Analysis
max time kernel: 148s
max time network: 149s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 01/01/2025, 02:20
Behavioral task behavioral1
Sample: 33aab91831bba3a5fea7f49da16d5506254d66377d3074ff9457af4220be670e.exe
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: 33aab91831bba3a5fea7f49da16d5506254d66377d3074ff9457af4220be670e.exe
Resource: win10v2004-20241007-en
General
Target: 33aab91831bba3a5fea7f49da16d5506254d66377d3074ff9457af4220be670e.exe
Size: 3.2MB
MD5: 64037f2d91fe82b3cf5300d6fa6d21c3
SHA1: 61c8649b92fc06db644616af549ff5513f0f0a6d
SHA256: 33aab91831bba3a5fea7f49da16d5506254d66377d3074ff9457af4220be670e
SHA512: 2a70ef0c4d3a2237175078f0e84cd35d7d595422c3aa5219d6f0fe876f82cf60e1d4f592a58f166cf8175c52d275c21950c5ea421416fee8877dfaec5b9be008
SSDEEP: 49152:Kvkt62XlaSFNWPjljiFa2RoUYISyMDJERHWk/OgRoGduATHHB72eh2NT8:Kv462XlaSFNWPjljiFXRoUYILMDZq+q
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Helper Atanka
C2: 193.203.238.136:8080
Mutex: 14f39659-ca5b-4af7-8045-bed3500c385f
encryption_key: 11049F2AEBDCF8E3A57474CD5FBA40FB2FFC5424
install_name: diskutil.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: diskutil
subdirectory: diskutil
Signatures
Quasar family

Quasar payload 3 IoCs
resource | yara_rule
behavioral1/memory/1924-1-0x0000000001050000-0x0000000001382000-memory.dmp | family_quasar
behavioral1/files/0x0008000000016ca2-6.dat | family_quasar
behavioral1/memory/2700-10-0x0000000000980000-0x0000000000CB2000-memory.dmp | family_quasar

Executes dropped EXE 1 IoCs
pid | Process
2700 | diskutil.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2744 | schtasks.exe
2828 | schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1924 | 33aab91831bba3a5fea7f49da16d5506254d66377d3074ff9457af4220be670e.exe
Token: SeDebugPrivilege | 2700 | diskutil.exe

Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
2700 | diskutil.exe

Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 1924 wrote to memory of 2744 | 1924 | 33aab91831bba3a5fea7f49da16d5506254d66377d3074ff9457af4220be670e.exe | 30
PID 1924 wrote to memory of 2744 | 1924 | 33aab91831bba3a5fea7f49da16d5506254d66377d3074ff9457af4220be670e.exe | 30
PID 1924 wrote to memory of 2744 | 1924 | 33aab91831bba3a5fea7f49da16d5506254d66377d3074ff9457af4220be670e.exe | 30
PID 1924 wrote to memory of 2700 | 1924 | 33aab91831bba3a5fea7f49da16d5506254d66377d3074ff9457af4220be670e.exe | 32
PID 1924 wrote to memory of 2700 | 1924 | 33aab91831bba3a5fea7f49da16d5506254d66377d3074ff9457af4220be670e.exe | 32
PID 1924 wrote to memory of 2700 | 1924 | 33aab91831bba3a5fea7f49da16d5506254d66377d3074ff9457af4220be670e.exe | 32
PID 2700 wrote to memory of 2828 | 2700 | diskutil.exe | 33
PID 2700 wrote to memory of 2828 | 2700 | diskutil.exe | 33
PID 2700 wrote to memory of 2828 | 2700 | diskutil.exe | 33
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\33aab91831bba3a5fea7f49da16d5506254d66377d3074ff9457af4220be670e.exe (depth 1, PID 1924)
  Command line: "C:\Users\Admin\AppData\Local\Temp\33aab91831bba3a5fea7f49da16d5506254d66377d3074ff9457af4220be670e.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\schtasks.exe (depth 2, PID 2744)
    Command line: "schtasks" /create /tn "diskutil" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\diskutil\diskutil.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
  C:\Users\Admin\AppData\Roaming\diskutil\diskutil.exe (depth 2, PID 2700)
    Command line: "C:\Users\Admin\AppData\Roaming\diskutil\diskutil.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\schtasks.exe (depth 3, PID 2828)
      Command line: "schtasks" /create /tn "diskutil" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\diskutil\diskutil.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task
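The two schtasks lines in the tree above are the persistence behind the "Scheduled Task" signature, and they match the extracted config: install_name and subdirectory become the dropped binary C:\Users\Admin\AppData\Roaming\diskutil\diskutil.exe, startup_key becomes the task name diskutil, the trigger is ONLOGON, and /rl HIGHEST /f asks for the highest run level available and silently replaces any existing task of that name. The Python below is an added example, not code from the Triage report or from Quasar: it parses schtasks /create command lines of this shape and lists the persistence indicators each one carries. The sample set is constructed (the two lines from the tree above plus made-up benign and non-create lines), and the switch tables, the directory markers and the indicator list are the example's own assumptions.

```python
"""Flag persistence indicators in 'schtasks /create' command lines.

Added example for this report (not Triage's or Quasar's code). The two
diskutil lines in SAMPLES are copied from the process tree; everything
else here (switch tables, markers, other samples) is a constructed assumption.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Triggers that fire on boot, logon or idle, i.e. without the user doing anything.
AUTORUN_TRIGGERS = {"ONLOGON", "ONSTART", "ONIDLE"}

# Path fragments a standard user can write to (assumed marker list);
# legitimately installed task binaries rarely live under these.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")

# schtasks switches that take a value versus those that stand alone.
VALUE_SWITCHES = {"/tn", "/sc", "/tr", "/rl", "/mo", "/ru", "/rp", "/st", "/sd",
                  "/ed", "/et", "/d", "/m", "/xml", "/ec", "/du", "/ri", "/s", "/u", "/p"}
FLAG_SWITCHES = {"/f", "/it", "/z", "/np", "/v1", "/k", "/create", "/delete", "/query"}

_TOKEN = re.compile(r'"[^"]*"|\S+')  # a quoted string or a bare word


@dataclass
class TaskCreate:
    task_name: str = ""
    schedule: str = ""
    action: str = ""
    run_level: str = ""
    flags: set = field(default_factory=set)


def parse_schtasks_create(cmdline: str) -> Optional[TaskCreate]:
    """Parse a schtasks command line; return None unless it creates a task."""
    tokens = [t.strip('"') for t in _TOKEN.findall(cmdline)]
    if not tokens:
        return None
    image = tokens[0].rsplit("\\", 1)[-1].lower()
    if image not in ("schtasks", "schtasks.exe"):
        return None
    task = TaskCreate()
    i = 1
    while i < len(tokens):
        switch = tokens[i].lower()
        if switch in VALUE_SWITCHES and i + 1 < len(tokens):
            value = tokens[i + 1]
            if switch == "/tn":
                task.task_name = value
            elif switch == "/sc":
                task.schedule = value.upper()
            elif switch == "/tr":
                task.action = value
            elif switch == "/rl":
                task.run_level = value.upper()
            i += 2  # consume the switch and its value
            continue
        if switch in FLAG_SWITCHES:
            task.flags.add(switch)
        i += 1
    return task if "/create" in task.flags else None


def action_executable(action: str) -> str:
    """Best-effort executable name from a /tr value, which may carry
    arguments and directories with spaces (e.g. 'C:\\Program Files\\x\\y.exe --full')."""
    match = re.search(r'([^\\/"]+\.exe)\b', action, re.IGNORECASE)
    if match:
        return match.group(1).lower()
    return action.split()[0].lower() if action else ""


def assess(task: TaskCreate) -> list:
    """Return the persistence indicators present in one parsed task."""
    findings = []
    if task.schedule in AUTORUN_TRIGGERS:
        findings.append(f"/sc {task.schedule}: re-runs without user interaction")
    if task.run_level == "HIGHEST":
        findings.append("/rl HIGHEST: runs with the highest privileges the account holds")
    if any(marker in task.action.lower() for marker in USER_WRITABLE_MARKERS):
        findings.append("action lives in a user-writable directory")
    if "/f" in task.flags:
        findings.append("/f: replaces an existing task of the same name without prompting")
    stem = action_executable(task.action).rsplit(".", 1)[0]
    if stem and stem == task.task_name.lower():
        findings.append("task name mirrors the dropped binary's name")
    return findings


def scan(samples: dict) -> dict:
    """Map each labelled command line to its findings (None if not a /create)."""
    return {label: (None if (t := parse_schtasks_create(c)) is None else assess(t))
            for label, c in samples.items()}


# Constructed sample set: the two lines from the process tree (labelled by
# parent -> child PID) plus made-up benign and non-create lines for contrast.
SAMPLES = {
    "1924->2744": r'"schtasks" /create /tn "diskutil" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\diskutil\diskutil.exe" /rl HIGHEST /f',
    "2700->2828": r'"schtasks" /create /tn "diskutil" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\diskutil\diskutil.exe" /rl HIGHEST /f',
    "benign-backup": r'schtasks /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe --full"',
    "public-updater": r'schtasks /create /tn "Updater" /sc ONLOGON /tr "C:\Users\Public\update.exe"',
    "not-a-create": r'schtasks /query /tn "diskutil"',
}

if __name__ == "__main__":
    for label, findings in scan(SAMPLES).items():
        print(f"{label}: " + ("not a task creation" if findings is None
                               else f"{len(findings)} indicator(s) " + "; ".join(findings)))
```

Both diskutil lines score all five indicators, the public-updater line scores two, and the daily backup scores none. The same parser can be pointed at Sysmon Event ID 1 CommandLine values or at a Triage process tree exported as text; the indicator weighting is deliberately simple so that it can be tuned per environment.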
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.2MB
MD5: 64037f2d91fe82b3cf5300d6fa6d21c3
SHA1: 61c8649b92fc06db644616af549ff5513f0f0a6d
SHA256: 33aab91831bba3a5fea7f49da16d5506254d66377d3074ff9457af4220be670e
SHA512: 2a70ef0c4d3a2237175078f0e84cd35d7d595422c3aa5219d6f0fe876f82cf60e1d4f592a58f166cf8175c52d275c21950c5ea421416fee8877dfaec5b9be008