Analysis

  • max time kernel
    93s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/01/2025, 08:43 UTC

Errors

Reason
Machine shutdown

General

  • Target

    s.exe

  • Size

    3.1MB

  • MD5

    c710a6667ea3c649ee266a981893440d

  • SHA1

    064314508d0579b471c568741ce170f1d6ce61d3

  • SHA256

    1ea872be9eeda2c5637a2f53b1121e88417bf0bff95fc12a2aeee9c48f0664e3

  • SHA512

    f9cc489459127a011f4e883f53d20c146d1ee2410e77b0c767162b11e42d2c3b19fb7fb40df841ce6c18bc3f3ad1b453de7692abaa69db71373c5a953fd31fe6

  • SSDEEP

    49152:bvTlL26AaNeWgPhlmVqvMQ7XSK2ixNESEXk/idLoGdSTHHB72eh2NT:bvJL26AaNeWgPhlmVqkQ7XSKfxeV

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

per-cassette.gl.at.ply.gg:41388

Mutex

96621e5e-be82-4575-8b94-bb078b016935

Attributes
  • encryption_key

    8372309E4F7DFDD0DD443E979B8B9374D4F2B48F

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 15 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\s.exe
    "C:\Users\Admin\AppData\Local\Temp\s.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3672
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3480
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:824
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2428
      • C:\Windows\System32\shutdown.exe
        "C:\Windows\System32\shutdown.exe" /s /t 0
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1860
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa38c7855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1976

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    73.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.ax-0001.ax-msedge.net
    g-bing-com.ax-0001.ax-msedge.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=391d6d20cdf74a369ff10fa9c48d3a74&localId=w:D0A40F9B-E320-78A2-894B-EDD71C20EBC5&deviceId=6966578605923370&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=391d6d20cdf74a369ff10fa9c48d3a74&localId=w:D0A40F9B-E320-78A2-894B-EDD71C20EBC5&deviceId=6966578605923370&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=2C7AC73042E261160FE0D2B543E46081; domain=.bing.com; expires=Wed, 25-Feb-2026 08:43:47 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 6256220A74DF4C88A6BD7D9DEB25E606 Ref B: LON601060108025 Ref C: 2025-01-31T08:43:47Z
    date: Fri, 31 Jan 2025 08:43:46 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=391d6d20cdf74a369ff10fa9c48d3a74&localId=w:D0A40F9B-E320-78A2-894B-EDD71C20EBC5&deviceId=6966578605923370&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=391d6d20cdf74a369ff10fa9c48d3a74&localId=w:D0A40F9B-E320-78A2-894B-EDD71C20EBC5&deviceId=6966578605923370&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=2C7AC73042E261160FE0D2B543E46081
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=CIpXdk9fs-CkPS8nG9w5AbtIAClXtS_0OLaDxYQOSj8; domain=.bing.com; expires=Wed, 25-Feb-2026 08:43:47 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: D83FC2E69B96412D97BE94E720722AF0 Ref B: LON601060108025 Ref C: 2025-01-31T08:43:47Z
    date: Fri, 31 Jan 2025 08:43:47 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=391d6d20cdf74a369ff10fa9c48d3a74&localId=w:D0A40F9B-E320-78A2-894B-EDD71C20EBC5&deviceId=6966578605923370&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=391d6d20cdf74a369ff10fa9c48d3a74&localId=w:D0A40F9B-E320-78A2-894B-EDD71C20EBC5&deviceId=6966578605923370&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=2C7AC73042E261160FE0D2B543E46081; MSPTC=CIpXdk9fs-CkPS8nG9w5AbtIAClXtS_0OLaDxYQOSj8
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: AE803496C5034BEAA184AE5D4CF09350 Ref B: LON601060108025 Ref C: 2025-01-31T08:43:47Z
    date: Fri, 31 Jan 2025 08:43:47 GMT
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    per-cassette.gl.at.ply.gg
    Client.exe
    Remote address:
    8.8.8.8:53
    Request
    per-cassette.gl.at.ply.gg
    IN A
    Response
    per-cassette.gl.at.ply.gg
    IN A
    147.185.221.25
  • flag-us
    DNS
    25.221.185.147.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    25.221.185.147.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    ipwho.is
    Client.exe
    Remote address:
    8.8.8.8:53
    Request
    ipwho.is
    IN A
    Response
    ipwho.is
    IN A
    195.201.57.90
  • flag-de
    GET
    https://ipwho.is/
    Client.exe
    Remote address:
    195.201.57.90:443
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
    Host: ipwho.is
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Fri, 31 Jan 2025 08:43:51 GMT
    Content-Type: application/json; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Server: ipwhois
    Access-Control-Allow-Headers: *
    X-Robots-Tag: noindex
  • flag-us
    DNS
    90.57.201.195.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    90.57.201.195.in-addr.arpa
    IN PTR
    Response
    90.57.201.195.in-addr.arpa
    IN PTR
    static.90.57.201.195.clients.your-server.de
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    13.153.16.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.153.16.2.in-addr.arpa
    IN PTR
    Response
    13.153.16.2.in-addr.arpa
    IN PTR
    a2-16-153-13.deploy.static.akamaitechnologies.com
  • 150.171.27.10:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=391d6d20cdf74a369ff10fa9c48d3a74&localId=w:D0A40F9B-E320-78A2-894B-EDD71C20EBC5&deviceId=6966578605923370&anid=
    tls, http2
    2.0kB
    9.4kB
    21
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=391d6d20cdf74a369ff10fa9c48d3a74&localId=w:D0A40F9B-E320-78A2-894B-EDD71C20EBC5&deviceId=6966578605923370&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=391d6d20cdf74a369ff10fa9c48d3a74&localId=w:D0A40F9B-E320-78A2-894B-EDD71C20EBC5&deviceId=6966578605923370&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=391d6d20cdf74a369ff10fa9c48d3a74&localId=w:D0A40F9B-E320-78A2-894B-EDD71C20EBC5&deviceId=6966578605923370&anid=

