Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
22s -
max time network
23s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
23/01/2025, 06:36
General
-
Target
minko.exe
-
Size
3.1MB
-
MD5
f58a18b8929f009586495b2607a8b806
-
SHA1
524c72a260cc4f80e2e4c92acad39aa16a05254c
-
SHA256
7dc1fd4a138be818ea68ea646718e202e386b0ed202108f6958309ff3455693c
-
SHA512
3c2449f8fbb9a19543163bb37bb8909208a45754ed317cdb7c8707b7bd3682c105e36712c070a8ec22217cc54b93cd042e834bbad076187455a8b4f0995b9c7f
-
SSDEEP
49152:Gvkt62XlaSFNWPjljiFa2RoUYIT59oCLNLoGdBhTHHB72eh2NT:Gv462XlaSFNWPjljiFXRoUYIT59bx
Malware Config
Extracted
quasar
1.4.1
minko
192.168.1.104:4782
7f791aa9-cb89-4d49-8582-d2bee1e4c964
-
encryption_key
EDB1628352F4EB382035992E9E2540BB09AFD0AA
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Client
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 3 IoCs
-
Executes dropped EXE 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\minko.exe"C:\Users\Admin\AppData\Local\Temp\minko.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD5f58a18b8929f009586495b2607a8b806
SHA1524c72a260cc4f80e2e4c92acad39aa16a05254c
SHA2567dc1fd4a138be818ea68ea646718e202e386b0ed202108f6958309ff3455693c
SHA5123c2449f8fbb9a19543163bb37bb8909208a45754ed317cdb7c8707b7bd3682c105e36712c070a8ec22217cc54b93cd042e834bbad076187455a8b4f0995b9c7f
-
Filesize
9.9MB
-
Filesize
3.1MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
3.1MB
-
Filesize
9.9MB
-
Filesize
9.9MB