bitrat | cdc6aef29d300c937b80abade4022803e565f3895b697dbcddc11fe36e19d0f5

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-09-2022 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

7.0MB
MD5

90d11bc40e17839b51fcf6a2f0aebb12
SHA1

66139f98aa2efbde94c5a6d5b6abd7099b1ac8b7
SHA256

cdc6aef29d300c937b80abade4022803e565f3895b697dbcddc11fe36e19d0f5
SHA512

27298c219857f990a8cd8920e6380ffcac3d2952690df6b5d88833a085abaca2933a4637b7aeabbe83ed3c069d59895b583eb60950742ae299b718271d82e29b
SSDEEP

196608:SmA20NKKI/0BfjFj0U5mEqddH/qW907NKHBk/alv/bgNTtNalBMskBQFs8AbA9mv:ST20NKKI/0BfjFj0U5mEqddH/qW907NE

Score

10^/10

bitrat quasar yoworld aspackv2 persistence spyware trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

anubisgod.duckdns.org:1440

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
install_dir
spottifyy
install_file
spottifyy.exe
tor_process
tor

Extracted

Family

quasar

Version

1.4.0

Botnet

Yoworld

anubisgod.duckdns.org:1338

Mutex

ec434dcc-84b6-4a93-9358-be83ce93fef5

Attributes

encryption_key
0411D8B9B23547F86733347B0634010F112E158F
install_name
Dlscord.exe
log_directory
DlscordLogs
reconnect_delay
3000
startup_key
Dlscord
subdirectory
Dlscord

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 7 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Yoworld.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Yoworld.exe	family_quasar
\Users\Admin\AppData\Roaming\Yoworld.exe	family_quasar
behavioral1/memory/1760-83-0x0000000000AE0000-0x0000000000DAA000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\Dlscord\Dlscord.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Dlscord\Dlscord.exe	family_quasar
behavioral1/memory/1656-105-0x00000000013C0000-0x000000000168A000-memory.dmp	family_quasar

ASPack v2.12-2.42 8 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\WaZjnQ.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\WaZjnQ.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\WaZjnQ.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\WaZjnQ.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\WgUvKD.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\WgUvKD.exe	aspack_v212_v242

Executes dropped EXE 6 IoCs

Processes:

WaZjnQ.exeBVGExpliot.exeYoworld.exeBitduckspottifynew.exeWgUvKD.exeDlscord.exe

pid process

1168 WaZjnQ.exe
908 BVGExpliot.exe
1760 Yoworld.exe
1736 Bitduckspottifynew.exe
1848 WgUvKD.exe
1656 Dlscord.exe
Loads dropped DLL 9 IoCs

Processes:

tmp.execmd.execmd.execmd.exeBitduckspottifynew.exe

pid process

1884 tmp.exe
1884 tmp.exe
1656 cmd.exe
1656 cmd.exe
1076 cmd.exe
1076 cmd.exe
292 cmd.exe
1736 Bitduckspottifynew.exe
1736 Bitduckspottifynew.exe

pid	process
1168	WaZjnQ.exe
908	BVGExpliot.exe
1760	Yoworld.exe
1736	Bitduckspottifynew.exe
1848	WgUvKD.exe
1656	Dlscord.exe

pid	process
1884	tmp.exe
1884	tmp.exe
1656	cmd.exe
1656	cmd.exe
1076	cmd.exe
1076	cmd.exe
292	cmd.exe
1736	Bitduckspottifynew.exe
1736	Bitduckspottifynew.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Bitduckspottifynew.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\spottifyy = "C:\\Users\\Admin\\AppData\\Local\\spottifyy\\spottifyy.exe"	Bitduckspottifynew.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

Bitduckspottifynew.exe

pid process

1736 Bitduckspottifynew.exe
1736 Bitduckspottifynew.exe
1736 Bitduckspottifynew.exe
1736 Bitduckspottifynew.exe

pid	process
1736	Bitduckspottifynew.exe
1736	Bitduckspottifynew.exe
1736	Bitduckspottifynew.exe
1736	Bitduckspottifynew.exe

Drops file in Program Files directory 64 IoCs

Processes:

WgUvKD.exeWaZjnQ.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	WaZjnQ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	WaZjnQ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe	WaZjnQ.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\sidebar.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-hang-ui.exe	WaZjnQ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	WaZjnQ.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wab.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	WaZjnQ.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	WaZjnQ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler.exe	WaZjnQ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	WaZjnQ.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE	WaZjnQ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Windows Sidebar\sidebar.exe	WaZjnQ.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE	WgUvKD.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	WaZjnQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

900 schtasks.exe
880 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exeBVGExpliot.exe

pid process

2016 powershell.exe
1536 powershell.exe
908 BVGExpliot.exe

pid	process
900	schtasks.exe
880	schtasks.exe

pid	process
2016	powershell.exe
1536	powershell.exe
908	BVGExpliot.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

Yoworld.exepowershell.exeBitduckspottifynew.exeDlscord.exepowershell.exeBVGExpliot.exe

description	pid	process
Token: SeDebugPrivilege	1760	Yoworld.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	1736	Bitduckspottifynew.exe
Token: SeShutdownPrivilege	1736	Bitduckspottifynew.exe
Token: SeDebugPrivilege	1656	Dlscord.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	908	BVGExpliot.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Bitduckspottifynew.exeDlscord.exe

pid process

1736 Bitduckspottifynew.exe
1736 Bitduckspottifynew.exe
1656 Dlscord.exe

pid	process
1736	Bitduckspottifynew.exe
1736	Bitduckspottifynew.exe
1656	Dlscord.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.execmd.execmd.execmd.execmd.exeBitduckspottifynew.exeYoworld.exeDlscord.exeWaZjnQ.exeWgUvKD.exe

description	pid	process	target process
PID 1884 wrote to memory of 1168	1884	tmp.exe	WaZjnQ.exe
PID 1884 wrote to memory of 1168	1884	tmp.exe	WaZjnQ.exe
PID 1884 wrote to memory of 1168	1884	tmp.exe	WaZjnQ.exe
PID 1884 wrote to memory of 1168	1884	tmp.exe	WaZjnQ.exe
PID 1884 wrote to memory of 1988	1884	tmp.exe	cmd.exe
PID 1884 wrote to memory of 1988	1884	tmp.exe	cmd.exe
PID 1884 wrote to memory of 1988	1884	tmp.exe	cmd.exe
PID 1884 wrote to memory of 1988	1884	tmp.exe	cmd.exe
PID 1884 wrote to memory of 1956	1884	tmp.exe	cmd.exe
PID 1884 wrote to memory of 1956	1884	tmp.exe	cmd.exe
PID 1884 wrote to memory of 1956	1884	tmp.exe	cmd.exe
PID 1884 wrote to memory of 1956	1884	tmp.exe	cmd.exe
PID 1884 wrote to memory of 1656	1884	tmp.exe	cmd.exe
PID 1884 wrote to memory of 1656	1884	tmp.exe	cmd.exe
PID 1884 wrote to memory of 1656	1884	tmp.exe	cmd.exe
PID 1884 wrote to memory of 1656	1884	tmp.exe	cmd.exe
PID 1988 wrote to memory of 2016	1988	cmd.exe	powershell.exe
PID 1988 wrote to memory of 2016	1988	cmd.exe	powershell.exe
PID 1988 wrote to memory of 2016	1988	cmd.exe	powershell.exe
PID 1988 wrote to memory of 2016	1988	cmd.exe	powershell.exe
PID 1656 wrote to memory of 908	1656	cmd.exe	BVGExpliot.exe
PID 1656 wrote to memory of 908	1656	cmd.exe	BVGExpliot.exe
PID 1656 wrote to memory of 908	1656	cmd.exe	BVGExpliot.exe
PID 1656 wrote to memory of 908	1656	cmd.exe	BVGExpliot.exe
PID 1884 wrote to memory of 1076	1884	tmp.exe	cmd.exe
PID 1884 wrote to memory of 1076	1884	tmp.exe	cmd.exe
PID 1884 wrote to memory of 1076	1884	tmp.exe	cmd.exe
PID 1884 wrote to memory of 1076	1884	tmp.exe	cmd.exe
PID 1884 wrote to memory of 292	1884	tmp.exe	cmd.exe
PID 1884 wrote to memory of 292	1884	tmp.exe	cmd.exe
PID 1884 wrote to memory of 292	1884	tmp.exe	cmd.exe
PID 1884 wrote to memory of 292	1884	tmp.exe	cmd.exe
PID 1076 wrote to memory of 1736	1076	cmd.exe	Bitduckspottifynew.exe
PID 1076 wrote to memory of 1736	1076	cmd.exe	Bitduckspottifynew.exe
PID 1076 wrote to memory of 1736	1076	cmd.exe	Bitduckspottifynew.exe
PID 1076 wrote to memory of 1736	1076	cmd.exe	Bitduckspottifynew.exe
PID 292 wrote to memory of 1760	292	cmd.exe	Yoworld.exe
PID 292 wrote to memory of 1760	292	cmd.exe	Yoworld.exe
PID 292 wrote to memory of 1760	292	cmd.exe	Yoworld.exe
PID 292 wrote to memory of 1760	292	cmd.exe	Yoworld.exe
PID 1736 wrote to memory of 1848	1736	Bitduckspottifynew.exe	WgUvKD.exe
PID 1736 wrote to memory of 1848	1736	Bitduckspottifynew.exe	WgUvKD.exe
PID 1736 wrote to memory of 1848	1736	Bitduckspottifynew.exe	WgUvKD.exe
PID 1736 wrote to memory of 1848	1736	Bitduckspottifynew.exe	WgUvKD.exe
PID 1760 wrote to memory of 900	1760	Yoworld.exe	schtasks.exe
PID 1760 wrote to memory of 900	1760	Yoworld.exe	schtasks.exe
PID 1760 wrote to memory of 900	1760	Yoworld.exe	schtasks.exe
PID 1760 wrote to memory of 1656	1760	Yoworld.exe	Dlscord.exe
PID 1760 wrote to memory of 1656	1760	Yoworld.exe	Dlscord.exe
PID 1760 wrote to memory of 1656	1760	Yoworld.exe	Dlscord.exe
PID 1988 wrote to memory of 1536	1988	cmd.exe	powershell.exe
PID 1988 wrote to memory of 1536	1988	cmd.exe	powershell.exe
PID 1988 wrote to memory of 1536	1988	cmd.exe	powershell.exe
PID 1988 wrote to memory of 1536	1988	cmd.exe	powershell.exe
PID 1656 wrote to memory of 880	1656	Dlscord.exe	schtasks.exe
PID 1656 wrote to memory of 880	1656	Dlscord.exe	schtasks.exe
PID 1656 wrote to memory of 880	1656	Dlscord.exe	schtasks.exe
PID 1168 wrote to memory of 1696	1168	WaZjnQ.exe	cmd.exe
PID 1168 wrote to memory of 1696	1168	WaZjnQ.exe	cmd.exe
PID 1168 wrote to memory of 1696	1168	WaZjnQ.exe	cmd.exe
PID 1168 wrote to memory of 1696	1168	WaZjnQ.exe	cmd.exe
PID 1848 wrote to memory of 436	1848	WgUvKD.exe	cmd.exe
PID 1848 wrote to memory of 436	1848	WgUvKD.exe	cmd.exe
PID 1848 wrote to memory of 436	1848	WgUvKD.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1884

C:\Users\Admin\AppData\Local\Temp\WaZjnQ.exe
C:\Users\Admin\AppData\Local\Temp\WaZjnQ.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\120d7a8e.bat" "
3⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Users\Admin\AppData\Local\Temp\Trace eraser.reg
2⤵
PID:1956

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Users\Admin\AppData\Local\Temp\BVGExpliot.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656

C:\Users\Admin\AppData\Local\Temp\BVGExpliot.exe
C:\Users\Admin\AppData\Local\Temp\BVGExpliot.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Users\Admin\AppData\Roaming\Bitduckspottifynew.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1076

C:\Users\Admin\AppData\Roaming\Bitduckspottifynew.exe
C:\Users\Admin\AppData\Roaming\Bitduckspottifynew.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1736

C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe
C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\172f4812.bat" "
5⤵
PID:436

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Users\Admin\AppData\Roaming\Yoworld.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:292

C:\Users\Admin\AppData\Roaming\Yoworld.exe
C:\Users\Admin\AppData\Roaming\Yoworld.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Dlscord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Yoworld.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:900

C:\Users\Admin\AppData\Roaming\Dlscord\Dlscord.exe
"C:\Users\Admin\AppData\Roaming\Dlscord\Dlscord.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Dlscord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Dlscord\Dlscord.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Uninstall.exe
Filesize
31KB

MD5
9459a7a7f158f7413e1f2fdb2ea1173a

SHA1
a31706da36c0fc947682ce9b65be1ff44bea5692

SHA256
d82f8df732bedac206a1802e25682addb7f10d9a1e93be01aa98141cad87b417

SHA512
0622648c0d0ba3c02c94099f51a46df022c488d5648eaa5e8b00a18dd572318ada265488d56ec6c19cc418225163612d4392eeb5ee026df441a30927667a1868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3XPFXPM5\k2[1].rar
Filesize
4B

MD5
d3b07384d113edec49eaa6238ad5ff00

SHA1
f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

SHA256
b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

SHA512
0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6ORS647J\k4[1].rar
Filesize
4B

MD5
d3b07384d113edec49eaa6238ad5ff00

SHA1
f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

SHA256
b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

SHA512
0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BG9XQTG0\k1[1].rar
Filesize
4B

MD5
d3b07384d113edec49eaa6238ad5ff00

SHA1
f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

SHA256
b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

SHA512
0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BG9XQTG0\k5[1].rar
Filesize
4B

MD5
d3b07384d113edec49eaa6238ad5ff00

SHA1
f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

SHA256
b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

SHA512
0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V72XLT2Z\k3[1].rar
Filesize
4B

MD5
d3b07384d113edec49eaa6238ad5ff00

SHA1
f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

SHA256
b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

SHA512
0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\120d7a8e.bat
Filesize
187B

MD5
d295cc67a19f9e7f0cd7037430f6b248

SHA1
7723598d0001b520e35ba495e7b136767a6a10b0

SHA256
8c33044ec18439fb922cc9db73f660f278030f4fda4deac726b16309c54e1052

SHA512
2f776cb3b9316b3a809a03688e4ae7e3eeaa44fb63276ffd25a17faba26cee94e8912ae9b613f6f5d68bddc1aae6ca58eac2d310202471ffd57e7f138dccc3e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\172f4812.bat
Filesize
187B

MD5
c910537e03cffaa37a44504ca6713d81

SHA1
94ebdc23d80dbedc26c4f612150115c32157da7c

SHA256
eb3fdb716206b32da5814c65a7e9b10cf3d739893947568b20d55c3088d12f34

SHA512
1b53da239d2e37bf00ddbaf8604f4783b88f68ce4d08016db4c5a6d058a5cee1d50a73c205641c67af272428d757cfde5a8a984bd6401e61adb5800d8c571a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\BVGExpliot.exe
Filesize
379KB

