Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

c9d37a7234...47.exe

windows7-x64

10

c9d37a7234...47.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    02/05/2024, 02:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe

  • Size

    9.0MB

  • MD5

    4921d7a6d49401873cff200a4f3d990d

  • SHA1

    3d008d53e798505b858ff48574f3080210c56e27

  • SHA256

    c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047

  • SHA512

    9bc506b0615f3e7ba18ed70c92bef4dff257aad5437f17670ba88d8aec1ce20b0b46f8c194918e2c0fa0fa0397ec0ef2f954801da09fbf211c8597936fc097c4

  • SSDEEP

    98304:F6D7RBxsErIVyJTk8LJ5i4J/OCV4HEZFrp:QRw08yJIC5uuT

Score
10/10
quasaroffice04spywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

93.123.85.108:4782

Mutex

e14b8f59-979b-4ebf-8602-dd3c4d6c301e

Attributes
  • encryption_key

    534734397C0FA9A1D28F061AD75DF4100BFF5787

  • install_name

    Msconfig.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 8 IoCs
  • Detects Windows executables referencing non-Windows User-Agents 8 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 8 IoCs
  • Detects executables containing common artifacts observed in infostealers 8 IoCs
  • Detects executables packed with SmartAssembly 14 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Creates scheduled task(s) 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe
    "C:\Users\Admin\AppData\Local\Temp\c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2620
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2540
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\msconfig"
        3⤵
          PID:1224
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2444
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
            4⤵
            • Creates scheduled task(s)
            PID:1648
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C copy "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" "C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe"
          3⤵
            PID:1716
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\msconfig"
          2⤵
            PID:2632
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2752
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
              3⤵
              • Creates scheduled task(s)
              PID:2792
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe" "C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe"
            2⤵
              PID:2820
          • C:\Windows\system32\taskeng.exe
            taskeng.exe {5C47043C-40A4-4D38-879F-10E03CFF2293} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:1680
            • C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe
              C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe
              2⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:1776
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
                3⤵
                • Suspicious use of SetThreadContext
                PID:2312
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
                  4⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1452
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\msconfig"
                  4⤵
                    PID:2220
                  • C:\Windows\SysWOW64\cmd.exe
                    "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
                    4⤵
                      PID:2184
                      • C:\Windows\SysWOW64\schtasks.exe
                        schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
                        5⤵
                        • Creates scheduled task(s)
                        PID:1728
                    • C:\Windows\SysWOW64\cmd.exe
                      "cmd.exe" /C copy "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" "C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe"
                      4⤵
                        PID:844
                    • C:\Windows\SysWOW64\cmd.exe
                      "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\msconfig"
                      3⤵
                        PID:596
                      • C:\Windows\SysWOW64\cmd.exe
                        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
                        3⤵
                          PID:1332
                          • C:\Windows\SysWOW64\schtasks.exe
                            schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
                            4⤵
                            • Creates scheduled task(s)
                            PID:1816
                        • C:\Windows\SysWOW64\cmd.exe
                          "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe" "C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe"
                          3⤵
                            PID:2088
                        • C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe
                          C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe
                          2⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          PID:1832
                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
                            3⤵
                              PID:1232
                            • C:\Windows\SysWOW64\cmd.exe
                              "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\msconfig"
                              3⤵
                                PID:1932
                              • C:\Windows\SysWOW64\cmd.exe
                                "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
                                3⤵
                                  PID:2564
                                  • C:\Windows\SysWOW64\schtasks.exe
                                    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
                                    4⤵
                                    • Creates scheduled task(s)
                                    PID:2660
                                • C:\Windows\SysWOW64\cmd.exe
                                  "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe" "C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe"
                                  3⤵
                                    PID:3004

                              Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe
                                Filesize

                                9.0MB

                                MD5

                                4921d7a6d49401873cff200a4f3d990d

                                SHA1

                                3d008d53e798505b858ff48574f3080210c56e27

                                SHA256

                                c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047

                                SHA512

                                9bc506b0615f3e7ba18ed70c92bef4dff257aad5437f17670ba88d8aec1ce20b0b46f8c194918e2c0fa0fa0397ec0ef2f954801da09fbf211c8597936fc097c4

                                Download Submit

                              • memory/1232-110-0x00000000006C0000-0x00000000009EA000-memory.dmp

                                Filesize

                                3.2MB

                                Download

                              • memory/1452-82-0x00000000006A0000-0x00000000009C4000-memory.dmp

                                Filesize

                                3.1MB

                                Download

                              • memory/1452-90-0x00000000006A0000-0x00000000009C4000-memory.dmp

                                Filesize

                                3.1MB

                                Download

                              • memory/1776-32-0x00000000000D0000-0x00000000009DE000-memory.dmp

                                Filesize

                                9.1MB

                                Download

                              • memory/1832-71-0x00000000013B0000-0x0000000001CBE000-memory.dmp

                                Filesize

                                9.1MB

                                Download

                              • memory/2040-28-0x00000000740B0000-0x000000007479E000-memory.dmp

                                Filesize

                                6.9MB

                                Download

                              • memory/2040-4-0x00000000740B0000-0x000000007479E000-memory.dmp

                                Filesize

                                6.9MB

                                Download

                              • memory/2040-0-0x00000000740BE000-0x00000000740BF000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2040-3-0x00000000740BE000-0x00000000740BF000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2040-1-0x0000000000CA0000-0x00000000015AE000-memory.dmp

                                Filesize

                                9.1MB

                                Download

                              • memory/2040-2-0x00000000740B0000-0x000000007479E000-memory.dmp

                                Filesize

                                6.9MB

                                Download

                              • memory/2312-62-0x00000000007E0000-0x0000000000B0A000-memory.dmp

                                Filesize

                                3.2MB

                                Download

                              • memory/2312-69-0x00000000007E0000-0x0000000000B0A000-memory.dmp

                                Filesize

                                3.2MB

                                Download

                              • memory/2312-66-0x00000000007E0000-0x0000000000B0A000-memory.dmp

                                Filesize

                                3.2MB

                                Download

                              • memory/2540-43-0x0000000000680000-0x00000000009A4000-memory.dmp

                                Filesize

                                3.1MB

                                Download

                              • memory/2540-42-0x0000000000680000-0x00000000009A4000-memory.dmp

                                Filesize

                                3.1MB

                                Download

                              • memory/2540-39-0x0000000000680000-0x00000000009A4000-memory.dmp

                                Filesize

                                3.1MB

                                Download

                              • memory/2540-37-0x0000000000680000-0x00000000009A4000-memory.dmp

                                Filesize

                                3.1MB

                                Download

                              • memory/2540-34-0x0000000000680000-0x00000000009A4000-memory.dmp

                                Filesize

                                3.1MB

                                Download

                              • memory/2540-50-0x0000000000680000-0x00000000009A4000-memory.dmp

                                Filesize

                                3.1MB

                                Download

                              • memory/2540-47-0x0000000000680000-0x00000000009A4000-memory.dmp

                                Filesize

                                3.1MB

                                Download

                              • memory/2540-35-0x0000000000680000-0x00000000009A4000-memory.dmp

                                Filesize

                                3.1MB

                                Download

                              • memory/2620-16-0x0000000000880000-0x0000000000BAA000-memory.dmp

                                Filesize

                                3.2MB

                                Download

                              • memory/2620-29-0x00000000740B0000-0x000000007479E000-memory.dmp

                                Filesize

                                6.9MB

                                Download

                              • memory/2620-9-0x0000000000880000-0x0000000000BAA000-memory.dmp

                                Filesize

                                3.2MB

                                Download

                              • memory/2620-13-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2620-51-0x00000000740B0000-0x000000007479E000-memory.dmp

                                Filesize

                                6.9MB

                                Download

                              • memory/2620-15-0x0000000000880000-0x0000000000BAA000-memory.dmp

                                Filesize

                                3.2MB

                                Download

                              • memory/2620-6-0x0000000000880000-0x0000000000BAA000-memory.dmp

                                Filesize

                                3.2MB

                                Download

                              • memory/2620-11-0x0000000000880000-0x0000000000BAA000-memory.dmp

                                Filesize

                                3.2MB

                                Download

                              • memory/2620-25-0x00000000740B0000-0x000000007479E000-memory.dmp

                                Filesize

                                6.9MB

                                Download

                              • memory/2620-7-0x0000000000880000-0x0000000000BAA000-memory.dmp

                                Filesize

                                3.2MB

                                Download

                              • memory/2620-24-0x0000000000880000-0x0000000000BAA000-memory.dmp

                                Filesize

                                3.2MB

                                Download

                              • memory/2620-20-0x0000000000880000-0x0000000000BAA000-memory.dmp

                                Filesize

                                3.2MB

                                Download