Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-12-2024 06:32

General

  • Target

    fud2.exe

  • Size

    3.2MB

  • MD5

    3dc1d39a2ebeb5dc85da7e8c3d6e3aaa

  • SHA1

    4cfcddc23cc0949ca620474edef6c82a2c2280d3

  • SHA256

    5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4

  • SHA512

    77dfdb50b408c3e88a18b0aae3eac9e2001f6041b406aef2d298e35cf49b51d921afeb5526930a44dc4e12294cd31c3f9fed74871c8bb0e9989e6a912131a65a

  • SSDEEP

    49152:tkvXI22SsaNYfdPBldt698dBcjHIGRJ6ybR3LoGdJTHHB72eh2NTC:OvY22SsaNYfdPBldt6+dBcjHIGRJ6sZ

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

hacked-fud1

C2

192.168.100.10:1412

Mutex

a685d3ed-d174-40b7-9655-c2bfab3ed130

Attributes
  • encryption_key

    2A5F3DAC380078962166175BD172DE2D4AA07E26

  • install_name

    fud2.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Microsoft Service

  • subdirectory

    SubDir

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 3 IoCs
  • Executes dropped EXE 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 5 IoCs
  • Drops file in Windows directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\fud2.exe
    "C:\Users\Admin\AppData\Local\Temp\fud2.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4292
    • \??\c:\users\admin\appdata\local\temp\fud2.exe 
      c:\users\admin\appdata\local\temp\fud2.exe 
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2340
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Microsoft Service" /sc ONLOGON /tr "C:\Windows\system32\SubDir\fud2.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4536
      • C:\Windows\system32\SubDir\fud2.exe
        "C:\Windows\system32\SubDir\fud2.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5116
        • \??\c:\windows\resources\themes\explorer.exe
          c:\windows\resources\themes\explorer.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4388
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3772
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3100
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3312
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visiblity of hidden/system files in Explorer
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1816
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:1076

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\fud2.exe 

    Filesize

    3.1MB

    MD5

    f2fde7b36d929112d10c35f88597e643

    SHA1

    ecfb40c3f75cbabf3787d7cc466f4ab3e0bfb59a

    SHA256

    2a1b24e284eb329bcac58cfe90ef04e390aef10f4c0cc4eddf6077d113e5e591

    SHA512

    99dda7073d391e3ada814df8bad4f3e817adb2d274e005cedcf378d2031a3695ddd8afeecfa8ceacf9569f400b08f1dc357d4d90d72b9ba0372f267668f399df

  • C:\Windows\Resources\Themes\explorer.exe

    Filesize

    135KB

    MD5

    26d245792619fd68395955060531ad2d

    SHA1

    5f8c5fb0d79b75b43109f4c318d34009972c6ab9

    SHA256

    aabc14ad0e63c7b2f960a05501d311c12f13cc7b517ba1bffaa51ce31249464e

    SHA512

    ebc901be69354758294d47f7ed7d8eb77de3bd261520052e7d39b2f1aa2c52242cd63b5c536ae420080a0ccd090097c7c88e2e839b11a020409bdf4ef1b89e9a

  • C:\Windows\Resources\Themes\icsys.icn.exe

    Filesize

    135KB

    MD5

    dba332c1832b99f7c7d078a0082874ed

    SHA1

    f339233684c867e70ec06f09cae6f938ba7f6dd0

    SHA256

    d14ca80e7ae57bfa56b7614372feb89b5c35397451dd2c38156558b3a577c397

    SHA512

    410746bd8242436f4c8ea8700f9e4dd93270aab3dd494e539b877fcbefc76a5e9111e4de720ba3daeb21722ce568adffa347407b798fc8e87e8fa8b5b7b42482

  • C:\Windows\Resources\spoolsv.exe

    Filesize

    135KB

    MD5

    9908fc04a5f47f0528acae777c18e744

    SHA1

    c2e8b73b90bdd38b89fc39b2237c7e0a1d9d099e

    SHA256

    d64fea72d5b73b80effe9505a8cfc80f1bd4b5bd840a6b03f6d7fa27cd599b4a

    SHA512

    0b23564909f0c59f788fbbbcd509039279959e3832f7a696a7a0bbfbe1e67b362195de33037edd372102212cb151e0121a624bf302b3bcde05ddbae7d064a7e9

  • C:\Windows\Resources\svchost.exe

    Filesize

    135KB

    MD5

    51c2035fd6d40d382b3fa08b6578d504

    SHA1

    ae4c51bac9fedbac69454552a868d5ff7234d9c5

    SHA256

    edf7c9e669684d4a574b3bb83cf9751a9c8cd8bda037ecebd2dcd076864659b2

    SHA512

    82a29a87439c6578f8a0f70ee3ad2766fb154b1b06e5b25d3669891f4177e2cee0e1fdd6e7806e8677979318f453e5ba92c9963182dbfe0e520cd6619943c443

  • C:\Windows\System32\SubDir\fud2.exe

    Filesize

    3.2MB

    MD5

    3dc1d39a2ebeb5dc85da7e8c3d6e3aaa

    SHA1

    4cfcddc23cc0949ca620474edef6c82a2c2280d3

    SHA256

    5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4

    SHA512

    77dfdb50b408c3e88a18b0aae3eac9e2001f6041b406aef2d298e35cf49b51d921afeb5526930a44dc4e12294cd31c3f9fed74871c8bb0e9989e6a912131a65a

  • memory/1076-62-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/1816-67-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2340-10-0x0000000000250000-0x0000000000574000-memory.dmp

    Filesize

    3.1MB

  • memory/2340-9-0x00007FFC0E1E3000-0x00007FFC0E1E5000-memory.dmp

    Filesize

    8KB

  • memory/2340-35-0x00007FFC0E1E0000-0x00007FFC0ECA1000-memory.dmp

    Filesize

    10.8MB

  • memory/2340-11-0x00007FFC0E1E0000-0x00007FFC0ECA1000-memory.dmp

    Filesize

    10.8MB

  • memory/3100-66-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3312-63-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3772-64-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3772-16-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/4292-65-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/4292-0-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/4388-57-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/5116-56-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB