Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
77s -
max time network
79s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
09/11/2024, 15:56
General
-
Target
SpotifyLauncher.exe
-
Size
3.1MB
-
MD5
459bd1f40deff63df61baa82b8c053b3
-
SHA1
e08e35044bf8f73b67e54901ad37a4edf33fc319
-
SHA256
812c0beafd8928e2aa6410d1889acecf6b4213614d3fadbfc3fbba295932c9c3
-
SHA512
4232cf3ef7fe0e199a9e673ce785ecdd313ebdd5104d0a016105c7a76d77c350bac623e33d794255b04d989c12436d42850ef95b68452f04f9a7c6109c44130b
-
SSDEEP
49152:+vkt62XlaSFNWPjljiFa2RoUYIlgtCxkkvJrNoGdR5UTHHB72eh2NT:+v462XlaSFNWPjljiFXRoUYIDkcr
Malware Config
Extracted
quasar
1.4.1
filip
192.168.1.171:4782
8a32f315-b6f7-488d-8f1f-fefeb759304a
-
encryption_key
F0287BA2AFF0852B0C114DD06BE24EB4A3DB1A65
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
SpotifyLauncher
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Modifies registry class 4 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\SpotifyLauncher.exe"C:\Users\Admin\AppData\Local\Temp\SpotifyLauncher.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "SpotifyLauncher" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "SpotifyLauncher" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.131⤵
- Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
10KB
MD5069c37bf9e39b121efb7a28ece933aee
SHA1eaef2e55b66e543a14a6780c23bb83fe60f2f04d
SHA256485db8db6b497d31d428aceea416da20d88f7bde88dbfd6d59e3e7eee0a75ae8
SHA512f4562071143c2ebc259a20cbb45b133c863f127a5750672b7a2af47783c7cdc56dcf1064ae83f54e5fc0bb4e93826bf2ab4ef6e604f955bf594f2cbd641db796
-
Filesize
10KB
MD5eed640164203d0d0a2a1e7919a6fdbdf
SHA19af74121e090cf2970beee82d22ef4ebb886c0ae
SHA2564ca7fe712b4322fdb497733e015f4ae4496d3998772a6c37305da3cbba3eb7ae
SHA5121bf6de193ae00189525ea9a685bbe3dc7722eceb6ccfb83c70adc766b6301b4978abf73b2f8f41b865f1521925308e4f96285dca569e9c2b2c61e79db1100e3d
-
Filesize
3.1MB
MD5459bd1f40deff63df61baa82b8c053b3
SHA1e08e35044bf8f73b67e54901ad37a4edf33fc319
SHA256812c0beafd8928e2aa6410d1889acecf6b4213614d3fadbfc3fbba295932c9c3
SHA5124232cf3ef7fe0e199a9e673ce785ecdd313ebdd5104d0a016105c7a76d77c350bac623e33d794255b04d989c12436d42850ef95b68452f04f9a7c6109c44130b
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
320KB
-
Filesize
712KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
3.1MB
-
Filesize
10.8MB
-
Filesize
10.8MB