bitrat | 5b5df0d2cd1454c347a973e5278c8289830383bf937afa7c26b20426617f2462

Analysis

max time kernel
151s
max time network
155s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05-09-2022 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

7.0MB
MD5

1e5e25ae0b7ae0990dfac7d92a280213
SHA1

3202d9ba9cc4a372b0b48a82b22a97fd7576b5ff
SHA256

5b5df0d2cd1454c347a973e5278c8289830383bf937afa7c26b20426617f2462
SHA512

da5982c4b95449fa0a639beda9bcd1d86bda997a56c69a2e6358ea378b54ee2b2be18030a4ac6f563669da2cda5994ceba83b3ad02a701ca4e56ce51a4d1cabb
SSDEEP

196608:7mA20NKKI/0BfjFj0U5mEqddH/qW907NKHBk/alv/bgNTtNalBMskBQFs8AbA9mv:7T20NKKI/0BfjFj0U5mEqddH/qW907NE

Score

10^/10

bitrat quasar yoworld aspackv2 persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Yoworld

anubisgod.duckdns.org:1338

Mutex

ec434dcc-84b6-4a93-9358-be83ce93fef5

Attributes

encryption_key
0411D8B9B23547F86733347B0634010F112E158F
install_name
Dlscord.exe
log_directory
DlscordLogs
reconnect_delay
3000
startup_key
Dlscord
subdirectory
Dlscord

Extracted

Family

bitrat

Version

1.38

anubisgod.duckdns.org:1440

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
install_dir
spottifyy
install_file
spottifyy.exe
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 7 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Yoworld.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Yoworld.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Yoworld.exe	family_quasar
behavioral1/memory/1656-86-0x00000000009A0000-0x0000000000C6A000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\Dlscord\Dlscord.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Dlscord\Dlscord.exe	family_quasar
behavioral1/memory/944-102-0x0000000000F90000-0x000000000125A000-memory.dmp	family_quasar

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\WgUvKD.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\WgUvKD.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe	aspack_v212_v242

Executes dropped EXE 5 IoCs

Processes:

BVGExpliot.exeBitduckspottifynew.exeWgUvKD.exeYoworld.exeDlscord.exe

pid process

1196 BVGExpliot.exe
832 Bitduckspottifynew.exe
1472 WgUvKD.exe
1656 Yoworld.exe
944 Dlscord.exe
Loads dropped DLL 7 IoCs

Processes:

cmd.execmd.execmd.exeBitduckspottifynew.exe

pid process

1872 cmd.exe
1872 cmd.exe
1704 cmd.exe
544 cmd.exe
544 cmd.exe
832 Bitduckspottifynew.exe
832 Bitduckspottifynew.exe

pid	process
1196	BVGExpliot.exe
832	Bitduckspottifynew.exe
1472	WgUvKD.exe
1656	Yoworld.exe
944	Dlscord.exe

pid	process
1872	cmd.exe
1872	cmd.exe
1704	cmd.exe
544	cmd.exe
544	cmd.exe
832	Bitduckspottifynew.exe
832	Bitduckspottifynew.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Bitduckspottifynew.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\spottifyy = "C:\\Users\\Admin\\AppData\\Local\\spottifyy\\spottifyy.exe"	Bitduckspottifynew.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

Bitduckspottifynew.exe

pid process

832 Bitduckspottifynew.exe
832 Bitduckspottifynew.exe
832 Bitduckspottifynew.exe
832 Bitduckspottifynew.exe
832 Bitduckspottifynew.exe

pid	process
832	Bitduckspottifynew.exe
832	Bitduckspottifynew.exe
832	Bitduckspottifynew.exe
832	Bitduckspottifynew.exe
832	Bitduckspottifynew.exe

Drops file in Program Files directory 64 IoCs

Processes:

WgUvKD.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateSetup.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE	WgUvKD.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Windows Mail\wab.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE	WgUvKD.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\misc.exe	WgUvKD.exe
File opened for modification	C:\Program Files\ConfirmUnlock.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XLICONS.EXE	WgUvKD.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\sidebar.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	WgUvKD.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Windows Mail\wabmig.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	WgUvKD.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	WgUvKD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

828 schtasks.exe
1760 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exeBVGExpliot.exe

pid process

1624 powershell.exe
1968 powershell.exe
1196 BVGExpliot.exe

pid	process
828	schtasks.exe
1760	schtasks.exe

pid	process
1624	powershell.exe
1968	powershell.exe
1196	BVGExpliot.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

Yoworld.exepowershell.exeBitduckspottifynew.exepowershell.exeDlscord.exeBVGExpliot.exe

description	pid	process
Token: SeDebugPrivilege	1656	Yoworld.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	832	Bitduckspottifynew.exe
Token: SeShutdownPrivilege	832	Bitduckspottifynew.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	944	Dlscord.exe
Token: SeDebugPrivilege	1196	BVGExpliot.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Bitduckspottifynew.exeDlscord.exe

pid process

832 Bitduckspottifynew.exe
832 Bitduckspottifynew.exe
944 Dlscord.exe

pid	process
832	Bitduckspottifynew.exe
832	Bitduckspottifynew.exe
944	Dlscord.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

tmp.execmd.execmd.execmd.execmd.exeBitduckspottifynew.exeYoworld.exeDlscord.exeWgUvKD.exe

description	pid	process	target process
PID 1364 wrote to memory of 1260	1364	tmp.exe	cmd.exe
PID 1364 wrote to memory of 1260	1364	tmp.exe	cmd.exe
PID 1364 wrote to memory of 1260	1364	tmp.exe	cmd.exe
PID 1364 wrote to memory of 1260	1364	tmp.exe	cmd.exe
PID 1364 wrote to memory of 820	1364	tmp.exe	cmd.exe
PID 1364 wrote to memory of 820	1364	tmp.exe	cmd.exe
PID 1364 wrote to memory of 820	1364	tmp.exe	cmd.exe
PID 1364 wrote to memory of 820	1364	tmp.exe	cmd.exe
PID 1364 wrote to memory of 1872	1364	tmp.exe	cmd.exe
PID 1364 wrote to memory of 1872	1364	tmp.exe	cmd.exe
PID 1364 wrote to memory of 1872	1364	tmp.exe	cmd.exe
PID 1364 wrote to memory of 1872	1364	tmp.exe	cmd.exe
PID 1260 wrote to memory of 1624	1260	cmd.exe	powershell.exe
PID 1260 wrote to memory of 1624	1260	cmd.exe	powershell.exe
PID 1260 wrote to memory of 1624	1260	cmd.exe	powershell.exe
PID 1260 wrote to memory of 1624	1260	cmd.exe	powershell.exe
PID 1364 wrote to memory of 544	1364	tmp.exe	cmd.exe
PID 1364 wrote to memory of 544	1364	tmp.exe	cmd.exe
PID 1364 wrote to memory of 544	1364	tmp.exe	cmd.exe
PID 1364 wrote to memory of 544	1364	tmp.exe	cmd.exe
PID 1872 wrote to memory of 1196	1872	cmd.exe	BVGExpliot.exe
PID 1872 wrote to memory of 1196	1872	cmd.exe	BVGExpliot.exe
PID 1872 wrote to memory of 1196	1872	cmd.exe	BVGExpliot.exe
PID 1872 wrote to memory of 1196	1872	cmd.exe	BVGExpliot.exe
PID 1364 wrote to memory of 1704	1364	tmp.exe	cmd.exe
PID 1364 wrote to memory of 1704	1364	tmp.exe	cmd.exe
PID 1364 wrote to memory of 1704	1364	tmp.exe	cmd.exe
PID 1364 wrote to memory of 1704	1364	tmp.exe	cmd.exe
PID 1704 wrote to memory of 1656	1704	cmd.exe	Yoworld.exe
PID 1704 wrote to memory of 1656	1704	cmd.exe	Yoworld.exe
PID 1704 wrote to memory of 1656	1704	cmd.exe	Yoworld.exe
PID 1704 wrote to memory of 1656	1704	cmd.exe	Yoworld.exe
PID 544 wrote to memory of 832	544	cmd.exe	Bitduckspottifynew.exe
PID 544 wrote to memory of 832	544	cmd.exe	Bitduckspottifynew.exe
PID 544 wrote to memory of 832	544	cmd.exe	Bitduckspottifynew.exe
PID 544 wrote to memory of 832	544	cmd.exe	Bitduckspottifynew.exe
PID 832 wrote to memory of 1472	832	Bitduckspottifynew.exe	WgUvKD.exe
PID 832 wrote to memory of 1472	832	Bitduckspottifynew.exe	WgUvKD.exe
PID 832 wrote to memory of 1472	832	Bitduckspottifynew.exe	WgUvKD.exe
PID 832 wrote to memory of 1472	832	Bitduckspottifynew.exe	WgUvKD.exe
PID 1656 wrote to memory of 828	1656	Yoworld.exe	schtasks.exe
PID 1656 wrote to memory of 828	1656	Yoworld.exe	schtasks.exe
PID 1656 wrote to memory of 828	1656	Yoworld.exe	schtasks.exe
PID 1260 wrote to memory of 1968	1260	cmd.exe	powershell.exe
PID 1260 wrote to memory of 1968	1260	cmd.exe	powershell.exe
PID 1260 wrote to memory of 1968	1260	cmd.exe	powershell.exe
PID 1260 wrote to memory of 1968	1260	cmd.exe	powershell.exe
PID 1656 wrote to memory of 944	1656	Yoworld.exe	Dlscord.exe
PID 1656 wrote to memory of 944	1656	Yoworld.exe	Dlscord.exe
PID 1656 wrote to memory of 944	1656	Yoworld.exe	Dlscord.exe
PID 944 wrote to memory of 1760	944	Dlscord.exe	schtasks.exe
PID 944 wrote to memory of 1760	944	Dlscord.exe	schtasks.exe
PID 944 wrote to memory of 1760	944	Dlscord.exe	schtasks.exe
PID 1472 wrote to memory of 1576	1472	WgUvKD.exe	cmd.exe
PID 1472 wrote to memory of 1576	1472	WgUvKD.exe	cmd.exe
PID 1472 wrote to memory of 1576	1472	WgUvKD.exe	cmd.exe
PID 1472 wrote to memory of 1576	1472	WgUvKD.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\SysWOW64\cmd.exe
cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Users\Admin\AppData\Local\Temp\Trace eraser.reg
2⤵
PID:820

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Users\Admin\AppData\Local\Temp\BVGExpliot.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1872

C:\Users\Admin\AppData\Local\Temp\BVGExpliot.exe
C:\Users\Admin\AppData\Local\Temp\BVGExpliot.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Users\Admin\AppData\Roaming\Bitduckspottifynew.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:544

C:\Users\Admin\AppData\Roaming\Bitduckspottifynew.exe
C:\Users\Admin\AppData\Roaming\Bitduckspottifynew.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Users\Admin\AppData\Roaming\Yoworld.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Roaming\Yoworld.exe
C:\Users\Admin\AppData\Roaming\Yoworld.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Dlscord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Yoworld.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:828

C:\Users\Admin\AppData\Roaming\Dlscord\Dlscord.exe
"C:\Users\Admin\AppData\Roaming\Dlscord\Dlscord.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Dlscord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Dlscord\Dlscord.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1760

C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe
C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\6cb34903.bat" "
2⤵
PID:1576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6cb34903.bat

Filesize
187B

MD5
3a9590fb262e58341f78c462e5b69bce

SHA1
c9303c0a4a84d407d445f3d986ee1d1c3746e6ee

SHA256
00a6ce8ac3c50a74db9dcd02910fa193aca6a41894d531d1b2088ce0f7d5593e

SHA512
005609023945a6d7fb5f4e1dd2b546a1a4a3df2db9002361bbec46322f1f9b412a3fb81caa829e31201645f77b60d2a3bb2d6e7ea66635f65ec28d5c95820bfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\BVGExpliot.exe

Filesize
379KB

MD5
1a57ddbff38a587a70eb6b79cd2601e6

SHA1
aa72d592d8f70bd4ae1548c52faca921f57ea784

SHA256
d4de9c0be13c02b5a6efad6befb3b27c25fc3adcd1116dc05672e859a9d4e4cc

SHA512
54a91c427a112227a94fa388e0502c75f8b494e7cec42eafbea87e0c7cefdd7f546cf788fc2714a7750c1f11aad4f48be5377f394d26be9e731ca147a0d79d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BVGExpliot.exe

Filesize
379KB

MD5
1a57ddbff38a587a70eb6b79cd2601e6

SHA1
aa72d592d8f70bd4ae1548c52faca921f57ea784

SHA256
d4de9c0be13c02b5a6efad6befb3b27c25fc3adcd1116dc05672e859a9d4e4cc

SHA512
54a91c427a112227a94fa388e0502c75f8b494e7cec42eafbea87e0c7cefdd7f546cf788fc2714a7750c1f11aad4f48be5377f394d26be9e731ca147a0d79d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Roaming\Bitduckspottifynew.exe

Filesize
3.8MB

MD5
d208502b720a4c00ae55379a1adff4fe

SHA1
e2c71e9ba414e0070992a9d31e73c9203b48e876

SHA256
0872edd378b3fe1c0f7f5754b8716306291632836040f888bdf1ef87e4d512b4

SHA512
a3295a755d0134246ce726a17b332ab844c4e54a0ac1c30c5ee24d17f20319422bfb1d20a22a8c70cb4b88e3758ae47ca6a1ae40d7d80819b0f3aab922a65363

Download Submit
C:\Users\Admin\AppData\Roaming\Bitduckspottifynew.exe

Filesize
3.8MB

MD5
d208502b720a4c00ae55379a1adff4fe

SHA1
e2c71e9ba414e0070992a9d31e73c9203b48e876

SHA256
0872edd378b3fe1c0f7f5754b8716306291632836040f888bdf1ef87e4d512b4

SHA512
a3295a755d0134246ce726a17b332ab844c4e54a0ac1c30c5ee24d17f20319422bfb1d20a22a8c70cb4b88e3758ae47ca6a1ae40d7d80819b0f3aab922a65363

Download Submit
C:\Users\Admin\AppData\Roaming\Dlscord\Dlscord.exe

Filesize
2.8MB

MD5
8df0a6df45fc592b75ac6b99b2093c88

SHA1
63b0688d48a9fb81a87d81d4a523854428a526af

SHA256
82c6a9a76749761515dc8bc59f127a6b5f3155f8cb4c79dd378478483623c587

SHA512
f5360f6aaccdf31362327707bf6f337611ac22fb0a7f4fe279f8ec023fb5939dca8fabacd2fd9354197e9d99e5d9fe1f90025302e6f08301fb5df2cbfc81a9db

Download Submit
C:\Users\Admin\AppData\Roaming\Dlscord\Dlscord.exe

Filesize
2.8MB

MD5
8df0a6df45fc592b75ac6b99b2093c88

SHA1
63b0688d48a9fb81a87d81d4a523854428a526af

SHA256
82c6a9a76749761515dc8bc59f127a6b5f3155f8cb4c79dd378478483623c587

SHA512
f5360f6aaccdf31362327707bf6f337611ac22fb0a7f4fe279f8ec023fb5939dca8fabacd2fd9354197e9d99e5d9fe1f90025302e6f08301fb5df2cbfc81a9db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
fa4bca3a2376fd09d9e71cc304210fad

SHA1
a830decfe81cab1c96d9b2b29adc71cb216f30e1

SHA256
943a2afa00e55e2de06a7955c98d4df9ded2fa8dbf6a9779ce8114a3d7c799e6

SHA512
0d007649db3adfe38fd2255c2cc40a3e046affe364bddf0afd65305a0b3b127ea373a693c79f657ec9228478ea84c7fba6afa158ef72ca3245ee979bd910d718

Download Submit
C:\Users\Admin\AppData\Roaming\Yoworld.exe

Filesize
2.8MB

MD5
8df0a6df45fc592b75ac6b99b2093c88

SHA1
63b0688d48a9fb81a87d81d4a523854428a526af

SHA256
82c6a9a76749761515dc8bc59f127a6b5f3155f8cb4c79dd378478483623c587

SHA512
f5360f6aaccdf31362327707bf6f337611ac22fb0a7f4fe279f8ec023fb5939dca8fabacd2fd9354197e9d99e5d9fe1f90025302e6f08301fb5df2cbfc81a9db

Download Submit
C:\Users\Admin\AppData\Roaming\Yoworld.exe

Filesize
2.8MB

MD5
8df0a6df45fc592b75ac6b99b2093c88

SHA1
63b0688d48a9fb81a87d81d4a523854428a526af

SHA256
82c6a9a76749761515dc8bc59f127a6b5f3155f8cb4c79dd378478483623c587

SHA512
f5360f6aaccdf31362327707bf6f337611ac22fb0a7f4fe279f8ec023fb5939dca8fabacd2fd9354197e9d99e5d9fe1f90025302e6f08301fb5df2cbfc81a9db

Download Submit
\Users\Admin\AppData\Local\Temp\BVGExpliot.exe

Filesize
379KB

MD5
1a57ddbff38a587a70eb6b79cd2601e6

SHA1
aa72d592d8f70bd4ae1548c52faca921f57ea784

SHA256
d4de9c0be13c02b5a6efad6befb3b27c25fc3adcd1116dc05672e859a9d4e4cc

SHA512
54a91c427a112227a94fa388e0502c75f8b494e7cec42eafbea87e0c7cefdd7f546cf788fc2714a7750c1f11aad4f48be5377f394d26be9e731ca147a0d79d8c

Download Submit
\Users\Admin\AppData\Local\Temp\BVGExpliot.exe

Filesize
379KB

MD5
1a57ddbff38a587a70eb6b79cd2601e6

SHA1
aa72d592d8f70bd4ae1548c52faca921f57ea784

SHA256
d4de9c0be13c02b5a6efad6befb3b27c25fc3adcd1116dc05672e859a9d4e4cc

SHA512
54a91c427a112227a94fa388e0502c75f8b494e7cec42eafbea87e0c7cefdd7f546cf788fc2714a7750c1f11aad4f48be5377f394d26be9e731ca147a0d79d8c

Download Submit
\Users\Admin\AppData\Local\Temp\WgUvKD.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
\Users\Admin\AppData\Local\Temp\WgUvKD.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
\Users\Admin\AppData\Roaming\Bitduckspottifynew.exe

Filesize
3.8MB

MD5
d208502b720a4c00ae55379a1adff4fe

SHA1
e2c71e9ba414e0070992a9d31e73c9203b48e876

SHA256
0872edd378b3fe1c0f7f5754b8716306291632836040f888bdf1ef87e4d512b4

SHA512
a3295a755d0134246ce726a17b332ab844c4e54a0ac1c30c5ee24d17f20319422bfb1d20a22a8c70cb4b88e3758ae47ca6a1ae40d7d80819b0f3aab922a65363

Download Submit
\Users\Admin\AppData\Roaming\Bitduckspottifynew.exe

Filesize
3.8MB

MD5
d208502b720a4c00ae55379a1adff4fe

SHA1
e2c71e9ba414e0070992a9d31e73c9203b48e876

SHA256
0872edd378b3fe1c0f7f5754b8716306291632836040f888bdf1ef87e4d512b4

SHA512
a3295a755d0134246ce726a17b332ab844c4e54a0ac1c30c5ee24d17f20319422bfb1d20a22a8c70cb4b88e3758ae47ca6a1ae40d7d80819b0f3aab922a65363

Download Submit
\Users\Admin\AppData\Roaming\Yoworld.exe

Filesize
2.8MB

MD5
8df0a6df45fc592b75ac6b99b2093c88

SHA1
63b0688d48a9fb81a87d81d4a523854428a526af

SHA256
82c6a9a76749761515dc8bc59f127a6b5f3155f8cb4c79dd378478483623c587

SHA512
f5360f6aaccdf31362327707bf6f337611ac22fb0a7f4fe279f8ec023fb5939dca8fabacd2fd9354197e9d99e5d9fe1f90025302e6f08301fb5df2cbfc81a9db

Download Submit
memory/544-59-0x0000000000000000-mapping.dmp

Download
memory/820-58-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/820-55-0x0000000000000000-mapping.dmp

Download
memory/828-92-0x0000000000000000-mapping.dmp

Download
memory/832-85-0x0000000000DB0000-0x0000000000DB9000-memory.dmp

Filesize
36KB

Download
memory/832-94-0x00000000003E0000-0x00000000003EA000-memory.dmp

Filesize
40KB

Download
memory/832-114-0x0000000000DB0000-0x0000000000DB9000-memory.dmp

Filesize
36KB

Download
memory/832-96-0x00000000003E0000-0x00000000003EA000-memory.dmp

Filesize
40KB

Download
memory/832-72-0x0000000000000000-mapping.dmp

Download
memory/832-83-0x0000000000400000-0x00000000007D3000-memory.dmp

Filesize
3.8MB

Download
memory/832-113-0x00000000003E0000-0x00000000003EA000-memory.dmp

Filesize
40KB

Download
memory/832-87-0x0000000000DB0000-0x0000000000DB9000-memory.dmp

Filesize
36KB

Download
memory/832-112-0x00000000003E0000-0x00000000003EA000-memory.dmp

Filesize
40KB

Download
memory/832-111-0x0000000000400000-0x00000000007D3000-memory.dmp

Filesize
3.8MB

Download
memory/944-99-0x0000000000000000-mapping.dmp

Download
memory/944-102-0x0000000000F90000-0x000000000125A000-memory.dmp

Filesize
2.8MB

Download
memory/1196-89-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp

Filesize
8KB

Download
memory/1196-110-0x0000000000F56000-0x0000000000F75000-memory.dmp

Filesize
124KB

Download
memory/1196-84-0x0000000001000000-0x0000000001066000-memory.dmp

Filesize
408KB

Download
memory/1196-63-0x0000000000000000-mapping.dmp

Download
memory/1260-54-0x0000000000000000-mapping.dmp

Download
memory/1472-88-0x0000000000DB0000-0x0000000000DB9000-memory.dmp

Filesize
36KB

Download
memory/1472-76-0x0000000000000000-mapping.dmp

Download
memory/1472-108-0x0000000000DB0000-0x0000000000DB9000-memory.dmp

Filesize
36KB

Download
memory/1576-107-0x0000000000000000-mapping.dmp

Download
memory/1624-93-0x0000000073C30000-0x00000000741DB000-memory.dmp

Filesize
5.7MB

Download
memory/1624-91-0x0000000073C30000-0x00000000741DB000-memory.dmp

Filesize
5.7MB

Download
memory/1624-57-0x0000000000000000-mapping.dmp

Download
memory/1656-68-0x0000000000000000-mapping.dmp

Download
memory/1656-86-0x00000000009A0000-0x0000000000C6A000-memory.dmp

Filesize
2.8MB

Download
memory/1704-65-0x0000000000000000-mapping.dmp

Download
memory/1760-106-0x0000000000000000-mapping.dmp

Download
memory/1872-56-0x0000000000000000-mapping.dmp

Download
memory/1968-105-0x0000000073420000-0x00000000739CB000-memory.dmp

Filesize
5.7MB

Download
memory/1968-104-0x0000000073420000-0x00000000739CB000-memory.dmp

Filesize
5.7MB

Download
memory/1968-95-0x0000000000000000-mapping.dmp

Download