Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted
10-11-2022 09:09
Static task
static1
Behavioral task
behavioral1
Sample
Odeme.exe
Resource
win7-20220812-en
General
-
Target
Odeme.exe
-
Size
1.8MB
-
MD5
e40f64fd383df33b756de97b76508dc4
-
SHA1
8ea35ba8262b532748633d555ef1a5b5fb219562
-
SHA256
408c78bbd01630d88293c29b2dd137277d76cfb8c34dfc3de52e3f70f92d0d38
-
SHA512
cccbbb34e768cab2b4ffeede69536b068e60789738a74f2b6fcc3628ba0b6e89d4b3d2dbc3400e33258505fddbbcefcc02a9eb41acea0822c175dc7a16f17b2f
-
SSDEEP
24576:bGHCm8uPdJdbmQGE6GnkKsTgV7OlsUpQpqmjVxMebNVzNFm0TSG:auWBiEHs8VGs0Qsmpyeb32G
Malware Config
Extracted
family
quasar
-
version
1.3.0.0
-
C2 hosts
dnuocc.com:64594
www.dnuocc.com:64594
-
mutex
QSR_MUTEX_NKzsG6279pND1MmPDw
-
encryption_key
6c7zzdS2IXrGaCb9wrMU
-
install_name
tors.exe
-
log_directory
Logs
-
reconnect_delay
5000
-
startup_key
tdm
-
subdirectory
tilk
Signatures
-
Quasar payload 3 IoCs
Processes:
resource                                                                      yara_rule
behavioral2/memory/456-144-0x0000000000000000-mapping.dmp                     family_quasar
behavioral2/memory/456-145-0x0000000000400000-0x000000000045E000-memory.dmp   family_quasar
behavioral2/memory/2452-155-0x0000000000000000-mapping.dmp                    family_quasar
Executes dropped EXE 5 IoCs
Processes:
pid   process
1564  gfxgx.sfx.exe
3368  gfxgx.exe
456   gfxgx.exe
4300  tors.exe
2452  tors.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry (Control Panel\International\Geo\Nation), which malware can use to geofence execution. Note that many benign programs and runtimes read this key while initialising locale information, so on its own this is weak evidence of geofencing.
Processes:
description        ioc                                                                                                   process
Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  Odeme.exe
Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  gfxgx.sfx.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
10    ip-api.com
Suspicious use of SetThreadContext 2 IoCs
Processes:
description                          pid   process    target process
PID 3368 set thread context of 456   3368  gfxgx.exe  gfxgx.exe
PID 4300 set thread context of 2452  4300  tors.exe   tors.exe
In both cases the parent launches a second instance of its own image and then sets the thread context of that child. Together with the repeated WriteProcessMemory calls into the same children (see below), this is the process hollowing pattern; the two children, PIDs 456 and 2452, are exactly the processes in which the Quasar payload was found in memory.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; for a RAT such as Quasar, drive enumeration is expected from its remote file-manager functionality and is not by itself evidence of file encryption.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid   process
5012  schtasks.exe
4776  schtasks.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  3368  gfxgx.exe
Token: SeDebugPrivilege  456   gfxgx.exe
Token: SeDebugPrivilege  4300  tors.exe
Token: SeDebugPrivilege  2452  tors.exe
Suspicious use of WriteProcessMemory 34 IoCs
Processes (34 individual events, collapsed by parent/target pair):
pid   process        target pid  target process  writes
4316  Odeme.exe      2616        cmd.exe         3
2616  cmd.exe        1564        gfxgx.sfx.exe   3
1564  gfxgx.sfx.exe  3368        gfxgx.exe       3
3368  gfxgx.exe      456         gfxgx.exe       8
456   gfxgx.exe      4776        schtasks.exe    3
456   gfxgx.exe      4300        tors.exe        3
4300  tors.exe       2452        tors.exe        8
2452  tors.exe       5012        schtasks.exe    3
Every ordinary process creation in this run shows the same three writes into the new child. The eight writes from 3368 into 456 and from 4300 into 2452 go into same-image children that then receive SetThreadContext, which is consistent with the payload being written into a hollowed copy of the parent.
Processes
-
1  C:\Users\Admin\AppData\Local\Temp\Odeme.exe (PID 4316)
   "C:\Users\Admin\AppData\Local\Temp\Odeme.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2  C:\Windows\SysWOW64\cmd.exe (PID 2616)
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gfxgx.bat" "
      - Suspicious use of WriteProcessMemory
      3  C:\Users\Admin\AppData\Local\Temp\gfxgx.sfx.exe (PID 1564)
         gfxgx.sfx.exe -pyqdkffiqncmcjufgjkflgfhfjgukjvcghjfjcGHmfgkfughkfjumkSKrgbfknnsracznyvoGgfmfcgjhmvzgnbmgcjfbncgdpodnfionJjgimaabihqgdbwvhewhken -dC:\Users\Admin\AppData\Roaming
         - Executes dropped EXE
         - Checks computer location settings
         - Suspicious use of WriteProcessMemory
         4  C:\Users\Admin\AppData\Roaming\gfxgx.exe (PID 3368)
            "C:\Users\Admin\AppData\Roaming\gfxgx.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            5  C:\Users\Admin\AppData\Roaming\gfxgx.exe (PID 456)
               C:\Users\Admin\AppData\Roaming\gfxgx.exe
               - Executes dropped EXE
               - Suspicious use of AdjustPrivilegeToken
               - Suspicious use of WriteProcessMemory
               6  C:\Windows\SysWOW64\schtasks.exe (PID 4776)
                  "schtasks" /create /tn "tdm" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\gfxgx.exe" /rl HIGHEST /f
                  - Creates scheduled task(s)
               6  C:\Users\Admin\AppData\Roaming\tilk\tors.exe (PID 4300)
                  "C:\Users\Admin\AppData\Roaming\tilk\tors.exe"
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  7  C:\Users\Admin\AppData\Roaming\tilk\tors.exe (PID 2452)
                     C:\Users\Admin\AppData\Roaming\tilk\tors.exe
                     - Executes dropped EXE
                     - Suspicious use of AdjustPrivilegeToken
                     - Suspicious use of WriteProcessMemory
                     8  C:\Windows\SysWOW64\schtasks.exe (PID 5012)
                        "schtasks" /create /tn "tdm" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\tilk\tors.exe" /rl HIGHEST /f
                        - Creates scheduled task(s)

Reading the chain: Odeme.exe runs a dropped batch file that launches a password-protected self-extracting archive (the -p password and -d destination switches) into %APPDATA%. The extracted gfxgx.exe hollows a copy of itself, registers a logon task named "tdm" (the config's startup_key) pointing at itself, then installs the copy at %APPDATA%\tilk\tors.exe (the config's subdirectory and install_name). That copy repeats the hollowing and re-creates the same task name with /f, so the task ends up pointing at tors.exe rather than gfxgx.exe.
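The process tree above is a good target for a detection: a same-image parent/child spawn (the hollowing precursor) followed by schtasks creating a logon task at HIGHEST run level that points into a user-writable AppData path, with the task name and install path predicted by the extracted Quasar config. The script below is an added example, not sandbox output and not Quasar code; the events are constructed from this report's process tree (PIDs, images and command lines, with the SFX password shortened), and the Sysmon-style pid/ppid/image/cmdline fields and the "two of three reasons" threshold are assumptions of the example.

```python
"""Hunt for the Quasar install and persistence chain seen in this report."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:              # assumed Sysmon-style process-creation fields
    pid: int
    ppid: int
    image: str
    cmdline: str


R = r"C:\Users\Admin\AppData\Roaming"
T = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed from the report's process tree; the SFX password is shortened.
EVENTS = [
    ProcEvent(4316, 1, T + r"\Odeme.exe", f'"{T}\\Odeme.exe"'),
    ProcEvent(2616, 4316, r"C:\Windows\SysWOW64\cmd.exe",
              f'C:\\Windows\\system32\\cmd.exe /c ""{T}\\gfxgx.bat" "'),
    ProcEvent(1564, 2616, T + r"\gfxgx.sfx.exe", f"gfxgx.sfx.exe -p<password> -d{R}"),
    ProcEvent(3368, 1564, R + r"\gfxgx.exe", f'"{R}\\gfxgx.exe"'),
    ProcEvent(456, 3368, R + r"\gfxgx.exe", f"{R}\\gfxgx.exe"),
    ProcEvent(4776, 456, r"C:\Windows\SysWOW64\schtasks.exe",
              f'"schtasks" /create /tn "tdm" /sc ONLOGON /tr "{R}\\gfxgx.exe" /rl HIGHEST /f'),
    ProcEvent(4300, 456, R + r"\tilk\tors.exe", f'"{R}\\tilk\\tors.exe"'),
    ProcEvent(2452, 4300, R + r"\tilk\tors.exe", f"{R}\\tilk\\tors.exe"),
    ProcEvent(5012, 2452, r"C:\Windows\SysWOW64\schtasks.exe",
              f'"schtasks" /create /tn "tdm" /sc ONLOGON /tr "{R}\\tilk\\tors.exe" /rl HIGHEST /f'),
]

# Values taken from the Malware Config section of this report.
QUASAR_CONFIG = {
    "install_name": "tors.exe",
    "subdirectory": "tilk",
    "startup_key": "tdm",
    "hosts": ["dnuocc.com:64594", "www.dnuocc.com:64594"],
    "mutex": "QSR_MUTEX_NKzsG6279pND1MmPDw",
}

USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.I)


def parse_switches(cmdline):
    """Split a Windows command line into tokens ("quoted" or bare) and map /switch -> value."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    switches = {}
    i = 1                                   # tokens[0] is the program itself
    while i < len(tokens):
        if tokens[i].startswith("/"):
            key = tokens[i][1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                switches[key] = tokens[i + 1]   # switch with an argument
                i += 2
                continue
            switches[key] = True                # bare switch such as /create or /f
        i += 1
    return switches


def suspicious_schtasks(events):
    """schtasks /create showing at least two of: logon/boot trigger, HIGHEST run level,
    target under a user-writable AppData path. Returns (pid, task name, target, reasons)."""
    hits = []
    for ev in events:
        if not ev.image.lower().endswith("\\schtasks.exe"):
            continue
        sw = parse_switches(ev.cmdline)
        if "create" not in sw:
            continue
        target = sw.get("tr", "")
        reasons = []
        if str(sw.get("sc", "")).upper() in ("ONLOGON", "ONSTART"):
            reasons.append("logon/boot trigger")
        if str(sw.get("rl", "")).upper() == "HIGHEST":
            reasons.append("highest run level")
        if USER_WRITABLE.search(target):
            reasons.append("target in user-writable AppData")
        if len(reasons) >= 2:
            hits.append((ev.pid, sw.get("tn"), target, tuple(reasons)))
    return hits


def self_spawn(events):
    """Parent/child pairs with the same image path: the precursor of the
    SetThreadContext + WriteProcessMemory hollowing seen in this report."""
    by_pid = {e.pid: e for e in events}
    pairs = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent and parent.image.lower() == e.image.lower():
            pairs.append((parent.pid, e.pid, e.image.rsplit("\\", 1)[-1]))
    return pairs


def expected_install_path(config, appdata=R):
    """Install location predicted by the config: subdirectory/install_name under %APPDATA%."""
    return "\\".join((appdata, config["subdirectory"], config["install_name"]))


def correlate_with_config(events, config, appdata=R):
    """Check the observed chain against what the extracted config predicts."""
    install = expected_install_path(config, appdata).lower()
    task_names = {tn for _, tn, _, _ in suspicious_schtasks(events)}
    return {
        "installed_copy_ran": any(e.image.lower() == install for e in events),
        "startup_task_matches_key": config["startup_key"] in task_names,
        "installed_copy_hollowed": any(img.lower() == config["install_name"].lower()
                                       for _, _, img in self_spawn(events)),
    }


if __name__ == "__main__":
    for hit in suspicious_schtasks(EVENTS):
        print("schtasks persistence:", hit)
    for parent, child, img in self_spawn(EVENTS):
        print(f"same-image spawn {img}: {parent} -> {child}")
    print(correlate_with_config(EVENTS, QUASAR_CONFIG))
```

The config-derived checks are the part worth keeping: an extracted Quasar config tells you the task name, the install directory and the file name to expect, so the same three functions can be pointed at real endpoint telemetry to confirm whether a host progressed past the dropper stage.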
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gfxgx.exe.log
(written by the .NET Framework 4 runtime when a 32-bit managed executable runs, so gfxgx.exe is a .NET binary, as Quasar is)
Filesize
706B
MD5
d95c58e609838928f0f49837cab7dfd2
SHA1
55e7139a1e3899195b92ed8771d1ca2c7d53c916
SHA256
0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339
SHA512
405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d
-
C:\Users\Admin\AppData\Local\Temp\gfxgx.bat
Filesize
155B
MD5
9d4164a125a4f7d232458f0a6cddbdfb
SHA1
23ca2c2908a97b2543fa1e0241189d3a4676ca84
SHA256
47c8ed3502b9de43a918da9abdf6f708ca5fc44febb3ab16314ff2b0aad55afd
SHA512
0f4b499bfdbafd6fda1dcaa7821443d74f8421b3b587264ad992586b3312a9b1a2e2e19d4739b31e93289e90cd5bc0be48e8f17645a42cc274ea044aa9542225
-
C:\Users\Admin\AppData\Local\Temp\gfxgx.sfx.exe
Filesize
1.2MB
MD5
50fc280c07ded77779e61a87a3d861fe
SHA1
f025a667489005ac753064e5eb494abe46a97393
SHA256
f4dff2c58d583ed5f7e21c505b788aca5f82f6a173f293acf615fdf10e7c9169
SHA512
dc42373945d9e43eb45470653de06e74d56fb8ff54d2c0f64509724f08b45440300c7fcccc64838fb0937bbbf13329198c524fdd949c3ea89ba715b80d87c666
-
C:\Users\Admin\AppData\Roaming\gfxgx.exe
Filesize
1.2MB
MD5
45c405bb47177a4ecdd9bc5ff88923eb
SHA1
a8605148e035dca5ce970d99fdb12d86f70eeef8
SHA256
e0be8a13f930fd4d337b7df74e3bd4bac4d9f1cf8fea0c46ce1ce066ed40d8aa
SHA512
b28043255d5c5f2f64de4359d57c45fccc82b04460c6a27ccd49841646b3ee84565098bfa6ab6f09d0dc835dc54665d4273e144a0fb5e3c61a10151b6803d210
-
C:\Users\Admin\AppData\Roaming\tilk\tors.exe
(identical hashes to C:\Users\Admin\AppData\Roaming\gfxgx.exe: the installed copy is a byte-for-byte copy of the extracted client, renamed to the config's install_name)
Filesize
1.2MB
MD5
45c405bb47177a4ecdd9bc5ff88923eb
SHA1
a8605148e035dca5ce970d99fdb12d86f70eeef8
SHA256
e0be8a13f930fd4d337b7df74e3bd4bac4d9f1cf8fea0c46ce1ce066ed40d8aa
SHA512
b28043255d5c5f2f64de4359d57c45fccc82b04460c6a27ccd49841646b3ee84565098bfa6ab6f09d0dc835dc54665d4273e144a0fb5e3c61a10151b6803d210
-
memory/456-144-0x0000000000000000-mapping.dmp
-
memory/456-145-0x0000000000400000-0x000000000045E000-memory.dmp
Filesize
376KB
-
memory/456-148-0x0000000005BF0000-0x0000000005C56000-memory.dmp
Filesize
408KB
-
memory/456-149-0x0000000006850000-0x0000000006862000-memory.dmp
Filesize
72KB
-
memory/456-150-0x0000000006DC0000-0x0000000006DFC000-memory.dmp
Filesize
240KB
-
memory/1564-134-0x0000000000000000-mapping.dmp
-
memory/2452-155-0x0000000000000000-mapping.dmp
-
memory/2452-159-0x0000000006DB0000-0x0000000006DBA000-memory.dmp
Filesize
40KB
-
memory/2616-132-0x0000000000000000-mapping.dmp
-
memory/3368-141-0x0000000007320000-0x00000000073BC000-memory.dmp
Filesize
624KB
-
memory/3368-140-0x0000000000200000-0x0000000000336000-memory.dmp
Filesize
1.2MB
-
memory/3368-137-0x0000000000000000-mapping.dmp
-
memory/3368-143-0x0000000007460000-0x00000000074F2000-memory.dmp
Filesize
584KB
-
memory/3368-142-0x0000000007970000-0x0000000007F14000-memory.dmp
Filesize
5.6MB
-
memory/4300-152-0x0000000000000000-mapping.dmp
-
memory/4776-151-0x0000000000000000-mapping.dmp
-
memory/5012-158-0x0000000000000000-mapping.dmp