Analysis

  • max time kernel
    29s
  • max time network
    31s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/01/2025, 01:27

General

  • Target
    HsSGqhA8hLnRhzEU.exe
  • Size
    2.9MB
  • MD5
    cff6d32fcf161fee5537d671088a9c69
  • SHA1
    b7e25d124e1104d9f5e4db75189d1040523166c8
  • SHA256
    28152bd25dcb79c1fe7f7fc8a8ca1990567dc9bc46385139908978a1bdf61c37
  • SHA512
    5e63001d649d80634273e8cdb7143d7c423f2b2e210e4f16982126726bf0ff6792edc6ffc131fc89826d5ff9f2ab396d0f220fbaf305682eb0495f55080921e8
  • SSDEEP
    49152:tIe8YWczZM9/RYOcsTo1pWYXb7PfbRpRhtjsA5LZVVIbiF30QHWgwQXST:tGYLq9/RYOlTo//DRpRHjsQZJNLeQXc

Malware Config

Extracted

Family

quasar

Attributes
  • encryption_key
    cjAti90cIswbpuxF3OyR
  • reconnect_delay
    1200

Signatures

  • Contains code to disable Windows Defender (5 IoCs)

    A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings (3 TTPs, 4 IoCs)
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload (5 IoCs)
  • Checks computer location settings (2 TTPs, 3 IoCs)

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE (6 IoCs)
  • Windows security modification (2 TTPs, 1 IoC)
  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Program crash (3 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 17 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 3 IoCs)

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe (1 TTP, 3 IoCs)
  • Scheduled Task/Job: Scheduled Task (1 TTP, 4 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (54 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\HsSGqhA8hLnRhzEU.exe
    "C:\Users\Admin\AppData\Local\Temp\HsSGqhA8hLnRhzEU.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3220
    • C:\Users\Admin\AppData\Local\Temp\HsSGqhA8hLnRhzEU.exe
      "C:\Users\Admin\AppData\Local\Temp\HsSGqhA8hLnRhzEU.exe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2984
      • C:\Users\Admin\AppData\Local\Temp\4c47UZqDTLxzUk4G.exe
        "C:\Users\Admin\AppData\Local\Temp\4c47UZqDTLxzUk4G.exe" 0
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:244
      • C:\Users\Admin\AppData\Local\Temp\t7Q76efrM7xVSp6Q.exe
        "C:\Users\Admin\AppData\Local\Temp\t7Q76efrM7xVSp6Q.exe" 0
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        PID:4572
      • C:\Users\Admin\AppData\Local\Temp\ServiceRelay.exe
        "C:\Users\Admin\AppData\Local\Temp\ServiceRelay.exe" 0
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4460
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "ProtecSys" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\ServiceRelay.exe" /rl HIGHEST /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:1840
        • C:\Users\Admin\AppData\Roaming\SystemServiceProvider\ServiceClient.exe
          "C:\Users\Admin\AppData\Roaming\SystemServiceProvider\ServiceClient.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2032
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "ProtecSys" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SystemServiceProvider\ServiceClient.exe" /rl HIGHEST /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:2988
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7BnjanPv4Fys.bat" "
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4560
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1256
            • C:\Windows\SysWOW64\PING.EXE
              ping -n 10 localhost
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:3568
            • C:\Users\Admin\AppData\Roaming\SystemServiceProvider\ServiceClient.exe
              "C:\Users\Admin\AppData\Roaming\SystemServiceProvider\ServiceClient.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4844
              • C:\Windows\SysWOW64\schtasks.exe
                "schtasks" /create /tn "ProtecSys" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SystemServiceProvider\ServiceClient.exe" /rl HIGHEST /f
                7⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:1188
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Y86eHBC30Ec2.bat" "
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:776
                • C:\Windows\SysWOW64\chcp.com
                  chcp 65001
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:952
                • C:\Windows\SysWOW64\PING.EXE
                  ping -n 10 localhost
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:3056
                • C:\Users\Admin\AppData\Roaming\SystemServiceProvider\ServiceClient.exe
                  "C:\Users\Admin\AppData\Roaming\SystemServiceProvider\ServiceClient.exe"
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:4408
                  • C:\Windows\SysWOW64\schtasks.exe
                    "schtasks" /create /tn "ProtecSys" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SystemServiceProvider\ServiceClient.exe" /rl HIGHEST /f
                    9⤵
                    • System Location Discovery: System Language Discovery
                    • Scheduled Task/Job: Scheduled Task
                    PID:4160
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BA5Cyerkld5P.bat" "
                    9⤵
                    PID:384
                    • C:\Windows\SysWOW64\chcp.com
                      chcp 65001
                      10⤵
                      PID:3136
                    • C:\Windows\SysWOW64\PING.EXE
                      ping -n 10 localhost
                      10⤵
                      • System Network Configuration Discovery: Internet Connection Discovery
                      • Runs ping.exe
                      PID:2720
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 2224
                    9⤵
                    • Program crash
                    PID:2824
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 2204
                7⤵
                • Program crash
                PID:2172
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 2192
            5⤵
            • Program crash
            PID:3968
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2032 -ip 2032
    1⤵
    PID:2224
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4844 -ip 4844
    1⤵
    PID:1456
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4408 -ip 4408
    1⤵
    PID:812

