Resubmissions

  • 250209-vzvbzaxpck (09/02/2025, 17:26), score 10
  • 250209-vxjsfsxqh1 (09/02/2025, 17:22), score 10
  • 250209-t3jtzawper (09/02/2025, 16:34), score 10
  • 250209-t15nnaxjfv (09/02/2025, 16:32), score 8
  • 250127-2gt2taxpgv (27/01/2025, 22:33), score 10
  • 250127-2d6lfaxnhy (27/01/2025, 22:28), score 10
  • 250127-19myjaxmew (27/01/2025, 22:21), score 10

Analysis

  • max time kernel
    249s
  • max time network
    250s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    27/01/2025, 22:28

General

  • Target: New Text Document.exe.zip
  • Size: 1KB
  • MD5: 0206983f12db26f622bbe73b165f126f
  • SHA1: e71f9fc602245a337f728e27917b0b716d3828f9
  • SHA256: 6b81b36622febc198dbe4596349b7b781cd6b278e9db9145a2de8b14b045e128
  • SHA512: 296372c60204ead1709a556001fd2a932e98814d30b42771beb19cc1298f92f3823372a83c1752f49f8073ea238e60f4c5e270a85b6dba2821621e68fd6f5cfc

Malware Config

Extracted

  • Family: quasar
  • Version: 1.4.1
  • Botnet: PrudaBackend
  • C2: 45.131.108.110:4782
  • Mutex: 8f8e6059-ac4f-4e47-8d62-3ce070083ecf
  • Attributes
    • encryption_key: D82EC4913FC5B28DDFF5AC48635D190A9342C6BD
    • install_name: update.exe
    • log_directory: Logs
    • reconnect_delay: 2500
    • startup_key: Runtime Broker.exe

Extracted

  • Family: quasar
  • Version: 1.4.1
  • Botnet: powerstealer
  • C2: 192.168.56.1:4782
  • Mutex: 6760d0e9-9df9-4aba-89be-4e5ce3e92cc8
  • Attributes
    • encryption_key: 057FCAF700E62ACFECC7338C474084AF9B47ABEB
    • install_name: powerstealer.exe
    • log_directory: Logs
    • reconnect_delay: 3000
    • startup_key: Quasar Client Startup
    • subdirectory: SubDir

Extracted

  • Family: vidar
  • C2
    https://t.me/sc1phell
    https://steamcommunity.com/profiles/76561199819539662
  • Attributes
    • user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Extracted

  • Family: quasar
  • Version: 1.4.1
  • Botnet: Office04
  • C2
    100.108.37.105:4444
    127.0.0.1:4444
  • Mutex: 95a85978-c10d-4a09-935b-c02a2a18a609
  • Attributes
    • encryption_key: 6FDAA03D192B9C03BF83E41A8BBF78996D321E27
    • install_name: Client.exe
    • log_directory: Logs
    • reconnect_delay: 3000
    • startup_key: Quasar Client Startup
    • subdirectory: SubDir
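
The C2 values in the four configs above are not equally actionable. 127.0.0.1:4444 points at the victim itself; 192.168.56.1 is RFC 1918 space (and the default VirtualBox host-only gateway, so that build only ever reached the operator's own test host); 100.108.37.105 sits in the RFC 6598 CGNAT block and is reachable only over a carrier or overlay network; and Vidar's t.me and steamcommunity.com URLs are dead-drop resolvers on legitimate services that cannot be blocked wholesale. The Python below is an added example, not tria.ge's config extractor or any export code of the sandbox. CONFIGS is a constructed copy of the Extracted blocks above; the verdict labels (block/watch/ignore), the DEAD_DROP_HOSTS set and the range table are this example's own choices.

```python
"""C2 triage for the extracted configs above.

Added example, not tria.ge's own config-extractor or export code.  CONFIGS is a
constructed copy of the four "Extracted" blocks in this report.  Routable C2s
are separated from loopback, RFC 1918 and CGNAT addresses and from
legitimate-service dead-drop URLs, so only actionable indicators get blocked."""
import ipaddress
import re
from urllib.parse import urlparse

# Checked explicitly so the verdict does not depend on which Python version's
# ipaddress.is_private / is_global rules are in effect.
SPECIAL_RANGES = [
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("rfc1918", ipaddress.ip_network("10.0.0.0/8")),
    ("rfc1918", ipaddress.ip_network("172.16.0.0/12")),
    ("rfc1918", ipaddress.ip_network("192.168.0.0/16")),
    ("link-local", ipaddress.ip_network("169.254.0.0/16")),
    ("cgnat", ipaddress.ip_network("100.64.0.0/10")),  # RFC 6598 shared address space
]

# Public services used as dead-drop resolvers: the stealer fetches a profile or
# channel page and parses the real C2 out of it.  Blocking the whole domain is
# rarely acceptable, so these get a "watch" verdict keyed on the exact URL.
DEAD_DROP_HOSTS = {"t.me", "steamcommunity.com"}

# Defender's handling of each address class (this example's own policy).
VERDICT_BY_KIND = {
    "public": "block",
    "domain": "block",
    "cgnat": "watch",       # reachable only via a carrier or overlay (VPN/mesh) network
    "loopback": "ignore",   # the RAT would connect to the victim itself
    "rfc1918": "ignore",    # builder default or the operator's own lab network
    "link-local": "ignore",
}

# Constructed from the "Malware Config" section of this report.
CONFIGS = [
    {"family": "quasar", "botnet": "PrudaBackend", "c2": ["45.131.108.110:4782"]},
    {"family": "quasar", "botnet": "powerstealer", "c2": ["192.168.56.1:4782"]},
    {"family": "vidar", "botnet": None,
     "c2": ["https://t.me/sc1phell",
            "https://steamcommunity.com/profiles/76561199819539662"]},
    {"family": "quasar", "botnet": "Office04",
     "c2": ["100.108.37.105:4444", "127.0.0.1:4444"]},
]

HOST_PORT = re.compile(r"^(?P<host>[^:/\s]+):(?P<port>\d{1,5})$")


def classify_ip(text):
    """Return the address class of an IP literal; raises ValueError for non-IPs."""
    ip = ipaddress.ip_address(text)
    for label, net in SPECIAL_RANGES:
        if ip in net:
            return label
    return "public"


def classify_c2(value):
    """Return (kind, host, port, verdict) for one C2 string taken from a config."""
    if value.startswith(("http://", "https://")):
        parts = urlparse(value)
        host = parts.hostname
        verdict = "watch" if host in DEAD_DROP_HOSTS else "block"
        return ("url", host, parts.port, verdict)
    match = HOST_PORT.match(value)
    if not match:
        raise ValueError(f"unrecognised C2 format: {value!r}")
    host, port = match.group("host"), int(match.group("port"))
    try:
        kind = classify_ip(host)
    except ValueError:
        kind = "domain"  # a hostname rather than an IP literal
    return (kind, host, port, VERDICT_BY_KIND[kind])


def triage(configs):
    """Flatten every config into one row per C2 endpoint with its verdict."""
    rows = []
    for cfg in configs:
        for c2 in cfg["c2"]:
            kind, host, port, verdict = classify_c2(c2)
            rows.append({"family": cfg["family"], "botnet": cfg["botnet"], "c2": c2,
                         "kind": kind, "host": host, "port": port, "verdict": verdict})
    return rows


def blocklist(rows):
    """host:port strings that are safe to push to a perimeter blocklist."""
    return sorted(f"{r['host']}:{r['port']}" for r in rows if r["verdict"] == "block")


def watchlist(rows):
    """Indicators to alert on but not block outright (dead drops, CGNAT peers)."""
    return sorted(r["c2"] for r in rows if r["verdict"] == "watch")


if __name__ == "__main__":
    rows = triage(CONFIGS)
    for r in rows:
        print(f"{r['family']:<7} {str(r['botnet']):<13} {r['c2']:<55} {r['kind']:<10} {r['verdict']}")
    print("block:", blocklist(rows))
    print("watch:", watchlist(rows))
```

Run as a script it prints one row per endpoint: only 45.131.108.110:4782 reaches the blocklist, the two Vidar URLs and the CGNAT peer go to the watchlist, and the loopback and lab addresses are dropped.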

Signatures

  • Detect Vidar Stealer (6 IoCs)
  • Quasar RAT
    Quasar is an open source Remote Access Tool.
  • Quasar family
  • Quasar payload (8 IoCs)
  • Vidar
    Vidar is an infostealer based on Arkei stealer.
  • Vidar family
  • Disables Task Manager via registry modification
  • Downloads MZ/PE file (5 IoCs)
  • Modifies Windows Firewall (2 TTPs, 3 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)
    Looks up the country code configured in the registry, likely for geofencing.
  • Drops startup file (4 IoCs)
  • Executes dropped EXE (11 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  • Drops file in System32 directory (3 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Event Triggered Execution: Netsh Helper DLL (1 TTP, 9 IoCs)
    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. In this run the netsh invocations add and remove firewall exceptions (see the process tree); no helper DLL registration appears in the command lines, so treat this hit as a netsh-usage alert rather than confirmed helper-DLL persistence.
  • System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Scheduled Task/Job: Scheduled Task (1 TTP, 5 IoCs)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (23 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SendNotifyMessage (1 IoC)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (44 IoCs)
  • Uses Task Scheduler COM API (1 TTP)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\New Text Document.exe.zip"
    1⤵
      PID:3492
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:916
      • C:\Users\Admin\Desktop\New Text Document.exe
        "C:\Users\Admin\Desktop\New Text Document.exe"
        1⤵
        • Downloads MZ/PE file
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1636
        • C:\Users\Admin\Desktop\a\updater.exe
          "C:\Users\Admin\Desktop\a\updater.exe"
          2⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4452
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "Runtime Broker.exe" /sc ONLOGON /tr "C:\Windows\system32\update.exe" /rl HIGHEST /f
            3⤵
            • Scheduled Task/Job: Scheduled Task
            PID:760
          • C:\Windows\system32\update.exe
            "C:\Windows\system32\update.exe"
            3⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2144
            • C:\Windows\system32\schtasks.exe
              "schtasks" /create /tn "Runtime Broker.exe" /sc ONLOGON /tr "C:\Windows\system32\update.exe" /rl HIGHEST /f
              4⤵
              • Scheduled Task/Job: Scheduled Task
              PID:780
        • C:\Users\Admin\Desktop\a\Discord.exe
          "C:\Users\Admin\Desktop\a\Discord.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2312
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f
            3⤵
            • Scheduled Task/Job: Scheduled Task
            PID:4004
          • C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1936
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f
              4⤵
              • Scheduled Task/Job: Scheduled Task
              PID:3772
        • C:\Users\Admin\Desktop\a\noyjhoadw.exe
          "C:\Users\Admin\Desktop\a\noyjhoadw.exe"
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3048
        • C:\Users\Admin\Desktop\a\build.exe
          "C:\Users\Admin\Desktop\a\build.exe"
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3312
        • C:\Users\Admin\Desktop\a\fag3.exe
          "C:\Users\Admin\Desktop\a\fag3.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:3864
        • C:\Users\Admin\Desktop\a\fag.exe
          "C:\Users\Admin\Desktop\a\fag.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2620
        • C:\Users\Admin\Desktop\a\Server.exe
          "C:\Users\Admin\Desktop\a\Server.exe"
          2⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3604
          • C:\Users\Admin\AppData\Local\Temp\server.exe
            "C:\Users\Admin\AppData\Local\Temp\server.exe"
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1764
            • C:\Windows\SysWOW64\netsh.exe
              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
              4⤵
              • Modifies Windows Firewall
              • Event Triggered Execution: Netsh Helper DLL
              • System Location Discovery: System Language Discovery
              PID:4560
            • C:\Windows\SysWOW64\netsh.exe
              netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
              4⤵
              • Modifies Windows Firewall
              • Event Triggered Execution: Netsh Helper DLL
              • System Location Discovery: System Language Discovery
              PID:3840
            • C:\Windows\SysWOW64\netsh.exe
              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
              4⤵
              • Modifies Windows Firewall
              • Event Triggered Execution: Netsh Helper DLL
              • System Location Discovery: System Language Discovery
              PID:1224
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
              4⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:2136
      • C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
        C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
        1⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:5080
      • C:\Users\Admin\Desktop\New Text Document.exe
        "C:\Users\Admin\Desktop\New Text Document.exe"
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:392
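
The tree shows three persistence and firewall-tampering patterns worth a detection: logon-triggered tasks created with /rl HIGHEST whose action lives in System32 under a lookalike name (Runtime Broker.exe) or in %APPDATA% (SubDir\powerstealer.exe); a task that re-launches a Temp binary every minute (StUpdate); and a firewall exception for a Temp-resident server.exe that is added, deleted and re-added through the legacy "netsh firewall" context. The Python below is an added example, not tria.ge's signature engine. EVENTS is a constructed set of process-creation records whose command lines, PIDs and parent PIDs are copied from the tree above, plus one constructed benign control; the verdict thresholds, the USER_WRITABLE pattern and the LOOKALIKE_NAMES list are this example's own heuristics.

```python
"""Persistence and firewall-change triage for the process tree above.

Added example, not tria.ge's signature engine.  EVENTS is constructed: the
command lines, PIDs and parent PIDs are copied from the tree in this report,
plus one benign control record at the end."""
import re
import shlex

EVENTS = [
    {"pid": 760, "ppid": 4452, "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmd": r'"schtasks" /create /tn "Runtime Broker.exe" /sc ONLOGON /tr "C:\Windows\system32\update.exe" /rl HIGHEST /f'},
    {"pid": 4004, "ppid": 2312, "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmd": r'"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f'},
    {"pid": 2136, "ppid": 1764, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r"schtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\Admin\AppData\Local\Temp/StUpdate.exe"},
    {"pid": 4560, "ppid": 1764, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmd": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE'},
    {"pid": 3840, "ppid": 1764, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmd": r'netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"'},
    # Constructed benign control: daily task, no elevation, Program Files target.
    {"pid": 9001, "ppid": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /create /tn "Backup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe"'},
]

# Directories an unprivileged user can write to; a persisted binary there is a strong signal.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(appdata|desktop|downloads|documents)\\", re.I)
# Task names that impersonate Windows binaries (the real broker is RuntimeBroker.exe).
LOOKALIKE_NAMES = {"runtime broker.exe", "svchost.exe", "csrss.exe", "dllhost.exe"}


def tokens(cmd):
    """Split a Windows command line: backslashes kept, surrounding quotes dropped."""
    return [t.strip('"') for t in shlex.split(cmd, posix=False)]


def parse_options(toks):
    """Collect schtasks-style /opt value pairs; bare flags such as /f map to True."""
    opts, i = {}, 0
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[key] = toks[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def assess_schtasks(cmd):
    """Explain why a schtasks /create line looks like persistence; None if not a /create."""
    opts = parse_options(tokens(cmd)[1:])
    if "create" not in opts:
        return None
    schedule = str(opts.get("sc", "")).upper()
    target = str(opts.get("tr", ""))
    reasons = []
    if schedule == "ONLOGON":
        reasons.append("triggered at every logon")
    elif schedule == "MINUTE":
        reasons.append(f"re-launched every {opts.get('mo', 1)} minute(s)")
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        reasons.append("requests /rl HIGHEST (runs elevated when the creator is an admin)")
    if USER_WRITABLE.match(target):
        reasons.append("action binary lives in a user-writable directory")
    if str(opts.get("tn", "")).lower() in LOOKALIKE_NAMES:
        reasons.append("task name mimics a Windows system binary")
    return {"tool": "schtasks", "name": opts.get("tn"), "target": target, "reasons": reasons}


def assess_netsh(cmd):
    """Explain a 'netsh firewall add/delete allowedprogram' line; None for other netsh use."""
    toks = tokens(cmd)
    low = [t.lower() for t in toks]
    if len(low) < 5 or low[1] != "firewall" or low[3] != "allowedprogram":
        return None
    action, program = low[2], toks[4]
    reasons = []
    if action == "add":
        reasons.append("adds a firewall exception via the legacy 'netsh firewall' context")
        if USER_WRITABLE.match(program):
            reasons.append("exception covers a binary in a user-writable directory")
    elif action == "delete":
        reasons.append("removes a firewall exception (cleanup before re-adding, or anti-forensics)")
    return {"tool": "netsh", "name": action, "target": program, "reasons": reasons}


ASSESSORS = {"schtasks.exe": assess_schtasks, "netsh.exe": assess_netsh}


def assess(events):
    """One finding per schtasks/netsh event; the verdict comes from the reason count."""
    findings = []
    for ev in events:
        assessor = ASSESSORS.get(ev["image"].rsplit("\\", 1)[-1].lower())
        result = assessor(ev["cmd"]) if assessor else None
        if result is None:
            continue
        n = len(result["reasons"])
        result["verdict"] = "suspicious" if n >= 2 else ("review" if n == 1 else "benign")
        result.update(pid=ev["pid"], ppid=ev["ppid"])
        findings.append(result)
    return findings


if __name__ == "__main__":
    for f in assess(EVENTS):
        print(f"pid {f['pid']:>5} (parent {f['ppid']:>5}) {f['tool']:<8} {f['verdict']:<10} {f['target']}")
        for reason in f["reasons"]:
            print(f"        - {reason}")
```

The parsing is deliberately tolerant of the mixed separators seen in the tree (`Temp/StUpdate.exe`) and of the quoted program name (`"schtasks"`), because real process-creation logs carry exactly that noise. In a production rule, feed it Sysmon event 1 or Security 4688 command lines and add the parent image to the output: here every suspicious task is created by a binary that was itself a dropped executable.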

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
    Filesize: 734B
    MD5: e192462f281446b5d1500d474fbacc4b
    SHA1: 5ed0044ac937193b78f9878ad7bac5c9ff7534ff
    SHA256: f1ba9f1b63c447682ebf9de956d0da2a027b1b779abef9522d347d3479139a60
    SHA512: cc69a761a4e8e1d4bf6585aa8e3e5a7dfed610f540a6d43a288ebb35b16e669874ed5d2b06756ee4f30854f6465c84ee423502fc5b67ee9e7758a2dab41b31d3

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BB6ABD5C8B98473A20C12EFFB847B7E2
    Filesize: 345B
    MD5: 7edbce9b8d730aab97bad5fb0fd94c80
    SHA1: 7201189c4ed6f6c0395c6e72ab100633b8257a0c
    SHA256: c8b0d844bd3624524a1f4682797bf3db7f96057707c038345f925abdcb719fae
    SHA512: 6dddab7ae53df794df1613befa618a5b76d00d170074741df7d6cda43b0dc47051b50673ba5454a2a30ce5be6f81f21f0a3d973e2a819c8f18d60394a23c26a9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
    Filesize: 192B
    MD5: ac8176c2d631174edf859addea652168
    SHA1: 42ae520152bc4a9ad24ec1d2073ca9a3a10c945d
    SHA256: 92b7e1a674a396cf0ee7625eb4c77bbc6e909b3778745358fe999dcfdf0a8897
    SHA512: 483a1110d55b713c5b372d9b15ec27dfab15fe329e421c567965d6d30bf9d9cc02e563b33effab41e6a8e534d7377f5cb19ff52086f6a2a45bd9b2970a2a9a51

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BB6ABD5C8B98473A20C12EFFB847B7E2
    Filesize: 540B
    MD5: 7ab7a19bef50e77537e546f93b6c2285
    SHA1: 6ab63dd6357ac3c9ba529f4caaa57e43bd4c21a5
    SHA256: 853db65a5637fcd4289599469c98faae053be670de505ba5eb6647f997d071db
    SHA512: a9e63f1f9115a34b7976d3008e6cecee8d2e6a37afcaebf1347140534bccdf1678f7358b07174d024070c7f63301353d385b217e74706f002c0020d74fd3c98c

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log
    Filesize: 408B
    MD5: 661cab77d3b907e8057f2e689e995af3
    SHA1: 5d1a0ee9c5ee7a7a90d56d00c10dc0e679bee01c
    SHA256: 8f27f95ad7c09f2e05d7960e78ef8cd935c1262e9657883a75d70dcb877592d2
    SHA512: 2523b316bd79fed0e9b3d73f46959f3dfe270cf950f34bd9d49fe4113a2ae46d0cd00224d848bc40c0d8c55449e2dccc4b4278ba4809c0ca9ede1ac75673fc67

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\New Text Document.exe.log
    Filesize: 847B
    MD5: 66a0a4aa01208ed3d53a5e131a8d030a
    SHA1: ef5312ba2b46b51a4d04b574ca1789ac4ff4a6b1
    SHA256: f0ab05c32d6af3c2b559dbce4dec025ce3e730655a2430ade520e89a557cace8
    SHA512: 626f0dcf0c6bcdc0fef25dc7da058003cf929fd9a39a9f447b79fb139a417532a46f8bca1ff2dbde09abfcd70f5fb4f8d059b1fe91977c377df2f5f751c84c5c

  • C:\Users\Admin\AppData\Roaming\app
    Filesize: 5B
    MD5: c60feebd511c87b86dea130692995a0f
    SHA1: d64447a8b3d8949cab5a1f8d168f7c6fee6b6a0a
    SHA256: 632994320c04707e7ef564b3e983a694170561659552a24dfe14a922dcf0f511
    SHA512: bf03fbf3329c6f7a21ecd620319ef1a6f676b22a27afd24aab546483c3fe5f6eee7bbcfdc14c5f6626957f2b96519bdd21aaea45d74a80253fa4220c8c12df7c

  • C:\Users\Admin\Desktop\a\Discord.exe
    Filesize: 3.1MB
    MD5: bedd5e5f44b78c79f93e29dc184cfa3d
    SHA1: 11e7e692b9a6b475f8561f283b2dd59c3cd19bfd
    SHA256: e423c72ea1a279e367f4f0a3dc7d703c67f6d09009ed9d58f9c73dac35d0a85c
    SHA512: 3a7924196830b52d4525b897f45feb52ec2aca6cd20437b38437f171424450fd25692bd4c67ccde2cf147f0ed6efcef395ea0e13b24f0cf606214b58cf8284de

  • C:\Users\Admin\Desktop\a\Server.exe
    Filesize: 93KB
    MD5: a9ba2416df448c5f3b36581ecfa4cd31
    SHA1: 105592c84c83cbf4e6f7b6978ecb6d37c99440b7
    SHA256: b12ace477963fdde7e7b3c3b81dc01d585d87097e68bed90f5dd41077556b4bf
    SHA512: 456ffb46cf5d914108a68292e1f9e73665e7dd3905015c76709ecc954d02b50d9dfdd758c2178791d75aa1010b7c0f2e0cf92659f2471a227497343477e6c9f3

  • C:\Users\Admin\Desktop\a\build.exe
    Filesize: 119KB
    MD5: 08388bb4894c71e7b1be4bad966c3824
    SHA1: 7437ac98f08fc41283b900aa6fb0ae350d59dd6c
    SHA256: 986a98dc33a925fa232e1e5311807c7681cad9e0f07957d81e4f2f8257503f9c
    SHA512: 2adf5154e7dca7de1fcf12560c97f1b74e66fb3c5074d8fa9d29dd9da91a1314f9fc18270808c12364c4941a6a2346109824bd4c625df905f9be84af393934b3

  • C:\Users\Admin\Desktop\a\fag.exe
    Filesize: 3.1MB
    MD5: 814d032273cdbdc32dc6a232c108129f
    SHA1: bd4b3bea0d543dd287fd952a5ae053f649f11fe4
    SHA256: 95e8911b88b45f18c2f415df69166ea5dadc1af3ee4ed79d42ca31dc812c4043
    SHA512: 1aca47dc3e839f192a0c51c396f1596f03a843c88883a6d4be02ce55647585d6a98e8ed215872661dbe412d9095eabf334fec5545a4a1dcf75a3ebe48dd2cbbf

  • C:\Users\Admin\Desktop\a\fag3.exe
    Filesize: 3.1MB
    MD5: 6b6cd0ace200ae15a3c40568bd516739
    SHA1: c17c2dae1f9d4a3268f51ba9acf2095171408621
    SHA256: 9746060c7d36d8675945405b0c1928fb6bbcfe1bbac0f4c3247bd245ac6c4271
    SHA512: 4330446f193832bc3cdba0461df477ed7b27af44cce83daa7bf4c46afacee37b8e5ce7191573b23604efbeef66b2ed763adc156303e3e3927e1fc315ba22b1cd

  • C:\Users\Admin\Desktop\a\noyjhoadw.exe
    Filesize: 119KB
    MD5: 65cc23e7237f3cff2d206a269793772e
    SHA1: fa3b354d2a7a4a673d4477ddcf1e1f2c93bb05fd
    SHA256: a57a8a3c3c073632337bb870db56538ef3d3cebd1ada4c3ed2397ea73a6923fb
    SHA512: 7596ec7aeef7fcf446328dc928a835a54fa1060264b170baf2413252977bb0ac0b8da96867895530601cc098516e7bb82d1edbabfcfccd29d24619fe89f49613

  • C:\Users\Admin\Desktop\a\updater.exe
    Filesize: 3.1MB
    MD5: c965446805dc5c40e1bffe859716bea7
    SHA1: 7d6b257f8f830f512552bd11b36bb1fc88a1e966
    SHA256: 874dc85b74f8ee6a116d38453078905ee487949425e97a42de9b258dd6b8bbf5
    SHA512: 157b7d59cb94d83dceba138207f1d335df6f9da90c510cbad8e0b252173be05679352de83d2aef2e3ae3d7de58f7253f93422b44680d2cb63e6c3640fd68233b

  • memory/1636-2-0x00007FFE0A730000-0x00007FFE0B1F1000-memory.dmp
    Filesize: 10.8MB
  • memory/1636-1-0x0000000000510000-0x0000000000518000-memory.dmp
    Filesize: 32KB
  • memory/1636-0-0x00007FFE0A733000-0x00007FFE0A735000-memory.dmp
    Filesize: 8KB
  • memory/1636-105-0x00007FFE0A730000-0x00007FFE0B1F1000-memory.dmp
    Filesize: 10.8MB
  • memory/1636-138-0x00007FFE0A730000-0x00007FFE0B1F1000-memory.dmp
    Filesize: 10.8MB
  • memory/1636-99-0x00007FFE0A733000-0x00007FFE0A735000-memory.dmp
    Filesize: 8KB
  • memory/2144-77-0x000000001C3F0000-0x000000001C42C000-memory.dmp
    Filesize: 240KB
  • memory/2144-76-0x000000001C390000-0x000000001C3A2000-memory.dmp
    Filesize: 72KB
  • memory/2144-60-0x000000001C430000-0x000000001C4E2000-memory.dmp
    Filesize: 712KB
  • memory/2144-59-0x000000001C320000-0x000000001C370000-memory.dmp
    Filesize: 320KB
  • memory/2144-127-0x000000001C930000-0x000000001CA32000-memory.dmp
    Filesize: 1.0MB
  • memory/2312-28-0x00000000001D0000-0x00000000004FA000-memory.dmp
    Filesize: 3.2MB
  • memory/2620-102-0x0000000000E10000-0x0000000001134000-memory.dmp
    Filesize: 3.1MB
  • memory/3048-81-0x0000000000400000-0x0000000000422000-memory.dmp
    Filesize: 136KB
  • memory/3048-38-0x0000000000400000-0x0000000000422000-memory.dmp
    Filesize: 136KB
  • memory/3312-115-0x0000000000400000-0x0000000000422000-memory.dmp
    Filesize: 136KB
  • memory/3312-58-0x0000000000400000-0x0000000000422000-memory.dmp
    Filesize: 136KB
  • memory/3864-72-0x0000000000BD0000-0x0000000000EF4000-memory.dmp
    Filesize: 3.1MB
  • memory/4452-16-0x0000000000380000-0x00000000006A4000-memory.dmp
    Filesize: 3.1MB