Analysis
- max time kernel: 147s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-11-2022 18:08
Static task: static1
Behavioral task: behavioral1
- Sample: ODEME.exe
- Resource: win7-20220812-en
The run shown on this page is the Windows 10 task (platform windows10-2004_x64; the YARA matches below are labelled behavioral2). The task list above only records the Windows 7 behavioral task, so it is incomplete as extracted.
General
- Target: ODEME.exe
- Size: 1.8MB
- MD5: e40f64fd383df33b756de97b76508dc4
- SHA1: 8ea35ba8262b532748633d555ef1a5b5fb219562
- SHA256: 408c78bbd01630d88293c29b2dd137277d76cfb8c34dfc3de52e3f70f92d0d38
- SHA512: cccbbb34e768cab2b4ffeede69536b068e60789738a74f2b6fcc3628ba0b6e89d4b3d2dbc3400e33258505fddbbcefcc02a9eb41acea0822c175dc7a16f17b2f
- SSDEEP: 24576:bGHCm8uPdJdbmQGE6GnkKsTgV7OlsUpQpqmjVxMebNVzNFm0TSG:auWBiEHs8VGs0Qsmpyeb32G
Malware Config
Extracted
- Family: quasar
- Version: 1.3.0.0
- Botnet (campaign tag): top
- C2: dnuocc.com:64594
- C2: www.dnuocc.com:64594
- Mutex: QSR_MUTEX_NKzsG6279pND1MmPDw
- encryption_key: 6c7zzdS2IXrGaCb9wrMU
- install_name: tors.exe
- log_directory: Logs
- reconnect_delay: 5000 (ms)
- startup_key: tdm
- subdirectory: tilk
The install_name, subdirectory and startup_key values are the ones the process tree below shows in use: the payload copies itself to %AppData%\tilk\tors.exe and registers a logon scheduled task named tdm. Both C2 entries point at the same domain (with and without the www label) on the non-standard port 64594, so the host-level indicators (mutex, task name, install path) are the more durable ones for hunting.
Signatures
- Quasar payload (3 IoCs)
  YARA rule family_quasar matched these dumps:
  - behavioral2/memory/3480-144-0x0000000000000000-mapping.dmp
  - behavioral2/memory/3480-145-0x0000000000400000-0x000000000045E000-memory.dmp
  - behavioral2/memory/216-155-0x0000000000000000-mapping.dmp
  Both matching PIDs (3480 and 216) are the child copies that gfxgx.exe and tors.exe spawned and then injected into (see SetThreadContext and WriteProcessMemory below), so the Quasar payload is identified in the hollowed children, not in the parent processes.
- Executes dropped EXE (5 IoCs)
  - PID 4032: gfxgx.sfx.exe
  - PID 4872: gfxgx.exe
  - PID 3480: gfxgx.exe
  - PID 2652: tors.exe
  - PID 216: tors.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, possibly as a geofence.
  - Key value queried by ODEME.exe: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
  - Key value queried by gfxgx.sfx.exe: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
  Caveat: this value backs the Windows GetUserGeoID API and is read by many legitimate programs, including the .NET runtime when it initialises culture and region information, so on its own it is weak evidence of geofencing. Here it is read by the dropper and the SFX stub, not by the Quasar payload.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  - flow 11: ip-api.com
  The domain is a legitimate service used by plenty of benign software, so the usable indicator is the process making the request, not the domain alone.
- Suspicious use of SetThreadContext (2 IoCs)
  - PID 4872 gfxgx.exe set thread context of PID 3480 gfxgx.exe
  - PID 2652 tors.exe set thread context of PID 216 tors.exe
  In each case a process starts a second instance of its own image, writes into it (eight writes, see below) and then resets the child's thread context: the RunPE/process-hollowing pattern. The Quasar YARA hits above are on exactly these children.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; the payload identified here is Quasar, a remote-access trojan, so drive enumeration is more plausibly its file-manager and system-information functionality. Nothing on this page shows file encryption.
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - PID 1688: schtasks.exe
  - PID 4740: schtasks.exe
  The full command lines are in the process tree below.
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  - Token: SeDebugPrivilege, PID 4872 gfxgx.exe
  - Token: SeDebugPrivilege, PID 3480 gfxgx.exe
  - Token: SeDebugPrivilege, PID 2652 tors.exe
  - Token: SeDebugPrivilege, PID 216 tors.exe
  Enabling SeDebugPrivilege only succeeds if the process token already holds it (an elevated administrator); from a standard-user token the privilege is simply not granted (ERROR_NOT_ALL_ASSIGNED), so the attempt is the indicator, not evidence of elevation.
- Suspicious use of WriteProcessMemory (34 IoCs)
  Parent -> child writes, grouped by pair:
  - PID 4308 ODEME.exe -> PID 4808 cmd.exe: 3 writes
  - PID 4808 cmd.exe -> PID 4032 gfxgx.sfx.exe: 3 writes
  - PID 4032 gfxgx.sfx.exe -> PID 4872 gfxgx.exe: 3 writes
  - PID 4872 gfxgx.exe -> PID 3480 gfxgx.exe: 8 writes
  - PID 3480 gfxgx.exe -> PID 1688 schtasks.exe: 3 writes
  - PID 3480 gfxgx.exe -> PID 2652 tors.exe: 3 writes
  - PID 2652 tors.exe -> PID 216 tors.exe: 8 writes
  - PID 216 tors.exe -> PID 4740 schtasks.exe: 3 writes
  Three writes accompany every ordinary process spawn in this report, so they are the baseline rather than an indicator. Only the two eight-write pairs stand out, and they are the same parent/child pairs flagged under SetThreadContext.
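As an added example (not part of the sandbox report), the grouping above done in code: the raw "wrote to memory of" and "set thread context of" rows are parsed, writes are counted per parent/child pair, and a pair is flagged as a hollowing candidate when the child runs the parent's own image, the writes exceed the three-per-spawn baseline seen in this report, and SetThreadContext was also recorded for the pair. The input strings are reconstructed from the rows above with the same repeat counts; the three-write baseline is an observation from this report, not a Windows constant.

```python
import re
from collections import Counter

# Constructed input: the report's flattened WriteProcessMemory and SetThreadContext
# rows, reproduced as the sandbox prints them (repeat counts match the report).
WPM_ROWS = (
    "PID 4308 wrote to memory of 4808 4308 ODEME.exe cmd.exe " * 3
    + "PID 4808 wrote to memory of 4032 4808 cmd.exe gfxgx.sfx.exe " * 3
    + "PID 4032 wrote to memory of 4872 4032 gfxgx.sfx.exe gfxgx.exe " * 3
    + "PID 4872 wrote to memory of 3480 4872 gfxgx.exe gfxgx.exe " * 8
    + "PID 3480 wrote to memory of 1688 3480 gfxgx.exe schtasks.exe " * 3
    + "PID 3480 wrote to memory of 2652 3480 gfxgx.exe tors.exe " * 3
    + "PID 2652 wrote to memory of 216 2652 tors.exe tors.exe " * 8
    + "PID 216 wrote to memory of 4740 216 tors.exe schtasks.exe " * 3
)
STC_ROWS = (
    "PID 4872 set thread context of 3480 4872 gfxgx.exe gfxgx.exe "
    "PID 2652 set thread context of 216 2652 tors.exe tors.exe"
)

# Row layout: "PID <ppid> <verb> <cpid> <ppid> <parent image> <child image>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)\s+\1\s+(\S+)\s+(\S+)")
STC_RE = re.compile(r"PID (\d+) set thread context of (\d+)\s+\1\s+(\S+)\s+(\S+)")

# Observation from this report (an assumption, not a Windows constant): each
# ordinary CreateProcess shows up as three parent->child writes.
SPAWN_BASELINE_WRITES = 3


def parse_writes(text):
    """Map (parent_pid, child_pid) -> (parent_image, child_image, write_count)."""
    counts = Counter()
    images = {}
    for m in WPM_RE.finditer(text):
        key = (int(m.group(1)), int(m.group(2)))
        counts[key] += 1
        images[key] = (m.group(3), m.group(4))
    return {key: images[key] + (n,) for key, n in counts.items()}


def parse_thread_context(text):
    """Set of (parent_pid, child_pid) pairs where the parent called SetThreadContext."""
    return {(int(m.group(1)), int(m.group(2))) for m in STC_RE.finditer(text)}


def hollowing_candidates(wpm_text, stc_text):
    """Flag RunPE/process-hollowing candidates: a child that is a copy of the
    parent's own image, written to more often than a plain spawn needs, and
    whose thread context the parent then reset. Sorted by (parent, child) pid."""
    writes = parse_writes(wpm_text)
    stc = parse_thread_context(stc_text)
    findings = []
    for (ppid, cpid), (pimg, cimg, n) in sorted(writes.items()):
        same_image = pimg.lower() == cimg.lower()
        excess_writes = n > SPAWN_BASELINE_WRITES
        if same_image and excess_writes and (ppid, cpid) in stc:
            findings.append({"parent": (ppid, pimg), "child": (cpid, cimg), "writes": n})
    return findings


if __name__ == "__main__":
    for f in hollowing_candidates(WPM_ROWS, STC_ROWS):
        print(f"{f['parent'][1]} pid {f['parent'][0]} -> pid {f['child'][0]}: "
              f"{f['writes']} writes + SetThreadContext on own image: hollowing candidate")
```

Run against the rows above it reports exactly the two pairs the YARA rule matched (4872 -> 3480 and 2652 -> 216) and stays quiet on the six ordinary spawns. Requiring all three conditions is deliberate: self-spawn alone is what many updaters do, and excess writes alone would also catch legitimate debuggers and instrumentation.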
Processes
1. C:\Users\Admin\AppData\Local\Temp\ODEME.exe
   "C:\Users\Admin\AppData\Local\Temp\ODEME.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
  2. C:\Windows\SysWOW64\cmd.exe
     C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gfxgx.bat" "
     - Suspicious use of WriteProcessMemory
     (The command line names system32 but the image that ran is SysWOW64\cmd.exe: the dropper is a 32-bit process, so file-system redirection applies.)
    3. C:\Users\Admin\AppData\Local\Temp\gfxgx.sfx.exe
       gfxgx.sfx.exe -pyqdkffiqncmcjufgjkflgfhfjgukjvcghjfjcGHmfgkfughkfjumkSKrgbfknnsracznyvoGgfmfcgjhmvzgnbmgcjfbncgdpodnfionJjgimaabihqgdbwvhewhken -dC:\Users\Admin\AppData\Roaming
       - Executes dropped EXE
       - Checks computer location settings
       - Suspicious use of WriteProcessMemory
       (-p<password> and -d<destination> are WinRAR-style self-extracting-archive switches: gfxgx.bat launches a password-protected SFX that unpacks gfxgx.exe into %AppData% and runs it. Because the password is supplied on the command line from the batch file, the archive body is opaque to scanners that do not execute the script.)
      4. C:\Users\Admin\AppData\Roaming\gfxgx.exe
         "C:\Users\Admin\AppData\Roaming\gfxgx.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
        5. C:\Users\Admin\AppData\Roaming\gfxgx.exe
           C:\Users\Admin\AppData\Roaming\gfxgx.exe
           - Executes dropped EXE
           - Suspicious use of AdjustPrivilegeToken
           - Suspicious use of WriteProcessMemory
           (Second instance of the same image, created and hollowed by its parent; this is PID 3480, where the Quasar YARA rule matched, and it is the instance that goes on to install and persist.)
          6. C:\Windows\SysWOW64\schtasks.exe
             "schtasks" /create /tn "tdm" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\gfxgx.exe" /rl HIGHEST /f
             - Creates scheduled task(s)
          6. C:\Users\Admin\AppData\Roaming\tilk\tors.exe
             "C:\Users\Admin\AppData\Roaming\tilk\tors.exe"
             - Executes dropped EXE
             - Suspicious use of SetThreadContext
             - Suspicious use of AdjustPrivilegeToken
             - Suspicious use of WriteProcessMemory
            7. C:\Users\Admin\AppData\Roaming\tilk\tors.exe
               C:\Users\Admin\AppData\Roaming\tilk\tors.exe
               - Executes dropped EXE
               - Suspicious use of AdjustPrivilegeToken
               - Suspicious use of WriteProcessMemory
              8. C:\Windows\SysWOW64\schtasks.exe
                 "schtasks" /create /tn "tdm" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\tilk\tors.exe" /rl HIGHEST /f
                 - Creates scheduled task(s)
Persistence, read against the extracted config: the hollowed gfxgx.exe first registers a logon task named tdm (startup_key) pointing at itself, copies itself to %AppData%\tilk\tors.exe (subdirectory and install_name; the hashes in Downloads confirm the copy is byte-identical) and launches that copy. The installed copy repeats the hollowing and re-registers the same task name pointing at tors.exe, with /f overwriting the earlier definition, so only the second task survives on disk. /rl HIGHEST runs the task at the highest privilege level the user's token already allows; it does not elevate a standard user.
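As a second added example (again not code from the report), the two schtasks invocations in the tree parsed and scored the way a detection rule would: the parser pulls /tn, /sc, /tr, /rl and /f out of the command line, one function reports which persistence traits are present (logon trigger, HIGHEST run level, target under a user-writable directory, forced overwrite), and another notices that one task name was bound to two different targets during the run. The two malicious lines are taken verbatim from the tree; the third, benign line and the list of user-writable path markers are my assumptions, added for contrast.

```python
import re

# The two schtasks command lines from the process tree above, plus one
# constructed benign task (not from the report) for contrast.
SAMPLE_CMDLINES = [
    '"schtasks" /create /tn "tdm" /sc ONLOGON /tr "C:\\Users\\Admin\\AppData\\Roaming\\gfxgx.exe" /rl HIGHEST /f',
    '"schtasks" /create /tn "tdm" /sc ONLOGON /tr "C:\\Users\\Admin\\AppData\\Roaming\\tilk\\tors.exe" /rl HIGHEST /f',
    'schtasks /create /tn "Vendor Updater" /sc DAILY /st 03:00 /tr "C:\\Program Files\\Vendor\\update.exe"',
]

# Assumed list of locations a standard user can write to; tune per environment.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
# Triggers that fire again after logon or reboot, i.e. persistence rather than one-shot execution.
PERSISTENT_TRIGGERS = {"ONLOGON", "ONSTART", "ONIDLE", "ONEVENT"}


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted runs intact."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline):
    """Return the /create-relevant switches, or None if this is not schtasks."""
    toks = tokenize(cmdline)
    if not toks or toks[0].lower().rsplit("\\", 1)[-1] not in ("schtasks", "schtasks.exe"):
        return None
    task = {"create": False, "force": False, "tn": None, "sc": None, "tr": None, "rl": None}
    i = 1
    while i < len(toks):
        sw = toks[i].lower()
        if sw == "/create":
            task["create"] = True
        elif sw == "/f":
            task["force"] = True
        elif sw in ("/tn", "/sc", "/tr", "/rl") and i + 1 < len(toks):
            task[sw[1:]] = toks[i + 1]
            i += 1
        i += 1
    return task


def persistence_indicators(cmdline):
    """List the traits that make a schtasks /create look like malware persistence."""
    task = parse_schtasks(cmdline)
    if not task or not task["create"]:
        return []
    reasons = []
    if (task["sc"] or "").upper() in PERSISTENT_TRIGGERS:
        reasons.append(f"trigger {task['sc'].upper()}")
    if (task["rl"] or "").upper() == "HIGHEST":
        reasons.append("run level HIGHEST")
    if any(marker in (task["tr"] or "").lower() for marker in USER_WRITABLE_MARKERS):
        reasons.append("target in user-writable directory")
    if task["force"]:
        reasons.append("/f overwrites any existing task of that name")
    return reasons


def task_retargets(cmdlines):
    """Task names bound to more than one /tr target across the run. In the tree
    above 'tdm' is first pointed at gfxgx.exe and then re-registered for tors.exe."""
    targets = {}
    for cmd in cmdlines:
        task = parse_schtasks(cmd)
        if task and task["create"] and task["tn"]:
            seen = targets.setdefault(task["tn"], [])
            if task["tr"] not in seen:
                seen.append(task["tr"])
    return {tn: trs for tn, trs in targets.items() if len(trs) > 1}


if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        print(parse_schtasks(cmd)["tn"], "->", persistence_indicators(cmd) or "no indicators")
    print("re-registered:", task_retargets(SAMPLE_CMDLINES))
```

The tokenizer is deliberately a plain regex rather than shlex: POSIX-mode shlex treats backslashes as escapes and would mangle Windows paths. Scoring on several traits at once, rather than alerting on every schtasks /create, keeps legitimate installers (daily triggers, targets under Program Files, no run-level override) out of the queue while both of this sample's tasks score on all four.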
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gfxgx.exe.log
  Filesize: 706B
  MD5: d95c58e609838928f0f49837cab7dfd2
  SHA1: 55e7139a1e3899195b92ed8771d1ca2c7d53c916
  SHA256: 0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339
  SHA512: 405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tors.exe.log
  Filesize: 706B
  MD5: d95c58e609838928f0f49837cab7dfd2
  SHA1: 55e7139a1e3899195b92ed8771d1ca2c7d53c916
  SHA256: 0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339
  SHA512: 405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d
  (CLR_v4.0_32 usage logs are written by the 32-bit .NET Framework 4 runtime, which confirms that gfxgx.exe and tors.exe are 32-bit .NET executables, as expected for Quasar, a C# RAT. The two logs hash identically because both processes ran the same binary.)
- C:\Users\Admin\AppData\Local\Temp\gfxgx.bat
  Filesize: 155B
  MD5: 9d4164a125a4f7d232458f0a6cddbdfb
  SHA1: 23ca2c2908a97b2543fa1e0241189d3a4676ca84
  SHA256: 47c8ed3502b9de43a918da9abdf6f708ca5fc44febb3ab16314ff2b0aad55afd
  SHA512: 0f4b499bfdbafd6fda1dcaa7821443d74f8421b3b587264ad992586b3312a9b1a2e2e19d4739b31e93289e90cd5bc0be48e8f17645a42cc274ea044aa9542225
- C:\Users\Admin\AppData\Local\Temp\gfxgx.sfx.exe
  Filesize: 1.2MB
  MD5: 50fc280c07ded77779e61a87a3d861fe
  SHA1: f025a667489005ac753064e5eb494abe46a97393
  SHA256: f4dff2c58d583ed5f7e21c505b788aca5f82f6a173f293acf615fdf10e7c9169
  SHA512: dc42373945d9e43eb45470653de06e74d56fb8ff54d2c0f64509724f08b45440300c7fcccc64838fb0937bbbf13329198c524fdd949c3ea89ba715b80d87c666
- C:\Users\Admin\AppData\Roaming\gfxgx.exe
  Filesize: 1.2MB
  MD5: 45c405bb47177a4ecdd9bc5ff88923eb
  SHA1: a8605148e035dca5ce970d99fdb12d86f70eeef8
  SHA256: e0be8a13f930fd4d337b7df74e3bd4bac4d9f1cf8fea0c46ce1ce066ed40d8aa
  SHA512: b28043255d5c5f2f64de4359d57c45fccc82b04460c6a27ccd49841646b3ee84565098bfa6ab6f09d0dc835dc54665d4273e144a0fb5e3c61a10151b6803d210
- C:\Users\Admin\AppData\Roaming\tilk\tors.exe
  Filesize: 1.2MB
  MD5: 45c405bb47177a4ecdd9bc5ff88923eb
  SHA1: a8605148e035dca5ce970d99fdb12d86f70eeef8
  SHA256: e0be8a13f930fd4d337b7df74e3bd4bac4d9f1cf8fea0c46ce1ce066ed40d8aa
  SHA512: b28043255d5c5f2f64de4359d57c45fccc82b04460c6a27ccd49841646b3ee84565098bfa6ab6f09d0dc835dc54665d4273e144a0fb5e3c61a10151b6803d210
  (Same hashes as gfxgx.exe: the installed tors.exe is a byte-for-byte copy of the dropped payload, so a single file hash covers both the dropped and the installed artefact.)
- memory/216-160-0x0000000006A90000-0x0000000006A9A000-memory.dmp: 40KB
- memory/216-155-0x0000000000000000-mapping.dmp
- memory/1688-151-0x0000000000000000-mapping.dmp
- memory/2652-152-0x0000000000000000-mapping.dmp
- memory/3480-144-0x0000000000000000-mapping.dmp
- memory/3480-148-0x0000000005A90000-0x0000000005AF6000-memory.dmp: 408KB
- memory/3480-149-0x00000000067E0000-0x00000000067F2000-memory.dmp: 72KB
- memory/3480-150-0x0000000006D40000-0x0000000006D7C000-memory.dmp: 240KB
- memory/3480-145-0x0000000000400000-0x000000000045E000-memory.dmp: 376KB
- memory/4032-134-0x0000000000000000-mapping.dmp
- memory/4740-159-0x0000000000000000-mapping.dmp
- memory/4808-132-0x0000000000000000-mapping.dmp
- memory/4872-137-0x0000000000000000-mapping.dmp
- memory/4872-143-0x000000000E8F0000-0x000000000E982000-memory.dmp: 584KB
- memory/4872-142-0x000000000EE00000-0x000000000F3A4000-memory.dmp: 5.6MB
- memory/4872-141-0x000000000E7B0000-0x000000000E84C000-memory.dmp: 624KB
- memory/4872-140-0x0000000000FD0000-0x0000000001106000-memory.dmp: 1.2MB
The 376KB region at 0x400000-0x45E000 in PID 3480 is the one the Quasar YARA rule matched. 0x400000 is the default image base of a 32-bit executable, so this dump is the payload image as mapped into the hollowed child and is the artefact to start from when extracting the unpacked Quasar binary and its configuration.