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\4c47UZqDTLxzUk4G.exe
    Filesize: 295KB
    MD5: 08481f11e5fe4894a359305f22db416f
    SHA1: 7ea518a53bf02495781b163a1289ce83eaa46127
    SHA256: 67de8f33db4ace58a818fc5aed65d860417bf4dd14a1bd5fd7d3a395a8ff7aa3
    SHA512: 74058bd670208222b98443fae3e3e66e1dd8e57a7fe9cdb5d9f5aa134ed1b5945333d820573c12e965910e9c3ca245abfbdd84df1d371d797c59e70ae5630eb4
  • C:\Users\Admin\AppData\Local\Temp\7BnjanPv4Fys.bat
    Filesize: 229B
    MD5: 97b35355167b545423b424e22171f512
    SHA1: 69e74b4db7c212c31fdcb67bc81c13ad9d0ba040
    SHA256: 08c3e89ab776d0102cf9bb68274906dcd4fc526783e91936f99c8403b2ae9f27
    SHA512: e3deca0ceedabd74f95e960ee244529241ce1498c8089bf70c26fc4a676ee7b97c6403e56b9a6d6088fe5aca5c9fc08d15bccc3be7e5940af4081ae2eaae9bda
  • C:\Users\Admin\AppData\Local\Temp\BA5Cyerkld5P.bat
    Filesize: 229B
    MD5: 43e26ff229796481333b7763b1ed79f3
    SHA1: 5e4e55eac6ded6855a2541702adf1b0e2665c743
    SHA256: fd01054f8cc43a335c1cd713e0bd1061ba05b8389f422ea065dc053c49558ec7
    SHA512: 94314c5a70f6acb735e9873493be9439fb2e8503bfca7282c9e26cf4803a6ed25c8fa5e5821c0109b7cf3c84094cdc53f25b82a23a3ad3654e7044b87cd3bd30
  • C:\Users\Admin\AppData\Local\Temp\ServiceRelay.exe
    Filesize: 741KB
    MD5: ecd249a261ceecdb80e0b4bf001ba8ad
    SHA1: 2e271018594cac23b87ea0b60b6c6763dbbb0d23
    SHA256: bc681f240cda963c599b492b5876f47f624dba3867ea2954d94b93a6c258701f
    SHA512: af4c6bc71b714a7a030ab6bcd8ef2f4a0444242c969e514ba15bc6a8184642b89ae08406dbb952d389ec2641100d8e18a2d0e3f74d62dff81171898a17ecc6d8
  • C:\Users\Admin\AppData\Local\Temp\Y86eHBC30Ec2.bat
    Filesize: 229B
    MD5: 8359f052e73ebfb6bd49aabfdc7f774f
    SHA1: f0ddad1eb99adf7bacec37e21cdb7effe1aea6ef
    SHA256: 5fdc26eb7bfe32f19b7c0c66f5aeaaa638c4cc7b74f2220e070a064576f5b1b3
    SHA512: 17a6915a60afbc0843041ea9f3e3a48776f564c30b9f443a236c156ed18e54d7875296cda9ad74300152907331cd778a3823be4690d0b01aab4a3b5837d09a34
  • C:\Users\Admin\AppData\Local\Temp\t7Q76efrM7xVSp6Q.exe
    Filesize: 9KB
    MD5: 2a4441134fc12a6d704d1f4b2ab58876
    SHA1: 0367169489fa0854d10f6cc0e57392d640d92b36
    SHA256: 42997d05907d02764463b0fbfbfc86a03df8ab6399836cd6511129802b9a2492
    SHA512: d60bbed90aa1e2547371f2342ed083e068a1933a69df8a7b924e1caa3d7b1e49b33c0bba0c3f261271005a0a8c487679e89f8d2fa0d6169fc7391e4a358000d8
  • C:\Users\Admin\AppData\Roaming\PressTrak\01-01-2025
