Analysis
- max time kernel: 111s
- max time network: 121s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/11/2024, 05:41
Static task: static1
Behavioral task: behavioral1
Sample: 497960e1fdb8af14899674be0c997f9858384261945dbb91e8b28ae0e174cb6f.exe
Resource: win7-20241010-en
General
- Target: 497960e1fdb8af14899674be0c997f9858384261945dbb91e8b28ae0e174cb6f.exe
- Size: 13.3MB
- MD5: 0d6982311c8a21313994773c99380dfb
- SHA1: d8a6abfbdf3fe52598f570abeed3b272b10484bd
- SHA256: 497960e1fdb8af14899674be0c997f9858384261945dbb91e8b28ae0e174cb6f
- SHA512: 47b4c7f9a8a49ab067d4214d6cb73277bc56f7e671d3ef3c38ca8d845c65dbf2303e083294d71d68bf4348b87558141d4d3281d959d262efe56b29a87e5437c4
- SSDEEP: 49152:Kqsm55NYMPrb/T7vO90dL3BmAFd4A64nsfJlFngTR55I7NLz1S:Kq95TUGPf
Malware Config
Extracted
quasar
1.4.0
COM Surrogate
10.8.1.66:8869
119b9028-5664-4725-b2c1-1e4eaf743d68
- encryption_key: B0092D1E1BA8BCBB825AA0760094E03D6D52E169
- install_name: 3388.exe
- log_directory: COMLogs
- reconnect_delay: 5000
- startup_key: COM Surrogate
Signatures
Contains code to disable Windows Defender 4 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource / yara_rule:
- behavioral2/files/0x0007000000023ca5-34.dat: disable_win_def
- behavioral2/memory/5024-38-0x00000000006E0000-0x00000000006EC000-memory.dmp: disable_win_def
- behavioral2/files/0x0007000000023ca6-45.dat: disable_win_def
- behavioral2/memory/4444-47-0x0000000000A50000-0x0000000000A58000-memory.dmp: disable_win_def
Modifies Windows Defender Real-time Protection settings 4 IoCs
description / ioc / Process:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (0rqchlom.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (0rqchlom.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (0rqchlom.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (0rqchlom.exe)
Quasar family
Quasar payload 2 IoCs
resource / yara_rule:
- behavioral2/files/0x000c000000023c9a-36.dat: family_quasar
- behavioral2/memory/1240-39-0x0000000000E50000-0x0000000000ED4000-memory.dmp: family_quasar
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description / ioc / Process:
- Key value queried: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation (go-memexec-2427138717.exe)
Executes dropped EXE 8 IoCs
pid / Process:
- 3760 go-memexec-2427138717.exe
- 4140 DISCORD-BUILD.EXE
- 1916 JAVAFIX.EXE-BUILD.EXE
- 2636 WINDEFENDDISABLE.EXE-BUILD.EXE
- 5024 go-memexec-1045855478.exe
- 1240 go-memexec-2927655030.exe
- 4444 0rqchlom.exe
- 1464 3388.exe
Windows security modification 1 IoCs
description / ioc / Process:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (0rqchlom.exe)
Drops file in System32 directory 3 IoCs
description / ioc / Process:
- File created: C:\Windows\system32\3388.exe (go-memexec-2927655030.exe)
- File opened for modification: C:\Windows\system32\3388.exe (go-memexec-2927655030.exe)
- File opened for modification: C:\Windows\system32\3388.exe (3388.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (go-memexec-2427138717.exe)
Kills process with taskkill 1 IoCs
pid / Process:
- 2816 taskkill.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process:
- 2264 schtasks.exe
- 656 schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid / Process:
- 5024 go-memexec-1045855478.exe (the same pid/process pair for all 64 IoCs)
Suspicious use of AdjustPrivilegeToken 5 IoCs
description / pid / Process:
- Token: SeDebugPrivilege, 5024 go-memexec-1045855478.exe
- Token: SeDebugPrivilege, 1240 go-memexec-2927655030.exe
- Token: SeDebugPrivilege, 4648 powershell.exe
- Token: SeDebugPrivilege, 2816 taskkill.exe
- Token: SeDebugPrivilege, 1464 3388.exe
Suspicious use of SetWindowsHookEx 3 IoCs
pid / Process:
- 5024 go-memexec-1045855478.exe
- 5024 go-memexec-1045855478.exe
- 1464 3388.exe
Suspicious use of WriteProcessMemory 25 IoCs
description / pid / Process / procid_target:
- PID 4352 wrote to memory of 3760: 4352 497960e1fdb8af14899674be0c997f9858384261945dbb91e8b28ae0e174cb6f.exe, target 84
- PID 4352 wrote to memory of 3760: 4352 497960e1fdb8af14899674be0c997f9858384261945dbb91e8b28ae0e174cb6f.exe, target 84
- PID 4352 wrote to memory of 3760: 4352 497960e1fdb8af14899674be0c997f9858384261945dbb91e8b28ae0e174cb6f.exe, target 84
- PID 3760 wrote to memory of 4140: 3760 go-memexec-2427138717.exe, target 85
