Analysis

  • max time kernel
    127s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/01/2025, 02:09

General

  • Target

    444c97f6db0626069965d9e4ddb4bf315326954c51b123b3dc7d64084e7fb646.exe

  • Size

    3.1MB

  • MD5

    6d6c9c719e2f757442374af378c343a7

  • SHA1

    a58a2aa6dae2dbdf64472614985cac2adce4eddb

  • SHA256

    444c97f6db0626069965d9e4ddb4bf315326954c51b123b3dc7d64084e7fb646

  • SHA512

    a3ef795e64b1d43ca300da97abc7d211e5987064c1c7cafa7a1dadcd1cb35902fb230f5b8e9a008ced4bc1d33573403bad2d99a4ccca9b6b749355110eb10210

  • SSDEEP

    49152:HwElUPhZwv68DkG17WlqTz5oqM/p7vGJfAHdkTHHB72eh2NT:HwYUPhZwv68DkG17WlqTzeqM/p6t

Malware Config

Extracted
  • Family

    quasar

  • Version

    1.4.2

  • Botnet

    Office04

  • C2

    193.31.28.181:4004

  • Mutex

    704ccf6d-01bf-4037-a807-12a60509b1a4

Attributes
  • encryption_key

    379B83B5AFE5908E0BC4583EBB5A83D7B76D2E00

  • install_name

    Client.exe

  • log_directory

    $77-Logs

  • reconnect_delay

    3000

  • startup_key

    $77-cmd

  • subdirectory

    $77-cmd

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 3 IoCs
  • Modifies registry class 13 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\444c97f6db0626069965d9e4ddb4bf315326954c51b123b3dc7d64084e7fb646.exe
    "C:\Users\Admin\AppData\Local\Temp\444c97f6db0626069965d9e4ddb4bf315326954c51b123b3dc7d64084e7fb646.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4800
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "$77-cmd" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$77-cmd\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1780
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$77-cmd\UACBypass1.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1908
      • C:\Windows\system32\reg.exe
        reg add "HKCU\Software\Classes\ms-settings\shell\open\command" /ve /d "C:\Users\Admin\AppData\Roaming\$77-cmd\Client.exe" /f
        3⤵
        • Modifies registry class
        PID:64
      • C:\Windows\system32\reg.exe
        reg add "HKCU\Software\Classes\ms-settings\shell\open\command" /v "DelegateExecute" /f
        3⤵
        • Modifies registry class
        PID:2904
      • C:\Windows\system32\fodhelper.exe
        fodhelper.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3952
        • C:\Users\Admin\AppData\Roaming\$77-cmd\Client.exe
          "C:\Users\Admin\AppData\Roaming\$77-cmd\Client.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:972
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "$77-cmd" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$77-cmd\Client.exe" /rl HIGHEST /f
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:536
      • C:\Windows\system32\timeout.exe
        timeout /t 2 /nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:4700
      • C:\Windows\system32\reg.exe
        reg delete "HKCU\Software\Classes\ms-settings\shell\open\command" /f
        3⤵
        • Modifies registry class
        PID:656
      • C:\Windows\system32\cmd.exe
        cmd /c del "C:\Users\Admin\AppData\Roaming\$77-cmd\UACBypass1.bat"
        3⤵
        PID:1180
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$77-cmd\UACBypass2.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5108
      • C:\Windows\system32\reg.exe
        reg delete "HKCU\Software\Classes\ms-settings\shell\open\command" /f
        3⤵
        PID:452
      • C:\Windows\system32\reg.exe
        reg add "HKCU\Software\Classes\ms-settings\shell\open\command" /ve /d "C:\Users\Admin\AppData\Roaming\$77-cmd\Install.exe" /f
        3⤵
        • Modifies registry class
        PID:2668
      • C:\Windows\system32\reg.exe
        reg add "HKCU\Software\Classes\ms-settings\shell\open\command" /v "DelegateExecute" /f
        3⤵
        • Modifies registry class
        PID:2080
      • C:\Windows\system32\fodhelper.exe
        fodhelper.exe
        3⤵
        PID:3124
      • C:\Windows\system32\timeout.exe
        timeout /t 2 /nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:4272
      • C:\Windows\system32\reg.exe
        reg delete "HKCU\Software\Classes\ms-settings\shell\open\command" /f
        3⤵
        • Modifies registry class
        PID:2400
      • C:\Windows\system32\cmd.exe
        cmd /c del "C:\Users\Admin\AppData\Roaming\$77-cmd\UACBypass2.bat"
        3⤵
        PID:4916
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$77-cmd\Melt.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2312
      • C:\Windows\system32\timeout.exe
        timeout /t 5 /nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:1944