    Filesize: 224B
    MD5: 9eedef8aa177f47d404a958022f2f169
    SHA1: bb2e2128f6fc72280456cec29d79166bd72406b2
    SHA256: 36fe6db2cc2a14e1ac8cbb5926f20625eee05ab48b381e733b2a2a23fd9bde8b
    SHA512: 78341e35f91022a9d33f0a3b412576d6d765d0d43e251c99b4009f5777aa39ddb11bd5b737172111e86df55a476054decfec01482210f76b507eb30a474038ee
  • C:\Users\Admin\AppData\Roaming\PressTrak\01-01-2025
    Filesize: 224B
    MD5: 8e566a2668916fa97fec2f20784c1cfc
    SHA1: d52e0ba6758b242f84713888840c1566c9887e1a
    SHA256: 0b334239d2a4701f770ace2a5906386492e7488795d7da45e46be510bbc8fbe6
    SHA512: 64b1f546e33b308b5d02e5a7846607f2839a504b4603032cbbab3aa17833db614d46015eb9c53773be27aa9dd1f95faceed08a0981219b41b6db5cb2ae0eef3d
  • memory/2984-51-0x0000000000400000-0x00000000006E4000-memory.dmp
    Filesize: 2.9MB
  • memory/2984-9-0x0000000000400000-0x00000000006E4000-memory.dmp
    Filesize: 2.9MB
  • memory/2984-12-0x0000000000400000-0x00000000006E4000-memory.dmp
    Filesize: 2.9MB
  • memory/3220-6-0x0000000005560000-0x00000000055D6000-memory.dmp
    Filesize: 472KB
  • memory/3220-15-0x00000000753A0000-0x0000000075B50000-memory.dmp
    Filesize: 7.7MB
  • memory/3220-8-0x0000000005750000-0x000000000576E000-memory.dmp
    Filesize: 120KB
  • memory/3220-7-0x0000000005D80000-0x000000000606C000-memory.dmp
    Filesize: 2.9MB
  • memory/3220-1-0x0000000000670000-0x000000000095E000-memory.dmp
    Filesize: 2.9MB
  • memory/3220-2-0x00000000057D0000-0x0000000005D74000-memory.dmp
    Filesize: 5.6MB
  • memory/3220-0-0x00000000753AE000-0x00000000753AF000-memory.dmp
    Filesize: 4KB
  • memory/3220-3-0x0000000005300000-0x0000000005392000-memory.dmp
    Filesize: 584KB
  • memory/3220-4-0x00000000054B0000-0x00000000054BA000-memory.dmp
    Filesize: 40KB
  • memory/3220-5-0x00000000753A0000-0x0000000075B50000-memory.dmp
    Filesize: 7.7MB
  • memory/4460-56-0x0000000005E40000-0x0000000005E7C000-memory.dmp
    Filesize: 240KB
  • memory/4460-55-0x0000000005900000-0x0000000005912000-memory.dmp
    Filesize: 72KB
  • memory/4460-54-0x0000000004AF0000-0x0000000004B56000-memory.dmp
    Filesize: 408KB
  • memory/4460-52-0x0000000000160000-0x0000000000220000-memory.dmp
    Filesize: 768KB
  • memory/4572-45-0x00007FFBC2253000-0x00007FFBC2255000-memory.dmp
    Filesize: 8KB
  • memory/4572-46-0x0000000000B60000-0x0000000000B68000-memory.dmp
    Filesize: 32KB