Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
104s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
19/01/2025, 08:36
General
-
Target
436052B37A3752148C885667E34DD9C3.exe
-
Size
10.7MB
-
MD5
436052b37a3752148c885667e34dd9c3
-
SHA1
59dbc9e97fb1c74ae666bc87e9ab2f453f780006
-
SHA256
2b85704b2d63fe95970f2a35e9f48d9e4a72cd4cdfb6c8127f618bf043332f88
-
SHA512
c6ef01300bb1350d64e5a4d5f48a1c013f8638ac9240820d2d27e951b0ca4b105ff2ee66a07bb3954178c7df8435dbfb561b7a7112f8f3ec79e63cedb7f4d784
-
SSDEEP
196608:QPW6IG7f1KCArQWGRhoDyp7t1OCf80nXIQPfMEftec7HsrEha1:w37d6T+97t1OCf80XIxQec7O
Malware Config
Extracted
quasar
1.4.1
svchost 3
41.216.183.179:3742
11b8b70b-ab15-4aab-8132-3e7b18b2b48b
-
encryption_key
0325CE0E85B5B8870BB69FE8C81088DBCBFAC6F7
-
install_name
startui.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
startui
-
subdirectory
SubDir
Extracted
quasar
1.4.1
svchost 2
41.216.183.179:3742
d018acac-011d-4ca3-b0c3-4fdd7ec2d6d1
-
encryption_key
0325CE0E85B5B8870BB69FE8C81088DBCBFAC6F7
-
install_name
Host Process for Windows Tasks.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Host Process for Windows Tasks
-
subdirectory
SubDir
Signatures
-
Detect Umbral payload 2 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 4 IoCs
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Umbral family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 7 IoCs
-
Loads dropped DLL 7 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 5 IoCs
-
Drops file in Program Files directory 5 IoCs
-
Detects Pyinstaller 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 46 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\436052B37A3752148C885667E34DD9C3.exe"C:\Users\Admin\AppData\Local\Temp\436052B37A3752148C885667E34DD9C3.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\WormGPT.exe"C:\Users\Admin\AppData\Local\Temp\WormGPT.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\WormGPT.exe"C:\Users\Admin\AppData\Local\Temp\WormGPT.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c4⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls4⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\comsurrogate.exe"C:\Users\Admin\AppData\Local\Temp\comsurrogate.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Host Process for Windows Tasks" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Host Process for Windows Tasks.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\SubDir\Host Process for Windows Tasks.exe"C:\Windows\system32\SubDir\Host Process for Windows Tasks.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Host Process for Windows Tasks" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Host Process for Windows Tasks.exe" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\qLhaGMwuEu33.exe"C:\Users\Admin\AppData\Local\Temp\qLhaGMwuEu33.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\qLhaGMwuEu33.exe"5⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\qLhaGMwuEu33.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 25⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name5⤵
- Detects videocard installed
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\qLhaGMwuEu33.exe" && pause5⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\PING.EXEping localhost6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svc.exe"C:\Users\Admin\AppData\Local\Temp\svc.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "startui" /sc ONLOGON /tr "C:\Program Files\SubDir\startui.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Program Files\SubDir\startui.exe"C:\Program Files\SubDir\startui.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "startui" /sc ONLOGON /tr "C:\Program Files\SubDir\startui.exe" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD56d42b6da621e8df5674e26b799c8e2aa
SHA1ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA2565ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA51253faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29
-
Filesize
948B
MD5e136966aba3500e5d57bcfc57edb3be1
SHA13dc5f1c1888b68da52706fb5fb053a86d5ac4c8d
SHA25655f1c311ffec50f6d364764298fcb3172f034ad47b32eea2941bdaab95e369b0
SHA512118f09f6b0a690641abbae52d5e4fa71493553eadcaee9639e59d671ce64576709b3ec3d94e9cfd066f94774590f76de0796d503c73e432f0f3412f5a97aed81
-
Filesize
8.6MB
MD51c2128b3ad0a5dc32f938362e16f6b07
SHA1eecb906f664ff6a5fc4cded35c274cbcc342fec8
SHA2562b093e0b16481ff4d090e4502c6ef4d547fb7003a6a07e43fc042a1550f9bb9c
SHA51221758831af1d641c1f1aad7fb148b16c87ebf00ae5574a3f66542620931088c6ebedc61a92ccb2ffe2f1643792989541eae9180a0bdd672202df7ac455f4350e
-
Filesize
106KB
MD5870fea4e961e2fbd00110d3783e529be
SHA1a948e65c6f73d7da4ffde4e8533c098a00cc7311
SHA25676fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644
SHA5120b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88
-
Filesize
119KB
MD5ca4cef051737b0e4e56b7d597238df94
SHA1583df3f7ecade0252fdff608eb969439956f5c4a
SHA256e60a2b100c4fa50b0b144cf825fe3cde21a8b7b60b92bfc326cb39573ce96b2b
SHA51217103d6b5fa84156055e60f9e5756ffc31584cdb6274c686a136291c58ba0be00238d501f8acc1f1ca7e1a1fadcb0c7fefddcb98cedb9dd04325314f7e905df3
-
Filesize
63KB
MD5470364d8abdc5c22828df8e22c095ed2
SHA14c707b1061012deb8ce4ab38772a21d3195624c2
SHA2564262cabac7e97220d0e4bd72deb337ffd9df429860ab298b3e2d5c9223874705
SHA51270eb15796ead54cdadf696ea6581ff2f979057c3be8c95c12ab89be51c02b2aba591f9ee9671e8c4f376c973b154d0f2e0614498c5835397411c876346429cd5
-
Filesize
1.0MB
MD5d83e1395c18c93d96645462bb79e86ae
SHA17dd7988f499390ce0508e51219f70c8db426c989
SHA2565a4fa8a060ee1eea1b7e6ea27bba2f4913469c83db0f31ceaec2c17b9a01340d
SHA5128e011b62c15e207d694182b4e7d5997f60fff0dfb5e7aab7ade93dcd2e8a5493606b1bc03997743e22fc13b5a1a0b44c1b72ca90e63e926f8657755874881ed1
-
Filesize
32KB
MD5eef7981412be8ea459064d3090f4b3aa
SHA1c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016
-
Filesize
4.3MB
MD5deaf0c0cc3369363b800d2e8e756a402
SHA13085778735dd8badad4e39df688139f4eed5f954
SHA256156cf2b64dd0f4d9bdb346b654a11300d6e9e15a65ef69089923dafc1c71e33d
SHA5125cac1d92af7ee18425b5ee8e7cd4e941a9ddffb4bc1c12bb8aeabeed09acec1ff0309abc41a2e0c8db101fee40724f8bfb27a78898128f8746c8fe01c1631989
-
Filesize
1.8MB
MD575909678c6a79ca2ca780a1ceb00232e
SHA139ddbeb1c288335abe910a5011d7034345425f7d
SHA256fbfd065f861ec0a90dd513bc209c56bbc23c54d2839964a0ec2df95848af7860
SHA51291689413826d3b2e13fc7f579a71b676547bc4c06d2bb100b4168def12ab09b65359d1612b31a15d21cb55147bbab4934e6711351a0440c1533fb94fe53313bf
-
Filesize
1KB
MD5e9117326c06fee02c478027cb625c7d8
SHA12ed4092d573289925a5b71625cf43cc82b901daf
SHA256741859cf238c3a63bbb20ec6ed51e46451372bb221cfff438297d261d0561c2e
SHA512d0a39bc41adc32f2f20b1a0ebad33bf48dfa6ed5cc1d8f92700cdd431db6c794c09d9f08bb5709b394acf54116c3a1e060e2abcc6b503e1501f8364d3eebcd52
-
Filesize
1.5MB
MD54b6270a72579b38c1cc83f240fb08360
SHA11a161a014f57fe8aa2fadaab7bc4f9faaac368de
SHA256cd2f60075064dfc2e65c88b239a970cb4bd07cb3eec7cc26fb1bf978d4356b08
SHA5120c81434d8c205892bba8a4c93ff8fc011fb8cfb72cfec172cf69093651b86fd9837050bd0636315840290b28af83e557f2205a03e5c344239356874fce0c72b9
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3.1MB
MD5026407873fa1c229033246e574724e02
SHA1888c874808635b0b03456da413b1941c61c33686
SHA2564531e23ad4f6443dd3e0807007afd811ea1fc6a2a35f423e9ac98bcfc21be996
SHA512660db81f331c9ff47440d41d2e5062d92ad1fe2b7cc5559ba120c4908b5cd9a253c4fb1da323a1f0f1e7a5ce50d04e9020aec286e3eb399cb3ebdf1b765acc7f
-
Filesize
227KB
MD5513c9ed3a690a8568531bc6103b3499b
SHA19df50595d7cfb2a48741ab4983d6ac7b2ab89202
SHA256c9ff36b9f84347e191f8e9e80af044e528dcb57abfdf4abb01e146d4f26be377
SHA5128d0c47844b514bf16feebee3502e77e7d24755c6c01df6b5279e1c002d8f30d9fdf35b7e75332d3251b0630925dd98310e6be0cf6f6befaa6b4ddfde0ff3e4d9
-
Filesize
3.1MB
MD57776335b8b0d230370ca39602c484a69
SHA17705fb56ea438e609a6094bef10bdb2392f55719
SHA256b6bb8a533c77034b0d4eab34ffa434b1a999cac5f59983680d222f04e437729d
SHA5120e290749b442e317fe90591a43549a003d7f95c086d220b04eae018209a9785a1754b834d529a5839b15d2aa783edd17e52f4ab2b331e3a14c47d84ebf24899d
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
3.1MB
-
Filesize
136KB
-
Filesize
320KB
-
Filesize
712KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
10.8MB
-
Filesize
3.1MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
256KB
-
Filesize
472KB
-
Filesize
120KB
-
Filesize
40KB
-
Filesize
72KB