Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/08/2024, 05:10

General

  • Target

    DOX !Aka team ‮gnp.scr

  • Size

    1.5MB

  • MD5

    8cb48770ef48c80f07c8a7a3ef1586ee

  • SHA1

    1d1083098c4841ff23e3b040fb209af9887feb59

  • SHA256

    8a9718d2658c908e0ced599e637ce1ab27cfc22e43829ae6bcf784a8591825eb

  • SHA512

    befee76662064711a8ee60adf9aaaa3ccc3f4203db06974314d3d620d6e65e8789b5c2357bf75cfec5b65eb8258b07fc34887e4f8a632617b2927b2988a3365f

  • SSDEEP

    49152:zDjlabwz95bKxxiXIHLyoltXyYfyu7aOCwI:/qw/2xqIHL5tCl7OCwI

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.0.27:4782

Mutex

52f67a9c-ccc2-4eec-a61c-1567fbfeab31

Attributes
  • encryption_key

    E57D88E5AA0EFBFC2E93ADCD1BD6BB2BCF4B3BAA

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload (2 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SendNotifyMessage (1 IoC)
  • Suspicious use of WriteProcessMemory (2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\DOX !Aka team ‮gnp.scr
    "C:\Users\Admin\AppData\Local\Temp\DOX !Aka team ‮gnp.scr" /S
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4900
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4436

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe

    Filesize

    3.1MB

    MD5

    6594c1c527c01d4a3031cd531f4d9feb

    SHA1

    3ac67da27beeee7089030f45b7b46cd83e8f38d4

    SHA256

    4b751e42cb5775f3ba47a7fdfe6864e3a48d39ed58d3ba678c8a16f8ab741bd1

    SHA512

    d241cc0597c3da66b64a3bfc0479990d4fff506d70f94a656dda620fe426369989e26c54e395b2a82f0cd9b21ad9e3ed9595b927c356b0f7651f0784ac831e38

  • memory/4436-14-0x00007FFA7A603000-0x00007FFA7A605000-memory.dmp

    Filesize

    8KB

  • memory/4436-15-0x0000000000DB0000-0x00000000010D4000-memory.dmp

    Filesize

    3.1MB

  • memory/4436-16-0x00007FFA7A600000-0x00007FFA7B0C1000-memory.dmp

    Filesize

    10.8MB

  • memory/4436-17-0x000000001C7C0000-0x000000001C810000-memory.dmp

    Filesize

    320KB

  • memory/4436-18-0x000000001C8D0000-0x000000001C982000-memory.dmp

    Filesize

    712KB

  • memory/4436-19-0x00007FFA7A603000-0x00007FFA7A605000-memory.dmp

    Filesize

    8KB

  • memory/4436-20-0x00007FFA7A600000-0x00007FFA7B0C1000-memory.dmp

    Filesize

    10.8MB