Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    13s
  • max time network
    15s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/01/2025, 16:19

General

  • Target

    wefudoneset.exe

  • Size

    3.1MB

  • MD5

    06838ba1d6af1ff162f4bf79e8f7e451

  • SHA1

    1cf5196a0436fed50538a2bfef6cb14e1f8e30ed

  • SHA256

    22e0e3319b3a845ef2c6f8a5efdcb3612ba9561fcdf5c70b8e95cc26d959ff50

  • SHA512

    e87ca2bf97c7d4d1a4e0857d75a40bd30e009fafdbcd70a905f1818994afd3694abc6680f89c127b8d7a965dd12420d097ac1371da575cfe0872f303a1735c68

  • SSDEEP

    49152:8d9yr29T0PwfnBP6RTgxLul5XHpTTHHB72eh2NT:8dC29TffnB1xLw

Malware Config

Extracted

Family

quasar

Version

1.0

Botnet

1321

C2

127.0.0.1:7000

Mutex

b8169f21-b1ab-4cdd-89e8-040d5b4d2b12

Attributes
  • encryption_key

    14277F7D27CB958C695738C76EE5FBECE431CF60

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Microsoft

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe
    "C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3748
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Olr7w6Nlpaiw.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:548
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:3952
        • C:\Windows\system32\PING.EXE
          ping -n 10 localhost
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1412
        • C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe
          "C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe"
          3⤵
          • Checks computer location settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2936
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hEC6gOhGCXAt.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2528
            • C:\Windows\system32\chcp.com
              chcp 65001
              5⤵
                PID:1512
              • C:\Windows\system32\PING.EXE
                ping -n 10 localhost
                5⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2940

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wefudoneset.exe.log

        Filesize

        1KB

        MD5

        baf55b95da4a601229647f25dad12878

        SHA1

        abc16954ebfd213733c4493fc1910164d825cac8

        SHA256

        ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

        SHA512

        24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

      • C:\Users\Admin\AppData\Local\Temp\Olr7w6Nlpaiw.bat

        Filesize

        208B

        MD5

        cfdcb91cdb5462cd3231237176cbd657

        SHA1

        d2710c848e6ca756f9ca283cb164d14d02a9336b

        SHA256

        50483ef65787ba026951317b7c69db2a9bcac13862a3f8dda94018c4301e146f

        SHA512

        ca52777782d947f4c626250ff3d32e24710c6f2e70376a4244c169f5cd2bacd1101304b612488d554b6d75e5fd8b566c60f7a40f5ed9d1960cb26b5dc3f9c810

      • C:\Users\Admin\AppData\Local\Temp\hEC6gOhGCXAt.bat

        Filesize

        208B

        MD5

        30f31f44c0d76b555d0be7c7f2251982

        SHA1

        e7043c72d2d2ae0dd47de2fa9b1a1d706cf9f0d5

        SHA256

        accc4cf0bfdedfdbd4731921e32f28875bd6720796b2dcace9443c602985fb9f

        SHA512

        4aaf4606a0b358a5e0195430daebc805e1a552a7272942301693452af4e4194e875cad463d3c564c0ec2be88ef36f9744260773a342f9d26c56c38490fc4f54f

      • memory/2936-10-0x00007FF873670000-0x00007FF874131000-memory.dmp

        Filesize

        10.8MB

      • memory/2936-11-0x00007FF873670000-0x00007FF874131000-memory.dmp

        Filesize

        10.8MB

      • memory/2936-15-0x00007FF873670000-0x00007FF874131000-memory.dmp

        Filesize

        10.8MB

      • memory/3748-0-0x00007FF8739D3000-0x00007FF8739D5000-memory.dmp

        Filesize

        8KB

      • memory/3748-1-0x0000000000B10000-0x0000000000E34000-memory.dmp

        Filesize

        3.1MB

      • memory/3748-2-0x00007FF8739D0000-0x00007FF874491000-memory.dmp

        Filesize

        10.8MB

      • memory/3748-7-0x00007FF8739D0000-0x00007FF874491000-memory.dmp

        Filesize

        10.8MB