MD5
1a57ddbff38a587a70eb6b79cd2601e6

SHA1
aa72d592d8f70bd4ae1548c52faca921f57ea784

SHA256
d4de9c0be13c02b5a6efad6befb3b27c25fc3adcd1116dc05672e859a9d4e4cc

SHA512
54a91c427a112227a94fa388e0502c75f8b494e7cec42eafbea87e0c7cefdd7f546cf788fc2714a7750c1f11aad4f48be5377f394d26be9e731ca147a0d79d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BVGExpliot.exe
Filesize
379KB

MD5
1a57ddbff38a587a70eb6b79cd2601e6

SHA1
aa72d592d8f70bd4ae1548c52faca921f57ea784

SHA256
d4de9c0be13c02b5a6efad6befb3b27c25fc3adcd1116dc05672e859a9d4e4cc

SHA512
54a91c427a112227a94fa388e0502c75f8b494e7cec42eafbea87e0c7cefdd7f546cf788fc2714a7750c1f11aad4f48be5377f394d26be9e731ca147a0d79d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WaZjnQ.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WaZjnQ.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Roaming\Bitduckspottifynew.exe
Filesize
3.8MB

MD5
d208502b720a4c00ae55379a1adff4fe

SHA1
e2c71e9ba414e0070992a9d31e73c9203b48e876

SHA256
0872edd378b3fe1c0f7f5754b8716306291632836040f888bdf1ef87e4d512b4

SHA512
a3295a755d0134246ce726a17b332ab844c4e54a0ac1c30c5ee24d17f20319422bfb1d20a22a8c70cb4b88e3758ae47ca6a1ae40d7d80819b0f3aab922a65363

Download Submit
C:\Users\Admin\AppData\Roaming\Bitduckspottifynew.exe
Filesize
3.8MB

MD5
d208502b720a4c00ae55379a1adff4fe

SHA1
e2c71e9ba414e0070992a9d31e73c9203b48e876

SHA256
0872edd378b3fe1c0f7f5754b8716306291632836040f888bdf1ef87e4d512b4

SHA512
a3295a755d0134246ce726a17b332ab844c4e54a0ac1c30c5ee24d17f20319422bfb1d20a22a8c70cb4b88e3758ae47ca6a1ae40d7d80819b0f3aab922a65363

Download Submit
C:\Users\Admin\AppData\Roaming\Dlscord\Dlscord.exe
Filesize
2.8MB

MD5
8df0a6df45fc592b75ac6b99b2093c88

SHA1
63b0688d48a9fb81a87d81d4a523854428a526af

SHA256
82c6a9a76749761515dc8bc59f127a6b5f3155f8cb4c79dd378478483623c587

SHA512
f5360f6aaccdf31362327707bf6f337611ac22fb0a7f4fe279f8ec023fb5939dca8fabacd2fd9354197e9d99e5d9fe1f90025302e6f08301fb5df2cbfc81a9db

Download Submit
C:\Users\Admin\AppData\Roaming\Dlscord\Dlscord.exe
Filesize
2.8MB

MD5
8df0a6df45fc592b75ac6b99b2093c88

SHA1
63b0688d48a9fb81a87d81d4a523854428a526af

SHA256
82c6a9a76749761515dc8bc59f127a6b5f3155f8cb4c79dd378478483623c587

SHA512
f5360f6aaccdf31362327707bf6f337611ac22fb0a7f4fe279f8ec023fb5939dca8fabacd2fd9354197e9d99e5d9fe1f90025302e6f08301fb5df2cbfc81a9db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
f199fccd447738d2f1328b9c097568fa

SHA1
6f92959bd336db431d7fb1fdb0d3bc8ab4b6e43d

SHA256
0afa68bf5ff173ae5149a08884d0ec55d1326d03a920206f5f473965b33e6e48

SHA512
378e02259b02d2c294b435a978bf94c8fe923850f672094b9afbad02d4c4d357b53d011455cf0ffaa46d48debf2b23fb784cd662eb2f4cb12e35e96f218b4258

