Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
10/12/2024, 01:01 UTC
General
-
Target
d951b4352f6e4f9ef63cbbabac6cae41d3de37d26dee4b4890d60b52d51ddbb4.exe
-
Size
3.0MB
-
MD5
25ae2a8e59da886dbc3192b12e000ffa
-
SHA1
c384fbee5a29be18571d293c1e20a36d044bd86a
-
SHA256
d951b4352f6e4f9ef63cbbabac6cae41d3de37d26dee4b4890d60b52d51ddbb4
-
SHA512
246a2948f880231fe597a4c6cfb1f8acbbc7173f73752532dd2049697cd4165c6d1e966a1a598d260053e1f4aeebf0472ffedc4aec56c8233899c965c7fc6736
-
SSDEEP
49152:auZju5PuuzE2wJMTFuUPHghJW5eqdCMuWnLBuU5ZHWIcCm:xjuFumw0Fu2gho5e4nLB5L
Malware Config
Extracted
quasar
1.4.1
Office04
45.200.148.155:6060
4b3820e0-d123-49d9-b51e-3c4daa4f6874
-
encryption_key
F8879E9B26846C57C99B6F152F74703E1CC15B8B
-
install_name
SecurityHealthSystray.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
SecurityHealthSystray.exe
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 2 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d951b4352f6e4f9ef63cbbabac6cae41d3de37d26dee4b4890d60b52d51ddbb4.exe"C:\Users\Admin\AppData\Local\Temp\d951b4352f6e4f9ef63cbbabac6cae41d3de37d26dee4b4890d60b52d51ddbb4.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "SecurityHealthSystray.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\SecurityHealthSystray.exe" /rl HIGHEST /f2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
Network
- No results found
-
45.200.148.155:6060 -
45.200.148.155:6060
-
45.200.148.155:6060
-
45.200.148.155:6060
-
45.200.148.155:6060
-
45.200.148.155:6060
-
45.200.148.155:6060
-
45.200.148.155:6060
-
45.200.148.155:6060
-
45.200.148.155:6060
-
45.200.148.155:6060
-
45.200.148.155:6060
-
45.200.148.155:6060
-
45.200.148.155:6060
-
45.200.148.155:6060
-
45.200.148.155:6060
-
45.200.148.155:6060
-
45.200.148.155:6060
-
45.200.148.155:6060
-
45.200.148.155:6060
-
45.200.148.155:6060
-
45.200.148.155:6060
-
45.200.148.155:6060
-
45.200.148.155:6060
-
45.200.148.155:6060
-
45.200.148.155:6060
-
45.200.148.155:6060
-
45.200.148.155:6060
-
45.200.148.155:6060
-
45.200.148.155:6060
-
45.200.148.155:6060
-
45.200.148.155:6060
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7.6MB
-
Filesize
7.6MB
-
Filesize
7.6MB
-
Filesize
7.6MB