bitrat | cdc6aef29d300c937b80abade4022803e565f3895b697dbcddc11fe36e19d0f5

Analysis

max time kernel
150s
max time network
157s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
22-09-2022 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

7.0MB
MD5

90d11bc40e17839b51fcf6a2f0aebb12
SHA1

66139f98aa2efbde94c5a6d5b6abd7099b1ac8b7
SHA256

cdc6aef29d300c937b80abade4022803e565f3895b697dbcddc11fe36e19d0f5
SHA512

27298c219857f990a8cd8920e6380ffcac3d2952690df6b5d88833a085abaca2933a4637b7aeabbe83ed3c069d59895b583eb60950742ae299b718271d82e29b
SSDEEP

196608:SmA20NKKI/0BfjFj0U5mEqddH/qW907NKHBk/alv/bgNTtNalBMskBQFs8AbA9mv:ST20NKKI/0BfjFj0U5mEqddH/qW907NE

Score

10^/10

bitrat quasar yoworld aspackv2 persistence spyware trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

anubisgod.duckdns.org:1440

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
install_dir
spottifyy
install_file
spottifyy.exe
tor_process
tor

Extracted

Family

quasar

Version

1.4.0

Botnet

Yoworld

anubisgod.duckdns.org:1338

Mutex

ec434dcc-84b6-4a93-9358-be83ce93fef5

Attributes

encryption_key
0411D8B9B23547F86733347B0634010F112E158F
install_name
Dlscord.exe
log_directory
DlscordLogs
reconnect_delay
3000
startup_key
Dlscord
subdirectory
Dlscord

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 7 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Yoworld.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Yoworld.exe	family_quasar
\Users\Admin\AppData\Roaming\Yoworld.exe	family_quasar
behavioral1/memory/1696-98-0x0000000000B40000-0x0000000000E0A000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\Dlscord\Dlscord.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Dlscord\Dlscord.exe	family_quasar
behavioral1/memory/1796-109-0x0000000000B00000-0x0000000000DCA000-memory.dmp	family_quasar

ASPack v2.12-2.42 8 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\WaZjnQ.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\WaZjnQ.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\WaZjnQ.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\WaZjnQ.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\WgUvKD.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\WgUvKD.exe	aspack_v212_v242

Executes dropped EXE 6 IoCs

Processes:

WaZjnQ.exeBVGExpliot.exeBitduckspottifynew.exeWgUvKD.exeYoworld.exeDlscord.exe

pid process

1652 WaZjnQ.exe
656 BVGExpliot.exe
1540 Bitduckspottifynew.exe
524 WgUvKD.exe
1696 Yoworld.exe
1796 Dlscord.exe
Loads dropped DLL 9 IoCs

Processes:

tmp.execmd.execmd.execmd.exeBitduckspottifynew.exe

pid process

752 tmp.exe
752 tmp.exe
1060 cmd.exe
1060 cmd.exe
320 cmd.exe
320 cmd.exe
1816 cmd.exe
1540 Bitduckspottifynew.exe
1540 Bitduckspottifynew.exe

pid	process
1652	WaZjnQ.exe
656	BVGExpliot.exe
1540	Bitduckspottifynew.exe
524	WgUvKD.exe
1696	Yoworld.exe
1796	Dlscord.exe

pid	process
752	tmp.exe
752	tmp.exe
1060	cmd.exe
1060	cmd.exe
320	cmd.exe
320	cmd.exe
1816	cmd.exe
1540	Bitduckspottifynew.exe
1540	Bitduckspottifynew.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Bitduckspottifynew.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\spottifyy = "C:\\Users\\Admin\\AppData\\Local\\spottifyy\\spottifyy.exe"	Bitduckspottifynew.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

Bitduckspottifynew.exe

pid process

1540 Bitduckspottifynew.exe
1540 Bitduckspottifynew.exe
1540 Bitduckspottifynew.exe
1540 Bitduckspottifynew.exe
1540 Bitduckspottifynew.exe

pid	process
1540	Bitduckspottifynew.exe
1540	Bitduckspottifynew.exe
1540	Bitduckspottifynew.exe
1540	Bitduckspottifynew.exe
1540	Bitduckspottifynew.exe

Drops file in Program Files directory 64 IoCs

Processes:

WgUvKD.exeWaZjnQ.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\chrome_installer.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe	WaZjnQ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE	WaZjnQ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE	WaZjnQ.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler64.exe	WaZjnQ.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\chrome_installer.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	WaZjnQ.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wab.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	WaZjnQ.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	WaZjnQ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE	WaZjnQ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE	WaZjnQ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	WaZjnQ.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	WaZjnQ.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe	WaZjnQ.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	WaZjnQ.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\WinMail.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Windows Mail\WinMail.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	WaZjnQ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE	WaZjnQ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe	WaZjnQ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE	WaZjnQ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE	WaZjnQ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	WaZjnQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1996 schtasks.exe
1064 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exeBVGExpliot.exe

pid process

2008 powershell.exe
2020 powershell.exe
656 BVGExpliot.exe

pid	process
1996	schtasks.exe
1064	schtasks.exe

pid	process
2008	powershell.exe
2020	powershell.exe
656	BVGExpliot.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exeYoworld.exeBitduckspottifynew.exeDlscord.exepowershell.exeBVGExpliot.exe

description	pid	process
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	1696	Yoworld.exe
Token: SeDebugPrivilege	1540	Bitduckspottifynew.exe
Token: SeShutdownPrivilege	1540	Bitduckspottifynew.exe
Token: SeDebugPrivilege	1796	Dlscord.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	656	BVGExpliot.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Bitduckspottifynew.exeDlscord.exe

pid process

1540 Bitduckspottifynew.exe
1540 Bitduckspottifynew.exe
1796 Dlscord.exe

pid	process
1540	Bitduckspottifynew.exe
1540	Bitduckspottifynew.exe
1796	Dlscord.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.execmd.execmd.execmd.exeBitduckspottifynew.execmd.exeYoworld.exeDlscord.exeWgUvKD.exeWaZjnQ.exe

