bitrat | cdc6aef29d300c937b80abade4022803e565f3895b697dbcddc11fe36e19d0f5

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2022 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

7.0MB
MD5

90d11bc40e17839b51fcf6a2f0aebb12
SHA1

66139f98aa2efbde94c5a6d5b6abd7099b1ac8b7
SHA256

cdc6aef29d300c937b80abade4022803e565f3895b697dbcddc11fe36e19d0f5
SHA512

27298c219857f990a8cd8920e6380ffcac3d2952690df6b5d88833a085abaca2933a4637b7aeabbe83ed3c069d59895b583eb60950742ae299b718271d82e29b
SSDEEP

196608:SmA20NKKI/0BfjFj0U5mEqddH/qW907NKHBk/alv/bgNTtNalBMskBQFs8AbA9mv:ST20NKKI/0BfjFj0U5mEqddH/qW907NE

Score

10^/10

bitrat quasar yoworld aspackv2 persistence spyware trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

anubisgod.duckdns.org:1440

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
install_dir
spottifyy
install_file
spottifyy.exe
tor_process
tor

Extracted

Family

quasar

Version

1.4.0

Botnet

Yoworld

anubisgod.duckdns.org:1338

Mutex

ec434dcc-84b6-4a93-9358-be83ce93fef5

Attributes

encryption_key
0411D8B9B23547F86733347B0634010F112E158F
install_name
Dlscord.exe
log_directory
DlscordLogs
reconnect_delay
3000
startup_key
Dlscord
subdirectory
Dlscord

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Yoworld.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Yoworld.exe	family_quasar
behavioral2/memory/840-153-0x00000000006C0000-0x000000000098A000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\Dlscord\Dlscord.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Dlscord\Dlscord.exe	family_quasar

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\WaZjnQ.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\WaZjnQ.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe	aspack_v212_v242

Executes dropped EXE 6 IoCs

Processes:

WaZjnQ.exeBVGExpliot.exeYoworld.exeBitduckspottifynew.exeWgUvKD.exeDlscord.exe

pid process

3020 WaZjnQ.exe
1580 BVGExpliot.exe
840 Yoworld.exe
4884 Bitduckspottifynew.exe
4340 WgUvKD.exe
4348 Dlscord.exe

pid	process
3020	WaZjnQ.exe
1580	BVGExpliot.exe
840	Yoworld.exe
4884	Bitduckspottifynew.exe
4340	WgUvKD.exe
4348	Dlscord.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WgUvKD.exeWaZjnQ.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WgUvKD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WaZjnQ.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Bitduckspottifynew.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spottifyy = "C:\\Users\\Admin\\AppData\\Local\\spottifyy\\spottifyy.exe耀"	Bitduckspottifynew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spottifyy = "C:\\Users\\Admin\\AppData\\Local\\spottifyy\\spottifyy.exe"	Bitduckspottifynew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spottifyy = "C:\\Users\\Admin\\AppData\\Local\\spottifyy\\spottifyy.exe㤀"	Bitduckspottifynew.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

Bitduckspottifynew.exe

pid process

4884 Bitduckspottifynew.exe
4884 Bitduckspottifynew.exe
4884 Bitduckspottifynew.exe
4884 Bitduckspottifynew.exe

pid	process
4884	Bitduckspottifynew.exe
4884	Bitduckspottifynew.exe
4884	Bitduckspottifynew.exe
4884	Bitduckspottifynew.exe

Drops file in Program Files directory 64 IoCs

Processes:

WaZjnQ.exeWgUvKD.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoia.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE	WgUvKD.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Cortana.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Win32Bridge.Server.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE	WgUvKD.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	WgUvKD.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\SoundRec.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	WgUvKD.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE	WgUvKD.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Time.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\VPREVIEW.EXE	WaZjnQ.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateBroker.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-App.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE	WgUvKD.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE	WaZjnQ.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	WaZjnQ.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE	WaZjnQ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Maps.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE	WaZjnQ.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{9FE34FF4-CC04-4D7E-96B4-2FFAA3FF5050}\chrome_installer.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe	WgUvKD.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	WgUvKD.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	WaZjnQ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\codecpacks.webp.exe	WgUvKD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5060 schtasks.exe
3776 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exeBVGExpliot.exepowershell.exe

pid process

4540 powershell.exe
1580 BVGExpliot.exe
4540 powershell.exe
3172 powershell.exe
3172 powershell.exe

pid	process
5060	schtasks.exe
3776	schtasks.exe

pid	process
4540	powershell.exe
1580	BVGExpliot.exe
4540	powershell.exe
3172	powershell.exe
3172	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Yoworld.exepowershell.exeBVGExpliot.exeBitduckspottifynew.exeDlscord.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	840	Yoworld.exe
Token: SeDebugPrivilege	4540	powershell.exe
Token: SeDebugPrivilege	1580	BVGExpliot.exe
Token: SeShutdownPrivilege	4884	Bitduckspottifynew.exe
Token: SeDebugPrivilege	4348	Dlscord.exe
Token: SeDebugPrivilege	3172	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Bitduckspottifynew.exeDlscord.exe

pid process

4884 Bitduckspottifynew.exe
4884 Bitduckspottifynew.exe
4348 Dlscord.exe

pid	process
4884	Bitduckspottifynew.exe
4884	Bitduckspottifynew.exe
4348	Dlscord.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

tmp.execmd.execmd.execmd.execmd.exeBitduckspottifynew.exeYoworld.exeWgUvKD.exeDlscord.exeWaZjnQ.exe

description	pid	process	target process
PID 5048 wrote to memory of 3020	5048	tmp.exe	WaZjnQ.exe
PID 5048 wrote to memory of 3020	5048	tmp.exe	WaZjnQ.exe
PID 5048 wrote to memory of 3020	5048	tmp.exe	WaZjnQ.exe
PID 5048 wrote to memory of 4916	5048	tmp.exe	cmd.exe
PID 5048 wrote to memory of 4916	5048	tmp.exe	cmd.exe
PID 5048 wrote to memory of 4916	5048	tmp.exe	cmd.exe
PID 5048 wrote to memory of 1760	5048	tmp.exe	cmd.exe
PID 5048 wrote to memory of 1760	5048	tmp.exe	cmd.exe
PID 5048 wrote to memory of 1760	5048	tmp.exe	cmd.exe
PID 5048 wrote to memory of 4900	5048	tmp.exe	cmd.exe
PID 5048 wrote to memory of 4900	5048	tmp.exe	cmd.exe
PID 5048 wrote to memory of 4900	5048	tmp.exe	cmd.exe
PID 5048 wrote to memory of 716	5048	tmp.exe	cmd.exe
PID 5048 wrote to memory of 716	5048	tmp.exe	cmd.exe
PID 5048 wrote to memory of 716	5048	tmp.exe	cmd.exe
PID 5048 wrote to memory of 1824	5048	tmp.exe	cmd.exe
PID 5048 wrote to memory of 1824	5048	tmp.exe	cmd.exe
PID 5048 wrote to memory of 1824	5048	tmp.exe	cmd.exe
PID 4916 wrote to memory of 4540	4916	cmd.exe	powershell.exe
PID 4916 wrote to memory of 4540	4916	cmd.exe	powershell.exe
PID 4916 wrote to memory of 4540	4916	cmd.exe	powershell.exe
PID 4900 wrote to memory of 1580	4900	cmd.exe	BVGExpliot.exe
PID 4900 wrote to memory of 1580	4900	cmd.exe	BVGExpliot.exe
PID 1824 wrote to memory of 840	1824	cmd.exe	Yoworld.exe
PID 1824 wrote to memory of 840	1824	cmd.exe	Yoworld.exe
PID 716 wrote to memory of 4884	716	cmd.exe	Bitduckspottifynew.exe
PID 716 wrote to memory of 4884	716	cmd.exe	Bitduckspottifynew.exe
PID 716 wrote to memory of 4884	716	cmd.exe	Bitduckspottifynew.exe
PID 4884 wrote to memory of 4340	4884	Bitduckspottifynew.exe	WgUvKD.exe
PID 4884 wrote to memory of 4340	4884	Bitduckspottifynew.exe	WgUvKD.exe
PID 4884 wrote to memory of 4340	4884	Bitduckspottifynew.exe	WgUvKD.exe
PID 840 wrote to memory of 5060	840	Yoworld.exe	schtasks.exe
PID 840 wrote to memory of 5060	840	Yoworld.exe	schtasks.exe
PID 840 wrote to memory of 4348	840	Yoworld.exe	Dlscord.exe
PID 840 wrote to memory of 4348	840	Yoworld.exe	Dlscord.exe
PID 4340 wrote to memory of 1204	4340	WgUvKD.exe	cmd.exe
PID 4340 wrote to memory of 1204	4340	WgUvKD.exe	cmd.exe
PID 4340 wrote to memory of 1204	4340	WgUvKD.exe	cmd.exe
PID 4348 wrote to memory of 3776	4348	Dlscord.exe	schtasks.exe
PID 4348 wrote to memory of 3776	4348	Dlscord.exe	schtasks.exe
PID 4916 wrote to memory of 3172	4916	cmd.exe	powershell.exe
PID 4916 wrote to memory of 3172	4916	cmd.exe	powershell.exe
PID 4916 wrote to memory of 3172	4916	cmd.exe	powershell.exe
PID 3020 wrote to memory of 928	3020	WaZjnQ.exe	cmd.exe
PID 3020 wrote to memory of 928	3020	WaZjnQ.exe	cmd.exe
PID 3020 wrote to memory of 928	3020	WaZjnQ.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5048

C:\Users\Admin\AppData\Local\Temp\WaZjnQ.exe
C:\Users\Admin\AppData\Local\Temp\WaZjnQ.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0c44492d.bat" "
3⤵
PID:928

C:\Windows\SysWOW64\cmd.exe
cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3172

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Users\Admin\AppData\Local\Temp\Trace eraser.reg
2⤵
PID:1760

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Users\Admin\AppData\Local\Temp\BVGExpliot.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4900

C:\Users\Admin\AppData\Local\Temp\BVGExpliot.exe
C:\Users\Admin\AppData\Local\Temp\BVGExpliot.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Users\Admin\AppData\Roaming\Bitduckspottifynew.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:716

C:\Users\Admin\AppData\Roaming\Bitduckspottifynew.exe
C:\Users\Admin\AppData\Roaming\Bitduckspottifynew.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4884

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Users\Admin\AppData\Roaming\Yoworld.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1824

C:\Users\Admin\AppData\Roaming\Yoworld.exe
C:\Users\Admin\AppData\Roaming\Yoworld.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Dlscord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Yoworld.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:5060

C:\Users\Admin\AppData\Roaming\Dlscord\Dlscord.exe
"C:\Users\Admin\AppData\Roaming\Dlscord\Dlscord.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4348

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Dlscord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Dlscord\Dlscord.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:3776

C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe
C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\33d8281d.bat" "
2⤵
PID:1204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Uninstall.exe

Filesize
31KB

MD5
46705f60c103b0f39c2ae236ef33845b

SHA1
84d855cb4a0a6a6c37fbd91b2983dcbea9d0b181

SHA256
5afcbec5b7f7cc02c958895076a045d8bcc2bad417701810bc5e03f6d80b33d8

SHA512
4d6752f0127546832f59f102f89e5f26ed13ea7ab43bfcaf94c641b743a1cf77f4b01e4950baa01ffe4a26305acb55ed376be5cf6baea947a1b11e3605fc10f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
628011eae8aec4d84ccd4e14896cf16d

