Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

c9d37a7234...47.exe

windows7-x64

10

c9d37a7234...47.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/05/2024, 02:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe

  • Size

    9.0MB

  • MD5

    4921d7a6d49401873cff200a4f3d990d

  • SHA1

    3d008d53e798505b858ff48574f3080210c56e27

  • SHA256

    c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047

  • SHA512

    9bc506b0615f3e7ba18ed70c92bef4dff257aad5437f17670ba88d8aec1ce20b0b46f8c194918e2c0fa0fa0397ec0ef2f954801da09fbf211c8597936fc097c4

  • SSDEEP

    98304:F6D7RBxsErIVyJTk8LJ5i4J/OCV4HEZFrp:QRw08yJIC5uuT

Score
10/10
quasaroffice04spywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

93.123.85.108:4782

Mutex

e14b8f59-979b-4ebf-8602-dd3c4d6c301e

Attributes
  • encryption_key

    534734397C0FA9A1D28F061AD75DF4100BFF5787

  • install_name

    Msconfig.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • Detects Windows executables referencing non-Windows User-Agents 1 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
  • Detects executables containing common artifacts observed in infostealers 1 IoCs
  • Detects executables packed with SmartAssembly 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Creates scheduled task(s) 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe
    "C:\Users\Admin\AppData\Local\Temp\c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4652
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1444
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1396
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\msconfig"
        3⤵
          PID:4988
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4264
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
            4⤵
            • Creates scheduled task(s)
            PID:4368
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C copy "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" "C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe"
          3⤵
            PID:4704
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\msconfig"
          2⤵
            PID:4380
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1392
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
              3⤵
              • Creates scheduled task(s)
              PID:2780
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe" "C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe"
            2⤵
              PID:920
          • C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe
            C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe
            1⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1260
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
              2⤵
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:1264
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
                3⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2732
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\msconfig"
                3⤵
                  PID:3892
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
                  3⤵
                    PID:2428
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
                      4⤵
                      • Creates scheduled task(s)
                      PID:4552
                  • C:\Windows\SysWOW64\cmd.exe
                    "cmd.exe" /C copy "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" "C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe"
                    3⤵
                      PID:2352
                  • C:\Windows\SysWOW64\cmd.exe
                    "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\msconfig"
                    2⤵
                      PID:1344
                    • C:\Windows\SysWOW64\cmd.exe
                      "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:4324
                      • C:\Windows\SysWOW64\schtasks.exe
                        schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
                        3⤵
                        • Creates scheduled task(s)
                        PID:1392
                    • C:\Windows\SysWOW64\cmd.exe
                      "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe" "C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe"
                      2⤵
                        PID:3560
                    • C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe
                      C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe
                      1⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      PID:3796
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
                        2⤵
                          PID:5020
                        • C:\Windows\SysWOW64\cmd.exe
                          "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\msconfig"
                          2⤵
                            PID:4404
                          • C:\Windows\SysWOW64\cmd.exe
                            "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
                            2⤵
                              PID:4844
                              • C:\Windows\SysWOW64\schtasks.exe
                                schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
                                3⤵
                                • Creates scheduled task(s)
                                PID:4364
                            • C:\Windows\SysWOW64\cmd.exe
                              "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe" "C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe"
                              2⤵
                                PID:3224

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\csc.exe.log
                              Filesize

                              520B

                              MD5

                              03febbff58da1d3318c31657d89c8542

                              SHA1

                              c9e017bd9d0a4fe533795b227c855935d86c2092

                              SHA256

                              5164770a37b199a79ccd23b399bb3309228973d9f74c589bc2623dc613b37ac4

                              SHA512

                              3750c372bbca1892e9c1b34681d592c693e725a8b149c3d6938079cd467628cec42c4293b0d886b57a786abf45f5e7229247b3445001774e3e793ff5a3accfa3

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe
                              Filesize

                              9.0MB

                              MD5

                              4921d7a6d49401873cff200a4f3d990d

                              SHA1

                              3d008d53e798505b858ff48574f3080210c56e27

                              SHA256

                              c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047

                              SHA512

                              9bc506b0615f3e7ba18ed70c92bef4dff257aad5437f17670ba88d8aec1ce20b0b46f8c194918e2c0fa0fa0397ec0ef2f954801da09fbf211c8597936fc097c4

                              Download Submit

                            • memory/1396-23-0x0000000006DD0000-0x0000000006E82000-memory.dmp

                              Filesize

                              712KB

                              Download

                            • memory/1396-22-0x0000000006B60000-0x0000000006BB0000-memory.dmp

                              Filesize

                              320KB

                              Download

                            • memory/1396-21-0x0000000007080000-0x0000000007698000-memory.dmp

                              Filesize

                              6.1MB

                              Download

                            • memory/1396-20-0x0000000005E80000-0x0000000005E8A000-memory.dmp

                              Filesize

                              40KB

                              Download

                            • memory/1396-17-0x0000000005F00000-0x0000000005F92000-memory.dmp

                              Filesize

                              584KB

                              Download

                            • memory/1396-16-0x0000000001420000-0x0000000001744000-memory.dmp

                              Filesize

                              3.1MB

                              Download

                            • memory/1444-19-0x0000000074670000-0x0000000074E20000-memory.dmp

                              Filesize

                              7.7MB

                              Download

                            • memory/1444-13-0x0000000074670000-0x0000000074E20000-memory.dmp

                              Filesize

                              7.7MB

                              Download

                            • memory/1444-8-0x0000000074670000-0x0000000074E20000-memory.dmp

                              Filesize

                              7.7MB

                              Download

                            • memory/1444-7-0x0000000074670000-0x0000000074E20000-memory.dmp

                              Filesize

                              7.7MB

                              Download

                            • memory/1444-6-0x0000000000E00000-0x000000000112A000-memory.dmp

                              Filesize

                              3.2MB

                              Download

                            • memory/4652-12-0x0000000074670000-0x0000000074E20000-memory.dmp

                              Filesize

                              7.7MB

                              Download

                            • memory/4652-5-0x0000000074670000-0x0000000074E20000-memory.dmp

                              Filesize

                              7.7MB

                              Download

                            • memory/4652-0-0x000000007467E000-0x000000007467F000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/4652-4-0x000000007467E000-0x000000007467F000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/4652-3-0x0000000074670000-0x0000000074E20000-memory.dmp

                              Filesize

                              7.7MB

                              Download

                            • memory/4652-2-0x0000000006560000-0x0000000006B04000-memory.dmp

                              Filesize

                              5.6MB

                              Download

                            • memory/4652-1-0x0000000000BF0000-0x00000000014FE000-memory.dmp

                              Filesize

                              9.1MB

                              Download