Resubmissions

26/01/2025, 04:48

250126-fff8nssmbz 3

26/01/2025, 04:44

250126-fdcgpsslez 10

Analysis

  • max time kernel
    108s
  • max time network
    111s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    26/01/2025, 04:44

General

  • Target

    PrudaTweak.zip

  • Size

    10.6MB

  • MD5

    c83d23532d6dd591ffc0d6fd75597dd7

  • SHA1

    06b3ad285f681700d5f9d43fed6a45e18368f7e8

  • SHA256

    67edbefe621aabd00b18f98816b872a87abeb3334e24f535732d02915aa82058

  • SHA512

    a0f49ce993f803200f493dbacc1bd9cb615fab63878ad80d00b77155cce2e48f9dcb706c4e3d2009ef47d7aedd9253da26a9ace83689718accf1dfdf3998f88b

  • SSDEEP

    196608:7saahvSji7LYOSIlr3vTPzz3Uh33HUxxqM3PBOfo6cakJrdfLjPQbUINfkotWep:7z0SjkL/lT7jUhUxMM3PB5JrVAbVyotL

Malware Config

Extracted

  • Family
    quasar
  • Version
    1.4.1
  • Botnet
    PrudaBackend
  • C2
    45.131.108.110:4782
  • Mutex
    8f8e6059-ac4f-4e47-8d62-3ce070083ecf

Attributes
  • encryption_key
    D82EC4913FC5B28DDFF5AC48635D190A9342C6BD
  • install_name
    update.exe
  • log_directory
    Logs
  • reconnect_delay
    2500
  • startup_key
    Runtime Broker.exe

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

  • Drops file in System32 directory 3 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\PrudaTweak.zip"
    1⤵
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1812
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO4175F6E8\ReadMe.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:5112
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:424
  • C:\Users\Admin\Desktop\PrudaTweak\!PrudaTweak.exe
    "C:\Users\Admin\Desktop\PrudaTweak\!PrudaTweak.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3544
    • C:\Users\Admin\Desktop\PrudaTweak\crashpad_handler.exe
      C:\Users\Admin\Desktop\PrudaTweak\crashpad_handler.exe --no-rate-limit --database=C:\Users\Admin\Desktop\PrudaTweak\cache --metrics-dir=C:\Users\Admin\Desktop\PrudaTweak\cache --url=https://sentry.pruda.de:443/api/2/minidump/?sentry_client=sentry.native/0.7.16&sentry_key=ae11f7dd565c2b26983cff3e1a33de87 --attachment=C:\Users\Admin\Desktop\PrudaTweak\cache\8da2b3e0-5d2c-42f0-c510-0b1da3459a95.run\__sentry-event --attachment=C:\Users\Admin\Desktop\PrudaTweak\cache\8da2b3e0-5d2c-42f0-c510-0b1da3459a95.run\__sentry-breadcrumb1 --attachment=C:\Users\Admin\Desktop\PrudaTweak\cache\8da2b3e0-5d2c-42f0-c510-0b1da3459a95.run\__sentry-breadcrumb2 --initial-client-data=0x5c0,0x5c8,0x5cc,0x5bc,0x5d0,0x7ffe815b3b70,0x7ffe815b3b88,0x7ffe815b3ba0
      2⤵
      • Executes dropped EXE
      PID:3296
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3432
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -Command "Set-MpPreference -DisableBlockAtFirstSeen $true"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2408
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -Command "Set-MpPreference -DisableIOAVProtection $true"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4148
    • C:\Users\Admin\AppData\Local\Temp\Spotify.exe
      "C:\Users\Admin\AppData\Local\Temp\Spotify.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3272
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Runtime Broker.exe" /sc ONLOGON /tr "C:\Windows\system32\update.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:5044
      • C:\Windows\system32\update.exe
        "C:\Windows\system32\update.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:928
        • C:\Windows\system32\schtasks.exe
          "schtasks" /create /tn "Runtime Broker.exe" /sc ONLOGON /tr "C:\Windows\system32\update.exe" /rl HIGHEST /f
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2396

