Analysis
max time kernel: 22s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 26/11/2024, 07:45
Behavioral tasks
behavioral1: CMMON32.exe (resource win7-20240903-en)
behavioral2: Client-built.exe (resource win7-20240903-en)
behavioral3: CraxsRatV7.6.exe (resource win7-20240903-en)
behavioral4: FivemCheat.exe (resource win7-20240903-en)
behavioral5: QuantumBuilder.exe (resource win7-20241010-en)
behavioral6: R2Tf11dq2.exe (resource win7-20240903-en)
behavioral7: System.exe (resource win7-20240903-en)
behavioral8: kinginamoV2.exe (resource win7-20240903-en)
behavioral9: robloxfischscriptlist.exe (resource win7-20241010-en)
General
Target: R2Tf11dq2.exe
Size: 12.6MB
MD5: 8a730916c93407c4b36e268918fd44e7
SHA1: c08a8ca96e78d0d4279270a1ea4cf92d7e8f9bad
SHA256: 32693c669408671a06dd4aab4971a0e779a1c8bbe76b2d0f12f6f995f0cc1f01
SHA512: 03ed7715ab1f7adf8f2b2d9185b5be96fd0c09fb73659f7df8602b93045fa1f6af032ce543fde8da011112c9de62a43ceed15e4d5ab2a972511a3bd47e9ff951
SSDEEP: 196608:H4U7jbJjEQwFxWMkBZoW6yNrYc1T/1W3n2jowKL7+lmZg+Cjt5P5bJk:PjEQwFxWrovyNsYWjxL7+lmu+Cjn9J
Malware Config
Extracted
family: quasar
version: 1.4.1
ougo80.sys
9910675-38737.portmap.host:38737
8751ee57-1f35-4283-9098-f6f6d7cbbfae
encryption_key: E83D6FC31962786DAEA703F111D2381786DF06CA
install_name: ougouv.exe
log_directory: ougpouivou
reconnect_delay: 3000
startup_key: runtime.sys
subdirectory: 0808g098
Signatures

Quasar family

Quasar payload (4 IoCs)
resource | yara_rule
behavioral6/files/0x0005000000019589-10.dat | family_quasar
behavioral6/memory/3028-20-0x00000000002B0000-0x00000000005D4000-memory.dmp | family_quasar
behavioral6/memory/2584-26-0x0000000000C90000-0x0000000000FB4000-memory.dmp | family_quasar
behavioral6/memory/2860-39-0x0000000000FE0000-0x0000000001304000-memory.dmp | family_quasar

Executes dropped EXE (9 IoCs)
pid | Process
2756 | CHCP.COM
3028 | IUY7U.EXE
2268 | RELOG.EXE
2584 | ougouv.exe
2076 | CHCP.COM
2860 | ougouv.exe
2852 | CHCP.COM
604 | ougouv.exe
2200 | CHCP.COM

Loads dropped DLL (1 IoC)
pid | Process
2232 | R2Tf11dq2.exe

Drops file in System32 directory (9 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\0808g098 | ougouv.exe
File opened for modification | C:\Windows\system32\0808g098\ougouv.exe | IUY7U.EXE
File opened for modification | C:\Windows\system32\0808g098 | IUY7U.EXE
File opened for modification | C:\Windows\system32\0808g098 | ougouv.exe
File opened for modification | C:\Windows\system32\0808g098 | ougouv.exe
File opened for modification | C:\Windows\system32\0808g098\ougouv.exe | ougouv.exe
File created | C:\Windows\system32\0808g098\ougouv.exe | IUY7U.EXE
File opened for modification | C:\Windows\system32\0808g098\ougouv.exe | ougouv.exe
File opened for modification | C:\Windows\system32\0808g098\ougouv.exe | ougouv.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | R2Tf11dq2.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 3 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
2060 | PING.EXE
2088 | PING.EXE
2176 | PING.EXE

