Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
24s -
max time network
26s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
31/12/2024, 20:46
Behavioral task
behavioral1
Sample
retard.exe
Resource
win7-20240903-en
Errors
General
-
Target
retard.exe
-
Size
3.1MB
-
MD5
b55e5489b45595fb38bf5bb30b69717b
-
SHA1
7511ee8909e0a0c53625eef4bd6b57250e561391
-
SHA256
4f111d05ddb93bf8e4ec906d2705740790402254ee115982d9e5aae36c3b4ffe
-
SHA512
40a520e89579a298922595428033b7f0ae0b8bd5bd6ead29488cad9707b153998ab88c3d55316045315297d185fefaaba49ef21b392ca216ac220e75220d1ead
-
SSDEEP
49152:6vxt62XlaSFNWPjljiFa2RoUYI4N83bR4LoGdzTHHB72eh2NT:6v762XlaSFNWPjljiFXRoUYI4N80
Malware Config
Extracted
quasar
1.4.1
afafaf
194.26.192.167:2768
c1060262-cacc-4b5e-8e09-ac72d84cef52
-
encryption_key
BE2B0B270E4DB19CAA5C42E9D2EBF64645A2D055
-
install_name
OneDrive.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
OneDrive
-
subdirectory
OneDrive
Signatures
-
Quasar family
-
Quasar payload 1 IoCs
resource yara_rule behavioral2/memory/2672-1-0x0000000000B60000-0x0000000000E84000-memory.dmp family_quasar -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation retard.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 15 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "232" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4852 schtasks.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2672 retard.exe Token: SeShutdownPrivilege 3700 shutdown.exe Token: SeRemoteShutdownPrivilege 3700 shutdown.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2672 retard.exe 2908 LogonUI.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2672 wrote to memory of 4852 2672 retard.exe 83 PID 2672 wrote to memory of 4852 2672 retard.exe 83 PID 2672 wrote to memory of 3700 2672 retard.exe 102 PID 2672 wrote to memory of 3700 2672 retard.exe 102 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\retard.exe"C:\Users\Admin\AppData\Local\Temp\retard.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "OneDrive" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
PID:4852
-
-
C:\Windows\System32\shutdown.exe"C:\Windows\System32\shutdown.exe" /s /t 02⤵
- Suspicious use of AdjustPrivilegeToken
PID:3700
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:852
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3927855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2908