Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

aad9903b98...b7.exe

windows7-x64

10

aad9903b98...b7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/03/2024, 03:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aad9903b9803b9a3e2d6c7677d8eb80f537a3543e26725c48dde5e4c53d518b7.exe

  • Size

    1.0MB

  • MD5

    e51e1e4a21fef3fd98784683d80b5a02

  • SHA1

    309790387ec94c189ef94803a87fab335159657a

  • SHA256

    aad9903b9803b9a3e2d6c7677d8eb80f537a3543e26725c48dde5e4c53d518b7

  • SHA512

    329922a8229f6e07f549e8919b4f6e1d60bf7d153b30487c8dde0116d8b31745f88d3f7bf20616d2a88276e8d2c24859e73440a03d4d2ecc08cd207678d84265

  • SSDEEP

    24576:A1QNv9uN9fFNd6AtvbGN/BCfKEPmxKVnRNWg:A1WluN9fZvbGyKFxg

Score
10/10
quasarpvp2spywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

PVP2

C2

clausetestbits.chickenkiller.com:64598

snoetestbits.ignorelist.com:64598
Mutex

QSR_MUTEX_ttz0i8tcYpqYyKkP3l

Attributes
  • encryption_key

    kxBjTYBAXsyGYsjsYZcL

  • install_name

    mcr.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    mcs

  • subdirectory

    mcr

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • Detects Windows executables referencing non-Windows User-Agents 1 IoCs
  • Detects executables containing common artifacts observed in infostealers 1 IoCs
  • Detects executables packed with ConfuserEx Mod 6 IoCs
  • Executes dropped EXE 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aad9903b9803b9a3e2d6c7677d8eb80f537a3543e26725c48dde5e4c53d518b7.exe
    "C:\Users\Admin\AppData\Local\Temp\aad9903b9803b9a3e2d6c7677d8eb80f537a3543e26725c48dde5e4c53d518b7.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1120
    • C:\Users\Admin\AppData\Local\Temp\aad9903b9803b9a3e2d6c7677d8eb80f537a3543e26725c48dde5e4c53d518b7.exe
      C:\Users\Admin\AppData\Local\Temp\aad9903b9803b9a3e2d6c7677d8eb80f537a3543e26725c48dde5e4c53d518b7.exe
      2⤵
        PID:4108
      • C:\Users\Admin\AppData\Local\Temp\aad9903b9803b9a3e2d6c7677d8eb80f537a3543e26725c48dde5e4c53d518b7.exe
        C:\Users\Admin\AppData\Local\Temp\aad9903b9803b9a3e2d6c7677d8eb80f537a3543e26725c48dde5e4c53d518b7.exe
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1456
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "mcs" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\aad9903b9803b9a3e2d6c7677d8eb80f537a3543e26725c48dde5e4c53d518b7.exe" /rl HIGHEST /f
          3⤵
          • Creates scheduled task(s)
          PID:4932
        • C:\Users\Admin\AppData\Roaming\mcr\mcr.exe
          "C:\Users\Admin\AppData\Roaming\mcr\mcr.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1216
          • C:\Users\Admin\AppData\Roaming\mcr\mcr.exe
            C:\Users\Admin\AppData\Roaming\mcr\mcr.exe
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4504
            • C:\Windows\SysWOW64\schtasks.exe
              "schtasks" /create /tn "mcs" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\mcr\mcr.exe" /rl HIGHEST /f
              5⤵
              • Creates scheduled task(s)
              PID:3008
          • C:\Users\Admin\AppData\Roaming\mcr\mcr.exe
            C:\Users\Admin\AppData\Roaming\mcr\mcr.exe
            4⤵
            • Executes dropped EXE
            PID:2072
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 80
              5⤵
              • Program crash
              PID:4464
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2072 -ip 2072
      1⤵
        PID:2600

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aad9903b9803b9a3e2d6c7677d8eb80f537a3543e26725c48dde5e4c53d518b7.exe.log
        Filesize