description	pid	process	target process
PID 752 wrote to memory of 1652	752	tmp.exe	WaZjnQ.exe
PID 752 wrote to memory of 1652	752	tmp.exe	WaZjnQ.exe
PID 752 wrote to memory of 1652	752	tmp.exe	WaZjnQ.exe
PID 752 wrote to memory of 1652	752	tmp.exe	WaZjnQ.exe
PID 752 wrote to memory of 824	752	tmp.exe	cmd.exe
PID 752 wrote to memory of 824	752	tmp.exe	cmd.exe
PID 752 wrote to memory of 824	752	tmp.exe	cmd.exe
PID 752 wrote to memory of 824	752	tmp.exe	cmd.exe
PID 752 wrote to memory of 820	752	tmp.exe	cmd.exe
PID 752 wrote to memory of 820	752	tmp.exe	cmd.exe
PID 752 wrote to memory of 820	752	tmp.exe	cmd.exe
PID 752 wrote to memory of 820	752	tmp.exe	cmd.exe
PID 752 wrote to memory of 1060	752	tmp.exe	cmd.exe
PID 752 wrote to memory of 1060	752	tmp.exe	cmd.exe
PID 752 wrote to memory of 1060	752	tmp.exe	cmd.exe
PID 752 wrote to memory of 1060	752	tmp.exe	cmd.exe
PID 824 wrote to memory of 2008	824	cmd.exe	powershell.exe
PID 824 wrote to memory of 2008	824	cmd.exe	powershell.exe
PID 824 wrote to memory of 2008	824	cmd.exe	powershell.exe
PID 824 wrote to memory of 2008	824	cmd.exe	powershell.exe
PID 752 wrote to memory of 320	752	tmp.exe	cmd.exe
PID 752 wrote to memory of 320	752	tmp.exe	cmd.exe
PID 752 wrote to memory of 320	752	tmp.exe	cmd.exe
PID 752 wrote to memory of 320	752	tmp.exe	cmd.exe
PID 1060 wrote to memory of 656	1060	cmd.exe	BVGExpliot.exe
PID 1060 wrote to memory of 656	1060	cmd.exe	BVGExpliot.exe
PID 1060 wrote to memory of 656	1060	cmd.exe	BVGExpliot.exe
PID 1060 wrote to memory of 656	1060	cmd.exe	BVGExpliot.exe
PID 752 wrote to memory of 1816	752	tmp.exe	cmd.exe
PID 752 wrote to memory of 1816	752	tmp.exe	cmd.exe
PID 752 wrote to memory of 1816	752	tmp.exe	cmd.exe
PID 752 wrote to memory of 1816	752	tmp.exe	cmd.exe
PID 320 wrote to memory of 1540	320	cmd.exe	Bitduckspottifynew.exe
PID 320 wrote to memory of 1540	320	cmd.exe	Bitduckspottifynew.exe
PID 320 wrote to memory of 1540	320	cmd.exe	Bitduckspottifynew.exe
PID 320 wrote to memory of 1540	320	cmd.exe	Bitduckspottifynew.exe
PID 1540 wrote to memory of 524	1540	Bitduckspottifynew.exe	WgUvKD.exe
PID 1540 wrote to memory of 524	1540	Bitduckspottifynew.exe	WgUvKD.exe
PID 1540 wrote to memory of 524	1540	Bitduckspottifynew.exe	WgUvKD.exe
PID 1540 wrote to memory of 524	1540	Bitduckspottifynew.exe	WgUvKD.exe
PID 1816 wrote to memory of 1696	1816	cmd.exe	Yoworld.exe
PID 1816 wrote to memory of 1696	1816	cmd.exe	Yoworld.exe
PID 1816 wrote to memory of 1696	1816	cmd.exe	Yoworld.exe
PID 1816 wrote to memory of 1696	1816	cmd.exe	Yoworld.exe
PID 1696 wrote to memory of 1996	1696	Yoworld.exe	schtasks.exe
PID 1696 wrote to memory of 1996	1696	Yoworld.exe	schtasks.exe
PID 1696 wrote to memory of 1996	1696	Yoworld.exe	schtasks.exe
PID 824 wrote to memory of 2020	824	cmd.exe	powershell.exe
PID 824 wrote to memory of 2020	824	cmd.exe	powershell.exe
PID 824 wrote to memory of 2020	824	cmd.exe	powershell.exe
PID 824 wrote to memory of 2020	824	cmd.exe	powershell.exe
PID 1696 wrote to memory of 1796	1696	Yoworld.exe	Dlscord.exe
PID 1696 wrote to memory of 1796	1696	Yoworld.exe	Dlscord.exe
PID 1696 wrote to memory of 1796	1696	Yoworld.exe	Dlscord.exe
PID 1796 wrote to memory of 1064	1796	Dlscord.exe	schtasks.exe
PID 1796 wrote to memory of 1064	1796	Dlscord.exe	schtasks.exe
PID 1796 wrote to memory of 1064	1796	Dlscord.exe	schtasks.exe
PID 524 wrote to memory of 2004	524	WgUvKD.exe	cmd.exe
PID 524 wrote to memory of 2004	524	WgUvKD.exe	cmd.exe
PID 524 wrote to memory of 2004	524	WgUvKD.exe	cmd.exe
PID 524 wrote to memory of 2004	524	WgUvKD.exe	cmd.exe
PID 1652 wrote to memory of 1532	1652	WaZjnQ.exe	cmd.exe
PID 1652 wrote to memory of 1532	1652	WaZjnQ.exe	cmd.exe
PID 1652 wrote to memory of 1532	1652	WaZjnQ.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:752

C:\Users\Admin\AppData\Local\Temp\WaZjnQ.exe
C:\Users\Admin\AppData\Local\Temp\WaZjnQ.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\53a054a5.bat" "
3⤵
PID:1532

C:\Windows\SysWOW64\cmd.exe
cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Users\Admin\AppData\Local\Temp\Trace eraser.reg
2⤵
PID:820

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Users\Admin\AppData\Local\Temp\BVGExpliot.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1060

C:\Users\Admin\AppData\Local\Temp\BVGExpliot.exe
C:\Users\Admin\AppData\Local\Temp\BVGExpliot.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:656

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Users\Admin\AppData\Roaming\Bitduckspottifynew.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:320

C:\Users\Admin\AppData\Roaming\Bitduckspottifynew.exe
C:\Users\Admin\AppData\Roaming\Bitduckspottifynew.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1540

C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe
C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\07c14d0b.bat" "
5⤵
PID:2004

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Users\Admin\AppData\Roaming\Yoworld.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1816

C:\Users\Admin\AppData\Roaming\Yoworld.exe
C:\Users\Admin\AppData\Roaming\Yoworld.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Dlscord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Yoworld.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:1996

C:\Users\Admin\AppData\Roaming\Dlscord\Dlscord.exe
"C:\Users\Admin\AppData\Roaming\Dlscord\Dlscord.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Dlscord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Dlscord\Dlscord.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Uninstall.exe

Filesize
31KB

MD5
1905d4187836d80327891d0926d6283c

SHA1
0494f1569671b5bea309959a4db9bef1b35af936

SHA256
6384df7c6fe3fcea57f4b68734502cb9d465045fda8d43d36c24220db2e51d16

SHA512
08d2f784a6ca81e52e01767099413dfeffd5bf49ba0715e3b25dcfc0cf6cd013015f39939075064baa3b5624d4d62cbd48a8255ab8d50db8a3a839754c9f83ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CASMTSF8\k3[1].rar

Filesize
4B

MD5
d3b07384d113edec49eaa6238ad5ff00

SHA1
f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

SHA256
b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

SHA512
0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XB6YKGN8\k2[1].rar

Filesize
4B

MD5
d3b07384d113edec49eaa6238ad5ff00

SHA1
f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

SHA256
b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

SHA512
0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\07c14d0b.bat

Filesize
187B

MD5
22e57c48def9e646c94252a02543fecc

SHA1
a52e09814281a28c961abc747877d224fc72b83d

SHA256
17ba592fe022cb5cd2e0dd8a1c80274c86e4afaa46adb725a82a9c4d0b419418

SHA512
c4885036baf6a3818410c9d07cdc5f3123952412bc4feb9714a39197c47d43740db5e28ab672869b3ef9e1d1c007b1828538af7bb1af46ea2606a1398fda8ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\53a054a5.bat

Filesize
187B

MD5
1a264edad907c7af67a674b47063991f

SHA1
874c6a3516ad587006589a85bfad924c4997a567

SHA256
b0086ab6a9bce15dbfe83e7582d6dd1a2a06b0dfecf2b72b83ba6c474f6dd0fa

SHA512
0fcfac0495f052b98f43d694e29d5e5d20e95bfb1f5df643028e4fd46eb798c535fbfd4bbc8c286f98d148acf96a76e4f296bee30cdbd7231ee1c25678e88bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\BVGExpliot.exe

Filesize
379KB

MD5
1a57ddbff38a587a70eb6b79cd2601e6

SHA1
aa72d592d8f70bd4ae1548c52faca921f57ea784

SHA256
d4de9c0be13c02b5a6efad6befb3b27c25fc3adcd1116dc05672e859a9d4e4cc

SHA512
54a91c427a112227a94fa388e0502c75f8b494e7cec42eafbea87e0c7cefdd7f546cf788fc2714a7750c1f11aad4f48be5377f394d26be9e731ca147a0d79d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BVGExpliot.exe

Filesize
379KB

MD5
1a57ddbff38a587a70eb6b79cd2601e6

SHA1
aa72d592d8f70bd4ae1548c52faca921f57ea784

SHA256
d4de9c0be13c02b5a6efad6befb3b27c25fc3adcd1116dc05672e859a9d4e4cc

SHA512
54a91c427a112227a94fa388e0502c75f8b494e7cec42eafbea87e0c7cefdd7f546cf788fc2714a7750c1f11aad4f48be5377f394d26be9e731ca147a0d79d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WaZjnQ.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WaZjnQ.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Roaming\Bitduckspottifynew.exe

Filesize
3.8MB

MD5
d208502b720a4c00ae55379a1adff4fe

SHA1
e2c71e9ba414e0070992a9d31e73c9203b48e876

SHA256
0872edd378b3fe1c0f7f5754b8716306291632836040f888bdf1ef87e4d512b4

SHA512
a3295a755d0134246ce726a17b332ab844c4e54a0ac1c30c5ee24d17f20319422bfb1d20a22a8c70cb4b88e3758ae47ca6a1ae40d7d80819b0f3aab922a65363

Download Submit
C:\Users\Admin\AppData\Roaming\Bitduckspottifynew.exe

Filesize
3.8MB

MD5
d208502b720a4c00ae55379a1adff4fe

SHA1
e2c71e9ba414e0070992a9d31e73c9203b48e876

SHA256
0872edd378b3fe1c0f7f5754b8716306291632836040f888bdf1ef87e4d512b4

SHA512
a3295a755d0134246ce726a17b332ab844c4e54a0ac1c30c5ee24d17f20319422bfb1d20a22a8c70cb4b88e3758ae47ca6a1ae40d7d80819b0f3aab922a65363

Download Submit
C:\Users\Admin\AppData\Roaming\Dlscord\Dlscord.exe

Filesize
2.8MB

MD5
8df0a6df45fc592b75ac6b99b2093c88

SHA1
63b0688d48a9fb81a87d81d4a523854428a526af

SHA256
82c6a9a76749761515dc8bc59f127a6b5f3155f8cb4c79dd378478483623c587

SHA512
f5360f6aaccdf31362327707bf6f337611ac22fb0a7f4fe279f8ec023fb5939dca8fabacd2fd9354197e9d99e5d9fe1f90025302e6f08301fb5df2cbfc81a9db

Download Submit
C:\Users\Admin\AppData\Roaming\Dlscord\Dlscord.exe

Filesize
2.8MB

MD5
8df0a6df45fc592b75ac6b99b2093c88

SHA1
63b0688d48a9fb81a87d81d4a523854428a526af

SHA256
82c6a9a76749761515dc8bc59f127a6b5f3155f8cb4c79dd378478483623c587

SHA512
f5360f6aaccdf31362327707bf6f337611ac22fb0a7f4fe279f8ec023fb5939dca8fabacd2fd9354197e9d99e5d9fe1f90025302e6f08301fb5df2cbfc81a9db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e4fcd08ae6aa27b463da494c961167f0

SHA1
fc5a94859d07d97ea8ffa5d4ece407916d18217d

SHA256
0ab71aa520a70026f0cd1ba328a46b53f529e960bdf6e6aec93b2cf253f2780c

SHA512
6d8927be7a6eea4ba6f855d6287a927f9f4f61ecdf01f5494be7aeff9dd708673258f140a22294e724b733272e9893eacf82f0e447f4b4eaa9573c4779d03a3b

Download Submit
C:\Users\Admin\AppData\Roaming\Yoworld.exe

Filesize
2.8MB

MD5
8df0a6df45fc592b75ac6b99b2093c88

SHA1
63b0688d48a9fb81a87d81d4a523854428a526af

SHA256
82c6a9a76749761515dc8bc59f127a6b5f3155f8cb4c79dd378478483623c587

SHA512
f5360f6aaccdf31362327707bf6f337611ac22fb0a7f4fe279f8ec023fb5939dca8fabacd2fd9354197e9d99e5d9fe1f90025302e6f08301fb5df2cbfc81a9db

