Analysis
max time kernel: 147s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/04/2024, 23:54
Behavioral task
behavioral1
Sample: 8168236516ecd464c7c004c1d824ace70932b9dd61c9e238256965c33f059583.exe
Resource: win7-20240319-en
General
Target: 8168236516ecd464c7c004c1d824ace70932b9dd61c9e238256965c33f059583.exe
Size: 3.1MB
MD5: c52e8cb313bd0e446cb9607636bbc6ec
SHA1: 77d3ca1584e486528e39802449027cd9e8b08b83
SHA256: 8168236516ecd464c7c004c1d824ace70932b9dd61c9e238256965c33f059583
SHA512: d8bdbad8a179c74f2479da58af5530782a1683e07ad656b91ee05b0b00daa8008d1e7143b34eae16ef6ef612e1f742832ae9b9167ac2286799075886d1a66a45
SSDEEP: 49152:KvWI22SsaNYfdPBldt698dBcjHS5RJ6PbR3LoGdBTHHB72eh2NT:Kv722SsaNYfdPBldt6+dBcjHS5RJ6h
Malware Config
Extracted
quasar 1.4.1
victim:
  192.168.56.1:4782
  f887c652-41ce-4f9e-8a72-52676eb54001
encryption_key: 194B648FB0D06C59B36705385FF44BFC616F014E
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar payload (2 IoCs)
resource | yara_rule
behavioral2/memory/944-0-0x00000000003D0000-0x00000000006F4000-memory.dmp | family_quasar
behavioral2/files/0x00070000000233bc-5.dat | family_quasar

Detects Windows executables referencing non-Windows User-Agents (2 IoCs)
resource | yara_rule
behavioral2/memory/944-0-0x00000000003D0000-0x00000000006F4000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x00070000000233bc-5.dat | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. (2 IoCs)
resource | yara_rule
behavioral2/memory/944-0-0x00000000003D0000-0x00000000006F4000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/files/0x00070000000233bc-5.dat | INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables containing common artifacts observed in infostealers (2 IoCs)
resource | yara_rule
behavioral2/memory/944-0-0x00000000003D0000-0x00000000006F4000-memory.dmp | INDICATOR_SUSPICIOUS_GENInfoStealer
behavioral2/files/0x00070000000233bc-5.dat | INDICATOR_SUSPICIOUS_GENInfoStealer

Executes dropped EXE (1 IoC)
pid | Process
436 | Client.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\system32\SubDir\Client.exe | 8168236516ecd464c7c004c1d824ace70932b9dd61c9e238256965c33f059583.exe
File opened for modification | C:\Windows\system32\SubDir\Client.exe | 8168236516ecd464c7c004c1d824ace70932b9dd61c9e238256965c33f059583.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2128 | schtasks.exe
1868 | schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 944 | 8168236516ecd464c7c004c1d824ace70932b9dd61c9e238256965c33f059583.exe
Token: SeDebugPrivilege | 436 | Client.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
436 | Client.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 944 wrote to memory of 2128 | 944 | 8168236516ecd464c7c004c1d824ace70932b9dd61c9e238256965c33f059583.exe | 89
PID 944 wrote to memory of 2128 | 944 | 8168236516ecd464c7c004c1d824ace70932b9dd61c9e238256965c33f059583.exe | 89
PID 944 wrote to memory of 436 | 944 | 8168236516ecd464c7c004c1d824ace70932b9dd61c9e238256965c33f059583.exe | 91
PID 944 wrote to memory of 436 | 944 | 8168236516ecd464c7c004c1d824ace70932b9dd61c9e238256965c33f059583.exe | 91
PID 436 wrote to memory of 1868 | 436 | Client.exe | 93
PID 436 wrote to memory of 1868 | 436 | Client.exe | 93

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\8168236516ecd464c7c004c1d824ace70932b9dd61c9e238256965c33f059583.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8168236516ecd464c7c004c1d824ace70932b9dd61c9e238256965c33f059583.exe"
  PID: 944
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SYSTEM32\schtasks.exe
    command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
    PID: 2128
    - Creates scheduled task(s)

  C:\Windows\system32\SubDir\Client.exe
    command line: "C:\Windows\system32\SubDir\Client.exe"
    PID: 436
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SYSTEM32\schtasks.exe
      command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
      PID: 1868
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.1MB
MD5: c52e8cb313bd0e446cb9607636bbc6ec
SHA1: 77d3ca1584e486528e39802449027cd9e8b08b83
SHA256: 8168236516ecd464c7c004c1d824ace70932b9dd61c9e238256965c33f059583
SHA512: d8bdbad8a179c74f2479da58af5530782a1683e07ad656b91ee05b0b00daa8008d1e7143b34eae16ef6ef612e1f742832ae9b9167ac2286799075886d1a66a45