Analysis
- max time kernel: 48s
- max time network: 53s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 12-11-2022 18:08

Static task: static1
Behavioral task: behavioral1
- Sample: ODEME.exe
- Resource: win7-20220812-en
General
- Target: ODEME.exe
- Size: 1.8MB
- MD5: e40f64fd383df33b756de97b76508dc4
- SHA1: 8ea35ba8262b532748633d555ef1a5b5fb219562
- SHA256: 408c78bbd01630d88293c29b2dd137277d76cfb8c34dfc3de52e3f70f92d0d38
- SHA512: cccbbb34e768cab2b4ffeede69536b068e60789738a74f2b6fcc3628ba0b6e89d4b3d2dbc3400e33258505fddbbcefcc02a9eb41acea0822c175dc7a16f17b2f
- SSDEEP: 24576:bGHCm8uPdJdbmQGE6GnkKsTgV7OlsUpQpqmjVxMebNVzNFm0TSG:auWBiEHs8VGs0Qsmpyeb32G
Malware Config
Extracted
- Family: quasar
- Version: 1.3.0.0
- Botnet: top
- C2: dnuocc.com:64594, www.dnuocc.com:64594
- Mutex: QSR_MUTEX_NKzsG6279pND1MmPDw
- encryption_key: 6c7zzdS2IXrGaCb9wrMU
- install_name: tors.exe
- log_directory: Logs
- reconnect_delay: 5000
- startup_key: tdm
- subdirectory: tilk
Signatures

Quasar payload (5 IoCs)
  resource | yara_rule
  behavioral1/memory/1048-73-0x0000000000400000-0x000000000045E000-memory.dmp | family_quasar
  behavioral1/memory/1048-74-0x00000000004581BE-mapping.dmp | family_quasar
  behavioral1/memory/1048-77-0x0000000000400000-0x000000000045E000-memory.dmp | family_quasar
  behavioral1/memory/1048-79-0x0000000000400000-0x000000000045E000-memory.dmp | family_quasar
  behavioral1/memory/816-88-0x00000000004581BE-mapping.dmp | family_quasar

Executes dropped EXE (5 IoCs)
  pid | process
  1124 | gfxgx.sfx.exe
  2044 | gfxgx.exe
  1048 | gfxgx.exe
  1336 | tors.exe
  816 | tors.exe

Loads dropped DLL (6 IoCs)
  pid | process
  1792 | cmd.exe
  1124 | gfxgx.sfx.exe
  1124 | gfxgx.sfx.exe
  1124 | gfxgx.sfx.exe
  1124 | gfxgx.sfx.exe
  1048 | gfxgx.exe

Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  1 | ip-api.com

Suspicious use of SetThreadContext (2 IoCs)
  description | pid process | target process
  PID 2044 set thread context of 1048 | 2044 gfxgx.exe | gfxgx.exe
  PID 1336 set thread context of 816 | 1336 tors.exe | tors.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | process
  1200 | schtasks.exe
  1120 | schtasks.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid process
  Token: SeDebugPrivilege | 2044 gfxgx.exe
  Token: SeDebugPrivilege | 1048 gfxgx.exe
  Token: SeDebugPrivilege | 1336 tors.exe
  Token: SeDebugPrivilege | 816 tors.exe

Suspicious use of WriteProcessMemory (42 IoCs; identical rows collapsed, count in last column)
  description | pid process | target process | occurrences
  PID 112 wrote to memory of 1792 | 112 ODEME.exe | cmd.exe | 4
  PID 1792 wrote to memory of 1124 | 1792 cmd.exe | gfxgx.sfx.exe | 4
  PID 1124 wrote to memory of 2044 | 1124 gfxgx.sfx.exe | gfxgx.exe | 4
  PID 2044 wrote to memory of 1048 | 2044 gfxgx.exe | gfxgx.exe | 9
  PID 1048 wrote to memory of 1200 | 1048 gfxgx.exe | schtasks.exe | 4
  PID 1048 wrote to memory of 1336 | 1048 gfxgx.exe | tors.exe | 4
  PID 1336 wrote to memory of 816 | 1336 tors.exe | tors.exe | 9
  PID 816 wrote to memory of 1120 | 816 tors.exe | schtasks.exe | 4
Processes (depth in brackets; each entry is spawned by the nearest shallower entry above it)

