Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

Proton.exe

windows7-x64

10

Proton.exe

windows10-2004-x64

Analysis

  • max time kernel
    61s
  • max time network
    76s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/03/2025, 13:57

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    Proton.exe

  • Size

    831KB

  • MD5

    34e8bec2eff81b0451a68e3fc7562fb8

  • SHA1

    91b8aa5907020bad02fcaed731f53e9e433e0f4d

  • SHA256

    dd31e310c502f14a8ca479ee8723dcb8ded8ce9caf6fbeaa435fc966bd1458a4

  • SHA512

    0a6d23997a9d29f40907097c28afa62162cc03369b8a8c4c84e124d131706a8dc19b62c0cc9efb2b6deccbcd72d4e034d9b893d538e5060d0cf7b43556bf4b05

  • SSDEEP

    24576:uZsS44StKHIPbcNK0KKfaOwI55l2SLaB4/:uZsSIKEgKKHwCBe

Score
10/10
quasaroffice04spywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.5.0

Botnet

Office04

C2

fall-alberta.gl.at.ply.gg:48316

Mutex

f3374a4e-4175-4db9-a8d8-303de2184767

Attributes
  • encryption_key

    669A421372DEF816BCFAA19491270BD72DCE71F1

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Proton VPN

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 47 IoCs
  • Suspicious use of SendNotifyMessage 47 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Proton.exe
    "C:\Users\Admin\AppData\Local\Temp\Proton.exe"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2584
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Proton VPN" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1208
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /7
    1⤵
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:5308

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2584-24-0x00000213E9BB0000-0x00000213E9BC2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2584-1-0x00000213CF420000-0x00000213CF4F6000-memory.dmp

    Filesize

    856KB

    Download

  • memory/2584-2-0x00000213CF8B0000-0x00000213CF8CA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2584-3-0x00007FFE59FE0000-0x00007FFE5AAA1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2584-4-0x00000213E9B30000-0x00000213E9B80000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2584-5-0x00000213E9DD0000-0x00000213E9E82000-memory.dmp

    Filesize

    712KB

    Download

  • memory/2584-6-0x00000213D11D0000-0x00000213D121E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/2584-7-0x00007FFE59FE3000-0x00007FFE59FE5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2584-8-0x00007FFE59FE0000-0x00007FFE5AAA1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2584-25-0x00000213E9D50000-0x00000213E9D8C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2584-0-0x00007FFE59FE3000-0x00007FFE59FE5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/5308-10-0x000001A013E50000-0x000001A013E51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5308-15-0x000001A013E50000-0x000001A013E51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5308-21-0x000001A013E50000-0x000001A013E51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5308-20-0x000001A013E50000-0x000001A013E51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5308-19-0x000001A013E50000-0x000001A013E51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5308-18-0x000001A013E50000-0x000001A013E51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5308-17-0x000001A013E50000-0x000001A013E51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5308-16-0x000001A013E50000-0x000001A013E51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5308-9-0x000001A013E50000-0x000001A013E51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5308-11-0x000001A013E50000-0x000001A013E51000-memory.dmp

    Filesize

    4KB

    Download