Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    28/02/2025, 05:12

General

  • Target

    test.exe

  • Size

    1.4MB

  • MD5

    b7b90c3d3f12be01a2508b40015cdae3

  • SHA1

    a14a3f57ae4f6d66da36636e41bb95efe4291999

  • SHA256

    fd5cb342981e9d61398e07e8ccbb12d758b0faec8515ed99c2fe070090b869e0

  • SHA512

    0ec46bbce7349bcae6b4068246b6c2a9feb6133697c4d192172878f5f8b5bfcdfbda7e8e06d4d211439e7a1251dd9a0e90d4b7d19ce76e00bb7b6356f16d467d

  • SSDEEP

    12288:qOBn5xPFMHnPHvw+XVTt6uQ4lPPwQ1Mg0xhOyoK5zKpyS1u5XHmIyg:qOfH8QmPwqMgwhfz6imxg

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

advertising-interfaces.gl.at.ply.gg:32479

Mutex

9e444bcd-22a0-41fd-b465-3a16b901895b

Attributes
  • encryption_key

    70773A6AB51CC4D9E9DBC452F577B4BEB037CC32

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    jdk-23_windows-x64

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\test.exe
    "C:\Users\Admin\AppData\Local\Temp\test.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "jdk-23_windows-x64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2652
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "jdk-23_windows-x64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2684

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

    Filesize

    1.4MB

    MD5

    b7b90c3d3f12be01a2508b40015cdae3

    SHA1

    a14a3f57ae4f6d66da36636e41bb95efe4291999

    SHA256

    fd5cb342981e9d61398e07e8ccbb12d758b0faec8515ed99c2fe070090b869e0

    SHA512

    0ec46bbce7349bcae6b4068246b6c2a9feb6133697c4d192172878f5f8b5bfcdfbda7e8e06d4d211439e7a1251dd9a0e90d4b7d19ce76e00bb7b6356f16d467d

  • memory/2704-10-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

    Filesize

    9.9MB

  • memory/2704-9-0x0000000001030000-0x0000000001194000-memory.dmp

    Filesize

    1.4MB

  • memory/2704-11-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

    Filesize

    9.9MB

  • memory/2704-12-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

    Filesize

    9.9MB

  • memory/3020-0-0x000007FEF5BB3000-0x000007FEF5BB4000-memory.dmp

    Filesize

    4KB

  • memory/3020-1-0x0000000001070000-0x00000000011D4000-memory.dmp

    Filesize

    1.4MB

  • memory/3020-2-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

    Filesize

    9.9MB

  • memory/3020-8-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

    Filesize

    9.9MB