quasar | 408c78bbd01630d88293c29b2dd137277d76cfb8c34dfc3de52e3f70f92d0d38

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2022 09:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Odeme.exe
Size

1.8MB
MD5

e40f64fd383df33b756de97b76508dc4
SHA1

8ea35ba8262b532748633d555ef1a5b5fb219562
SHA256

408c78bbd01630d88293c29b2dd137277d76cfb8c34dfc3de52e3f70f92d0d38
SHA512

cccbbb34e768cab2b4ffeede69536b068e60789738a74f2b6fcc3628ba0b6e89d4b3d2dbc3400e33258505fddbbcefcc02a9eb41acea0822c175dc7a16f17b2f
SSDEEP

24576:bGHCm8uPdJdbmQGE6GnkKsTgV7OlsUpQpqmjVxMebNVzNFm0TSG:auWBiEHs8VGs0Qsmpyeb32G

Score

10^/10

quasar top spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

top

dnuocc.com:64594

www.dnuocc.com:64594

Mutex

QSR_MUTEX_NKzsG6279pND1MmPDw

Attributes

encryption_key
6c7zzdS2IXrGaCb9wrMU
install_name
tors.exe
log_directory
Logs
reconnect_delay
5000
startup_key
tdm
subdirectory
tilk

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4220-144-0x0000000000000000-mapping.dmp	family_quasar
behavioral2/memory/4220-145-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral2/memory/5032-155-0x0000000000000000-mapping.dmp	family_quasar

Executes dropped EXE 5 IoCs

Processes:

gfxgx.sfx.exegfxgx.exegfxgx.exetors.exetors.exe

pid process

4196 gfxgx.sfx.exe
620 gfxgx.exe
4220 gfxgx.exe
1516 tors.exe
5032 tors.exe

pid	process
4196	gfxgx.sfx.exe
620	gfxgx.exe
4220	gfxgx.exe
1516	tors.exe
5032	tors.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Odeme.exegfxgx.sfx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Odeme.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	gfxgx.sfx.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

21 ip-api.com
Suspicious use of SetThreadContext 2 IoCs

Processes:

gfxgx.exetors.exe

description pid process target process

PID 620 set thread context of 4220 620 gfxgx.exe gfxgx.exe
PID 1516 set thread context of 5032 1516 tors.exe tors.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2096 schtasks.exe
3656 schtasks.exe

flow	ioc
21	ip-api.com

description	pid	process	target process
PID 620 set thread context of 4220	620	gfxgx.exe	gfxgx.exe
PID 1516 set thread context of 5032	1516	tors.exe	tors.exe

pid	process
2096	schtasks.exe
3656	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

gfxgx.exegfxgx.exetors.exetors.exe

description	pid	process
Token: SeDebugPrivilege	620	gfxgx.exe
Token: SeDebugPrivilege	4220	gfxgx.exe
Token: SeDebugPrivilege	1516	tors.exe
Token: SeDebugPrivilege	5032	tors.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

Odeme.execmd.exegfxgx.sfx.exegfxgx.exegfxgx.exetors.exetors.exe

description	pid	process	target process
PID 3060 wrote to memory of 2156	3060	Odeme.exe	cmd.exe
PID 3060 wrote to memory of 2156	3060	Odeme.exe	cmd.exe
PID 3060 wrote to memory of 2156	3060	Odeme.exe	cmd.exe
PID 2156 wrote to memory of 4196	2156	cmd.exe	gfxgx.sfx.exe
PID 2156 wrote to memory of 4196	2156	cmd.exe	gfxgx.sfx.exe
PID 2156 wrote to memory of 4196	2156	cmd.exe	gfxgx.sfx.exe
PID 4196 wrote to memory of 620	4196	gfxgx.sfx.exe	gfxgx.exe
PID 4196 wrote to memory of 620	4196	gfxgx.sfx.exe	gfxgx.exe
PID 4196 wrote to memory of 620	4196	gfxgx.sfx.exe	gfxgx.exe
PID 620 wrote to memory of 4220	620	gfxgx.exe	gfxgx.exe
PID 620 wrote to memory of 4220	620	gfxgx.exe	gfxgx.exe
PID 620 wrote to memory of 4220	620	gfxgx.exe	gfxgx.exe
PID 620 wrote to memory of 4220	620	gfxgx.exe	gfxgx.exe
PID 620 wrote to memory of 4220	620	gfxgx.exe	gfxgx.exe
PID 620 wrote to memory of 4220	620	gfxgx.exe	gfxgx.exe
PID 620 wrote to memory of 4220	620	gfxgx.exe	gfxgx.exe
PID 620 wrote to memory of 4220	620	gfxgx.exe	gfxgx.exe
PID 4220 wrote to memory of 2096	4220	gfxgx.exe	schtasks.exe
PID 4220 wrote to memory of 2096	4220	gfxgx.exe	schtasks.exe
PID 4220 wrote to memory of 2096	4220	gfxgx.exe	schtasks.exe
PID 4220 wrote to memory of 1516	4220	gfxgx.exe	tors.exe
PID 4220 wrote to memory of 1516	4220	gfxgx.exe	tors.exe
PID 4220 wrote to memory of 1516	4220	gfxgx.exe	tors.exe
PID 1516 wrote to memory of 5032	1516	tors.exe	tors.exe
PID 1516 wrote to memory of 5032	1516	tors.exe	tors.exe
PID 1516 wrote to memory of 5032	1516	tors.exe	tors.exe
PID 1516 wrote to memory of 5032	1516	tors.exe	tors.exe
PID 1516 wrote to memory of 5032	1516	tors.exe	tors.exe
PID 1516 wrote to memory of 5032	1516	tors.exe	tors.exe
PID 1516 wrote to memory of 5032	1516	tors.exe	tors.exe
PID 1516 wrote to memory of 5032	1516	tors.exe	tors.exe
PID 5032 wrote to memory of 3656	5032	tors.exe	schtasks.exe
PID 5032 wrote to memory of 3656	5032	tors.exe	schtasks.exe
PID 5032 wrote to memory of 3656	5032	tors.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Odeme.exe
"C:\Users\Admin\AppData\Local\Temp\Odeme.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gfxgx.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2156