[1] C:\Users\Admin\AppData\Local\Temp\ODEME.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\ODEME.exe"
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\gfxgx.bat" "
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\gfxgx.sfx.exe
        command line: gfxgx.sfx.exe -pyqdkffiqncmcjufgjkflgfhfjgukjvcghjfjcGHmfgkfughkfjumkSKrgbfknnsracznyvoGgfmfcgjhmvzgnbmgcjfbncgdpodnfionJjgimaabihqgdbwvhewhken -dC:\Users\Admin\AppData\Roaming
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Roaming\gfxgx.exe
          command line: "C:\Users\Admin\AppData\Roaming\gfxgx.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

        [5] C:\Users\Admin\AppData\Roaming\gfxgx.exe
            command line: C:\Users\Admin\AppData\Roaming\gfxgx.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\SysWOW64\schtasks.exe
              command line: "schtasks" /create /tn "tdm" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\gfxgx.exe" /rl HIGHEST /f
              - Creates scheduled task(s)

          [6] C:\Users\Admin\AppData\Roaming\tilk\tors.exe
              command line: "C:\Users\Admin\AppData\Roaming\tilk\tors.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory

            [7] C:\Users\Admin\AppData\Roaming\tilk\tors.exe
                command line: C:\Users\Admin\AppData\Roaming\tilk\tors.exe
                - Executes dropped EXE
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory

              [8] C:\Windows\SysWOW64\schtasks.exe
                  command line: "schtasks" /create /tn "tdm" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\tilk\tors.exe" /rl HIGHEST /f
                  - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\gfxgx.bat
  Filesize: 155B
  MD5: 9d4164a125a4f7d232458f0a6cddbdfb
  SHA1: 23ca2c2908a97b2543fa1e0241189d3a4676ca84
  SHA256: 47c8ed3502b9de43a918da9abdf6f708ca5fc44febb3ab16314ff2b0aad55afd
  SHA512: 0f4b499bfdbafd6fda1dcaa7821443d74f8421b3b587264ad992586b3312a9b1a2e2e19d4739b31e93289e90cd5bc0be48e8f17645a42cc274ea044aa9542225

- C:\Users\Admin\AppData\Local\Temp\gfxgx.sfx.exe
  Filesize: 1.2MB
  MD5: 50fc280c07ded77779e61a87a3d861fe
  SHA1: f025a667489005ac753064e5eb494abe46a97393
  SHA256: f4dff2c58d583ed5f7e21c505b788aca5f82f6a173f293acf615fdf10e7c9169
  SHA512: dc42373945d9e43eb45470653de06e74d56fb8ff54d2c0f64509724f08b45440300c7fcccc64838fb0937bbbf13329198c524fdd949c3ea89ba715b80d87c666
- C:\Users\Admin\AppData\Roaming\gfxgx.exe
  Filesize: 1.2MB
  MD5: 45c405bb47177a4ecdd9bc5ff88923eb
  SHA1: a8605148e035dca5ce970d99fdb12d86f70eeef8
  SHA256: e0be8a13f930fd4d337b7df74e3bd4bac4d9f1cf8fea0c46ce1ce066ed40d8aa
  SHA512: b28043255d5c5f2f64de4359d57c45fccc82b04460c6a27ccd49841646b3ee84565098bfa6ab6f09d0dc835dc54665d4273e144a0fb5e3c61a10151b6803d210
- C:\Users\Admin\AppData\Roaming\tilk\tors.exe
  Filesize: 1.2MB
  MD5: 45c405bb47177a4ecdd9bc5ff88923eb
  SHA1: a8605148e035dca5ce970d99fdb12d86f70eeef8
  SHA256: e0be8a13f930fd4d337b7df74e3bd4bac4d9f1cf8fea0c46ce1ce066ed40d8aa
  SHA512: b28043255d5c5f2f64de4359d57c45fccc82b04460c6a27ccd49841646b3ee84565098bfa6ab6f09d0dc835dc54665d4273e144a0fb5e3c61a10151b6803d210
- \Users\Admin\AppData\Local\Temp\gfxgx.sfx.exe
  Filesize: 1.2MB
  MD5: 50fc280c07ded77779e61a87a3d861fe
  SHA1: f025a667489005ac753064e5eb494abe46a97393
  SHA256: f4dff2c58d583ed5f7e21c505b788aca5f82f6a173f293acf615fdf10e7c9169
  SHA512: dc42373945d9e43eb45470653de06e74d56fb8ff54d2c0f64509724f08b45440300c7fcccc64838fb0937bbbf13329198c524fdd949c3ea89ba715b80d87c666

