Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    147s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/04/2024, 23:54 UTC

General

  • Target

    8168236516ecd464c7c004c1d824ace70932b9dd61c9e238256965c33f059583.exe

  • Size

    3.1MB

  • MD5

    c52e8cb313bd0e446cb9607636bbc6ec

  • SHA1

    77d3ca1584e486528e39802449027cd9e8b08b83

  • SHA256

    8168236516ecd464c7c004c1d824ace70932b9dd61c9e238256965c33f059583

  • SHA512

    d8bdbad8a179c74f2479da58af5530782a1683e07ad656b91ee05b0b00daa8008d1e7143b34eae16ef6ef612e1f742832ae9b9167ac2286799075886d1a66a45

  • SSDEEP

    49152:KvWI22SsaNYfdPBldt698dBcjHS5RJ6PbR3LoGdBTHHB72eh2NT:Kv722SsaNYfdPBldt6+dBcjHS5RJ6h

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

victim

C2

192.168.56.1:4782

Mutex

f887c652-41ce-4f9e-8a72-52676eb54001

Attributes
  • encryption_key

    194B648FB0D06C59B36705385FF44BFC616F014E

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 2 IoCs
  • Detects Windows executables referencing non-Windows User-Agents 2 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs
  • Detects executables containing common artifacts observed in infostealers 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\8168236516ecd464c7c004c1d824ace70932b9dd61c9e238256965c33f059583.exe
    "C:\Users\Admin\AppData\Local\Temp\8168236516ecd464c7c004c1d824ace70932b9dd61c9e238256965c33f059583.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:944
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:2128
    • C:\Windows\system32\SubDir\Client.exe
      "C:\Windows\system32\SubDir\Client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:436
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:1868

Network

  • flag-us
    DNS
    71.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    71.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
  • flag-us
    DNS
    241.154.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.154.82.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.154.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.154.82.20.in-addr.arpa
    IN PTR
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b023975b404d495bafd5e20cc5743a9e&localId=w:8278E319-FE4C-D664-BDAB-F28E31699514&deviceId=6896199938771339&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b023975b404d495bafd5e20cc5743a9e&localId=w:8278E319-FE4C-D664-BDAB-F28E31699514&deviceId=6896199938771339&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=31DC04F3BA2E641D24BD1096BB956504; domain=.bing.com; expires=Tue, 13-May-2025 23:54:59 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 440B85437AA84B9391FDA2F6AD42DE99 Ref B: LON04EDGE0919 Ref C: 2024-04-18T23:54:59Z
    date: Thu, 18 Apr 2024 23:54:58 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=b023975b404d495bafd5e20cc5743a9e&localId=w:8278E319-FE4C-D664-BDAB-F28E31699514&deviceId=6896199938771339&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=b023975b404d495bafd5e20cc5743a9e&localId=w:8278E319-FE4C-D664-BDAB-F28E31699514&deviceId=6896199938771339&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=31DC04F3BA2E641D24BD1096BB956504
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=k2WMNotN4xD-iofwBqGKZzu1e78Clo-BgZHIBPgvWrE; domain=.bing.com; expires=Tue, 13-May-2025 23:54:59 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: D065DE8B314041F69C08ACC4C56E8B85 Ref B: LON04EDGE0919 Ref C: 2024-04-18T23:54:59Z
    date: Thu, 18 Apr 2024 23:54:58 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b023975b404d495bafd5e20cc5743a9e&localId=w:8278E319-FE4C-D664-BDAB-F28E31699514&deviceId=6896199938771339&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b023975b404d495bafd5e20cc5743a9e&localId=w:8278E319-FE4C-D664-BDAB-F28E31699514&deviceId=6896199938771339&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=31DC04F3BA2E641D24BD1096BB956504; MSPTC=k2WMNotN4xD-iofwBqGKZzu1e78Clo-BgZHIBPgvWrE
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: D653064B731549A5984D2934735B9CBD Ref B: LON04EDGE0919 Ref C: 2024-04-18T23:54:59Z
    date: Thu, 18 Apr 2024 23:54:58 GMT
  • flag-us
    DNS
    237.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.197.79.204.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    144.107.17.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    144.107.17.2.in-addr.arpa
    IN PTR
    Response
    144.107.17.2.in-addr.arpa
    IN PTR
    a2-17-107-144deploystaticakamaitechnologiescom
  • flag-us
    DNS
    21.114.53.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    21.114.53.23.in-addr.arpa
    IN PTR
    Response
    21.114.53.23.in-addr.arpa
    IN PTR
    a23-53-114-21deploystaticakamaitechnologiescom
  • flag-us
    DNS
    57.169.31.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    57.169.31.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    130.118.77.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    130.118.77.104.in-addr.arpa
    IN PTR
    Response
    130.118.77.104.in-addr.arpa
    IN PTR
    a104-77-118-130deploystaticakamaitechnologiescom
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    13.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    41.134.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    41.134.221.88.in-addr.arpa
    IN PTR
    Response
    41.134.221.88.in-addr.arpa
    IN PTR
    a88-221-134-41deploystaticakamaitechnologiescom
  • flag-us
    DNS
    66.112.168.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    66.112.168.52.in-addr.arpa
    IN PTR
    Response
  • 204.79.197.237:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b023975b404d495bafd5e20cc5743a9e&localId=w:8278E319-FE4C-D664-BDAB-F28E31699514&deviceId=6896199938771339&anid=
    tls, http2
    2.0kB
    9.2kB
    22
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b023975b404d495bafd5e20cc5743a9e&localId=w:8278E319-FE4C-D664-BDAB-F28E31699514&deviceId=6896199938771339&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=b023975b404d495bafd5e20cc5743a9e&localId=w:8278E319-FE4C-D664-BDAB-F28E31699514&deviceId=6896199938771339&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b023975b404d495bafd5e20cc5743a9e&localId=w:8278E319-FE4C-D664-BDAB-F28E31699514&deviceId=6896199938771339&anid=

