bitrat | cdc6aef29d300c937b80abade4022803e565f3895b697dbcddc11fe36e19d0f5

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-09-2022 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

7.0MB
MD5

90d11bc40e17839b51fcf6a2f0aebb12
SHA1

66139f98aa2efbde94c5a6d5b6abd7099b1ac8b7
SHA256

cdc6aef29d300c937b80abade4022803e565f3895b697dbcddc11fe36e19d0f5
SHA512

27298c219857f990a8cd8920e6380ffcac3d2952690df6b5d88833a085abaca2933a4637b7aeabbe83ed3c069d59895b583eb60950742ae299b718271d82e29b
SSDEEP

196608:SmA20NKKI/0BfjFj0U5mEqddH/qW907NKHBk/alv/bgNTtNalBMskBQFs8AbA9mv:ST20NKKI/0BfjFj0U5mEqddH/qW907NE

Score

10^/10

bitrat quasar yoworld aspackv2 persistence spyware trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

anubisgod.duckdns.org:1440

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
install_dir
spottifyy
install_file
spottifyy.exe
tor_process
tor

Extracted

Family

quasar

Version

1.4.0

Botnet

Yoworld

anubisgod.duckdns.org:1338

Mutex

ec434dcc-84b6-4a93-9358-be83ce93fef5

Attributes

encryption_key
0411D8B9B23547F86733347B0634010F112E158F
install_name
Dlscord.exe
log_directory
DlscordLogs
reconnect_delay
3000
startup_key
Dlscord
subdirectory
Dlscord

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 7 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Yoworld.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Yoworld.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Yoworld.exe	family_quasar
behavioral1/memory/788-98-0x0000000000160000-0x000000000042A000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\Dlscord\Dlscord.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Dlscord\Dlscord.exe	family_quasar
behavioral1/memory/2020-107-0x0000000001270000-0x000000000153A000-memory.dmp	family_quasar

ASPack v2.12-2.42 8 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\WaZjnQ.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\WaZjnQ.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\WaZjnQ.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\WaZjnQ.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\WgUvKD.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\WgUvKD.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe	aspack_v212_v242

Executes dropped EXE 6 IoCs

Processes:

WaZjnQ.exeBVGExpliot.exeBitduckspottifynew.exeWgUvKD.exeYoworld.exeDlscord.exe

pid process

1968 WaZjnQ.exe
1632 BVGExpliot.exe
1036 Bitduckspottifynew.exe
1496 WgUvKD.exe
788 Yoworld.exe
2020 Dlscord.exe
Loads dropped DLL 9 IoCs

Processes:

tmp.execmd.execmd.exeBitduckspottifynew.execmd.exe

pid process

2020 tmp.exe
2020 tmp.exe
1080 cmd.exe
1080 cmd.exe
1468 cmd.exe
1468 cmd.exe
1036 Bitduckspottifynew.exe
1036 Bitduckspottifynew.exe
1796 cmd.exe

pid	process
1968	WaZjnQ.exe
1632	BVGExpliot.exe
1036	Bitduckspottifynew.exe
1496	WgUvKD.exe
788	Yoworld.exe
2020	Dlscord.exe

pid	process
2020	tmp.exe
2020	tmp.exe
1080	cmd.exe
1080	cmd.exe
1468	cmd.exe
1468	cmd.exe
1036	Bitduckspottifynew.exe
1036	Bitduckspottifynew.exe
1796	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Bitduckspottifynew.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\spottifyy = "C:\\Users\\Admin\\AppData\\Local\\spottifyy\\spottifyy.exe"	Bitduckspottifynew.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

Bitduckspottifynew.exe

pid process

1036 Bitduckspottifynew.exe
1036 Bitduckspottifynew.exe
1036 Bitduckspottifynew.exe
1036 Bitduckspottifynew.exe

pid	process
1036	Bitduckspottifynew.exe
1036	Bitduckspottifynew.exe
1036	Bitduckspottifynew.exe
1036	Bitduckspottifynew.exe

