Analysis

  • max time kernel
    95s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/11/2024, 11:07 UTC

General

  • Target

    54cef68b48ded4fa94e54f164a4dd838894a200c2887c885d29474c998c5e2c8.dll

  • Size

    542KB

  • MD5

    1fed599b6716c7395cfe19002774dac5

  • SHA1

    2dd268f89e179bdf68477660a51c77fe6e95e7eb

  • SHA256

    54cef68b48ded4fa94e54f164a4dd838894a200c2887c885d29474c998c5e2c8

  • SHA512

    ad4bd2c8b04cff498de9517481b5ffbc3c48d0842f2532ef8e6143773bceb49fbd70069b54c30a59affa8590f800ba8a2323284278ffda1e13db7629ba85dd5b

  • SSDEEP

    12288:RHVfvJEwcONs7+c/PfiIw0hleWqnFlw6lF9TZFb9/w8YrA9r6Abyv:/JUONOXns0hUFw6dfb9grMr4

Malware Config

  (no configuration was extracted for this sample)

Signatures

  • Quasar RAT

    Quasar is an open-source .NET remote access tool (RAT).

  • Quasar family
  • Blocklisted process makes network request (2 IoCs)
  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP-lookup service (here ip-api.com) to discover the infected system's external IP address.

  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)

    Attempts to gather information about the victim system's language in order to infer the geographical location of the host.

  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe (PID 4900)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\54cef68b48ded4fa94e54f164a4dd838894a200c2887c885d29474c998c5e2c8.dll,#1
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\rundll32.exe (PID 5076, child of 4900)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\54cef68b48ded4fa94e54f164a4dd838894a200c2887c885d29474c998c5e2c8.dll,#1
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken

  The DLL is 32-bit (arch:x86 in the resource tags) and is invoked through export ordinal #1 rather than a named export. The 64-bit rundll32.exe in System32 cannot load a 32-bit image, so it re-launches the 32-bit rundll32.exe from SysWOW64 with the same command line. Everything the signatures flag (network activity, language discovery, token privilege adjustment) and every memory dump on this page comes from the 32-bit child, PID 5076.

Network

  All DNS queries were sent to 8.8.8.8:53. Only the ip-api.com lookup, the HTTP GET and the session with 162.216.241.159:1005 are attributed to the sample's process (rundll32.exe, PID 5076); the PTR (reverse) lookups carry no process attribution on the page and are the sandbox OS resolving names for its own and the sample's connections. An entry marked "no answer record" received a reply that contained no PTR record (the connection summary still shows bytes received); a query listed a second time was re-sent and the repeat has no response recorded.

  Proto  Name / URL                       Type  Process       Response
  DNS    8.8.8.8.in-addr.arpa             PTR   -             dns.google
  DNS    8.8.8.8.in-addr.arpa             PTR   -             (repeat; no response recorded)
  DNS    133.211.185.52.in-addr.arpa      PTR   -             (no answer record)
  DNS    159.241.216.162.in-addr.arpa     PTR   -             unassigned162-216-241-159sprytnet (as extracted, separators lost; this is the 162.216.241.159:1005 peer)
  DNS    159.241.216.162.in-addr.arpa     PTR   -             (repeat; no response recorded)
  DNS    ip-api.com                       A     rundll32.exe  208.95.112.1
  HTTP   http://ip-api.com/json/          GET   rundll32.exe  200 OK (detail below)
  DNS    241.66.18.2.in-addr.arpa         PTR   -             a2-18-66-241.deploy.static.akamaitechnologies.com
  DNS    241.66.18.2.in-addr.arpa         PTR   -             (repeat; no response recorded)
  DNS    1.112.95.208.in-addr.arpa        PTR   -             ip-api.com
  DNS    1.112.95.208.in-addr.arpa        PTR   -             (repeat; no response recorded)
  DNS    71.31.126.40.in-addr.arpa        PTR   -             (no answer record)
  DNS    71.31.126.40.in-addr.arpa        PTR   -             (repeat; no response recorded)
  DNS    95.221.229.192.in-addr.arpa      PTR   -             (no answer record)
  DNS    241.150.49.20.in-addr.arpa       PTR   -             (no answer record)
  DNS    241.150.49.20.in-addr.arpa       PTR   -             (repeat; no response recorded)
  DNS    104.219.191.52.in-addr.arpa      PTR   -             (no answer record)
  DNS    200.163.202.172.in-addr.arpa     PTR   -             (no answer record)
  DNS    18.31.95.13.in-addr.arpa         PTR   -             (no answer record)
  DNS    18.31.95.13.in-addr.arpa         PTR   -             (repeat; no response recorded)
  DNS    172.210.232.199.in-addr.arpa     PTR   -             (no answer record)
  DNS    23.236.111.52.in-addr.arpa       PTR   -             (no answer record)

  HTTP request from rundll32.exe (PID 5076) to 208.95.112.1:80

    GET /json/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
    Host: ip-api.com
    Connection: Keep-Alive

  Response

    HTTP/1.1 200 OK
    Date: Fri, 22 Nov 2024 11:07:22 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 291
    Access-Control-Allow-Origin: *
    X-Ttl: 58
    X-Rl: 43

  The User-Agent claims Firefox 48 on Windows 8.1 (NT 6.3) but is sent by rundll32.exe on Windows 10, a hard-coded browser string from a non-browser process that makes a good proxy-log pivot. The 291-byte JSON body, which the page does not show, is ip-api.com's geolocation record for the requesting address; X-Rl and X-Ttl are the service's rate-limit headers (requests remaining in the current window and seconds until it resets).
  Connection summary. Columns are bytes sent / bytes received and packets sent / packets received; the byte counts appear to include IP and transport headers (a query for ip-api.com is reported as 56 B, roughly double the DNS payload).

  Remote address         Name                            Proto  Process       Sent    Received  Pkts out  Pkts in
  162.216.241.159:1005   -                               -      rundll32.exe  912 B   640 B     14        11
  208.95.112.1:80        http://ip-api.com/json/         http   rundll32.exe  380 B   600 B     5         3
  8.8.8.8:53             8.8.8.8.in-addr.arpa            dns    -             132 B   90 B      2         1
  8.8.8.8:53             133.211.185.52.in-addr.arpa     dns    -             73 B    147 B     1         1
  8.8.8.8:53             159.241.216.162.in-addr.arpa    dns    -             148 B   124 B     2         1
  8.8.8.8:53             ip-api.com                      dns    rundll32.exe  56 B    72 B      1         1
  8.8.8.8:53             241.66.18.2.in-addr.arpa        dns    -             140 B   133 B     2         1
  8.8.8.8:53             1.112.95.208.in-addr.arpa       dns    -             142 B   95 B      2         1
  8.8.8.8:53             71.31.126.40.in-addr.arpa       dns    -             142 B   157 B     2         1
  8.8.8.8:53             95.221.229.192.in-addr.arpa     dns    -             73 B    144 B     1         1
  8.8.8.8:53             241.150.49.20.in-addr.arpa      dns    -             144 B   158 B     2         1
  8.8.8.8:53             104.219.191.52.in-addr.arpa     dns    -             73 B    147 B     1         1
  8.8.8.8:53             200.163.202.172.in-addr.arpa    dns    -             74 B    160 B     1         1
  8.8.8.8:53             18.31.95.13.in-addr.arpa        dns    -             140 B   144 B     2         1
  8.8.8.8:53             172.210.232.199.in-addr.arpa    dns    -             74 B    128 B     1         1
  8.8.8.8:53             23.236.111.52.in-addr.arpa      dns    -             72 B    158 B     1         1

  The session with 162.216.241.159:1005 is the only traffic from the sample that is neither DNS nor the IP-lookup request: a direct-to-IP connection on a non-standard port that no forward DNS answer in the capture resolved to, with 14 packets out and 11 in. That shape is consistent with a Quasar command-and-control check-in, but the page records no decoded payload for it, so the address and port are the indicators to take from this run. The reverse lookup of 162.216.241.159 (done by the OS, not the sample) returned a name in an "unassigned" Sprytnet range.
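
Two of the network observations above generalise into detections: a non-browser process fetching an external-IP service with a browser User-Agent, and the same process opening a session to an address that nothing in the DNS capture resolved. The script below is an added example, not code from the Triage report or the Quasar project. Its DNS, HTTP and flow records are constructed from the values on this page; the list of IP-lookup services, the set of well-known ports and the set of non-browser processes are this example's own assumptions.

```python
"""Correlate DNS, HTTP and flow records from this report to flag the sample's
external-IP lookup and its unresolved direct-to-IP connection.

Added example, not code from the Triage report or the Quasar project. The
records are constructed from the report's Network section; the IP-lookup
service list, the well-known port set and the non-browser process set are
this example's own assumptions.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

# Constructed from the report. DNS: (process or None, qname, qtype, answers).
DNS = [
    ("rundll32.exe", "ip-api.com", "A", ["208.95.112.1"]),
    (None, "159.241.216.162.in-addr.arpa", "PTR", ["unassigned162-216-241-159sprytnet"]),
    (None, "1.112.95.208.in-addr.arpa", "PTR", ["ip-api.com"]),
]
# HTTP: (process, method, url, user_agent, status)
HTTP = [
    ("rundll32.exe", "GET", "http://ip-api.com/json/",
     "Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0", 200),
]
# Flows: (process, dst_ip, dst_port, bytes_out, bytes_in)
FLOWS = [
    ("rundll32.exe", "162.216.241.159", 1005, 912, 640),
    ("rundll32.exe", "208.95.112.1", 80, 380, 600),
]

# Assumption: a short list of public IP-echo services commonly used by RATs.
IP_LOOKUP_HOSTS: Set[str] = {"ip-api.com", "api.ipify.org", "ipinfo.io",
                             "icanhazip.com", "checkip.amazonaws.com", "ifconfig.me"}
# Assumption: ports where an unresolved destination is routine enough to skip.
WELL_KNOWN_PORTS: Set[int] = {53, 80, 443}
# Assumption: host processes that never legitimately present a browser UA.
NON_BROWSER_PROCS: Set[str] = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "powershell.exe"}

Finding = Tuple[str, str, str]  # (process, where, why)


def resolved_ips(dns_records) -> Dict[str, Set[str]]:
    """Map IP -> names that resolved to it, using forward (A/AAAA) answers only.
    PTR answers are deliberately ignored: a reverse lookup of a peer address
    is made by the OS after the fact and does not mean the sample resolved it."""
    table: Dict[str, Set[str]] = defaultdict(set)
    for _proc, qname, qtype, answers in dns_records:
        if qtype in ("A", "AAAA"):
            for ip in answers:
                table[ip].add(qname)
    return table


def find_ip_lookup(http_records) -> List[Finding]:
    hits: List[Finding] = []
    for proc, _method, url, ua, _status in http_records:
        host = urlsplit(url).hostname or ""
        if host in IP_LOOKUP_HOSTS:
            hits.append((proc, host, "external IP lookup via web service"))
        if proc in NON_BROWSER_PROCS and ua.startswith("Mozilla/"):
            hits.append((proc, host, f"browser User-Agent from non-browser process: {ua}"))
    return hits


def find_unresolved_flows(flows, dns_records) -> List[Finding]:
    """Flows to IPs that no forward DNS answer produced, on non-standard ports."""
    known = resolved_ips(dns_records)
    hits: List[Finding] = []
    for proc, ip, port, out_b, in_b in flows:
        if ip not in known and port not in WELL_KNOWN_PORTS:
            hits.append((proc, f"{ip}:{port}",
                         f"direct-to-IP session with no DNS resolution, {out_b} B out / {in_b} B in"))
    return hits


def analyze(dns_records, http_records, flows) -> List[Finding]:
    return find_ip_lookup(http_records) + find_unresolved_flows(flows, dns_records)


if __name__ == "__main__":
    for proc, where, why in analyze(DNS, HTTP, FLOWS):
        print(f"{proc:14} {where:24} {why}")
```

On the report's data this yields three findings: the ip-api.com lookup, the Firefox-48 User-Agent from rundll32.exe, and the unresolved session to 162.216.241.159:1005. The ip-api.com flow itself is not flagged because the A record for 208.95.112.1 is in the capture; that is the point of keying on forward answers rather than on the PTR lookups the OS makes afterwards.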

MITRE ATT&CK Enterprise v15

  • Discovery: System Location Discovery: System Language Discovery (T1614.001), from the signature of the same name above


Downloads

  Memory dumps, all from PID 5076 (the 32-bit SysWOW64 rundll32.exe child), listed by dump index. The 7.7MB region 0x74230000-0x749E0000 (indices 4, 7, 8, 14, 15, 16) and the 4KB page at 0x7423E000 (indices 2, 13) were captured repeatedly; the page has no index 1.

  Index  File                                                               Filesize
  0      memory/5076-0-0x0000000002F10000-0x0000000002F4E000-memory.dmp     248KB
  2      memory/5076-2-0x000000007423E000-0x000000007423F000-memory.dmp     4KB
  3      memory/5076-3-0x0000000005710000-0x000000000574C000-memory.dmp     240KB
  4      memory/5076-4-0x0000000074230000-0x00000000749E0000-memory.dmp     7.7MB
  5      memory/5076-5-0x0000000005D00000-0x00000000062A4000-memory.dmp     5.6MB
  6      memory/5076-6-0x0000000005860000-0x00000000058F2000-memory.dmp     584KB
  7      memory/5076-7-0x0000000074230000-0x00000000749E0000-memory.dmp     7.7MB
  8      memory/5076-8-0x0000000074230000-0x00000000749E0000-memory.dmp     7.7MB
  9      memory/5076-9-0x0000000005900000-0x0000000005966000-memory.dmp     408KB
  10     memory/5076-10-0x00000000063B0000-0x00000000063C2000-memory.dmp    72KB
  11     memory/5076-11-0x00000000065D0000-0x00000000065DA000-memory.dmp    40KB
  12     memory/5076-12-0x0000000005C10000-0x0000000005C4C000-memory.dmp    240KB
  13     memory/5076-13-0x000000007423E000-0x000000007423F000-memory.dmp    4KB
  14     memory/5076-14-0x0000000074230000-0x00000000749E0000-memory.dmp    7.7MB
  15     memory/5076-15-0x0000000074230000-0x00000000749E0000-memory.dmp    7.7MB
  16     memory/5076-16-0x0000000074230000-0x00000000749E0000-memory.dmp    7.7MB