Runs ping.exe (1 TTP, 3 IoCs)
pid | Process
2176 | PING.EXE
2060 | PING.EXE
2088 | PING.EXE

Scheduled Task/Job: Scheduled Task (1 TTP, 4 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2936 | schtasks.exe
1380 | schtasks.exe
2736 | schtasks.exe
2672 | schtasks.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3028 | IUY7U.EXE
Token: SeDebugPrivilege | 2584 | ougouv.exe
Token: SeDebugPrivilege | 2860 | ougouv.exe
Token: SeDebugPrivilege | 604 | ougouv.exe

Suspicious use of WriteProcessMemory (43 IoCs)
description | pid | Process | procid_target
PID 2232 wrote to memory of 3028 | 2232 | R2Tf11dq2.exe | 31
PID 2232 wrote to memory of 3028 | 2232 | R2Tf11dq2.exe | 31
PID 2232 wrote to memory of 3028 | 2232 | R2Tf11dq2.exe | 31
PID 2232 wrote to memory of 3028 | 2232 | R2Tf11dq2.exe | 31
PID 3028 wrote to memory of 2736 | 3028 | IUY7U.EXE | 33
PID 3028 wrote to memory of 2736 | 3028 | IUY7U.EXE | 33
PID 3028 wrote to memory of 2736 | 3028 | IUY7U.EXE | 33
PID 3028 wrote to memory of 2584 | 3028 | IUY7U.EXE | 35
PID 3028 wrote to memory of 2584 | 3028 | IUY7U.EXE | 35
PID 3028 wrote to memory of 2584 | 3028 | IUY7U.EXE | 35
PID 2584 wrote to memory of 2672 | 2584 | ougouv.exe | 36
PID 2584 wrote to memory of 2672 | 2584 | ougouv.exe | 36
PID 2584 wrote to memory of 2672 | 2584 | ougouv.exe | 36
PID 2584 wrote to memory of 2968 | 2584 | ougouv.exe | 38
PID 2584 wrote to memory of 2968 | 2584 | ougouv.exe | 38
PID 2584 wrote to memory of 2968 | 2584 | ougouv.exe | 38
PID 2968 wrote to memory of 2060 | 2968 | cmd.exe | 41
PID 2968 wrote to memory of 2060 | 2968 | cmd.exe | 41
PID 2968 wrote to memory of 2060 | 2968 | cmd.exe | 41
PID 2968 wrote to memory of 2860 | 2968 | cmd.exe | 42
PID 2968 wrote to memory of 2860 | 2968 | cmd.exe | 42
PID 2968 wrote to memory of 2860 | 2968 | cmd.exe | 42
PID 2860 wrote to memory of 2936 | 2860 | ougouv.exe | 43
PID 2860 wrote to memory of 2936 | 2860 | ougouv.exe | 43
PID 2860 wrote to memory of 2936 | 2860 | ougouv.exe | 43
PID 2860 wrote to memory of 2828 | 2860 | ougouv.exe | 45
PID 2860 wrote to memory of 2828 | 2860 | ougouv.exe | 45
PID 2860 wrote to memory of 2828 | 2860 | ougouv.exe | 45
PID 2828 wrote to memory of 2088 | 2828 | cmd.exe | 48
PID 2828 wrote to memory of 2088 | 2828 | cmd.exe | 48
PID 2828 wrote to memory of 2088 | 2828 | cmd.exe | 48
PID 2828 wrote to memory of 604 | 2828 | cmd.exe | 50
PID 2828 wrote to memory of 604 | 2828 | cmd.exe | 50
PID 2828 wrote to memory of 604 | 2828 | cmd.exe | 50
PID 604 wrote to memory of 1380 | 604 | ougouv.exe | 51
PID 604 wrote to memory of 1380 | 604 | ougouv.exe | 51
PID 604 wrote to memory of 1380 | 604 | ougouv.exe | 51
PID 604 wrote to memory of 2444 | 604 | ougouv.exe | 53
PID 604 wrote to memory of 2444 | 604 | ougouv.exe | 53
PID 604 wrote to memory of 2444 | 604 | ougouv.exe | 53
PID 2444 wrote to memory of 2176 | 2444 | cmd.exe | 56
PID 2444 wrote to memory of 2176 | 2444 | cmd.exe | 56
PID 2444 wrote to memory of 2176 | 2444 | cmd.exe | 56

