Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
3s -
max time network
33s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
24/01/2025, 03:05 UTC
Behavioral task
behavioral1
Sample
5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe
Resource
win10v2004-20241007-en
General
-
Target
5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe
-
Size
2.0MB
-
MD5
991fbae4fb220876924d5398a8252a60
-
SHA1
e98704697dc895376a7a77ed5eca8a84cd312a62
-
SHA256
5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fb
-
SHA512
c89c7aba766d9349ad7f8006583fc52f173819ef8b40d1384123ef8816c810c9cae4f956e23857c38823f0faa8033b42effc53ac9ff8718e0523e266329de86b
-
SSDEEP
24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYr:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9YJ
Malware Config
Extracted
quasar
1.3.0.0
EbayProfiles
5.8.88.191:443
sockartek.icu:443
QSR_MUTEX_0kBRNrRz5TDLEQouI0
-
encryption_key
MWhG6wsClMX8aJM2CVXT
-
install_name
winsock.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
win defender run
-
subdirectory
SubDir
Extracted
azorult
http://0x21.in:8000/_az/
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Azorult family
-
Quasar family
-
Quasar payload 3 IoCs
resource yara_rule behavioral1/files/0x0008000000016c58-17.dat family_quasar behavioral1/memory/2448-45-0x00000000012C0000-0x000000000131E000-memory.dmp family_quasar behavioral1/memory/2436-57-0x0000000000130000-0x000000000018E000-memory.dmp family_quasar -
Executes dropped EXE 3 IoCs
pid Process 2004 vnc.exe 2448 windef.exe 2436 winsock.exe -
Loads dropped DLL 13 IoCs
pid Process 1740 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe 1740 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe 1740 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe 1740 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe 1740 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe 1740 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe 1740 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe 1740 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe 2744 WerFault.exe 2744 WerFault.exe 2744 WerFault.exe 2744 WerFault.exe 2448 windef.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\u: 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe File opened (read-only) \??\v: 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe File opened (read-only) \??\a: 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe File opened (read-only) \??\e: 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe File opened (read-only) \??\h: 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe File opened (read-only) \??\j: 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe File opened (read-only) \??\s: 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe File opened (read-only) \??\t: 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe File opened (read-only) \??\z: 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe File opened (read-only) \??\i: 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe File opened (read-only) \??\k: 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe File opened (read-only) \??\m: 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe File opened (read-only) \??\r: 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe File opened (read-only) \??\o: 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe File opened (read-only) \??\w: 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe File opened (read-only) \??\y: 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe File opened (read-only) \??\x: 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe File opened (read-only) \??\b: 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe File opened (read-only) \??\g: 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe File opened (read-only) \??\l: 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe File opened (read-only) \??\n: 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe File opened (read-only) \??\p: 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe File opened (read-only) \??\q: 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 ip-api.com -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1740 set thread context of 2812 1740 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe 33 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 2744 2004 WerFault.exe 30 -
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winsock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language windef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2768 schtasks.exe 692 schtasks.exe 2972 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1740 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe 1740 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2004 vnc.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2448 windef.exe -
Suspicious use of WriteProcessMemory 35 IoCs
description pid Process procid_target PID 1740 wrote to memory of 2004 1740 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe 30 PID 1740 wrote to memory of 2004 1740 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe 30 PID 1740 wrote to memory of 2004 1740 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe 30 PID 1740 wrote to memory of 2004 1740 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe 30 PID 2004 wrote to memory of 2920 2004 vnc.exe 31 PID 2004 wrote to memory of 2920 2004 vnc.exe 31 PID 2004 wrote to memory of 2920 2004 vnc.exe 31 PID 2004 wrote to memory of 2920 2004 vnc.exe 31 PID 2004 wrote to memory of 2920 2004 vnc.exe 31 PID 1740 wrote to memory of 2448 1740 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe 32 PID 1740 wrote to memory of 2448 1740 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe 32 PID 1740 wrote to memory of 2448 1740 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe 32 PID 1740 wrote to memory of 2448 1740 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe 32 PID 1740 wrote to memory of 2812 1740 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe 33 PID 1740 wrote to memory of 2812 1740 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe 33 PID 1740 wrote to memory of 2812 1740 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe 33 PID 1740 wrote to memory of 2812 1740 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe 33 PID 1740 wrote to memory of 2812 1740 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe 33 PID 1740 wrote to memory of 2812 1740 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe 33 PID 1740 wrote to memory of 2768 1740 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe 34 PID 1740 wrote to memory of 2768 1740 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe 34 PID 1740 wrote to memory of 2768 1740 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe 34 PID 1740 wrote to memory of 2768 1740 5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe 34 PID 2004 wrote to memory of 2744 2004 vnc.exe 36 PID 2004 wrote to memory of 2744 2004 vnc.exe 36 PID 2004 wrote to memory of 2744 2004 vnc.exe 36 PID 2004 wrote to memory of 2744 2004 vnc.exe 36 PID 2448 wrote to memory of 692 2448 windef.exe 38 PID 2448 wrote to memory of 692 2448 windef.exe 38 PID 2448 wrote to memory of 692 2448 windef.exe 38 PID 2448 wrote to memory of 692 2448 windef.exe 38 PID 2448 wrote to memory of 2436 2448 windef.exe 40 PID 2448 wrote to memory of 2436 2448 windef.exe 40 PID 2448 wrote to memory of 2436 2448 windef.exe 40 PID 2448 wrote to memory of 2436 2448 windef.exe 40
Processes
-
C:\Users\Admin\AppData\Local\Temp\5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe"C:\Users\Admin\AppData\Local\Temp\5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe"1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Users\Admin\AppData\Local\Temp\vnc.exe"C:\Users\Admin\AppData\Local\Temp\vnc.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k3⤵PID:2920
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 1803⤵
- Loads dropped DLL
- Program crash
PID:2744
-
-
-
C:\Users\Admin\AppData\Local\Temp\windef.exe"C:\Users\Admin\AppData\Local\Temp\windef.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:692
-
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2436 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
PID:2972
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe"C:\Users\Admin\AppData\Local\Temp\5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe"2⤵
- System Location Discovery: System Language Discovery
PID:2812
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2768
-
Network
-
Remote address:8.8.8.8:53Requestip-api.comIN AResponseip-api.comIN A208.95.112.1
-
Remote address:208.95.112.1:80RequestGET /json/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
Host: ip-api.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 291
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
-
Remote address:208.95.112.1:80RequestGET /json/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
Host: ip-api.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 291
Access-Control-Allow-Origin: *
X-Ttl: 58
X-Rl: 43
-
Remote address:8.8.8.8:53Request0x21.inIN AResponse0x21.inIN A44.221.84.105
-
Remote address:44.221.84.105:8000RequestPOST /_az/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: 0x21.in:8000
Content-Length: 107
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 24 Jan 2025 03:05:36 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=; path=/; domain=.0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: btst=; path=/; domain=0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: btst=e3bfa89758683bf1ecae9cf253d691f9|181.215.176.83|1737687936|1737687936|0|1|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
-
Remote address:8.8.8.8:53Request0x21.inIN AResponse0x21.inIN A44.221.84.105
-
Remote address:44.221.84.105:8000RequestPOST /_az/ HTTP/1.0
Host: 0x21.in
Connection: close
User-agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Content-Length: 107
ResponseHTTP/1.1 200 OK
Date: Fri, 24 Jan 2025 03:05:36 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=58ca5876a8d8dc8884c6639246dd2755|181.215.176.83|1737687936|1737687936|0|1|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
-
328 B 560 B 4 2
HTTP Request
GET http://ip-api.com/json/HTTP Response
200 -
374 B 560 B 5 2
HTTP Request
GET http://ip-api.com/json/HTTP Response
200 -
491 B 870 B 5 5
HTTP Request
POST http://0x21.in:8000/_az/HTTP Response
200 -
152 B 3
-
480 B 590 B 5 5
HTTP Request
POST http://0x21.in/_az/HTTP Response
200
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
405KB
MD5b8ba87ee4c3fc085a2fed0d839aadce1
SHA1b3a2e3256406330e8b1779199bb2b9865122d766
SHA2564e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
SHA5127a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2
-
Filesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb