Analysis

  • max time kernel
    9s
  • max time network
    12s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/01/2025, 19:39 UTC

General

  • Target

    s.exe

  • Size

    3.1MB

  • MD5

    c710a6667ea3c649ee266a981893440d

  • SHA1

    064314508d0579b471c568741ce170f1d6ce61d3

  • SHA256

    1ea872be9eeda2c5637a2f53b1121e88417bf0bff95fc12a2aeee9c48f0664e3

  • SHA512

    f9cc489459127a011f4e883f53d20c146d1ee2410e77b0c767162b11e42d2c3b19fb7fb40df841ce6c18bc3f3ad1b453de7692abaa69db71373c5a953fd31fe6

  • SSDEEP

    49152:bvTlL26AaNeWgPhlmVqvMQ7XSK2ixNESEXk/idLoGdSTHHB72eh2NT:bvJL26AaNeWgPhlmVqkQ7XSKfxeV

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

per-cassette.gl.at.ply.gg:41388

Mutex

96621e5e-be82-4575-8b94-bb078b016935

Attributes
  • encryption_key

    8372309E4F7DFDD0DD443E979B8B9374D4F2B48F

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\s.exe
    "C:\Users\Admin\AppData\Local\Temp\s.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3772
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3044
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3612
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4532

Network

  • US
    DNS
    4.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    4.160.190.20.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    58.99.105.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.99.105.20.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    per-cassette.gl.at.ply.gg
    Client.exe
    Remote address:
    8.8.8.8:53
    Request
    per-cassette.gl.at.ply.gg
    IN A
    Response
    per-cassette.gl.at.ply.gg
    IN A
    147.185.221.25
  • 147.185.221.25:41388
    per-cassette.gl.at.ply.gg
    Client.exe
    208 B
    4
  • 8.8.8.8:53
    4.160.190.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    4.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    58.99.105.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    58.99.105.20.in-addr.arpa

  • 8.8.8.8:53
    per-cassette.gl.at.ply.gg
    dns
    Client.exe
    71 B
    87 B
    1
    1

    DNS Request

    per-cassette.gl.at.ply.gg

    DNS Response

    147.185.221.25

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

    Filesize

    3.1MB

    MD5

    c710a6667ea3c649ee266a981893440d

    SHA1

    064314508d0579b471c568741ce170f1d6ce61d3

    SHA256

    1ea872be9eeda2c5637a2f53b1121e88417bf0bff95fc12a2aeee9c48f0664e3

    SHA512

    f9cc489459127a011f4e883f53d20c146d1ee2410e77b0c767162b11e42d2c3b19fb7fb40df841ce6c18bc3f3ad1b453de7692abaa69db71373c5a953fd31fe6

  • memory/3612-10-0x00007FFCB9340000-0x00007FFCB9E01000-memory.dmp

    Filesize

    10.8MB

  • memory/3612-11-0x00007FFCB9340000-0x00007FFCB9E01000-memory.dmp

    Filesize

    10.8MB

  • memory/3612-12-0x000000001C1D0000-0x000000001C220000-memory.dmp

    Filesize

    320KB

  • memory/3612-13-0x000000001C2E0000-0x000000001C392000-memory.dmp

    Filesize

    712KB

  • memory/3612-14-0x00007FFCB9340000-0x00007FFCB9E01000-memory.dmp

    Filesize

    10.8MB

  • memory/3772-0-0x00007FFCB9343000-0x00007FFCB9345000-memory.dmp

    Filesize

    8KB

  • memory/3772-1-0x0000000000220000-0x0000000000544000-memory.dmp

    Filesize

    3.1MB

  • memory/3772-2-0x00007FFCB9340000-0x00007FFCB9E01000-memory.dmp

    Filesize

    10.8MB

  • memory/3772-9-0x00007FFCB9340000-0x00007FFCB9E01000-memory.dmp

    Filesize

    10.8MB
