Analysis
max time kernel: 94s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2024, 16:27
Behavioral task
behavioral1
Sample: Windows.exe
Resource: win7-20240903-en
General
Target: Windows.exe
Size: 3.2MB
MD5: 2a2ec1a8ea615248287faf97abd445e5
SHA1: 0eea3289dec3fb5c6efa3c09bc65796fd71ffcbf
SHA256: 75ed322604b0d21200fce3180cd91a659dfb0f788cc8037e32305054364a90bb
SHA512: 0911c8bc8992ec1f36e4be276b59cc285a15fdaf2ad6abc724dbe26de8455bb752bec6d0c8aca6e14be303c6474292d3ce64cd5348be8ba2450a6323138fd30d
SSDEEP: 49152:Hv2I22SsaNYfdPBldt698dBcjH8JRJ6BbR3LoGdujTHHB72eh2NT:Hvb22SsaNYfdPBldt6+dBcjH8JRJ6j
Malware Config
Extracted
quasar
1.4.1
Pedo
82.65.180.207:5986
a4c2b814-ab22-4cf2-9f11-52931b6b15b3
encryption_key: 6A4706C957DF851DA854AED16AB5CE4562B9C4D4
install_name: serv-microsoft.exe
log_directory: Logs
reconnect_delay: 4000
startup_key: windows
subdirectory: SubDir
Signatures
Quasar family
Quasar payload (1 IoCs)
  resource: behavioral2/memory/4752-1-0x0000000000880000-0x0000000000BB0000-memory.dmp; yara_rule: family_quasar
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid: 3488; process: schtasks.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege; pid: 4752; process: Windows.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid: 4752; process: Windows.exe
Suspicious use of WriteProcessMemory (2 IoCs)
  description: PID 4752 wrote to memory of 3488; pid: 4752; process: Windows.exe; procid_target: 82
  description: PID 4752 wrote to memory of 3488; pid: 4752; process: Windows.exe; procid_target: 82
Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
1. C:\Users\Admin\AppData\Local\Temp\Windows.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\Windows.exe"
   PID: 4752
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SYSTEM32\schtasks.exe
      command line: "schtasks" /create /tn "windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\serv-microsoft.exe" /rl HIGHEST /f
      PID: 3488
      - Scheduled Task/Job: Scheduled Task