SHA1
b505231cedd8828941eea6bfbfd6aecfb39ba51b

SHA256
c7056131a5b458589e814bfe64a0a345c9afd724df7d5c44866bdbb131acd35b

SHA512
e865fd897018edb82ff46085a7c814c2c4d36b5a45e8a07f03fb9bb4762cd22070a062a714c4e432abd00cba4693d1f9c463cc8d6c8d9500ee71ad5255394cd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\0c44492d.bat

Filesize
187B

MD5
8dd9e983ccd13cb6ed5cda3d37068680

SHA1
d206d22de97245ff324bddd92c559397a08b7b8d

SHA256
a1fea63717f5e2567ca10fb8bd6cc8ad40826d3a1c7754567c0d7e0bbaf48845

SHA512
ef2ca6b2fa5708cf71955fff7f3373a6e58d80e7e8ab4cf2ce46718e5fff832c006ac22d58bdc0e4b77f6c58d56598166ed3927d878b56054b16b5de1e624fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\33d8281d.bat

Filesize
187B

MD5
8f645ca050adbdf872a905d74dd354ea

SHA1
4b748a9a9cf569e040fbbece46af3bd9910f10f6

SHA256
e4707bd27c2cfee134253d434fdf7a52862ee9ebb57a473b772286df7c47456c

SHA512
ea15ef29e86a8a344d4049b7812c17d14e7999bbeeb8c57ddfd1748a79609d5a460875c512fa093e54a9a3c830e536c0482b1bb084d4e8e76d56057fd96a4eb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\BVGExpliot.exe

Filesize
379KB

MD5
1a57ddbff38a587a70eb6b79cd2601e6

SHA1
aa72d592d8f70bd4ae1548c52faca921f57ea784

SHA256
d4de9c0be13c02b5a6efad6befb3b27c25fc3adcd1116dc05672e859a9d4e4cc

SHA512
54a91c427a112227a94fa388e0502c75f8b494e7cec42eafbea87e0c7cefdd7f546cf788fc2714a7750c1f11aad4f48be5377f394d26be9e731ca147a0d79d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BVGExpliot.exe

Filesize
379KB

MD5
1a57ddbff38a587a70eb6b79cd2601e6

SHA1
aa72d592d8f70bd4ae1548c52faca921f57ea784

SHA256
d4de9c0be13c02b5a6efad6befb3b27c25fc3adcd1116dc05672e859a9d4e4cc

SHA512
54a91c427a112227a94fa388e0502c75f8b494e7cec42eafbea87e0c7cefdd7f546cf788fc2714a7750c1f11aad4f48be5377f394d26be9e731ca147a0d79d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WaZjnQ.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WaZjnQ.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Roaming\Bitduckspottifynew.exe

Filesize
3.8MB

MD5
d208502b720a4c00ae55379a1adff4fe

SHA1
e2c71e9ba414e0070992a9d31e73c9203b48e876

SHA256
0872edd378b3fe1c0f7f5754b8716306291632836040f888bdf1ef87e4d512b4

SHA512
a3295a755d0134246ce726a17b332ab844c4e54a0ac1c30c5ee24d17f20319422bfb1d20a22a8c70cb4b88e3758ae47ca6a1ae40d7d80819b0f3aab922a65363

Download Submit
C:\Users\Admin\AppData\Roaming\Bitduckspottifynew.exe

Filesize
3.8MB

MD5
d208502b720a4c00ae55379a1adff4fe

SHA1
e2c71e9ba414e0070992a9d31e73c9203b48e876

SHA256
0872edd378b3fe1c0f7f5754b8716306291632836040f888bdf1ef87e4d512b4

SHA512
a3295a755d0134246ce726a17b332ab844c4e54a0ac1c30c5ee24d17f20319422bfb1d20a22a8c70cb4b88e3758ae47ca6a1ae40d7d80819b0f3aab922a65363

Download Submit
C:\Users\Admin\AppData\Roaming\Dlscord\Dlscord.exe

Filesize
2.8MB

MD5
8df0a6df45fc592b75ac6b99b2093c88

SHA1
63b0688d48a9fb81a87d81d4a523854428a526af

SHA256
82c6a9a76749761515dc8bc59f127a6b5f3155f8cb4c79dd378478483623c587

SHA512
f5360f6aaccdf31362327707bf6f337611ac22fb0a7f4fe279f8ec023fb5939dca8fabacd2fd9354197e9d99e5d9fe1f90025302e6f08301fb5df2cbfc81a9db