- PID 3760 wrote to memory of 4140: 3760 go-memexec-2427138717.exe, target 85
- PID 3760 wrote to memory of 1916: 3760 go-memexec-2427138717.exe, target 86
- PID 3760 wrote to memory of 1916: 3760 go-memexec-2427138717.exe, target 86
- PID 3760 wrote to memory of 2636: 3760 go-memexec-2427138717.exe, target 89
- PID 3760 wrote to memory of 2636: 3760 go-memexec-2427138717.exe, target 89
- PID 1916 wrote to memory of 1240: 1916 JAVAFIX.EXE-BUILD.EXE, target 91
- PID 1916 wrote to memory of 1240: 1916 JAVAFIX.EXE-BUILD.EXE, target 91
- PID 2636 wrote to memory of 5024: 2636 WINDEFENDDISABLE.EXE-BUILD.EXE, target 92
- PID 2636 wrote to memory of 5024: 2636 WINDEFENDDISABLE.EXE-BUILD.EXE, target 92
- PID 5024 wrote to memory of 3952: 5024 go-memexec-1045855478.exe, target 93
- PID 5024 wrote to memory of 3952: 5024 go-memexec-1045855478.exe, target 93
- PID 4764 wrote to memory of 4444: 4764 cmd.exe, target 97
- PID 4764 wrote to memory of 4444: 4764 cmd.exe, target 97
- PID 4444 wrote to memory of 4648: 4444 0rqchlom.exe, target 98
- PID 4444 wrote to memory of 4648: 4444 0rqchlom.exe, target 98
- PID 1240 wrote to memory of 2264: 1240 go-memexec-2927655030.exe, target 102
- PID 1240 wrote to memory of 2264: 1240 go-memexec-2927655030.exe, target 102
- PID 1240 wrote to memory of 1464: 1240 go-memexec-2927655030.exe, target 105
- PID 1240 wrote to memory of 1464: 1240 go-memexec-2927655030.exe, target 105
- PID 1464 wrote to memory of 656: 1464 3388.exe, target 106
- PID 1464 wrote to memory of 656: 1464 3388.exe, target 106
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\497960e1fdb8af14899674be0c997f9858384261945dbb91e8b28ae0e174cb6f.exe (PID 4352)
  command line: "C:\Users\Admin\AppData\Local\Temp\497960e1fdb8af14899674be0c997f9858384261945dbb91e8b28ae0e174cb6f.exe"
  signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\go-memexec-2427138717.exe (PID 3760)
    command line: C:\Users\Admin\AppData\Local\Temp\go-memexec-2427138717.exe
    signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\DISCORD-BUILD.EXE (PID 4140)
      command line: "C:\Users\Admin\AppData\Local\Temp\DISCORD-BUILD.EXE"
      signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\JAVAFIX.EXE-BUILD.EXE (PID 1916)
      command line: "C:\Users\Admin\AppData\Local\Temp\JAVAFIX.EXE-BUILD.EXE"
      signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\go-memexec-2927655030.exe (PID 1240)
        command line: C:\Users\Admin\AppData\Local\Temp\go-memexec-2927655030.exe
        signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\SYSTEM32\schtasks.exe (PID 2264)
          command line: "schtasks" /create /tn "COM Surrogate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\go-memexec-2927655030.exe" /rl HIGHEST /f
          signatures: Scheduled Task/Job: Scheduled Task
        - C:\Windows\system32\3388.exe (PID 1464)
          command line: "C:\Windows\system32\3388.exe"
          signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          - C:\Windows\system32\schtasks.exe (PID 656)
            command line: "schtasks" /create /tn "COM Surrogate" /sc ONLOGON /tr "C:\Windows\system32\3388.exe" /rl HIGHEST /f
            signatures: Scheduled Task/Job: Scheduled Task
    - C:\Users\Admin\AppData\Local\Temp\WINDEFENDDISABLE.EXE-BUILD.EXE (PID 2636)
      command line: "C:\Users\Admin\AppData\Local\Temp\WINDEFENDDISABLE.EXE-BUILD.EXE"
      signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\go-memexec-1045855478.exe (PID 5024)
        command line: C:\Users\Admin\AppData\Local\Temp\go-memexec-1045855478.exe
        signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - \??\c:\windows\system32\cmstp.exe (PID 3952)
          command line: "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\1d444jtc.inf
- C:\Windows\system32\cmd.exe (PID 4764)
  command line: cmd /c start C:\Windows\temp\0rqchlom.exe
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\temp\0rqchlom.exe (PID 4444)
    command line: C:\Windows\temp\0rqchlom.exe
    signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4648)
      command line: "powershell" Get-MpPreference -verbose
      signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskkill.exe (PID 2816)
  command line: taskkill /IM cmstp.exe /F
  signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads