Analysis
max time kernel: 156s
max time network: 157s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 16:27
Behavioral task
behavioral1
Sample: Windows.exe
Resource: win7-20240903-en
General
Target: Windows.exe
Size: 3.2MB
MD5: 2a2ec1a8ea615248287faf97abd445e5
SHA1: 0eea3289dec3fb5c6efa3c09bc65796fd71ffcbf
SHA256: 75ed322604b0d21200fce3180cd91a659dfb0f788cc8037e32305054364a90bb
SHA512: 0911c8bc8992ec1f36e4be276b59cc285a15fdaf2ad6abc724dbe26de8455bb752bec6d0c8aca6e14be303c6474292d3ce64cd5348be8ba2450a6323138fd30d
SSDEEP: 49152:Hv2I22SsaNYfdPBldt698dBcjH8JRJ6BbR3LoGdujTHHB72eh2NT:Hvb22SsaNYfdPBldt6+dBcjH8JRJ6j
Malware Config
Extracted
family: quasar
version: 1.4.1
tag: Pedo (the page leaves this field unlabeled; in Quasar's client settings it is the TAG string used to group victims in the C2 panel)
c2: 82.65.180.207:5986
mutex: a4c2b814-ab22-4cf2-9f11-52931b6b15b3 (unlabeled on the page; Quasar uses a GUID of this form as its client mutex name)
encryption_key: 6A4706C957DF851DA854AED16AB5CE4562B9C4D4
install_name: serv-microsoft.exe
log_directory: Logs
reconnect_delay: 4000 (milliseconds between C2 reconnection attempts)
startup_key: windows
subdirectory: SubDir
Signatures
- Quasar family
- Quasar payload (1 IoC)
  resource: behavioral1/memory/2384-1-0x00000000001F0000-0x0000000000520000-memory.dmp, yara_rule: family_quasar
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 3028, process schtasks.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 2384, process Windows.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 2384, process Windows.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 2384 (Windows.exe) wrote to memory of PID 3028 (schtasks.exe), procid_target 30; the same row is recorded three times. Writes from a parent into a child it has just spawned are routinely logged by sandboxes as part of process creation and are not, on their own, evidence of code injection into schtasks.exe.
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\Windows.exe (PID 2384)
  command line: "C:\Users\Admin\AppData\Local\Temp\Windows.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\schtasks.exe (PID 3028, child of PID 2384)
    command line: "schtasks" /create /tn "windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\serv-microsoft.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

The scheduled task ties the observed behaviour back to the extracted config: the task name "windows" is the startup_key, and the target path %APPDATA%\SubDir\serv-microsoft.exe is subdirectory plus install_name. Registering it with /sc ONLOGON and /rl HIGHEST relaunches the implant at every logon of that user with the highest privileges the user's token allows, without a UAC prompt; /f replaces any existing task of the same name silently.
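The schtasks command line above, turned into a check a detection engineer can run over collected process command lines (from EDR telemetry, Sysmon event 1 or a sandbox export). This is an added example for this page, not tria.ge or Quasar code: the scoring weights, the threshold and the second, benign command line are assumptions chosen to show which properties of the Quasar task stand out from a normal administrative task.

```python
# Added example for this report (not tria.ge or Quasar code): score
# `schtasks /create` command lines the way a detection engineer might.
# Weights, threshold and the "benign" sample are assumptions.
from __future__ import annotations

import ntpath
import re
import shlex
from dataclasses import dataclass

SAMPLES = {
    # The command line from the process tree above.
    "quasar": '"schtasks" /create /tn "windows" /sc ONLOGON '
              '/tr "C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\serv-microsoft.exe" '
              '/rl HIGHEST /f',
    # Constructed benign baseline: vendor path, daily schedule, no elevation.
    "benign": 'schtasks /create /tn "Backup Nightly" /sc DAILY /st 02:00 '
              '/tr "C:\\Program Files\\Acme\\backup.exe --full"',
}

BOOL_FLAGS = {"create", "f", "z", "it", "np", "v1", "hresult", "?"}  # switches that take no value
BRAND_WORDS = ("microsoft", "windows", "google", "adobe", "update", "svchost", "system")
USER_WRITABLE = re.compile(r"\\(?:AppData\\(?:Roaming|Local)|ProgramData|Temp|Downloads|Desktop)\\", re.I)
TRUSTED_ROOT = re.compile(r"^[a-z]:\\(?:windows|program files(?: \(x86\))?)\\", re.I)
THRESHOLD = 4  # assumption: a total at or above this is flagged


@dataclass
class TaskCreate:
    name: str       # /tn
    schedule: str   # /sc
    run: str        # /tr, program plus any arguments
    run_level: str  # /rl
    force: bool     # /f


def parse_schtasks(cmd: str) -> TaskCreate | None:
    """Return the /create parameters, or None if cmd is not a schtasks /create."""
    # posix=False keeps Windows backslashes and quoted paths intact.
    toks = [t[1:-1] if len(t) > 1 and t[0] == t[-1] == '"' else t
            for t in shlex.split(cmd, posix=False)]
    if not toks or ntpath.basename(toks[0]).lower() not in ("schtasks", "schtasks.exe"):
        return None
    flags: dict[str, str | bool] = {}
    i = 1
    while i < len(toks):
        if not toks[i].startswith("/"):
            i += 1
            continue
        key = toks[i][1:].lower()
        if key in BOOL_FLAGS or i + 1 == len(toks) or toks[i + 1].startswith("/"):
            flags[key], i = True, i + 1
        else:
            flags[key], i = toks[i + 1], i + 2
    if "create" not in flags:
        return None
    return TaskCreate(str(flags.get("tn", "")), str(flags.get("sc", "")).upper(),
                      str(flags.get("tr", "")), str(flags.get("rl", "")).upper(), "f" in flags)


def program_from_run(run: str) -> str:
    """Recover the executable from a /tr value that may also carry arguments."""
    run = run.strip()
    if run.startswith('"'):
        end = run.find('"', 1)
        return run[1:end] if end > 0 else run[1:]
    m = re.match(r"(.*?\.(?:exe|com|scr|bat|cmd|vbs|js|ps1|dll))(?:\s|$)", run, re.I)
    return m.group(1) if m else (run.split()[0] if run else "")


def score_task(task: TaskCreate) -> tuple[int, list[str]]:
    """Add up persistence-abuse indicators; the reasons come back for the analyst."""
    prog = program_from_run(task.run)
    base = ntpath.basename(prog).lower()
    checks = [
        (task.schedule in ("ONLOGON", "ONSTART"), 1, f"re-runs on every {task.schedule.lower()}"),
        (task.run_level == "HIGHEST", 2, "requests /rl HIGHEST (elevated token, no UAC prompt)"),
        (bool(USER_WRITABLE.search(prog)), 2, f"program sits in a user-writable path: {prog}"),
        (any(w in base for w in BRAND_WORDS) and not TRUSTED_ROOT.match(prog), 1,
         f"filename {base!r} imitates a vendor/system name outside Windows or Program Files"),
        (any(w in task.name.lower() for w in BRAND_WORDS), 1, f"impersonating task name {task.name!r}"),
        (task.force, 1, "/f silently replaces an existing task of the same name"),
    ]
    hits = [(w, why) for ok, w, why in checks if ok]
    return sum(w for w, _ in hits), [why for _, why in hits]


def triage(cmd: str) -> dict:
    task = parse_schtasks(cmd)
    if task is None:
        return {"parsed": False, "score": 0, "suspicious": False, "reasons": []}
    score, reasons = score_task(task)
    return {"parsed": True, "task": task.name, "program": program_from_run(task.run),
            "score": score, "suspicious": score >= THRESHOLD, "reasons": reasons}


if __name__ == "__main__":
    for label, cmd in SAMPLES.items():
        r = triage(cmd)
        print(f"[{label}] score={r['score']} suspicious={r['suspicious']}")
        for why in r["reasons"]:
            print("   -", why)
```

The report's command line trips every rule (ONLOGON, /rl HIGHEST, a binary under AppData\Roaming, a Microsoft-flavoured filename, a task named "windows", and /f), while the baseline scores zero. In production the same parse feeds a Sigma-style rule or an enrichment step; the point of returning the reasons rather than a bare verdict is that an analyst reviewing a hit can see which of the Quasar traits from this report were matched.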