Drops file in Program Files directory 64 IoCs

Processes:

WaZjnQ.exeWgUvKD.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE	WaZjnQ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	WgUvKD.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateBroker.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdate.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\Chess.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Windows Journal\Journal.exe	WaZjnQ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe	WaZjnQ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	WaZjnQ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	WaZjnQ.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\WinMail.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE	WaZjnQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1692 schtasks.exe
1072 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exeBVGExpliot.exe

pid process

1076 powershell.exe
1136 powershell.exe
1632 BVGExpliot.exe

pid	process
1692	schtasks.exe
1072	schtasks.exe

pid	process
1076	powershell.exe
1136	powershell.exe
1632	BVGExpliot.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

Bitduckspottifynew.exeYoworld.exepowershell.exeDlscord.exepowershell.exeBVGExpliot.exe

description	pid	process
Token: SeDebugPrivilege	1036	Bitduckspottifynew.exe
Token: SeShutdownPrivilege	1036	Bitduckspottifynew.exe
Token: SeDebugPrivilege	788	Yoworld.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	2020	Dlscord.exe
Token: SeDebugPrivilege	1136	powershell.exe
Token: SeDebugPrivilege	1632	BVGExpliot.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Bitduckspottifynew.exeDlscord.exe

pid process

1036 Bitduckspottifynew.exe
1036 Bitduckspottifynew.exe
2020 Dlscord.exe

pid	process
1036	Bitduckspottifynew.exe
1036	Bitduckspottifynew.exe
2020	Dlscord.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.execmd.execmd.execmd.exeBitduckspottifynew.execmd.exeYoworld.exeDlscord.exeWaZjnQ.exeWgUvKD.exe

