Analysis
max time kernel: 298s
max time network: 300s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/12/2024, 16:59
General
Target: Exodus.exe
Size: 3.1MB
MD5: bec3e464678accc2e79d7d6a965df8c8
SHA1: 3aa1473e714c37a886e47363b89fc7d0a1dde2d7
SHA256: 768a227e5aa261aa0874c31ddd3069783bad6f9963d1b6422879c4cc0368e85f
SHA512: 556f89d50cebee601ffeb247c11dad83b99d763d3673afc1d9e96c0a173b611ad88135a8f63c9cc1588a9d3e65d04b0a1f9ddd67d4b8ec30aa5f6a0bbe417f05
SSDEEP: 49152:Jvht62XlaSFNWPjljiFa2RoUYI5xrEDkYk/JxaoGdZTHHB72eh2NT:JvL62XlaSFNWPjljiFXRoUYI5xFs
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04
C2: 192.168.56.1:4782 (an RFC 1918 private address, so this build can only reach a controller on the local network)
Mutex: 8fde6e55-a760-4124-8db0-c35d8826b33b
encryption_key: A606BBF3ED6B131B2AE59080A334668BA1692C31
install_name: Exodus.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Update
subdirectory: SubDir
Signatures
- Quasar family
- Quasar payload (2 IoCs)
  resource: behavioral1/memory/1120-1-0x00000000001E0000-0x000000000050C000-memory.dmp, yara_rule: family_quasar
  resource: behavioral1/files/0x0007000000023ca1-5.dat, yara_rule: family_quasar
- Executes dropped EXE (1 IoC)
  PID 4748, Process: Exodus.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 3500, Process: schtasks.exe
  PID 1484, Process: schtasks.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 1120, Process: Exodus.exe
  Token: SeDebugPrivilege, PID 4748, Process: Exodus.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 4748, Process: Exodus.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1120 wrote to memory of 1484 (pid 1120, Process: Exodus.exe, procid_target 84)
  PID 1120 wrote to memory of 1484 (pid 1120, Process: Exodus.exe, procid_target 84)
  PID 1120 wrote to memory of 4748 (pid 1120, Process: Exodus.exe, procid_target 86)
  PID 1120 wrote to memory of 4748 (pid 1120, Process: Exodus.exe, procid_target 86)
  PID 4748 wrote to memory of 3500 (pid 4748, Process: Exodus.exe, procid_target 87)
  PID 4748 wrote to memory of 3500 (pid 4748, Process: Exodus.exe, procid_target 87)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
1. C:\Users\Admin\AppData\Local\Temp\Exodus.exe (PID 1120)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Exodus.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SYSTEM32\schtasks.exe (PID 1484)
      Command line: "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Exodus.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task
   2. C:\Users\Admin\AppData\Roaming\SubDir\Exodus.exe (PID 4748)
      Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Exodus.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SYSTEM32\schtasks.exe (PID 3500)
         Command line: "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Exodus.exe" /rl HIGHEST /f
         - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: baf55b95da4a601229647f25dad12878
  SHA1: abc16954ebfd213733c4493fc1910164d825cac8
  SHA256: ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
  SHA512: 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
- Filesize: 3.1MB (identical hashes to the submitted target Exodus.exe)
  MD5: bec3e464678accc2e79d7d6a965df8c8
  SHA1: 3aa1473e714c37a886e47363b89fc7d0a1dde2d7
  SHA256: 768a227e5aa261aa0874c31ddd3069783bad6f9963d1b6422879c4cc0368e85f
  SHA512: 556f89d50cebee601ffeb247c11dad83b99d763d3673afc1d9e96c0a173b611ad88135a8f63c9cc1588a9d3e65d04b0a1f9ddd67d4b8ec30aa5f6a0bbe417f05