Analysis
- max time kernel: 147s
- max time network: 152s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 03/11/2021, 19:54
- Static task: static1
- Behavioral task: behavioral1
- Sample: 9860743c4ff83784de05aa8444594aed.exe
- Resource: win7-en-20210920
General
- Target: 9860743c4ff83784de05aa8444594aed.exe
- Size: 14KB
- MD5: 9860743c4ff83784de05aa8444594aed
- SHA1: 517ab424f9f6ee8de223e396691f1cb3b2d01a09
- SHA256: 70da41b661dc8de4e8cd1bde0f17f434433115bffad2fb762205b734acd4ed35
- SHA512: cae8c9f056f7556d30e170caca7b4146baf00eaa32b6d2fac8659d2547d97e1461ee8cce0b123db02d5497faf9e12057d5daa530b4b8e722d73c66e769064b88
Malware Config
Extracted
- family: quasar
- version: 1.4.0
- helper
- 41.79.11.214:61032
- 307d89ac-968f-48de-a3b3-0c81d2cf4d4a
- encryption_key: 0D0F7891BD61AE0C503175723ADA783C9973F3B8
- install_name: DllHelper.exe
- log_directory: Logs
- reconnect_delay: 5000
- startup_key: DllHelper
- subdirectory: DllHelper
Signatures
- Quasar Payload (4 IoCs)
  resource | yara_rule
  behavioral2/files/0x00020000000155f8-116.dat | family_quasar
  behavioral2/files/0x00020000000155f8-117.dat | family_quasar
  behavioral2/files/0x00020000000155fa-123.dat | family_quasar
  behavioral2/files/0x00020000000155fa-124.dat | family_quasar
- suricata: ET MALWARE Observed Malicious SSL Cert (Quasar CnC)
- suricata: ET MALWARE Observed Malicious SSL Cert (Quasar CnC)
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  pid | Process
  3916 | jmwigosg.exe
  4244 | DllHelper.exe
- Drops startup file (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wmic.exe | 9860743c4ff83784de05aa8444594aed.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wmic.exe | 9860743c4ff83784de05aa8444594aed.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  23 | api.ipify.org
  24 | api.ipify.org
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  4044 | schtasks.exe
  420 | schtasks.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3916 | jmwigosg.exe
  Token: SeDebugPrivilege | 4244 | DllHelper.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  4244 | DllHelper.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 3672 wrote to memory of 3916 | 3672 | 9860743c4ff83784de05aa8444594aed.exe | 70
  PID 3672 wrote to memory of 3916 | 3672 | 9860743c4ff83784de05aa8444594aed.exe | 70
  PID 3916 wrote to memory of 4044 | 3916 | jmwigosg.exe | 72
  PID 3916 wrote to memory of 4044 | 3916 | jmwigosg.exe | 72
  PID 3916 wrote to memory of 4244 | 3916 | jmwigosg.exe | 73
  PID 3916 wrote to memory of 4244 | 3916 | jmwigosg.exe | 73
  PID 4244 wrote to memory of 420 | 4244 | DllHelper.exe | 74
  PID 4244 wrote to memory of 420 | 4244 | DllHelper.exe | 74
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\9860743c4ff83784de05aa8444594aed.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\9860743c4ff83784de05aa8444594aed.exe"
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID: 3672
  - [2] C:\Users\Admin\AppData\Local\Temp\jmwigosg.exe
    command line: C:\Users\Admin\AppData\Local\Temp\jmwigosg.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3916
    - [3] C:\Windows\SYSTEM32\schtasks.exe
      command line: "schtasks" /create /tn "DllHelper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\jmwigosg.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
      PID: 4044
    - [3] C:\Users\Admin\AppData\Roaming\DllHelper\DllHelper.exe
      command line: "C:\Users\Admin\AppData\Roaming\DllHelper\DllHelper.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 4244
      - [4] C:\Windows\SYSTEM32\schtasks.exe
        command line: "schtasks" /create /tn "DllHelper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\DllHelper\DllHelper.exe" /rl HIGHEST /f
        - Creates scheduled task(s)
        PID: 420