Analysis

  • max time kernel
    121s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/02/2025, 12:54 UTC

General

  • Target

    Payment010225.exe

  • Size

    951KB

  • MD5

    b76d3e743d68ca1e3f04d641bfcc3ec7

  • SHA1

    d2d4fea6920a1a737199ce0fcac7c44adb5d7bd8

  • SHA256

    72209f1e92435b27f56db50ee9db7b82ebb11a6fb37ea5ade6cda13fc2c0d00c

  • SHA512

    c1e29917358740c56e9c83a0a5e8ea48d368806a0b71b2a240df9f5568cb7dc0d7b18e2959fe5b40d4ada2733594b6c17e705f6181c3a38eeaa1efd0ab24558b

  • SSDEEP

    24576:JPzFQtxBAb2JewjA/s5TqKnNiw0RALH0+XxryrSwg2J:1FC+2jpnNiRSXxqgM

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Stroy

C2

109.248.151.166:61537

Mutex

QSR_MUTEX_uHD8seWaFzpqqYxRLX

Attributes
  • encryption_key

    IR3AcRhjtuelpwNmTP7v

  • install_name

    Updater.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Update

  • subdirectory

    Windows

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Payment010225.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment010225.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Users\Admin\AppData\Local\Temp\Payment010225.exe
      C:\Users\Admin\AppData\Local\Temp\Payment010225.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Payment010225.exe" /rl HIGHEST /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2836
      • C:\Users\Admin\AppData\Roaming\Windows\Updater.exe
        "C:\Users\Admin\AppData\Roaming\Windows\Updater.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2768
        • C:\Users\Admin\AppData\Roaming\Windows\Updater.exe
          C:\Users\Admin\AppData\Roaming\Windows\Updater.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2632
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\Updater.exe" /rl HIGHEST /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:2892
        • C:\Users\Admin\AppData\Roaming\Windows\Updater.exe
          C:\Users\Admin\AppData\Roaming\Windows\Updater.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2588
    • C:\Users\Admin\AppData\Local\Temp\Payment010225.exe
      C:\Users\Admin\AppData\Local\Temp\Payment010225.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1628

Network

  • flag-us
    DNS
    ip-api.com
    Updater.exe
    Remote address:
    8.8.8.8:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • flag-us
    GET
    http://ip-api.com/json/
    Payment010225.exe
    Remote address:
    208.95.112.1:80
    Request
    GET /json/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
    Host: ip-api.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Mon, 03 Feb 2025 12:54:21 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 291
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
  • flag-us
    GET
    http://ip-api.com/json/
    Updater.exe
    Remote address:
    208.95.112.1:80
    Request
    GET /json/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
    Host: ip-api.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Mon, 03 Feb 2025 12:54:23 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 291
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
  • 208.95.112.1:80
    http://ip-api.com/json/
    http
    Payment010225.exe
    374 B
    560 B
    5
    2

    HTTP Request

    GET http://ip-api.com/json/

    HTTP Response

    200
  • 208.95.112.1:80
    http://ip-api.com/json/
    http
    Updater.exe
    374 B
    640 B
    5
    4

    HTTP Request

    GET http://ip-api.com/json/

    HTTP Response

    200
  • 109.248.151.166:61537
    Updater.exe
    964 B
    733 B
    15
    13
  • 8.8.8.8:53
    ip-api.com
    dns
    Updater.exe
    56 B
    72 B
    1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1


Downloads

  • \Users\Admin\AppData\Roaming\Windows\Updater.exe

    Filesize

    951KB

    MD5

    b76d3e743d68ca1e3f04d641bfcc3ec7

    SHA1

    d2d4fea6920a1a737199ce0fcac7c44adb5d7bd8

    SHA256

    72209f1e92435b27f56db50ee9db7b82ebb11a6fb37ea5ade6cda13fc2c0d00c

    SHA512

    c1e29917358740c56e9c83a0a5e8ea48d368806a0b71b2a240df9f5568cb7dc0d7b18e2959fe5b40d4ada2733594b6c17e705f6181c3a38eeaa1efd0ab24558b

  • memory/1628-19-0x00000000746C0000-0x0000000074DAE000-memory.dmp

    Filesize

    6.9MB

  • memory/1628-17-0x00000000746C0000-0x0000000074DAE000-memory.dmp

    Filesize

    6.9MB

  • memory/1628-15-0x00000000746C0000-0x0000000074DAE000-memory.dmp

    Filesize

    6.9MB

  • memory/2016-8-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

  • memory/2016-4-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

  • memory/2016-6-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

  • memory/2016-18-0x00000000746C0000-0x0000000074DAE000-memory.dmp

    Filesize

    6.9MB

  • memory/2016-14-0x00000000746C0000-0x0000000074DAE000-memory.dmp

    Filesize

    6.9MB

  • memory/2016-27-0x00000000746C0000-0x0000000074DAE000-memory.dmp

    Filesize

    6.9MB

  • memory/2168-2-0x0000000006DA0000-0x0000000006EB0000-memory.dmp

    Filesize

    1.1MB

  • memory/2168-16-0x00000000746C0000-0x0000000074DAE000-memory.dmp

    Filesize

    6.9MB

  • memory/2168-3-0x00000000746C0000-0x0000000074DAE000-memory.dmp

    Filesize

    6.9MB

  • memory/2168-0-0x00000000746CE000-0x00000000746CF000-memory.dmp

    Filesize

    4KB

  • memory/2168-1-0x0000000000EB0000-0x0000000000FA4000-memory.dmp

    Filesize

    976KB

  • memory/2768-26-0x0000000000A20000-0x0000000000B14000-memory.dmp

    Filesize

    976KB
