Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
29s -
max time network
31s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
01/01/2025, 01:27
General
-
Target
HsSGqhA8hLnRhzEU.exe
-
Size
2.9MB
-
MD5
cff6d32fcf161fee5537d671088a9c69
-
SHA1
b7e25d124e1104d9f5e4db75189d1040523166c8
-
SHA256
28152bd25dcb79c1fe7f7fc8a8ca1990567dc9bc46385139908978a1bdf61c37
-
SHA512
5e63001d649d80634273e8cdb7143d7c423f2b2e210e4f16982126726bf0ff6792edc6ffc131fc89826d5ff9f2ab396d0f220fbaf305682eb0495f55080921e8
-
SSDEEP
49152:tIe8YWczZM9/RYOcsTo1pWYXb7PfbRpRhtjsA5LZVVIbiF30QHWgwQXST:tGYLq9/RYOlTo//DRpRHjsQZJNLeQXc
Malware Config
Extracted
quasar
-
encryption_key
cjAti90cIswbpuxF3OyR
-
reconnect_delay
1200
Signatures
-
Contains code to disable Windows Defender 5 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 5 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 17 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 3 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 54 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\HsSGqhA8hLnRhzEU.exe"C:\Users\Admin\AppData\Local\Temp\HsSGqhA8hLnRhzEU.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\HsSGqhA8hLnRhzEU.exe"C:\Users\Admin\AppData\Local\Temp\HsSGqhA8hLnRhzEU.exe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\4c47UZqDTLxzUk4G.exe"C:\Users\Admin\AppData\Local\Temp\4c47UZqDTLxzUk4G.exe" 03⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\t7Q76efrM7xVSp6Q.exe"C:\Users\Admin\AppData\Local\Temp\t7Q76efrM7xVSp6Q.exe" 03⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
-
-
C:\Users\Admin\AppData\Local\Temp\ServiceRelay.exe"C:\Users\Admin\AppData\Local\Temp\ServiceRelay.exe" 03⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "ProtecSys" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\ServiceRelay.exe" /rl HIGHEST /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SystemServiceProvider\ServiceClient.exe"C:\Users\Admin\AppData\Roaming\SystemServiceProvider\ServiceClient.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "ProtecSys" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SystemServiceProvider\ServiceClient.exe" /rl HIGHEST /f5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7BnjanPv4Fys.bat" "5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650016⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost6⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SystemServiceProvider\ServiceClient.exe"C:\Users\Admin\AppData\Roaming\SystemServiceProvider\ServiceClient.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "ProtecSys" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SystemServiceProvider\ServiceClient.exe" /rl HIGHEST /f7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Y86eHBC30Ec2.bat" "7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650018⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost8⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SystemServiceProvider\ServiceClient.exe"C:\Users\Admin\AppData\Roaming\SystemServiceProvider\ServiceClient.exe"8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "ProtecSys" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SystemServiceProvider\ServiceClient.exe" /rl HIGHEST /f9⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BA5Cyerkld5P.bat" "9⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500110⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost10⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 22249⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 22047⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 21925⤵
- Program crash
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2032 -ip 20321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4844 -ip 48441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4408 -ip 44081⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
295KB
MD508481f11e5fe4894a359305f22db416f
SHA17ea518a53bf02495781b163a1289ce83eaa46127
SHA25667de8f33db4ace58a818fc5aed65d860417bf4dd14a1bd5fd7d3a395a8ff7aa3
SHA51274058bd670208222b98443fae3e3e66e1dd8e57a7fe9cdb5d9f5aa134ed1b5945333d820573c12e965910e9c3ca245abfbdd84df1d371d797c59e70ae5630eb4
-
Filesize
229B
MD597b35355167b545423b424e22171f512
SHA169e74b4db7c212c31fdcb67bc81c13ad9d0ba040
SHA25608c3e89ab776d0102cf9bb68274906dcd4fc526783e91936f99c8403b2ae9f27
SHA512e3deca0ceedabd74f95e960ee244529241ce1498c8089bf70c26fc4a676ee7b97c6403e56b9a6d6088fe5aca5c9fc08d15bccc3be7e5940af4081ae2eaae9bda
-
Filesize
229B
MD543e26ff229796481333b7763b1ed79f3
SHA15e4e55eac6ded6855a2541702adf1b0e2665c743
SHA256fd01054f8cc43a335c1cd713e0bd1061ba05b8389f422ea065dc053c49558ec7
SHA51294314c5a70f6acb735e9873493be9439fb2e8503bfca7282c9e26cf4803a6ed25c8fa5e5821c0109b7cf3c84094cdc53f25b82a23a3ad3654e7044b87cd3bd30
-
Filesize
741KB
MD5ecd249a261ceecdb80e0b4bf001ba8ad
SHA12e271018594cac23b87ea0b60b6c6763dbbb0d23
SHA256bc681f240cda963c599b492b5876f47f624dba3867ea2954d94b93a6c258701f
SHA512af4c6bc71b714a7a030ab6bcd8ef2f4a0444242c969e514ba15bc6a8184642b89ae08406dbb952d389ec2641100d8e18a2d0e3f74d62dff81171898a17ecc6d8
-
Filesize
229B
MD58359f052e73ebfb6bd49aabfdc7f774f
SHA1f0ddad1eb99adf7bacec37e21cdb7effe1aea6ef
SHA2565fdc26eb7bfe32f19b7c0c66f5aeaaa638c4cc7b74f2220e070a064576f5b1b3
SHA51217a6915a60afbc0843041ea9f3e3a48776f564c30b9f443a236c156ed18e54d7875296cda9ad74300152907331cd778a3823be4690d0b01aab4a3b5837d09a34
-
Filesize
9KB
MD52a4441134fc12a6d704d1f4b2ab58876
SHA10367169489fa0854d10f6cc0e57392d640d92b36
SHA25642997d05907d02764463b0fbfbfc86a03df8ab6399836cd6511129802b9a2492
SHA512d60bbed90aa1e2547371f2342ed083e068a1933a69df8a7b924e1caa3d7b1e49b33c0bba0c3f261271005a0a8c487679e89f8d2fa0d6169fc7391e4a358000d8
-
Filesize
224B
MD59eedef8aa177f47d404a958022f2f169
SHA1bb2e2128f6fc72280456cec29d79166bd72406b2
SHA25636fe6db2cc2a14e1ac8cbb5926f20625eee05ab48b381e733b2a2a23fd9bde8b
SHA51278341e35f91022a9d33f0a3b412576d6d765d0d43e251c99b4009f5777aa39ddb11bd5b737172111e86df55a476054decfec01482210f76b507eb30a474038ee
-
Filesize
224B
MD58e566a2668916fa97fec2f20784c1cfc
SHA1d52e0ba6758b242f84713888840c1566c9887e1a
SHA2560b334239d2a4701f770ace2a5906386492e7488795d7da45e46be510bbc8fbe6
SHA51264b1f546e33b308b5d02e5a7846607f2839a504b4603032cbbab3aa17833db614d46015eb9c53773be27aa9dd1f95faceed08a0981219b41b6db5cb2ae0eef3d
-
Filesize
2.9MB
-
Filesize
2.9MB
-
Filesize
2.9MB
-
Filesize
472KB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
2.9MB
-
Filesize
2.9MB
-
Filesize
5.6MB
-
Filesize
4KB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
408KB
-
Filesize
768KB
-
Filesize
8KB
-
Filesize
32KB