Analysis
  max time kernel:  49s
  max time network: 43s
  platform:         windows10-2004_x64
  resource:         win10v2004-20241007-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        18/01/2025, 23:29
General
  Target: ligma_menu.exe
  Size:   3.1MB
  MD5:    5d585eaddfaddd8dad1d752c0bbaa34a
  SHA1:   f42906d58c5a404cdc349b7a98c087c1e500b21b
  SHA256: b37cf25cf1b1df68f13bba06d62439fde48b2b08156691baf36b1506a6242d0f
  SHA512: 31705030c280f617ad87087e0aa3079a661bcb74fa7d8f5d93dc3bae2239f1de5f7b2f48dd9f88051695a64673ee09a4d19a7705fe3d3942aa2d46668777bde2
  SSDEEP: 49152:mvyI22SsaNYfdPBldt698dBcjHdoSgYWboGZ4rTHHB72eh2NT:mvf22SsaNYfdPBldt6+dBcjHdoSgY0
Malware Config
  Extracted
    Family:          quasar
    Version:         1.4.1
    Botnet:          Office04
    C2:              192.168.1.184:4782
    Mutex:           3b3d8c23-815f-460c-a0d4-67d49cd2682d
    encryption_key:  1758FB18D23634847927348E0CD6C3963ABFE0AB
    install_name:    Client.exe
    log_directory:   Logs
    reconnect_delay: 3000
    startup_key:     Quasar Client Startup
    subdirectory:    SubDir
Signatures

Quasar family

Quasar payload (2 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/2004-1-0x0000000000970000-0x0000000000C94000-memory.dmp   family_quasar
  behavioral1/files/0x0008000000023c94-6.dat                                   family_quasar

Executes dropped EXE (1 IoC)
  pid    Process
  4448   Client.exe

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description         ioc                                                                                                                                                              Process
  Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A   taskmgr.exe
  Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName                                                 taskmgr.exe
  Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000                                                              taskmgr.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid    Process
  2192   schtasks.exe
  4504   schtasks.exe

Suspicious behavior: EnumeratesProcesses (31 IoCs)
  pid    Process
  4416   taskmgr.exe   (31 identical entries)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description                       pid    Process
  Token: SeDebugPrivilege           2004   ligma_menu.exe
  Token: SeDebugPrivilege           4448   Client.exe
  Token: SeDebugPrivilege           4416   taskmgr.exe
  Token: SeSystemProfilePrivilege   4416   taskmgr.exe
  Token: SeCreateGlobalPrivilege    4416   taskmgr.exe
  Token: SeDebugPrivilege           444    ligma_menu.exe

Suspicious use of FindShellTrayWindow (40 IoCs)
  pid    Process
  4416   taskmgr.exe   (40 identical entries)

Suspicious use of SendNotifyMessage (39 IoCs)
  pid    Process
  4416   taskmgr.exe   (39 identical entries)

Suspicious use of SetWindowsHookEx (1 IoC)
  pid    Process
  4448   Client.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid    Process          procid_target
  PID 2004 wrote to memory of 2192   2004   ligma_menu.exe   83
  PID 2004 wrote to memory of 2192   2004   ligma_menu.exe   83
  PID 2004 wrote to memory of 4448   2004   ligma_menu.exe   85
  PID 2004 wrote to memory of 4448   2004   ligma_menu.exe   85
  PID 4448 wrote to memory of 4504   4448   Client.exe       86
  PID 4448 wrote to memory of 4504   4448   Client.exe       86

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

  C:\Users\Admin\AppData\Local\Temp\ligma_menu.exe  (PID 2004)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ligma_menu.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

      C:\Windows\SYSTEM32\schtasks.exe  (PID 2192)
        Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        - Scheduled Task/Job: Scheduled Task

      C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  (PID 4448)
        Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

          C:\Windows\SYSTEM32\schtasks.exe  (PID 4504)
            Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
            - Scheduled Task/Job: Scheduled Task

  C:\Windows\system32\taskmgr.exe  (PID 4416)
    Command line: "C:\Windows\system32\taskmgr.exe" /4
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\System32\rundll32.exe  (PID 2704)
    Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

  C:\Users\Admin\AppData\Local\Temp\ligma_menu.exe  (PID 444)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ligma_menu.exe"
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

  File 1
    Filesize: 1KB
    MD5:      baf55b95da4a601229647f25dad12878
    SHA1:     abc16954ebfd213733c4493fc1910164d825cac8
    SHA256:   ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
    SHA512:   24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

  File 2 (same hashes as the submitted target ligma_menu.exe)
    Filesize: 3.1MB
    MD5:      5d585eaddfaddd8dad1d752c0bbaa34a
    SHA1:     f42906d58c5a404cdc349b7a98c087c1e500b21b
    SHA256:   b37cf25cf1b1df68f13bba06d62439fde48b2b08156691baf36b1506a6242d0f
    SHA512:   31705030c280f617ad87087e0aa3079a661bcb74fa7d8f5d93dc3bae2239f1de5f7b2f48dd9f88051695a64673ee09a4d19a7705fe3d3942aa2d46668777bde2