
Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/12/2024, 10:07 UTC

General

  • Target

    testingfile.exe

  • Size

    3.1MB

  • MD5

    4489c3282400ad9e96ea5ca7c28e6369

  • SHA1

    91a2016778cce0e880636d236efca38cf0a7713d

  • SHA256

    cc68b1903e22d22e6f0a29bcdf46825d5c57747d8eb3a75672a4d6930f60fe77

  • SHA512

    adaeab8aa666057ff008e86f96ae6b9a36ff2f276fdd49f6663c300357f3dc10f59fac7700bb385aa35887918a830e18bddaa41b3305d913566f58aa428a72b0

  • SSDEEP

    49152:fvmI22SsaNYfdPBldt698dBcjH+ixNESEtk/i/LoGdCUTHHB72eh2NT:fvr22SsaNYfdPBldt6+dBcjHTx0D

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

testinghigger-42471.portmap.host:42471

Mutex

7a5f2afa-38ce-4bed-8e42-d1108199a2b3

Attributes
  • encryption_key

    0F8B61E5223AD57FA54A04631691138A0F76FAE4

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    wod2

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\testingfile.exe
    "C:\Users\Admin\AppData\Local\Temp\testingfile.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2184
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2396
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2432

Network

  DNS lookup (Client.exe via 8.8.8.8:53)
    Request:  testinghigger-42471.portmap.host  IN A
    Response: testinghigger-42471.portmap.host  IN A  193.161.193.99

  Connections (all initiated by Client.exe)

  Remote address          Domain                              Protocol  Process     Sent    Received  Packets sent  Packets received
  193.161.193.99:42471    testinghigger-42471.portmap.host    tls       Client.exe  363 B   549 B     5             3
  193.161.193.99:42471    testinghigger-42471.portmap.host    tls       Client.exe  363 B   549 B     5             3
  193.161.193.99:42471    testinghigger-42471.portmap.host    tls       Client.exe  363 B   549 B     5             3
  193.161.193.99:42471    testinghigger-42471.portmap.host    tls       Client.exe  363 B   549 B     5             3
  193.161.193.99:42471    testinghigger-42471.portmap.host    tls       Client.exe  363 B   549 B     5             3
  193.161.193.99:42471    testinghigger-42471.portmap.host    tls       Client.exe  363 B   549 B     5             3
  193.161.193.99:42471    testinghigger-42471.portmap.host    tls       Client.exe  363 B   549 B     5             3
  193.161.193.99:42471    testinghigger-42471.portmap.host    tls       Client.exe  409 B   1.0kB     6             4
  193.161.193.99:42471    testinghigger-42471.portmap.host    tls       Client.exe  363 B   549 B     5             3
  193.161.193.99:42471    testinghigger-42471.portmap.host    tls       Client.exe  363 B   549 B     5             3
  193.161.193.99:42471    testinghigger-42471.portmap.host    tls       Client.exe  415 B   549 B     6             3
  193.161.193.99:42471    testinghigger-42471.portmap.host    tls       Client.exe  409 B   1.0kB     6             4
  193.161.193.99:42471    testinghigger-42471.portmap.host    (none)    Client.exe  244 B   104 B     5             2
  193.161.193.99:42471    testinghigger-42471.portmap.host    tls       Client.exe  561 B   1.1kB     9             5
  193.161.193.99:42471    testinghigger-42471.portmap.host    tls       Client.exe  415 B   549 B     6             3
  193.161.193.99:42471    testinghigger-42471.portmap.host    tls       Client.exe  457 B   1.1kB     7             5
  193.161.193.99:42471    testinghigger-42471.portmap.host    tls       Client.exe  461 B   1.1kB     7             5
  193.161.193.99:42471    testinghigger-42471.portmap.host    tls       Client.exe  363 B   549 B     5             3
  193.161.193.99:42471    testinghigger-42471.portmap.host    tls       Client.exe  461 B   1.1kB     7             5
  193.161.193.99:42471    testinghigger-42471.portmap.host    tls       Client.exe  363 B   549 B     5             3
  193.161.193.99:42471    testinghigger-42471.portmap.host    tls       Client.exe  409 B   1.0kB     6             4
  193.161.193.99:42471    testinghigger-42471.portmap.host    tls       Client.exe  680 B   1.1kB     9             6
  193.161.193.99:42471    testinghigger-42471.portmap.host    tls       Client.exe  363 B   549 B     5             3
  8.8.8.8:53              testinghigger-42471.portmap.host    dns       Client.exe  78 B    94 B      1             1

  The dns row is the lookup shown above: request for testinghigger-42471.portmap.host, response 193.161.193.99.

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

    Filesize

    3.1MB

    MD5

    4489c3282400ad9e96ea5ca7c28e6369

    SHA1

    91a2016778cce0e880636d236efca38cf0a7713d

    SHA256

    cc68b1903e22d22e6f0a29bcdf46825d5c57747d8eb3a75672a4d6930f60fe77

    SHA512

    adaeab8aa666057ff008e86f96ae6b9a36ff2f276fdd49f6663c300357f3dc10f59fac7700bb385aa35887918a830e18bddaa41b3305d913566f58aa428a72b0

  • memory/2320-0-0x000007FEF5E03000-0x000007FEF5E04000-memory.dmp

    Filesize

    4KB

  • memory/2320-1-0x0000000000080000-0x00000000003A4000-memory.dmp

    Filesize

    3.1MB

  • memory/2320-2-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

    Filesize

    9.9MB

  • memory/2320-9-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

    Filesize

    9.9MB

  • memory/2396-8-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

    Filesize

    9.9MB

  • memory/2396-10-0x0000000000EF0000-0x0000000001214000-memory.dmp

    Filesize

    3.1MB

  • memory/2396-11-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

    Filesize

    9.9MB

  • memory/2396-12-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

    Filesize

    9.9MB
