Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
18/01/2025, 21:12
Behavioral task
behavioral1
Sample
RC7old.exe
Resource
win7-20240903-en
General
-
Target
RC7old.exe
-
Size
3.1MB
-
MD5
5efb08d03470612d11124136accc84fa
-
SHA1
46abe602f6566ff6103f504ef8ae73f43eae19c1
-
SHA256
853cf003dd01ec972a222a28b1e8b260fb06fab20245e609cb7df103d110343f
-
SHA512
13a1fbeae357662e2e2a60e511a3bce2f63fef40a96ba49f25e745dd466ca3da24de5155f0f2233e8d15941f353a21df14247ab7b4ebf84ee419ca7d7b7ae74a
-
SSDEEP
49152:CvHI22SsaNYfdPBldt698dBcjHuYREEf/yk/65LoGdvYAFTHHB72eh2NT:Cvo22SsaNYfdPBldt6+dBcjHuYRkp
Malware Config
Extracted
quasar
1.4.1
RC7old
yellow-parts.gl.at.ply.gg:52085
8356bffd-2b62-44f9-937c-4adee31d9ea3
-
encryption_key
5471C1CD3CF5D10BA14E0A632D9E07BC5FEE0E2B
-
install_name
RC7old.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
System
-
subdirectory
System
Signatures
-
Quasar family
-
Quasar payload 2 IoCs
resource  yara_rule
behavioral2/memory/4204-1-0x0000000000790000-0x0000000000AB4000-memory.dmp  family_quasar
behavioral2/files/0x000a000000023b7a-6.dat  family_quasar
-
Executes dropped EXE 1 IoCs
pid  Process
2996  RC7old.exe
-
Drops file in System32 directory 5 IoCs
description  ioc  Process
File opened for modification  C:\Windows\system32\System  RC7old.exe
File created  C:\Windows\system32\System\RC7old.exe  RC7old.exe
File opened for modification  C:\Windows\system32\System\RC7old.exe  RC7old.exe
File opened for modification  C:\Windows\system32\System  RC7old.exe
File opened for modification  C:\Windows\system32\System\RC7old.exe  RC7old.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  Process
2468  schtasks.exe
3620  schtasks.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description  pid  Process
Token: SeDebugPrivilege  4204  RC7old.exe
Token: SeDebugPrivilege  2996  RC7old.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid  Process
2996  RC7old.exe
-
Suspicious use of SendNotifyMessage 1 IoCs
pid  Process
2996  RC7old.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
description  pid  Process  procid_target
PID 4204 wrote to memory of 2468  4204  RC7old.exe  83
PID 4204 wrote to memory of 2468  4204  RC7old.exe  83
PID 4204 wrote to memory of 2996  4204  RC7old.exe  85
PID 4204 wrote to memory of 2996  4204  RC7old.exe  85
PID 2996 wrote to memory of 3620  2996  RC7old.exe  86
PID 2996 wrote to memory of 3620  2996  RC7old.exe  86
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\RC7old.exe
"C:\Users\Admin\AppData\Local\Temp\RC7old.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4204
  -
  C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Windows\system32\System\RC7old.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID:2468
  -
  C:\Windows\system32\System\RC7old.exe
  "C:\Windows\system32\System\RC7old.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2996
    -
    C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Windows\system32\System\RC7old.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID:3620
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5
baf55b95da4a601229647f25dad12878
SHA1
abc16954ebfd213733c4493fc1910164d825cac8
SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
3.1MB
MD5
5efb08d03470612d11124136accc84fa
SHA1
46abe602f6566ff6103f504ef8ae73f43eae19c1
SHA256
853cf003dd01ec972a222a28b1e8b260fb06fab20245e609cb7df103d110343f
SHA512
13a1fbeae357662e2e2a60e511a3bce2f63fef40a96ba49f25e745dd466ca3da24de5155f0f2233e8d15941f353a21df14247ab7b4ebf84ee419ca7d7b7ae74a