Analysis
- max time kernel: 147s
- max time network: 158s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 10-11-2022 09:09
- Static task: static1
- Behavioral task: behavioral1
- Sample: Odeme.exe
- Resource: win7-20220812-en
General
- Target: Odeme.exe
- Size: 1.8MB
- MD5: e40f64fd383df33b756de97b76508dc4
- SHA1: 8ea35ba8262b532748633d555ef1a5b5fb219562
- SHA256: 408c78bbd01630d88293c29b2dd137277d76cfb8c34dfc3de52e3f70f92d0d38
- SHA512: cccbbb34e768cab2b4ffeede69536b068e60789738a74f2b6fcc3628ba0b6e89d4b3d2dbc3400e33258505fddbbcefcc02a9eb41acea0822c175dc7a16f17b2f
- SSDEEP: 24576:bGHCm8uPdJdbmQGE6GnkKsTgV7OlsUpQpqmjVxMebNVzNFm0TSG:auWBiEHs8VGs0Qsmpyeb32G
Malware Config
Extracted
- Family: quasar
- Version: 1.3.0.0
- Botnet: top
- C2: dnuocc.com:64594
- C2: www.dnuocc.com:64594
- Mutex: QSR_MUTEX_NKzsG6279pND1MmPDw
Attributes
- encryption_key: 6c7zzdS2IXrGaCb9wrMU
- install_name: tors.exe
- log_directory: Logs
- reconnect_delay: 5000
- startup_key: tdm
- subdirectory: tilk
Signatures
-
Quasar payload 5 IoCs
Processes (resource, yara_rule):
- behavioral1/memory/524-73-0x0000000000400000-0x000000000045E000-memory.dmp, family_quasar
- behavioral1/memory/524-74-0x00000000004581BE-mapping.dmp, family_quasar
- behavioral1/memory/524-77-0x0000000000400000-0x000000000045E000-memory.dmp, family_quasar
- behavioral1/memory/524-79-0x0000000000400000-0x000000000045E000-memory.dmp, family_quasar
- behavioral1/memory/1828-88-0x00000000004581BE-mapping.dmp, family_quasar
-
Executes dropped EXE 5 IoCs
Processes (pid, process):
- 2016 gfxgx.sfx.exe
- 1972 gfxgx.exe
- 524 gfxgx.exe
- 1236 tors.exe
- 1828 tors.exe
-
Loads dropped DLL 6 IoCs
Processes (pid, process):
- 276 cmd.exe
- 2016 gfxgx.sfx.exe
- 2016 gfxgx.sfx.exe
- 2016 gfxgx.sfx.exe
- 2016 gfxgx.sfx.exe
- 524 gfxgx.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
- 1 ip-api.com
-
Suspicious use of SetThreadContext 2 IoCs
Processes (description, pid, process, target process):
- PID 1972 set thread context of 524; 1972; gfxgx.exe; gfxgx.exe
- PID 1236 set thread context of 1828; 1236; tors.exe; tors.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid, process):
- 1036 schtasks.exe
- 1864 schtasks.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege; 1972; gfxgx.exe
- Token: SeDebugPrivilege; 524; gfxgx.exe
- Token: SeDebugPrivilege; 1236; tors.exe
- Token: SeDebugPrivilege; 1828; tors.exe
-
Suspicious use of WriteProcessMemory 42 IoCs
Processes (description, pid, process, target process; repeated entries collapsed with a count):
- PID 1584 wrote to memory of 276; 1584; Odeme.exe; cmd.exe (x4)
- PID 276 wrote to memory of 2016; 276; cmd.exe; gfxgx.sfx.exe (x4)
- PID 2016 wrote to memory of 1972; 2016; gfxgx.sfx.exe; gfxgx.exe (x4)
- PID 1972 wrote to memory of 524; 1972; gfxgx.exe; gfxgx.exe (x9)
- PID 524 wrote to memory of 1036; 524; gfxgx.exe; schtasks.exe (x4)
- PID 524 wrote to memory of 1236; 524; gfxgx.exe; tors.exe (x4)
- PID 1236 wrote to memory of 1828; 1236; tors.exe; tors.exe (x9)
- PID 1828 wrote to memory of 1864; 1828; tors.exe; schtasks.exe (x4)
Processes (tree; the number is the depth in the process tree)
- [1] C:\Users\Admin\AppData\Local\Temp\Odeme.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Odeme.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\gfxgx.bat" "
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\gfxgx.sfx.exe
      Command line: gfxgx.sfx.exe -pyqdkffiqncmcjufgjkflgfhfjgukjvcghjfjcGHmfgkfughkfjumkSKrgbfknnsracznyvoGgfmfcgjhmvzgnbmgcjfbncgdpodnfionJjgimaabihqgdbwvhewhken -dC:\Users\Admin\AppData\Roaming
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Roaming\gfxgx.exe
        Command line: "C:\Users\Admin\AppData\Roaming\gfxgx.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - [5] C:\Users\Admin\AppData\Roaming\gfxgx.exe
          Command line: C:\Users\Admin\AppData\Roaming\gfxgx.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\SysWOW64\schtasks.exe
            Command line: "schtasks" /create /tn "tdm" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\gfxgx.exe" /rl HIGHEST /f
            - Creates scheduled task(s)
          - [6] C:\Users\Admin\AppData\Roaming\tilk\tors.exe
