bitrat | cdc6aef29d300c937b80abade4022803e565f3895b697dbcddc11fe36e19d0f5

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2022 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

7.0MB
MD5

90d11bc40e17839b51fcf6a2f0aebb12
SHA1

66139f98aa2efbde94c5a6d5b6abd7099b1ac8b7
SHA256

cdc6aef29d300c937b80abade4022803e565f3895b697dbcddc11fe36e19d0f5
SHA512

27298c219857f990a8cd8920e6380ffcac3d2952690df6b5d88833a085abaca2933a4637b7aeabbe83ed3c069d59895b583eb60950742ae299b718271d82e29b
SSDEEP

196608:SmA20NKKI/0BfjFj0U5mEqddH/qW907NKHBk/alv/bgNTtNalBMskBQFs8AbA9mv:ST20NKKI/0BfjFj0U5mEqddH/qW907NE

Score

10^/10

bitrat quasar yoworld aspackv2 persistence spyware trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

anubisgod.duckdns.org:1440

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
install_dir
spottifyy
install_file
spottifyy.exe
tor_process
tor

Extracted

Family

quasar

Version

1.4.0

Botnet

Yoworld

anubisgod.duckdns.org:1338

Mutex

ec434dcc-84b6-4a93-9358-be83ce93fef5

Attributes

encryption_key
0411D8B9B23547F86733347B0634010F112E158F
install_name
Dlscord.exe
log_directory
DlscordLogs
reconnect_delay
3000
startup_key
Dlscord
subdirectory
Dlscord

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Yoworld.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Yoworld.exe	family_quasar
behavioral2/memory/4848-157-0x00000000004E0000-0x00000000007AA000-memory.dmp	family_quasar

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\WaZjnQ.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\WaZjnQ.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe	aspack_v212_v242

Executes dropped EXE 5 IoCs

Processes:

WaZjnQ.exeBVGExpliot.exeBitduckspottifynew.exeYoworld.exeWgUvKD.exe

pid process

536 WaZjnQ.exe
4836 BVGExpliot.exe
4784 Bitduckspottifynew.exe
4848 Yoworld.exe
4332 WgUvKD.exe

pid	process
536	WaZjnQ.exe
4836	BVGExpliot.exe
4784	Bitduckspottifynew.exe
4848	Yoworld.exe
4332	WgUvKD.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WaZjnQ.exeWgUvKD.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WaZjnQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WgUvKD.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Bitduckspottifynew.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spottifyy = "C:\\Users\\Admin\\AppData\\Local\\spottifyy\\spottifyy.exe耀"	Bitduckspottifynew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spottifyy = "C:\\Users\\Admin\\AppData\\Local\\spottifyy\\spottifyy.exe"	Bitduckspottifynew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spottifyy = "C:\\Users\\Admin\\AppData\\Local\\spottifyy\\spottifyy.exe氀"	Bitduckspottifynew.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

Bitduckspottifynew.exe

pid process

4784 Bitduckspottifynew.exe
4784 Bitduckspottifynew.exe
4784 Bitduckspottifynew.exe
4784 Bitduckspottifynew.exe

pid	process
4784	Bitduckspottifynew.exe
4784	Bitduckspottifynew.exe
4784	Bitduckspottifynew.exe
4784	Bitduckspottifynew.exe

Drops file in Program Files directory 64 IoCs

Processes:

WaZjnQ.exeWgUvKD.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WORDICON.EXE	WaZjnQ.exe
File opened for modification	C:\Program Files\Windows Mail\wab.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	WgUvKD.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\fmui\fmui.exe	WgUvKD.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\3DViewer.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE	WaZjnQ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleApp.exe	WaZjnQ.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	WaZjnQ.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdate.exe	WaZjnQ.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Cortana.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\View3D.ResourceResolver.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Windows Mail\wab.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\WindowsCamera.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE	WaZjnQ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msotd.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleApp.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxTsr.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\chrome_installer.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Windows Mail\wabmig.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	WgUvKD.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Microsoft.WebMediaExtensions.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE	WaZjnQ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	WgUvKD.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\codecpacks.heif.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketch.exe	WaZjnQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4616 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

BVGExpliot.exepowershell.exepowershell.exe

pid process

4836 BVGExpliot.exe
4396 powershell.exe
4396 powershell.exe
8 powershell.exe
8 powershell.exe

pid	process
4616	schtasks.exe

pid	process
4836	BVGExpliot.exe
4396	powershell.exe
4396	powershell.exe
8	powershell.exe
8	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Yoworld.exeBVGExpliot.exepowershell.exeBitduckspottifynew.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4848	Yoworld.exe
Token: SeDebugPrivilege	4836	BVGExpliot.exe
Token: SeDebugPrivilege	4396	powershell.exe
Token: SeShutdownPrivilege	4784	Bitduckspottifynew.exe
Token: SeDebugPrivilege	8	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Bitduckspottifynew.exe

pid process

4784 Bitduckspottifynew.exe
4784 Bitduckspottifynew.exe

pid	process
4784	Bitduckspottifynew.exe
4784	Bitduckspottifynew.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

tmp.execmd.execmd.execmd.execmd.exeBitduckspottifynew.exeYoworld.exeWgUvKD.exeWaZjnQ.exe

description	pid	process	target process
PID 5000 wrote to memory of 536	5000	tmp.exe	WaZjnQ.exe
PID 5000 wrote to memory of 536	5000	tmp.exe	WaZjnQ.exe
PID 5000 wrote to memory of 536	5000	tmp.exe	WaZjnQ.exe
PID 5000 wrote to memory of 4764	5000	tmp.exe	cmd.exe
PID 5000 wrote to memory of 4764	5000	tmp.exe	cmd.exe
PID 5000 wrote to memory of 4764	5000	tmp.exe	cmd.exe
PID 5000 wrote to memory of 2120	5000	tmp.exe	cmd.exe
PID 5000 wrote to memory of 2120	5000	tmp.exe	cmd.exe
PID 5000 wrote to memory of 2120	5000	tmp.exe	cmd.exe
PID 5000 wrote to memory of 4992	5000	tmp.exe	cmd.exe
PID 5000 wrote to memory of 4992	5000	tmp.exe	cmd.exe
PID 5000 wrote to memory of 4992	5000	tmp.exe	cmd.exe
PID 5000 wrote to memory of 1352	5000	tmp.exe	cmd.exe
PID 5000 wrote to memory of 1352	5000	tmp.exe	cmd.exe
PID 5000 wrote to memory of 1352	5000	tmp.exe	cmd.exe
PID 5000 wrote to memory of 4416	5000	tmp.exe	cmd.exe
PID 5000 wrote to memory of 4416	5000	tmp.exe	cmd.exe
PID 5000 wrote to memory of 4416	5000	tmp.exe	cmd.exe
PID 4764 wrote to memory of 4396	4764	cmd.exe	powershell.exe
PID 4764 wrote to memory of 4396	4764	cmd.exe	powershell.exe
PID 4764 wrote to memory of 4396	4764	cmd.exe	powershell.exe
PID 4992 wrote to memory of 4836	4992	cmd.exe	BVGExpliot.exe
PID 4992 wrote to memory of 4836	4992	cmd.exe	BVGExpliot.exe
PID 1352 wrote to memory of 4784	1352	cmd.exe	Bitduckspottifynew.exe
PID 1352 wrote to memory of 4784	1352	cmd.exe	Bitduckspottifynew.exe
PID 1352 wrote to memory of 4784	1352	cmd.exe	Bitduckspottifynew.exe
PID 4416 wrote to memory of 4848	4416	cmd.exe	Yoworld.exe
PID 4416 wrote to memory of 4848	4416	cmd.exe	Yoworld.exe
PID 4784 wrote to memory of 4332	4784	Bitduckspottifynew.exe	WgUvKD.exe
PID 4784 wrote to memory of 4332	4784	Bitduckspottifynew.exe	WgUvKD.exe
PID 4784 wrote to memory of 4332	4784	Bitduckspottifynew.exe	WgUvKD.exe
PID 4848 wrote to memory of 4616	4848	Yoworld.exe	schtasks.exe
PID 4848 wrote to memory of 4616	4848	Yoworld.exe	schtasks.exe
PID 4332 wrote to memory of 912	4332	WgUvKD.exe	cmd.exe
PID 4332 wrote to memory of 912	4332	WgUvKD.exe	cmd.exe
PID 4332 wrote to memory of 912	4332	WgUvKD.exe	cmd.exe
PID 536 wrote to memory of 4296	536	WaZjnQ.exe	cmd.exe
PID 536 wrote to memory of 4296	536	WaZjnQ.exe	cmd.exe
PID 536 wrote to memory of 4296	536	WaZjnQ.exe	cmd.exe
PID 4764 wrote to memory of 8	4764	cmd.exe	powershell.exe
PID 4764 wrote to memory of 8	4764	cmd.exe	powershell.exe
PID 4764 wrote to memory of 8	4764	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5000

C:\Users\Admin\AppData\Local\Temp\WaZjnQ.exe
C:\Users\Admin\AppData\Local\Temp\WaZjnQ.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\49385b69.bat" "
3⤵
PID:4296

C:\Windows\SysWOW64\cmd.exe
cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4764

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4396

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:8

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Users\Admin\AppData\Local\Temp\Trace eraser.reg
2⤵
PID:2120

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Users\Admin\AppData\Local\Temp\BVGExpliot.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4992

C:\Users\Admin\AppData\Local\Temp\BVGExpliot.exe
C:\Users\Admin\AppData\Local\Temp\BVGExpliot.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4836

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Users\Admin\AppData\Roaming\Bitduckspottifynew.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1352

C:\Users\Admin\AppData\Roaming\Bitduckspottifynew.exe
C:\Users\Admin\AppData\Roaming\Bitduckspottifynew.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4784

C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe
C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3d422760.bat" "
5⤵
PID:912

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Users\Admin\AppData\Roaming\Yoworld.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4416

C:\Users\Admin\AppData\Roaming\Yoworld.exe
C:\Users\Admin\AppData\Roaming\Yoworld.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Dlscord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Yoworld.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:4616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Uninstall.exe

Filesize
31KB

MD5
cd5c417fc787d1983c9063754f018b23

SHA1
24bd031d2354bfeee0f5644d1a19dbf55f5e309a

SHA256
10b1f31492d29bbf0134db87487cfd2ab555595857d61d9b362a86f6b8d9d0ab

SHA512
47d2b035df4655baa68ace2a9032ce463500f91d49f09f12682567f85c3e14d82c71ec4ac032bb6eb3c8054916f40be6582f21d3a4fc64e40c3612f086e5334e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
a648a11e48e532b82de54471a5ed8927

SHA1
055761c724aa462d86e4501fedcc5da4b35385d8

SHA256
b367c675625161aa86f11eba48ff32305c36c22b2db92a0b7bbf30302e9a59b1

SHA512
ed5fea9d3c2ae1b65dda810ea4b696432fac097003c3555fb87a7a5d1605d0c78ed15b959bc45da20b20b064a926bc1ec0fa3f7a0f2944dabdd6e8e75e7cb928

Download Submit
C:\Users\Admin\AppData\Local\Temp\3d422760.bat

Filesize
187B

MD5
19da849af0d0ab760683f298a6df966e

SHA1
652707b70884c0edcd3cdaae8f964c9919b13f82

SHA256
0ffd885f28fbf2458e2ae6d4c01d7a306a4478e90d80e44ad549608a007f2636

SHA512
2fbfec50501a7d096a529f64b5087fa47bbbb85739cf54e435b8a9e8c26faf1a3a19d9e82ef838687c227b3c7db8c86081cc3a5af12541874921a539495e051c

Download Submit
C:\Users\Admin\AppData\Local\Temp\49385b69.bat

Filesize
187B

MD5
e440b8dc6a6bf50262d22f093201fe08

SHA1
acf223600f0f6f0b80d4c24eb114031703955fd5

SHA256
1a6588766695fc025eb31a4817c482605b6090181cc21ba98ca7cc48b9303e94

SHA512
523b9b6765b54dd07ecbc4669552953b4005d8864aaeadf0c7e38c3ed17165a22bed538bc3aa81e6ac6ca4752adfaca38d036d58cdfab979eb398c2df27a0bb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\BVGExpliot.exe

Filesize
379KB

MD5
1a57ddbff38a587a70eb6b79cd2601e6

SHA1
aa72d592d8f70bd4ae1548c52faca921f57ea784

SHA256
d4de9c0be13c02b5a6efad6befb3b27c25fc3adcd1116dc05672e859a9d4e4cc

SHA512
54a91c427a112227a94fa388e0502c75f8b494e7cec42eafbea87e0c7cefdd7f546cf788fc2714a7750c1f11aad4f48be5377f394d26be9e731ca147a0d79d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BVGExpliot.exe

Filesize
379KB

MD5
1a57ddbff38a587a70eb6b79cd2601e6

SHA1
aa72d592d8f70bd4ae1548c52faca921f57ea784

SHA256
d4de9c0be13c02b5a6efad6befb3b27c25fc3adcd1116dc05672e859a9d4e4cc

SHA512
54a91c427a112227a94fa388e0502c75f8b494e7cec42eafbea87e0c7cefdd7f546cf788fc2714a7750c1f11aad4f48be5377f394d26be9e731ca147a0d79d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WaZjnQ.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WaZjnQ.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Roaming\Bitduckspottifynew.exe

Filesize
3.8MB

MD5
d208502b720a4c00ae55379a1adff4fe

SHA1
e2c71e9ba414e0070992a9d31e73c9203b48e876

SHA256
0872edd378b3fe1c0f7f5754b8716306291632836040f888bdf1ef87e4d512b4

SHA512
a3295a755d0134246ce726a17b332ab844c4e54a0ac1c30c5ee24d17f20319422bfb1d20a22a8c70cb4b88e3758ae47ca6a1ae40d7d80819b0f3aab922a65363

Download Submit
C:\Users\Admin\AppData\Roaming\Bitduckspottifynew.exe

Filesize
3.8MB

MD5
d208502b720a4c00ae55379a1adff4fe

SHA1
e2c71e9ba414e0070992a9d31e73c9203b48e876

SHA256
0872edd378b3fe1c0f7f5754b8716306291632836040f888bdf1ef87e4d512b4

SHA512
a3295a755d0134246ce726a17b332ab844c4e54a0ac1c30c5ee24d17f20319422bfb1d20a22a8c70cb4b88e3758ae47ca6a1ae40d7d80819b0f3aab922a65363

Download Submit
C:\Users\Admin\AppData\Roaming\Yoworld.exe

Filesize
2.8MB

MD5
8df0a6df45fc592b75ac6b99b2093c88

SHA1
63b0688d48a9fb81a87d81d4a523854428a526af

SHA256
82c6a9a76749761515dc8bc59f127a6b5f3155f8cb4c79dd378478483623c587

SHA512
f5360f6aaccdf31362327707bf6f337611ac22fb0a7f4fe279f8ec023fb5939dca8fabacd2fd9354197e9d99e5d9fe1f90025302e6f08301fb5df2cbfc81a9db

Download Submit
C:\Users\Admin\AppData\Roaming\Yoworld.exe

Filesize
2.8MB

MD5
8df0a6df45fc592b75ac6b99b2093c88

SHA1
63b0688d48a9fb81a87d81d4a523854428a526af

SHA256
82c6a9a76749761515dc8bc59f127a6b5f3155f8cb4c79dd378478483623c587

SHA512
f5360f6aaccdf31362327707bf6f337611ac22fb0a7f4fe279f8ec023fb5939dca8fabacd2fd9354197e9d99e5d9fe1f90025302e6f08301fb5df2cbfc81a9db

Download Submit
memory/8-195-0x00000000746C0000-0x000000007470C000-memory.dmp

Filesize
304KB

Download
memory/8-192-0x0000000000000000-mapping.dmp

Download
memory/536-179-0x00000000006D0000-0x00000000006D9000-memory.dmp

Filesize
36KB

Download
memory/536-132-0x0000000000000000-mapping.dmp

Download
memory/536-141-0x00000000006D0000-0x00000000006D9000-memory.dmp

Filesize
36KB

Download
memory/912-176-0x0000000000000000-mapping.dmp

Download
memory/1352-138-0x0000000000000000-mapping.dmp

Download
memory/2120-136-0x0000000000000000-mapping.dmp

Download
memory/4296-177-0x0000000000000000-mapping.dmp

Download
memory/4332-178-0x0000000000250000-0x0000000000259000-memory.dmp

Filesize
36KB

Download
memory/4332-163-0x0000000000250000-0x0000000000259000-memory.dmp

Filesize
36KB

Download
memory/4332-152-0x0000000000000000-mapping.dmp

Download
memory/4396-189-0x0000000007620000-0x000000000762E000-memory.dmp

Filesize
56KB

Download
memory/4396-188-0x0000000007670000-0x0000000007706000-memory.dmp

Filesize
600KB

Download
memory/4396-160-0x00000000050A0000-0x00000000056C8000-memory.dmp

Filesize
6.2MB

Download
memory/4396-183-0x0000000071C40000-0x0000000071C8C000-memory.dmp

Filesize
304KB

Download
memory/4396-158-0x00000000049C0000-0x00000000049F6000-memory.dmp

Filesize
216KB

Download
memory/4396-164-0x00000000056D0000-0x00000000056F2000-memory.dmp

Filesize
136KB

Download
memory/4396-165-0x0000000005850000-0x00000000058B6000-memory.dmp

Filesize
408KB

Download
memory/4396-166-0x0000000005930000-0x0000000005996000-memory.dmp

Filesize
408KB

Download
memory/4396-142-0x0000000000000000-mapping.dmp

Download
memory/4396-184-0x0000000006600000-0x000000000661E000-memory.dmp

Filesize
120KB

Download
memory/4396-191-0x0000000007660000-0x0000000007668000-memory.dmp

Filesize
32KB

Download
memory/4396-190-0x0000000007710000-0x000000000772A000-memory.dmp

Filesize
104KB

Download
memory/4396-185-0x0000000007A50000-0x00000000080CA000-memory.dmp

Filesize
6.5MB

Download
memory/4396-182-0x0000000006620000-0x0000000006652000-memory.dmp

Filesize
200KB

Download
memory/4396-187-0x0000000007450000-0x000000000745A000-memory.dmp

Filesize
40KB

Download
memory/4396-186-0x00000000073F0000-0x000000000740A000-memory.dmp

Filesize
104KB

Download
memory/4396-175-0x00000000060F0000-0x000000000610E000-memory.dmp

Filesize
120KB

Download
memory/4416-139-0x0000000000000000-mapping.dmp

Download
memory/4616-168-0x0000000000000000-mapping.dmp

Download
memory/4764-134-0x0000000000000000-mapping.dmp

Download
memory/4784-196-0x0000000073EA0000-0x0000000073ED9000-memory.dmp

Filesize
228KB

Download
memory/4784-201-0x000000006FF20000-0x000000006FF59000-memory.dmp

Filesize
228KB

Download
memory/4784-144-0x0000000000000000-mapping.dmp

Download
memory/4784-208-0x0000000074D40000-0x0000000074D79000-memory.dmp

Filesize
228KB

Download
memory/4784-207-0x0000000074D40000-0x0000000074D79000-memory.dmp

Filesize
228KB

Download
memory/4784-206-0x0000000074D40000-0x0000000074D79000-memory.dmp

Filesize
228KB

Download
memory/4784-159-0x0000000000400000-0x00000000007D3000-memory.dmp

Filesize
3.8MB

Download
memory/4784-205-0x0000000074D40000-0x0000000074D79000-memory.dmp

Filesize
228KB

Download
memory/4784-173-0x0000000000400000-0x00000000007D3000-memory.dmp

Filesize
3.8MB

Download
memory/4784-204-0x0000000073EA0000-0x0000000073ED9000-memory.dmp

Filesize
228KB

Download
memory/4784-203-0x0000000074D40000-0x0000000074D79000-memory.dmp

Filesize
228KB

Download
memory/4784-170-0x000000006FEA0000-0x000000006FED9000-memory.dmp

Filesize
228KB

Download
memory/4784-169-0x000000006FF20000-0x000000006FF59000-memory.dmp

Filesize
228KB

Download
memory/4784-167-0x000000006FF20000-0x000000006FF59000-memory.dmp

Filesize
228KB

Download
memory/4784-202-0x000000006FEA0000-0x000000006FED9000-memory.dmp

Filesize
228KB

Download
memory/4784-200-0x000000006FF20000-0x000000006FF59000-memory.dmp

Filesize
228KB

Download
memory/4784-199-0x0000000074D40000-0x0000000074D79000-memory.dmp

Filesize
228KB

Download
memory/4784-198-0x0000000074D40000-0x0000000074D79000-memory.dmp

Filesize
228KB

Download
memory/4784-197-0x0000000074D40000-0x0000000074D79000-memory.dmp

Filesize
228KB

Download
memory/4836-161-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp

Filesize
10.8MB

Download
memory/4836-172-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp

Filesize
10.8MB

Download
memory/4836-156-0x0000000000A00000-0x0000000000A66000-memory.dmp

Filesize
408KB

Download
memory/4836-143-0x0000000000000000-mapping.dmp

Download
memory/4848-162-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp

Filesize
10.8MB

Download
memory/4848-145-0x0000000000000000-mapping.dmp

Download
memory/4848-174-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp

Filesize
10.8MB

Download
memory/4848-157-0x00000000004E0000-0x00000000007AA000-memory.dmp

Filesize
2.8MB

Download
memory/4992-137-0x0000000000000000-mapping.dmp

Download
memory/5000-140-0x0000000000400000-0x0000000000AFD000-memory.dmp

Filesize
7.0MB

Download
memory/5000-171-0x0000000000400000-0x0000000000AFD000-memory.dmp

Filesize
7.0MB

Download