Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-12-2024 02:36
Behavioral task: behavioral1
- Sample: 5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
- Resource: win10v2004-20241007-en
General
- Target: 5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
- Size: 3.2MB
- MD5: 3dc1d39a2ebeb5dc85da7e8c3d6e3aaa
- SHA1: 4cfcddc23cc0949ca620474edef6c82a2c2280d3
- SHA256: 5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4
- SHA512: 77dfdb50b408c3e88a18b0aae3eac9e2001f6041b406aef2d298e35cf49b51d921afeb5526930a44dc4e12294cd31c3f9fed74871c8bb0e9989e6a912131a65a
- SSDEEP: 49152:tkvXI22SsaNYfdPBldt698dBcjHIGRJ6ybR3LoGdJTHHB72eh2NTC:OvY22SsaNYfdPBldt6+dBcjHIGRJ6sZ
Malware Config
Extracted
- Family: quasar
- Version: 1.4.1
- hacked-fud1
- 192.168.100.10:1412
- a685d3ed-d174-40b7-9655-c2bfab3ed130
- encryption_key: 2A5F3DAC380078962166175BD172DE2D4AA07E26
- install_name: fud2.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Microsoft Service
- subdirectory: SubDir
Signatures
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
- Set value (int): \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (svchost.exe)
Quasar family
-
Quasar payload 3 IoCs
- behavioral2/files/0x0007000000023ca5-7.dat (yara rule: family_quasar)
- behavioral2/memory/3788-10-0x0000000000010000-0x0000000000334000-memory.dmp (yara rule: family_quasar)
- behavioral2/files/0x0007000000023ca8-21.dat (yara rule: family_quasar)
Executes dropped EXE 8 IoCs
- PID 3788: 5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
- PID 3592: icsys.icn.exe
- PID 4416: fud2.exe
- PID 4848: explorer.exe
- PID 2260: explorer.exe
- PID 1140: spoolsv.exe
- PID 2508: svchost.exe
- PID 4716: spoolsv.exe
Adds Run key to start application 2 TTPs 4 IoCs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (svchost.exe)
Drops file in System32 directory 5 IoCs
- File opened for modification: C:\Windows\system32\SubDir (5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe)
- File opened for modification: C:\Windows\SysWOW64\explorer.exe (explorer.exe)
- File opened for modification: C:\Windows\SysWOW64\explorer.exe (svchost.exe)
- File created: C:\Windows\system32\SubDir\fud2.exe (5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe)
- File opened for modification: C:\Windows\system32\SubDir\fud2.exe (5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe)
Drops file in Windows directory 5 IoCs
- File opened for modification: \??\c:\windows\resources\spoolsv.exe (explorer.exe)
- File opened for modification: \??\c:\windows\resources\svchost.exe (spoolsv.exe)
- File opened for modification: C:\Windows\Resources\tjud.exe (explorer.exe)
- File opened for modification: C:\Windows\Resources\Themes\icsys.icn.exe (5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe)
- File opened for modification: \??\c:\windows\resources\themes\explorer.exe (icsys.icn.exe)
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (svchost.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (spoolsv.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (icsys.icn.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (fud2.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (explorer.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (explorer.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (spoolsv.exe)
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 3384: schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
- PID 3336: 5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe (repeated entries)
- PID 3592: icsys.icn.exe (repeated entries)
(64 entries in total, all attributed to these two processes)
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
- PID 4848: explorer.exe
- PID 2508: svchost.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
- Token: SeDebugPrivilege, PID 3788: 5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
Suspicious use of SetWindowsHookEx 16 IoCs
- PID 3336: 5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe (×2)
- PID 3592: icsys.icn.exe (×2)
- PID 4416: fud2.exe (×2)
- PID 4848: explorer.exe (×2)
- PID 2260: explorer.exe (×2)
- PID 1140: spoolsv.exe (×2)
- PID 2508: svchost.exe (×2)
- PID 4716: spoolsv.exe (×2)
Suspicious use of WriteProcessMemory 25 IoCs
- PID 3336 wrote to memory of 3788 (5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe, procid_target 81) ×2
- PID 3788 wrote to memory of 3384 (5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe, procid_target 83) ×2
- PID 3336 wrote to memory of 3592 (5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe, procid_target 85) ×3
- PID 3788 wrote to memory of 4416 (5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe, procid_target 86) ×3
- PID 3592 wrote to memory of 4848 (icsys.icn.exe, procid_target 87) ×3
- PID 4416 wrote to memory of 2260 (fud2.exe, procid_target 88) ×3
- PID 4848 wrote to memory of 1140 (explorer.exe, procid_target 89) ×3
- PID 1140 wrote to memory of 2508 (spoolsv.exe, procid_target 90) ×3
- PID 2508 wrote to memory of 4716 (svchost.exe, procid_target 91) ×3
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe"
  PID: 3336
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - \??\c:\users\admin\appdata\local\temp\5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
    Command line: c:\users\admin\appdata\local\temp\5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
    PID: 3788
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\schtasks.exe
      Command line: "schtasks" /create /tn "Microsoft Service" /sc ONLOGON /tr "C:\Windows\system32\SubDir\fud2.exe" /rl HIGHEST /f
      PID: 3384
      - Scheduled Task/Job: Scheduled Task
    - C:\Windows\system32\SubDir\fud2.exe
      Command line: "C:\Windows\system32\SubDir\fud2.exe"
      PID: 4416
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\windows\resources\themes\explorer.exe
        Command line: c:\windows\resources\themes\explorer.exe
        PID: 2260
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
  - C:\Windows\Resources\Themes\icsys.icn.exe
    Command line: C:\Windows\Resources\Themes\icsys.icn.exe
    PID: 3592
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - \??\c:\windows\resources\themes\explorer.exe
      Command line: c:\windows\resources\themes\explorer.exe
      PID: 4848
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\windows\resources\spoolsv.exe
        Command line: c:\windows\resources\spoolsv.exe SE
        PID: 1140
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - \??\c:\windows\resources\svchost.exe
          Command line: c:\windows\resources\svchost.exe
          PID: 2508
          - Modifies visibility of hidden/system files in Explorer
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - \??\c:\windows\resources\spoolsv.exe
            Command line: c:\windows\resources\spoolsv.exe PR
            PID: 4716
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
- Defense Evasion
  - Hide Artifacts (1)
    - Hidden Files and Directories (1)
  - Modify Registry (2)
Downloads
- C:\Users\Admin\AppData\Local\Temp\5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
  Filesize: 3.1MB
  MD5: f2fde7b36d929112d10c35f88597e643
  SHA1: ecfb40c3f75cbabf3787d7cc466f4ab3e0bfb59a
  SHA256: 2a1b24e284eb329bcac58cfe90ef04e390aef10f4c0cc4eddf6077d113e5e591
  SHA512: 99dda7073d391e3ada814df8bad4f3e817adb2d274e005cedcf378d2031a3695ddd8afeecfa8ceacf9569f400b08f1dc357d4d90d72b9ba0372f267668f399df
- Filesize: 135KB
  MD5: f5cf3bfccd4d27bf6e232aaaf289b0da
  SHA1: 4230ddaf3dc45b2efac73806f2448471222c2578
  SHA256: e40d0e7673b9c508e3550e6cc7f812e779fa621279d4c84569ee6073f717e729
  SHA512: 1e93891b267ef8ebd342f90a4e4a3896cf6b8c3537d912d1ae42592a307c03718e5423a03839d097aac7dda77497969e01cac9ce116985e93d69db4fb72022df
- Filesize: 135KB
  MD5: dba332c1832b99f7c7d078a0082874ed
  SHA1: f339233684c867e70ec06f09cae6f938ba7f6dd0
  SHA256: d14ca80e7ae57bfa56b7614372feb89b5c35397451dd2c38156558b3a577c397
  SHA512: 410746bd8242436f4c8ea8700f9e4dd93270aab3dd494e539b877fcbefc76a5e9111e4de720ba3daeb21722ce568adffa347407b798fc8e87e8fa8b5b7b42482
- Filesize: 135KB
  MD5: b491264b845364622cee3fa34a7a6cf4
  SHA1: 880cc6d7a2ed64dbae0e0096c7dcb4da67649200
  SHA256: 89e0af58417f22b75522cdd9834fce3def4b06eff2ac9dfeee8200cbd9495389
  SHA512: 1acf0be7a57e5744b5bbc95f2063771571de97aaa15555d7510c6fcddd05b615f697057202c9f88af390b7501924e711d0b9518a9f4bdd82fde3651962bcec2e
- Filesize: 135KB
  MD5: 309b154628a821ab2f996bcde56da383
  SHA1: 70469c9417817b7db3fcb27812a12dc0a4beed8b
  SHA256: 758be50d67bc51e58ed815fe4e0c08db609ee2dfcb27499383ad4e967c884ed6
  SHA512: 140b7cdf0b03d4330b12e0236ad8b122a708dd1e2ab93ef29d446342acc6c897df2c7f6ca01af8297275e6e166d1e4b17cde49376fd5f7129644ff2aa833f1bd
- Filesize: 3.2MB
  MD5: 3dc1d39a2ebeb5dc85da7e8c3d6e3aaa
  SHA1: 4cfcddc23cc0949ca620474edef6c82a2c2280d3
  SHA256: 5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4
  SHA512: 77dfdb50b408c3e88a18b0aae3eac9e2001f6041b406aef2d298e35cf49b51d921afeb5526930a44dc4e12294cd31c3f9fed74871c8bb0e9989e6a912131a65a