Analysis
Max time kernel: 13s
Max time network: 15s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 18/01/2025, 16:19
Behavioral task: behavioral1
Sample: wefudoneset.exe
Resource: win10v2004-20241007-en
General
Target: wefudoneset.exe
Size: 3.1MB
MD5: 06838ba1d6af1ff162f4bf79e8f7e451
SHA1: 1cf5196a0436fed50538a2bfef6cb14e1f8e30ed
SHA256: 22e0e3319b3a845ef2c6f8a5efdcb3612ba9561fcdf5c70b8e95cc26d959ff50
SHA512: e87ca2bf97c7d4d1a4e0857d75a40bd30e009fafdbcd70a905f1818994afd3694abc6680f89c127b8d7a965dd12420d097ac1371da575cfe0872f303a1735c68
SSDEEP: 49152:8d9yr29T0PwfnBP6RTgxLul5XHpTTHHB72eh2NT:8dC29TffnB1xLw
Malware Config
Extracted
Family: quasar
Version: 1.0
Botnet: 1321
C2: 127.0.0.1:7000
Mutex: b8169f21-b1ab-4cdd-89e8-040d5b4d2b12
encryption_key: 14277F7D27CB958C695738C76EE5FBECE431CF60
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Microsoft
subdirectory: SubDir
Note: the configured C2 is the loopback address, so this build cannot beacon to a remote server as configured; that matches the empty Network section below. The install_name, subdirectory and startup_key values are the artefacts to hunt for on disk and in the Run key if the client has been allowed to install.
Signatures
- Quasar family
- Quasar payload (1 IoC)
  resource: behavioral1/memory/3748-1-0x0000000000B10000-0x0000000000E34000-memory.dmp
  yara_rule: family_quasar
  (The region is 0x324000 bytes, about 3.1MB, i.e. the sample's own mapped image rather than an unpacked child.)
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation by wefudoneset.exe (two queries, one per instance)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid 1412 PING.EXE, pid 2940 PING.EXE
  (Caveat: both pings target localhost with -n 10, so here ping is a sleep inside the batch file, not a connectivity check; treat the ATT&CK mapping accordingly.)
- Runs ping.exe (1 TTP, 2 IoCs)
  pid 1412 PING.EXE, pid 2940 PING.EXE
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 3748 wefudoneset.exe (x2), pid 2936 wefudoneset.exe (x2)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 3748 wefudoneset.exe
  Token: SeDebugPrivilege, pid 2936 wefudoneset.exe
- Suspicious use of WriteProcessMemory (14 IoCs; each edge is recorded twice)
  pid   process          wrote to memory of  procid_target
  3748  wefudoneset.exe  548                 83
  548   cmd.exe          3952                85
  548   cmd.exe          1412                86
  548   cmd.exe          2936                89
  2936  wefudoneset.exe  2528                90
  2528  cmd.exe          1512                92
  2528  cmd.exe          2940                93
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe (PID 3748)
  command line: "C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\cmd.exe (PID 548)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Olr7w6Nlpaiw.bat" "
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\chcp.com (PID 3952)
      command line: chcp 65001
    - [3] C:\Windows\system32\PING.EXE (PID 1412)
      command line: ping -n 10 localhost
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
    - [3] C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe (PID 2936)
      command line: "C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe"
      - Checks computer location settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\cmd.exe (PID 2528)
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hEC6gOhGCXAt.bat" "
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\chcp.com (PID 1512)
          command line: chcp 65001
        - [5] C:\Windows\system32\PING.EXE (PID 2940)
          command line: ping -n 10 localhost
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
Reading the tree: each instance of the sample runs a random-named .bat from %TEMP% through cmd.exe; the batch switches the console to code page 65001, sleeps with ping -n 10 localhost and then starts the same executable again (PID 2936 is the child of the first batch). The second batch had only reached chcp and ping when the 13s kernel window ended, so no third instance is recorded. The relaunch-through-batch chain is the behavioural handle to detect here; the sample never leaves the loopback address.
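The relaunch chain above can be turned into a detection. The script below is an added example written for this page, not tria.ge code and not part of the sample; it rebuilds a process tree from process-creation records (the shape a Sysmon Event ID 1 feed would give you) and flags any cmd.exe that runs a .bat out of a Temp directory whose children are a ping-to-localhost sleep plus either chcp 65001 or a relaunch of the binary that spawned the batch. The input events are constructed from the PIDs, images and command lines in this report; the parent PID 1000 for the first instance and the benign check.bat (PIDs 4100/4101) are assumptions added to show a non-match.

```python
"""Flag the cmd.exe -> chcp / ping localhost / relaunch chain from the process tree above.

Hypothetical detector (not tria.ge code). Consumes (pid, ppid, image, cmdline)
records, rebuilds the parent/child tree and reports every cmd.exe that runs a
%TEMP% .bat whose children are a 'ping -n N localhost' sleep plus either
'chcp 65001' or a relaunch of the grandparent's image.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    children: list["Proc"] = field(default_factory=list)


# Constructed input: PIDs, images and command lines taken from the report.
# Assumed: parent PID 1000 (e.g. explorer.exe) for the first instance, and a
# benign batch (PIDs 4100/4101) that pings localhost but must not be flagged.
EVENTS = [
    (3748, 1000, r"C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe"'),
    (548, 3748, r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Olr7w6Nlpaiw.bat" "'),
    (3952, 548, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    (1412, 548, r"C:\Windows\system32\PING.EXE", "ping -n 10 localhost"),
    (2936, 548, r"C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe"'),
    (2528, 2936, r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hEC6gOhGCXAt.bat" "'),
    (1512, 2528, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    (2940, 2528, r"C:\Windows\system32\PING.EXE", "ping -n 10 localhost"),
    (4100, 1000, r"C:\Windows\system32\cmd.exe",
     r'cmd.exe /c "C:\Users\Admin\tools\check.bat"'),
    (4101, 4100, r"C:\Windows\system32\PING.EXE", "ping -n 2 localhost"),
]

BAT_RE = re.compile(r'cmd(?:\.exe)?\s+/c\s+"*([^"]+\.bat)"', re.IGNORECASE)
PING_RE = re.compile(r"^ping\s+-n\s+(\d+)\s+(?:localhost|127\.0\.0\.1)\s*$", re.IGNORECASE)
CHCP_RE = re.compile(r"^chcp\s+65001\s*$", re.IGNORECASE)
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def build_tree(events) -> dict[int, Proc]:
    """Index processes by PID and attach each one to its parent (if the parent is known)."""
    procs = {pid: Proc(pid, ppid, image, cmd) for pid, ppid, image, cmd in events}
    for p in procs.values():
        parent = procs.get(p.ppid)
        if parent is not None:
            parent.children.append(p)
    return procs


def find_relaunch_batches(events) -> list[dict]:
    """One finding per cmd.exe that runs a Temp .bat showing the sleep/relaunch pattern."""
    procs = build_tree(events)
    findings = []
    for p in procs.values():
        if not p.image.lower().endswith("cmd.exe"):
            continue
        m = BAT_RE.search(p.cmdline)
        parent = procs.get(p.ppid)
        if m is None or parent is None:
            continue
        bat = m.group(1)
        delay = next((int(s.group(1)) for s in map(lambda c: PING_RE.match(c.cmdline), p.children) if s), None)
        has_chcp = any(CHCP_RE.match(c.cmdline) for c in p.children)
        # Relaunch = a child of the batch whose image equals the image that spawned cmd.exe.
        relaunch = next((c for c in p.children if c.image.lower() == parent.image.lower()), None)
        # Require the ping sleep, a Temp-resident batch, and chcp 65001 or a relaunch;
        # a batch that only pings localhost (the check.bat case) is not reported.
        if delay is None or not TEMP_RE.search(bat) or not (has_chcp or relaunch):
            continue
        findings.append({
            "cmd_pid": p.pid,
            "launcher_pid": parent.pid,
            "batch": bat,
            "ping_delay": delay,
            "chcp_65001": has_chcp,
            "relaunch_pid": relaunch.pid if relaunch else None,
        })
    return sorted(findings, key=lambda f: f["cmd_pid"])


if __name__ == "__main__":
    for finding in find_relaunch_batches(EVENTS):
        print(finding)
```

On the report's events this yields two findings: PID 548 (batch Olr7w6Nlpaiw.bat, relaunch as PID 2936) and PID 2528 (batch hEC6gOhGCXAt.bat, no relaunch recorded), while the benign check.bat is ignored. The relaunch check is keyed on the grandparent's image path rather than on a fixed file name, so it still fires after the client has installed itself under the configured install_name.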
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: baf55b95da4a601229647f25dad12878
  SHA1: abc16954ebfd213733c4493fc1910164d825cac8
  SHA256: ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
  SHA512: 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
- Filesize: 208B
  MD5: cfdcb91cdb5462cd3231237176cbd657
  SHA1: d2710c848e6ca756f9ca283cb164d14d02a9336b
  SHA256: 50483ef65787ba026951317b7c69db2a9bcac13862a3f8dda94018c4301e146f
  SHA512: ca52777782d947f4c626250ff3d32e24710c6f2e70376a4244c169f5cd2bacd1101304b612488d554b6d75e5fd8b566c60f7a40f5ed9d1960cb26b5dc3f9c810
- Filesize: 208B
  MD5: 30f31f44c0d76b555d0be7c7f2251982
  SHA1: e7043c72d2d2ae0dd47de2fa9b1a1d706cf9f0d5
  SHA256: accc4cf0bfdedfdbd4731921e32f28875bd6720796b2dcace9443c602985fb9f
  SHA512: 4aaf4606a0b358a5e0195430daebc805e1a552a7272942301693452af4e4194e875cad463d3c564c0ec2be88ef36f9744260773a342f9d26c56c38490fc4f54f