Analysis
max time kernel: 94s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/12/2024, 21:55
Behavioral task behavioral1
Sample: friendsforever.exe
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: friendsforever.exe
Resource: win10v2004-20241007-en
General
Target: friendsforever.exe
Size: 3.1MB
MD5: ea836fb4533514a9a0e7e1b79378844d
SHA1: efda5af5b9ee2d3c6f799e23435a1a4b741232e3
SHA256: 6f7eb9b82b545931d07d4763a819578e3161f3df295dfcbf6c831be04ee2e61d
SHA512: c116e25c1c4550b4ba66137b442d2b7f372a0ac0f27f016e4e86e81b7c0d3f43c964fac5e8fe611690ea44d3caf27911a135ee3f4e44d8b872ec48576f68623a
SSDEEP: 98304:nvSL26AaNeWgPhlmVqkQ7XSKctFxwnys:vC4SR3x0y
Malware Config
Extracted
quasar
1.4.1
Click Lover
193.161.193.99:44422
98bd51bf-11bf-416b-a912-36f489dfdd26
encryption_key: 2E11DF8B2B2BF1F6C123C50C37AB3BD9FF752BD5
install_name: Video Application.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Video Application
subdirectory: SubDir
Signatures
Quasar family
Quasar payload (2 IoCs)
resource  yara_rule
behavioral2/memory/4948-1-0x0000000000060000-0x0000000000384000-memory.dmp  family_quasar
behavioral2/files/0x0007000000023ccb-6.dat  family_quasar
Executes dropped EXE (1 IoC)
pid  Process
3712  Video Application.exe
Drops file in System32 directory (5 IoCs)
description  ioc  Process
File created  C:\Windows\system32\SubDir\Video Application.exe  friendsforever.exe
File opened for modification  C:\Windows\system32\SubDir\Video Application.exe  friendsforever.exe
File opened for modification  C:\Windows\system32\SubDir  friendsforever.exe
File opened for modification  C:\Windows\system32\SubDir\Video Application.exe  Video Application.exe
File opened for modification  C:\Windows\system32\SubDir  Video Application.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  Process
3016  schtasks.exe
3692  schtasks.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description  pid  Process
Token: SeDebugPrivilege  4948  friendsforever.exe
Token: SeDebugPrivilege  3712  Video Application.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid  Process
3712  Video Application.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description  pid  Process  procid_target
PID 4948 wrote to memory of 3016  4948  friendsforever.exe  82
PID 4948 wrote to memory of 3016  4948  friendsforever.exe  82
PID 4948 wrote to memory of 3712  4948  friendsforever.exe  84
PID 4948 wrote to memory of 3712  4948  friendsforever.exe  84
PID 3712 wrote to memory of 3692  3712  Video Application.exe  85
PID 3712 wrote to memory of 3692  3712  Video Application.exe  85
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\friendsforever.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\friendsforever.exe"
  PID: 4948
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SYSTEM32\schtasks.exe (depth 2)
    Command line: "schtasks" /create /tn "Video Application" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Video Application.exe" /rl HIGHEST /f
    PID: 3016
    - Scheduled Task/Job: Scheduled Task
  C:\Windows\system32\SubDir\Video Application.exe (depth 2)
    Command line: "C:\Windows\system32\SubDir\Video Application.exe"
    PID: 3712
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SYSTEM32\schtasks.exe (depth 3)
      Command line: "schtasks" /create /tn "Video Application" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Video Application.exe" /rl HIGHEST /f
      PID: 3692
      - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.1MB
MD5: ea836fb4533514a9a0e7e1b79378844d
SHA1: efda5af5b9ee2d3c6f799e23435a1a4b741232e3
SHA256: 6f7eb9b82b545931d07d4763a819578e3161f3df295dfcbf6c831be04ee2e61d
SHA512: c116e25c1c4550b4ba66137b442d2b7f372a0ac0f27f016e4e86e81b7c0d3f43c964fac5e8fe611690ea44d3caf27911a135ee3f4e44d8b872ec48576f68623a