Download Submit
C:\Users\Admin\AppData\Roaming\Yoworld.exe
Filesize
2.8MB

MD5
8df0a6df45fc592b75ac6b99b2093c88

SHA1
63b0688d48a9fb81a87d81d4a523854428a526af

SHA256
82c6a9a76749761515dc8bc59f127a6b5f3155f8cb4c79dd378478483623c587

SHA512
f5360f6aaccdf31362327707bf6f337611ac22fb0a7f4fe279f8ec023fb5939dca8fabacd2fd9354197e9d99e5d9fe1f90025302e6f08301fb5df2cbfc81a9db

Download Submit
C:\Users\Admin\AppData\Roaming\Yoworld.exe
Filesize
2.8MB

MD5
8df0a6df45fc592b75ac6b99b2093c88

SHA1
63b0688d48a9fb81a87d81d4a523854428a526af

SHA256
82c6a9a76749761515dc8bc59f127a6b5f3155f8cb4c79dd378478483623c587

SHA512
f5360f6aaccdf31362327707bf6f337611ac22fb0a7f4fe279f8ec023fb5939dca8fabacd2fd9354197e9d99e5d9fe1f90025302e6f08301fb5df2cbfc81a9db

Download Submit
\Users\Admin\AppData\Local\Temp\BVGExpliot.exe
Filesize
379KB

MD5
1a57ddbff38a587a70eb6b79cd2601e6

SHA1
aa72d592d8f70bd4ae1548c52faca921f57ea784

SHA256
d4de9c0be13c02b5a6efad6befb3b27c25fc3adcd1116dc05672e859a9d4e4cc

SHA512
54a91c427a112227a94fa388e0502c75f8b494e7cec42eafbea87e0c7cefdd7f546cf788fc2714a7750c1f11aad4f48be5377f394d26be9e731ca147a0d79d8c

Download Submit
\Users\Admin\AppData\Local\Temp\BVGExpliot.exe
Filesize
379KB

MD5
1a57ddbff38a587a70eb6b79cd2601e6

SHA1
aa72d592d8f70bd4ae1548c52faca921f57ea784

SHA256
d4de9c0be13c02b5a6efad6befb3b27c25fc3adcd1116dc05672e859a9d4e4cc

SHA512
54a91c427a112227a94fa388e0502c75f8b494e7cec42eafbea87e0c7cefdd7f546cf788fc2714a7750c1f11aad4f48be5377f394d26be9e731ca147a0d79d8c

Download Submit
\Users\Admin\AppData\Local\Temp\WaZjnQ.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
\Users\Admin\AppData\Local\Temp\WaZjnQ.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
\Users\Admin\AppData\Local\Temp\WgUvKD.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
\Users\Admin\AppData\Local\Temp\WgUvKD.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
\Users\Admin\AppData\Roaming\Bitduckspottifynew.exe
Filesize
3.8MB

MD5
d208502b720a4c00ae55379a1adff4fe

SHA1
e2c71e9ba414e0070992a9d31e73c9203b48e876

SHA256
0872edd378b3fe1c0f7f5754b8716306291632836040f888bdf1ef87e4d512b4

SHA512
a3295a755d0134246ce726a17b332ab844c4e54a0ac1c30c5ee24d17f20319422bfb1d20a22a8c70cb4b88e3758ae47ca6a1ae40d7d80819b0f3aab922a65363

Download Submit
\Users\Admin\AppData\Roaming\Bitduckspottifynew.exe
Filesize
3.8MB

MD5
d208502b720a4c00ae55379a1adff4fe

SHA1
e2c71e9ba414e0070992a9d31e73c9203b48e876

SHA256
0872edd378b3fe1c0f7f5754b8716306291632836040f888bdf1ef87e4d512b4

SHA512
a3295a755d0134246ce726a17b332ab844c4e54a0ac1c30c5ee24d17f20319422bfb1d20a22a8c70cb4b88e3758ae47ca6a1ae40d7d80819b0f3aab922a65363

