Analysis

- Max time kernel: 150s
- Max time network: 147s
- Platform: windows10-2004_x64
- Resource: win10v2004-20241007-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 17-12-2024 06:32
Behavioral tasks

| Behavioral task | Sample | Resource |
| --- | --- | --- |
| behavioral1 | fud2.exe | win7-20240903-en |
| behavioral2 | fud2.exe | win10v2004-20241007-en |
General

- Target: fud2.exe
- Size: 3.2MB
- MD5: 3dc1d39a2ebeb5dc85da7e8c3d6e3aaa
- SHA1: 4cfcddc23cc0949ca620474edef6c82a2c2280d3
- SHA256: 5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4
- SHA512: 77dfdb50b408c3e88a18b0aae3eac9e2001f6041b406aef2d298e35cf49b51d921afeb5526930a44dc4e12294cd31c3f9fed74871c8bb0e9989e6a912131a65a
- SSDEEP: 49152:tkvXI22SsaNYfdPBldt698dBcjHIGRJ6ybR3LoGdJTHHB72eh2NTC:OvY22SsaNYfdPBldt6+dBcjHIGRJ6sZ
Malware Config

Extracted

- Family: quasar
- Version: 1.4.1
- Botnet: hacked-fud1
- C2: 192.168.100.10:1412
- Mutex: a685d3ed-d174-40b7-9655-c2bfab3ed130

Attributes

- encryption_key: 2A5F3DAC380078962166175BD172DE2D4AA07E26
- install_name: fud2.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Microsoft Service
- subdirectory: SubDir
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)

| Description | IoC | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe |

Quasar family

Quasar payload (3 IoCs)

| Resource | YARA rule |
| --- | --- |
| behavioral2/files/0x0008000000023c02-7.dat | family_quasar |
| behavioral2/memory/2340-10-0x0000000000250000-0x0000000000574000-memory.dmp | family_quasar |
| behavioral2/files/0x0008000000023c04-21.dat | family_quasar |

Executes dropped EXE (8 IoCs)

| PID | Process |
| --- | --- |
| 2340 | fud2.exe |
| 3772 | icsys.icn.exe |
| 5116 | fud2.exe |
| 3100 | explorer.exe |
| 3312 | spoolsv.exe |
| 4388 | explorer.exe |
| 1816 | svchost.exe |
| 1076 | spoolsv.exe |

Adds Run key to start application (2 TTPs, 4 IoCs)

| Description | IoC | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe |

Drops file in System32 directory (5 IoCs)

| Description | IoC | Process |
| --- | --- | --- |
| File opened for modification | C:\Windows\system32\SubDir\fud2.exe | fud2.exe |
| File opened for modification | C:\Windows\system32\SubDir | fud2.exe |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe |
| File created | C:\Windows\system32\SubDir\fud2.exe | fud2.exe |

Drops file in Windows directory (5 IoCs)

| Description | IoC | Process |
| --- | --- | --- |
| File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | fud2.exe |
| File opened for modification | \??\c:\windows\resources\themes\explorer.exe | icsys.icn.exe |
| File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe |
| File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe |
| File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe |

System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| Description | IoC | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fud2.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fud2.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icsys.icn.exe |

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)

Schtasks is often used by malware for persistence or to perform post-infection execution.

| PID | Process |
| --- | --- |
| 4536 | schtasks.exe |

Suspicious behavior: EnumeratesProcesses (64 IoCs)

| PID | Process |
| --- | --- |
| 4292 | fud2.exe (repeated entries) |
| 3772 | icsys.icn.exe (repeated entries) |

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)

| PID | Process |
| --- | --- |
| 3100 | explorer.exe |
| 1816 | svchost.exe |

Suspicious use of AdjustPrivilegeToken (1 IoCs)

| Description | PID | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 2340 | fud2.exe |

Suspicious use of SetWindowsHookEx (16 IoCs)

| PID | Process | Entries |
| --- | --- | --- |
| 4292 | fud2.exe | 2 |
| 3772 | icsys.icn.exe | 2 |
| 5116 | fud2.exe | 2 |
| 3100 | explorer.exe | 2 |
| 3312 | spoolsv.exe | 2 |
| 4388 | explorer.exe | 2 |
| 1816 | svchost.exe | 2 |
| 1076 | spoolsv.exe | 2 |

Suspicious use of WriteProcessMemory (25 IoCs)

| Description | PID | Process | procid_target | Entries |
| --- | --- | --- | --- | --- |
| PID 4292 wrote to memory of 2340 | 4292 | fud2.exe | 82 | 2 |
| PID 2340 wrote to memory of 4536 | 2340 | fud2.exe | 83 | 2 |
| PID 4292 wrote to memory of 3772 | 4292 | fud2.exe | 85 | 3 |
| PID 2340 wrote to memory of 5116 | 2340 | fud2.exe | 86 | 3 |
| PID 3772 wrote to memory of 3100 | 3772 | icsys.icn.exe | 87 | 3 |
| PID 3100 wrote to memory of 3312 | 3100 | explorer.exe | 88 | 3 |
| PID 5116 wrote to memory of 4388 | 5116 | fud2.exe | 89 | 3 |
| PID 3312 wrote to memory of 1816 | 3312 | spoolsv.exe | 90 | 3 |
| PID 1816 wrote to memory of 1076 | 1816 | svchost.exe | 91 | 3 |

Uses Task Scheduler COM API (1 TTPs)

The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Process tree (depth shown by indentation; the command line is listed under each image path):

- C:\Users\Admin\AppData\Local\Temp\fud2.exe (PID 4292)
  - Command line: "C:\Users\Admin\AppData\Local\Temp\fud2.exe"
  - Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - \??\c:\users\admin\appdata\local\temp\fud2.exe (PID 2340)
    - Command line: c:\users\admin\appdata\local\temp\fud2.exe
    - Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\schtasks.exe (PID 4536)
      - Command line: "schtasks" /create /tn "Microsoft Service" /sc ONLOGON /tr "C:\Windows\system32\SubDir\fud2.exe" /rl HIGHEST /f
      - Signatures: Scheduled Task/Job: Scheduled Task
    - C:\Windows\system32\SubDir\fud2.exe (PID 5116)
      - Command line: "C:\Windows\system32\SubDir\fud2.exe"
      - Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - \??\c:\windows\resources\themes\explorer.exe (PID 4388)
        - Command line: c:\windows\resources\themes\explorer.exe
        - Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - C:\Windows\Resources\Themes\icsys.icn.exe (PID 3772)
    - Command line: C:\Windows\Resources\Themes\icsys.icn.exe
    - Signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - \??\c:\windows\resources\themes\explorer.exe (PID 3100)
      - Command line: c:\windows\resources\themes\explorer.exe
      - Signatures: Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - \??\c:\windows\resources\spoolsv.exe (PID 3312)
        - Command line: c:\windows\resources\spoolsv.exe SE
        - Signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - \??\c:\windows\resources\svchost.exe (PID 1816)
          - Command line: c:\windows\resources\svchost.exe
          - Signatures: Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          - \??\c:\windows\resources\spoolsv.exe (PID 1076)
            - Command line: c:\windows\resources\spoolsv.exe PR
            - Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
Network

MITRE ATT&CK Enterprise v15

| Tactic | Technique | Count | Sub-technique | Count |
| --- | --- | --- | --- | --- |
| Persistence | Boot or Logon Autostart Execution | 1 | Registry Run Keys / Startup Folder | 1 |
| Persistence | Scheduled Task/Job | 1 | Scheduled Task | 1 |
| Privilege Escalation | Boot or Logon Autostart Execution | 1 | Registry Run Keys / Startup Folder | 1 |
| Privilege Escalation | Scheduled Task/Job | 1 | Scheduled Task | 1 |
| Defense Evasion | Hide Artifacts | 1 | Hidden Files and Directories | 1 |
| Defense Evasion | Modify Registry | 2 | | |
Downloads

- Filesize: 3.1MB
  - MD5: f2fde7b36d929112d10c35f88597e643
  - SHA1: ecfb40c3f75cbabf3787d7cc466f4ab3e0bfb59a
  - SHA256: 2a1b24e284eb329bcac58cfe90ef04e390aef10f4c0cc4eddf6077d113e5e591
  - SHA512: 99dda7073d391e3ada814df8bad4f3e817adb2d274e005cedcf378d2031a3695ddd8afeecfa8ceacf9569f400b08f1dc357d4d90d72b9ba0372f267668f399df
- Filesize: 135KB
  - MD5: 26d245792619fd68395955060531ad2d
  - SHA1: 5f8c5fb0d79b75b43109f4c318d34009972c6ab9
  - SHA256: aabc14ad0e63c7b2f960a05501d311c12f13cc7b517ba1bffaa51ce31249464e
  - SHA512: ebc901be69354758294d47f7ed7d8eb77de3bd261520052e7d39b2f1aa2c52242cd63b5c536ae420080a0ccd090097c7c88e2e839b11a020409bdf4ef1b89e9a
- Filesize: 135KB
  - MD5: dba332c1832b99f7c7d078a0082874ed
  - SHA1: f339233684c867e70ec06f09cae6f938ba7f6dd0
  - SHA256: d14ca80e7ae57bfa56b7614372feb89b5c35397451dd2c38156558b3a577c397
  - SHA512: 410746bd8242436f4c8ea8700f9e4dd93270aab3dd494e539b877fcbefc76a5e9111e4de720ba3daeb21722ce568adffa347407b798fc8e87e8fa8b5b7b42482
- Filesize: 135KB
  - MD5: 9908fc04a5f47f0528acae777c18e744
  - SHA1: c2e8b73b90bdd38b89fc39b2237c7e0a1d9d099e
  - SHA256: d64fea72d5b73b80effe9505a8cfc80f1bd4b5bd840a6b03f6d7fa27cd599b4a
  - SHA512: 0b23564909f0c59f788fbbbcd509039279959e3832f7a696a7a0bbfbe1e67b362195de33037edd372102212cb151e0121a624bf302b3bcde05ddbae7d064a7e9
- Filesize: 135KB
  - MD5: 51c2035fd6d40d382b3fa08b6578d504
  - SHA1: ae4c51bac9fedbac69454552a868d5ff7234d9c5
  - SHA256: edf7c9e669684d4a574b3bb83cf9751a9c8cd8bda037ecebd2dcd076864659b2
  - SHA512: 82a29a87439c6578f8a0f70ee3ad2766fb154b1b06e5b25d3669891f4177e2cee0e1fdd6e7806e8677979318f453e5ba92c9963182dbfe0e520cd6619943c443
- Filesize: 3.2MB
  - MD5: 3dc1d39a2ebeb5dc85da7e8c3d6e3aaa
  - SHA1: 4cfcddc23cc0949ca620474edef6c82a2c2280d3
  - SHA256: 5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4
  - SHA512: 77dfdb50b408c3e88a18b0aae3eac9e2001f6041b406aef2d298e35cf49b51d921afeb5526930a44dc4e12294cd31c3f9fed74871c8bb0e9989e6a912131a65a