Download Submit
C:\Users\Admin\AppData\Roaming\Yoworld.exe

Filesize
2.8MB

MD5
8df0a6df45fc592b75ac6b99b2093c88

SHA1
63b0688d48a9fb81a87d81d4a523854428a526af

SHA256
82c6a9a76749761515dc8bc59f127a6b5f3155f8cb4c79dd378478483623c587

SHA512
f5360f6aaccdf31362327707bf6f337611ac22fb0a7f4fe279f8ec023fb5939dca8fabacd2fd9354197e9d99e5d9fe1f90025302e6f08301fb5df2cbfc81a9db

Download Submit
\Users\Admin\AppData\Local\Temp\BVGExpliot.exe

Filesize
379KB

MD5
1a57ddbff38a587a70eb6b79cd2601e6

SHA1
aa72d592d8f70bd4ae1548c52faca921f57ea784

SHA256
d4de9c0be13c02b5a6efad6befb3b27c25fc3adcd1116dc05672e859a9d4e4cc

SHA512
54a91c427a112227a94fa388e0502c75f8b494e7cec42eafbea87e0c7cefdd7f546cf788fc2714a7750c1f11aad4f48be5377f394d26be9e731ca147a0d79d8c

Download Submit
\Users\Admin\AppData\Local\Temp\BVGExpliot.exe

Filesize
379KB

MD5
1a57ddbff38a587a70eb6b79cd2601e6

SHA1
aa72d592d8f70bd4ae1548c52faca921f57ea784

SHA256
d4de9c0be13c02b5a6efad6befb3b27c25fc3adcd1116dc05672e859a9d4e4cc

SHA512
54a91c427a112227a94fa388e0502c75f8b494e7cec42eafbea87e0c7cefdd7f546cf788fc2714a7750c1f11aad4f48be5377f394d26be9e731ca147a0d79d8c

Download Submit
\Users\Admin\AppData\Local\Temp\WaZjnQ.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
\Users\Admin\AppData\Local\Temp\WaZjnQ.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
\Users\Admin\AppData\Local\Temp\WgUvKD.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
\Users\Admin\AppData\Local\Temp\WgUvKD.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
\Users\Admin\AppData\Roaming\Bitduckspottifynew.exe

Filesize
3.8MB

MD5
d208502b720a4c00ae55379a1adff4fe

SHA1
e2c71e9ba414e0070992a9d31e73c9203b48e876

SHA256
0872edd378b3fe1c0f7f5754b8716306291632836040f888bdf1ef87e4d512b4

SHA512
a3295a755d0134246ce726a17b332ab844c4e54a0ac1c30c5ee24d17f20319422bfb1d20a22a8c70cb4b88e3758ae47ca6a1ae40d7d80819b0f3aab922a65363

Download Submit
\Users\Admin\AppData\Roaming\Bitduckspottifynew.exe

Filesize
3.8MB

MD5
d208502b720a4c00ae55379a1adff4fe

SHA1
e2c71e9ba414e0070992a9d31e73c9203b48e876

SHA256
0872edd378b3fe1c0f7f5754b8716306291632836040f888bdf1ef87e4d512b4

SHA512
a3295a755d0134246ce726a17b332ab844c4e54a0ac1c30c5ee24d17f20319422bfb1d20a22a8c70cb4b88e3758ae47ca6a1ae40d7d80819b0f3aab922a65363

Download Submit
\Users\Admin\AppData\Roaming\Yoworld.exe

Filesize
2.8MB

MD5
8df0a6df45fc592b75ac6b99b2093c88

SHA1
63b0688d48a9fb81a87d81d4a523854428a526af

SHA256
82c6a9a76749761515dc8bc59f127a6b5f3155f8cb4c79dd378478483623c587

SHA512
f5360f6aaccdf31362327707bf6f337611ac22fb0a7f4fe279f8ec023fb5939dca8fabacd2fd9354197e9d99e5d9fe1f90025302e6f08301fb5df2cbfc81a9db

Download Submit
memory/320-65-0x0000000000000000-mapping.dmp

Download
memory/524-120-0x0000000000B60000-0x0000000000B69000-memory.dmp

Filesize
36KB

Download
memory/524-83-0x0000000000000000-mapping.dmp

Download
memory/524-96-0x0000000000B60000-0x0000000000B69000-memory.dmp

Filesize
36KB

Download
memory/656-125-0x000000001B126000-0x000000001B145000-memory.dmp

Filesize
124KB

Download
memory/656-99-0x000007FEFC161000-0x000007FEFC163000-memory.dmp

Filesize
8KB

Download
memory/656-69-0x0000000000000000-mapping.dmp

Download
memory/656-97-0x00000000009B0000-0x0000000000A16000-memory.dmp

Filesize
408KB

Download
memory/752-74-0x00000000013C0000-0x00000000013C9000-memory.dmp

Filesize
36KB

Download
memory/752-73-0x0000000000400000-0x0000000000AFD000-memory.dmp

Filesize
7.0MB

Download
memory/820-61-0x0000000000000000-mapping.dmp

Download
memory/824-60-0x0000000000000000-mapping.dmp

Download
memory/1060-62-0x0000000000000000-mapping.dmp

Download
memory/1064-115-0x0000000000000000-mapping.dmp

Download
memory/1532-122-0x0000000000000000-mapping.dmp

Download
memory/1540-92-0x0000000000400000-0x00000000007D3000-memory.dmp

Filesize
3.8MB

Download
memory/1540-127-0x0000000002510000-0x000000000251A000-memory.dmp

Filesize
40KB

Download
memory/1540-130-0x0000000000B60000-0x0000000000B69000-memory.dmp

Filesize
36KB

Download
memory/1540-129-0x0000000000B60000-0x0000000000B69000-memory.dmp

Filesize
36KB

Download
memory/1540-78-0x0000000000000000-mapping.dmp

Download
memory/1540-128-0x0000000002510000-0x000000000251A000-memory.dmp

Filesize
40KB

Download
memory/1540-93-0x0000000000B60000-0x0000000000B69000-memory.dmp

Filesize
36KB

Download
memory/1540-126-0x0000000000400000-0x00000000007D3000-memory.dmp

Filesize
3.8MB

Download
memory/1540-94-0x0000000000B60000-0x0000000000B69000-memory.dmp

Filesize
36KB

Download
memory/1540-112-0x0000000002510000-0x000000000251A000-memory.dmp

Filesize
40KB

Download
memory/1540-113-0x0000000002510000-0x000000000251A000-memory.dmp

Filesize
40KB

Download
memory/1652-58-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1652-95-0x00000000013C0000-0x00000000013C9000-memory.dmp

Filesize
36KB

Download
memory/1652-123-0x00000000013C0000-0x00000000013C9000-memory.dmp

Filesize
36KB

Download
memory/1652-56-0x0000000000000000-mapping.dmp

Download
memory/1696-98-0x0000000000B40000-0x0000000000E0A000-memory.dmp

Filesize
2.8MB

Download
memory/1696-84-0x0000000000000000-mapping.dmp

Download
memory/1796-109-0x0000000000B00000-0x0000000000DCA000-memory.dmp

Filesize
2.8MB

Download
memory/1796-105-0x0000000000000000-mapping.dmp

Download
memory/1816-72-0x0000000000000000-mapping.dmp

Download
memory/1996-102-0x0000000000000000-mapping.dmp

Download
memory/2004-119-0x0000000000000000-mapping.dmp

Download
memory/2008-64-0x0000000000000000-mapping.dmp

Download
memory/2008-101-0x0000000073920000-0x0000000073ECB000-memory.dmp

Filesize
5.7MB

Download
memory/2008-103-0x0000000073920000-0x0000000073ECB000-memory.dmp

Filesize
5.7MB

Download
memory/2020-116-0x0000000073370000-0x000000007391B000-memory.dmp

Filesize
5.7MB

Download
memory/2020-114-0x0000000073370000-0x000000007391B000-memory.dmp

Filesize
5.7MB

Download
memory/2020-104-0x0000000000000000-mapping.dmp

Download