Download Submit
\Users\Admin\AppData\Roaming\Yoworld.exe
Filesize
2.8MB

MD5
8df0a6df45fc592b75ac6b99b2093c88

SHA1
63b0688d48a9fb81a87d81d4a523854428a526af

SHA256
82c6a9a76749761515dc8bc59f127a6b5f3155f8cb4c79dd378478483623c587

SHA512
f5360f6aaccdf31362327707bf6f337611ac22fb0a7f4fe279f8ec023fb5939dca8fabacd2fd9354197e9d99e5d9fe1f90025302e6f08301fb5df2cbfc81a9db

Download Submit
memory/292-72-0x0000000000000000-mapping.dmp

Download
memory/436-122-0x0000000000000000-mapping.dmp

Download
memory/880-111-0x0000000000000000-mapping.dmp

Download
memory/900-101-0x0000000000000000-mapping.dmp

Download
memory/908-69-0x0000000000000000-mapping.dmp

Download
memory/908-82-0x0000000001310000-0x0000000001376000-memory.dmp

Filesize
408KB

Download
memory/908-118-0x0000000000C86000-0x0000000000CA5000-memory.dmp

Filesize
124KB

Download
memory/908-98-0x000007FEFB5C1000-0x000007FEFB5C3000-memory.dmp

Filesize
8KB

Download
memory/1076-70-0x0000000000000000-mapping.dmp

Download
memory/1168-94-0x00000000001D0000-0x00000000001D9000-memory.dmp

Filesize
36KB

Download
memory/1168-58-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download
memory/1168-116-0x00000000001D0000-0x00000000001D9000-memory.dmp

Filesize
36KB

Download
memory/1168-56-0x0000000000000000-mapping.dmp

Download
memory/1536-108-0x0000000000000000-mapping.dmp

Download
memory/1536-112-0x00000000727D0000-0x0000000072D7B000-memory.dmp

Filesize
5.7MB

Download
memory/1656-105-0x00000000013C0000-0x000000000168A000-memory.dmp

Filesize
2.8MB

Download
memory/1656-62-0x0000000000000000-mapping.dmp

Download
memory/1656-102-0x0000000000000000-mapping.dmp

Download
memory/1696-115-0x0000000000000000-mapping.dmp

Download
memory/1736-126-0x0000000001040000-0x0000000001049000-memory.dmp

Filesize
36KB

Download
memory/1736-125-0x0000000000400000-0x00000000007D3000-memory.dmp

Filesize
3.8MB

Download
memory/1736-93-0x0000000001040000-0x0000000001049000-memory.dmp

Filesize
36KB

Download
memory/1736-92-0x0000000001040000-0x0000000001049000-memory.dmp

Filesize
36KB

Download
memory/1736-91-0x0000000000400000-0x00000000007D3000-memory.dmp

Filesize
3.8MB

Download
memory/1736-77-0x0000000000000000-mapping.dmp

Download
memory/1760-83-0x0000000000AE0000-0x0000000000DAA000-memory.dmp

Filesize
2.8MB

Download
memory/1760-79-0x0000000000000000-mapping.dmp

Download
memory/1848-87-0x0000000000000000-mapping.dmp

Download
memory/1848-95-0x0000000001040000-0x0000000001049000-memory.dmp

Filesize
36KB

Download
memory/1848-123-0x0000000001040000-0x0000000001049000-memory.dmp

Filesize
36KB

Download
memory/1884-73-0x0000000000400000-0x0000000000AFD000-memory.dmp

Filesize
7.0MB

Download
memory/1956-61-0x0000000000000000-mapping.dmp

Download
memory/1988-60-0x0000000000000000-mapping.dmp

Download
memory/2016-64-0x0000000000000000-mapping.dmp

Download
memory/2016-107-0x0000000072D80000-0x000000007332B000-memory.dmp

Filesize
5.7MB

Download
memory/2016-99-0x0000000072D80000-0x000000007332B000-memory.dmp

Filesize
5.7MB

Download