Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
131s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
22/03/2025, 18:08
General
-
Target
Client-built.exe
-
Size
3.1MB
-
MD5
73c23b1192bfd4f2fd59ca10523e13f2
-
SHA1
587f13586069971b5fb715a66aa498c36510a5dc
-
SHA256
d9db91945538a06bb9f9fd23cdba8b769953b654486c9d6ef85e891c58df2ffd
-
SHA512
07195c5b5f75aa682a5957e5f1bd440dd6b4cce1b6a4fd76ae0a9d621d8b32e25633178b71bffb02bb0c8af482dc00863e29a18e016694d8cfd5fb89740d32ec
-
SSDEEP
49152:HvLlL26AaNeWgPhlmVqvMQ7XSKOfsqIBe9joGARVTHHB72eh2NT:HvxL26AaNeWgPhlmVqkQ7XSKOEqZ
Malware Config
Extracted
quasar
1.4.1
Office04
192.168.10.126:52427
94.31.108.129:52427
8338883e-e167-4933-893d-9116970a5a7e
-
encryption_key
FFFB8904E2A834B666E9B38240430975448158C8
-
install_name
pcimprover.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Microsoft-Imrpover
-
subdirectory
find
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 3 IoCs
-
Executes dropped EXE 1 IoCs
-
Drops file in Program Files directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Microsoft-Imrpover" /sc ONLOGON /tr "C:\Program Files\find\pcimprover.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Program Files\find\pcimprover.exe"C:\Program Files\find\pcimprover.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Microsoft-Imrpover" /sc ONLOGON /tr "C:\Program Files\find\pcimprover.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD573c23b1192bfd4f2fd59ca10523e13f2
SHA1587f13586069971b5fb715a66aa498c36510a5dc
SHA256d9db91945538a06bb9f9fd23cdba8b769953b654486c9d6ef85e891c58df2ffd
SHA51207195c5b5f75aa682a5957e5f1bd440dd6b4cce1b6a4fd76ae0a9d621d8b32e25633178b71bffb02bb0c8af482dc00863e29a18e016694d8cfd5fb89740d32ec
-
Filesize
9.9MB
-
Filesize
3.1MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
3.1MB
-
Filesize
9.9MB
-
Filesize
9.9MB