Analysis
- max time kernel: 150s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 17-12-2024 06:32
Behavioral tasks
- behavioral1: sample fud2.exe, resource win7-20240903-en
- behavioral2: sample fud2.exe, resource win10v2004-20241007-en
General
- Target: fud2.exe
- Size: 3.2MB
- MD5: 3dc1d39a2ebeb5dc85da7e8c3d6e3aaa
- SHA1: 4cfcddc23cc0949ca620474edef6c82a2c2280d3
- SHA256: 5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4
- SHA512: 77dfdb50b408c3e88a18b0aae3eac9e2001f6041b406aef2d298e35cf49b51d921afeb5526930a44dc4e12294cd31c3f9fed74871c8bb0e9989e6a912131a65a
- SSDEEP: 49152:tkvXI22SsaNYfdPBldt698dBcjHIGRJ6ybR3LoGdJTHHB72eh2NTC:OvY22SsaNYfdPBldt6+dBcjHIGRJ6sZ
Malware Config
Extracted (Quasar client settings)
- family: quasar
- version: 1.4.1
- botnet/tag: hacked-fud1
- C2: 192.168.100.10:1412
- mutex: a685d3ed-d174-40b7-9655-c2bfab3ed130
- encryption_key: 2A5F3DAC380078962166175BD172DE2D4AA07E26
- install_name: fud2.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Microsoft Service
- subdirectory: SubDir
Signatures

- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  - Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: svchost.exe)
  - Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)

- Quasar family

- Quasar payload (3 IoCs), YARA rule family_quasar matched on:
  - behavioral1/files/0x0006000000018687-6.dat
  - behavioral1/memory/2776-11-0x0000000001230000-0x0000000001554000-memory.dmp
  - behavioral1/files/0x0007000000018c1a-54.dat

- Executes dropped EXE (8 IoCs)
  - pid/process: 2776 fud2.exe, 2388 icsys.icn.exe, 2712 explorer.exe, 2560 spoolsv.exe, 2224 svchost.exe, 2080 fud2.exe, 2212 spoolsv.exe, 1964 explorer.exe

- Loads dropped DLL (7 IoCs)
  - pid/process: 2172 fud2.exe (x2), 2388 icsys.icn.exe, 2712 explorer.exe, 2560 spoolsv.exe, 2224 svchost.exe, 2080 fud2.exe

- Adds Run key to start application (2 TTPs, 4 IoCs)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (process: explorer.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (process: explorer.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (process: svchost.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (process: svchost.exe)

- Drops file in System32 directory (5 IoCs)
  - File created C:\Windows\system32\SubDir\fud2.exe (process: fud2.exe)
  - File opened for modification C:\Windows\system32\SubDir\fud2.exe (process: fud2.exe)
  - File opened for modification C:\Windows\system32\SubDir (process: fud2.exe)
  - File opened for modification C:\Windows\SysWOW64\explorer.exe (process: explorer.exe)
  - File opened for modification C:\Windows\SysWOW64\explorer.exe (process: svchost.exe)

- Drops file in Windows directory (5 IoCs)
  - File opened for modification \??\c:\windows\resources\svchost.exe (process: spoolsv.exe)
  - File opened for modification C:\Windows\Resources\tjud.exe (process: explorer.exe)
  - File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe (process: fud2.exe)
  - File opened for modification \??\c:\windows\resources\themes\explorer.exe (process: icsys.icn.exe)
  - File opened for modification \??\c:\windows\resources\spoolsv.exe (process: explorer.exe)

- System Location Discovery: System Language Discovery (1 TTPs, 11 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: svchost.exe (x1), spoolsv.exe (x2), schtasks.exe (x3), explorer.exe (x2), icsys.icn.exe (x1), fud2.exe (x2)

- Scheduled Task/Job: Scheduled Task (1 TTPs, 4 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - pid/process: 2360 schtasks.exe, 2320 schtasks.exe, 1844 schtasks.exe, 1352 schtasks.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - pid/process: 2172 fud2.exe (x16), 2388 icsys.icn.exe (x17), 2712 explorer.exe (x16), 2224 svchost.exe (x15)

- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  - pid/process: 2712 explorer.exe, 2224 svchost.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  - Token: SeDebugPrivilege, pid/process: 2776 fud2.exe

- Suspicious use of SetWindowsHookEx (16 IoCs)
  - pid/process (each twice): 2172 fud2.exe, 2388 icsys.icn.exe, 2712 explorer.exe, 2560 spoolsv.exe, 2224 svchost.exe, 2080 fud2.exe, 2212 spoolsv.exe, 1964 explorer.exe

- Suspicious use of WriteProcessMemory (51 IoCs)
  Source pid/process -> target pid (procid_target), number of write events:
  - 2172 fud2.exe -> 2776 (30), x4
  - 2776 fud2.exe -> 2360 (31), x3
  - 2172 fud2.exe -> 2388 (33), x4
  - 2388 icsys.icn.exe -> 2712 (34), x4
  - 2712 explorer.exe -> 2560 (35), x4
  - 2560 spoolsv.exe -> 2224 (36), x4
  - 2776 fud2.exe -> 2080 (37), x4
  - 2224 svchost.exe -> 2212 (38), x4
  - 2080 fud2.exe -> 1964 (39), x4
  - 2712 explorer.exe -> 2340 (40), x4
  - 2224 svchost.exe -> 2320 (41), x4
  - 2224 svchost.exe -> 1844 (44), x4
  - 2224 svchost.exe -> 1352 (46), x4

- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; depth in brackets, command line in quotes)

- [1] C:\Users\Admin\AppData\Local\Temp\fud2.exe, PID 2172
  command line: "C:\Users\Admin\AppData\Local\Temp\fud2.exe"
  signatures: Loads dropped DLL; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - [2] \??\c:\users\admin\appdata\local\temp\fud2.exe, PID 2776
    command line: c:\users\admin\appdata\local\temp\fud2.exe
    signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\schtasks.exe, PID 2360
      command line: "schtasks" /create /tn "Microsoft Service" /sc ONLOGON /tr "C:\Windows\system32\SubDir\fud2.exe" /rl HIGHEST /f
      signatures: Scheduled Task/Job: Scheduled Task
    - [3] C:\Windows\system32\SubDir\fud2.exe, PID 2080
      command line: "C:\Windows\system32\SubDir\fud2.exe"
      signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - [4] \??\c:\windows\resources\themes\explorer.exe, PID 1964
        command line: c:\windows\resources\themes\explorer.exe
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - [2] C:\Windows\Resources\Themes\icsys.icn.exe, PID 2388
    command line: C:\Windows\Resources\Themes\icsys.icn.exe
    signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - [3] \??\c:\windows\resources\themes\explorer.exe, PID 2712
      command line: c:\windows\resources\themes\explorer.exe
      signatures: Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in System32 directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - [4] \??\c:\windows\resources\spoolsv.exe, PID 2560
        command line: c:\windows\resources\spoolsv.exe SE
        signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - [5] \??\c:\windows\resources\svchost.exe, PID 2224
          command line: c:\windows\resources\svchost.exe
          signatures: Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          - [6] \??\c:\windows\resources\spoolsv.exe, PID 2212
            command line: c:\windows\resources\spoolsv.exe PR
            signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
          - [6] C:\Windows\SysWOW64\schtasks.exe, PID 2320
            command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:34 /f
            signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
          - [6] C:\Windows\SysWOW64\schtasks.exe, PID 1844
            command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:35 /f
            signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
          - [6] C:\Windows\SysWOW64\schtasks.exe, PID 1352
            command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:36 /f
            signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
      - [4] C:\Windows\Explorer.exe, PID 2340
        command line: C:\Windows\Explorer.exe
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
- Defense Evasion
  - Hide Artifacts (1)
    - Hidden Files and Directories (1)
  - Modify Registry (2)
Downloads