Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
138s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
05/12/2024, 19:10
General
-
Target
Client-built.exe
-
Size
3.1MB
-
MD5
d5f77af0c3259e8dfe5f630031ec4a34
-
SHA1
97345887a00ae86149ffe649bb8b8210d3d89f29
-
SHA256
9e17c6b9d15cd1ff039cd7aac08fe41a07522469a0b2cd9826b4695529d3594f
-
SHA512
e93d86be4df1e3de06916d861f34817613c69890400136ae98bc9fc49bccf22caa69872e51f5f630584adbb6b0cfc364724c557c43161a887c98d0ee63eddd0c
-
SSDEEP
49152:mvFt62XlaSFNWPjljiFa2RoUYIxixNESEHk/iHLoGdmTHHB72eh2NT:mv362XlaSFNWPjljiFXRoUYIAxCr
Malware Config
Extracted
quasar
1.4.1
slave
192.168.0.1:7680
fe472357-144d-4a3a-8e1d-9ef513643cc1
-
encryption_key
5E806E3CE72868F0BCCBB7C901531979B646D78D
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
quasar
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 27 IoCs
-
Suspicious use of SendNotifyMessage 27 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "quasar" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "quasar" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD5d5f77af0c3259e8dfe5f630031ec4a34
SHA197345887a00ae86149ffe649bb8b8210d3d89f29
SHA2569e17c6b9d15cd1ff039cd7aac08fe41a07522469a0b2cd9826b4695529d3594f
SHA512e93d86be4df1e3de06916d861f34817613c69890400136ae98bc9fc49bccf22caa69872e51f5f630584adbb6b0cfc364724c557c43161a887c98d0ee63eddd0c
-
Filesize
8KB
-
Filesize
3.1MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
10.8MB
-
Filesize
5.2MB
-
Filesize
10.8MB
-
Filesize
712KB
-
Filesize
320KB
-
Filesize
10.8MB