description	pid	process	target process
PID 2020 wrote to memory of 1968	2020	tmp.exe	WaZjnQ.exe
PID 2020 wrote to memory of 1968	2020	tmp.exe	WaZjnQ.exe
PID 2020 wrote to memory of 1968	2020	tmp.exe	WaZjnQ.exe
PID 2020 wrote to memory of 1968	2020	tmp.exe	WaZjnQ.exe
PID 2020 wrote to memory of 1560	2020	tmp.exe	cmd.exe
PID 2020 wrote to memory of 1560	2020	tmp.exe	cmd.exe
PID 2020 wrote to memory of 1560	2020	tmp.exe	cmd.exe
PID 2020 wrote to memory of 1560	2020	tmp.exe	cmd.exe
PID 2020 wrote to memory of 1308	2020	tmp.exe	cmd.exe
PID 2020 wrote to memory of 1308	2020	tmp.exe	cmd.exe
PID 2020 wrote to memory of 1308	2020	tmp.exe	cmd.exe
PID 2020 wrote to memory of 1308	2020	tmp.exe	cmd.exe
PID 2020 wrote to memory of 1080	2020	tmp.exe	cmd.exe
PID 2020 wrote to memory of 1080	2020	tmp.exe	cmd.exe
PID 2020 wrote to memory of 1080	2020	tmp.exe	cmd.exe
PID 2020 wrote to memory of 1080	2020	tmp.exe	cmd.exe
PID 1560 wrote to memory of 1076	1560	cmd.exe	powershell.exe
PID 1560 wrote to memory of 1076	1560	cmd.exe	powershell.exe
PID 1560 wrote to memory of 1076	1560	cmd.exe	powershell.exe
PID 1560 wrote to memory of 1076	1560	cmd.exe	powershell.exe
PID 2020 wrote to memory of 1468	2020	tmp.exe	cmd.exe
PID 2020 wrote to memory of 1468	2020	tmp.exe	cmd.exe
PID 2020 wrote to memory of 1468	2020	tmp.exe	cmd.exe
PID 2020 wrote to memory of 1468	2020	tmp.exe	cmd.exe
PID 1080 wrote to memory of 1632	1080	cmd.exe	BVGExpliot.exe
PID 1080 wrote to memory of 1632	1080	cmd.exe	BVGExpliot.exe
PID 1080 wrote to memory of 1632	1080	cmd.exe	BVGExpliot.exe
PID 1080 wrote to memory of 1632	1080	cmd.exe	BVGExpliot.exe
PID 2020 wrote to memory of 1796	2020	tmp.exe	cmd.exe
PID 2020 wrote to memory of 1796	2020	tmp.exe	cmd.exe
PID 2020 wrote to memory of 1796	2020	tmp.exe	cmd.exe
PID 2020 wrote to memory of 1796	2020	tmp.exe	cmd.exe
PID 1468 wrote to memory of 1036	1468	cmd.exe	Bitduckspottifynew.exe
PID 1468 wrote to memory of 1036	1468	cmd.exe	Bitduckspottifynew.exe
PID 1468 wrote to memory of 1036	1468	cmd.exe	Bitduckspottifynew.exe
PID 1468 wrote to memory of 1036	1468	cmd.exe	Bitduckspottifynew.exe
PID 1036 wrote to memory of 1496	1036	Bitduckspottifynew.exe	WgUvKD.exe
PID 1036 wrote to memory of 1496	1036	Bitduckspottifynew.exe	WgUvKD.exe
PID 1036 wrote to memory of 1496	1036	Bitduckspottifynew.exe	WgUvKD.exe
PID 1036 wrote to memory of 1496	1036	Bitduckspottifynew.exe	WgUvKD.exe
PID 1796 wrote to memory of 788	1796	cmd.exe	Yoworld.exe
PID 1796 wrote to memory of 788	1796	cmd.exe	Yoworld.exe
PID 1796 wrote to memory of 788	1796	cmd.exe	Yoworld.exe
PID 1796 wrote to memory of 788	1796	cmd.exe	Yoworld.exe
PID 788 wrote to memory of 1692	788	Yoworld.exe	schtasks.exe
PID 788 wrote to memory of 1692	788	Yoworld.exe	schtasks.exe
PID 788 wrote to memory of 1692	788	Yoworld.exe	schtasks.exe
PID 788 wrote to memory of 2020	788	Yoworld.exe	Dlscord.exe
PID 788 wrote to memory of 2020	788	Yoworld.exe	Dlscord.exe
PID 788 wrote to memory of 2020	788	Yoworld.exe	Dlscord.exe
PID 1560 wrote to memory of 1136	1560	cmd.exe	powershell.exe
PID 1560 wrote to memory of 1136	1560	cmd.exe	powershell.exe
PID 1560 wrote to memory of 1136	1560	cmd.exe	powershell.exe
PID 1560 wrote to memory of 1136	1560	cmd.exe	powershell.exe
PID 2020 wrote to memory of 1072	2020	Dlscord.exe	schtasks.exe
PID 2020 wrote to memory of 1072	2020	Dlscord.exe	schtasks.exe
PID 2020 wrote to memory of 1072	2020	Dlscord.exe	schtasks.exe
PID 1968 wrote to memory of 1816	1968	WaZjnQ.exe	cmd.exe
PID 1968 wrote to memory of 1816	1968	WaZjnQ.exe	cmd.exe
PID 1968 wrote to memory of 1816	1968	WaZjnQ.exe	cmd.exe
PID 1968 wrote to memory of 1816	1968	WaZjnQ.exe	cmd.exe
PID 1496 wrote to memory of 1148	1496	WgUvKD.exe	cmd.exe
PID 1496 wrote to memory of 1148	1496	WgUvKD.exe	cmd.exe
PID 1496 wrote to memory of 1148	1496	WgUvKD.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Local\Temp\WaZjnQ.exe
C:\Users\Admin\AppData\Local\Temp\WaZjnQ.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\4b423d80.bat" "
3⤵
PID:1816

C:\Windows\SysWOW64\cmd.exe
cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Users\Admin\AppData\Local\Temp\Trace eraser.reg
2⤵
PID:1308

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Users\Admin\AppData\Local\Temp\BVGExpliot.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1080

C:\Users\Admin\AppData\Local\Temp\BVGExpliot.exe
C:\Users\Admin\AppData\Local\Temp\BVGExpliot.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Users\Admin\AppData\Roaming\Bitduckspottifynew.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1468

C:\Users\Admin\AppData\Roaming\Bitduckspottifynew.exe
C:\Users\Admin\AppData\Roaming\Bitduckspottifynew.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Users\Admin\AppData\Roaming\Yoworld.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1796

C:\Users\Admin\AppData\Roaming\Yoworld.exe
C:\Users\Admin\AppData\Roaming\Yoworld.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:788

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Dlscord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Yoworld.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:1692

C:\Users\Admin\AppData\Roaming\Dlscord\Dlscord.exe
"C:\Users\Admin\AppData\Roaming\Dlscord\Dlscord.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Dlscord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Dlscord\Dlscord.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1072

C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe
C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\23222d2c.bat" "
2⤵
PID:1148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe

Filesize
272KB

MD5
5e8f538065e15ae04e04e7ede191684e

SHA1
71913b4f5f545a499d097be7cda67c6e84b033c5

SHA256
dd3e12cd09665882146b720ec5996c97c25a7333f94c7b61cfe071d46c2b1de5

SHA512
0abe01c9c297e834953d77be493c3be6938224c8fcfef48ce7bbbf0fe16fbd0585ad1499e4655f318d940c56fe235f06d50589fd5923572aa56ce7998be8205f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
31KB

MD5
636beef5cc468477f796c3ac5f49f10c

SHA1
7ce0ff2e82b9ff2ab3de5909359beed5665c236b

SHA256
fb1b0a049c6f038d408bc97cbd2180fab76cd679f85139e1426ef6c1080d3b65

SHA512
976731aa59e8f0253a1f9dbf826a8f929c3992aa1c6037f96b5f03c14dfe408a7df8ebf7bd1dca4cdae18f13f81707b07340ea1b1a60cefee55eb69780edfb2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CASMTSF8\k3[1].rar

Filesize
4B

MD5
d3b07384d113edec49eaa6238ad5ff00

SHA1
f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

SHA256
b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

SHA512
0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I9NA5QYV\k2[1].rar

Filesize
4B

MD5
d3b07384d113edec49eaa6238ad5ff00

SHA1
f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

SHA256
b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

SHA512
0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XB6YKGN8\k1[1].rar

Filesize
4B

MD5
d3b07384d113edec49eaa6238ad5ff00

SHA1
f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

SHA256
b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

SHA512
0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\23222d2c.bat

Filesize
187B

MD5
e444325a63ea21ef8943d548804e3342

SHA1
32fb8ed3714aa0ae1f89a45c0fe8a91262174c09

SHA256
571c799d250d3ce52a0522c3b3aa1591529bd05f7142f251c2d63a1f3c31fe8e

SHA512
cb7b9ccc8fb29db8f1886a150849c07207073875ea603f5f93b2a0494ee56ff1f45ae0551c53401d6aa4e87d35b51e25b8f02c2b6cb49e05ecf1d3832b1100bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b423d80.bat

Filesize
187B

MD5
540166927ea1667c4011752fe45ddf9e

SHA1
a36182d5e7b7a6ebffa2e731656a6a9c7c4bd9de

SHA256
71829a2c6d79712f1698ffec0f6641b727b2bc988e232cf6f1310c5b7d908bb4

SHA512
33a5f4b1b46e94b9f635229e3945b36278ba02301313480ab5a1904bbbdf5a5d992f84bf313509fcda21b610193c5f5dae437fff49633f83e2761ee9c908f030

Download Submit
C:\Users\Admin\AppData\Local\Temp\BVGExpliot.exe

Filesize
379KB

MD5
1a57ddbff38a587a70eb6b79cd2601e6

SHA1
aa72d592d8f70bd4ae1548c52faca921f57ea784

SHA256
d4de9c0be13c02b5a6efad6befb3b27c25fc3adcd1116dc05672e859a9d4e4cc

SHA512
54a91c427a112227a94fa388e0502c75f8b494e7cec42eafbea87e0c7cefdd7f546cf788fc2714a7750c1f11aad4f48be5377f394d26be9e731ca147a0d79d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BVGExpliot.exe

Filesize
379KB

MD5
1a57ddbff38a587a70eb6b79cd2601e6

SHA1
aa72d592d8f70bd4ae1548c52faca921f57ea784

SHA256
d4de9c0be13c02b5a6efad6befb3b27c25fc3adcd1116dc05672e859a9d4e4cc

SHA512
54a91c427a112227a94fa388e0502c75f8b494e7cec42eafbea87e0c7cefdd7f546cf788fc2714a7750c1f11aad4f48be5377f394d26be9e731ca147a0d79d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WaZjnQ.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WaZjnQ.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Roaming\Bitduckspottifynew.exe

Filesize
3.8MB

MD5
d208502b720a4c00ae55379a1adff4fe

SHA1
e2c71e9ba414e0070992a9d31e73c9203b48e876

SHA256
0872edd378b3fe1c0f7f5754b8716306291632836040f888bdf1ef87e4d512b4

SHA512
a3295a755d0134246ce726a17b332ab844c4e54a0ac1c30c5ee24d17f20319422bfb1d20a22a8c70cb4b88e3758ae47ca6a1ae40d7d80819b0f3aab922a65363

Download Submit
C:\Users\Admin\AppData\Roaming\Bitduckspottifynew.exe

Filesize
3.8MB

MD5
d208502b720a4c00ae55379a1adff4fe

SHA1
e2c71e9ba414e0070992a9d31e73c9203b48e876

SHA256
0872edd378b3fe1c0f7f5754b8716306291632836040f888bdf1ef87e4d512b4

SHA512
a3295a755d0134246ce726a17b332ab844c4e54a0ac1c30c5ee24d17f20319422bfb1d20a22a8c70cb4b88e3758ae47ca6a1ae40d7d80819b0f3aab922a65363

Download Submit
C:\Users\Admin\AppData\Roaming\Dlscord\Dlscord.exe

Filesize
2.8MB

MD5
8df0a6df45fc592b75ac6b99b2093c88

SHA1
63b0688d48a9fb81a87d81d4a523854428a526af

SHA256
82c6a9a76749761515dc8bc59f127a6b5f3155f8cb4c79dd378478483623c587

SHA512
f5360f6aaccdf31362327707bf6f337611ac22fb0a7f4fe279f8ec023fb5939dca8fabacd2fd9354197e9d99e5d9fe1f90025302e6f08301fb5df2cbfc81a9db

Download Submit
C:\Users\Admin\AppData\Roaming\Dlscord\Dlscord.exe

Filesize
2.8MB

MD5
8df0a6df45fc592b75ac6b99b2093c88

SHA1
63b0688d48a9fb81a87d81d4a523854428a526af

SHA256
82c6a9a76749761515dc8bc59f127a6b5f3155f8cb4c79dd378478483623c587

SHA512
f5360f6aaccdf31362327707bf6f337611ac22fb0a7f4fe279f8ec023fb5939dca8fabacd2fd9354197e9d99e5d9fe1f90025302e6f08301fb5df2cbfc81a9db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
7a5a8b211596c9b4e3e4877eb7ad4d20

SHA1
a6dfc5918379415ccda89cdabcd42074a455ff85

SHA256
c0c1db7496f145985707789427d46a5c2f3d89e72fd77332e1261ccfd5c38141

SHA512
d2e90a14aba0adf39194310850602c425ace39be0d75ecc44c01ba4ca45cf5731a9ac0e60d379b3ea2d62f8a93248afe17a5ed48095134c6b9f26f21e48b13f9

Download Submit
C:\Users\Admin\AppData\Roaming\Yoworld.exe

Filesize
2.8MB

MD5
8df0a6df45fc592b75ac6b99b2093c88

SHA1
63b0688d48a9fb81a87d81d4a523854428a526af

SHA256
82c6a9a76749761515dc8bc59f127a6b5f3155f8cb4c79dd378478483623c587

SHA512
f5360f6aaccdf31362327707bf6f337611ac22fb0a7f4fe279f8ec023fb5939dca8fabacd2fd9354197e9d99e5d9fe1f90025302e6f08301fb5df2cbfc81a9db

Download Submit
C:\Users\Admin\AppData\Roaming\Yoworld.exe

Filesize
2.8MB

MD5
8df0a6df45fc592b75ac6b99b2093c88

SHA1
63b0688d48a9fb81a87d81d4a523854428a526af

SHA256
82c6a9a76749761515dc8bc59f127a6b5f3155f8cb4c79dd378478483623c587

SHA512
f5360f6aaccdf31362327707bf6f337611ac22fb0a7f4fe279f8ec023fb5939dca8fabacd2fd9354197e9d99e5d9fe1f90025302e6f08301fb5df2cbfc81a9db

Download Submit
\Users\Admin\AppData\Local\Temp\BVGExpliot.exe

Filesize
379KB

MD5
1a57ddbff38a587a70eb6b79cd2601e6

SHA1
aa72d592d8f70bd4ae1548c52faca921f57ea784

SHA256
d4de9c0be13c02b5a6efad6befb3b27c25fc3adcd1116dc05672e859a9d4e4cc

SHA512
54a91c427a112227a94fa388e0502c75f8b494e7cec42eafbea87e0c7cefdd7f546cf788fc2714a7750c1f11aad4f48be5377f394d26be9e731ca147a0d79d8c

Download Submit
\Users\Admin\AppData\Local\Temp\BVGExpliot.exe

Filesize
379KB

MD5
1a57ddbff38a587a70eb6b79cd2601e6

SHA1
aa72d592d8f70bd4ae1548c52faca921f57ea784

SHA256
d4de9c0be13c02b5a6efad6befb3b27c25fc3adcd1116dc05672e859a9d4e4cc

SHA512
54a91c427a112227a94fa388e0502c75f8b494e7cec42eafbea87e0c7cefdd7f546cf788fc2714a7750c1f11aad4f48be5377f394d26be9e731ca147a0d79d8c

Download Submit
\Users\Admin\AppData\Local\Temp\WaZjnQ.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
\Users\Admin\AppData\Local\Temp\WaZjnQ.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
\Users\Admin\AppData\Local\Temp\WgUvKD.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
\Users\Admin\AppData\Local\Temp\WgUvKD.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
\Users\Admin\AppData\Roaming\Bitduckspottifynew.exe

Filesize
3.8MB

MD5
d208502b720a4c00ae55379a1adff4fe

SHA1
e2c71e9ba414e0070992a9d31e73c9203b48e876

SHA256
0872edd378b3fe1c0f7f5754b8716306291632836040f888bdf1ef87e4d512b4

SHA512
a3295a755d0134246ce726a17b332ab844c4e54a0ac1c30c5ee24d17f20319422bfb1d20a22a8c70cb4b88e3758ae47ca6a1ae40d7d80819b0f3aab922a65363

Download Submit
\Users\Admin\AppData\Roaming\Bitduckspottifynew.exe

Filesize
3.8MB

MD5
d208502b720a4c00ae55379a1adff4fe

SHA1
e2c71e9ba414e0070992a9d31e73c9203b48e876

SHA256
0872edd378b3fe1c0f7f5754b8716306291632836040f888bdf1ef87e4d512b4

SHA512
a3295a755d0134246ce726a17b332ab844c4e54a0ac1c30c5ee24d17f20319422bfb1d20a22a8c70cb4b88e3758ae47ca6a1ae40d7d80819b0f3aab922a65363

