Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

loli.exe

windows7-x64

10

loli.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    125s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/09/2024, 09:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    loli.exe

  • Size

    3.1MB

  • MD5

    fc04e19e18532ba031bd6e05fad571b1

  • SHA1

    d124d44ac3afc724c4cfa84af182af347b430cfa

  • SHA256

    677b56921e0ac313d88a476865bcdfbc59ae7b941a4f31ee98cff34b5b47c67a

  • SHA512

    f0c11c3c79dbfaae2a7cd18335dfc2b55477b7b5cc7750f31f7817cbb71f405bb8a7a6b09d246e29e2b21f5568467241fb9fc7661ed207a914c0ed77c887e9dc

  • SSDEEP

    49152:XvkG42pda6D+/PjlLOlg6yQipVlZyg+vEPTHHB72eh2NT:XvP42pda6D+/PjlLOlZyQipVlZR

Score
10/10
quasarslavediscoveryspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Slave

C2

manufacturer-iran.gl.at.ply.gg:46957

manufacturer-iran.gl.at.ply.gg:5047
Mutex

261b229e-a9e0-46eb-b59b-76313ea213fe

Attributes
  • encryption_key

    F7ACA224CAA318E1652BB3825C87CAD85F986692

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Update

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\loli.exe
    "C:\Users\Admin\AppData\Local\Temp\loli.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4984
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1196
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2312
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:884
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /delete /tn "Update" /f
        3⤵
          PID:1148
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GmF1GqKkpLMP.bat" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1680
          • C:\Windows\system32\chcp.com
            chcp 65001
            4⤵
              PID:4984
            • C:\Windows\system32\PING.EXE
              ping -n 10 localhost
              4⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2844
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4396,i,6510295916244954942,10164894160290787457,262144 --variations-seed-version --mojo-platform-channel-handle=4400 /prefetch:8
        1⤵
          PID:2116

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\GmF1GqKkpLMP.bat
          Filesize

          211B

          MD5

          315896fdbb1591fa5471e89ed8a61e0e

          SHA1

          2c96e0ac8812c49c4234196d9b993065d4974ddc

          SHA256

          96a8adf6897b07d3fe3da01edde814111e363ab9352fe9526cbdd81fb0d7d9f1

          SHA512

          006b5e7760e167eb4afbd75780058a3a6499b02f8dda8d343ccc227c4f97bf0679403e4fa50a80f42b1ebd03d8663d6e3e0e2d9da868ceb8654bcf58b467606b

          Download Submit

        • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
          Filesize

          3.1MB

          MD5

          fc04e19e18532ba031bd6e05fad571b1

          SHA1

          d124d44ac3afc724c4cfa84af182af347b430cfa

          SHA256

          677b56921e0ac313d88a476865bcdfbc59ae7b941a4f31ee98cff34b5b47c67a

          SHA512

          f0c11c3c79dbfaae2a7cd18335dfc2b55477b7b5cc7750f31f7817cbb71f405bb8a7a6b09d246e29e2b21f5568467241fb9fc7661ed207a914c0ed77c887e9dc

          Download Submit

        • memory/2312-11-0x00007FF9CDF80000-0x00007FF9CEA41000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2312-10-0x00007FF9CDF80000-0x00007FF9CEA41000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2312-12-0x000000001BD20000-0x000000001BD70000-memory.dmp

          Filesize

          320KB

          Download

        • memory/2312-13-0x000000001BE30000-0x000000001BEE2000-memory.dmp

          Filesize

          712KB

          Download

        • memory/2312-16-0x000000001BDB0000-0x000000001BDC2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2312-17-0x000000001CA30000-0x000000001CA6C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/2312-18-0x00007FF9CDF80000-0x00007FF9CEA41000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2312-19-0x00007FF9CDF80000-0x00007FF9CEA41000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2312-24-0x00007FF9CDF80000-0x00007FF9CEA41000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4984-2-0x00007FF9CDF80000-0x00007FF9CEA41000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4984-9-0x00007FF9CDF80000-0x00007FF9CEA41000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4984-0-0x00007FF9CDF83000-0x00007FF9CDF85000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4984-1-0x0000000000360000-0x000000000067A000-memory.dmp

          Filesize

          3.1MB

          Download