        706B

        MD5

        d95c58e609838928f0f49837cab7dfd2

        SHA1

        55e7139a1e3899195b92ed8771d1ca2c7d53c916

        SHA256

        0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

        SHA512

        405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

        Download Submit

      • C:\Users\Admin\AppData\Roaming\mcr\mcr.exe
        Filesize

        344KB

        MD5

        9b4441a09e3af86426c8edd6842e59ff

        SHA1

        8043a1fe7bff2a65a56b04c1270566b89f2065b8

        SHA256

        9fd16b9eb0e8a775925d8e80f6b5773e4557cf4cf77d09902d27086597384cf4

        SHA512

        ed56cd6739d404c4d3312278506a890287c176f4b12796dfd930d8f66d3fbea1ffe1fc6784bcbd6272ac19074cd56ce0dc1fd9c84815f408d72f0c394fc89720

        Download Submit

      • C:\Users\Admin\AppData\Roaming\mcr\mcr.exe
        Filesize

        271KB

        MD5

        16d7628160da1f6c92bc18a0365a9559

        SHA1

        afa864763a1bfbb06d83b645c54f84ea91afc255

        SHA256

        972d7a947eac13d67163757cd464ea53e308d99dd052159f7920fc4bcea54fa4

        SHA512

        5df6f8bd852bba2a48cad86dba869eb4b5be15aacc317c878fe6f1d9c258e8b150bd6fee2dea514ae7262e2457ede03c00a600bab12250bd6252a2fbc21afedd

        Download Submit

      • C:\Users\Admin\AppData\Roaming\mcr\mcr.exe
        Filesize

        149KB

        MD5

        ae68df297e84e76c6be760cb5804e05a

        SHA1

        2c12ddee70e4565cf7d213931dee66ce36373a58

        SHA256

        a21b63c9f8e07abc863fecf0618e92f87b24923f910d060a73314e8255a84e2c

        SHA512

        abea03dab47b2c49151053016cb34d72a011cb1de7638bcd26febf110464f7672f4498b55e12194e497265f46ad061488d16e069ea14aa2ae56619d5f9063c9b

        Download Submit

      • C:\Users\Admin\AppData\Roaming\mcr\mcr.exe
        Filesize

        128KB

        MD5

        df03308dc61a9e55cb422bfeeaef824a

        SHA1

        5a4118506e028207a07144bec309753aecec0917

        SHA256

        b5357ee001faee42f2cb9e9307959a1ad0bf7dc3cd2344e2d9ed789724f31160

        SHA512

        b60a244dc11cd8de6e5fdf4814f2591d0bfc51f9522ee3da614b9d7c739d1335a50f6a0c8c777d416eb9ce8a5c3b9a388c4eecc69dd779d04a661e9777735b5c

        Download Submit

      • memory/1120-5-0x000000000DE10000-0x000000000DEAC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/1120-7-0x000000000DEB0000-0x000000000DF42000-memory.dmp

        Filesize

        584KB

        Download

      • memory/1120-8-0x0000000002AD0000-0x0000000002AD6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/1120-6-0x000000000E460000-0x000000000EA04000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1120-4-0x000000000DC60000-0x000000000DD78000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/1120-13-0x0000000074880000-0x0000000075030000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1120-3-0x00000000050A0000-0x00000000050B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1120-2-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/1120-0-0x0000000074880000-0x0000000075030000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1120-1-0x00000000005E0000-0x00000000006EA000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/1216-37-0x0000000074880000-0x0000000075030000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1216-29-0x0000000005650000-0x0000000005660000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1216-28-0x0000000074880000-0x0000000075030000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1456-19-0x0000000005AB0000-0x0000000005AC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1456-16-0x0000000005660000-0x0000000005670000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1456-21-0x00000000069F0000-0x0000000006A2C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1456-17-0x00000000055D0000-0x0000000005636000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1456-14-0x0000000074880000-0x0000000075030000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1456-27-0x0000000074880000-0x0000000075030000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4108-15-0x0000000005130000-0x0000000005140000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4108-20-0x0000000074880000-0x0000000075030000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4108-12-0x0000000074880000-0x0000000075030000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4108-9-0x0000000000400000-0x000000000045E000-memory.dmp

        Filesize

        376KB

        Download

      • memory/4504-35-0x0000000074880000-0x0000000075030000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4504-36-0x0000000005200000-0x0000000005210000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4504-38-0x0000000006740000-0x000000000674A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4504-39-0x0000000074880000-0x0000000075030000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4504-40-0x0000000005200000-0x0000000005210000-memory.dmp

        Filesize

        64KB

        Download