Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
276s -
max time network
281s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
22/08/2023, 10:15
General
-
Target
MMLo7.Rat.rar
-
Size
5.7MB
-
MD5
4747547f047d47bd37bc0d1b65625694
-
SHA1
827e3f9ca857ed95ef8185c80e5fa85fdffa28e4
-
SHA256
091833fb986ac8a78a9a33ae7852d2b02d510348bdcb915d4e2e51a6de27f64a
-
SHA512
3336de360626d125c4777d626a0790c69faf209c642d99d085cd72f92b9e5ba93aca9f9c92d81cb1e3b2ee21f6ff12cf9c6fe6ecbe9554ad846fa1cd74874241
-
SSDEEP
98304:HtkSjvhd8cMOBhzp1svAJFF5N7nicdRaDzmLW/nJHksov7iUsPIUDjvEQnQLligi:HtBjJd8vazEQFPN7tAeaBLNUsPIUvMUL
Malware Config
Extracted
xworm
-
install_file
USB.exe
Extracted
quasar
-
reconnect_delay
5000
Extracted
quasar
1.3.3.7
Office04
127.0.0.1:305
QSR_MUTEX_2Q0xuNOWuzstz1nIHm
-
encryption_key
yXJmgz868tgJWmotirHr
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 6 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Executes dropped EXE 7 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 55 IoCs
-
Suspicious behavior: EnumeratesProcesses 39 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
-
Suspicious use of FindShellTrayWindow 34 IoCs
-
Suspicious use of SendNotifyMessage 32 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\MMLo7.Rat.rar1⤵
- Modifies registry class
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\MMLo7.Rat\" -spe -an -ai#7zMap15819:98:7zEvent154281⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\MMLo7.Rat\MMLo7 Rat.exe"C:\Users\Admin\AppData\Local\Temp\MMLo7.Rat\MMLo7 Rat.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\MMLo7.Rat\Software.exe"C:\Users\Admin\AppData\Local\Temp\MMLo7.Rat\Software.exe"2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\conhost.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\conhost.exe"C:\Users\Admin\AppData\Local\Temp\conhost.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "conhost" /tr "C:\ProgramData\conhost.exe"3⤵
- Creates scheduled task(s)
-
-
-
C:\ProgramData\conhost.exeC:\ProgramData\conhost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\MMLo7-Trojan.exe"C:\Users\Admin\Desktop\MMLo7-Trojan.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\conhost.exeC:\ProgramData\conhost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\notepad.exe"C:\Windows\system32\notepad.exe"1⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD54b08ce9062f3be1e89b4ad335e4b9fca
SHA1cf9dfe7d29227b52a1e54a1a119e2172fa5f6a0f
SHA2567ca9588bcfc058c3ae22caec75367fb4aae066d59b3411fd845b98e138d44dff
SHA5128d093eb5b996332522fbc379ab2811c98e084060d9797b2c156f402f82e5889fd2783abd74e8635801a6659b88bc8ff67231fa7ec24a7a85bdb78f2a15c31aab
-
Filesize
64KB
MD54b08ce9062f3be1e89b4ad335e4b9fca
SHA1cf9dfe7d29227b52a1e54a1a119e2172fa5f6a0f
SHA2567ca9588bcfc058c3ae22caec75367fb4aae066d59b3411fd845b98e138d44dff
SHA5128d093eb5b996332522fbc379ab2811c98e084060d9797b2c156f402f82e5889fd2783abd74e8635801a6659b88bc8ff67231fa7ec24a7a85bdb78f2a15c31aab
-
Filesize
64KB
MD54b08ce9062f3be1e89b4ad335e4b9fca
SHA1cf9dfe7d29227b52a1e54a1a119e2172fa5f6a0f
SHA2567ca9588bcfc058c3ae22caec75367fb4aae066d59b3411fd845b98e138d44dff
SHA5128d093eb5b996332522fbc379ab2811c98e084060d9797b2c156f402f82e5889fd2783abd74e8635801a6659b88bc8ff67231fa7ec24a7a85bdb78f2a15c31aab
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
4.3MB
MD5068b4f05eb35479a419bc55da643781e
SHA11d0fe6bb23bbd63dc6d4248f7c17afcf4bc16dea
SHA256477ebd61ce116c6908a1cd1e50bc93869f6f7b9c3e0e5757551e6dd2a01b4648
