Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
58s -
max time network
35s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
-
submitted
10/11/2024, 23:49
General
-
Target
polrthujk.exe
-
Size
3.1MB
-
MD5
cb838b6eafe658027d563c2a67adbd37
-
SHA1
422e0bcc834cca0e8d349e08725b2ac4499fbd86
-
SHA256
4d9705a277ea2a8de918dd0d05efa543f6e3efc0ddd6aa37ae140fdd028338fc
-
SHA512
6c0eefaee665a2fc2f2b9b53995bafeae1959d5d356d2214a208fbe117cf676a0bc8352ffbfa390c6bf7148a34c3a58c34f7c81ed3b5c264602e5ef6ecfa3b99
-
SSDEEP
49152:evUt62XlaSFNWPjljiFa2RoUYIdlzfD4OdoGsbbTHHB72eh2NT:evI62XlaSFNWPjljiFXRoUYIdlzn
Malware Config
Extracted
quasar
1.4.1
Office04
127.0.0.1:4040
e51e2b65-e963-4051-9736-67d57ed46798
-
encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\polrthujk.exe"C:\Users\Admin\AppData\Local\Temp\polrthujk.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD5cb838b6eafe658027d563c2a67adbd37
SHA1422e0bcc834cca0e8d349e08725b2ac4499fbd86
SHA2564d9705a277ea2a8de918dd0d05efa543f6e3efc0ddd6aa37ae140fdd028338fc
SHA5126c0eefaee665a2fc2f2b9b53995bafeae1959d5d356d2214a208fbe117cf676a0bc8352ffbfa390c6bf7148a34c3a58c34f7c81ed3b5c264602e5ef6ecfa3b99
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
320KB
-
Filesize
712KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
3.1MB
-
Filesize
10.8MB
-
Filesize
10.8MB