Analysis

  • max time kernel
    40s
  • max time network
    43s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    29/11/2024, 06:12 UTC

General

  • Target

    Installer.exe

  • Size

    3.1MB

  • MD5

    19570d471b4f795bf854b8f8951d28f0

  • SHA1

    9d43a2c713ca6d8d7ecf2b9546b24add96612994

  • SHA256

    9057d608444db943deadf4f2b4da0b6c9e8bbfcb1efcf451679fa2cf1e7f3a18

  • SHA512

    f3f059d81f29f3e3607f9837be54226a5a82f83d64c812b01b6a3200abc3e3a41360a931dfe143c07359df5bb07bcb5dc695882a715ccf635c3ab5a54bb59298

  • SSDEEP

    49152:3vyI22SsaNYfdPBldt698dBcjHAD6eCLogoGdGfTHHB72eh2NT:3vf22SsaNYfdPBldt6+dBcjHAD63W

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

azxq0ap.localto.net:3425

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes
  • encryption_key

    AEA258EF65BF1786F0F767C0BE2497ECC304C46F

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\Installer.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3668
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3132
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2332

Network

  • US
    DNS
    232.168.11.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.168.11.51.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    232.168.11.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.168.11.51.in-addr.arpa
    IN PTR
  • US
    DNS
    88.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.210.23.2.in-addr.arpa
    IN PTR
    Response
    88.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-88.deploy.static.akamaitechnologies.com
  • US
    DNS
    88.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.210.23.2.in-addr.arpa
    IN PTR
  • US
    DNS
    71.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    71.159.190.20.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    azxq0ap.localto.net
    Client.exe
    Remote address:
    8.8.8.8:53
    Request
    azxq0ap.localto.net
    IN A
    Response
    azxq0ap.localto.net
    IN A
    23.158.232.33
  • US
    DNS
    ipwho.is
    Client.exe
    Remote address:
    8.8.8.8:53
    Request
    ipwho.is
    IN A
    Response
    ipwho.is
    IN A
    195.201.57.90
  • DE
    GET
    https://ipwho.is/
    Client.exe
    Remote address:
    195.201.57.90:443
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
    Host: ipwho.is
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Fri, 29 Nov 2024 06:12:40 GMT
    Content-Type: application/json; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Server: ipwhois
    Access-Control-Allow-Headers: *
    X-Robots-Tag: noindex
  • US
    DNS
    33.232.158.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    33.232.158.23.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    90.57.201.195.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    90.57.201.195.in-addr.arpa
    IN PTR
    Response
    90.57.201.195.in-addr.arpa
    IN PTR
    static.90.57.201.195.clients.your-server.de
  • US
    DNS
    149.220.183.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    149.220.183.52.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    56.163.245.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • 23.158.232.33:3425
    azxq0ap.localto.net
    tls
    Client.exe
    91.0kB
    5.7kB
    94
    80
  • 195.201.57.90:443
    https://ipwho.is/
    tls, http
    Client.exe
    877 B
    6.3kB
    9
    10

    HTTP Request

    GET https://ipwho.is/

    HTTP Response

    200
  • 8.8.8.8:53
    232.168.11.51.in-addr.arpa
    dns
    144 B
    158 B
    2
    1

    DNS Request

    232.168.11.51.in-addr.arpa

    DNS Request

    232.168.11.51.in-addr.arpa

  • 8.8.8.8:53
    88.210.23.2.in-addr.arpa
    dns
    140 B
    133 B
    2
    1

    DNS Request

    88.210.23.2.in-addr.arpa

    DNS Request

    88.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    71.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    71.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    azxq0ap.localto.net
    dns
    Client.exe
    65 B
    81 B
    1
    1

    DNS Request

    azxq0ap.localto.net

    DNS Response

    23.158.232.33

  • 8.8.8.8:53
    ipwho.is
    dns
    Client.exe
    54 B
    70 B
    1
    1

    DNS Request

    ipwho.is

    DNS Response

    195.201.57.90

  • 8.8.8.8:53
    33.232.158.23.in-addr.arpa
    dns
    72 B
    152 B
    1
    1

    DNS Request

    33.232.158.23.in-addr.arpa

  • 8.8.8.8:53
    90.57.201.195.in-addr.arpa
    dns
    72 B
    129 B
    1
    1

    DNS Request

    90.57.201.195.in-addr.arpa

  • 8.8.8.8:53
    149.220.183.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    149.220.183.52.in-addr.arpa

  • 8.8.8.8:53
    56.163.245.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    56.163.245.4.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

    Filesize

    3.1MB

    MD5

    19570d471b4f795bf854b8f8951d28f0

    SHA1

    9d43a2c713ca6d8d7ecf2b9546b24add96612994

    SHA256

    9057d608444db943deadf4f2b4da0b6c9e8bbfcb1efcf451679fa2cf1e7f3a18

    SHA512

    f3f059d81f29f3e3607f9837be54226a5a82f83d64c812b01b6a3200abc3e3a41360a931dfe143c07359df5bb07bcb5dc695882a715ccf635c3ab5a54bb59298

  • memory/2724-6-0x00007FFA4E070000-0x00007FFA4EB32000-memory.dmp

    Filesize

    10.8MB

  • memory/2724-7-0x00007FFA4E070000-0x00007FFA4EB32000-memory.dmp

    Filesize

    10.8MB

  • memory/2724-8-0x0000000002E00000-0x0000000002E50000-memory.dmp

    Filesize

    320KB

  • memory/2724-9-0x000000001CB30000-0x000000001CBE2000-memory.dmp

    Filesize

    712KB

  • memory/2724-12-0x0000000002FF0000-0x0000000003002000-memory.dmp

    Filesize

    72KB

  • memory/2724-13-0x000000001BB80000-0x000000001BBBC000-memory.dmp

    Filesize

    240KB

  • memory/2724-14-0x00007FFA4E070000-0x00007FFA4EB32000-memory.dmp

    Filesize

    10.8MB

  • memory/3668-0-0x00007FFA4E073000-0x00007FFA4E075000-memory.dmp

    Filesize

    8KB

  • memory/3668-1-0x0000000000C70000-0x0000000000F94000-memory.dmp

    Filesize

    3.1MB

  • memory/3668-2-0x00007FFA4E070000-0x00007FFA4EB32000-memory.dmp

    Filesize

    10.8MB

  • memory/3668-5-0x00007FFA4E070000-0x00007FFA4EB32000-memory.dmp

    Filesize

    10.8MB
