Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
22/12/2024, 02:29
General
-
Target
EUPHORIA SPOOFER.exe
-
Size
3.1MB
-
MD5
747da4cd939f55760c8f05ac18379274
-
SHA1
8c97e718177a7ebc5be519416092434b1eb703e0
-
SHA256
3f5ad363ca773fa11543df4a54c4f1b44b19cd1c7eb58a13e1153acd52d523c2
-
SHA512
9ce808076587fc6be47d851556cba2336572ca8b971ea65546e0ca6cb6908ca32d73f67a9cd42702bc1dece1e0d4a7f4f1516160f31667016d5a51f7acc8d35f
-
SSDEEP
49152:SvCY52fyaSZOrPWluWBuGG5g5h5BssdpSLoGdSTHHB72eh2NT:Sv352fyaSZOrPWluWBDG5g5hrsD
Malware Config
Extracted
quasar
1.4.1
Office04
JJ:4782
9a10c5be-59aa-4915-9bd2-d92256f2c938
-
encryption_key
83ADBC9532F819159CF9138DCD18B9BF646C2117
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Discord
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 2 IoCs
-
Checks computer location settings 2 TTPs 12 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 12 IoCs
-
Drops file in System32 directory 27 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 12 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
-
Suspicious use of FindShellTrayWindow 12 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\EUPHORIA SPOOFER.exe"C:\Users\Admin\AppData\Local\Temp\EUPHORIA SPOOFER.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\SubDir\Client.exe"C:\Windows\system32\SubDir\Client.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uWPxAtIx2YZH.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650014⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost4⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\SubDir\Client.exe"C:\Windows\system32\SubDir\Client.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f5⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iL8qSIGuJrFK.bat" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\SubDir\Client.exe"C:\Windows\system32\SubDir\Client.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f7⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1HReSi7Vt78i.bat" "7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650018⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost8⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\SubDir\Client.exe"C:\Windows\system32\SubDir\Client.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f9⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sCRyNsB2hTri.bat" "9⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500110⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost10⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\SubDir\Client.exe"C:\Windows\system32\SubDir\Client.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f11⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uSop6KcyXZp2.bat" "11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500112⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\SubDir\Client.exe"C:\Windows\system32\SubDir\Client.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f13⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yfv99r23Q3Gq.bat" "13⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500114⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\SubDir\Client.exe"C:\Windows\system32\SubDir\Client.exe"14⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f15⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0z8luQEBovjL.bat" "15⤵
-
C:\Windows\system32\chcp.comchcp 6500116⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\SubDir\Client.exe"C:\Windows\system32\SubDir\Client.exe"16⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f17⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RrKP8zebWC1f.bat" "17⤵
-
C:\Windows\system32\chcp.comchcp 6500118⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost18⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\SubDir\Client.exe"C:\Windows\system32\SubDir\Client.exe"18⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f19⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9K77PQyqwpau.bat" "19⤵
-
C:\Windows\system32\chcp.comchcp 6500120⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost20⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\SubDir\Client.exe"C:\Windows\system32\SubDir\Client.exe"20⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f21⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vGX1iRNZXhnT.bat" "21⤵
-
C:\Windows\system32\chcp.comchcp 6500122⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost22⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\SubDir\Client.exe"C:\Windows\system32\SubDir\Client.exe"22⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f23⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VHazoBeyOgzH.bat" "23⤵
-
C:\Windows\system32\chcp.comchcp 6500124⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost24⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\SubDir\Client.exe"C:\Windows\system32\SubDir\Client.exe"24⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f25⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2V0FbitDDokn.bat" "25⤵
-
C:\Windows\system32\chcp.comchcp 6500126⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost26⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD58f0271a63446aef01cf2bfc7b7c7976b
SHA1b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA51278a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5
-
Filesize
196B
MD5023678a533f9fc815bcb85493537b836
SHA11ee43db05ea00b76a8d30b1fac8acab17ef87433
SHA2567ac714e09cf9394c7d1de210a6e3e4f045d38b06462bd48500ef3e448643a1c7
SHA51275b6d267bf5950bb6fdf6983e7cf2642bc990206728a664b634822857b84cea1c1e80496b13f2fd219ebca08e96cca5887a16eb7dc8034930c897fe62c335b30
-
Filesize
196B
MD5ac5791823aa3cae24f48db26a5f06483
SHA1f7cf2b2b81e9d8a1ac7d15d8ae6ad0c343ca8ac1
SHA2560a45aba2b675acb08de40436b0b40e11297c030e9e07b6adb9bd0472801765f7
SHA51249fad00a9626fb25f63e3e72ecf10fe56b97e31f4962b15607d51eb8bed011ae2dd925c4f15fca7121a6a504ab3aaeb6aab7d2945e1d1267f1f92cec62453837
-
Filesize
196B
MD522b59dd6113e2503fcd3b67d6cfd359c
SHA1ca8d50eff76aea3534282ca0d161e515ce652eaa
SHA256fa595036f4c1475201c47ea8da60901832f1aa83f07067c7ed056333f2f6400f
SHA512b9e0fd59bc7a26fd80f1cc7b014ef5fb3b69766acdc24aedcd96a3f20635945138589a2c5c30a5939e6e447f5aeb63f203d07ae4f59c9b09bbf7fcd7919cd951
-
Filesize
196B
MD5d56631d2685adeaa9dff7384284757a2
SHA123a4bc2c4e5a2b2793040690d1564fa91e9bedfd
SHA25670a462349605e19c4692e7dfc0e3ef4c700984b2810a6440d12aeda8ebb5b3a8
SHA512115ad4dcba6cff1d9bf095c4c8fe5931a1d70b85cd187ded023704b4da65b2fc62d8554f865ef9ce5c9a347a57c5385162ff5f1ede9e5ce6c38bf48af514b7ec
-
Filesize
196B
MD5d2161760eb37ee5812564a6262bb4930
SHA1fdb343ceceb6f55979eeaefe1f916e00180bef41
SHA256c12795781cef4bed226ffc570f0e2bd85c5ce662711813027451f8819b588594
SHA512df50760899a7a832ea1763909728ea895c3583211b32214d7e6053fafb301450086f8a4c9093bba02cc20b35ef22fea34850b7ee1da6ea5c00f769f1fa4b9984
-
Filesize
196B
MD510819401a8c412563afd25a67346198e
SHA1d6c90d9090f30392c36d1243e0c9fb06d3caf08a
SHA256ab17fe5f1e56dfc34240a28863208532faac5f3642e1934d06a2d351b9a62547
SHA5123cf28d5cc4de92169a7cf6c46354d0745b29dade18e436a92cd02b058d1e4494945079667b8ccafcfe06ab078a7620f3c8873746f166b31ccf8fc65a7eba50ba
-
Filesize
196B
MD5382fb366b995e164f975035fdd7c48e9
SHA1c2846b97139d81745bc193d381c02f50e6972281
SHA256658a0344c76300da741f1f5d357e1e8f0f3cdac7f0782cf4197c2e66471f090d
SHA512c582c3fc7dfcf47b3ea15791d773a2aada82876c98912a556ddc213f84330f66250684ea2e624c1ffaba086c638a905b45443cbca38969daf0122a07c42a5bf9
-
Filesize
196B
MD5861451e13de7f94bd379121929a95c45
SHA12ead066c43b79c2cf1b0c422e58a3bcca3032556
SHA256987f96255f43ded32521ed789c70d00dfe9daee39952d22823f4a30b1c13757c
SHA512810beb2b5c6f2555278dc434bcd55f23975aa75fae985f34fb64ee7ea88646bc3990b779313bcb83a2f63439250dd032410c824e6ed8bf1cff8dfdd8743bb132
-
Filesize
196B
MD5edf70fbf25fcb366fb767763786bf6c2
SHA1619ba3db179f0489be253f0eafee7c52eb1d95d8
SHA25654dc56363c893d171903e50c8bde7b322c8ea420145e8473ad5c4b1828d0a62c
SHA5125448b82a85d2619ceab911705d8ac49e65431caf32981d81f2492b14fdcc6ffd16be795499dc25ed998b33d5d878f7cdd5c465904a1641ecf2a6b04403a2430d
-
Filesize
196B
MD5190346c085b03e00fd9a6c645c115190
SHA15d39802dd97ace2d0066dec06b8e4356f5b45bb4
SHA256ed981a4963b87817f58741801dd01430aa932f5b48a3a9c82e6ff1ee7c07affc
SHA512510d4a184dac2834bc08f176337a3f9bcfd3902c6695eef485fcaefec28c7189bfafa5b0fc12a8abfa5884047e801deddb89dde5942886e45e220a01b2a23d39
-
Filesize
196B
MD5f392858fd6c8aabb2c9cb68eebb14fbb
SHA16789d928ddb3d2d43312a67cdf5ffe76593901b5
SHA2567109dbda20907dd89750886d14424b8e7decbc5467e23e75989e821ba990c200
SHA51219de2aa6da05c0e927393942edc0c568f9b364c6daf4e0fa72ff227d3253b278e66a6e97400c98976bfa79af9735c17d8190dc135fb1ab05235bd60312c8a67e
-
Filesize
196B
MD5a32a7f0457a56cebd01386271cceaf1e
SHA177f786e6805251aa5afb5f9f5d3cb77b489d96e4
SHA25662035c3efcca71eac95f25c4fec649d260539c52ab2ed7f033ed24130672cac8
SHA51225e5228614ffef5e70be392b7f41112637cbed5194622f71f42a4336329605dd9daa1d5f54e268376ef117a73526246c66a097d59ed8592d1e848b95eaa0456b
-
Filesize
3.1MB
MD5747da4cd939f55760c8f05ac18379274
SHA18c97e718177a7ebc5be519416092434b1eb703e0
SHA2563f5ad363ca773fa11543df4a54c4f1b44b19cd1c7eb58a13e1153acd52d523c2
SHA5129ce808076587fc6be47d851556cba2336572ca8b971ea65546e0ca6cb6908ca32d73f67a9cd42702bc1dece1e0d4a7f4f1516160f31667016d5a51f7acc8d35f
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
3.1MB
-
Filesize
10.8MB
-
Filesize
712KB
-
Filesize
320KB
-
Filesize
10.8MB
-
Filesize
10.8MB