Analysis
-
max time kernel: 147s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/04/2024, 23:54 UTC
Behavioral task
behavioral1
Sample: 8168236516ecd464c7c004c1d824ace70932b9dd61c9e238256965c33f059583.exe
Resource: win7-20240319-en
(This header lists the Windows 7 task; the analysis metadata above and the signature paths below, prefixed behavioral2/, belong to the Windows 10 run.)
General
-
Target: 8168236516ecd464c7c004c1d824ace70932b9dd61c9e238256965c33f059583.exe
Size: 3.1MB
MD5: c52e8cb313bd0e446cb9607636bbc6ec
SHA1: 77d3ca1584e486528e39802449027cd9e8b08b83
SHA256: 8168236516ecd464c7c004c1d824ace70932b9dd61c9e238256965c33f059583
SHA512: d8bdbad8a179c74f2479da58af5530782a1683e07ad656b91ee05b0b00daa8008d1e7143b34eae16ef6ef612e1f742832ae9b9167ac2286799075886d1a66a45
SSDEEP: 49152:KvWI22SsaNYfdPBldt698dBcjHS5RJ6PbR3LoGdBTHHB72eh2NT:Kv722SsaNYfdPBldt6+dBcjHS5RJ6h
Malware Config
Extracted
family: quasar
version: 1.4.1
tag: victim
c2: 192.168.56.1:4782 (an RFC 1918 private address; 192.168.56.1 is also the default host address of a VirtualBox host-only network, so this client was built to call back to a lab host rather than an Internet-facing server)
mutex: f887c652-41ce-4f9e-8a72-52676eb54001
encryption_key: 194B648FB0D06C59B36705385FF44BFC616F014E
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
The three values tag, c2 and mutex are unlabelled in the extract; the labels follow the order of Quasar's own settings and are the editor's reading. install_name, subdirectory and startup_key together give the install path C:\Windows\system32\SubDir\Client.exe and the scheduled-task name seen in the process tree below.
Signatures
-
Quasar payload (2 IoCs)
resource                                                                     yara_rule
behavioral2/memory/944-0-0x00000000003D0000-0x00000000006F4000-memory.dmp   family_quasar
behavioral2/files/0x00070000000233bc-5.dat                                   family_quasar
-
Detects Windows executables referencing non-Windows User-Agents (2 IoCs)
resource                                                                     yara_rule
behavioral2/memory/944-0-0x00000000003D0000-0x00000000006F4000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x00070000000233bc-5.dat                                   INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. (2 IoCs)
resource                                                                     yara_rule
behavioral2/memory/944-0-0x00000000003D0000-0x00000000006F4000-memory.dmp   INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/files/0x00070000000233bc-5.dat                                   INDICATOR_SUSPICIOUS_Binary_References_Browsers
-
Detects executables containing common artifacts observed in infostealers (2 IoCs)
resource                                                                     yara_rule
behavioral2/memory/944-0-0x00000000003D0000-0x00000000006F4000-memory.dmp   INDICATOR_SUSPICIOUS_GENInfoStealer
behavioral2/files/0x00070000000233bc-5.dat                                   INDICATOR_SUSPICIOUS_GENInfoStealer
-
Executes dropped EXE (1 IoC)
pid   Process
436   Client.exe
-
Drops file in System32 directory (2 IoCs)
description                   ioc                                        Process
File created                  C:\Windows\system32\SubDir\Client.exe      8168236516ecd464c7c004c1d824ace70932b9dd61c9e238256965c33f059583.exe
File opened for modification  C:\Windows\system32\SubDir\Client.exe      8168236516ecd464c7c004c1d824ace70932b9dd61c9e238256965c33f059583.exe
-
Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid    Process
2128   schtasks.exe
1868   schtasks.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description                pid   Process
Token: SeDebugPrivilege    944   8168236516ecd464c7c004c1d824ace70932b9dd61c9e238256965c33f059583.exe
Token: SeDebugPrivilege    436   Client.exe
-
Suspicious use of SetWindowsHookEx (1 IoC)
pid   Process
436   Client.exe
-
Suspicious use of WriteProcessMemory (6 IoCs)
description                            pid   Process                                                                  procid_target
PID 944 wrote to memory of 2128        944   8168236516ecd464c7c004c1d824ace70932b9dd61c9e238256965c33f059583.exe    89
PID 944 wrote to memory of 2128        944   8168236516ecd464c7c004c1d824ace70932b9dd61c9e238256965c33f059583.exe    89
PID 944 wrote to memory of 436         944   8168236516ecd464c7c004c1d824ace70932b9dd61c9e238256965c33f059583.exe    91
PID 944 wrote to memory of 436         944   8168236516ecd464c7c004c1d824ace70932b9dd61c9e238256965c33f059583.exe    91
PID 436 wrote to memory of 1868        436   Client.exe                                                               93
PID 436 wrote to memory of 1868        436   Client.exe                                                               93
-
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\8168236516ecd464c7c004c1d824ace70932b9dd61c9e238256965c33f059583.exe (PID 944)
  command line: "C:\Users\Admin\AppData\Local\Temp\8168236516ecd464c7c004c1d824ace70932b9dd61c9e238256965c33f059583.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SYSTEM32\schtasks.exe (PID 2128, child of 944)
    command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
  -
  C:\Windows\system32\SubDir\Client.exe (PID 436, child of 944)
    command line: "C:\Windows\system32\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SYSTEM32\schtasks.exe (PID 1868, child of 436)
      command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
-
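The persistence chain in this tree and in the extracted config (a binary running from the user's Temp directory writes Client.exe under system32\SubDir, registers it as an ONLOGON task at RunLevel HIGHEST under the name from startup_key, and the dropped client re-registers the same task) can be matched from ordinary endpoint telemetry. The following Python is an added example, not part of the tria.ge report: the event schema is a simplified Sysmon-like one, the function and rule names are this example's own, the events are constructed from the report's process tree (parent pid 1 for the sample is a placeholder), and the final "Control" event is a constructed benign case that must not fire.

```python
"""Detect the persistence chain shown in the process tree from endpoint
telemetry: a binary running outside C:\\Windows writes an EXE under
C:\\Windows\\system32\\, registers it as a logon task at RunLevel HIGHEST,
and the dropped EXE then runs and re-registers the same task.

Added example, not part of the tria.ge report. The event shape is a
simplified Sysmon-like one (assumption); the events below are constructed
from the report's process tree plus one constructed benign control.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
WINDOWS_DIR = "c:\\windows"
SYSTEM32 = WINDOWS_DIR + "\\system32\\"
LOGON_TRIGGERS = {"ONLOGON", "ONSTART"}   # schtasks /sc values that run at logon / boot


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


def split_cmdline(cmdline: str) -> list:
    """Split a Windows command line on whitespace, keeping double-quoted
    arguments whole. Backslashes are path separators here, not escapes,
    which is why shlex (POSIX rules) is deliberately not used."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN_RE.finditer(cmdline)]


def parse_schtasks_create(cmdline: str) -> Optional[dict]:
    """Return {tn, sc, tr, rl, force} for a 'schtasks /create' command line,
    or None if the line is not a task creation."""
    toks = split_cmdline(cmdline)
    if not toks or ntpath.basename(toks[0]).lower() not in ("schtasks", "schtasks.exe"):
        return None
    lowered = [t.lower() for t in toks]
    if "/create" not in lowered:
        return None
    opts = {"tn": None, "sc": None, "tr": None, "rl": None, "force": "/f" in lowered}
    for i, t in enumerate(lowered[:-1]):          # switches that take a value
        if t in ("/tn", "/sc", "/tr", "/rl"):
            opts[t[1:]] = toks[i + 1]
    return opts


def outside_windows_dir(image: str) -> bool:
    """Rough stand-in for 'runs from a user-writable location' (assumption)."""
    return not image.lower().startswith(WINDOWS_DIR)


def detect_persistence(events: list) -> list:
    findings = []
    image_by_pid = {e["pid"]: e["image"] for e in events if e["type"] == "process"}

    # Pass 1: EXEs written below system32 by a process that itself runs from
    # outside C:\Windows (report: Temp\8168...exe -> system32\SubDir\Client.exe).
    dropped = {}
    for e in events:
        if e["type"] != "file":
            continue
        target, writer = e["target"].lower(), image_by_pid.get(e["pid"], "")
        if target.startswith(SYSTEM32) and target.endswith(".exe") and outside_windows_dir(writer):
            dropped[target] = e["pid"]
            findings.append(Finding(e["pid"], "drop_in_system32", f"{writer} wrote {e['target']}"))

    # Pass 2: execution of a dropped EXE, and any schtasks /create whose /tr
    # target is one of the dropped files (ONLOGON + HIGHEST is the report's case).
    for e in events:
        if e["type"] != "process":
            continue
        if e["image"].lower() in dropped:
            findings.append(Finding(e["pid"], "dropped_exe_executed",
                                    f"{e['image']} started by pid {e['ppid']}"))
        task = parse_schtasks_create(e["cmdline"])
        if task and task["tr"] and task["tr"].lower() in dropped:
            elevated = (task["rl"] or "").upper() == "HIGHEST"
            at_logon = (task["sc"] or "").upper() in LOGON_TRIGGERS
            rule = "logon_task_highest_to_dropped_exe" if elevated and at_logon else "task_to_dropped_exe"
            findings.append(Finding(e["pid"], rule, f"tn={task['tn']!r} tr={task['tr']}"))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8168236516ecd464c7c004c1d824ace70932b9dd61c9e238256965c33f059583.exe"
CLIENT = r"C:\Windows\system32\SubDir\Client.exe"
TASK_CMD = (r'"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON '
            r'/tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f')

# Constructed from the report's process tree (pids as reported, ppid 1 is a
# placeholder), plus a constructed benign control pointing at a Windows binary.
EVENTS = [
    {"type": "process", "pid": 944, "ppid": 1, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "file", "pid": 944, "target": CLIENT},
    {"type": "process", "pid": 2128, "ppid": 944, "image": r"C:\Windows\SYSTEM32\schtasks.exe", "cmdline": TASK_CMD},
    {"type": "process", "pid": 436, "ppid": 944, "image": CLIENT, "cmdline": f'"{CLIENT}"'},
    {"type": "process", "pid": 1868, "ppid": 436, "image": r"C:\Windows\SYSTEM32\schtasks.exe", "cmdline": TASK_CMD},
    {"type": "process", "pid": 5000, "ppid": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Control" /sc ONLOGON /tr "C:\Windows\System32\wbem\WMIADAP.exe" /rl HIGHEST /f'},
]

if __name__ == "__main__":
    for f in detect_persistence(EVENTS):
        print(f"pid {f.pid:>5}  {f.rule:<36} {f.detail}")
```

The correlation (task target equals a file just written by a non-Windows process) is what keeps the rule quiet on the control event: a task pointing at a Windows binary, even with ONLOGON and HIGHEST, is not flagged on its own. Run against real Sysmon data the writer heuristic should be replaced by a proper list of user-writable paths.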
Network
-
The capture records no answered connection to the configured C2 192.168.56.1:4782 (a private address). The only flows carrying data in both directions are DNS to 8.8.8.8:53 (mostly reverse lookups) and Windows shell telemetry to g.bing.com; several flows with bytes sent and nothing received appear at the end of the flow table without a recorded remote address.
-
DNS queries (remote address 8.8.8.8:53)
-
Request: 71.31.126.40.in-addr.arpa IN PTR
Response: (no answer records)
-
Request: g.bing.com IN A
Response:
g.bing.com IN CNAME g-bing-com.dual-a-0034.a-msedge.net
g-bing-com.dual-a-0034.a-msedge.net IN CNAME dual-a-0034.a-msedge.net
dual-a-0034.a-msedge.net IN A 204.79.197.237
dual-a-0034.a-msedge.net IN A 13.107.21.237
-
Request: g.bing.com IN A
-
Request: g.bing.com IN A
-
Request: 241.154.82.20.in-addr.arpa IN PTR
Response: (no answer records)
-
Request: 241.154.82.20.in-addr.arpa IN PTR
HTTP requests (remote address 204.79.197.237:443, host g.bing.com)
-
Request 1
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b023975b404d495bafd5e20cc5743a9e&localId=w:8278E319-FE4C-D664-BDAB-F28E31699514&deviceId=6896199938771339&anid=
Request:
GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b023975b404d495bafd5e20cc5743a9e&localId=w:8278E319-FE4C-D664-BDAB-F28E31699514&deviceId=6896199938771339&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
Response:
HTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=31DC04F3BA2E641D24BD1096BB956504; domain=.bing.com; expires=Tue, 13-May-2025 23:54:59 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 440B85437AA84B9391FDA2F6AD42DE99 Ref B: LON04EDGE0919 Ref C: 2024-04-18T23:54:59Z
date: Thu, 18 Apr 2024 23:54:58 GMT
-
Request 2
GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=b023975b404d495bafd5e20cc5743a9e&localId=w:8278E319-FE4C-D664-BDAB-F28E31699514&deviceId=6896199938771339&anid=
Request:
GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=b023975b404d495bafd5e20cc5743a9e&localId=w:8278E319-FE4C-D664-BDAB-F28E31699514&deviceId=6896199938771339&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=31DC04F3BA2E641D24BD1096BB956504
Response:
HTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=k2WMNotN4xD-iofwBqGKZzu1e78Clo-BgZHIBPgvWrE; domain=.bing.com; expires=Tue, 13-May-2025 23:54:59 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D065DE8B314041F69C08ACC4C56E8B85 Ref B: LON04EDGE0919 Ref C: 2024-04-18T23:54:59Z
date: Thu, 18 Apr 2024 23:54:58 GMT
-
Request 3
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b023975b404d495bafd5e20cc5743a9e&localId=w:8278E319-FE4C-D664-BDAB-F28E31699514&deviceId=6896199938771339&anid=
Request:
GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b023975b404d495bafd5e20cc5743a9e&localId=w:8278E319-FE4C-D664-BDAB-F28E31699514&deviceId=6896199938771339&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=31DC04F3BA2E641D24BD1096BB956504; MSPTC=k2WMNotN4xD-iofwBqGKZzu1e78Clo-BgZHIBPgvWrE
Response:
HTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D653064B731549A5984D2934735B9CBD Ref B: LON04EDGE0919 Ref C: 2024-04-18T23:54:59Z
date: Thu, 18 Apr 2024 23:54:58 GMT
Reverse DNS queries (remote address 8.8.8.8:53)
-
Request: 237.197.79.204.in-addr.arpa IN PTR
Response: (no answer records)
-
Request: 144.107.17.2.in-addr.arpa IN PTR
Response: 144.107.17.2.in-addr.arpa IN PTR a2-17-107-144.deploy.static.akamaitechnologies.com
-
Request: 21.114.53.23.in-addr.arpa IN PTR
Response: 21.114.53.23.in-addr.arpa IN PTR a23-53-114-21.deploy.static.akamaitechnologies.com
-
Request: 57.169.31.20.in-addr.arpa IN PTR
Response: (no answer records)
-
Request: 50.23.12.20.in-addr.arpa IN PTR
Response: (no answer records)
-
Request: 15.164.165.52.in-addr.arpa IN PTR
Response: (no answer records)
-
Request: 130.118.77.104.in-addr.arpa IN PTR
Response: 130.118.77.104.in-addr.arpa IN PTR a104-77-118-130.deploy.static.akamaitechnologies.com
-
Request: 172.210.232.199.in-addr.arpa IN PTR
Response: (no answer records)
-
Request: 13.227.111.52.in-addr.arpa IN PTR
Response: (no answer records)
-
Request: 41.134.221.88.in-addr.arpa IN PTR
Response: 41.134.221.88.in-addr.arpa IN PTR a88-221-134-41.deploy.static.akamaitechnologies.com
-
Request: 66.112.168.52.in-addr.arpa IN PTR
Response: (no answer records)
Flows
-
Remote address: 204.79.197.237:443
URL: https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b023975b404d495bafd5e20cc5743a9e&localId=w:8278E319-FE4C-D664-BDAB-F28E31699514&deviceId=6896199938771339&anid=
Protocols: tls, http2
Sent: 2.0kB   Received: 9.2kB   Packets sent: 22   Packets received: 19
HTTP Request: GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b023975b404d495bafd5e20cc5743a9e&localId=w:8278E319-FE4C-D664-BDAB-F28E31699514&deviceId=6896199938771339&anid=
HTTP Response: 204
HTTP Request: GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=b023975b404d495bafd5e20cc5743a9e&localId=w:8278E319-FE4C-D664-BDAB-F28E31699514&deviceId=6896199938771339&anid=
HTTP Response: 204
HTTP Request: GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b023975b404d495bafd5e20cc5743a9e&localId=w:8278E319-FE4C-D664-BDAB-F28E31699514&deviceId=6896199938771339&anid=
HTTP Response: 204
-
Flows with bytes sent and nothing received (the remote-address column did not survive extraction)
Sent    Packets sent
260 B   5
260 B   5
46 B    1
260 B   5
260 B   5
260 B   5
260 B   5
-
DNS flows (remote address 8.8.8.8:53)
Sent    Received   Pkts sent   Pkts recv   Query / answer
71 B    157 B      1           1           71.31.126.40.in-addr.arpa
168 B   151 B      3           1           g.bing.com (3 requests); answer: 204.79.197.237, 13.107.21.237
144 B   158 B      2           1           241.154.82.20.in-addr.arpa (2 requests)
73 B    143 B      1           1           237.197.79.204.in-addr.arpa
71 B    135 B      1           1           144.107.17.2.in-addr.arpa
71 B    135 B      1           1           21.114.53.23.in-addr.arpa
71 B    157 B      1           1           57.169.31.20.in-addr.arpa
70 B    156 B      1           1           50.23.12.20.in-addr.arpa
72 B    146 B      1           1           15.164.165.52.in-addr.arpa
73 B    139 B      1           1           130.118.77.104.in-addr.arpa
74 B    128 B      1           1           172.210.232.199.in-addr.arpa
72 B    158 B      1           1           13.227.111.52.in-addr.arpa
72 B    137 B      1           1           41.134.221.88.in-addr.arpa
72 B    146 B      1           1           66.112.168.52.in-addr.arpa
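Reading this Network section against the extracted config comes down to two questions: did the client reach the C2 it was built with, and is anything left once reverse lookups and Windows background telemetry are set aside? The Python below is an added example, not part of the tria.ge report. The DNS names, HTTP requests and flow endpoints are copied from the report (query strings shortened to the action parameter), while the record shape, the bucket names, the KNOWN_TELEMETRY set and the function names are this example's own assumptions; flows whose remote address is missing from the page are not represented.

```python
"""Check a sandbox network capture against an extracted Quasar C2:
was the configured endpoint contacted, and what is the rest of the traffic?

Added example, not part of the tria.ge report. The DNS names, HTTP
requests and flow endpoints below are copied from the report; the record
shape, bucket names and the 'known telemetry' set are assumptions.
"""
import ipaddress
import re
from typing import Optional

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.IGNORECASE)

# (host, user-agent prefix) pairs treated as Windows background traffic (assumption)
KNOWN_TELEMETRY = {("g.bing.com", "WindowsShellClient/")}


def ptr_to_ip(name: str) -> Optional[str]:
    """'237.197.79.204.in-addr.arpa' -> '204.79.197.237'; None for forward names."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def parse_endpoint(endpoint: str) -> tuple:
    """'192.168.56.1:4782' -> ('192.168.56.1', 4782)."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def classify_dns(names: list) -> tuple:
    """Reverse lookups come back as the IPs they resolve; forward lookups as names."""
    ptr_ips, forward = set(), set()
    for n in names:
        ip = ptr_to_ip(n)
        if ip:
            ptr_ips.add(ip)
        else:
            forward.add(n.lower())
    return sorted(ptr_ips, key=ipaddress.ip_address), sorted(forward)


def classify_http(requests: list) -> tuple:
    telemetry, other = [], []
    for r in requests:
        host, ua = r["host"].lower(), r["user_agent"]
        if any(host == h and ua.startswith(p) for h, p in KNOWN_TELEMETRY):
            telemetry.append(r)
        else:
            other.append(r)
    return telemetry, other


def c2_contacted(flows: list, c2_endpoint: str) -> bool:
    """True if any recorded flow has the C2's IP and port as its remote end."""
    ip, port = parse_endpoint(c2_endpoint)
    return any(f["remote"] == ip and f["port"] == port for f in flows)


def triage(c2_endpoint: str, dns_names: list, http_requests: list, flows: list) -> dict:
    ip, _ = parse_endpoint(c2_endpoint)
    ptr_ips, forward = classify_dns(dns_names)
    telemetry, other = classify_http(http_requests)
    return {
        "c2": c2_endpoint,
        "c2_is_private": ipaddress.ip_address(ip).is_private,
        "c2_contacted": c2_contacted(flows, c2_endpoint),
        "ptr_lookups": ptr_ips,
        "forward_lookups": forward,
        "telemetry_requests": len(telemetry),
        "unexplained_requests": [(r["host"], r["path"]) for r in other],
    }


# Copied from the report's Network section (constructed record shape)
C2 = "192.168.56.1:4782"
DNS_NAMES = [
    "71.31.126.40.in-addr.arpa", "g.bing.com", "g.bing.com", "g.bing.com",
    "241.154.82.20.in-addr.arpa", "241.154.82.20.in-addr.arpa",
    "237.197.79.204.in-addr.arpa", "144.107.17.2.in-addr.arpa", "21.114.53.23.in-addr.arpa",
    "57.169.31.20.in-addr.arpa", "50.23.12.20.in-addr.arpa", "15.164.165.52.in-addr.arpa",
    "130.118.77.104.in-addr.arpa", "172.210.232.199.in-addr.arpa", "13.227.111.52.in-addr.arpa",
    "41.134.221.88.in-addr.arpa", "66.112.168.52.in-addr.arpa",
]
UA = "WindowsShellClient/9.0.40929.0 (Windows)"
HTTP_REQUESTS = [  # query strings shortened to the action parameter
    {"host": "g.bing.com", "user_agent": UA, "path": "/neg/0?action=emptycreativeimpression"},
    {"host": "g.bing.com", "user_agent": UA, "path": "/neg/0?action=emptycreative"},
    {"host": "g.bing.com", "user_agent": UA, "path": "/neg/0?action=emptycreativeimpression"},
]
FLOWS = [  # only flows whose remote address the page records
    {"remote": "204.79.197.237", "port": 443, "proto": "tls,http2"},
    {"remote": "8.8.8.8", "port": 53, "proto": "dns"},
]

if __name__ == "__main__":
    for key, value in triage(C2, DNS_NAMES, HTTP_REQUESTS, FLOWS).items():
        print(f"{key}: {value}")
```

For this report the result is: C2 private, C2 not contacted in any recorded flow, one forward lookup (g.bing.com), thirteen distinct reverse-looked-up addresses, three telemetry requests and nothing unexplained. The unaddressed send-only flows listed on the page cannot be checked this way, which is the gap a practitioner would close by looking at the raw pcap.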
MITRE ATT&CK Enterprise v15
Downloads
-
Sample
Filesize: 3.1MB
MD5: c52e8cb313bd0e446cb9607636bbc6ec
SHA1: 77d3ca1584e486528e39802449027cd9e8b08b83
SHA256: 8168236516ecd464c7c004c1d824ace70932b9dd61c9e238256965c33f059583
SHA512: d8bdbad8a179c74f2479da58af5530782a1683e07ad656b91ee05b0b00daa8008d1e7143b34eae16ef6ef612e1f742832ae9b9167ac2286799075886d1a66a45