Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    130s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/01/2025, 04:57

General

  • Target

    cfd7fa8f2578198fa2aab263ae3087774a557a065f3e36c0a05be900a062b221.exe

  • Size

    331KB

  • MD5

    25e4b3153f2e61b139aaa9df1b2f8b12

  • SHA1

    23c38b69b037670cafd48cf285cf88f41c7c854c

  • SHA256

    cfd7fa8f2578198fa2aab263ae3087774a557a065f3e36c0a05be900a062b221

  • SHA512

    b0c7090f25d63e7277e25d396db6636135a72c863f98bf24b23ab16ed547c593cf4ed19c6ebd969395cee205741ca7d5f9dffbe3ed770cbad016f33cb2f9d46e

  • SSDEEP

    6144:FQAEfkGPHFi1zron6+s78g8mTXJgQ8EZbST8FQeLg5tIk:6/Fi1zro6+swHOEx8FQeLSq

Malware Config

Signatures

  • Contains code to disable Windows Defender 2 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 9 IoCs
  • Modifies security service 2 TTPs 4 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • UAC bypass 3 TTPs 6 IoCs
  • Windows security bypass 2 TTPs 2 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies Security services 2 TTPs 16 IoCs

    Modifies the startup behavior of a security service.

  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • System policy modification 1 TTPs 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\cfd7fa8f2578198fa2aab263ae3087774a557a065f3e36c0a05be900a062b221.exe
    "C:\Users\Admin\AppData\Local\Temp\cfd7fa8f2578198fa2aab263ae3087774a557a065f3e36c0a05be900a062b221.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Modifies security service
    • UAC bypass
    • Windows security bypass
    • Windows security modification
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Modifies Security services
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:628
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "\Microsoft\Windows\System\Pev64\Files\PocTelemetryAgentLogOfse" /SC MINUTE /MO 3 /RL HIGHEST /tr "C:\Users\Admin\AppData\Local\Temp\cfd7fa8f2578198fa2aab263ae3087774a557a065f3e36c0a05be900a062b221.exe" /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:888
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /delete /tn "PocTelemetryAgentLogOfse" /f
      2⤵
        PID:4572
      • C:\Windows\SYSTEM32\vssadmin.exe
        "vssadmin" delete shadows /all /quiet
        2⤵
        • Interacts with shadow copies
        PID:2476
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3900
      • C:\Users\Admin\AppData\Roaming\PLogfsete\Pnsys.exe
        "C:\Users\Admin\AppData\Roaming\PLogfsete\Pnsys.exe"
        2⤵
        • Modifies Windows Defender Real-time Protection settings
        • Modifies security service
        • UAC bypass
        • Windows security bypass
        • Executes dropped EXE
        • Windows security modification
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Modifies Security services
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:5088
        • C:\Windows\SYSTEM32\schtasks.exe
          "schtasks" /create /tn "\Microsoft\Windows\System\Pev64\Files\PocTelemetryAgentLogOfse" /SC MINUTE /MO 3 /RL HIGHEST /tr "C:\Users\Admin\AppData\Roaming\PLogfsete\Pnsys.exe" /f
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2428
        • C:\Windows\SYSTEM32\schtasks.exe
          "schtasks" /delete /tn "PocTelemetryAgentLogOfse" /f
          3⤵
            PID:212
          • C:\Windows\SYSTEM32\vssadmin.exe
            "vssadmin" delete shadows /all /quiet
            3⤵
            • Interacts with shadow copies
            PID:3292
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" Get-MpPreference -verbose
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1588
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3088
      • C:\Users\Admin\AppData\Roaming\PLogfsete\Pnsys.exe
        C:\Users\Admin\AppData\Roaming\PLogfsete\Pnsys.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3292

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        2KB

        MD5

        d85ba6ff808d9e5444a4b369f5bc2730

        SHA1

        31aa9d96590fff6981b315e0b391b575e4c0804a

        SHA256

        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

        SHA512

        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        731e9e4becec0b1ef9caad4b3562d4b4

        SHA1

        6dffb77aba4e92ad5bd4b7c02fdee6f328bcd457

        SHA256

        71c7eca538938fa4d5b470fee41cfe43734e9beb9ae409d5b41111fa1a15c2d5

        SHA512

        841cf559ae5b0feec4be43018717641399b3602a553112e98b07d498f1a44169924466abc7e2313b8e8cf1c0fdc1bb7635e2818aab8269b0ef349a0ba0cd6ae5

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hh3w1ywk.pm5.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Roaming\PLogfsete\Pnsys.exe

        Filesize

        331KB

        MD5

        25e4b3153f2e61b139aaa9df1b2f8b12

        SHA1

        23c38b69b037670cafd48cf285cf88f41c7c854c

        SHA256

        cfd7fa8f2578198fa2aab263ae3087774a557a065f3e36c0a05be900a062b221

        SHA512

        b0c7090f25d63e7277e25d396db6636135a72c863f98bf24b23ab16ed547c593cf4ed19c6ebd969395cee205741ca7d5f9dffbe3ed770cbad016f33cb2f9d46e

      • C:\Users\Admin\AppData\Roaming\PLogfsete\settings.xml

        Filesize

        76B

        MD5

        71330e621c034f659ccfe4dd0cf6ab9f

        SHA1

        dab22af92eb3dc9d220ae9421631f817ca8b6bbc

        SHA256

        b85d6e085df587885fb7351f4897346807d86484e12f68459a9c61b9b5005432

        SHA512

        ade04e246e004fe46665286d5d89978b082605a551e849daf4fa358056a9b5163b67b8b9d78c16c8368922516639c1072b80f1d80eb1eb2e52d25fe9c2e8ecd4

      • memory/628-0-0x00007FFEF0D73000-0x00007FFEF0D75000-memory.dmp

        Filesize

        8KB

      • memory/628-1-0x0000000000450000-0x00000000004AA000-memory.dmp

        Filesize

        360KB

      • memory/628-2-0x00007FFEF0D70000-0x00007FFEF1831000-memory.dmp

        Filesize

        10.8MB

      • memory/628-4-0x000000001B120000-0x000000001B132000-memory.dmp

        Filesize

        72KB

      • memory/628-5-0x000000001BF20000-0x000000001BF5C000-memory.dmp

        Filesize

        240KB

      • memory/628-25-0x00007FFEF0D70000-0x00007FFEF1831000-memory.dmp

        Filesize

        10.8MB

      • memory/3900-16-0x000002037C0B0000-0x000002037C0D2000-memory.dmp

        Filesize

        136KB