C:\Users\Admin\AppData\Local\Temp\gfxgx.sfx.exe
gfxgx.sfx.exe -pyqdkffiqncmcjufgjkflgfhfjgukjvcghjfjcGHmfgkfughkfjumkSKrgbfknnsracznyvoGgfmfcgjhmvzgnbmgcjfbncgdpodnfionJjgimaabihqgdbwvhewhken -dC:\Users\Admin\AppData\Roaming
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4196

C:\Users\Admin\AppData\Roaming\gfxgx.exe
"C:\Users\Admin\AppData\Roaming\gfxgx.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:620

C:\Users\Admin\AppData\Roaming\gfxgx.exe
C:\Users\Admin\AppData\Roaming\gfxgx.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4220

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "tdm" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\gfxgx.exe" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:2096

C:\Users\Admin\AppData\Roaming\tilk\tors.exe
"C:\Users\Admin\AppData\Roaming\tilk\tors.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Roaming\tilk\tors.exe
C:\Users\Admin\AppData\Roaming\tilk\tors.exe
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5032

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "tdm" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\tilk\tors.exe" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:3656

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gfxgx.exe.log
Filesize
706B

MD5
d95c58e609838928f0f49837cab7dfd2

SHA1
55e7139a1e3899195b92ed8771d1ca2c7d53c916

SHA256
0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

SHA512
405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gfxgx.bat
Filesize
155B

MD5
9d4164a125a4f7d232458f0a6cddbdfb

SHA1
23ca2c2908a97b2543fa1e0241189d3a4676ca84

SHA256
47c8ed3502b9de43a918da9abdf6f708ca5fc44febb3ab16314ff2b0aad55afd

SHA512
0f4b499bfdbafd6fda1dcaa7821443d74f8421b3b587264ad992586b3312a9b1a2e2e19d4739b31e93289e90cd5bc0be48e8f17645a42cc274ea044aa9542225

Download Submit
C:\Users\Admin\AppData\Local\Temp\gfxgx.sfx.exe
Filesize
1.2MB

MD5
50fc280c07ded77779e61a87a3d861fe

SHA1
f025a667489005ac753064e5eb494abe46a97393

SHA256
f4dff2c58d583ed5f7e21c505b788aca5f82f6a173f293acf615fdf10e7c9169

SHA512
dc42373945d9e43eb45470653de06e74d56fb8ff54d2c0f64509724f08b45440300c7fcccc64838fb0937bbbf13329198c524fdd949c3ea89ba715b80d87c666

Download Submit
C:\Users\Admin\AppData\Local\Temp\gfxgx.sfx.exe
Filesize
1.2MB

MD5
50fc280c07ded77779e61a87a3d861fe

SHA1
f025a667489005ac753064e5eb494abe46a97393

SHA256
f4dff2c58d583ed5f7e21c505b788aca5f82f6a173f293acf615fdf10e7c9169

SHA512
dc42373945d9e43eb45470653de06e74d56fb8ff54d2c0f64509724f08b45440300c7fcccc64838fb0937bbbf13329198c524fdd949c3ea89ba715b80d87c666

Download Submit
C:\Users\Admin\AppData\Roaming\gfxgx.exe
Filesize
1.2MB

MD5
45c405bb47177a4ecdd9bc5ff88923eb

SHA1
a8605148e035dca5ce970d99fdb12d86f70eeef8

SHA256
e0be8a13f930fd4d337b7df74e3bd4bac4d9f1cf8fea0c46ce1ce066ed40d8aa

SHA512
b28043255d5c5f2f64de4359d57c45fccc82b04460c6a27ccd49841646b3ee84565098bfa6ab6f09d0dc835dc54665d4273e144a0fb5e3c61a10151b6803d210

