Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
14-01-2025 19:12
General
-
Target
vers2.0.0-installx64.exe
-
Size
3.6MB
-
MD5
62af7389396c21b283d8655e7562d106
-
SHA1
c54841ab13b60aaf222b926f787c8669564a8090
-
SHA256
da320fb9d212b7d38eb28a54e1283bb4e9546ee5009540f46aff61083fecbed0
-
SHA512
9967b67006ba3a4ec6c13025b84ba42a112ccce4c38040f3849b001d39d27febf746f6e46e6a2673f3769fdbc4dff94f722fe5593e06d6ee82c176619b7e75c3
-
SSDEEP
98304:9EmUsgCgxpVbU/g6+WJdDldtYqdqbqjom6/JfS1:WVbU/gAhdtYqAgkJfS
Malware Config
Extracted
xworm
127.0.0.1:7000
-
Install_directory
%LocalAppData%
Extracted
quasar
1.4.1
CHXMP
8.8.8.8:4337
d0ee0679-1d6f-403e-a05a-fa08da0e7baa
-
encryption_key
3D2B9436E897CB92D0C2E82EF036B6F461BCAEC4
-
install_name
win10-updateKB087586-x64.exe
-
log_directory
Temp
-
reconnect_delay
3000
-
startup_key
Windows Update
-
subdirectory
wininst
Signatures
-
Detect Xworm Payload 2 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 5 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 19 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\vers2.0.0-installx64.exe"C:\Users\Admin\AppData\Local\Temp\vers2.0.0-installx64.exe"1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\firefox.exe"C:\Program Files (x86)\firefox.exe" 02⤵
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\winlogon.exe"C:\Program Files (x86)\winlogon.exe" 02⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\wininst\win10-updateKB087586-x64.exe" /rl HIGHEST /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\wininst\win10-updateKB087586-x64.exe"C:\Users\Admin\AppData\Roaming\wininst\win10-updateKB087586-x64.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\wininst\win10-updateKB087586-x64.exe" /rl HIGHEST /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
202KB
MD5dda99892c0812b8c3560618c6c80306d
SHA14e758b0ac3b1a59ef7f2487c7bbb05ba06b8a079
SHA25641f95b5d0b1e73157b0b61dc5e946a3e941554e45d7eaaabf96b88cf6634ba4e
SHA512562f474c064227d39058b81b6f36c0d5682c8891c588c6b6dc388a53d3dca20e137ca7a666bcc80955088d91672c9defb77013b636d0cca56239216c113701ef
-
Filesize
2.3MB
MD5626eac3eba8dc885b1c4fd56db614a6e
SHA1ab181653bc3bad16d8cfd5a6d6837c4d6775c68f
SHA2562a2272751fc1dfb43f20cf3bba8b4925e38c972573bb30afd8c77229e8d4bb76
SHA5120eb8fa63aaa99d68fad28d7428f0741313d9496b9b4b99e183a726b596e9c5b1e9f3f594b8ff859975be255881ed63574b6a026500bfb746083949197b5d8747
-
Filesize
4KB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
224KB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.1MB
-
Filesize
320KB
-
Filesize
712KB
-
Filesize
6.7MB