Analysis

  • max time kernel
    126s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/02/2025, 21:48 UTC

General

  • Target

    f06b06c6332c2f6fa8ae2e650dd36ed70e850ac9a19ddf58193c357f0fbb349b.exe

  • Size

    5.5MB

  • MD5

    d39ebc382ec4e299ebfe7c2cc37677fc

  • SHA1

    b28d02f9d146248ef878a23d2cfba7c2be828795

  • SHA256

    f06b06c6332c2f6fa8ae2e650dd36ed70e850ac9a19ddf58193c357f0fbb349b

  • SHA512

    44647f02fe00af43767162ace5b86480e47c3ef7a625775a25895a817d2be1fa93acffa5767253422735891c6259fcb9baf1afb46407d8e53db68ecd10aaa51a

  • SSDEEP

    98304:RmBng9T/DSjSHtu4ffZN238DqQcBrcM7LacCmpfqAZekM5s3iD56lbSzfk:Y6DSjSHA4ffZI38kBPfacCmpCAZekM5c

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

C2

45.87.154.103:4782

45.87.154.103:5552

Mutex

U79isvQ39fwJG6MYPN

Attributes
  • encryption_key

    cpXWTWxmR3Z0HXR8Fdwt

  • install_name

    csrss.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    NET framework

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 4 IoCs
  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • Revengerat family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f06b06c6332c2f6fa8ae2e650dd36ed70e850ac9a19ddf58193c357f0fbb349b.exe
    "C:\Users\Admin\AppData\Local\Temp\f06b06c6332c2f6fa8ae2e650dd36ed70e850ac9a19ddf58193c357f0fbb349b.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Drops startup file
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2700
    • C:\ProgramData\kanovemamal\mokajotabet.exe
      "C:\ProgramData\kanovemamal\mokajotabet.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2040
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c @echo off & ping 127.0.0.1 -n 5 -w 1000 > nul & del "C:\Users\Admin\AppData\Local\Temp\f06b06c6332c2f6fa8ae2e650dd36ed70e850ac9a19ddf58193c357f0fbb349b.exe"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2604
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 5 -w 1000
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2672
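The process tree above carries three behaviours worth turning into process-creation analytics: the sample spawning cmd.exe with a ping-127.0.0.1-then-del chain to delete its own image, the dropped C:\ProgramData\kanovemamal\mokajotabet.exe starting the .NET framework utility InstallUtil.exe with no arguments (the hollowing target for the SetThreadContext/WriteProcessMemory activity flagged in the signatures), and an executable running from a freshly created ProgramData subdirectory. The following is an added example, not output of tria.ge or code from the Quasar project: it builds records mirroring this tree in Sysmon Event ID 1 field naming (an assumption about the log source) plus one benign InstallUtil control, and runs the three rules over them.

```python
import re
from typing import Dict, List, Tuple

# Constructed ProcessCreate-style records mirroring the process tree in this
# report (Sysmon field names are an assumption; the records are built here for
# the example and are not copied from the sandbox output).
SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "f06b06c6332c2f6fa8ae2e650dd36ed70e850ac9a19ddf58193c357f0fbb349b.exe")
DROPPED = "C:\\ProgramData\\kanovemamal\\mokajotabet.exe"
INSTALLUTIL = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe"

EVENTS: List[Dict[str, str]] = [
    {"ProcessId": "2700", "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"',
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"ProcessId": "2780", "Image": DROPPED, "CommandLine": f'"{DROPPED}"',
     "ParentImage": SAMPLE},
    {"ProcessId": "2040", "Image": INSTALLUTIL, "CommandLine": f'"{INSTALLUTIL}"',
     "ParentImage": DROPPED},
    {"ProcessId": "2604", "Image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "CommandLine": ('"C:\\Windows\\system32\\cmd.exe" /c @echo off & ping 127.0.0.1 '
                     '-n 5 -w 1000 > nul & del "' + SAMPLE + '"'),
     "ParentImage": SAMPLE},
    {"ProcessId": "2672", "Image": "C:\\Windows\\SysWOW64\\PING.EXE",
     "CommandLine": "ping 127.0.0.1 -n 5 -w 1000",
     "ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe"},
    # Benign control (constructed): an operator installing a service with InstallUtil.
    {"ProcessId": "3100", "Image": INSTALLUTIL,
     "CommandLine": f'"{INSTALLUTIL}" C:\\svc\\MyService.exe',
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
]

# .NET framework utilities commonly abused as hollowing targets (assumption: a
# short, non-exhaustive set chosen for this example).
DOTNET_LOLBINS = {"installutil.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe"}

# "ping 127.0.0.1 -n N ... & del "<path>.exe"": the delay-then-delete idiom.
SELF_DELETE_RE = re.compile(
    r"ping\s+127\.0\.0\.1\s+-n\s+\d+.*?&\s*del\s+\"?(?P<target>[^\"&]+\.exe)\"?",
    re.IGNORECASE)


def _args_after_image(cmdline: str) -> str:
    """Strip the leading (possibly quoted) program path; return the remaining arguments."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[end + 1:].strip() if end != -1 else ""
    parts = cmdline.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule_name, ProcessId) findings for the three behaviours above."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        image = ev["Image"].lower()
        name = image.rsplit("\\", 1)[-1]
        parent = ev["ParentImage"].lower()
        cmd = ev["CommandLine"]

        # Rule 1: cmd.exe sleeping via ping and then deleting its own parent's image.
        m = SELF_DELETE_RE.search(cmd)
        if name == "cmd.exe" and m and m.group("target").lower() == parent:
            findings.append(("self_delete_via_ping", ev["ProcessId"]))

        # Rule 2: .NET LOLBin started with an empty argument list by a parent outside
        # C:\Windows. Legitimate use always passes an assembly path; an argument-less
        # launch from a dropper is the shape of a process-hollowing target.
        if (name in DOTNET_LOLBINS and not _args_after_image(cmd)
                and not parent.startswith("c:\\windows\\")):
            findings.append(("dotnet_lolbin_hollow_target", ev["ProcessId"]))

        # Rule 3: an .exe executing from a subdirectory of C:\ProgramData.
        if (image.startswith("c:\\programdata\\") and image.count("\\") >= 3
                and name.endswith(".exe")):
            findings.append(("exec_from_programdata_subdir", ev["ProcessId"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:32s} PID {pid}")
```

Rule 2 is the high-value one here: InstallUtil.exe is signed Microsoft code, so image-reputation controls pass it, but it is only ever started legitimately with an assembly path argument, which makes "argument-less launch from a non-Windows parent" a cheap and precise detection of this injection pattern regardless of which RAT gets hollowed into it.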

Network

  • US
    DNS
    ip-api.com
    InstallUtil.exe
    Remote address:
    8.8.8.8:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • US
    GET
    http://ip-api.com/json/
    InstallUtil.exe
    Remote address:
    208.95.112.1:80
    Request
    GET /json/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
    Host: ip-api.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Tue, 04 Feb 2025 21:49:21 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 291
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
  • 208.95.112.1:80
    http://ip-api.com/json/
    http
    InstallUtil.exe
    374 B
    640 B
    5
    4

    HTTP Request

    GET http://ip-api.com/json/

    HTTP Response

    200
  • 45.87.154.103:4782
    InstallUtil.exe
    152 B
    3
  • 45.87.154.103:5552
    InstallUtil.exe
    152 B
    3
  • 45.87.154.103:4782
    InstallUtil.exe
    152 B
    3
  • 45.87.154.103:5552
    InstallUtil.exe
    152 B
    3
  • 8.8.8.8:53
    ip-api.com
    dns
    InstallUtil.exe
    56 B
    72 B
    1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\mntemp

    Filesize

    16B

    MD5

    8ba7c838ab15c599b7738854fcff343e

    SHA1

    b9e953c3d4f82fee91989d329052a35c932c84c1

    SHA256

    149fe925f3d8ac8abe574830c8e3e256b56d95d7c6fe6dff6a0e795f6ac7c938

    SHA512

    4f675754bd93138a540167f69cbed21974f957670c790eef7a56eaf744c84ca110f35edad6823edb4fbc76b24e5e595823246b6065a68b9f9cda2973e60b0de5

  • memory/2040-38-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

  • memory/2040-37-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

  • memory/2040-31-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

  • memory/2040-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2040-35-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

  • memory/2700-23-0x0000000001340000-0x0000000001F9F000-memory.dmp

    Filesize

    12.4MB

  • memory/2700-0-0x0000000001340000-0x0000000001F9F000-memory.dmp

    Filesize

    12.4MB

  • memory/2700-19-0x0000000003BC0000-0x000000000481F000-memory.dmp

    Filesize

    12.4MB

  • memory/2700-9-0x0000000000450000-0x0000000000550000-memory.dmp

    Filesize

    1024KB

  • memory/2700-5-0x0000000001340000-0x0000000001F9F000-memory.dmp

    Filesize

    12.4MB

  • memory/2700-4-0x0000000001340000-0x0000000001F9F000-memory.dmp

    Filesize

    12.4MB

  • memory/2700-3-0x0000000001340000-0x0000000001F9F000-memory.dmp

    Filesize

    12.4MB

  • memory/2700-1-0x00000000776C0000-0x00000000776C2000-memory.dmp

    Filesize

    8KB

  • memory/2780-21-0x0000000000B00000-0x000000000175F000-memory.dmp

    Filesize

    12.4MB

  • memory/2780-25-0x0000000000B00000-0x000000000175F000-memory.dmp

    Filesize

    12.4MB

  • memory/2780-26-0x0000000000B00000-0x000000000175F000-memory.dmp

    Filesize

    12.4MB

  • memory/2780-28-0x0000000000B00000-0x000000000175F000-memory.dmp

    Filesize

    12.4MB

  • memory/2780-39-0x0000000000B00000-0x000000000175F000-memory.dmp

    Filesize

    12.4MB
