quasar | 5e3de562ed2c319e226748878cf483d43b07880c89c82b9b2657ee501a4e4339

Analysis

max time kernel
48s
max time network
53s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12-11-2022 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ODEME.exe
Size

1.8MB
MD5

e40f64fd383df33b756de97b76508dc4
SHA1

8ea35ba8262b532748633d555ef1a5b5fb219562
SHA256

408c78bbd01630d88293c29b2dd137277d76cfb8c34dfc3de52e3f70f92d0d38
SHA512

cccbbb34e768cab2b4ffeede69536b068e60789738a74f2b6fcc3628ba0b6e89d4b3d2dbc3400e33258505fddbbcefcc02a9eb41acea0822c175dc7a16f17b2f
SSDEEP

24576:bGHCm8uPdJdbmQGE6GnkKsTgV7OlsUpQpqmjVxMebNVzNFm0TSG:auWBiEHs8VGs0Qsmpyeb32G

Score

10^/10

quasar top spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

top

dnuocc.com:64594

www.dnuocc.com:64594

Mutex

QSR_MUTEX_NKzsG6279pND1MmPDw

Attributes

encryption_key
6c7zzdS2IXrGaCb9wrMU
install_name
tors.exe
log_directory
Logs
reconnect_delay
5000
startup_key
tdm
subdirectory
tilk

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1048-73-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral1/memory/1048-74-0x00000000004581BE-mapping.dmp	family_quasar
behavioral1/memory/1048-77-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral1/memory/1048-79-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral1/memory/816-88-0x00000000004581BE-mapping.dmp	family_quasar

Executes dropped EXE 5 IoCs

Processes:

gfxgx.sfx.exegfxgx.exegfxgx.exetors.exetors.exe

pid process

1124 gfxgx.sfx.exe
2044 gfxgx.exe
1048 gfxgx.exe
1336 tors.exe
816 tors.exe
Loads dropped DLL 6 IoCs

Processes:

cmd.exegfxgx.sfx.exegfxgx.exe

pid process

1792 cmd.exe
1124 gfxgx.sfx.exe
1124 gfxgx.sfx.exe
1124 gfxgx.sfx.exe
1124 gfxgx.sfx.exe
1048 gfxgx.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Suspicious use of SetThreadContext 2 IoCs

Processes:

gfxgx.exetors.exe

description pid process target process

PID 2044 set thread context of 1048 2044 gfxgx.exe gfxgx.exe
PID 1336 set thread context of 816 1336 tors.exe tors.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1200 schtasks.exe
1120 schtasks.exe

pid	process
1124	gfxgx.sfx.exe
2044	gfxgx.exe
1048	gfxgx.exe
1336	tors.exe
816	tors.exe

pid	process
1792	cmd.exe
1124	gfxgx.sfx.exe
1124	gfxgx.sfx.exe
1124	gfxgx.sfx.exe
1124	gfxgx.sfx.exe
1048	gfxgx.exe

flow	ioc
1	ip-api.com

description	pid	process	target process
PID 2044 set thread context of 1048	2044	gfxgx.exe	gfxgx.exe
PID 1336 set thread context of 816	1336	tors.exe	tors.exe

pid	process
1200	schtasks.exe
1120	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

gfxgx.exegfxgx.exetors.exetors.exe

description	pid	process
Token: SeDebugPrivilege	2044	gfxgx.exe
Token: SeDebugPrivilege	1048	gfxgx.exe
Token: SeDebugPrivilege	1336	tors.exe
Token: SeDebugPrivilege	816	tors.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

ODEME.execmd.exegfxgx.sfx.exegfxgx.exegfxgx.exetors.exetors.exe

description	pid	process	target process
PID 112 wrote to memory of 1792	112	ODEME.exe	cmd.exe
PID 112 wrote to memory of 1792	112	ODEME.exe	cmd.exe
PID 112 wrote to memory of 1792	112	ODEME.exe	cmd.exe
PID 112 wrote to memory of 1792	112	ODEME.exe	cmd.exe
PID 1792 wrote to memory of 1124	1792	cmd.exe	gfxgx.sfx.exe
PID 1792 wrote to memory of 1124	1792	cmd.exe	gfxgx.sfx.exe
PID 1792 wrote to memory of 1124	1792	cmd.exe	gfxgx.sfx.exe
PID 1792 wrote to memory of 1124	1792	cmd.exe	gfxgx.sfx.exe
PID 1124 wrote to memory of 2044	1124	gfxgx.sfx.exe	gfxgx.exe
PID 1124 wrote to memory of 2044	1124	gfxgx.sfx.exe	gfxgx.exe
PID 1124 wrote to memory of 2044	1124	gfxgx.sfx.exe	gfxgx.exe
PID 1124 wrote to memory of 2044	1124	gfxgx.sfx.exe	gfxgx.exe
PID 2044 wrote to memory of 1048	2044	gfxgx.exe	gfxgx.exe
PID 2044 wrote to memory of 1048	2044	gfxgx.exe	gfxgx.exe
PID 2044 wrote to memory of 1048	2044	gfxgx.exe	gfxgx.exe
PID 2044 wrote to memory of 1048	2044	gfxgx.exe	gfxgx.exe
PID 2044 wrote to memory of 1048	2044	gfxgx.exe	gfxgx.exe
PID 2044 wrote to memory of 1048	2044	gfxgx.exe	gfxgx.exe
PID 2044 wrote to memory of 1048	2044	gfxgx.exe	gfxgx.exe
PID 2044 wrote to memory of 1048	2044	gfxgx.exe	gfxgx.exe
PID 2044 wrote to memory of 1048	2044	gfxgx.exe	gfxgx.exe
PID 1048 wrote to memory of 1200	1048	gfxgx.exe	schtasks.exe
PID 1048 wrote to memory of 1200	1048	gfxgx.exe	schtasks.exe
PID 1048 wrote to memory of 1200	1048	gfxgx.exe	schtasks.exe
PID 1048 wrote to memory of 1200	1048	gfxgx.exe	schtasks.exe
PID 1048 wrote to memory of 1336	1048	gfxgx.exe	tors.exe
PID 1048 wrote to memory of 1336	1048	gfxgx.exe	tors.exe
PID 1048 wrote to memory of 1336	1048	gfxgx.exe	tors.exe
PID 1048 wrote to memory of 1336	1048	gfxgx.exe	tors.exe
PID 1336 wrote to memory of 816	1336	tors.exe	tors.exe
PID 1336 wrote to memory of 816	1336	tors.exe	tors.exe
PID 1336 wrote to memory of 816	1336	tors.exe	tors.exe
PID 1336 wrote to memory of 816	1336	tors.exe	tors.exe
PID 1336 wrote to memory of 816	1336	tors.exe	tors.exe
PID 1336 wrote to memory of 816	1336	tors.exe	tors.exe
PID 1336 wrote to memory of 816	1336	tors.exe	tors.exe
PID 1336 wrote to memory of 816	1336	tors.exe	tors.exe
PID 1336 wrote to memory of 816	1336	tors.exe	tors.exe
PID 816 wrote to memory of 1120	816	tors.exe	schtasks.exe
PID 816 wrote to memory of 1120	816	tors.exe	schtasks.exe
PID 816 wrote to memory of 1120	816	tors.exe	schtasks.exe
PID 816 wrote to memory of 1120	816	tors.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\ODEME.exe
"C:\Users\Admin\AppData\Local\Temp\ODEME.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gfxgx.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1792

C:\Users\Admin\AppData\Local\Temp\gfxgx.sfx.exe
gfxgx.sfx.exe -pyqdkffiqncmcjufgjkflgfhfjgukjvcghjfjcGHmfgkfughkfjumkSKrgbfknnsracznyvoGgfmfcgjhmvzgnbmgcjfbncgdpodnfionJjgimaabihqgdbwvhewhken -dC:\Users\Admin\AppData\Roaming
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1124

C:\Users\Admin\AppData\Roaming\gfxgx.exe
"C:\Users\Admin\AppData\Roaming\gfxgx.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Roaming\gfxgx.exe
C:\Users\Admin\AppData\Roaming\gfxgx.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "tdm" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\gfxgx.exe" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:1200

C:\Users\Admin\AppData\Roaming\tilk\tors.exe
"C:\Users\Admin\AppData\Roaming\tilk\tors.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1336

C:\Users\Admin\AppData\Roaming\tilk\tors.exe
C:\Users\Admin\AppData\Roaming\tilk\tors.exe
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "tdm" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\tilk\tors.exe" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:1120

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gfxgx.bat
Filesize
155B

MD5
9d4164a125a4f7d232458f0a6cddbdfb

SHA1
23ca2c2908a97b2543fa1e0241189d3a4676ca84

SHA256
47c8ed3502b9de43a918da9abdf6f708ca5fc44febb3ab16314ff2b0aad55afd

SHA512
0f4b499bfdbafd6fda1dcaa7821443d74f8421b3b587264ad992586b3312a9b1a2e2e19d4739b31e93289e90cd5bc0be48e8f17645a42cc274ea044aa9542225

Download Submit
C:\Users\Admin\AppData\Local\Temp\gfxgx.sfx.exe
Filesize
1.2MB

MD5
50fc280c07ded77779e61a87a3d861fe

SHA1
f025a667489005ac753064e5eb494abe46a97393

SHA256
f4dff2c58d583ed5f7e21c505b788aca5f82f6a173f293acf615fdf10e7c9169

SHA512
dc42373945d9e43eb45470653de06e74d56fb8ff54d2c0f64509724f08b45440300c7fcccc64838fb0937bbbf13329198c524fdd949c3ea89ba715b80d87c666

Download Submit
C:\Users\Admin\AppData\Local\Temp\gfxgx.sfx.exe
Filesize
1.2MB

MD5
50fc280c07ded77779e61a87a3d861fe

SHA1
f025a667489005ac753064e5eb494abe46a97393

SHA256
f4dff2c58d583ed5f7e21c505b788aca5f82f6a173f293acf615fdf10e7c9169

SHA512
dc42373945d9e43eb45470653de06e74d56fb8ff54d2c0f64509724f08b45440300c7fcccc64838fb0937bbbf13329198c524fdd949c3ea89ba715b80d87c666

Download Submit
C:\Users\Admin\AppData\Roaming\gfxgx.exe
Filesize
1.2MB

MD5
45c405bb47177a4ecdd9bc5ff88923eb

SHA1
a8605148e035dca5ce970d99fdb12d86f70eeef8

SHA256
e0be8a13f930fd4d337b7df74e3bd4bac4d9f1cf8fea0c46ce1ce066ed40d8aa

SHA512
b28043255d5c5f2f64de4359d57c45fccc82b04460c6a27ccd49841646b3ee84565098bfa6ab6f09d0dc835dc54665d4273e144a0fb5e3c61a10151b6803d210

Download Submit
C:\Users\Admin\AppData\Roaming\gfxgx.exe
Filesize
1.2MB

MD5
45c405bb47177a4ecdd9bc5ff88923eb

SHA1
a8605148e035dca5ce970d99fdb12d86f70eeef8

SHA256
e0be8a13f930fd4d337b7df74e3bd4bac4d9f1cf8fea0c46ce1ce066ed40d8aa

SHA512
b28043255d5c5f2f64de4359d57c45fccc82b04460c6a27ccd49841646b3ee84565098bfa6ab6f09d0dc835dc54665d4273e144a0fb5e3c61a10151b6803d210

Download Submit
C:\Users\Admin\AppData\Roaming\gfxgx.exe
Filesize
1.2MB

MD5
45c405bb47177a4ecdd9bc5ff88923eb

SHA1
a8605148e035dca5ce970d99fdb12d86f70eeef8

SHA256
e0be8a13f930fd4d337b7df74e3bd4bac4d9f1cf8fea0c46ce1ce066ed40d8aa

SHA512
b28043255d5c5f2f64de4359d57c45fccc82b04460c6a27ccd49841646b3ee84565098bfa6ab6f09d0dc835dc54665d4273e144a0fb5e3c61a10151b6803d210

Download Submit
C:\Users\Admin\AppData\Roaming\tilk\tors.exe
Filesize
1.2MB

MD5
45c405bb47177a4ecdd9bc5ff88923eb

SHA1
a8605148e035dca5ce970d99fdb12d86f70eeef8

SHA256
e0be8a13f930fd4d337b7df74e3bd4bac4d9f1cf8fea0c46ce1ce066ed40d8aa

SHA512
b28043255d5c5f2f64de4359d57c45fccc82b04460c6a27ccd49841646b3ee84565098bfa6ab6f09d0dc835dc54665d4273e144a0fb5e3c61a10151b6803d210

Download Submit
C:\Users\Admin\AppData\Roaming\tilk\tors.exe
Filesize
1.2MB

MD5
45c405bb47177a4ecdd9bc5ff88923eb

SHA1
a8605148e035dca5ce970d99fdb12d86f70eeef8

SHA256
e0be8a13f930fd4d337b7df74e3bd4bac4d9f1cf8fea0c46ce1ce066ed40d8aa

SHA512
b28043255d5c5f2f64de4359d57c45fccc82b04460c6a27ccd49841646b3ee84565098bfa6ab6f09d0dc835dc54665d4273e144a0fb5e3c61a10151b6803d210

Download Submit
C:\Users\Admin\AppData\Roaming\tilk\tors.exe
Filesize
1.2MB

MD5
45c405bb47177a4ecdd9bc5ff88923eb

SHA1
a8605148e035dca5ce970d99fdb12d86f70eeef8

SHA256
e0be8a13f930fd4d337b7df74e3bd4bac4d9f1cf8fea0c46ce1ce066ed40d8aa

SHA512
b28043255d5c5f2f64de4359d57c45fccc82b04460c6a27ccd49841646b3ee84565098bfa6ab6f09d0dc835dc54665d4273e144a0fb5e3c61a10151b6803d210

