Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
131s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
03/02/2025, 12:54
Static task
static1
Behavioral task
behavioral1
Sample
Payment010225.exe
Resource
win7-20240903-en
General
-
Target
Payment010225.exe
-
Size
951KB
-
MD5
b76d3e743d68ca1e3f04d641bfcc3ec7
-
SHA1
d2d4fea6920a1a737199ce0fcac7c44adb5d7bd8
-
SHA256
72209f1e92435b27f56db50ee9db7b82ebb11a6fb37ea5ade6cda13fc2c0d00c
-
SHA512
c1e29917358740c56e9c83a0a5e8ea48d368806a0b71b2a240df9f5568cb7dc0d7b18e2959fe5b40d4ada2733594b6c17e705f6181c3a38eeaa1efd0ab24558b
-
SSDEEP
24576:JPzFQtxBAb2JewjA/s5TqKnNiw0RALH0+XxryrSwg2J:1FC+2jpnNiRSXxqgM
Malware Config
Extracted
quasar
1.3.0.0
Stroy
109.248.151.166:61537
QSR_MUTEX_uHD8seWaFzpqqYxRLX
-
encryption_key
IR3AcRhjtuelpwNmTP7v
-
install_name
Updater.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Update
-
subdirectory
Windows
Signatures
-
Quasar family
-
Quasar payload 3 IoCs
resource yara_rule behavioral1/memory/2016-4-0x0000000000400000-0x000000000045E000-memory.dmp family_quasar behavioral1/memory/2016-8-0x0000000000400000-0x000000000045E000-memory.dmp family_quasar behavioral1/memory/2016-6-0x0000000000400000-0x000000000045E000-memory.dmp family_quasar -
Executes dropped EXE 3 IoCs
pid Process 2768 Updater.exe 2632 Updater.exe 2588 Updater.exe -
Loads dropped DLL 3 IoCs
pid Process 2016 Payment010225.exe 2768 Updater.exe 2768 Updater.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 2 ip-api.com -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 2168 set thread context of 2016 2168 Payment010225.exe 30 PID 2168 set thread context of 1628 2168 Payment010225.exe 31 PID 2768 set thread context of 2632 2768 Updater.exe 36 PID 2768 set thread context of 2588 2768 Updater.exe 37 -
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Payment010225.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Payment010225.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Payment010225.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Updater.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Updater.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Updater.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2836 schtasks.exe 2892 schtasks.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2168 Payment010225.exe Token: SeDebugPrivilege 2016 Payment010225.exe Token: SeDebugPrivilege 2768 Updater.exe Token: SeDebugPrivilege 2632 Updater.exe -
Suspicious use of WriteProcessMemory 57 IoCs
description pid Process procid_target PID 2168 wrote to memory of 2016 2168 Payment010225.exe 30 PID 2168 wrote to memory of 2016 2168 Payment010225.exe 30 PID 2168 wrote to memory of 2016 2168 Payment010225.exe 30 PID 2168 wrote to memory of 2016 2168 Payment010225.exe 30 PID 2168 wrote to memory of 2016 2168 Payment010225.exe 30 PID 2168 wrote to memory of 2016 2168 Payment010225.exe 30 PID 2168 wrote to memory of 2016 2168 Payment010225.exe 30 PID 2168 wrote to memory of 2016 2168 Payment010225.exe 30 PID 2168 wrote to memory of 2016 2168 Payment010225.exe 30 PID 2168 wrote to memory of 1628 2168 Payment010225.exe 31 PID 2168 wrote to memory of 1628 2168 Payment010225.exe 31 PID 2168 wrote to memory of 1628 2168 Payment010225.exe 31 PID 2168 wrote to memory of 1628 2168 Payment010225.exe 31 PID 2168 wrote to memory of 1628 2168 Payment010225.exe 31 PID 2168 wrote to memory of 1628 2168 Payment010225.exe 31 PID 2168 wrote to memory of 1628 2168 Payment010225.exe 31 PID 2168 wrote to memory of 1628 2168 Payment010225.exe 31 PID 2168 wrote to memory of 1628 2168 Payment010225.exe 31 PID 2016 wrote to memory of 2836 2016 Payment010225.exe 33 PID 2016 wrote to memory of 2836 2016 Payment010225.exe 33 PID 2016 wrote to memory of 2836 2016 Payment010225.exe 33 PID 2016 wrote to memory of 2836 2016 Payment010225.exe 33 PID 2016 wrote to memory of 2768 2016 Payment010225.exe 35 PID 2016 wrote to memory of 2768 2016 Payment010225.exe 35 PID 2016 wrote to memory of 2768 2016 Payment010225.exe 35 PID 2016 wrote to memory of 2768 2016 Payment010225.exe 35 PID 2016 wrote to memory of 2768 2016 Payment010225.exe 35 PID 2016 wrote to memory of 2768 2016 Payment010225.exe 35 PID 2016 wrote to memory of 2768 2016 Payment010225.exe 35 PID 2768 wrote to memory of 2632 2768 Updater.exe 36 PID 2768 wrote to memory of 2632 2768 Updater.exe 36 PID 2768 wrote to memory of 2632 2768 Updater.exe 36 PID 2768 wrote to memory of 2632 2768 Updater.exe 36 PID 2768 wrote to memory of 2632 2768 Updater.exe 36 PID 2768 wrote to memory of 2632 2768 Updater.exe 36 PID 2768 wrote to memory of 2632 2768 Updater.exe 36 PID 2768 wrote to memory of 2632 2768 Updater.exe 36 PID 2768 wrote to memory of 2632 2768 Updater.exe 36 PID 2768 wrote to memory of 2632 2768 Updater.exe 36 PID 2768 wrote to memory of 2632 2768 Updater.exe 36 PID 2768 wrote to memory of 2632 2768 Updater.exe 36 PID 2768 wrote to memory of 2588 2768 Updater.exe 37 PID 2768 wrote to memory of 2588 2768 Updater.exe 37 PID 2768 wrote to memory of 2588 2768 Updater.exe 37 PID 2768 wrote to memory of 2588 2768 Updater.exe 37 PID 2768 wrote to memory of 2588 2768 Updater.exe 37 PID 2768 wrote to memory of 2588 2768 Updater.exe 37 PID 2768 wrote to memory of 2588 2768 Updater.exe 37 PID 2768 wrote to memory of 2588 2768 Updater.exe 37 PID 2768 wrote to memory of 2588 2768 Updater.exe 37 PID 2768 wrote to memory of 2588 2768 Updater.exe 37 PID 2768 wrote to memory of 2588 2768 Updater.exe 37 PID 2768 wrote to memory of 2588 2768 Updater.exe 37 PID 2632 wrote to memory of 2892 2632 Updater.exe 38 PID 2632 wrote to memory of 2892 2632 Updater.exe 38 PID 2632 wrote to memory of 2892 2632 Updater.exe 38 PID 2632 wrote to memory of 2892 2632 Updater.exe 38
Processes
-
C:\Users\Admin\AppData\Local\Temp\Payment010225.exe"C:\Users\Admin\AppData\Local\Temp\Payment010225.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Users\Admin\AppData\Local\Temp\Payment010225.exeC:\Users\Admin\AppData\Local\Temp\Payment010225.exe2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Payment010225.exe" /rl HIGHEST /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2836
-
-
C:\Users\Admin\AppData\Roaming\Windows\Updater.exe"C:\Users\Admin\AppData\Roaming\Windows\Updater.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Users\Admin\AppData\Roaming\Windows\Updater.exeC:\Users\Admin\AppData\Roaming\Windows\Updater.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\Updater.exe" /rl HIGHEST /f5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2892
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\Updater.exeC:\Users\Admin\AppData\Roaming\Windows\Updater.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2588
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Payment010225.exeC:\Users\Admin\AppData\Local\Temp\Payment010225.exe2⤵
- System Location Discovery: System Language Discovery
PID:1628
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
951KB
MD5b76d3e743d68ca1e3f04d641bfcc3ec7
SHA1d2d4fea6920a1a737199ce0fcac7c44adb5d7bd8
SHA25672209f1e92435b27f56db50ee9db7b82ebb11a6fb37ea5ade6cda13fc2c0d00c
SHA512c1e29917358740c56e9c83a0a5e8ea48d368806a0b71b2a240df9f5568cb7dc0d7b18e2959fe5b40d4ada2733594b6c17e705f6181c3a38eeaa1efd0ab24558b