SHA512f9022c7d91364519f5b773fd641741637f89a4f4f8eb1406d1c594e0a286724cea7494fb047e810bbed0579b6870db49a6828b1c79808e4554d762f326a87dcc
-
Filesize
2.8MB
MD52dc24c81438806bd03b492b9a3f3c55c
SHA11b62f6d53570d7cd3c8d04e6ea7e349b5de5cc89
SHA2563edd74d68dd78681ed9eae3973ee2fb878c60e6e24dfa313ea2b4547008b1149
SHA512f03ef03ffd926c35a6c88be065a8b6174af323a9fc633fc8d0c1ee55bf8b2eb5ef824d9c9feda21104dd10ff7f0d8d0660e9d4ba0cd8a932dd5d8e342f023ce1
-
Filesize
2.8MB
MD52dc24c81438806bd03b492b9a3f3c55c
SHA11b62f6d53570d7cd3c8d04e6ea7e349b5de5cc89
SHA2563edd74d68dd78681ed9eae3973ee2fb878c60e6e24dfa313ea2b4547008b1149
SHA512f03ef03ffd926c35a6c88be065a8b6174af323a9fc633fc8d0c1ee55bf8b2eb5ef824d9c9feda21104dd10ff7f0d8d0660e9d4ba0cd8a932dd5d8e342f023ce1
-
Filesize
161B
MD5c16b0746faa39818049fe38709a82c62
SHA13fa322fe6ed724b1bc4fd52795428a36b7b8c131
SHA256d61bde901e7189cc97d45a1d4c4aa39d4c4de2b68419773ec774338506d659ad
SHA512cbcba899a067f8dc32cfcbd1779a6982d25955de91e1e02cee8eaf684a01b0dee3642c2a954903720ff6086de5a082147209868c03665c89f814c6219be2df7c
-
Filesize
277KB
MD58df4d6b5dc1629fcefcdc20210a88eac
SHA116c661757ad90eb84228aa3487db11a2eac6fe64
SHA2563e4288b32006fe8499b43a7f605bb7337931847a0aa79a33217a1d6d1a6c397e
SHA512874b4987865588efb806a283b0e785fd24e8b1562026edd43050e150bce6c883134f3c8ad0f8c107b0fb1b26fce6ddcc7e344a5f55c3788dac35035b13d15174
-
Filesize
40KB
MD5bf929442b12d4b5f9906b29834bf7db1
SHA1810a2b3c8e548d1df931538bc304cc1405f7a32b
SHA256b33435ac7cdefcf7c2adf96738c762a95414eb7a4967ef6b88dcda14d58bfee0
SHA5129fcfaf48bfe5455a466e666bafa59a7348a736368daa892333cefa0cac22bcef3255f9cee24a70ed96011b73abea8e5d3dbf24876cffa81e0b532df41dd81828
-
Filesize
1016B
MD5804a72ca0e8d431d67ec1f1920d839cd
SHA12f3d22973e147a049ac87817d26ec13dcc959a2c
SHA256ebe8b86d9c5e1865a4d8ae9c7781a04a56e865bd5e5ffd114211191bae161497
SHA51207c5974f18be4769e9af00d2d5378c5a389be0b8ec4649b0dbd24b84643ab5aa322d0a68417e301795a49bc3dfef767668f6d8fc48178f521e99c51221393213
-
Filesize
5.0MB
MD5a03565cf42ca83d7494117d7e3cc82e4
SHA17a4bc05fe549484bd831c8f0397d7c1a0fe288c2
SHA256c8406d3bcc1ecf408d6f66991a711fb8bddd7ca48a5a3cb4144d7ba20e3754cf
SHA5123084c9df0e9e81746b67435e2f5653e5cc49f176df209112fc9b8de5340bd68fe6ed39a2cfd7fc50f2d4a7b33834c4530cf77754903f1036a6fdd9af5624fa3a
-
Filesize
5.0MB
MD5a03565cf42ca83d7494117d7e3cc82e4
SHA17a4bc05fe549484bd831c8f0397d7c1a0fe288c2
SHA256c8406d3bcc1ecf408d6f66991a711fb8bddd7ca48a5a3cb4144d7ba20e3754cf
SHA5123084c9df0e9e81746b67435e2f5653e5cc49f176df209112fc9b8de5340bd68fe6ed39a2cfd7fc50f2d4a7b33834c4530cf77754903f1036a6fdd9af5624fa3a
-
Filesize
5.0MB
MD5a03565cf42ca83d7494117d7e3cc82e4
SHA17a4bc05fe549484bd831c8f0397d7c1a0fe288c2
SHA256c8406d3bcc1ecf408d6f66991a711fb8bddd7ca48a5a3cb4144d7ba20e3754cf
SHA5123084c9df0e9e81746b67435e2f5653e5cc49f176df209112fc9b8de5340bd68fe6ed39a2cfd7fc50f2d4a7b33834c4530cf77754903f1036a6fdd9af5624fa3a
-
Filesize
76KB
MD564e9cb25aeefeeba3bb579fb1a5559bc
SHA1e719f80fcbd952609475f3d4a42aa578b2034624
SHA25634cab594ce9c9af8e12a6923fc16468f5b87e168777db4be2f04db883c1db993
SHA512b21cd93f010b345b09b771d24b2e5eeed3b73a82fc16badafea7f0324e39477b0d7033623923313d2de5513cb778428ae10161ae7fc0d6b00e446f8d89cf0f8c
-
Filesize
286KB
MD5c81a9adf64819041ac1435fab28004e3
SHA1a126d54caabbdd6456ac1ddd57a4ead629f4f287
SHA2565a1c7a22a6fbe36701b53b49a134ad37ab6194030753824a1bef260862902ac8
SHA5123ec5bc46bd46a06271905614adde9e60dd30d2315eb700d36852c6d2e1207a6218d007a7eb9ef2f0134eae53b1a04305be61e314e0ca426e132e8660e0bdcf58
