Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-12-2024 02:36

General

  • Target

    5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe

  • Size

    3.2MB

  • MD5

    3dc1d39a2ebeb5dc85da7e8c3d6e3aaa

  • SHA1

    4cfcddc23cc0949ca620474edef6c82a2c2280d3

  • SHA256

    5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4

  • SHA512

    77dfdb50b408c3e88a18b0aae3eac9e2001f6041b406aef2d298e35cf49b51d921afeb5526930a44dc4e12294cd31c3f9fed74871c8bb0e9989e6a912131a65a

  • SSDEEP

    49152:tkvXI22SsaNYfdPBldt698dBcjHIGRJ6ybR3LoGdJTHHB72eh2NTC:OvY22SsaNYfdPBldt6+dBcjHIGRJ6sZ

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

hacked-fud1

C2

192.168.100.10:1412

Mutex

a685d3ed-d174-40b7-9655-c2bfab3ed130

Attributes
  • encryption_key

    2A5F3DAC380078962166175BD172DE2D4AA07E26

  • install_name

    fud2.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Microsoft Service

  • subdirectory

    SubDir

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 3 IoCs
  • Executes dropped EXE 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 5 IoCs
  • Drops file in Windows directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
    "C:\Users\Admin\AppData\Local\Temp\5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3336
    • \??\c:\users\admin\appdata\local\temp\5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe 
      c:\users\admin\appdata\local\temp\5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe 
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3788
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Microsoft Service" /sc ONLOGON /tr "C:\Windows\system32\SubDir\fud2.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3384
      • C:\Windows\system32\SubDir\fud2.exe
        "C:\Windows\system32\SubDir\fud2.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4416
        • \??\c:\windows\resources\themes\explorer.exe
          c:\windows\resources\themes\explorer.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2260
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3592
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4848
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1140
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visiblity of hidden/system files in Explorer
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2508
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4716

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe 

    Filesize

    3.1MB

    MD5

    f2fde7b36d929112d10c35f88597e643

    SHA1

    ecfb40c3f75cbabf3787d7cc466f4ab3e0bfb59a

    SHA256

    2a1b24e284eb329bcac58cfe90ef04e390aef10f4c0cc4eddf6077d113e5e591

    SHA512

    99dda7073d391e3ada814df8bad4f3e817adb2d274e005cedcf378d2031a3695ddd8afeecfa8ceacf9569f400b08f1dc357d4d90d72b9ba0372f267668f399df

  • C:\Windows\Resources\Themes\explorer.exe

    Filesize

    135KB

    MD5

    f5cf3bfccd4d27bf6e232aaaf289b0da

    SHA1

    4230ddaf3dc45b2efac73806f2448471222c2578

    SHA256

    e40d0e7673b9c508e3550e6cc7f812e779fa621279d4c84569ee6073f717e729

    SHA512

    1e93891b267ef8ebd342f90a4e4a3896cf6b8c3537d912d1ae42592a307c03718e5423a03839d097aac7dda77497969e01cac9ce116985e93d69db4fb72022df

  • C:\Windows\Resources\Themes\icsys.icn.exe

    Filesize

    135KB

    MD5

    dba332c1832b99f7c7d078a0082874ed

    SHA1

    f339233684c867e70ec06f09cae6f938ba7f6dd0

    SHA256

    d14ca80e7ae57bfa56b7614372feb89b5c35397451dd2c38156558b3a577c397

    SHA512

    410746bd8242436f4c8ea8700f9e4dd93270aab3dd494e539b877fcbefc76a5e9111e4de720ba3daeb21722ce568adffa347407b798fc8e87e8fa8b5b7b42482

  • C:\Windows\Resources\spoolsv.exe

    Filesize

    135KB

    MD5

    b491264b845364622cee3fa34a7a6cf4

    SHA1

    880cc6d7a2ed64dbae0e0096c7dcb4da67649200

    SHA256

    89e0af58417f22b75522cdd9834fce3def4b06eff2ac9dfeee8200cbd9495389

    SHA512

    1acf0be7a57e5744b5bbc95f2063771571de97aaa15555d7510c6fcddd05b615f697057202c9f88af390b7501924e711d0b9518a9f4bdd82fde3651962bcec2e

  • C:\Windows\Resources\svchost.exe

    Filesize

    135KB

    MD5

    309b154628a821ab2f996bcde56da383

    SHA1

    70469c9417817b7db3fcb27812a12dc0a4beed8b

    SHA256

    758be50d67bc51e58ed815fe4e0c08db609ee2dfcb27499383ad4e967c884ed6

    SHA512

    140b7cdf0b03d4330b12e0236ad8b122a708dd1e2ab93ef29d446342acc6c897df2c7f6ca01af8297275e6e166d1e4b17cde49376fd5f7129644ff2aa833f1bd

  • C:\Windows\System32\SubDir\fud2.exe

    Filesize

    3.2MB

    MD5

    3dc1d39a2ebeb5dc85da7e8c3d6e3aaa

    SHA1

    4cfcddc23cc0949ca620474edef6c82a2c2280d3

    SHA256

    5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4

    SHA512

    77dfdb50b408c3e88a18b0aae3eac9e2001f6041b406aef2d298e35cf49b51d921afeb5526930a44dc4e12294cd31c3f9fed74871c8bb0e9989e6a912131a65a

  • memory/1140-63-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2260-46-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2508-67-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3336-65-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3336-0-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3592-16-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3592-64-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3788-9-0x00007FFC76C43000-0x00007FFC76C45000-memory.dmp

    Filesize

    8KB

  • memory/3788-32-0x00007FFC76C40000-0x00007FFC77701000-memory.dmp

    Filesize

    10.8MB

  • memory/3788-11-0x00007FFC76C40000-0x00007FFC77701000-memory.dmp

    Filesize

    10.8MB

  • memory/3788-10-0x0000000000010000-0x0000000000334000-memory.dmp

    Filesize

    3.1MB

  • memory/4416-47-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/4716-62-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/4848-66-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB