quasar | 600920f492a2bed6dd636efa706f7b7fde6043e3189156281ef3a9fbca534180

Analysis

max time kernel
22s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26/11/2024, 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

R2Tf11dq2.exe
Size

12.6MB
MD5

8a730916c93407c4b36e268918fd44e7
SHA1

c08a8ca96e78d0d4279270a1ea4cf92d7e8f9bad
SHA256

32693c669408671a06dd4aab4971a0e779a1c8bbe76b2d0f12f6f995f0cc1f01
SHA512

03ed7715ab1f7adf8f2b2d9185b5be96fd0c09fb73659f7df8602b93045fa1f6af032ce543fde8da011112c9de62a43ceed15e4d5ab2a972511a3bd47e9ff951
SSDEEP

196608:H4U7jbJjEQwFxWMkBZoW6yNrYc1T/1W3n2jowKL7+lmZg+Cjt5P5bJk:PjEQwFxWrovyNsYWjxL7+lmu+Cjn9J

Score

10^/10

quasar ougo80.sys discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

ougo80.sys

9910675-38737.portmap.host:38737

Mutex

8751ee57-1f35-4283-9098-f6f6d7cbbfae

Attributes

encryption_key
E83D6FC31962786DAEA703F111D2381786DF06CA
install_name
ougouv.exe
log_directory
ougpouivou
reconnect_delay
3000
startup_key
runtime.sys
subdirectory
0808g098

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 4 IoCs

resource	yara_rule
behavioral6/files/0x0005000000019589-10.dat	family_quasar
behavioral6/memory/3028-20-0x00000000002B0000-0x00000000005D4000-memory.dmp	family_quasar
behavioral6/memory/2584-26-0x0000000000C90000-0x0000000000FB4000-memory.dmp	family_quasar
behavioral6/memory/2860-39-0x0000000000FE0000-0x0000000001304000-memory.dmp	family_quasar

Executes dropped EXE 9 IoCs

pid	Process
2756	CHCP.COM
3028	IUY7U.EXE
2268	RELOG.EXE
2584	ougouv.exe
2076	CHCP.COM
2860	ougouv.exe
2852	CHCP.COM
604	ougouv.exe
2200	CHCP.COM

Loads dropped DLL 1 IoCs

pid	Process
2232	R2Tf11dq2.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\0808g098	ougouv.exe
File opened for modification	C:\Windows\system32\0808g098\ougouv.exe	IUY7U.EXE
File opened for modification	C:\Windows\system32\0808g098	IUY7U.EXE
File opened for modification	C:\Windows\system32\0808g098	ougouv.exe
File opened for modification	C:\Windows\system32\0808g098	ougouv.exe
File opened for modification	C:\Windows\system32\0808g098\ougouv.exe	ougouv.exe
File created	C:\Windows\system32\0808g098\ougouv.exe	IUY7U.EXE
File opened for modification	C:\Windows\system32\0808g098\ougouv.exe	ougouv.exe
File opened for modification	C:\Windows\system32\0808g098\ougouv.exe	ougouv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	R2Tf11dq2.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2060	PING.EXE
2088	PING.EXE
2176	PING.EXE

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
2176	PING.EXE
2060	PING.EXE
2088	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2936	schtasks.exe
1380	schtasks.exe
2736	schtasks.exe
2672	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	IUY7U.EXE
Token: SeDebugPrivilege	2584	ougouv.exe
Token: SeDebugPrivilege	2860	ougouv.exe
Token: SeDebugPrivilege	604	ougouv.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 3028	2232	R2Tf11dq2.exe	31
PID 2232 wrote to memory of 3028	2232	R2Tf11dq2.exe	31
PID 2232 wrote to memory of 3028	2232	R2Tf11dq2.exe	31
PID 2232 wrote to memory of 3028	2232	R2Tf11dq2.exe	31
PID 3028 wrote to memory of 2736	3028	IUY7U.EXE	33
PID 3028 wrote to memory of 2736	3028	IUY7U.EXE	33
PID 3028 wrote to memory of 2736	3028	IUY7U.EXE	33
PID 3028 wrote to memory of 2584	3028	IUY7U.EXE	35
PID 3028 wrote to memory of 2584	3028	IUY7U.EXE	35
PID 3028 wrote to memory of 2584	3028	IUY7U.EXE	35
PID 2584 wrote to memory of 2672	2584	ougouv.exe	36
PID 2584 wrote to memory of 2672	2584	ougouv.exe	36
PID 2584 wrote to memory of 2672	2584	ougouv.exe	36
PID 2584 wrote to memory of 2968	2584	ougouv.exe	38
PID 2584 wrote to memory of 2968	2584	ougouv.exe	38
PID 2584 wrote to memory of 2968	2584	ougouv.exe	38
PID 2968 wrote to memory of 2060	2968	cmd.exe	41
PID 2968 wrote to memory of 2060	2968	cmd.exe	41
PID 2968 wrote to memory of 2060	2968	cmd.exe	41
PID 2968 wrote to memory of 2860	2968	cmd.exe	42
PID 2968 wrote to memory of 2860	2968	cmd.exe	42
PID 2968 wrote to memory of 2860	2968	cmd.exe	42
PID 2860 wrote to memory of 2936	2860	ougouv.exe	43
PID 2860 wrote to memory of 2936	2860	ougouv.exe	43
PID 2860 wrote to memory of 2936	2860	ougouv.exe	43
PID 2860 wrote to memory of 2828	2860	ougouv.exe	45
PID 2860 wrote to memory of 2828	2860	ougouv.exe	45
PID 2860 wrote to memory of 2828	2860	ougouv.exe	45
PID 2828 wrote to memory of 2088	2828	cmd.exe	48
PID 2828 wrote to memory of 2088	2828	cmd.exe	48
PID 2828 wrote to memory of 2088	2828	cmd.exe	48
PID 2828 wrote to memory of 604	2828	cmd.exe	50
PID 2828 wrote to memory of 604	2828	cmd.exe	50
PID 2828 wrote to memory of 604	2828	cmd.exe	50
PID 604 wrote to memory of 1380	604	ougouv.exe	51
PID 604 wrote to memory of 1380	604	ougouv.exe	51
PID 604 wrote to memory of 1380	604	ougouv.exe	51
PID 604 wrote to memory of 2444	604	ougouv.exe	53
PID 604 wrote to memory of 2444	604	ougouv.exe	53
PID 604 wrote to memory of 2444	604	ougouv.exe	53
PID 2444 wrote to memory of 2176	2444	cmd.exe	56
PID 2444 wrote to memory of 2176	2444	cmd.exe	56
PID 2444 wrote to memory of 2176	2444	cmd.exe	56

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\R2Tf11dq2.exe
"C:\Users\Admin\AppData\Local\Temp\R2Tf11dq2.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\CHCP.COM
  "C:\Users\Admin\AppData\Local\Temp\CHCP.COM"
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Users\Admin\AppData\Local\Temp\IUY7U.EXE
  "C:\Users\Admin\AppData\Local\Temp\IUY7U.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "runtime.sys" /sc ONLOGON /tr "C:\Windows\system32\0808g098\ougouv.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2736
- - C:\Windows\system32\0808g098\ougouv.exe
    "C:\Windows\system32\0808g098\ougouv.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "runtime.sys" /sc ONLOGON /tr "C:\Windows\system32\0808g098\ougouv.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2672
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\SDvGqleCos0I.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Users\Admin\AppData\Local\Temp\CHCP.COM
        
        chcp 65001
        5⤵
        Executes dropped EXE
        
        PID:2076
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2060
    - - C:\Windows\system32\0808g098\ougouv.exe
        
        "C:\Windows\system32\0808g098\ougouv.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2860
      - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "runtime.sys" /sc ONLOGON /tr "C:\Windows\system32\0808g098\ougouv.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2936
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\p1mmB17TpxcC.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\CHCP.COM
        
        chcp 65001
        7⤵
        Executes dropped EXE
        
        PID:2852
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2088
        
        C:\Windows\system32\0808g098\ougouv.exe
        
        "C:\Windows\system32\0808g098\ougouv.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:604
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "runtime.sys" /sc ONLOGON /tr "C:\Windows\system32\0808g098\ougouv.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1380
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\5Yuj3t1o53rc.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\CHCP.COM
        
        chcp 65001
        9⤵
        Executes dropped EXE
        
        PID:2200
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2176
- C:\Users\Admin\AppData\Local\Temp\RELOG.EXE
  "C:\Users\Admin\AppData\Local\Temp\RELOG.EXE"
  2⤵
  - Executes dropped EXE
  PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5Yuj3t1o53rc.bat