Download Submit
\Users\Admin\AppData\Local\Temp\gfxgx.sfx.exe
Filesize
1.2MB

MD5
50fc280c07ded77779e61a87a3d861fe

SHA1
f025a667489005ac753064e5eb494abe46a97393

SHA256
f4dff2c58d583ed5f7e21c505b788aca5f82f6a173f293acf615fdf10e7c9169

SHA512
dc42373945d9e43eb45470653de06e74d56fb8ff54d2c0f64509724f08b45440300c7fcccc64838fb0937bbbf13329198c524fdd949c3ea89ba715b80d87c666

Download Submit
\Users\Admin\AppData\Roaming\gfxgx.exe
Filesize
1.2MB

MD5
45c405bb47177a4ecdd9bc5ff88923eb

SHA1
a8605148e035dca5ce970d99fdb12d86f70eeef8

SHA256
e0be8a13f930fd4d337b7df74e3bd4bac4d9f1cf8fea0c46ce1ce066ed40d8aa

SHA512
b28043255d5c5f2f64de4359d57c45fccc82b04460c6a27ccd49841646b3ee84565098bfa6ab6f09d0dc835dc54665d4273e144a0fb5e3c61a10151b6803d210

Download Submit
\Users\Admin\AppData\Roaming\gfxgx.exe
Filesize
1.2MB

MD5
45c405bb47177a4ecdd9bc5ff88923eb

SHA1
a8605148e035dca5ce970d99fdb12d86f70eeef8

SHA256
e0be8a13f930fd4d337b7df74e3bd4bac4d9f1cf8fea0c46ce1ce066ed40d8aa

SHA512
b28043255d5c5f2f64de4359d57c45fccc82b04460c6a27ccd49841646b3ee84565098bfa6ab6f09d0dc835dc54665d4273e144a0fb5e3c61a10151b6803d210

Download Submit
\Users\Admin\AppData\Roaming\gfxgx.exe
Filesize
1.2MB

MD5
45c405bb47177a4ecdd9bc5ff88923eb

SHA1
a8605148e035dca5ce970d99fdb12d86f70eeef8

SHA256
e0be8a13f930fd4d337b7df74e3bd4bac4d9f1cf8fea0c46ce1ce066ed40d8aa

SHA512
b28043255d5c5f2f64de4359d57c45fccc82b04460c6a27ccd49841646b3ee84565098bfa6ab6f09d0dc835dc54665d4273e144a0fb5e3c61a10151b6803d210

Download Submit
\Users\Admin\AppData\Roaming\gfxgx.exe
Filesize
1.2MB

MD5
45c405bb47177a4ecdd9bc5ff88923eb

SHA1
a8605148e035dca5ce970d99fdb12d86f70eeef8

SHA256
e0be8a13f930fd4d337b7df74e3bd4bac4d9f1cf8fea0c46ce1ce066ed40d8aa

SHA512
b28043255d5c5f2f64de4359d57c45fccc82b04460c6a27ccd49841646b3ee84565098bfa6ab6f09d0dc835dc54665d4273e144a0fb5e3c61a10151b6803d210

Download Submit
\Users\Admin\AppData\Roaming\tilk\tors.exe
Filesize
1.2MB

MD5
45c405bb47177a4ecdd9bc5ff88923eb

SHA1
a8605148e035dca5ce970d99fdb12d86f70eeef8

SHA256
e0be8a13f930fd4d337b7df74e3bd4bac4d9f1cf8fea0c46ce1ce066ed40d8aa

SHA512
b28043255d5c5f2f64de4359d57c45fccc82b04460c6a27ccd49841646b3ee84565098bfa6ab6f09d0dc835dc54665d4273e144a0fb5e3c61a10151b6803d210

Download Submit
memory/112-54-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download
memory/816-88-0x00000000004581BE-mapping.dmp

Download
memory/1048-79-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1048-73-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1048-74-0x00000000004581BE-mapping.dmp

Download
memory/1048-77-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1120-95-0x0000000000000000-mapping.dmp

Download
memory/1124-59-0x0000000000000000-mapping.dmp

Download
memory/1200-81-0x0000000000000000-mapping.dmp

Download
memory/1336-86-0x00000000013E0000-0x0000000001516000-memory.dmp

Filesize
1.2MB

Download
memory/1336-83-0x0000000000000000-mapping.dmp

Download
memory/1792-55-0x0000000000000000-mapping.dmp

Download
memory/2044-69-0x0000000001140000-0x0000000001276000-memory.dmp

Filesize
1.2MB

Download
memory/2044-66-0x0000000000000000-mapping.dmp

Download
memory/2044-70-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/2044-72-0x00000000003A0000-0x00000000003A6000-memory.dmp

Filesize
24KB

Download
memory/2044-71-0x0000000007F80000-0x00000000080CA000-memory.dmp

Filesize
1.3MB

Download