Analysis
-
max time kernel
1789s
-
max time network
1802s
-
platform
windows11-21h2_x64
-
resource
win11-20240221-en
-
resource tags
arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
-
submitted
30/03/2024, 10:22
Behavioral task
behavioral1
Sample
nyMr9D3bkD.rar
Resource
win11-20240221-en
Behavioral task
behavioral2
Sample
nyMr9D3bkD/b9RCiDQEqT.exe
Resource
win11-20240221-en
Behavioral task
behavioral3
Sample
nyMr9D3bkD/krampus more like kracked.exe
Resource
win11-20240221-en
General
-
Target
nyMr9D3bkD.rar
-
Size
1.5MB
-
MD5
9ab5809be4bf0c4cbe6e7209146f518a
-
SHA1
62106ecca34e85a792442735a89c4c9a609704e1
-
SHA256
ca46530a37639b1994d97ebe3b47d002247dc87b98f15401f4b0356a56bfc94d
-
SHA512
f5a63402d34c68804ae50c11d3af8fac3fd45b552ee21a6d86aad42f5d498bd493486c57e4672a0cd7fc341cba13a6bf326bcca75017faeb06e72231978d2984
-
SSDEEP
24576:xeGy48ZGvVNCCWQpBZDQjgA0cgQQ9wy/LGNTcPuV2UqVjQhnb26mApPV1:xBftV8CWQpbw0c9Q9/aN022njQjNH
Malware Config
-
Extracted
-
Family
quasar
-
Version
1.4.1
-
Botnet
nyMr9D3bkD
-
C2
192.168.0.24:4782
-
Mutex
6b2c33e5-70a8-47f8-8746-f28159049692
-
encryption_key
019832365CF4EA9C63CDBF032EFC8FA4C72C6F0D
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Update
-
subdirectory
SubDir
Signatures
-
Quasar payload 2 IoCs
resource | yara_rule
behavioral1/files/0x000100000002a7d7-6.dat | family_quasar
behavioral1/memory/3056-8-0x00000000001F0000-0x000000000051C000-memory.dmp | family_quasar
-
Executes dropped EXE 3 IoCs
pid | Process
3056 | krampus more like kracked.exe
2840 | Client.exe
4524 | b9RCiDQEqT.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3008 | schtasks.exe
4956 | schtasks.exe
-
Modifies registry class 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000_Classes\Local Settings | cmd.exe
Key created | \REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000_Classes\Local Settings\MuiCache | MiniSearchHost.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
4916 | 7zFM.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
description | pid | Process
Token: SeRestorePrivilege | 4916 | 7zFM.exe
Token: 35 | 4916 | 7zFM.exe
Token: SeSecurityPrivilege | 4916 | 7zFM.exe
Token: SeDebugPrivilege | 3056 | krampus more like kracked.exe
Token: SeDebugPrivilege | 2840 | Client.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
4916 | 7zFM.exe
4916 | 7zFM.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
4416 | MiniSearchHost.exe
2840 | Client.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 1540 wrote to memory of 4916 | 1540 | cmd.exe | 80
PID 1540 wrote to memory of 4916 | 1540 | cmd.exe | 80
PID 3056 wrote to memory of 3008 | 3056 | krampus more like kracked.exe | 88
PID 3056 wrote to memory of 3008 | 3056 | krampus more like kracked.exe | 88
PID 3056 wrote to memory of 2840 | 3056 | krampus more like kracked.exe | 90
PID 3056 wrote to memory of 2840 | 3056 | krampus more like kracked.exe | 90
PID 2840 wrote to memory of 4956 | 2840 | Client.exe | 91
PID 2840 wrote to memory of 4956 | 2840 | Client.exe | 91
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (child processes are indented under their parent; each entry lists the image path, then the command line)
-
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\nyMr9D3bkD.rar
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1540
  C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\nyMr9D3bkD.rar"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4916
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4416
-
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID:932
-
C:\Users\Admin\Desktop\nyMr9D3bkD\krampus more like kracked.exe
"C:\Users\Admin\Desktop\nyMr9D3bkD\krampus more like kracked.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3056
  C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
  PID:3008
  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2840
    C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
    PID:4956
-
C:\Users\Admin\Desktop\nyMr9D3bkD\b9RCiDQEqT.exe
"C:\Users\Admin\Desktop\nyMr9D3bkD\b9RCiDQEqT.exe"
- Executes dropped EXE
PID:4524
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
PID:4760
Downloads
-
Filesize
1.1MB
-
MD5
5617f3c2904f7376fc9b8da1e98ec8db
-
SHA1
0b46078d6f0ecda18a52346ffdc59ebe37711548
-
SHA256
adb05152e06fe820ad357b596e359c8a6f219f1024393d2168fba4b497b7df04
-
SHA512
56a3a647fec403a0512afb1b5dd5ac89482f9c916bdebabc98db550950f77dbd0aaf544b4014c008b460de4f84d8f2bae8fe02147a461d08cf01115272ccb008
-
Filesize
3.1MB
-
MD5
236ce233b606ae8a5c0d9718c41e1025
-
SHA1
391cbbda35a59fcda95e751bb9398bb86db904b9
-
SHA256
49376d9766f6944866c5d917905a57b9e41bf100457fd3d9b389f6c3c0abbb92
-
SHA512
1bdf7f4ae94f4a3b82fcaafc8a5bd2187e00ad466793481e59dfe90afee2e5730e59e49d009d629930b903a44d11e029120fa5e8203e0ea8b1ab2496b7a1e793