Filesize
198B

MD5
a1353e10bdad6f29e8ded6c5cb07660e

SHA1
d5439a36c96538042c189bff50050a73b9e4e801

SHA256
e0883c71383ce9506badd97afc151be39aae7a32bcd8fc97c3a68950c7d2efde

SHA512
afd681bed49710938747591a886bdbb234316b4b7875f958c7ebf1c59a811afb4a4232f64e76722910f790a0d4e2fd280a981fe446560d35a551208b6cc49a42

Download Submit
C:\Users\Admin\AppData\Local\Temp\CHCP.COM

Filesize
12KB

MD5
6bc4f3126d659ec424ff10f7014e4a74

SHA1
d11976a9bf4158aefafe6e0f83a237d53b943e97

SHA256
a8cdb0ec6269d5c6bdbc3d769d4784f5a9ab42033b7944b1f5d78570a2bc6c5b

SHA512
be5abf0f245c068f5fb94ed65d951fc2e58bbbe17119830bd46a6abe69d0f1650f4f379c70bcc6185515d5373bd0137536c64a1df4a00a7fe9f2cda690325e44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUY7U.EXE

Filesize
3.1MB

MD5
544d53dbc501942a68fe7dae9e57032b

SHA1
a32d41d4d476f8f47d26fa0c2e47de1a43f94db0

SHA256
753f2d6d41e9b5b57645d4a59399aa5f8d73ea98b968b59c7de6778710b1c76e

SHA512
eaad5c2c62af30eac4be392d824a7cd1225791af7f9ee889af79f12a5e2b89f418a9609dfc06d5704bc2ae8ea02de84d974f857ecf1f023f660d0b8f902e6348

Download Submit
C:\Users\Admin\AppData\Local\Temp\RELOG.EXE

Filesize
46KB

MD5
ffe1ac1433396fd6aa891f2367388c0f

SHA1
7145d2f42aa331829efc4ba926527cdf422cffa7

SHA256
71e533f13262d3914ca8de44ca7bee2d910a2044ea44a18ff6d651083d203655

SHA512
676552cbeb0e791b774db8fc5ad3a858505b7a21bda13efa1878cc168b2522a80c223a4db988a1afb21a4ac36bff28401a07d95fb33e3827638cb8fa922221a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SDvGqleCos0I.bat

Filesize
198B

MD5
8d2eecc579f45a49dd5d5cb3d5ebf1f1

SHA1
c57bc1305eb22a8f04f16b92fd2a34c338d4ca98

SHA256
87782b44d0ff58e8a62fe9d434db5164aac63195814d13ace857739136973992

SHA512
7e238ad7de6a51cddebb708773e1a98b5e63c0e00101d3148fd058a567187c3001f7dd9cd04597e8a9aeed89147778a210140f1b9a4119c3532a0409bb4984b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\p1mmB17TpxcC.bat

Filesize
198B

MD5
160d3fcf2911a8504e5ef12e4536c3bc

SHA1
5deb2f2ae3be1971d8d76cfc71f88c48445cd139

SHA256
385eb384961d0297f2f8249accf8f3ad31d0bed3967b0cf79c2bb6d62fc7eb62

SHA512
814f99dec1420fc120b951683eae88723241985f50e6d29a493e5d991996d8f36e294189c89f9365e28821f944063a5ca20730aa9c9427e161a876f8e7cbcab9

Download Submit
memory/2584-26-0x0000000000C90000-0x0000000000FB4000-memory.dmp

Filesize
3.1MB

Download
memory/2860-39-0x0000000000FE0000-0x0000000001304000-memory.dmp

Filesize
3.1MB

Download
memory/3028-20-0x00000000002B0000-0x00000000005D4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads