Analysis

max time kernel: 431s
max time network: 1156s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 30/03/2024, 10:22

Behavioral task: behavioral1
Sample: nyMr9D3bkD.rar
Resource: win11-20240221-en

Behavioral task: behavioral2
Sample: nyMr9D3bkD/b9RCiDQEqT.exe
Resource: win11-20240221-en

Behavioral task: behavioral3
Sample: nyMr9D3bkD/krampus more like kracked.exe
Resource: win11-20240221-en
General

Target: nyMr9D3bkD/krampus more like kracked.exe
Size: 3.1MB
MD5: 236ce233b606ae8a5c0d9718c41e1025
SHA1: 391cbbda35a59fcda95e751bb9398bb86db904b9
SHA256: 49376d9766f6944866c5d917905a57b9e41bf100457fd3d9b389f6c3c0abbb92
SHA512: 1bdf7f4ae94f4a3b82fcaafc8a5bd2187e00ad466793481e59dfe90afee2e5730e59e49d009d629930b903a44d11e029120fa5e8203e0ea8b1ab2496b7a1e793
SSDEEP: 49152:MvIt62XlaSFNWPjljiFa2RoUYItsHGmzJLoGd0R1THHB72eh2NT:MvE62XlaSFNWPjljiFXRoUYItsHBkR
Malware Config

Extracted
quasar
1.4.1
nyMr9D3bkD
192.168.0.24:4782
6b2c33e5-70a8-47f8-8746-f28159049692
encryption_key: 019832365CF4EA9C63CDBF032EFC8FA4C72C6F0D
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Update
subdirectory: SubDir
Signatures

Quasar payload (1 IoC)
resource: behavioral3/memory/3572-0-0x0000000000E20000-0x000000000114C000-memory.dmp
yara_rule: family_quasar

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid: 5060, process: schtasks.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description: Token: SeDebugPrivilege, pid: 3572, process: krampus more like kracked.exe

Suspicious use of WriteProcessMemory (2 IoCs)
description: PID 3572 wrote to memory of 5060, pid: 3572, process: krampus more like kracked.exe, procid_target: 80
description: PID 3572 wrote to memory of 5060, pid: 3572, process: krampus more like kracked.exe, procid_target: 80

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\nyMr9D3bkD\krampus more like kracked.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\nyMr9D3bkD\krampus more like kracked.exe"
  PID: 3572
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SYSTEM32\schtasks.exe
    command line: "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID: 5060
    - Creates scheduled task(s)