Analysis
max time kernel: 125s
max time network: 135s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 03:39
Behavioral task: behavioral1
Sample: BITCOIN GEN PRIVATE/Bitcoingens.pdf.exe
Resource: win7-20240903-en
General
Target: BITCOIN GEN PRIVATE/Bitcoingens.pdf.exe
Size: 3.1MB
MD5: 571474cb077262465a4ff6747023b90b
SHA1: be44641489168160ed22ab2b57658a94394441b6
SHA256: 2ba889c691dea990e030ef2707a242017df0f094d8d1eadb37343e82f6417e3f
SHA512: e34117b3c5567843019f84d3b8b849404f4463f67188ed26241839c91e91275c4f916a7bde5dcaaeb0fa625e7bbaf682d60a91ec28d01deaafac3e7afb39ee15
SSDEEP: 49152:WvbI22SsaNYfdPBldt698dBcjH8xRJ6AbR3LoGdUVXmCTHHB72eh2NT:Wvk22SsaNYfdPBldt6+dBcjH8xRJ6al
Malware Config
Extracted family: quasar
Version: 1.4.1
Botnet: Office04
C2: 192.168.56.1:4782
Mutex: 275f2628-c225-4b94-8c3e-6fb61e5e53af
encryption_key: F72BC567B8A2606D9029D70BA29A969A6DEB42D8
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures
Quasar family
Quasar payload (3 IoCs)
  resource: behavioral1/memory/2456-1-0x00000000002F0000-0x0000000000614000-memory.dmp, yara_rule: family_quasar
  resource: behavioral1/files/0x0008000000016f02-4.dat, yara_rule: family_quasar
  resource: behavioral1/memory/2324-9-0x0000000000990000-0x0000000000CB4000-memory.dmp, yara_rule: family_quasar
Executes dropped EXE (1 IoC)
  pid: 2324, Process: Client.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid: 2356, Process: schtasks.exe
  pid: 2448, Process: schtasks.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege, pid: 2456, Process: Bitcoingens.pdf.exe
  description: Token: SeDebugPrivilege, pid: 2324, Process: Client.exe
Suspicious use of FindShellTrayWindow (1 IoC)
  pid: 2324, Process: Client.exe
Suspicious use of SendNotifyMessage (1 IoC)
  pid: 2324, Process: Client.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  pid: 2324, Process: Client.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description: PID 2456 wrote to memory of 2356, pid: 2456, Process: Bitcoingens.pdf.exe, procid_target: 31
  description: PID 2456 wrote to memory of 2356, pid: 2456, Process: Bitcoingens.pdf.exe, procid_target: 31
  description: PID 2456 wrote to memory of 2356, pid: 2456, Process: Bitcoingens.pdf.exe, procid_target: 31
  description: PID 2456 wrote to memory of 2324, pid: 2456, Process: Bitcoingens.pdf.exe, procid_target: 33
  description: PID 2456 wrote to memory of 2324, pid: 2456, Process: Bitcoingens.pdf.exe, procid_target: 33
  description: PID 2456 wrote to memory of 2324, pid: 2456, Process: Bitcoingens.pdf.exe, procid_target: 33
  description: PID 2324 wrote to memory of 2448, pid: 2324, Process: Client.exe, procid_target: 34
  description: PID 2324 wrote to memory of 2448, pid: 2324, Process: Client.exe, procid_target: 34
  description: PID 2324 wrote to memory of 2448, pid: 2324, Process: Client.exe, procid_target: 34
Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\BITCOIN GEN PRIVATE\Bitcoingens.pdf.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\BITCOIN GEN PRIVATE\Bitcoingens.pdf.exe"
    PID: 2456
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\schtasks.exe
        command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        PID: 2356
        - Scheduled Task/Job: Scheduled Task
    [2] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        PID: 2324
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\schtasks.exe
            command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
            PID: 2448
            - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15