Analysis
max time kernel: 141s
max time network: 49s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-07-2024 17:17
Static task: static1
Behavioral task: behavioral1
Sample: QuasarInstaller.exe
Resource: win7-20240611-en
General
Target: QuasarInstaller.exe
Size: 491KB
MD5: 8def0ef788602675c4d6fc2a72f93944
SHA1: b153631a58aa2b88120412f84493fb3250673e4c
SHA256: 2862c2fdbd071dd3308fb352a626da5e5f010c9b5ee9b3b1f6671e78c556dd55
SHA512: e10bbc8b382accb4e946e1058c3bf17305a8df53d3d034dace25b7506d2fb7d56b47b5ed6552c3fc0a32d492f9eccf92d95664591091f7d0c30aac882a3ea45b
SSDEEP: 12288:5CQjgAtAHM+vetZxF5EWry8AJGy0vC8JLY8V1/3sRRAw:55ZWs+OZVEWry8AF18JLYgUR1
Malware Config
Extracted
xenorat
127.0.0.1
Xeno_rat_nd8912d
delay: 5000
install_path: appdata
port: 4444
startup_name: Quasar
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | Process: QuasarInstaller.exe
description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | Process: Quasar-Installer.exe

Executes dropped EXE (2 IoCs)
pid: 2536 | Process: Quasar-Installer.exe
pid: 348 | Process: Quasar-Installer.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid: 3116 | Process: schtasks.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 3100 wrote to memory of 2536 | 3100 | QuasarInstaller.exe | 80
PID 3100 wrote to memory of 2536 | 3100 | QuasarInstaller.exe | 80
PID 3100 wrote to memory of 2536 | 3100 | QuasarInstaller.exe | 80
PID 2536 wrote to memory of 348 | 2536 | Quasar-Installer.exe | 82
PID 2536 wrote to memory of 348 | 2536 | Quasar-Installer.exe | 82
PID 2536 wrote to memory of 348 | 2536 | Quasar-Installer.exe | 82
PID 348 wrote to memory of 3116 | 348 | Quasar-Installer.exe | 83
PID 348 wrote to memory of 3116 | 348 | Quasar-Installer.exe | 83
PID 348 wrote to memory of 3116 | 348 | Quasar-Installer.exe | 83
Processes (process tree, depth 1-4)

1. C:\Users\Admin\AppData\Local\Temp\QuasarInstaller.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\QuasarInstaller.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   PID: 3100

   2. C:\Users\Admin\AppData\Local\Temp\RarSFX0\Quasar-Installer.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Quasar-Installer.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 2536

      3. C:\Users\Admin\AppData\Roaming\XenoManager\Quasar-Installer.exe
         Command line: "C:\Users\Admin\AppData\Roaming\XenoManager\Quasar-Installer.exe"
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         PID: 348

         4. C:\Windows\SysWOW64\schtasks.exe
            Command line: "schtasks.exe" /Create /TN "Quasar" /XML "C:\Users\Admin\AppData\Local\Temp\tmp69E5.tmp" /F
            - Scheduled Task/Job: Scheduled Task
            PID: 3116
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 226B
MD5: 916851e072fbabc4796d8916c5131092
SHA1: d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256: 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512: 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Filesize: 57KB
MD5: 800a317039e17efeb46d6879adf7c19f
SHA1: 110fc941037e9ad167b436db313e4ef3e43e18e6
SHA256: 7bae7a85d03bf751b5fee0b6141a314c03023c904be6e28d7a90f1cd3910741c
SHA512: ff01e97fc00310b6b766f82971f455a5b0c88505e8e0b4ac2dbfa8991d38375d72751045ea2c799f871074fd497a205671f0ad87e4f7d22187cf2b3ae21d9ed6

Filesize: 1KB
MD5: c7c6824afe2d715ccc1f958697662e6c
SHA1: e8f3e3216ffca69f7cca1f567787f74966b71d96
SHA256: 233f565186c07ecbce427bed376789a60ae8ed601bcac3726fe340c5421e9d23
SHA512: c586982443aedcd9a7dc360ab3f5b034e7dfd74cebef490c173e43e3469ddb25c6c05dff679f0c63fd68ac1bbaf9433a97486262d0fafa0f947dd279f801b317