Analysis
- max time kernel: 127s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/01/2025, 02:09
Behavioral task behavioral1
- Sample: 444c97f6db0626069965d9e4ddb4bf315326954c51b123b3dc7d64084e7fb646.exe
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: 444c97f6db0626069965d9e4ddb4bf315326954c51b123b3dc7d64084e7fb646.exe
- Resource: win10v2004-20241007-en
General
- Target: 444c97f6db0626069965d9e4ddb4bf315326954c51b123b3dc7d64084e7fb646.exe
- Size: 3.1MB
- MD5: 6d6c9c719e2f757442374af378c343a7
- SHA1: a58a2aa6dae2dbdf64472614985cac2adce4eddb
- SHA256: 444c97f6db0626069965d9e4ddb4bf315326954c51b123b3dc7d64084e7fb646
- SHA512: a3ef795e64b1d43ca300da97abc7d211e5987064c1c7cafa7a1dadcd1cb35902fb230f5b8e9a008ced4bc1d33573403bad2d99a4ccca9b6b749355110eb10210
- SSDEEP: 49152:HwElUPhZwv68DkG17WlqTz5oqM/p7vGJfAHdkTHHB72eh2NT:HwYUPhZwv68DkG17WlqTzeqM/p6t
Malware Config
Extracted
- Family: quasar
- Version: 1.4.2
- Office04
- 193.31.28.181:4004
- 704ccf6d-01bf-4037-a807-12a60509b1a4
- encryption_key: 379B83B5AFE5908E0BC4583EBB5A83D7B76D2E00
- install_name: Client.exe
- log_directory: $77-Logs
- reconnect_delay: 3000
- startup_key: $77-cmd
- subdirectory: $77-cmd
Signatures
- Quasar family
- Quasar payload (2 IoCs)
  - resource: behavioral2/memory/4800-1-0x0000000000330000-0x0000000000654000-memory.dmp, yara_rule: family_quasar
  - resource: behavioral2/files/0x0008000000023c91-9.dat, yara_rule: family_quasar
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation, Process: 444c97f6db0626069965d9e4ddb4bf315326954c51b123b3dc7d64084e7fb646.exe
- Executes dropped EXE (1 IoC)
  - PID 972: Client.exe
- Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (3 IoCs)
  - PID 4700: timeout.exe
  - PID 1944: timeout.exe
  - PID 4272: timeout.exe
- Modifies registry class (13 IoCs), all by Process reg.exe
  - Key deleted: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command
  - Key created: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command
  - Key created: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command
  - Key created: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell
  - Key created: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open
  - Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\$77-cmd\\Client.exe"
  - Key created: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command
  - Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\DelegateExecute
  - Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\$77-cmd\\Install.exe"
  - Key created: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command
  - Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\DelegateExecute
  - Key deleted: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command
  - Key created: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings
- Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - PID 1780: schtasks.exe
  - PID 536: schtasks.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege, PID 4800: 444c97f6db0626069965d9e4ddb4bf315326954c51b123b3dc7d64084e7fb646.exe
  - Token: SeDebugPrivilege, PID 972: Client.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  - PID 972: Client.exe
- Suspicious use of WriteProcessMemory (40 IoCs)
  - PID 4800 (444c97f6db0626069965d9e4ddb4bf315326954c51b123b3dc7d64084e7fb646.exe) wrote to memory of 1780, procid_target 83
  - PID 4800 (444c97f6db0626069965d9e4ddb4bf315326954c51b123b3dc7d64084e7fb646.exe) wrote to memory of 1780, procid_target 83
  - PID 4800 (444c97f6db0626069965d9e4ddb4bf315326954c51b123b3dc7d64084e7fb646.exe) wrote to memory of 1908, procid_target 85
  - PID 4800 (444c97f6db0626069965d9e4ddb4bf315326954c51b123b3dc7d64084e7fb646.exe) wrote to memory of 1908, procid_target 85
  - PID 1908 (cmd.exe) wrote to memory of 64, procid_target 87
  - PID 1908 (cmd.exe) wrote to memory of 64, procid_target 87
  - PID 1908 (cmd.exe) wrote to memory of 2904, procid_target 88
  - PID 1908 (cmd.exe) wrote to memory of 2904, procid_target 88
  - PID 1908 (cmd.exe) wrote to memory of 3952, procid_target 89
  - PID 1908 (cmd.exe) wrote to memory of 3952, procid_target 89
  - PID 1908 (cmd.exe) wrote to memory of 4700, procid_target 90
  - PID 1908 (cmd.exe) wrote to memory of 4700, procid_target 90
  - PID 3952 (fodhelper.exe) wrote to memory of 972, procid_target 91
  - PID 3952 (fodhelper.exe) wrote to memory of 972, procid_target 91
  - PID 972 (Client.exe) wrote to memory of 536, procid_target 92
  - PID 972 (Client.exe) wrote to memory of 536, procid_target 92
  - PID 1908 (cmd.exe) wrote to memory of 656, procid_target 96
  - PID 1908 (cmd.exe) wrote to memory of 656, procid_target 96
  - PID 1908 (cmd.exe) wrote to memory of 1180, procid_target 97
  - PID 1908 (cmd.exe) wrote to memory of 1180, procid_target 97
  - PID 4800 (444c97f6db0626069965d9e4ddb4bf315326954c51b123b3dc7d64084e7fb646.exe) wrote to memory of 5108, procid_target 98
  - PID 4800 (444c97f6db0626069965d9e4ddb4bf315326954c51b123b3dc7d64084e7fb646.exe) wrote to memory of 5108, procid_target 98