-
Filesize
426B
MD508eaf0a087c3a7d35c1c0e50dd304cbd
SHA1e6f8463ad17ae7ef4b28b33ad6d6742791bfa628
SHA256f638d7332e5b55ac336f8f6f2692a3db9df3b51f95771720d923f4db439e3fdb
SHA512ccc6b132eebe3536671bff04fc6d7664abdfe5dd8022fa64bf6a678927791f39b55b7d890f210570378b16fb59dd219e216a979f7da2fec0b3814b05da95cd2c
-
Filesize
427B
MD5fc02b03164bba49b505046234efa9e8d
SHA126aaa4dc2e2f090ad574487cbf69c17e40898c52
SHA25625d3fd8a749be829ba0db17bbc9538fda71b9ac0f049d4355167783a63bb100e
SHA512d8c1d83ca46770b833daaef346e84ab23d98d4b342301fd4d67aac7eabf10cf2756319d09c076a985731296fefb8f85c22aa2ac7e2c0c941b124a94413c122fd
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
64KB
MD54b08ce9062f3be1e89b4ad335e4b9fca
SHA1cf9dfe7d29227b52a1e54a1a119e2172fa5f6a0f
SHA2567ca9588bcfc058c3ae22caec75367fb4aae066d59b3411fd845b98e138d44dff
SHA5128d093eb5b996332522fbc379ab2811c98e084060d9797b2c156f402f82e5889fd2783abd74e8635801a6659b88bc8ff67231fa7ec24a7a85bdb78f2a15c31aab
-
Filesize
64KB
MD54b08ce9062f3be1e89b4ad335e4b9fca
SHA1cf9dfe7d29227b52a1e54a1a119e2172fa5f6a0f
SHA2567ca9588bcfc058c3ae22caec75367fb4aae066d59b3411fd845b98e138d44dff
SHA5128d093eb5b996332522fbc379ab2811c98e084060d9797b2c156f402f82e5889fd2783abd74e8635801a6659b88bc8ff67231fa7ec24a7a85bdb78f2a15c31aab
-
Filesize
64KB
MD54b08ce9062f3be1e89b4ad335e4b9fca
SHA1cf9dfe7d29227b52a1e54a1a119e2172fa5f6a0f
SHA2567ca9588bcfc058c3ae22caec75367fb4aae066d59b3411fd845b98e138d44dff
SHA5128d093eb5b996332522fbc379ab2811c98e084060d9797b2c156f402f82e5889fd2783abd74e8635801a6659b88bc8ff67231fa7ec24a7a85bdb78f2a15c31aab
-
Filesize
405KB
MD5d210d7aaeec5222740bce8da9a1ba195
SHA168219d51fbbaf26bf6ba5aa4598e4cf08f5ac702
SHA2567281b274d848f116141307f1b15c3c29eff71ef653508e1fa27f402925b77229
SHA512d27253dfff897bb7bed214c1a6749ea49c58fb847bfde84deb129babdf3f72ac187b191719ffbcd5aa93d2eb8eefbf697bd29667265af7edd67090142548e968
-
Filesize
405KB
MD5d210d7aaeec5222740bce8da9a1ba195
SHA168219d51fbbaf26bf6ba5aa4598e4cf08f5ac702
SHA2567281b274d848f116141307f1b15c3c29eff71ef653508e1fa27f402925b77229
SHA512d27253dfff897bb7bed214c1a6749ea49c58fb847bfde84deb129babdf3f72ac187b191719ffbcd5aa93d2eb8eefbf697bd29667265af7edd67090142548e968
-
Filesize
405KB
MD5d210d7aaeec5222740bce8da9a1ba195
SHA168219d51fbbaf26bf6ba5aa4598e4cf08f5ac702
SHA2567281b274d848f116141307f1b15c3c29eff71ef653508e1fa27f402925b77229
SHA512d27253dfff897bb7bed214c1a6749ea49c58fb847bfde84deb129babdf3f72ac187b191719ffbcd5aa93d2eb8eefbf697bd29667265af7edd67090142548e968
-
Filesize
405KB
MD5d210d7aaeec5222740bce8da9a1ba195
SHA168219d51fbbaf26bf6ba5aa4598e4cf08f5ac702
SHA2567281b274d848f116141307f1b15c3c29eff71ef653508e1fa27f402925b77229
SHA512d27253dfff897bb7bed214c1a6749ea49c58fb847bfde84deb129babdf3f72ac187b191719ffbcd5aa93d2eb8eefbf697bd29667265af7edd67090142548e968
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
4.3MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
104KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
5.0MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
5.6MB
-
Filesize
432KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
120KB
-
Filesize
7.7MB
-
Filesize
216KB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
56KB
-
Filesize
600KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
104KB
-
Filesize
64KB
-
Filesize
6.5MB
-
Filesize
64KB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
2.8MB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
624KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
7.7MB