- \Users\Admin\AppData\Roaming\gfxgx.exe
  Filesize: 1.2MB
  MD5: 45c405bb47177a4ecdd9bc5ff88923eb
  SHA1: a8605148e035dca5ce970d99fdb12d86f70eeef8
  SHA256: e0be8a13f930fd4d337b7df74e3bd4bac4d9f1cf8fea0c46ce1ce066ed40d8aa
  SHA512: b28043255d5c5f2f64de4359d57c45fccc82b04460c6a27ccd49841646b3ee84565098bfa6ab6f09d0dc835dc54665d4273e144a0fb5e3c61a10151b6803d210
- \Users\Admin\AppData\Roaming\tilk\tors.exe
  Filesize: 1.2MB
  MD5: 45c405bb47177a4ecdd9bc5ff88923eb
  SHA1: a8605148e035dca5ce970d99fdb12d86f70eeef8
  SHA256: e0be8a13f930fd4d337b7df74e3bd4bac4d9f1cf8fea0c46ce1ce066ed40d8aa
  SHA512: b28043255d5c5f2f64de4359d57c45fccc82b04460c6a27ccd49841646b3ee84565098bfa6ab6f09d0dc835dc54665d4273e144a0fb5e3c61a10151b6803d210

Memory dumps (path, Filesize where reported):
- memory/112-54-0x0000000074C11000-0x0000000074C13000-memory.dmp: 8KB
- memory/816-88-0x00000000004581BE-mapping.dmp
- memory/1048-79-0x0000000000400000-0x000000000045E000-memory.dmp: 376KB
- memory/1048-73-0x0000000000400000-0x000000000045E000-memory.dmp: 376KB
- memory/1048-74-0x00000000004581BE-mapping.dmp
- memory/1048-77-0x0000000000400000-0x000000000045E000-memory.dmp: 376KB
- memory/1120-95-0x0000000000000000-mapping.dmp
- memory/1124-59-0x0000000000000000-mapping.dmp
- memory/1200-81-0x0000000000000000-mapping.dmp
- memory/1336-86-0x00000000013E0000-0x0000000001516000-memory.dmp: 1.2MB
- memory/1336-83-0x0000000000000000-mapping.dmp
- memory/1792-55-0x0000000000000000-mapping.dmp
- memory/2044-69-0x0000000001140000-0x0000000001276000-memory.dmp: 1.2MB
- memory/2044-66-0x0000000000000000-mapping.dmp
- memory/2044-70-0x0000000000280000-0x0000000000286000-memory.dmp: 24KB
- memory/2044-72-0x00000000003A0000-0x00000000003A6000-memory.dmp: 24KB
- memory/2044-71-0x0000000007F80000-0x00000000080CA000-memory.dmp: 1.3MB