  - PID 4800 (444c97f6db0626069965d9e4ddb4bf315326954c51b123b3dc7d64084e7fb646.exe) wrote to memory of 2312, procid_target 100
  - PID 4800 (444c97f6db0626069965d9e4ddb4bf315326954c51b123b3dc7d64084e7fb646.exe) wrote to memory of 2312, procid_target 100
  - PID 5108 (cmd.exe) wrote to memory of 452, procid_target 102
  - PID 5108 (cmd.exe) wrote to memory of 452, procid_target 102
  - PID 2312 (cmd.exe) wrote to memory of 1944, procid_target 103
  - PID 2312 (cmd.exe) wrote to memory of 1944, procid_target 103
  - PID 5108 (cmd.exe) wrote to memory of 2668, procid_target 104
  - PID 5108 (cmd.exe) wrote to memory of 2668, procid_target 104
  - PID 5108 (cmd.exe) wrote to memory of 2080, procid_target 105
  - PID 5108 (cmd.exe) wrote to memory of 2080, procid_target 105
  - PID 5108 (cmd.exe) wrote to memory of 3124, procid_target 106
  - PID 5108 (cmd.exe) wrote to memory of 3124, procid_target 106
  - PID 5108 (cmd.exe) wrote to memory of 4272, procid_target 107
  - PID 5108 (cmd.exe) wrote to memory of 4272, procid_target 107
  - PID 5108 (cmd.exe) wrote to memory of 2400, procid_target 112
  - PID 5108 (cmd.exe) wrote to memory of 2400, procid_target 112
  - PID 5108 (cmd.exe) wrote to memory of 4916, procid_target 113
  - PID 5108 (cmd.exe) wrote to memory of 4916, procid_target 113
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; indentation shows the parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\444c97f6db0626069965d9e4ddb4bf315326954c51b123b3dc7d64084e7fb646.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\444c97f6db0626069965d9e4ddb4bf315326954c51b123b3dc7d64084e7fb646.exe"
  PID: 4800
  Signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "$77-cmd" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$77-cmd\Client.exe" /rl HIGHEST /f
    PID: 1780
    Signatures: Scheduled Task/Job: Scheduled Task
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$77-cmd\UACBypass1.bat" "
    PID: 1908
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe
      Command line: reg add "HKCU\Software\Classes\ms-settings\shell\open\command" /ve /d "C:\Users\Admin\AppData\Roaming\$77-cmd\Client.exe" /f
      PID: 64
      Signatures: Modifies registry class
    - C:\Windows\system32\reg.exe
      Command line: reg add "HKCU\Software\Classes\ms-settings\shell\open\command" /v "DelegateExecute" /f
      PID: 2904
      Signatures: Modifies registry class
    - C:\Windows\system32\fodhelper.exe
      Command line: fodhelper.exe
      PID: 3952
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\$77-cmd\Client.exe
        Command line: "C:\Users\Admin\AppData\Roaming\$77-cmd\Client.exe"
        PID: 972
        Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - C:\Windows\SYSTEM32\schtasks.exe
          Command line: "schtasks" /create /tn "$77-cmd" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$77-cmd\Client.exe" /rl HIGHEST /f
          PID: 536
          Signatures: Scheduled Task/Job: Scheduled Task
    - C:\Windows\system32\timeout.exe
      Command line: timeout /t 2 /nobreak
      PID: 4700
      Signatures: Delays execution with timeout.exe
    - C:\Windows\system32\reg.exe
      Command line: reg delete "HKCU\Software\Classes\ms-settings\shell\open\command" /f
      PID: 656
      Signatures: Modifies registry class
    - C:\Windows\system32\cmd.exe
      Command line: cmd /c del "C:\Users\Admin\AppData\Roaming\$77-cmd\UACBypass1.bat"
      PID: 1180
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$77-cmd\UACBypass2.bat" "
    PID: 5108
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe
      Command line: reg delete "HKCU\Software\Classes\ms-settings\shell\open\command" /f
      PID: 452
    - C:\Windows\system32\reg.exe
      Command line: reg add "HKCU\Software\Classes\ms-settings\shell\open\command" /ve /d "C:\Users\Admin\AppData\Roaming\$77-cmd\Install.exe" /f
      PID: 2668
      Signatures: Modifies registry class
    - C:\Windows\system32\reg.exe
      Command line: reg add "HKCU\Software\Classes\ms-settings\shell\open\command" /v "DelegateExecute" /f
      PID: 2080
      Signatures: Modifies registry class
    - C:\Windows\system32\fodhelper.exe
      Command line: fodhelper.exe
      PID: 3124
    - C:\Windows\system32\timeout.exe
      Command line: timeout /t 2 /nobreak
      PID: 4272
      Signatures: Delays execution with timeout.exe
    - C:\Windows\system32\reg.exe
      Command line: reg delete "HKCU\Software\Classes\ms-settings\shell\open\command" /f
      PID: 2400
      Signatures: Modifies registry class
    - C:\Windows\system32\cmd.exe
      Command line: cmd /c del "C:\Users\Admin\AppData\Roaming\$77-cmd\UACBypass2.bat"
      PID: 4916
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$77-cmd\Melt.bat" "
    PID: 2312
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe
      Command line: timeout /t 5 /nobreak
      PID: 1944
      Signatures: Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads