Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 130s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 30/01/2025, 07:56
Behavioral task
- behavioral1
- Sample: 3dc3c88ce100a2f6d16e8c0fbd096b622810bb62dd6dcf5719c657254129ec31.exe
- Resource: win7-20241010-en
General
- Target: 3dc3c88ce100a2f6d16e8c0fbd096b622810bb62dd6dcf5719c657254129ec31.exe
- Size: 3.1MB
- MD5: fbb44da2d0860af30fc45116529832df
- SHA1: 44377732b9959172cdb261d366069801adafd52a
- SHA256: 3dc3c88ce100a2f6d16e8c0fbd096b622810bb62dd6dcf5719c657254129ec31
- SHA512: b1cdda7f3b67f1bedfbf896a4e7e8af0d12aa78a8709604d1262cc68ff0b0bdb3a326e7325075210f4d4e22e43fd7a7fa4bfbc90fc4c032bc3f3304f79157909
- SSDEEP: 49152:Pvyt62XlaSFNWPjljiFa2RoUYIonF7KoGd1GKuTHHB72eh2NT:Pva62XlaSFNWPjljiFXRoUYIonFW
Malware Config
Extracted
- Family: quasar
- Version: 1.4.1
- Botnet: svhost32
- C2: 87.228.57.81:4782
- Mutex: 47b71fc0-b2c4-4112-b97a-39385a5399c1
- encryption_key: 19A0FAF8459F69650B5965C225752D425C429EEC
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: svhost32
- subdirectory: SubDir
Signatures
- Quasar family
- Quasar payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/2916-1-0x00000000002A0000-0x00000000005C4000-memory.dmp | family_quasar
  behavioral1/files/0x000f000000016d3f-5.dat | family_quasar
  behavioral1/memory/2960-10-0x0000000000E90000-0x00000000011B4000-memory.dmp | family_quasar
- Executes dropped EXE (1 IoC)
  pid | Process
  2960 | Client.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2872 | schtasks.exe
  3008 | schtasks.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2916 | 3dc3c88ce100a2f6d16e8c0fbd096b622810bb62dd6dcf5719c657254129ec31.exe
  Token: SeDebugPrivilege | 2960 | Client.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  2960 | Client.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 2916 wrote to memory of 2872 | 2916 | 3dc3c88ce100a2f6d16e8c0fbd096b622810bb62dd6dcf5719c657254129ec31.exe | 30
  PID 2916 wrote to memory of 2872 | 2916 | 3dc3c88ce100a2f6d16e8c0fbd096b622810bb62dd6dcf5719c657254129ec31.exe | 30
  PID 2916 wrote to memory of 2872 | 2916 | 3dc3c88ce100a2f6d16e8c0fbd096b622810bb62dd6dcf5719c657254129ec31.exe | 30
  PID 2916 wrote to memory of 2960 | 2916 | 3dc3c88ce100a2f6d16e8c0fbd096b622810bb62dd6dcf5719c657254129ec31.exe | 32
  PID 2916 wrote to memory of 2960 | 2916 | 3dc3c88ce100a2f6d16e8c0fbd096b622810bb62dd6dcf5719c657254129ec31.exe | 32
  PID 2916 wrote to memory of 2960 | 2916 | 3dc3c88ce100a2f6d16e8c0fbd096b622810bb62dd6dcf5719c657254129ec31.exe | 32
  PID 2960 wrote to memory of 3008 | 2960 | Client.exe | 33
  PID 2960 wrote to memory of 3008 | 2960 | Client.exe | 33
  PID 2960 wrote to memory of 3008 | 2960 | Client.exe | 33
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\3dc3c88ce100a2f6d16e8c0fbd096b622810bb62dd6dcf5719c657254129ec31.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3dc3c88ce100a2f6d16e8c0fbd096b622810bb62dd6dcf5719c657254129ec31.exe"
  PID: 2916
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "svhost32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID: 2872
    - Scheduled Task/Job: Scheduled Task
  - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    PID: 2960
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe
      Command line: "schtasks" /create /tn "svhost32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      PID: 3008
      - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.1MB
  MD5: fbb44da2d0860af30fc45116529832df
  SHA1: 44377732b9959172cdb261d366069801adafd52a
  SHA256: 3dc3c88ce100a2f6d16e8c0fbd096b622810bb62dd6dcf5719c657254129ec31
  SHA512: b1cdda7f3b67f1bedfbf896a4e7e8af0d12aa78a8709604d1262cc68ff0b0bdb3a326e7325075210f4d4e22e43fd7a7fa4bfbc90fc4c032bc3f3304f79157909