Analysis
max time kernel: 147s
max time network: 149s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 28/02/2025, 05:12
Behavioral task
behavioral1
Sample: test.exe
Resource: win7-20240903-en
General
Target: test.exe
Size: 1.4MB
MD5: b7b90c3d3f12be01a2508b40015cdae3
SHA1: a14a3f57ae4f6d66da36636e41bb95efe4291999
SHA256: fd5cb342981e9d61398e07e8ccbb12d758b0faec8515ed99c2fe070090b869e0
SHA512: 0ec46bbce7349bcae6b4068246b6c2a9feb6133697c4d192172878f5f8b5bfcdfbda7e8e06d4d211439e7a1251dd9a0e90d4b7d19ce76e00bb7b6356f16d467d
SSDEEP: 12288:qOBn5xPFMHnPHvw+XVTt6uQ4lPPwQ1Mg0xhOyoK5zKpyS1u5XHmIyg:qOfH8QmPwqMgwhfz6imxg
Malware Config
Extracted
- quasar
- 1.4.1
- Office04
- advertising-interfaces.gl.at.ply.gg:32479
- 9e444bcd-22a0-41fd-b465-3a16b901895b
- encryption_key: 70773A6AB51CC4D9E9DBC452F577B4BEB037CC32
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: jdk-23_windows-x64
- subdirectory: SubDir
Signatures

Quasar family

Quasar payload (3 IoCs)
resource                                                                    yara_rule
behavioral1/memory/3020-1-0x0000000001070000-0x00000000011D4000-memory.dmp  family_quasar
behavioral1/files/0x0008000000015686-6.dat                                  family_quasar
behavioral1/memory/2704-9-0x0000000001030000-0x0000000001194000-memory.dmp  family_quasar

Executes dropped EXE (1 IoCs)
pid   Process
2704  Client.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
2652  schtasks.exe
2684  schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   Process
Token: SeDebugPrivilege  3020  test.exe
Token: SeDebugPrivilege  2704  Client.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid   Process
2704  Client.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description                       pid   Process     procid_target
PID 3020 wrote to memory of 2652  3020  test.exe    30
PID 3020 wrote to memory of 2652  3020  test.exe    30
PID 3020 wrote to memory of 2652  3020  test.exe    30
PID 3020 wrote to memory of 2704  3020  test.exe    32
PID 3020 wrote to memory of 2704  3020  test.exe    32
PID 3020 wrote to memory of 2704  3020  test.exe    32
PID 2704 wrote to memory of 2684  2704  Client.exe  33
PID 2704 wrote to memory of 2684  2704  Client.exe  33
PID 2704 wrote to memory of 2684  2704  Client.exe  33

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

test.exe (PID 3020), depth 1
  Path: C:\Users\Admin\AppData\Local\Temp\test.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\test.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  schtasks.exe (PID 2652), depth 2
    Path: C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "jdk-23_windows-x64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

  Client.exe (PID 2704), depth 2
    Path: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    schtasks.exe (PID 2684), depth 3
      Path: C:\Windows\system32\schtasks.exe
      Command line: "schtasks" /create /tn "jdk-23_windows-x64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.4MB
  MD5: b7b90c3d3f12be01a2508b40015cdae3
  SHA1: a14a3f57ae4f6d66da36636e41bb95efe4291999
  SHA256: fd5cb342981e9d61398e07e8ccbb12d758b0faec8515ed99c2fe070090b869e0
  SHA512: 0ec46bbce7349bcae6b4068246b6c2a9feb6133697c4d192172878f5f8b5bfcdfbda7e8e06d4d211439e7a1251dd9a0e90d4b7d19ce76e00bb7b6356f16d467d