Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    22s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/11/2024, 07:45

General

  • Target

    R2Tf11dq2.exe

  • Size

    12.6MB

  • MD5

    8a730916c93407c4b36e268918fd44e7

  • SHA1

    c08a8ca96e78d0d4279270a1ea4cf92d7e8f9bad

  • SHA256

    32693c669408671a06dd4aab4971a0e779a1c8bbe76b2d0f12f6f995f0cc1f01

  • SHA512

    03ed7715ab1f7adf8f2b2d9185b5be96fd0c09fb73659f7df8602b93045fa1f6af032ce543fde8da011112c9de62a43ceed15e4d5ab2a972511a3bd47e9ff951

  • SSDEEP

    196608:H4U7jbJjEQwFxWMkBZoW6yNrYc1T/1W3n2jowKL7+lmZg+Cjt5P5bJk:PjEQwFxWrovyNsYWjxL7+lmu+Cjn9J

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

ougo80.sys

C2

9910675-38737.portmap.host:38737

Mutex

8751ee57-1f35-4283-9098-f6f6d7cbbfae

Attributes
  • encryption_key

    E83D6FC31962786DAEA703F111D2381786DF06CA

  • install_name

    ougouv.exe

  • log_directory

    ougpouivou

  • reconnect_delay

    3000

  • startup_key

    runtime.sys

  • subdirectory

    0808g098

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 4 IoCs
  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\R2Tf11dq2.exe
    "C:\Users\Admin\AppData\Local\Temp\R2Tf11dq2.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Users\Admin\AppData\Local\Temp\CHCP.COM
      "C:\Users\Admin\AppData\Local\Temp\CHCP.COM"
      2⤵
      • Executes dropped EXE
      PID:2756
    • C:\Users\Admin\AppData\Local\Temp\IUY7U.EXE
      "C:\Users\Admin\AppData\Local\Temp\IUY7U.EXE"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "runtime.sys" /sc ONLOGON /tr "C:\Windows\system32\0808g098\ougouv.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2736
      • C:\Windows\system32\0808g098\ougouv.exe
        "C:\Windows\system32\0808g098\ougouv.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2584
        • C:\Windows\system32\schtasks.exe
          "schtasks" /create /tn "runtime.sys" /sc ONLOGON /tr "C:\Windows\system32\0808g098\ougouv.exe" /rl HIGHEST /f
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2672
        • C:\Windows\system32\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\SDvGqleCos0I.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2968
          • C:\Users\Admin\AppData\Local\Temp\CHCP.COM
            chcp 65001
            5⤵
            • Executes dropped EXE
            PID:2076
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            5⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2060
          • C:\Windows\system32\0808g098\ougouv.exe
            "C:\Windows\system32\0808g098\ougouv.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2860
            • C:\Windows\system32\schtasks.exe
              "schtasks" /create /tn "runtime.sys" /sc ONLOGON /tr "C:\Windows\system32\0808g098\ougouv.exe" /rl HIGHEST /f
              6⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2936
            • C:\Windows\system32\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\p1mmB17TpxcC.bat" "
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2828
              • C:\Users\Admin\AppData\Local\Temp\CHCP.COM
                chcp 65001
                7⤵
                • Executes dropped EXE
                PID:2852
              • C:\Windows\system32\PING.EXE
                ping -n 10 localhost
                7⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2088
              • C:\Windows\system32\0808g098\ougouv.exe
                "C:\Windows\system32\0808g098\ougouv.exe"
                7⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:604
                • C:\Windows\system32\schtasks.exe
                  "schtasks" /create /tn "runtime.sys" /sc ONLOGON /tr "C:\Windows\system32\0808g098\ougouv.exe" /rl HIGHEST /f
                  8⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:1380
                • C:\Windows\system32\cmd.exe
                  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5Yuj3t1o53rc.bat" "
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2444
                  • C:\Users\Admin\AppData\Local\Temp\CHCP.COM
                    chcp 65001
                    9⤵
                    • Executes dropped EXE
                    PID:2200
                  • C:\Windows\system32\PING.EXE
                    ping -n 10 localhost
                    9⤵
                    • System Network Configuration Discovery: Internet Connection Discovery
                    • Runs ping.exe
                    PID:2176
    • C:\Users\Admin\AppData\Local\Temp\RELOG.EXE
      "C:\Users\Admin\AppData\Local\Temp\RELOG.EXE"
      2⤵
      • Executes dropped EXE
      PID:2268
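
Reading the tree: IUY7U.EXE (3.1 MB, dropped into Temp by the 12.6 MB R2Tf11dq2.exe; its image is what the 3.1 MB memory dumps of PIDs 3028, 2584 and 2860 capture) is the Quasar client. It registers a logon task named runtime.sys (the startup_key from the config), installs a copy as C:\Windows\system32\0808g098\ougouv.exe (the configured subdirectory and install_name) and starts it; each copy re-registers the same task and hands off to a 198-byte batch file that runs chcp 65001, sleeps with ping -n 10 localhost (ten echo requests at one-second intervals, roughly nine seconds), then starts ougouv.exe again. That relaunch loop is why the same schtasks/cmd/ping pattern appears three times inside the 22-second run. Note also that the chcp 65001 processes are the dropped C:\Users\Admin\AppData\Local\Temp\CHCP.COM rather than the System32 binary, consistent with cmd.exe resolving commands from the current directory before PATH. The schtasks command line is the most reusable detection hook here: /sc ONLOGON, /rl HIGHEST and /f together, a task name dressed up as a driver file, and a target binary in a freshly created System32 subdirectory.

The Go program below is an added example (not part of the report and not a tria.ge signature) that turns those observations into a scoring rule over process-creation command lines. The sample lines are constructed: the first is the schtasks invocation from the tree above, the other two are invented to show a benign task and a borderline one. The thresholds and path lists are judgement calls, not a published rule.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one heuristic reason a schtasks command line resembles RAT persistence.
type Finding struct{ Rule, Detail string }

var (
	reCreate   = regexp.MustCompile(`(?i)schtasks(\.exe)?"?\s+/create\b`)
	reTaskName = regexp.MustCompile(`(?i)/tn\s+"?([^"\s]+)`)
	reTaskRun  = regexp.MustCompile(`(?i)/tr\s+(?:"([^"]+)"|(\S+))`)
	reSchedule = regexp.MustCompile(`(?i)/sc\s+(\S+)`)
	reRunLevel = regexp.MustCompile(`(?i)/rl\s+(\S+)`)
	reForce    = regexp.MustCompile(`(?i)\s/f(?:\s|$)`)
	reFileLike = regexp.MustCompile(`(?i)\.(sys|dll|exe|dat|tmp)$`)
)

// group returns the first non-empty capture group, or "" when the flag is absent.
func group(re *regexp.Regexp, s string) string {
	m := re.FindStringSubmatch(s)
	for i := 1; i < len(m); i++ {
		if m[i] != "" {
			return m[i]
		}
	}
	return ""
}

// AnalyzeSchtasks scores one command line (Security 4688 or Sysmon event 1). Heuristics only:
// every rule here has benign hits, which is why Suspicious below needs several together.
func AnalyzeSchtasks(cmdline string) []Finding {
	if !reCreate.MatchString(cmdline) {
		return nil
	}
	var out []Finding
	name := group(reTaskName, cmdline)
	target := strings.ToLower(group(reTaskRun, cmdline))
	sched := strings.ToLower(group(reSchedule, cmdline))
	if sched == "onlogon" || sched == "onstart" {
		out = append(out, Finding{"trigger", "task fires at " + sched})
	}
	if strings.EqualFold(group(reRunLevel, cmdline), "highest") {
		out = append(out, Finding{"privilege", "/rl HIGHEST runs the task with the elevated token"})
	}
	if reForce.MatchString(cmdline) {
		out = append(out, Finding{"overwrite", "/f silently replaces an existing task of that name"})
	}
	if reFileLike.MatchString(name) {
		out = append(out, Finding{"name", "task name impersonates a file: " + name})
	}
	const sys32 = `c:\windows\system32\`
	if strings.HasPrefix(target, sys32) && strings.Contains(target[len(sys32):], `\`) {
		out = append(out, Finding{"target", "binary in a non-standard System32 subdirectory: " + target})
	}
	for _, p := range []string{`\appdata\local\temp\`, `\appdata\roaming\`, `\programdata\`, `\users\public\`} {
		if strings.Contains(target, p) {
			out = append(out, Finding{"target", "binary in a user-writable directory: " + target})
			break
		}
	}
	return out
}

// Suspicious requires a logon/boot trigger plus at least two further findings.
func Suspicious(f []Finding) bool {
	trigger := false
	for _, x := range f {
		trigger = trigger || x.Rule == "trigger"
	}
	return trigger && len(f) >= 3
}

// Constructed sample lines: the first is the schtasks invocation from this report's process
// tree; the other two are made up to show a benign task and a borderline one.
var sampleCommandLines = []string{
	`"schtasks" /create /tn "runtime.sys" /sc ONLOGON /tr "C:\Windows\system32\0808g098\ougouv.exe" /rl HIGHEST /f`,
	`schtasks.exe /create /tn "Acme Backup" /sc DAILY /st 02:00 /tr "C:\Program Files\Acme\backup.exe"`,
	`schtasks /create /tn "Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\upd.exe"`,
}

func main() {
	for _, c := range sampleCommandLines {
		f := AnalyzeSchtasks(c)
		fmt.Printf("suspicious=%-5v findings=%d  %s\n", Suspicious(f), len(f), c)
		for _, x := range f {
			fmt.Printf("    [%s] %s\n", x.Rule, x.Detail)
		}
	}
}
```

On a live host the same persistence is visible with schtasks /query /tn runtime.sys /v (or Get-ScheduledTask -TaskName runtime.sys in PowerShell); the task, the binary it points at under C:\Windows\system32\0808g098\, and the mutex 8751ee57-1f35-4283-9098-f6f6d7cbbfae from the config are the host-side indicators to sweep for. The Task Scheduler COM API signature above is worth remembering too: Quasar can also register the task without spawning schtasks.exe, so a command-line rule alone does not cover every build.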

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\5Yuj3t1o53rc.bat

    Filesize

    198B

    MD5

    a1353e10bdad6f29e8ded6c5cb07660e

    SHA1

    d5439a36c96538042c189bff50050a73b9e4e801

    SHA256

    e0883c71383ce9506badd97afc151be39aae7a32bcd8fc97c3a68950c7d2efde

    SHA512

    afd681bed49710938747591a886bdbb234316b4b7875f958c7ebf1c59a811afb4a4232f64e76722910f790a0d4e2fd280a981fe446560d35a551208b6cc49a42

  • C:\Users\Admin\AppData\Local\Temp\CHCP.COM

    Filesize

    12KB

    MD5

    6bc4f3126d659ec424ff10f7014e4a74

    SHA1

    d11976a9bf4158aefafe6e0f83a237d53b943e97

    SHA256

    a8cdb0ec6269d5c6bdbc3d769d4784f5a9ab42033b7944b1f5d78570a2bc6c5b

    SHA512

    be5abf0f245c068f5fb94ed65d951fc2e58bbbe17119830bd46a6abe69d0f1650f4f379c70bcc6185515d5373bd0137536c64a1df4a00a7fe9f2cda690325e44

  • C:\Users\Admin\AppData\Local\Temp\IUY7U.EXE

    Filesize

    3.1MB

    MD5

    544d53dbc501942a68fe7dae9e57032b

    SHA1

    a32d41d4d476f8f47d26fa0c2e47de1a43f94db0

    SHA256

    753f2d6d41e9b5b57645d4a59399aa5f8d73ea98b968b59c7de6778710b1c76e

    SHA512

    eaad5c2c62af30eac4be392d824a7cd1225791af7f9ee889af79f12a5e2b89f418a9609dfc06d5704bc2ae8ea02de84d974f857ecf1f023f660d0b8f902e6348

  • C:\Users\Admin\AppData\Local\Temp\RELOG.EXE

    Filesize

    46KB

    MD5

    ffe1ac1433396fd6aa891f2367388c0f

    SHA1

    7145d2f42aa331829efc4ba926527cdf422cffa7

    SHA256

    71e533f13262d3914ca8de44ca7bee2d910a2044ea44a18ff6d651083d203655

    SHA512

    676552cbeb0e791b774db8fc5ad3a858505b7a21bda13efa1878cc168b2522a80c223a4db988a1afb21a4ac36bff28401a07d95fb33e3827638cb8fa922221a8

  • C:\Users\Admin\AppData\Local\Temp\SDvGqleCos0I.bat

    Filesize

    198B

    MD5

    8d2eecc579f45a49dd5d5cb3d5ebf1f1

    SHA1

    c57bc1305eb22a8f04f16b92fd2a34c338d4ca98

    SHA256

    87782b44d0ff58e8a62fe9d434db5164aac63195814d13ace857739136973992

    SHA512

    7e238ad7de6a51cddebb708773e1a98b5e63c0e00101d3148fd058a567187c3001f7dd9cd04597e8a9aeed89147778a210140f1b9a4119c3532a0409bb4984b9

  • C:\Users\Admin\AppData\Local\Temp\p1mmB17TpxcC.bat

    Filesize

    198B

    MD5

    160d3fcf2911a8504e5ef12e4536c3bc

    SHA1

    5deb2f2ae3be1971d8d76cfc71f88c48445cd139

    SHA256

    385eb384961d0297f2f8249accf8f3ad31d0bed3967b0cf79c2bb6d62fc7eb62

    SHA512

    814f99dec1420fc120b951683eae88723241985f50e6d29a493e5d991996d8f36e294189c89f9365e28821f944063a5ca20730aa9c9427e161a876f8e7cbcab9

  • memory/2584-26-0x0000000000C90000-0x0000000000FB4000-memory.dmp

    Filesize

    3.1MB

  • memory/2860-39-0x0000000000FE0000-0x0000000001304000-memory.dmp

    Filesize

    3.1MB

  • memory/3028-20-0x00000000002B0000-0x00000000005D4000-memory.dmp

    Filesize

    3.1MB