Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/01/2025, 04:59
Behavioral tasks
- behavioral1: sample 6d6c9c719e2f757442374af378c343a7.exe, resource win7-20240903-en
- behavioral2: sample 6d6c9c719e2f757442374af378c343a7.exe, resource win10v2004-20241007-en
General
- Target: 6d6c9c719e2f757442374af378c343a7.exe
- Size: 3.1MB
- MD5: 6d6c9c719e2f757442374af378c343a7
- SHA1: a58a2aa6dae2dbdf64472614985cac2adce4eddb
- SHA256: 444c97f6db0626069965d9e4ddb4bf315326954c51b123b3dc7d64084e7fb646
- SHA512: a3ef795e64b1d43ca300da97abc7d211e5987064c1c7cafa7a1dadcd1cb35902fb230f5b8e9a008ced4bc1d33573403bad2d99a4ccca9b6b749355110eb10210
- SSDEEP: 49152:HwElUPhZwv68DkG17WlqTz5oqM/p7vGJfAHdkTHHB72eh2NT:HwYUPhZwv68DkG17WlqTzeqM/p6t
Malware Config
Extracted configuration (family: quasar)
- version: 1.4.2
- botnet / tag: Office04
- C2: 193.31.28.181:4004
- mutex: 704ccf6d-01bf-4037-a807-12a60509b1a4
- encryption_key: 379B83B5AFE5908E0BC4583EBB5A83D7B76D2E00
- install_name: Client.exe
- log_directory: $77-Logs
- reconnect_delay: 3000
- startup_key: $77-cmd
- subdirectory: $77-cmd
Signatures
- Quasar family
- Quasar payload (2 IoCs)
  resource / yara_rule:
  - behavioral2/memory/3472-1-0x0000000000C90000-0x0000000000FB4000-memory.dmp: family_quasar
  - behavioral2/files/0x0007000000023c96-9.dat: family_quasar
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation (process: 6d6c9c719e2f757442374af378c343a7.exe)
- Executes dropped EXE (1 IoC)
  - PID 1608: Client.exe
- Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (3 IoCs)
  - PID 3344: timeout.exe
  - PID 3120: timeout.exe
  - PID 348: timeout.exe
- Modifies registry class (13 IoCs)
  Process for every entry: reg.exe. Key prefix omitted below: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes
  - Key created: ms-settings\shell\open\command
  - Set value (str): ms-settings\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\$77-cmd\\Install.exe"
  - Key created: ms-settings\shell\open\command
  - Key created: ms-settings\shell\open\command
  - Key created: ms-settings\shell
  - Set value (str): ms-settings\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\$77-cmd\\Client.exe"
  - Key created: ms-settings\shell\open\command
  - Key deleted: ms-settings\shell\open\command
  - Set value (str): ms-settings\shell\open\command\DelegateExecute
  - Key created: ms-settings
  - Key created: ms-settings\shell\open
  - Set value (str): ms-settings\shell\open\command\DelegateExecute
  - Key deleted: ms-settings\shell\open\command
- Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - PID 3360: schtasks.exe
  - PID 1756: schtasks.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege, PID 3472, 6d6c9c719e2f757442374af378c343a7.exe
  - Token: SeDebugPrivilege, PID 1608, Client.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  - PID 1608: Client.exe
- Suspicious use of WriteProcessMemory (40 IoCs)
  Each entry: description, pid, process, procid_target. Every write was recorded twice.
  - PID 3472 wrote to memory of 3360: 3472, 6d6c9c719e2f757442374af378c343a7.exe, 83
  - PID 3472 wrote to memory of 3360: 3472, 6d6c9c719e2f757442374af378c343a7.exe, 83
  - PID 3472 wrote to memory of 1868: 3472, 6d6c9c719e2f757442374af378c343a7.exe, 85
  - PID 3472 wrote to memory of 1868: 3472, 6d6c9c719e2f757442374af378c343a7.exe, 85
  - PID 1868 wrote to memory of 1196: 1868, cmd.exe, 87
  - PID 1868 wrote to memory of 1196: 1868, cmd.exe, 87
  - PID 1868 wrote to memory of 1552: 1868, cmd.exe, 88
  - PID 1868 wrote to memory of 1552: 1868, cmd.exe, 88
  - PID 1868 wrote to memory of 4216: 1868, cmd.exe, 89
  - PID 1868 wrote to memory of 4216: 1868, cmd.exe, 89
  - PID 1868 wrote to memory of 3344: 1868, cmd.exe, 90
  - PID 1868 wrote to memory of 3344: 1868, cmd.exe, 90
  - PID 4216 wrote to memory of 1608: 4216, fodhelper.exe, 91
  - PID 4216 wrote to memory of 1608: 4216, fodhelper.exe, 91
  - PID 1608 wrote to memory of 1756: 1608, Client.exe, 92
  - PID 1608 wrote to memory of 1756: 1608, Client.exe, 92
  - PID 1868 wrote to memory of 1864: 1868, cmd.exe, 94
  - PID 1868 wrote to memory of 1864: 1868, cmd.exe, 94
  - PID 1868 wrote to memory of 2372: 1868, cmd.exe, 95
  - PID 1868 wrote to memory of 2372: 1868, cmd.exe, 95
  - PID 3472 wrote to memory of 3316: 3472, 6d6c9c719e2f757442374af378c343a7.exe, 97
  - PID 3472 wrote to memory of 3316: 3472, 6d6c9c719e2f757442374af378c343a7.exe, 97
  - PID 3472 wrote to memory of 5080: 3472, 6d6c9c719e2f757442374af378c343a7.exe, 99
  - PID 3472 wrote to memory of 5080: 3472, 6d6c9c719e2f757442374af378c343a7.exe, 99
  - PID 3316 wrote to memory of 2252: 3316, cmd.exe, 101
  - PID 3316 wrote to memory of 2252: 3316, cmd.exe, 101
  - PID 3316 wrote to memory of 4048: 3316, cmd.exe, 102
  - PID 3316 wrote to memory of 4048: 3316, cmd.exe, 102
  - PID 5080 wrote to memory of 3120: 5080, cmd.exe, 103
  - PID 5080 wrote to memory of 3120: 5080, cmd.exe, 103
  - PID 3316 wrote to memory of 3648: 3316, cmd.exe, 104
  - PID 3316 wrote to memory of 3648: 3316, cmd.exe, 104
  - PID 3316 wrote to memory of 3976: 3316, cmd.exe, 105
  - PID 3316 wrote to memory of 3976: 3316, cmd.exe, 105
  - PID 3316 wrote to memory of 348: 3316, cmd.exe, 106
  - PID 3316 wrote to memory of 348: 3316, cmd.exe, 106
  - PID 3316 wrote to memory of 780: 3316, cmd.exe, 107
  - PID 3316 wrote to memory of 780: 3316, cmd.exe, 107
  - PID 3316 wrote to memory of 624: 3316, cmd.exe, 108
  - PID 3316 wrote to memory of 624: 3316, cmd.exe, 108
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree; each entry gives image path, PID, command line, and the signatures triggered)
- C:\Users\Admin\AppData\Local\Temp\6d6c9c719e2f757442374af378c343a7.exe (PID 3472)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6d6c9c719e2f757442374af378c343a7.exe"
  Signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\schtasks.exe (PID 3360)
    Command line: "schtasks" /create /tn "$77-cmd" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$77-cmd\Client.exe" /rl HIGHEST /f
    Signatures: Scheduled Task/Job: Scheduled Task
  - C:\Windows\system32\cmd.exe (PID 1868)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$77-cmd\UACBypass1.bat" "
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe (PID 1196)
      Command line: reg add "HKCU\Software\Classes\ms-settings\shell\open\command" /ve /d "C:\Users\Admin\AppData\Roaming\$77-cmd\Client.exe" /f
      Signatures: Modifies registry class
    - C:\Windows\system32\reg.exe (PID 1552)
      Command line: reg add "HKCU\Software\Classes\ms-settings\shell\open\command" /v "DelegateExecute" /f
      Signatures: Modifies registry class
    - C:\Windows\system32\fodhelper.exe (PID 4216)
      Command line: fodhelper.exe
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\$77-cmd\Client.exe (PID 1608)
        Command line: "C:\Users\Admin\AppData\Roaming\$77-cmd\Client.exe"
        Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - C:\Windows\SYSTEM32\schtasks.exe (PID 1756)
          Command line: "schtasks" /create /tn "$77-cmd" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$77-cmd\Client.exe" /rl HIGHEST /f
          Signatures: Scheduled Task/Job: Scheduled Task
    - C:\Windows\system32\timeout.exe (PID 3344)
      Command line: timeout /t 2 /nobreak
      Signatures: Delays execution with timeout.exe
    - C:\Windows\system32\reg.exe (PID 1864)
      Command line: reg delete "HKCU\Software\Classes\ms-settings\shell\open\command" /f
      Signatures: Modifies registry class
    - C:\Windows\system32\cmd.exe (PID 2372)
      Command line: cmd /c del "C:\Users\Admin\AppData\Roaming\$77-cmd\UACBypass1.bat"
  - C:\Windows\system32\cmd.exe (PID 3316)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$77-cmd\UACBypass2.bat" "
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe (PID 2252)
      Command line: reg delete "HKCU\Software\Classes\ms-settings\shell\open\command" /f
    - C:\Windows\system32\reg.exe (PID 4048)
      Command line: reg add "HKCU\Software\Classes\ms-settings\shell\open\command" /ve /d "C:\Users\Admin\AppData\Roaming\$77-cmd\Install.exe" /f
      Signatures: Modifies registry class
    - C:\Windows\system32\reg.exe (PID 3648)
      Command line: reg add "HKCU\Software\Classes\ms-settings\shell\open\command" /v "DelegateExecute" /f
      Signatures: Modifies registry class
    - C:\Windows\system32\fodhelper.exe (PID 3976)
      Command line: fodhelper.exe
    - C:\Windows\system32\timeout.exe (PID 348)
      Command line: timeout /t 2 /nobreak
      Signatures: Delays execution with timeout.exe
    - C:\Windows\system32\reg.exe (PID 780)
      Command line: reg delete "HKCU\Software\Classes\ms-settings\shell\open\command" /f
      Signatures: Modifies registry class
    - C:\Windows\system32\cmd.exe (PID 624)
      Command line: cmd /c del "C:\Users\Admin\AppData\Roaming\$77-cmd\UACBypass2.bat"
  - C:\Windows\system32\cmd.exe (PID 5080)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$77-cmd\Melt.bat" "
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe (PID 3120)
      Command line: timeout /t 5 /nobreak
      Signatures: Delays execution with timeout.exe