Analysis Overview
SHA256
ca46530a37639b1994d97ebe3b47d002247dc87b98f15401f4b0356a56bfc94d
Threat Level: Known bad
The file nyMr9D3bkD.rar was found to be: Known bad.
Malicious Activity Summary
Quasar payload
Quasar RAT
Quasar family
Executes dropped EXE
Enumerates physical storage devices
Unsigned PE
Uses Task Scheduler COM API
Suspicious use of FindShellTrayWindow
Creates scheduled task(s)
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-30 10:22
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-30 10:22
Reported
2024-03-30 10:54
Platform
win11-20240221-en
Max time kernel
1789s
Max time network
1802s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\nyMr9D3bkD\krampus more like kracked.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\nyMr9D3bkD\b9RCiDQEqT.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\nyMr9D3bkD\krampus more like kracked.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\nyMr9D3bkD.rar
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\nyMr9D3bkD.rar"
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\nyMr9D3bkD\krampus more like kracked.exe
"C:\Users\Admin\Desktop\nyMr9D3bkD\krampus more like kracked.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\Desktop\nyMr9D3bkD\b9RCiDQEqT.exe
"C:\Users\Admin\Desktop\nyMr9D3bkD\b9RCiDQEqT.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | loader.live | udp |
| RU | 185.149.120.169:80 | loader.live | tcp |
| N/A | 192.168.0.24:4782 | tcp | |
| RU | 185.149.120.169:443 | loader.live | tcp |
| N/A | 127.0.0.1:49769 | tcp | |
| N/A | 127.0.0.1:49774 | tcp | |
| US | 8.8.8.8:53 | 40.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.169.19.2.in-addr.arpa | udp |
| N/A | 192.168.0.24:4782 | tcp | |
| GB | 104.86.110.106:443 | tcp | |
| US | 8.8.8.8:53 | browser.pipe.aria.microsoft.com | udp |
| US | 52.168.117.171:443 | browser.pipe.aria.microsoft.com | tcp |
| GB | 2.18.66.59:443 | www.bing.com | tcp |
| GB | 2.18.66.59:443 | www.bing.com | tcp |
| GB | 2.18.66.59:443 | www.bing.com | tcp |
| GB | 2.18.66.59:443 | www.bing.com | tcp |
| GB | 2.18.66.59:443 | www.bing.com | tcp |
| GB | 2.18.66.59:443 | www.bing.com | tcp |
| GB | 2.18.66.59:443 | www.bing.com | tcp |
| GB | 2.18.66.59:443 | www.bing.com | tcp |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp | |
| N/A | 192.168.0.24:4782 | tcp |
Files
C:\Users\Admin\Desktop\nyMr9D3bkD\krampus more like kracked.exe
| MD5 | 236ce233b606ae8a5c0d9718c41e1025 |
| SHA1 | 391cbbda35a59fcda95e751bb9398bb86db904b9 |
| SHA256 | 49376d9766f6944866c5d917905a57b9e41bf100457fd3d9b389f6c3c0abbb92 |
| SHA512 | 1bdf7f4ae94f4a3b82fcaafc8a5bd2187e00ad466793481e59dfe90afee2e5730e59e49d009d629930b903a44d11e029120fa5e8203e0ea8b1ab2496b7a1e793 |
memory/3056-8-0x00000000001F0000-0x000000000051C000-memory.dmp
memory/3056-10-0x000000001B2A0000-0x000000001B2B0000-memory.dmp
memory/3056-9-0x00007FFEDA580000-0x00007FFEDB042000-memory.dmp
memory/3056-16-0x00007FFEDA580000-0x00007FFEDB042000-memory.dmp
memory/2840-17-0x00007FFEDA580000-0x00007FFEDB042000-memory.dmp
memory/2840-18-0x0000000001380000-0x0000000001390000-memory.dmp
C:\Users\Admin\Desktop\nyMr9D3bkD\b9RCiDQEqT.exe
| MD5 | 5617f3c2904f7376fc9b8da1e98ec8db |
| SHA1 | 0b46078d6f0ecda18a52346ffdc59ebe37711548 |
| SHA256 | adb05152e06fe820ad357b596e359c8a6f219f1024393d2168fba4b497b7df04 |
| SHA512 | 56a3a647fec403a0512afb1b5dd5ac89482f9c916bdebabc98db550950f77dbd0aaf544b4014c008b460de4f84d8f2bae8fe02147a461d08cf01115272ccb008 |
memory/2840-20-0x0000000002D40000-0x0000000002D90000-memory.dmp
memory/2840-21-0x000000001C4E0000-0x000000001C592000-memory.dmp
memory/2840-23-0x00007FFEDA580000-0x00007FFEDB042000-memory.dmp
memory/2840-24-0x0000000001380000-0x0000000001390000-memory.dmp
memory/2840-25-0x000000001CE20000-0x000000001D348000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-30 10:22
Reported
2024-03-30 10:54
Platform
win11-20240221-en
Max time kernel
447s
Max time network
1172s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\nyMr9D3bkD\b9RCiDQEqT.exe
"C:\Users\Admin\AppData\Local\Temp\nyMr9D3bkD\b9RCiDQEqT.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | loader.live | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| RU | 185.149.120.169:80 | loader.live | tcp |
| RU | 185.149.120.169:443 | loader.live | tcp |
| N/A | 127.0.0.1:49756 | tcp | |
| N/A | 127.0.0.1:49759 | tcp | |
| US | 8.8.8.8:53 | 32.169.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.143.101.95.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-03-30 10:22
Reported
2024-03-30 10:54
Platform
win11-20240221-en
Max time kernel
431s
Max time network
1156s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nyMr9D3bkD\krampus more like kracked.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3572 wrote to memory of 5060 | N/A | C:\Users\Admin\AppData\Local\Temp\nyMr9D3bkD\krampus more like kracked.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 3572 wrote to memory of 5060 | N/A | C:\Users\Admin\AppData\Local\Temp\nyMr9D3bkD\krampus more like kracked.exe | C:\Windows\SYSTEM32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\nyMr9D3bkD\krampus more like kracked.exe
"C:\Users\Admin\AppData\Local\Temp\nyMr9D3bkD\krampus more like kracked.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
Files
memory/3572-0-0x0000000000E20000-0x000000000114C000-memory.dmp
memory/3572-1-0x00007FFF05740000-0x00007FFF06202000-memory.dmp
memory/3572-2-0x000000001BD60000-0x000000001BD70000-memory.dmp
memory/3572-4-0x00007FFF05740000-0x00007FFF06202000-memory.dmp
memory/3572-5-0x000000001BD60000-0x000000001BD70000-memory.dmp