbe417c19c53ceeaf78fee4882e9a204b91b073e1731dfae50212ab379c0df303e0d56c6744
SSDEEP: 24576:KeV7YeExhf9aTXEuw+Plps89RjcyFShWVwjsgli:1KhwTzPlpjncDWG
Malware Config
Extracted
quasar
2.7.0.0
NexionHackTOOLS
lafeuilleocb.duckdns.org:1604
SoOlYmLEeaTU8o2xXj
encryption_key: EO5tiig6EEUjYq6qUEGc
install_name: NexiionHaclTOOLS.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: clses
Signatures

Quasar payload (1 IoC)
resource | yara_rule
behavioral2/memory/936-42-0x0000000000600000-0x0000000000710000-memory.dmp | family_quasar

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | 2bda8d6ee0e3ba6dbd8093272ca3b524.exe
Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | InstallUtil.exe

Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\debuit.lnk | 2bda8d6ee0e3ba6dbd8093272ca3b524.exe

Executes dropped EXE (4 IoCs)
pid | Process
4076 | debuit.exe
936 | InstallUtil.exe
4772 | NexiionHaclTOOLS.exe
3284 | InstallUtil.exe

Obfuscated with Agile.Net obfuscator (1 IoC)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource | yara_rule
behavioral2/memory/408-8-0x0000000006670000-0x0000000006698000-memory.dmp | agile_net

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
138 | ip-api.com

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\NexiionHaclTOOLS.exe | InstallUtil.exe
File opened for modification | C:\Windows\SysWOW64\NexiionHaclTOOLS.exe | InstallUtil.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 4076 set thread context of 936 | 4076 | debuit.exe | 107

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTP, 1 IoC)
pid | Process
3332 | PING.EXE

Suspicious behavior: EnumeratesProcesses (29 IoCs; identical rows collapsed, with their count)
pid | Process | occurrences
408 | 2bda8d6ee0e3ba6dbd8093272ca3b524.exe | 26
4076 | debuit.exe | 3

Suspicious use of AdjustPrivilegeToken (40 IoCs; identical rows collapsed, with their count)
description | pid | Process | occurrences
Token: SeDebugPrivilege | 408 | 2bda8d6ee0e3ba6dbd8093272ca3b524.exe | 1
Token: SeDebugPrivilege | 4076 | debuit.exe | 1
Token: SeDebugPrivilege | 936 | InstallUtil.exe | 1
Token: SeBackupPrivilege | 936 | InstallUtil.exe | 26
Token: SeSecurityPrivilege | 936 | InstallUtil.exe | 11

Suspicious use of WriteProcessMemory (26 IoCs; identical rows collapsed, with their count)
description | pid | Process | procid_target | occurrences
PID 408 wrote to memory of 4076 | 408 | 2bda8d6ee0e3ba6dbd8093272ca3b524.exe | 103 | 3
PID 4076 wrote to memory of 936 | 4076 | debuit.exe | 107 | 8
PID 936 wrote to memory of 4772 | 936 | InstallUtil.exe | 108 | 3
PID 936 wrote to memory of 3916 | 936 | InstallUtil.exe | 110 | 3
PID 3916 wrote to memory of 3188 | 3916 | cmd.exe | 112 | 3
PID 3916 wrote to memory of 3332 | 3916 | cmd.exe | 113 | 3
PID 3916 wrote to memory of 3284 | 3916 | cmd.exe | 114 | 3
Processes (indented by tree depth)

Level 1: C:\Users\Admin\AppData\Local\Temp\2bda8d6ee0e3ba6dbd8093272ca3b524.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2bda8d6ee0e3ba6dbd8093272ca3b524.exe"
  PID: 408
  - Checks computer location settings
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\debuit.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\debuit.exe"
    PID: 4076
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
      PID: 936
      - Checks computer location settings
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\SysWOW64\NexiionHaclTOOLS.exe
        Command line: "C:\Windows\SysWOW64\NexiionHaclTOOLS.exe"
        PID: 4772
        - Executes dropped EXE

      Level 4: C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C5qAIR9vF5J3.bat" "
        PID: 3916
        - Suspicious use of WriteProcessMemory

        Level 5: C:\Windows\SysWOW64\chcp.com
          Command line: chcp 65001
          PID: 3188

        Level 5: C:\Windows\SysWOW64\PING.EXE
          Command line: ping -n 10 localhost
          PID: 3332
          - Runs ping.exe

        Level 5: C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
          PID: 3284
          - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 9f0ab4a25d1ed1820e2e6791346fcbb3
SHA1: 5fe78c8a3b420c4c407e7b081e022b8274fc051b
SHA256: dd3304bba5d4cdb7f7edd03bddc9a6196affc5e15cbec3113fb83607082b6df2
SHA512: 1acccc67e08802bf4cbc7a3f402464b121ed98625aaf6dc1470b081f793fce5740e6138eb72dac74182379d7d2c177cbd1558284c53212e876a963c47104dcab

Filesize: 208B
MD5: 0404e163f78f198888745348943e7651
SHA1: a55336e03e293dcf3f198ddee1db2d5be8defa22
SHA256: c522df343fca25023f7e3670ce04aa684c1cf90eff4c0a27c616aa21df60ff37
SHA512: ba0262ce8bc7e84f3f67eda78ef2cdcef152c3e87fe80f302ac1860c66614c2214c12b3267a0eb3b44788afa66e001e83dd16282a7bd4b5902b6bddf45a2512f

Filesize: 41KB
MD5: 5d4073b2eb6d217c19f2b22f21bf8d57
SHA1: f0209900fbf08d004b886a0b3ba33ea2b0bf9da8
SHA256: ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3
SHA512: 9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

Filesize: 1.5MB
MD5: 2bda8d6ee0e3ba6dbd8093272ca3b524
SHA1: 0d6243b098aff07091fc2caa8ca78ba6c5d285d3
SHA256: 5889d4b8dd5501b5bb0c31e99fbfba2f35cfcc44acee80f271404ba6e1046c23
SHA512: 8ce12e23a3dbb4a185a520a659e0095df4c4157b1d1b0b8eb783bbbe417c19c53ceeaf78fee4882e9a204b91b073e1731dfae50212ab379c0df303e0d56c6744

Filesize: 503KB
MD5: ee44323007d74cc354584ffa1e780f52
SHA1: 8e16aec7f4311f46889b3b04cbc5e8671a47afa4
SHA256: 1950aae7016af047420070a103b4e7e6b9c587868c3aa11d076342fa4d389a8e
SHA512: 532ecdfe0267b8d543a8d8f6e22201b6c47af21b8756293ccb4ddb98e98f3b59324e602b7b4e303a59e5624296d55f0c2b8959002abd60f93c5e3361732cace8

Filesize: 472KB
MD5: 6dcdcc5568c0b6e03d70168c5064b299
SHA1: f43d4a2b193dc2e66cc5b19fb102c17d57cc568c
SHA256: ff69fbc5ec0bc2e47bf5bd8f21fd56c11e5182c0b446c27241e4d191d83b1f22
SHA512: c506ed51850adc4a7f8507daebcf919bad40e7dc64e2466e76443d9afe5d09ae11e3aa0fc4396303569a952563b2eb86b7efda3b8d454f8a2baa5ba4bf7e8538