Windows
Analysis Report
QuarkHub.dll
Overview
General Information
Detection
| Score | 96 |
| Range | 0 - 100 |
| Whitelisted | false |
| Confidence | 100% |
Signatures
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
DLL side loading technique detected
Deletes itself after installation
Enables a proxy for Internet Explorer
Injects a PE file into a foreign process
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Sets a proxy for Internet Explorer
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Stores large binary data to the registry
Tries to load missing DLLs
Uses reg.exe to modify the Windows registry
Classification
- System is w10x64
- loaddll64.exe (PID: 7292 cmdline: loaddll64.exe "C:\Users\user\Desktop\QuarkHub.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
- conhost.exe (PID: 7300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7340 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\QuarkHub.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- rundll32.exe (PID: 7368 cmdline: rundll32.exe "C:\Users\user\Desktop\QuarkHub.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
- msiexec.exe (PID: 7432 cmdline: C:\Windows\System32\msiexec.exe MD5: E5DA170027542E25EDE42FC54C929077)
- rundll32.exe (PID: 7352 cmdline: rundll32.exe C:\Users\user\Desktop\QuarkHub.dll,Kzuhla MD5: EF3179D498793BF4234F708D3BE28633)
- msiexec.exe (PID: 7424 cmdline: C:\Windows\System32\msiexec.exe MD5: E5DA170027542E25EDE42FC54C929077)
- msiexec.exe (PID: 7564 cmdline: C:\Windows\System32\msiexec.exe MD5: E5DA170027542E25EDE42FC54C929077)
- msiexec.exe (PID: 7620 cmdline: C:\Windows\System32\msiexec.exe MD5: E5DA170027542E25EDE42FC54C929077)
- explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
- reg.exe (PID: 4456 cmdline: reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v QuarkHub /d "regsvr32.exe /s \"C:\Users\user\AppData\Roaming\Pfjsqg\QuarkHub.dll\"" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
- conhost.exe (PID: 4460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- regsvr32.exe (PID: 7920 cmdline: C:\Windows\system32\regsvr32.exe" /s "C:\Users\user\AppData\Roaming\Pfjsqg\QuarkHub.dll MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
- msiexec.exe (PID: 2336 cmdline: C:\Windows\System32\msiexec.exe MD5: E5DA170027542E25EDE42FC54C929077)
- msiexec.exe (PID: 6952 cmdline: C:\Windows\System32\msiexec.exe MD5: E5DA170027542E25EDE42FC54C929077)
- regsvr32.exe (PID: 23400 cmdline: C:\Windows\system32\regsvr32.exe" /s "C:\Users\user\AppData\Roaming\Pfjsqg\QuarkHub.dll MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
- msiexec.exe (PID: 22964 cmdline: C:\Windows\System32\msiexec.exe MD5: E5DA170027542E25EDE42FC54C929077)
- msiexec.exe (PID: 23088 cmdline: C:\Windows\System32\msiexec.exe MD5: E5DA170027542E25EDE42FC54C929077)
- msiexec.exe (PID: 7680 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 9D09DC1EDA745A5F87553048E57620CF)
- msiexec.exe (PID: 7784 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 9D09DC1EDA745A5F87553048E57620CF)
- msiexec.exe (PID: 7976 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 9D09DC1EDA745A5F87553048E57620CF)
- msiexec.exe (PID: 8028 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 9D09DC1EDA745A5F87553048E57620CF)
- reg.exe (PID: 8100 cmdline: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings" /f /t REG_SZ /v "ProxyServer" /d "127.0.0.1:10351" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
- conhost.exe (PID: 8120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- reg.exe (PID: 8112 cmdline: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings" /f /t REG_DWORD /v "ProxyEnable" /d 1 MD5: 227F63E1D9008B36BDBCC4B397780BE4)
- conhost.exe (PID: 8156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- msiexec.exe (PID: 7088 cmdline: C:\Windows\System32\msiexec.exe MD5: E5DA170027542E25EDE42FC54C929077)
- msiexec.exe (PID: 7464 cmdline: C:\Windows\System32\msiexec.exe MD5: E5DA170027542E25EDE42FC54C929077)
- cleanup
- No configs have been found
- No YARA matches
- No Sigma rule has matched
- No Snort rule has matched