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      627073ee3ca9676911bee35548eff2b8

      SHA1

      4c4b68c65e2cab9864b51167d710aa29ebdcff2e

      SHA256

      85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

      SHA512

      3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      8cb7f4b4ab204cacd1af6b29c2a2042c

      SHA1

      244540c38e33eac05826d54282a0bfa60340d6a1

      SHA256

      4994013dabe4f131d401879278eee147add6349124ea6452358dca7e2344c7a6

      SHA512

      7651cb6863a425840db610253151e271d3e8da26a8c633ce484247266fa226792ecb84b9578df3ab17fef84a5dfcad417b63a7df59c9650a907e08d59b91dd6e

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      d0a4a3b9a52b8fe3b019f6cd0ef3dad6

      SHA1

      fed70ce7834c3b97edbd078eccda1e5effa527cd

      SHA256

      21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

      SHA512

      1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

    • C:\Users\Admin\AppData\Local\Temp\7zE4173E8E8\PrudaTweak\cache\4ad14509-b7df-46ad-9762-2eb94b7bb35b.run\__sentry-event

      Filesize

      305B

      MD5

      4d3bf9c62481386d99e2a5a0828341d2

      SHA1

      f359b6c105b8b1ece4569075a5781eecf61ecd21

      SHA256

      7407a8986ef45d2c6d7438d5d2d2664ab4089d23b6a02dc786987b375a07833a

      SHA512

      cf250facbff061775678b7be429763a6ca818587824e622341f986acd9e4e8f81dd82e49fb5d75759c5b186c327f7f89854c54f204dc6eb1af5eef5201537993

    • C:\Users\Admin\AppData\Local\Temp\7zO4175F6E8\ReadMe.txt

      Filesize

      54B

      MD5

      499de9d9188c430a05577a37ca55eb25

      SHA1

      38e94adbe669972e47ce5c8f9f7c1856b736325e

      SHA256

      4097e09dc2992caddd40ed08a80f6bd96ee15c9077cc1f81e82062b755341df0

      SHA512

      8926b484501ce4dd77d89960535e2bd1520f319a655efaecd565f18baedc4d80aa7f53c3b0429b4afcc540d713a6d2f317accfebab6be7d23a37d05aa0fcd6ab

    • C:\Users\Admin\AppData\Local\Temp\Spotify.exe

      Filesize

      3.1MB

      MD5

      c965446805dc5c40e1bffe859716bea7

      SHA1

      7d6b257f8f830f512552bd11b36bb1fc88a1e966

      SHA256

      874dc85b74f8ee6a116d38453078905ee487949425e97a42de9b258dd6b8bbf5

      SHA512

      157b7d59cb94d83dceba138207f1d335df6f9da90c510cbad8e0b252173be05679352de83d2aef2e3ae3d7de58f7253f93422b44680d2cb63e6c3640fd68233b

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l3gq3xlf.ypx.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\Desktop\PrudaTweak\!PrudaTweak.exe

      Filesize

      135KB

      MD5

      b919c1037e70d3db56f5a5ddb67d9e86

      SHA1

      e96772ca1fe8e044c3a03b46a9535c67c063bec0

      SHA256

      86c4260b065071bb0e89c3b6ea67a1065a63dd23cf03ad4e27cdcbeaf9748398

      SHA512

      502a5252a1ae87f93e272689da3fd206538ffde5e01aa281b3ee3905c273af79cfe9aa3759e675197f7ff6c166f898307789263429cdf34b7402b07a99511b04

    • C:\Users\Admin\Desktop\PrudaTweak\Sentry.dll

      Filesize

      547KB

      MD5

      f634f84cf9f0244b3c62b04b21c69bbf

      SHA1

      e0a09946aad5cf6d402b617fc1679b139ddcb79f

      SHA256

      1e28984f8e08bcf2c902b9621a3b9646c695f12cd5b059b820bdbd735f706651

      SHA512

      50a15ef80f5ec00169a214cc8b26c8a5a81209760c48a6108d16b0ccc2a63fa8f0a22f3d8db235a74abfc4db65fc3e4a4eb8b46e06342c183c2c1f5b52b42fb3

    • C:\Users\Admin\Desktop\PrudaTweak\application.deps.json

      Filesize

      2KB

      MD5

      81dba0ada628b279fdd419ae8b6cdb51

      SHA1

      856a511842dca4955c6b99f2154ac71c1d3053cb

      SHA256

      38c88f3aec2b0cbc7136020ec13eba93225e96cdca13d2f6941398900a905178

      SHA512

      2545810e4d8f96ee3e54608a7ffc0e3fa33f8bbdfd7ca781d63fad287a965ec6765bbb61cac25d6c9ee8f8e8670b5736b4b9671d0aed677f21615186a59ac87f

    • C:\Users\Admin\Desktop\PrudaTweak\application.dll

      Filesize

      122KB

      MD5

      69c33683d8a85555a7d6c46ae03f5a9b

      SHA1

      52d0dbf8509944a14de7a1628e87868a13323828

      SHA256

      fa79404124b3bee4aa13cb36f0fbbb886daf68f083ad4f59e1825645ce1b2194

      SHA512

      e67c988c46d8c69293d6aa6f78fac724933769bf9c810e254883543fd60fa32210d01b0733f2d886126c2c905889b3b8e2cde7bdc59f60c1e0862405d8081997

    • C:\Users\Admin\Desktop\PrudaTweak\application.runtimeconfig.json

      Filesize

      515B

      MD5

      e0f6f18f9b152bc2d8c710b0214805d6

      SHA1

      ae3d39e59fd6edc05792a76cdf4f02a637f52e29

      SHA256

      89ad1ea5c9c20b6b266547ef27c0ae3840cab5642d3c2aedf06b7026245671dd

      SHA512

      80a6a9ff925bd1ba6f57fa1f7dd40de962001af97f8c2477d0b502728e23b6f412c74134e33efb36ccfeb08bbbeb678beb7e2e52fad24a763967eba8cf09b29e

    • C:\Users\Admin\Desktop\PrudaTweak\cache\4ad14509-b7df-46ad-9762-2eb94b7bb35b.run\session.json

      Filesize

      205B

      MD5

      a9a8c0495255b0d780a48beeff331553

      SHA1

      73d7a0d2e5a607f2cb8f4b3e05c9303dafa577fe

      SHA256

      3a3b4b38fcdaa295a36a57636ec96cd84afa40a32fdd5a1b39720b56cbbd4064

      SHA512

      e98e09d71b8f00783d0a1d5bc3967345c0f4671b5dd68781bee34e2cddad59790649aa8649724aac1393f0e8569ab714b494fefe4a13e27fdc3c3dcc462a253b

    • C:\Users\Admin\Desktop\PrudaTweak\cache\8b8eaff1-9501-4d58-3a5e-90f8a6f28619.run\session.json

      Filesize

      205B

      MD5

      06df072958cdbd820f13b70130c8f8a0

      SHA1

      94c378762ff9a19a503160bd05814a8fc3ef5cd9

      SHA256

      98902d8d2f18e29169cb60d5ba46974b79d841dcd0d0c243f47d7c6d663a9254

      SHA512

      6212959e85dbc965de7406f2a596bdb1746efead9bec35fb861f57c75e33de6c3006c6798cc09583335e1705c3771ec45621a4c84f059803823cbca8fed924a5

    • C:\Users\Admin\Desktop\PrudaTweak\cache\settings.dat

      Filesize

      40B

      MD5

      f0695e361eda3407c992d4042c98bd96

      SHA1

      4750f5d01ec5434f4852e06f1a0d6867c8eaa700

      SHA256

      31bc96d2a96b589e9d3fbae934e22112f847415081e54ff60cf21d2c7a0f3797

      SHA512

      19058ec366abad9414c26ad0acc5a22a870ca4e75aa8f60626a41e3bb8814a27be5d1b37e80b5f4e608b1c9fe991584d2430dba3ebb090b75a12cb63953cdecb

    • C:\Users\Admin\Desktop\PrudaTweak\core.dll

      Filesize

      7.8MB

      MD5

      2812dc85be549cb7ac9f2af2fd33bf23

      SHA1

      397162303b15457cd883c20da2a51c08fd47414b

      SHA256

      c0c06a8ad06ca18771acb39d53eeb4222606d817c0fd51b31f58f9bb11c08610

      SHA512

      0720cd21fb2f52f7b64785f1083ef8ca9a2cc0e1bfc7ae3226145a02e21befd001e4b98aaed04f2535c9d4f3c6d7f11d814f2a154836a0a78f81277b5650381c

    • C:\Users\Admin\Desktop\PrudaTweak\crashpad_handler.exe

      Filesize

      2.3MB

      MD5

      3334755210b904abcb67d187770e8cbf

      SHA1

      27d22593374bb6611ff54562b18422ef515cf8b3

      SHA256

      c3f4c395b7ab3caa33dfc30a05a1e0ffba81d05ecbdc6eb9f2c901421e31c8ff

      SHA512

      9d8a3eadd27733dae3025542c4ac46eb3fe6923770c41b178f96f99751cb8809b3965ea1b2fd1585be5af3803e3046f47337d3fb2aa6130fd51b018549775c52

    • C:\Users\Admin\Desktop\PrudaTweak\libcrypto-3-x64.dll

      Filesize

      4.5MB

      MD5

      5a6752a89ddc99da064d5f7ddad70888

      SHA1

      c0aeefaa763c50ed4403f9d881d75aa1304ae81d

      SHA256

      523708e61d7509314047baf84d8d23a2c9dea59fa962ac58eec85c01c9877408

      SHA512

      4df9556a06c883c5e4dc8b37acc5be54f62cc471d482c19af54d52f160e00be98ce07bf54650cea881f9ddcf65f4c53b7f6e91aba178f64c3bff5201154b914f

    • C:\Users\Admin\Desktop\PrudaTweak\libssl-3-x64.dll

      Filesize

      879KB

      MD5

      4a8dde272f6015afe307853acd2b21e1

      SHA1

      7b5c07d101e4aab1ad246f4cd1c55e497b02ee8b

      SHA256

      befc04fbac884fd3bbe09131efa7f6dd6713a732e31f839e6145680a41827e0f

      SHA512

      ff45450f195d8440fb99fbb6bcffbf1c08201c4a9b146a703bc2474d31adfbb98444657acf4d9c0be73072dba8353026d26f3dbd4b53d044099fc4c84b2c9329

    • C:\Users\Admin\Desktop\PrudaTweak\runtimeconfig.json

      Filesize

      170B

      MD5

      351f746426eecd5f6dab7a8549706845

      SHA1

      25fa3a53604551783aaab0f7a47936c9b1368653

      SHA256

      8dc2877edafe9f042088b9ba55b5193177dc4569b36bfbd0f9141e4489fc6e94

      SHA512

      ce310761a102e7f0a17ddd4c07f668e746c304a7c6ea7b02e94eea3e129eff5ac49384da9cd5ee046ba150f4759afe3834b16f8a5111f037c288c464735496bd

    • memory/928-117-0x0000000002620000-0x0000000002670000-memory.dmp

      Filesize

      320KB

    • memory/928-122-0x000000001BD50000-0x000000001BD8C000-memory.dmp

      Filesize

      240KB

    • memory/928-121-0x000000001B0C0000-0x000000001B0D2000-memory.dmp

      Filesize

      72KB

    • memory/928-118-0x000000001BDD0000-0x000000001BE82000-memory.dmp

      Filesize

      712KB

    • memory/3272-110-0x00000000000A0000-0x00000000003C4000-memory.dmp

      Filesize

      3.1MB

    • memory/3432-74-0x0000027EFEFB0000-0x0000027EFEFD2000-memory.dmp

      Filesize

      136KB

    • memory/3544-56-0x00007FFEA71F0000-0x00007FFEA71F2000-memory.dmp

      Filesize

      8KB

    • memory/3544-57-0x00007FFE814D0000-0x00007FFE82322000-memory.dmp

      Filesize

      14.3MB