Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

ea2b9ce0bf...e8.exe

windows7-x64

10

ea2b9ce0bf...e8.exe

windows10-2004-x64

10

ea412d4c42...1c.exe

windows7-x64

10

ea412d4c42...1c.exe

windows10-2004-x64

10

ea5b328e16...cd.exe

windows7-x64

10

ea5b328e16...cd.exe

windows10-2004-x64

10

ea6fec7b9d...1b.exe

windows7-x64

1

ea6fec7b9d...1b.exe

windows10-2004-x64

1

ea78193c0a...a1.exe

windows7-x64

10

ea78193c0a...a1.exe

windows10-2004-x64

10

ea89c0c553...a2.exe

windows7-x64

1

ea89c0c553...a2.exe

windows10-2004-x64

1

eac98ebb34...f5.exe

windows7-x64

10

eac98ebb34...f5.exe

windows10-2004-x64

10

ead0a43ebb...05.exe

windows7-x64

10

ead0a43ebb...05.exe

windows10-2004-x64

10

eb00f484dd...2a.exe

windows7-x64

10

eb00f484dd...2a.exe

windows10-2004-x64

10

eb0d447842...57.exe

windows7-x64

7

eb0d447842...57.exe

windows10-2004-x64

7

eb3cc89ac8...b9.exe

windows7-x64

1

eb3cc89ac8...b9.exe

windows10-2004-x64

1

eb5a48e4b7...a2.exe

windows7-x64

10

eb5a48e4b7...a2.exe

windows10-2004-x64

10

eb5b067a2c...c7.exe

windows7-x64

7

eb5b067a2c...c7.exe

windows10-2004-x64

7

eb7e5b2843...5a.exe

windows7-x64

10

eb7e5b2843...5a.exe

windows10-2004-x64

10

eb8ab40a3b...5e.exe

windows7-x64

10

eb8ab40a3b...5e.exe

windows10-2004-x64

10

ebe2e28a80...2e.exe

windows7-x64

10

ebe2e28a80...2e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22/03/2025, 06:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ea2b9ce0bf438cd413b9da177608b91c6a1129a65917f66ae2db49a4d6776ee8.exe

  • Size

    3.1MB

  • MD5

    59cced923e3a96704b1e7b5549559aa7

  • SHA1

    2a463e2d878673c2041d0064b5185193efbd3113

  • SHA256

    ea2b9ce0bf438cd413b9da177608b91c6a1129a65917f66ae2db49a4d6776ee8

  • SHA512

    6f232972332a860120c663462b836124575ef9208eb1e0e9c7e75b9720f1a22ff09c264e8339f7fb75bb04bafed79bd282bf3d65837f7beec09642cf0dc80d61

  • SSDEEP

    49152:mvBt62XlaSFNWPjljiFa2RoUYIxpxNESE2k/iNLoGdXTHHB72eh2NT:mvr62XlaSFNWPjljiFXRoUYIrxJF

Score
10/10
quasaroffice04spywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

0.tcp.ngrok.io:16515

Mutex

8d4f5337-a7b5-4237-9349-d9bede1e2337

Attributes
  • encryption_key

    CC1E18558E65763D4940C1C87A6788F6761FFA4D

  • install_name

    svchostt.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    win64launcher

  • subdirectory

    SubDirr

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Drops file in System32 directory 5 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\ea2b9ce0bf438cd413b9da177608b91c6a1129a65917f66ae2db49a4d6776ee8.exe
    "C:\Users\Admin\AppData\Local\Temp\ea2b9ce0bf438cd413b9da177608b91c6a1129a65917f66ae2db49a4d6776ee8.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1252
    • C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "win64launcher" /sc ONLOGON /tr "C:\Windows\system32\SubDirr\svchostt.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3056
    • C:\Windows\system32\SubDirr\svchostt.exe
      "C:\Windows\system32\SubDirr\svchostt.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3024
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "win64launcher" /sc ONLOGON /tr "C:\Windows\system32\SubDirr\svchostt.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2200

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\System32\SubDirr\svchostt.exe
    Filesize

    3.1MB

    MD5

    59cced923e3a96704b1e7b5549559aa7

    SHA1

    2a463e2d878673c2041d0064b5185193efbd3113

    SHA256

    ea2b9ce0bf438cd413b9da177608b91c6a1129a65917f66ae2db49a4d6776ee8

    SHA512

    6f232972332a860120c663462b836124575ef9208eb1e0e9c7e75b9720f1a22ff09c264e8339f7fb75bb04bafed79bd282bf3d65837f7beec09642cf0dc80d61

    Download Submit

  • memory/1252-0-0x000007FEF5E13000-0x000007FEF5E14000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1252-1-0x0000000001070000-0x0000000001394000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/1252-2-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1252-8-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3024-9-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3024-10-0x0000000000DB0000-0x00000000010D4000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/3024-11-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3024-12-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

    Filesize

    9.9MB

    Download