    HTTP Response

    204
  • 192.168.56.1:4782
    Client.exe
    260 B
    5
  • 192.168.56.1:4782
    Client.exe
    260 B
    5
  • 23.53.113.159:80
    46 B
    1
  • 192.168.56.1:4782
    Client.exe
    260 B
    5
  • 192.168.56.1:4782
    Client.exe
    260 B
    5
  • 192.168.56.1:4782
    Client.exe
    260 B
    5
  • 192.168.56.1:4782
    Client.exe
    260 B
    5
  • 8.8.8.8:53
    71.31.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    71.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    168 B
    151 B
    3
    1

    DNS Request

    g.bing.com

    DNS Request

    g.bing.com

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.237
    13.107.21.237

  • 8.8.8.8:53
    241.154.82.20.in-addr.arpa
    dns
    144 B
    158 B
    2
    1

    DNS Request

    241.154.82.20.in-addr.arpa

    DNS Request

    241.154.82.20.in-addr.arpa

  • 8.8.8.8:53
    237.197.79.204.in-addr.arpa
    dns
    73 B
    143 B
    1
    1

    DNS Request

    237.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    144.107.17.2.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    144.107.17.2.in-addr.arpa

  • 8.8.8.8:53
    21.114.53.23.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    21.114.53.23.in-addr.arpa

  • 8.8.8.8:53
    57.169.31.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    57.169.31.20.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    130.118.77.104.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    130.118.77.104.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    13.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    13.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    41.134.221.88.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    41.134.221.88.in-addr.arpa

  • 8.8.8.8:53
    66.112.168.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    66.112.168.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\System32\SubDir\Client.exe

    Filesize

    3.1MB

    MD5

    c52e8cb313bd0e446cb9607636bbc6ec

    SHA1

    77d3ca1584e486528e39802449027cd9e8b08b83

    SHA256

    8168236516ecd464c7c004c1d824ace70932b9dd61c9e238256965c33f059583

    SHA512

    d8bdbad8a179c74f2479da58af5530782a1683e07ad656b91ee05b0b00daa8008d1e7143b34eae16ef6ef612e1f742832ae9b9167ac2286799075886d1a66a45

  • memory/436-9-0x00007FFC5BBE0000-0x00007FFC5C6A1000-memory.dmp

    Filesize

    10.8MB

  • memory/436-10-0x0000000001360000-0x0000000001370000-memory.dmp

    Filesize

    64KB

  • memory/436-11-0x0000000002D40000-0x0000000002D90000-memory.dmp

    Filesize

    320KB

  • memory/436-12-0x000000001C440000-0x000000001C4F2000-memory.dmp

    Filesize

    712KB

  • memory/436-13-0x00007FFC5BBE0000-0x00007FFC5C6A1000-memory.dmp

    Filesize

    10.8MB

  • memory/944-0-0x00000000003D0000-0x00000000006F4000-memory.dmp

    Filesize

    3.1MB

  • memory/944-1-0x00007FFC5BBE0000-0x00007FFC5C6A1000-memory.dmp

    Filesize

    10.8MB

  • memory/944-2-0x000000001B4A0000-0x000000001B4B0000-memory.dmp

    Filesize

    64KB

  • memory/944-8-0x00007FFC5BBE0000-0x00007FFC5C6A1000-memory.dmp

    Filesize

    10.8MB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.