Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
25s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
-
submitted
25/04/2024, 22:39
General
-
Target
CzSOSINT.exe
-
Size
297KB
-
MD5
311c6835775d900f12ece1d138aee2a6
-
SHA1
95ea06961562ddfa77f645be03f95d08d1cdb2e0
-
SHA256
31f0e68a0fb8a6e1714ade7379d486d56aa1421d2f22ff3d632c1fe24f59457a
-
SHA512
19cc40219e209fc878ea2beb5cb81917cd3bf43684d9c1d42643581c38b5db393ae8c2362d167521002e466a80fe24b08163aefda5aa7d266b4731f5c985d500
-
SSDEEP
6144:9eQCIpHePBK7UOYz1mhJCtWY9XcNfPHDpu74NpgtcZRg/+wPO:0ae5mYzcLC0YuF8kHX/g/
Malware Config
Extracted
quasar
3.1.5
RSlaveReel
147.185.221.19:33587
$Sxr-PODin6zbdvLuVkqKla
-
encryption_key
myaDwGp04jmlN7Zrz509
-
install_name
WindowsDllRunHost.exe
-
log_directory
Update Logs
-
reconnect_delay
3000
-
startup_key
WindowsBIOSUpdx64
-
subdirectory
orbitpaid
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 3 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\CzSOSINT.exe"C:\Users\Admin\AppData\Local\Temp\CzSOSINT.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IDTOIPBYR_0.exe"C:\Users\Admin\AppData\Local\Temp\IDTOIPBYR_0.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Update.exe"C:\Users\Admin\AppData\Local\Temp\Update.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "WindowsBIOSUpdx64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Update.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Roaming\orbitpaid\WindowsDllRunHost.exe"C:\Users\Admin\AppData\Roaming\orbitpaid\WindowsDllRunHost.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "WindowsBIOSUpdx64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\orbitpaid\WindowsDllRunHost.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77Update.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Update.exe'" /sc onlogon /rl HIGHEST3⤵
- Creates scheduled task(s)
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
409KB
MD5b551c695865c6d7f51346d324f7d4604
SHA1dc8cc6bf41bf725fb8747c21d264dd7d9ec5ad72
SHA256bb450aec5b543dd30c3ce33c731340a3c601afa75ca2670dfc0bf547be064dd0
SHA5126a7cf624887b19fceb7f08dd06965c1a4ca8b07390447a411ef60738070ab19258d4ad96b489782b0f3e46c1e153e27293d2725123af72c57dd112bc61d51ba1
-
Filesize
139KB
MD5224ce6bc7b94e1843e1f1623d856e93b
SHA15a28a76369bc15982f0ba95c79e74c496db0df14
SHA2567d520ade71bbd117074f1c071c68021edbf8c0ff79729cdca6a556eac338bafd
SHA5126508be341f8b224657f288c543ee1bc99895d03d9fe0f27fdfbbe39261d6683555e53592f25ba0f523d74a84dbba39e1f86e18d9173c3820c1c8df3c01817ff6
-
Filesize
432KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
432KB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
512KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
320KB