Analysis
This page is the behavioral1 task of the report (Windows 7 x64 image); a parallel behavioral2 task ran the same sample on Windows 10.

max time kernel: 146s
max time network: 150s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 25/05/2023, 01:56

Tasks
static1 (static task)
behavioral1 (behavioral task): 5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe on win7-20230220-en
behavioral2 (behavioral task): 5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe on win10v2004-20230220-en
General
Target: 5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe
Size: 4.4MB
MD5: e862112b0a3781dcf75eaf11b8b6ea7d
SHA1: 725b9a18c2c6cdd616ad10d6f9e977753c7eb0e4
SHA256: 5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135
SHA512: 6a5ebf286858e2a814fedf81fae111bd4468eaafe19ecc2a7eadf2d441b9584bab4ee4a3c5f83415d5cc31bbe11f7888e6dbe2a0a8a006affaefe463de3f535f
SSDEEP: 98304:+4uKDZOjVXFcG7BEcyZeW+gP/i6jepIA90sK6LovYr5K49ZQ:+4uKDeFT7BEcyZpDP/RERXKsog5BHQ
Malware Config
Extracted: quasar

version: 1.4.1
tag: Office04
c2: microsoftbackup.duckdns.org:47600
mutex: b97303a2-a8f5-4170-91c1-56adceee5081
encryption_key: A31E078A7CC45D3676D5AE3FB460C3E365219397
install_name: Client.exe
log_directory: Log
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir

The tag, install name, subdirectory and startup key are the Quasar builder's defaults; the operator-specific values are the C2 (a DuckDNS dynamic-DNS host on port 47600), the mutex and the encryption key. Note that the Run key actually written in the sandbox (serviceupdate, pointing at C:\Users\Admin\AppData\Local\Microsoft\serviceupdate.exe, see Signatures) is not this config's startup_key/install_name: it is written by the outer loader process, not by the Quasar client's own install routine.
Signatures

Quasar payload (5 IoCs)
resource                                                                      yara_rule
behavioral1/memory/1792-77-0x0000000000400000-0x0000000000724000-memory.dmp   family_quasar
behavioral1/memory/1792-78-0x0000000000400000-0x0000000000724000-memory.dmp   family_quasar
behavioral1/memory/1792-80-0x0000000000400000-0x0000000000724000-memory.dmp   family_quasar
behavioral1/memory/1792-82-0x0000000000400000-0x0000000000724000-memory.dmp   family_quasar
behavioral1/memory/1792-84-0x0000000000400000-0x0000000000724000-memory.dmp   family_quasar
All five hits are successive dumps of the same 0x400000-0x724000 image region of PID 1792 (aspnet_compiler.exe), i.e. the Quasar client injected into that process (see SetThreadContext and WriteProcessMemory below).

Adds Run key to start application (2 TTPs, 1 IoC)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\serviceupdate = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\serviceupdate.exe\""
(unescaped value: "C:\Users\Admin\AppData\Local\Microsoft\serviceupdate.exe")
process: 5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe

Suspicious use of SetThreadContext (1 IoC)
description: PID 2044 set thread context of 1792
pid / process: 2044 5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe
procid_target: 38

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Gathers network information (2 TTPs, 2 IoCs)
Uses commandline utility to view network configuration.
pid    process
1368   ipconfig.exe
1944   ipconfig.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid    process
1772   powershell.exe
1604   powershell.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description               pid    process
Token: SeDebugPrivilege   2044   5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe
Token: SeDebugPrivilege   1772   powershell.exe
Token: SeDebugPrivilege   1604   powershell.exe
Token: SeDebugPrivilege   1792   aspnet_compiler.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid    process
1792   aspnet_compiler.exe

Suspicious use of WriteProcessMemory (37 IoCs)
The 37 events collapse to eight parent-to-child pairs (procid_target is the target's index in the report's process list, not its PID):
description                         pid    process                                                                   procid_target   count
PID 2044 wrote to memory of 1736    2044   5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe    27              4
PID 1736 wrote to memory of 1368    1736   cmd.exe                                                                   29              4
PID 2044 wrote to memory of 1772    2044   5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe    30              4
PID 2044 wrote to memory of 2028    2044   5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe    32              4
PID 2028 wrote to memory of 1604    2028   cmd.exe                                                                   34              4
PID 2044 wrote to memory of 1788    2044   5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe    35              4
PID 1788 wrote to memory of 1944    1788   cmd.exe                                                                   37              4
PID 2044 wrote to memory of 1792    2044   5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe    38              9
The four-event groups accompany ordinary child-process creation and are seen for every cmd.exe, ipconfig.exe and powershell.exe spawn; the nine writes into PID 1792, followed by the SetThreadContext call above, are the payload injection into aspnet_compiler.exe.
Processes

Image paths are reported under SysWOW64 while the command lines say System32: the sample is 32-bit (arch:x86) and WOW64 file-system redirection maps one to the other. The -ENC arguments are base64 over UTF-16LE; their decoded forms are given inline.

[1] C:\Users\Admin\AppData\Local\Temp\5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe"
    PID 2044
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c ipconfig /release
        PID 1736
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\ipconfig.exe
            command line: ipconfig /release
            PID 1368
            - Gathers network information

    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwAyAA==
        decoded: start-sleep -seconds 32
        PID 1772
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        PID 2028
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            command line: powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
            decoded: set-mppreference -exclusionpath C:\
            PID 1604
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c ipconfig /renew
        PID 1788
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\ipconfig.exe
            command line: ipconfig /renew
            PID 1944
            - Gathers network information

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        PID 1792
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

Sequence: the loader releases the DHCP lease (ipconfig /release), sleeps 32 seconds in PowerShell, excludes the entire C:\ drive from Windows Defender scanning (Set-MpPreference -ExclusionPath C:\), renews the lease (ipconfig /renew), then starts the stock .NET binary aspnet_compiler.exe with no arguments and overwrites it with the Quasar client (the SetThreadContext and WriteProcessMemory events under Signatures; the family_quasar YARA hits are all on PID 1792's memory).
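The two -ENC blobs in the tree are base64 over UTF-16LE, which is why they are studded with "A" characters (the zero high byte of each ASCII character). The following Python is an added example, not tria.ge's or Quasar's code: it decodes the blobs and re-derives this report's findings (Defender exclusion, sandbox delay, ipconfig release/renew, bare aspnet_compiler.exe launch) from process-creation events reconstructed by hand from the tree above. EVENTS is constructed data; the DEV_PARENTS allow-list and the finding names are assumptions.

```python
"""Decode the -ENC PowerShell blobs and re-derive the findings from the
process tree above.  Added example, not tria.ge or Quasar code.  EVENTS is
reconstructed by hand from the report (constructed data): pid, ppid, image,
command line."""
import base64
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe")
CMD = r"C:\Windows\SysWOW64\cmd.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
IPCONFIG = r"C:\Windows\SysWOW64\ipconfig.exe"
ASPNET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

# The two encoded commands exactly as they appear in the report.
ENC_SLEEP = "cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwAyAA=="
ENC_EXCL = ("cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4A"
            "cABhAHQAaAAgAEMAOgBcAA==")

EVENTS = [
    (2044, None, SAMPLE, '"' + SAMPLE + '"'),
    (1736, 2044, CMD, r'"C:\Windows\System32\cmd.exe" /c ipconfig /release'),
    (1368, 1736, IPCONFIG, "ipconfig /release"),
    (1772, 2044, PS, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC ' + ENC_SLEEP),
    (2028, 2044, CMD, r'"C:\Windows\System32\cmd.exe" /c powershell -ENC ' + ENC_EXCL),
    (1604, 2028, PS, "powershell -ENC " + ENC_EXCL),
    (1788, 2044, CMD, r'"C:\Windows\System32\cmd.exe" /c ipconfig /renew'),
    (1944, 1788, IPCONFIG, "ipconfig /renew"),
    (1792, 2044, ASPNET, ASPNET),
]

# Parents under which a bare aspnet_compiler.exe launch is plausible (assumption).
DEV_PARENTS = {"devenv.exe", "msbuild.exe", "vbcscompiler.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Plaintext of a PowerShell -EncodedCommand argument, or None.

    powershell.exe accepts any unambiguous prefix of the switch (-e, -ec,
    -enc, ...); the value is base64 over UTF-16LE.  Malformed base64 yields
    None rather than an exception so the caller can keep scanning a log.
    """
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        f = flag.lower()
        if len(f) > 1 and f[0] == "-" and "encodedcommand".startswith(f[1:]):
            try:
                raw = base64.b64decode(value, validate=True)
            except ValueError:  # binascii.Error is a ValueError
                return None
            return raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    return None


def triage(events):
    """Return (pid, finding) pairs mirroring the report's signature hits."""
    images = {pid: image for pid, _, image, _ in events}
    findings = []
    for pid, ppid, image, cmdline in events:
        base = basename(image)
        if base == "powershell.exe":
            decoded = (decode_encoded_command(cmdline) or "").lower()
            if "set-mppreference" in decoded and "-exclusionpath" in decoded:
                findings.append((pid, "defender_exclusion"))
            if "start-sleep" in decoded:
                findings.append((pid, "sandbox_delay"))
        if base == "ipconfig.exe" and re.search(r"/(release|renew)\b", cmdline, re.I):
            findings.append((pid, "network_reset"))
        # aspnet_compiler.exe normally runs with arguments under a build tool;
        # a bare launch from anything else is the process-hollowing target.
        args = cmdline.replace(image, "").replace('"', "").strip()
        parent = basename(images.get(ppid, ""))
        if base == "aspnet_compiler.exe" and not args and parent not in DEV_PARENTS:
            findings.append((pid, "hollowing_target"))
    return findings


def root_of(pid, events):
    """Walk ppid links to the top of the tree so findings cluster per intrusion."""
    parents = {p: pp for p, pp, _, _ in events}
    while parents.get(pid) is not None:
        pid = parents[pid]
    return pid


if __name__ == "__main__":
    for pid, _, _, cl in EVENTS:
        plain = decode_encoded_command(cl)
        if plain:
            print(f"{pid}: {plain}")
    for pid, tag in triage(EVENTS):
        print(f"{pid} -> {tag} (root {root_of(pid, EVENTS)})")
```

Run as a script it prints the two decoded commands and the five findings, all of which roll up to PID 2044. The decoder is keyed on the image name rather than on the string "powershell" in the command line, so the cmd.exe wrapper (PID 2028) is not double-counted; the root_of walk is what lets a pipeline attribute every hit to the original loader.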
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DZ36KH2USTDZQ9A14UYI.temp
Filesize: 7KB
MD5: a50eed864c8df86ee93d2962297c6985
SHA1: e6adf5e563209c7682428ee8e4fce29044375144
SHA256: 6c7d3e60da1bf4fbd2063869b08b561565a62e1a468d4472e716d2eee299b09e
SHA512: 6e5bca5fc24d7372c4304815fe7dfd5434b80c1900a9de56b4846877d34a5f4f3ede2aa100246a158af410c4abf1f69470a8cfd1dd0ec97eff8756538e303bac

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: a50eed864c8df86ee93d2962297c6985
SHA1: e6adf5e563209c7682428ee8e4fce29044375144
SHA256: 6c7d3e60da1bf4fbd2063869b08b561565a62e1a468d4472e716d2eee299b09e
SHA512: 6e5bca5fc24d7372c4304815fe7dfd5434b80c1900a9de56b4846877d34a5f4f3ede2aa100246a158af410c4abf1f69470a8cfd1dd0ec97eff8756538e303bac

Both entries carry identical hashes: they are one Windows jump-list (CustomDestinations) record written by the shell when the sample was launched, not a dropped payload. The persisted binary named in the Run key (serviceupdate.exe) does not appear among the captured files.