            Command line: "C:\Users\Admin\AppData\Roaming\tilk\tors.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - [7] C:\Users\Admin\AppData\Roaming\tilk\tors.exe
              Command line: C:\Users\Admin\AppData\Roaming\tilk\tors.exe
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              - [8] C:\Windows\SysWOW64\schtasks.exe
                Command line: "schtasks" /create /tn "tdm" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\tilk\tors.exe" /rl HIGHEST /f
                - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\gfxgx.bat
Filesize 155B
MD5 9d4164a125a4f7d232458f0a6cddbdfb
SHA1 23ca2c2908a97b2543fa1e0241189d3a4676ca84
SHA256 47c8ed3502b9de43a918da9abdf6f708ca5fc44febb3ab16314ff2b0aad55afd
SHA512 0f4b499bfdbafd6fda1dcaa7821443d74f8421b3b587264ad992586b3312a9b1a2e2e19d4739b31e93289e90cd5bc0be48e8f17645a42cc274ea044aa9542225
-
C:\Users\Admin\AppData\Local\Temp\gfxgx.sfx.exe
Filesize 1.2MB
MD5 50fc280c07ded77779e61a87a3d861fe
SHA1 f025a667489005ac753064e5eb494abe46a97393
SHA256 f4dff2c58d583ed5f7e21c505b788aca5f82f6a173f293acf615fdf10e7c9169
SHA512 dc42373945d9e43eb45470653de06e74d56fb8ff54d2c0f64509724f08b45440300c7fcccc64838fb0937bbbf13329198c524fdd949c3ea89ba715b80d87c666
-
C:\Users\Admin\AppData\Roaming\gfxgx.exe
Filesize 1.2MB
MD5 45c405bb47177a4ecdd9bc5ff88923eb
SHA1 a8605148e035dca5ce970d99fdb12d86f70eeef8
SHA256 e0be8a13f930fd4d337b7df74e3bd4bac4d9f1cf8fea0c46ce1ce066ed40d8aa
SHA512 b28043255d5c5f2f64de4359d57c45fccc82b04460c6a27ccd49841646b3ee84565098bfa6ab6f09d0dc835dc54665d4273e144a0fb5e3c61a10151b6803d210
-
C:\Users\Admin\AppData\Roaming\tilk\tors.exe
Filesize 1.2MB
MD5 45c405bb47177a4ecdd9bc5ff88923eb
SHA1 a8605148e035dca5ce970d99fdb12d86f70eeef8
SHA256 e0be8a13f930fd4d337b7df74e3bd4bac4d9f1cf8fea0c46ce1ce066ed40d8aa
SHA512 b28043255d5c5f2f64de4359d57c45fccc82b04460c6a27ccd49841646b3ee84565098bfa6ab6f09d0dc835dc54665d4273e144a0fb5e3c61a10151b6803d210
-
\Users\Admin\AppData\Local\Temp\gfxgx.sfx.exe
Filesize 1.2MB
MD5 50fc280c07ded77779e61a87a3d861fe
SHA1 f025a667489005ac753064e5eb494abe46a97393
SHA256 f4dff2c58d583ed5f7e21c505b788aca5f82f6a173f293acf615fdf10e7c9169
SHA512 dc42373945d9e43eb45470653de06e74d56fb8ff54d2c0f64509724f08b45440300c7fcccc64838fb0937bbbf13329198c524fdd949c3ea89ba715b80d87c666
-
\Users\Admin\AppData\Roaming\gfxgx.exe
Filesize 1.2MB
MD5 45c405bb47177a4ecdd9bc5ff88923eb
SHA1 a8605148e035dca5ce970d99fdb12d86f70eeef8
SHA256 e0be8a13f930fd4d337b7df74e3bd4bac4d9f1cf8fea0c46ce1ce066ed40d8aa
SHA512 b28043255d5c5f2f64de4359d57c45fccc82b04460c6a27ccd49841646b3ee84565098bfa6ab6f09d0dc835dc54665d4273e144a0fb5e3c61a10151b6803d210
-
\Users\Admin\AppData\Roaming\tilk\tors.exe
Filesize 1.2MB
MD5 45c405bb47177a4ecdd9bc5ff88923eb
SHA1 a8605148e035dca5ce970d99fdb12d86f70eeef8
SHA256 e0be8a13f930fd4d337b7df74e3bd4bac4d9f1cf8fea0c46ce1ce066ed40d8aa
SHA512 b28043255d5c5f2f64de4359d57c45fccc82b04460c6a27ccd49841646b3ee84565098bfa6ab6f09d0dc835dc54665d4273e144a0fb5e3c61a10151b6803d210
-
Memory dumps (Filesize where reported)
- memory/276-55-0x0000000000000000-mapping.dmp
- memory/524-77-0x0000000000400000-0x000000000045E000-memory.dmp, Filesize 376KB
- memory/524-79-0x0000000000400000-0x000000000045E000-memory.dmp, Filesize 376KB
- memory/524-73-0x0000000000400000-0x000000000045E000-memory.dmp, Filesize 376KB
- memory/524-74-0x00000000004581BE-mapping.dmp
- memory/1036-81-0x0000000000000000-mapping.dmp
- memory/1236-83-0x0000000000000000-mapping.dmp
- memory/1236-86-0x00000000013E0000-0x0000000001516000-memory.dmp, Filesize 1.2MB
- memory/1584-54-0x0000000075241000-0x0000000075243000-memory.dmp, Filesize 8KB
- memory/1828-88-0x00000000004581BE-mapping.dmp
- memory/1864-95-0x0000000000000000-mapping.dmp
- memory/1972-69-0x0000000000F40000-0x0000000001076000-memory.dmp, Filesize 1.2MB
- memory/1972-72-0x00000000003C0000-0x00000000003C6000-memory.dmp, Filesize 24KB
- memory/1972-70-0x00000000004A0000-0x00000000004A6000-memory.dmp, Filesize 24KB
- memory/1972-66-0x0000000000000000-mapping.dmp
- memory/1972-71-0x0000000004C30000-0x0000000004D7A000-memory.dmp, Filesize 1.3MB
- memory/2016-59-0x0000000000000000-mapping.dmp