Download Submit
\Users\Admin\AppData\Roaming\Yoworld.exe

Filesize
2.8MB

MD5
8df0a6df45fc592b75ac6b99b2093c88

SHA1
63b0688d48a9fb81a87d81d4a523854428a526af

SHA256
82c6a9a76749761515dc8bc59f127a6b5f3155f8cb4c79dd378478483623c587

SHA512
f5360f6aaccdf31362327707bf6f337611ac22fb0a7f4fe279f8ec023fb5939dca8fabacd2fd9354197e9d99e5d9fe1f90025302e6f08301fb5df2cbfc81a9db

Download Submit
memory/788-98-0x0000000000160000-0x000000000042A000-memory.dmp

Filesize
2.8MB

Download
memory/788-92-0x0000000000000000-mapping.dmp

Download
memory/1036-125-0x0000000000400000-0x00000000007D3000-memory.dmp

Filesize
3.8MB

Download
memory/1036-76-0x0000000000000000-mapping.dmp

Download
memory/1036-89-0x0000000000B20000-0x0000000000B29000-memory.dmp

Filesize
36KB

Download
memory/1036-91-0x0000000000B20000-0x0000000000B29000-memory.dmp

Filesize
36KB

Download
memory/1036-93-0x0000000000400000-0x00000000007D3000-memory.dmp

Filesize
3.8MB

Download
memory/1072-112-0x0000000000000000-mapping.dmp

Download
memory/1076-109-0x00000000738E0000-0x0000000073E8B000-memory.dmp

Filesize
5.7MB

Download
memory/1076-64-0x0000000000000000-mapping.dmp

Download
memory/1076-99-0x00000000738E0000-0x0000000073E8B000-memory.dmp

Filesize
5.7MB

Download
memory/1080-62-0x0000000000000000-mapping.dmp

Download
memory/1136-110-0x0000000000000000-mapping.dmp

Download
memory/1136-115-0x0000000073330000-0x00000000738DB000-memory.dmp

Filesize
5.7MB

Download
memory/1148-121-0x0000000000000000-mapping.dmp

Download
memory/1308-61-0x0000000000000000-mapping.dmp

Download
memory/1468-66-0x0000000000000000-mapping.dmp

Download
memory/1496-81-0x0000000000000000-mapping.dmp

Download
memory/1496-122-0x0000000000B20000-0x0000000000B29000-memory.dmp

Filesize
36KB

Download
memory/1496-94-0x0000000000B20000-0x0000000000B29000-memory.dmp

Filesize
36KB

Download
memory/1560-60-0x0000000000000000-mapping.dmp

Download
memory/1632-100-0x000007FEFC2C1000-0x000007FEFC2C3000-memory.dmp

Filesize
8KB

Download
memory/1632-124-0x000000001B1C6000-0x000000001B1E5000-memory.dmp

Filesize
124KB

Download
memory/1632-97-0x00000000009B0000-0x0000000000A16000-memory.dmp

Filesize
408KB

Download
memory/1632-70-0x0000000000000000-mapping.dmp

Download
memory/1692-103-0x0000000000000000-mapping.dmp

Download
memory/1796-72-0x0000000000000000-mapping.dmp

Download
memory/1816-118-0x0000000000000000-mapping.dmp

Download
memory/1968-90-0x00000000012F0000-0x00000000012F9000-memory.dmp

Filesize
36KB

Download
memory/1968-119-0x00000000012F0000-0x00000000012F9000-memory.dmp

Filesize
36KB

Download
memory/1968-58-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download
memory/1968-56-0x0000000000000000-mapping.dmp

Download
memory/2020-84-0x00000000012F0000-0x00000000012F9000-memory.dmp

Filesize
36KB

Download
memory/2020-104-0x0000000000000000-mapping.dmp

Download
memory/2020-107-0x0000000001270000-0x000000000153A000-memory.dmp

Filesize
2.8MB

Download
memory/2020-79-0x0000000000400000-0x0000000000AFD000-memory.dmp

Filesize
7.0MB

Download