Analysis
max time kernel: 147s
max time network: 127s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 04-07-2024 17:17
Static task: static1
Behavioral task: behavioral1
Sample: QuasarInstaller.exe
Resource: win7-20240611-en
General
Target: QuasarInstaller.exe
Size: 491KB
MD5: 8def0ef788602675c4d6fc2a72f93944
SHA1: b153631a58aa2b88120412f84493fb3250673e4c
SHA256: 2862c2fdbd071dd3308fb352a626da5e5f010c9b5ee9b3b1f6671e78c556dd55
SHA512: e10bbc8b382accb4e946e1058c3bf17305a8df53d3d034dace25b7506d2fb7d56b47b5ed6552c3fc0a32d492f9eccf92d95664591091f7d0c30aac882a3ea45b
SSDEEP: 12288:5CQjgAtAHM+vetZxF5EWry8AJGy0vC8JLY8V1/3sRRAw:55ZWs+OZVEWry8AF18JLYgUR1
Malware Config
Extracted
xenorat
127.0.0.1
Xeno_rat_nd8912d
delay: 5000
install_path: appdata
port: 4444
startup_name: Quasar
Signatures

Executes dropped EXE (2 IoCs)
pid   Process
1100  Quasar-Installer.exe
2624  Quasar-Installer.exe

Loads dropped DLL (1 IoC)
pid   Process
1100  Quasar-Installer.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
2132  schtasks.exe

Suspicious use of WriteProcessMemory (18 IoCs)
description                       pid   Process               procid_target
PID 2204 wrote to memory of 1100  2204  QuasarInstaller.exe   28
PID 2204 wrote to memory of 1100  2204  QuasarInstaller.exe   28
PID 2204 wrote to memory of 1100  2204  QuasarInstaller.exe   28
PID 2204 wrote to memory of 1100  2204  QuasarInstaller.exe   28
PID 2204 wrote to memory of 1100  2204  QuasarInstaller.exe   28
PID 2204 wrote to memory of 1100  2204  QuasarInstaller.exe   28
PID 2204 wrote to memory of 1100  2204  QuasarInstaller.exe   28
PID 1100 wrote to memory of 2624  1100  Quasar-Installer.exe  29
PID 1100 wrote to memory of 2624  1100  Quasar-Installer.exe  29
PID 1100 wrote to memory of 2624  1100  Quasar-Installer.exe  29
PID 1100 wrote to memory of 2624  1100  Quasar-Installer.exe  29
PID 1100 wrote to memory of 2624  1100  Quasar-Installer.exe  29
PID 1100 wrote to memory of 2624  1100  Quasar-Installer.exe  29
PID 1100 wrote to memory of 2624  1100  Quasar-Installer.exe  29
PID 2624 wrote to memory of 2132  2624  Quasar-Installer.exe  30
PID 2624 wrote to memory of 2132  2624  Quasar-Installer.exe  30
PID 2624 wrote to memory of 2132  2624  Quasar-Installer.exe  30
PID 2624 wrote to memory of 2132  2624  Quasar-Installer.exe  30
Processes (process tree, indented by depth)

1. C:\Users\Admin\AppData\Local\Temp\QuasarInstaller.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\QuasarInstaller.exe"
   PID: 2204
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\RarSFX0\Quasar-Installer.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Quasar-Installer.exe"
      PID: 1100
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\XenoManager\Quasar-Installer.exe
         Command line: "C:\Users\Admin\AppData\Roaming\XenoManager\Quasar-Installer.exe"
         PID: 2624
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\schtasks.exe
            Command line: "schtasks.exe" /Create /TN "Quasar" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9F3C.tmp" /F
            PID: 2132
            - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 57KB
MD5: 800a317039e17efeb46d6879adf7c19f
SHA1: 110fc941037e9ad167b436db313e4ef3e43e18e6
SHA256: 7bae7a85d03bf751b5fee0b6141a314c03023c904be6e28d7a90f1cd3910741c
SHA512: ff01e97fc00310b6b766f82971f455a5b0c88505e8e0b4ac2dbfa8991d38375d72751045ea2c799f871074fd497a205671f0ad87e4f7d22187cf2b3ae21d9ed6

Filesize: 1KB
MD5: c7c6824afe2d715ccc1f958697662e6c
SHA1: e8f3e3216ffca69f7cca1f567787f74966b71d96
SHA256: 233f565186c07ecbce427bed376789a60ae8ed601bcac3726fe340c5421e9d23
SHA512: c586982443aedcd9a7dc360ab3f5b034e7dfd74cebef490c173e43e3469ddb25c6c05dff679f0c63fd68ac1bbaf9433a97486262d0fafa0f947dd279f801b317