    HTTP Response

    204
  • 147.185.221.25:41388
    per-cassette.gl.at.ply.gg
    tls
    Client.exe
    3.8kB
    4.8kB
    30
    24
  • 195.201.57.90:443
    https://ipwho.is/
    tls, http
    Client.exe
    923 B
    6.3kB
    10
    10

    HTTP Request

    GET https://ipwho.is/

    HTTP Response

    200
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    73.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    73.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    148 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    150.171.27.10
    150.171.28.10

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    26.35.223.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    26.35.223.20.in-addr.arpa

  • 8.8.8.8:53
    per-cassette.gl.at.ply.gg
    dns
    Client.exe
    71 B
    87 B
    1
    1

    DNS Request

    per-cassette.gl.at.ply.gg

    DNS Response

    147.185.221.25

  • 8.8.8.8:53
    25.221.185.147.in-addr.arpa
    dns
    73 B
    130 B
    1
    1

    DNS Request

    25.221.185.147.in-addr.arpa

  • 8.8.8.8:53
    ipwho.is
    dns
    Client.exe
    54 B
    70 B
    1
    1

    DNS Request

    ipwho.is

    DNS Response

    195.201.57.90

  • 8.8.8.8:53
    90.57.201.195.in-addr.arpa
    dns
    72 B
    129 B
    1
    1

    DNS Request

    90.57.201.195.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    13.153.16.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    13.153.16.2.in-addr.arpa


Downloads

  • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

    Filesize

    3.1MB

    MD5

    c710a6667ea3c649ee266a981893440d

    SHA1

    064314508d0579b471c568741ce170f1d6ce61d3

    SHA256

    1ea872be9eeda2c5637a2f53b1121e88417bf0bff95fc12a2aeee9c48f0664e3

    SHA512

    f9cc489459127a011f4e883f53d20c146d1ee2410e77b0c767162b11e42d2c3b19fb7fb40df841ce6c18bc3f3ad1b453de7692abaa69db71373c5a953fd31fe6

  • memory/824-11-0x00007FF9E7920000-0x00007FF9E83E1000-memory.dmp

    Filesize

    10.8MB

  • memory/824-10-0x00007FF9E7920000-0x00007FF9E83E1000-memory.dmp

    Filesize

    10.8MB

  • memory/824-12-0x000000001C1A0000-0x000000001C1F0000-memory.dmp

    Filesize

    320KB

  • memory/824-13-0x000000001C2B0000-0x000000001C362000-memory.dmp

    Filesize

    712KB

  • memory/824-14-0x000000001C170000-0x000000001C182000-memory.dmp

    Filesize

    72KB

  • memory/824-15-0x000000001C230000-0x000000001C26C000-memory.dmp

    Filesize

    240KB

  • memory/824-16-0x00007FF9E7920000-0x00007FF9E83E1000-memory.dmp

    Filesize

    10.8MB

  • memory/824-17-0x00007FF9E7920000-0x00007FF9E83E1000-memory.dmp

    Filesize

    10.8MB

  • memory/3672-2-0x00007FF9E7920000-0x00007FF9E83E1000-memory.dmp

    Filesize

    10.8MB

  • memory/3672-1-0x0000000000CF0000-0x0000000001014000-memory.dmp

    Filesize

    3.1MB

  • memory/3672-9-0x00007FF9E7920000-0x00007FF9E83E1000-memory.dmp

    Filesize

    10.8MB

  • memory/3672-0-0x00007FF9E7923000-0x00007FF9E7925000-memory.dmp

    Filesize

    8KB