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indented by depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\R2Tf11dq2.exe (PID 2232)
  cmd: "C:\Users\Admin\AppData\Local\Temp\R2Tf11dq2.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\CHCP.COM (PID 2756)
    cmd: "C:\Users\Admin\AppData\Local\Temp\CHCP.COM"
    - Executes dropped EXE

  C:\Users\Admin\AppData\Local\Temp\IUY7U.EXE (PID 3028)
    cmd: "C:\Users\Admin\AppData\Local\Temp\IUY7U.EXE"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe (PID 2736)
      cmd: "schtasks" /create /tn "runtime.sys" /sc ONLOGON /tr "C:\Windows\system32\0808g098\ougouv.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task

    C:\Windows\system32\0808g098\ougouv.exe (PID 2584)
      cmd: "C:\Windows\system32\0808g098\ougouv.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\schtasks.exe (PID 2672)
        cmd: "schtasks" /create /tn "runtime.sys" /sc ONLOGON /tr "C:\Windows\system32\0808g098\ougouv.exe" /rl HIGHEST /f
        - Scheduled Task/Job: Scheduled Task

      C:\Windows\system32\cmd.exe (PID 2968)
        cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\SDvGqleCos0I.bat" "
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\CHCP.COM (PID 2076)
          cmd: chcp 65001
          - Executes dropped EXE

        C:\Windows\system32\PING.EXE (PID 2060)
          cmd: ping -n 10 localhost
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe

        C:\Windows\system32\0808g098\ougouv.exe (PID 2860)
          cmd: "C:\Windows\system32\0808g098\ougouv.exe"
          - Executes dropped EXE
          - Drops file in System32 directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

          C:\Windows\system32\schtasks.exe (PID 2936)
            cmd: "schtasks" /create /tn "runtime.sys" /sc ONLOGON /tr "C:\Windows\system32\0808g098\ougouv.exe" /rl HIGHEST /f
            - Scheduled Task/Job: Scheduled Task

          C:\Windows\system32\cmd.exe (PID 2828)
            cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\p1mmB17TpxcC.bat" "
            - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\CHCP.COM (PID 2852)
              cmd: chcp 65001
              - Executes dropped EXE

            C:\Windows\system32\PING.EXE (PID 2088)
              cmd: ping -n 10 localhost
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe

            C:\Windows\system32\0808g098\ougouv.exe (PID 604)
              cmd: "C:\Windows\system32\0808g098\ougouv.exe"
              - Executes dropped EXE
              - Drops file in System32 directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory

              C:\Windows\system32\schtasks.exe (PID 1380)
                cmd: "schtasks" /create /tn "runtime.sys" /sc ONLOGON /tr "C:\Windows\system32\0808g098\ougouv.exe" /rl HIGHEST /f
                - Scheduled Task/Job: Scheduled Task

              C:\Windows\system32\cmd.exe (PID 2444)
                cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\5Yuj3t1o53rc.bat" "
                - Suspicious use of WriteProcessMemory

                C:\Users\Admin\AppData\Local\Temp\CHCP.COM (PID 2200)
                  cmd: chcp 65001
                  - Executes dropped EXE

                C:\Windows\system32\PING.EXE (PID 2176)
                  cmd: ping -n 10 localhost
                  - System Network Configuration Discovery: Internet Connection Discovery
                  - Runs ping.exe

  C:\Users\Admin\AppData\Local\Temp\RELOG.EXE (PID 2268)
    cmd: "C:\Users\Admin\AppData\Local\Temp\RELOG.EXE"
    - Executes dropped EXE
Downloads