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\$77-cmd\Client.exe

    Filesize

    3.1MB

    MD5

    6d6c9c719e2f757442374af378c343a7

    SHA1

    a58a2aa6dae2dbdf64472614985cac2adce4eddb

    SHA256

    444c97f6db0626069965d9e4ddb4bf315326954c51b123b3dc7d64084e7fb646

    SHA512

    a3ef795e64b1d43ca300da97abc7d211e5987064c1c7cafa7a1dadcd1cb35902fb230f5b8e9a008ced4bc1d33573403bad2d99a4ccca9b6b749355110eb10210

  • C:\Users\Admin\AppData\Roaming\$77-cmd\Melt.bat

    Filesize

    150B

    MD5

    df4ccbfe651e64d2625a58a5c81b5b08

    SHA1

    2b4c2c4446be348afc1931ade524b976c5ceefef

    SHA256

    a19396498d80d88258f478911745776ae34a6eca78d5f3544495a0c9748e9915

    SHA512

    d5784acb157e992e13d8a8f58cae140732f9d80f0718353d739b154a6ed8e2f5644a956e2db18672f651ca71d562f303ec2dec24b68a3de4df9fe6d05c232b97

  • C:\Users\Admin\AppData\Roaming\$77-cmd\UACBypass1.bat

    Filesize

    368B

    MD5

    2c3953fd265ea1d97e348ff0a6daa80a

    SHA1

    f794d9fc87e3011b1b134b45a20a5a3b7762497c

    SHA256

    5b580991ef331e03c600f18fcdcae08763ee887c4ffa4d714244fa19dc762082

    SHA512

    7b442c0934db9aca25cbc2d5b6d84f762905837f60120bc083b83d4858e6c24dec5633db5dff89825435f67f2fde9c1de5bf05ec21c6e6851c3e2ec0e853dad0

  • C:\Users\Admin\AppData\Roaming\$77-cmd\UACBypass2.bat

    Filesize

    401B

    MD5

    8702552763fe86626d3cb6c766578cc8

    SHA1

    53f2b99da6b2e1edc557fd999801b8e768699da0

    SHA256

    e199e4c1f8ce95a86356655c6863bbdc0c4266bee73c872e97398419672ed626

    SHA512

    355063c41d254ad0675c36f535b84d4bf1c6d716dc785bcdd668edb53d76454d3b372bacfe0c382a38be2b813eb463545deed47bf724c3d6d4fd52aa129b79e3

  • memory/972-11-0x000000001BDA0000-0x000000001BDF0000-memory.dmp

    Filesize

    320KB

  • memory/972-12-0x000000001BEB0000-0x000000001BF62000-memory.dmp

    Filesize

    712KB

  • memory/4800-0-0x00007FF955033000-0x00007FF955035000-memory.dmp

    Filesize

    8KB

  • memory/4800-1-0x0000000000330000-0x0000000000654000-memory.dmp

    Filesize

    3.1MB

  • memory/4800-2-0x00007FF955030000-0x00007FF955AF1000-memory.dmp

    Filesize

    10.8MB

  • memory/4800-20-0x00007FF955030000-0x00007FF955AF1000-memory.dmp

    Filesize

    10.8MB