Analysis

  • max time kernel
    150s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    17-12-2024 06:32

General

  • Target

    fud2.exe

  • Size

    3.2MB

  • MD5

    3dc1d39a2ebeb5dc85da7e8c3d6e3aaa

  • SHA1

    4cfcddc23cc0949ca620474edef6c82a2c2280d3

  • SHA256

    5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4

  • SHA512

    77dfdb50b408c3e88a18b0aae3eac9e2001f6041b406aef2d298e35cf49b51d921afeb5526930a44dc4e12294cd31c3f9fed74871c8bb0e9989e6a912131a65a

  • SSDEEP

    49152:tkvXI22SsaNYfdPBldt698dBcjHIGRJ6ybR3LoGdJTHHB72eh2NTC:OvY22SsaNYfdPBldt6+dBcjHIGRJ6sZ

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

hacked-fud1

C2

192.168.100.10:1412

Mutex

a685d3ed-d174-40b7-9655-c2bfab3ed130

Attributes
  • encryption_key

    2A5F3DAC380078962166175BD172DE2D4AA07E26

  • install_name

    fud2.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Microsoft Service

  • subdirectory

    SubDir

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 3 IoCs
  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 5 IoCs
  • Drops file in Windows directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\fud2.exe
    "C:\Users\Admin\AppData\Local\Temp\fud2.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2172
    • \??\c:\users\admin\appdata\local\temp\fud2.exe 
      c:\users\admin\appdata\local\temp\fud2.exe 
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2776
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "Microsoft Service" /sc ONLOGON /tr "C:\Windows\system32\SubDir\fud2.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2360
      • C:\Windows\system32\SubDir\fud2.exe
        "C:\Windows\system32\SubDir\fud2.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2080
        • \??\c:\windows\resources\themes\explorer.exe
          c:\windows\resources\themes\explorer.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1964
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2388
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2712
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2560
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visiblity of hidden/system files in Explorer
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2224
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2212
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:34 /f
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:2320
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:35 /f
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:1844
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:36 /f
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:1352
        • C:\Windows\Explorer.exe
          C:\Windows\Explorer.exe
          4⤵
            PID:2340

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Resources\Themes\explorer.exe

      Filesize

      135KB

      MD5

      f24b9fceebb9c1491147c89658c2cefc

      SHA1

      5e1d6e10e661a04e006d1c67c6ad23be27136248

      SHA256

      e6e0ae1b5c78e12de9cd8f93f1c38cbe906203d4a6db3097413e7bdd08ceb058

      SHA512

      209d4a0ffa8718fed92d0057a46ea681879b0dbe2d5f644fd00748a99f5d57649845b3fb8b2130a9971c6e005ccceadd38288a7494cb498353753e905ec841bf

    • C:\Windows\Resources\Themes\icsys.icn.exe

      Filesize

      135KB

      MD5

      dba332c1832b99f7c7d078a0082874ed

      SHA1

      f339233684c867e70ec06f09cae6f938ba7f6dd0

      SHA256

      d14ca80e7ae57bfa56b7614372feb89b5c35397451dd2c38156558b3a577c397

      SHA512

      410746bd8242436f4c8ea8700f9e4dd93270aab3dd494e539b877fcbefc76a5e9111e4de720ba3daeb21722ce568adffa347407b798fc8e87e8fa8b5b7b42482

    • C:\Windows\Resources\svchost.exe

      Filesize

      135KB

      MD5

      a655661d0a159b3225083e68f3d64ff7

      SHA1

      d3f0f88dd436ff1b5393500e6acd1722c0cfceea

      SHA256

      52ccae6d1eb190567b2a465ce19c6eb8b0df2220dcd198f8e1cfe71a769b456a

      SHA512

      9ec2d95b7231de48681304394a1b3987b2cf8abdf0d4dcffdc058903b25bb34457c6f532f06470745f84209ed477ef60a51cbb19115e2d97503678579e14dba4

    • C:\Windows\System32\SubDir\fud2.exe

      Filesize

      3.2MB

      MD5

      3dc1d39a2ebeb5dc85da7e8c3d6e3aaa

      SHA1

      4cfcddc23cc0949ca620474edef6c82a2c2280d3

      SHA256

      5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4

      SHA512

      77dfdb50b408c3e88a18b0aae3eac9e2001f6041b406aef2d298e35cf49b51d921afeb5526930a44dc4e12294cd31c3f9fed74871c8bb0e9989e6a912131a65a

    • \Users\Admin\AppData\Local\Temp\fud2.exe 

      Filesize

      3.1MB

      MD5

      f2fde7b36d929112d10c35f88597e643

      SHA1

      ecfb40c3f75cbabf3787d7cc466f4ab3e0bfb59a

      SHA256

      2a1b24e284eb329bcac58cfe90ef04e390aef10f4c0cc4eddf6077d113e5e591

      SHA512

      99dda7073d391e3ada814df8bad4f3e817adb2d274e005cedcf378d2031a3695ddd8afeecfa8ceacf9569f400b08f1dc357d4d90d72b9ba0372f267668f399df

    • \Windows\Resources\spoolsv.exe

      Filesize

      135KB

      MD5

      ca3701324f4079b9f50dd4590e6116ed

      SHA1

      53c04b66086073197940aa72e530ea40e33f8ce8

      SHA256

      854e7318406bed723bbfa4f10856abdc362abf90089656dcc095187b558332b6

      SHA512

      9432a1e737b851efee5f6f19297656b2852daa8948f5c63de72ef2d5be683702a9cf701843fc29be42d5a972c91cceb6eafb07b7b44c7ae90df1dfa2380f7845

    • memory/1964-79-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2080-78-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2080-71-0x0000000000420000-0x000000000043F000-memory.dmp

      Filesize

      124KB

    • memory/2172-0-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2172-18-0x00000000002C0000-0x00000000002DF000-memory.dmp

      Filesize

      124KB

    • memory/2172-80-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2212-75-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2224-62-0x00000000002B0000-0x00000000002CF000-memory.dmp

      Filesize

      124KB

    • memory/2224-83-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2224-84-0x00000000002B0000-0x00000000002CF000-memory.dmp

      Filesize

      124KB

    • memory/2388-81-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2388-27-0x00000000003E0000-0x00000000003FF000-memory.dmp

      Filesize

      124KB

    • memory/2560-50-0x0000000000290000-0x00000000002AF000-memory.dmp

      Filesize

      124KB

    • memory/2560-77-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2712-82-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2776-11-0x0000000001230000-0x0000000001554000-memory.dmp

      Filesize

      3.1MB

    • memory/2776-61-0x000007FEF6230000-0x000007FEF6C1C000-memory.dmp

      Filesize

      9.9MB

    • memory/2776-12-0x000007FEF6230000-0x000007FEF6C1C000-memory.dmp

      Filesize

      9.9MB

    • memory/2776-57-0x000007FEF6233000-0x000007FEF6234000-memory.dmp

      Filesize

      4KB

    • memory/2776-10-0x000007FEF6233000-0x000007FEF6234000-memory.dmp

      Filesize

      4KB