Analysis
max time kernel: 147s
max time network: 153s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 15/09/2024, 09:41
Behavioral task: behavioral1
Sample: loli.exe
Resource: win7-20240903-en
General
Target: loli.exe
Size: 3.1MB
MD5: fc04e19e18532ba031bd6e05fad571b1
SHA1: d124d44ac3afc724c4cfa84af182af347b430cfa
SHA256: 677b56921e0ac313d88a476865bcdfbc59ae7b941a4f31ee98cff34b5b47c67a
SHA512: f0c11c3c79dbfaae2a7cd18335dfc2b55477b7b5cc7750f31f7817cbb71f405bb8a7a6b09d246e29e2b21f5568467241fb9fc7661ed207a914c0ed77c887e9dc
SSDEEP: 49152:XvkG42pda6D+/PjlLOlg6yQipVlZyg+vEPTHHB72eh2NT:XvP42pda6D+/PjlLOlZyQipVlZR
Malware Config
Extracted
quasar 1.4.1
Slave
manufacturer-iran.gl.at.ply.gg:46957
manufacturer-iran.gl.at.ply.gg:5047
261b229e-a9e0-46eb-b59b-76313ea213fe
encryption_key: F7ACA224CAA318E1652BB3825C87CAD85F986692
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Update
subdirectory: SubDir
Signatures

Quasar payload (3 IoCs)
resource yara_rule
behavioral1/memory/2468-1-0x00000000009C0000-0x0000000000CDA000-memory.dmp family_quasar
behavioral1/files/0x002b000000018cf2-6.dat family_quasar
behavioral1/memory/2208-10-0x0000000000900000-0x0000000000C1A000-memory.dmp family_quasar

Executes dropped EXE (1 IoC)
pid Process
2208 Client.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
236 schtasks.exe
2688 schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description pid Process
Token: SeDebugPrivilege 2468 loli.exe
Token: SeDebugPrivilege 2208 Client.exe

Suspicious use of FindShellTrayWindow (1 IoC)
pid Process
2208 Client.exe

Suspicious use of SendNotifyMessage (1 IoC)
pid Process
2208 Client.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid Process
2208 Client.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description pid Process procid_target
PID 2468 wrote to memory of 236 2468 loli.exe 29
PID 2468 wrote to memory of 236 2468 loli.exe 29
PID 2468 wrote to memory of 236 2468 loli.exe 29
PID 2468 wrote to memory of 2208 2468 loli.exe 31
PID 2468 wrote to memory of 2208 2468 loli.exe 31
PID 2468 wrote to memory of 2208 2468 loli.exe 31
PID 2208 wrote to memory of 2688 2208 Client.exe 32
PID 2208 wrote to memory of 2688 2208 Client.exe 32
PID 2208 wrote to memory of 2688 2208 Client.exe 32

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\loli.exe (PID 2468, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\loli.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\schtasks.exe (PID 236, depth 2)
    Command line: "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2208, depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe (PID 2688, depth 3)
      Command line: "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.1MB
MD5: fc04e19e18532ba031bd6e05fad571b1
SHA1: d124d44ac3afc724c4cfa84af182af347b430cfa
SHA256: 677b56921e0ac313d88a476865bcdfbc59ae7b941a4f31ee98cff34b5b47c67a
SHA512: f0c11c3c79dbfaae2a7cd18335dfc2b55477b7b5cc7750f31f7817cbb71f405bb8a7a6b09d246e29e2b21f5568467241fb9fc7661ed207a914c0ed77c887e9dc