Analysis

  • max time kernel
    1789s
  • max time network
    1802s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    30/03/2024, 10:22

General

  • Target

    nyMr9D3bkD.rar

  • Size

    1.5MB

  • MD5

    9ab5809be4bf0c4cbe6e7209146f518a

  • SHA1

    62106ecca34e85a792442735a89c4c9a609704e1

  • SHA256

    ca46530a37639b1994d97ebe3b47d002247dc87b98f15401f4b0356a56bfc94d

  • SHA512

    f5a63402d34c68804ae50c11d3af8fac3fd45b552ee21a6d86aad42f5d498bd493486c57e4672a0cd7fc341cba13a6bf326bcca75017faeb06e72231978d2984

  • SSDEEP

    24576:xeGy48ZGvVNCCWQpBZDQjgA0cgQQ9wy/LGNTcPuV2UqVjQhnb26mApPV1:xBftV8CWQpbw0c9Q9/aN022njQjNH

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

nyMr9D3bkD

C2

192.168.0.24:4782 (4782 is Quasar's default port; 192.168.0.24 is an RFC 1918 private address, so this build can only reach a controller on the local network and no external C2 traffic is expected from the sandbox run)

Mutex

6b2c33e5-70a8-47f8-8746-f28159049692

Attributes
  • encryption_key

    019832365CF4EA9C63CDBF032EFC8FA4C72C6F0D

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Update

  • subdirectory

    SubDir
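
The encryption_key above is the master key from which the client derives the AES key used to protect its embedded settings strings, which is what a config extractor needs to recover the C2, mutex and install values listed here. The decryptor below is an added example, not part of this report and not code from the Quasar project. Everything about the scheme is my assumption from reading Quasar's Aes256 helper: PBKDF2-HMAC-SHA1 over the master key with a fixed 32-byte salt and 50000 iterations, a 32-byte AES-256 key followed by a 64-byte HMAC key, and each Base64 setting laid out as HMAC-SHA256(32) || IV(16) || AES-256-CBC/PKCS7 ciphertext. Check the salt, iteration count and layout against the source of the exact version you are analysing before relying on the output. The `cryptography` package is only needed for the AES step; the KDF and tag check are standard library.

```python
"""Decrypt Quasar 1.4-style settings strings from the reported encryption_key.

Added example, not part of the sandbox report or the Quasar project. The KDF
constants, key split and blob layout below are my assumptions about Quasar's
Aes256 helper; verify them against the source before trusting the output.
"""
import base64
import hashlib
import hmac
import os

try:  # AES is not in the standard library: pip install cryptography
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
except ImportError:
    Cipher = None

# Salt as used by Quasar's Aes256 class (assumption: confirm against the source).
SALT = bytes([0xBF, 0xEB, 0x1E, 0x56, 0xFB, 0xCD, 0x97, 0x3B, 0xB2, 0x19, 0x02, 0x24,
              0x30, 0xA5, 0x78, 0x43, 0x00, 0x3D, 0x56, 0x44, 0xD2, 0x1E, 0x62, 0xB9,
              0xD4, 0xF1, 0x80, 0xE7, 0xE6, 0xC3, 0x39, 0x41])
ITERATIONS = 50000
KEY_LEN, AUTH_KEY_LEN, IV_LEN, MAC_LEN = 32, 64, 16, 32

# The master key reported in the extracted config above.
MASTER_KEY = "019832365CF4EA9C63CDBF032EFC8FA4C72C6F0D"


def derive_keys(master_key):
    """Return (aes_key, hmac_key): the first 32 and the next 64 PBKDF2 bytes."""
    stream = hashlib.pbkdf2_hmac("sha1", master_key.encode("utf-8"), SALT,
                                 ITERATIONS, KEY_LEN + AUTH_KEY_LEN)
    return stream[:KEY_LEN], stream[KEY_LEN:]


def split_blob(blob):
    """Split tag || IV || ciphertext; reject anything too short to be valid."""
    if len(blob) < MAC_LEN + IV_LEN + 16:
        raise ValueError("blob too short to hold tag, IV and one AES block")
    return blob[:MAC_LEN], blob[MAC_LEN:MAC_LEN + IV_LEN], blob[MAC_LEN + IV_LEN:]


def make_authenticated_blob(hmac_key, iv, ciphertext):
    """Prefix IV || ciphertext with HMAC-SHA256 over those bytes."""
    tag = hmac.new(hmac_key, iv + ciphertext, hashlib.sha256).digest()
    return tag + iv + ciphertext


def verify_tag(hmac_key, blob):
    """Constant-time check of the leading tag against IV || ciphertext."""
    tag, iv, ct = split_blob(blob)
    expected = hmac.new(hmac_key, iv + ct, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def decrypt_setting(master_key, b64_value):
    """Recover one plaintext setting; fails closed on a bad tag or padding."""
    aes_key, hmac_key = derive_keys(master_key)
    blob = base64.b64decode(b64_value)
    # Checking the tag first means a wrong master key or wrong KDF constants
    # is reported before any AES work, and without needing the AES library.
    if not verify_tag(hmac_key, blob):
        raise ValueError("HMAC mismatch: wrong master key, wrong KDF constants, or corrupted data")
    if Cipher is None:
        raise RuntimeError("install the 'cryptography' package for the AES step")
    _, iv, ct = split_blob(blob)
    dec = Cipher(algorithms.AES(aes_key), modes.CBC(iv)).decryptor()
    padded = dec.update(ct) + dec.finalize()
    pad = padded[-1]
    if not 1 <= pad <= 16 or padded[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS7 padding")
    return padded[:-pad].decode("utf-8")


def encrypt_setting(master_key, plaintext, iv=None):
    """Inverse of decrypt_setting; used here to build test vectors offline."""
    aes_key, hmac_key = derive_keys(master_key)
    iv = iv or os.urandom(IV_LEN)
    data = plaintext.encode("utf-8")
    pad = 16 - len(data) % 16
    data += bytes([pad]) * pad
    enc = Cipher(algorithms.AES(aes_key), modes.CBC(iv)).encryptor()
    return base64.b64encode(make_authenticated_blob(hmac_key, iv, enc.update(data) + enc.finalize())).decode()


if __name__ == "__main__":
    if Cipher is not None:
        # Constructed sample value, not a string taken from the sample.
        token = encrypt_setting(MASTER_KEY, "192.168.0.24:4782;")
        print(token, "->", decrypt_setting(MASTER_KEY, token))
```

Feed decrypt_setting the Base64 strings lifted from the client's Settings class with the encryption_key from the report. An HMAC failure before the AES step tells you the master key or the KDF constants are wrong, which is the first thing to re-check when an extractor stops working on a newer build.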

Signatures

  • Quasar RAT

    Quasar is an open-source .NET Remote Access Tool. The install_name, subdirectory and startup_key values in the extracted config correspond to its builder's installation and autostart options.

  • Quasar payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task "Update" (the config's startup_key) runs C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (subdirectory and install_name) at every logon with /rl HIGHEST; both the dropped executable and its installed copy create it.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\nyMr9D3bkD.rar
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1540
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\nyMr9D3bkD.rar"
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:4916
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4416
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:932
    • C:\Users\Admin\Desktop\nyMr9D3bkD\krampus more like kracked.exe
      "C:\Users\Admin\Desktop\nyMr9D3bkD\krampus more like kracked.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3056
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        2⤵
        • Creates scheduled task(s)
        PID:3008
      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2840
        • C:\Windows\SYSTEM32\schtasks.exe
          "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
          3⤵
          • Creates scheduled task(s)
          PID:4956
    • C:\Users\Admin\Desktop\nyMr9D3bkD\b9RCiDQEqT.exe
      "C:\Users\Admin\Desktop\nyMr9D3bkD\b9RCiDQEqT.exe"
      1⤵
      • Executes dropped EXE
      PID:4524
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
      1⤵
        PID:4760
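
The persistence chain in the tree above (dropped EXE on the Desktop creates an ONLOGON task, runs its copy from AppData\Roaming, and that copy creates the same task again) as detection logic over process-creation records. This is an added example, not part of the report: the EVENTS list is constructed in a Sysmon-like (pid, ppid, image, command line) shape with the command lines copied from the tree, plus one constructed benign control; the field layout, rule names and the list of user-writable directories are my assumptions.

```python
"""Flag the scheduled-task persistence chain shown in the process tree.

Added example, not part of the sandbox report. EVENTS is constructed in the
shape of process-creation records with the command lines copied from the
tree above; the field layout, rule names and the set of user-writable
directories are my assumptions.
"""
import ntpath
import re
import shlex

# Directories an unprivileged user can write to; a task whose /tr target lives
# here is far more suspicious than one pointing into Program Files or System32.
USER_WRITABLE = re.compile(
    r"\\(AppData|Temp|Desktop|Downloads|Public|ProgramData)\\", re.IGNORECASE)
# Schedules that give the payload a foothold across reboots.
AUTOSTART_SCHEDULES = {"ONLOGON", "ONSTART"}

# Constructed sample events: (pid, ppid, image, command_line).
EVENTS = [
    (3056, 932,
     r"C:\Users\Admin\Desktop\nyMr9D3bkD\krampus more like kracked.exe",
     r'"C:\Users\Admin\Desktop\nyMr9D3bkD\krampus more like kracked.exe"'),
    (3008, 3056, r"C:\Windows\SYSTEM32\schtasks.exe",
     r'"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f'),
    (2840, 3056, r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe",
     r'"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"'),
    (4956, 2840, r"C:\Windows\SYSTEM32\schtasks.exe",
     r'"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f'),
    # Benign control (constructed): a daily task pointing into Program Files.
    (5100, 700, r"C:\Windows\System32\schtasks.exe",
     r'schtasks /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\run.exe"'),
]


def parse_schtasks(cmdline):
    """Return {flag: value} for a schtasks command line ('' for bare flags).

    posix=False keeps Windows backslashes intact and keeps quoted values
    (which may contain spaces) together as one token.
    """
    tokens = shlex.split(cmdline, posix=False)
    args = {}
    i = 1  # skip the executable itself
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                args[key] = tokens[i + 1].strip('"')
                i += 2
                continue
            args[key] = ""
        i += 1
    return args


def analyze(events):
    """Return a list of findings; each names the rule, the pid and the evidence."""
    by_pid = {e[0]: e for e in events}
    findings = []
    for pid, ppid, image, cmdline in events:
        if ntpath.basename(image).lower() == "schtasks.exe":
            args = parse_schtasks(cmdline)
            if "create" not in args:
                continue
            schedule = args.get("sc", "").upper()
            target = args.get("tr", "")
            if schedule in AUTOSTART_SCHEDULES and USER_WRITABLE.search(target):
                findings.append({
                    "rule": "autostart_task_to_user_writable_path",
                    "pid": pid,
                    "task": args.get("tn", ""),
                    "target": target,
                    # /rl HIGHEST asks for the task to run with the highest
                    # privileges the account holds, so rank it above a plain task.
                    "severity": "high" if args.get("rl", "").upper() == "HIGHEST" else "medium",
                })
        elif USER_WRITABLE.search(image):
            parent = by_pid.get(ppid)
            if parent is not None and USER_WRITABLE.search(parent[2]):
                findings.append({
                    "rule": "user_writable_exe_spawned_by_user_writable_exe",
                    "pid": pid,
                    "parent": parent[2],
                    "image": image,
                    "severity": "medium",
                })
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

The two schtasks events (PIDs 3008 and 4956) come out as high-severity findings and the AppData copy spawned by the Desktop dropper as a medium one; the benign daily task is ignored because its schedule and target are both outside the rule. Keying the rule on the /tr target rather than on the task name matters here: the name "Update" is chosen to blend in, while an ONLOGON task pointing into AppData\Roaming with /rl HIGHEST is rarely legitimate.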

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\Desktop\nyMr9D3bkD\b9RCiDQEqT.exe

    Filesize

    1.1MB

    MD5

    5617f3c2904f7376fc9b8da1e98ec8db

    SHA1

    0b46078d6f0ecda18a52346ffdc59ebe37711548

    SHA256

    adb05152e06fe820ad357b596e359c8a6f219f1024393d2168fba4b497b7df04

    SHA512

    56a3a647fec403a0512afb1b5dd5ac89482f9c916bdebabc98db550950f77dbd0aaf544b4014c008b460de4f84d8f2bae8fe02147a461d08cf01115272ccb008

  • C:\Users\Admin\Desktop\nyMr9D3bkD\krampus more like kracked.exe

    Filesize

    3.1MB

    MD5

    236ce233b606ae8a5c0d9718c41e1025

    SHA1

    391cbbda35a59fcda95e751bb9398bb86db904b9

    SHA256

    49376d9766f6944866c5d917905a57b9e41bf100457fd3d9b389f6c3c0abbb92

    SHA512

    1bdf7f4ae94f4a3b82fcaafc8a5bd2187e00ad466793481e59dfe90afee2e5730e59e49d009d629930b903a44d11e029120fa5e8203e0ea8b1ab2496b7a1e793

  • memory/2840-21-0x000000001C4E0000-0x000000001C592000-memory.dmp

    Filesize

    712KB

  • memory/2840-17-0x00007FFEDA580000-0x00007FFEDB042000-memory.dmp

    Filesize

    10.8MB

  • memory/2840-18-0x0000000001380000-0x0000000001390000-memory.dmp

    Filesize

    64KB

  • memory/2840-20-0x0000000002D40000-0x0000000002D90000-memory.dmp

    Filesize

    320KB

  • memory/2840-23-0x00007FFEDA580000-0x00007FFEDB042000-memory.dmp

    Filesize

    10.8MB

  • memory/2840-24-0x0000000001380000-0x0000000001390000-memory.dmp

    Filesize

    64KB

  • memory/2840-25-0x000000001CE20000-0x000000001D348000-memory.dmp

    Filesize

    5.2MB

  • memory/3056-9-0x00007FFEDA580000-0x00007FFEDB042000-memory.dmp

    Filesize

    10.8MB

  • memory/3056-16-0x00007FFEDA580000-0x00007FFEDB042000-memory.dmp

    Filesize

    10.8MB

  • memory/3056-10-0x000000001B2A0000-0x000000001B2B0000-memory.dmp

    Filesize

    64KB

  • memory/3056-8-0x00000000001F0000-0x000000000051C000-memory.dmp

    Filesize

    3.2MB