Download Submit
C:\Users\Admin\AppData\Roaming\gfxgx.exe
Filesize
1.2MB

MD5
45c405bb47177a4ecdd9bc5ff88923eb

SHA1
a8605148e035dca5ce970d99fdb12d86f70eeef8

SHA256
e0be8a13f930fd4d337b7df74e3bd4bac4d9f1cf8fea0c46ce1ce066ed40d8aa

SHA512
b28043255d5c5f2f64de4359d57c45fccc82b04460c6a27ccd49841646b3ee84565098bfa6ab6f09d0dc835dc54665d4273e144a0fb5e3c61a10151b6803d210

Download Submit
C:\Users\Admin\AppData\Roaming\gfxgx.exe
Filesize
1.2MB

MD5
45c405bb47177a4ecdd9bc5ff88923eb

SHA1
a8605148e035dca5ce970d99fdb12d86f70eeef8

SHA256
e0be8a13f930fd4d337b7df74e3bd4bac4d9f1cf8fea0c46ce1ce066ed40d8aa

SHA512
b28043255d5c5f2f64de4359d57c45fccc82b04460c6a27ccd49841646b3ee84565098bfa6ab6f09d0dc835dc54665d4273e144a0fb5e3c61a10151b6803d210

Download Submit
C:\Users\Admin\AppData\Roaming\tilk\tors.exe
Filesize
1.2MB

MD5
45c405bb47177a4ecdd9bc5ff88923eb

SHA1
a8605148e035dca5ce970d99fdb12d86f70eeef8

SHA256
e0be8a13f930fd4d337b7df74e3bd4bac4d9f1cf8fea0c46ce1ce066ed40d8aa

SHA512
b28043255d5c5f2f64de4359d57c45fccc82b04460c6a27ccd49841646b3ee84565098bfa6ab6f09d0dc835dc54665d4273e144a0fb5e3c61a10151b6803d210

Download Submit
C:\Users\Admin\AppData\Roaming\tilk\tors.exe
Filesize
1.2MB

MD5
45c405bb47177a4ecdd9bc5ff88923eb

SHA1
a8605148e035dca5ce970d99fdb12d86f70eeef8

SHA256
e0be8a13f930fd4d337b7df74e3bd4bac4d9f1cf8fea0c46ce1ce066ed40d8aa

SHA512
b28043255d5c5f2f64de4359d57c45fccc82b04460c6a27ccd49841646b3ee84565098bfa6ab6f09d0dc835dc54665d4273e144a0fb5e3c61a10151b6803d210

Download Submit
C:\Users\Admin\AppData\Roaming\tilk\tors.exe
Filesize
1.2MB

MD5
45c405bb47177a4ecdd9bc5ff88923eb

SHA1
a8605148e035dca5ce970d99fdb12d86f70eeef8

SHA256
e0be8a13f930fd4d337b7df74e3bd4bac4d9f1cf8fea0c46ce1ce066ed40d8aa

SHA512
b28043255d5c5f2f64de4359d57c45fccc82b04460c6a27ccd49841646b3ee84565098bfa6ab6f09d0dc835dc54665d4273e144a0fb5e3c61a10151b6803d210

Download Submit
memory/620-137-0x0000000000000000-mapping.dmp

Download
memory/620-143-0x000000000E690000-0x000000000E722000-memory.dmp

Filesize
584KB

Download
memory/620-142-0x000000000EBA0000-0x000000000F144000-memory.dmp

Filesize
5.6MB

Download
memory/620-141-0x000000000E550000-0x000000000E5EC000-memory.dmp

Filesize
624KB

Download
memory/620-140-0x0000000000D30000-0x0000000000E66000-memory.dmp

Filesize
1.2MB

Download
memory/1516-152-0x0000000000000000-mapping.dmp

Download
memory/2096-151-0x0000000000000000-mapping.dmp

Download
memory/2156-132-0x0000000000000000-mapping.dmp

Download
memory/3656-158-0x0000000000000000-mapping.dmp

Download
memory/4196-134-0x0000000000000000-mapping.dmp

Download
memory/4220-144-0x0000000000000000-mapping.dmp

Download
memory/4220-150-0x00000000066D0000-0x000000000670C000-memory.dmp

Filesize
240KB

Download
memory/4220-149-0x00000000058B0000-0x00000000058C2000-memory.dmp

Filesize
72KB

Download
memory/4220-148-0x0000000005130000-0x0000000005196000-memory.dmp

Filesize
408KB

Download
memory/4220-145-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5032-155-0x0000000000000000-mapping.dmp

Download
memory/5032-159-0x0000000006950000-0x000000000695A000-memory.dmp

Filesize
40KB

Download