Download Submit
C:\Users\Admin\AppData\Roaming\Dlscord\Dlscord.exe

Filesize
2.8MB

MD5
8df0a6df45fc592b75ac6b99b2093c88

SHA1
63b0688d48a9fb81a87d81d4a523854428a526af

SHA256
82c6a9a76749761515dc8bc59f127a6b5f3155f8cb4c79dd378478483623c587

SHA512
f5360f6aaccdf31362327707bf6f337611ac22fb0a7f4fe279f8ec023fb5939dca8fabacd2fd9354197e9d99e5d9fe1f90025302e6f08301fb5df2cbfc81a9db

Download Submit
C:\Users\Admin\AppData\Roaming\Yoworld.exe

Filesize
2.8MB

MD5
8df0a6df45fc592b75ac6b99b2093c88

SHA1
63b0688d48a9fb81a87d81d4a523854428a526af

SHA256
82c6a9a76749761515dc8bc59f127a6b5f3155f8cb4c79dd378478483623c587

SHA512
f5360f6aaccdf31362327707bf6f337611ac22fb0a7f4fe279f8ec023fb5939dca8fabacd2fd9354197e9d99e5d9fe1f90025302e6f08301fb5df2cbfc81a9db

Download Submit
C:\Users\Admin\AppData\Roaming\Yoworld.exe

Filesize
2.8MB

MD5
8df0a6df45fc592b75ac6b99b2093c88

SHA1
63b0688d48a9fb81a87d81d4a523854428a526af

SHA256
82c6a9a76749761515dc8bc59f127a6b5f3155f8cb4c79dd378478483623c587

SHA512
f5360f6aaccdf31362327707bf6f337611ac22fb0a7f4fe279f8ec023fb5939dca8fabacd2fd9354197e9d99e5d9fe1f90025302e6f08301fb5df2cbfc81a9db

Download Submit
memory/716-139-0x0000000000000000-mapping.dmp

Download
memory/840-153-0x00000000006C0000-0x000000000098A000-memory.dmp

Filesize
2.8MB

Download
memory/840-161-0x00007FFD0AAC0000-0x00007FFD0B581000-memory.dmp

Filesize
10.8MB

Download
memory/840-173-0x00007FFD0AAC0000-0x00007FFD0B581000-memory.dmp

Filesize
10.8MB

Download
memory/840-145-0x0000000000000000-mapping.dmp

Download
memory/928-199-0x0000000000000000-mapping.dmp

Download
memory/1204-176-0x0000000000000000-mapping.dmp

Download
memory/1580-152-0x00000000009C0000-0x0000000000A26000-memory.dmp

Filesize
408KB

Download
memory/1580-142-0x0000000000000000-mapping.dmp

Download
memory/1580-160-0x00007FFD0AAC0000-0x00007FFD0B581000-memory.dmp

Filesize
10.8MB

Download
memory/1580-192-0x00007FFD0AAC0000-0x00007FFD0B581000-memory.dmp

Filesize
10.8MB

Download
memory/1760-136-0x0000000000000000-mapping.dmp

Download
memory/1824-140-0x0000000000000000-mapping.dmp

Download
memory/3020-200-0x0000000000640000-0x0000000000649000-memory.dmp

Filesize
36KB

Download
memory/3020-158-0x0000000000640000-0x0000000000649000-memory.dmp

Filesize
36KB

Download
memory/3020-132-0x0000000000000000-mapping.dmp

Download
memory/3172-194-0x0000000000000000-mapping.dmp

Download
memory/3172-197-0x0000000070740000-0x000000007078C000-memory.dmp

Filesize
304KB

Download
memory/3776-179-0x0000000000000000-mapping.dmp

Download
memory/4340-177-0x0000000000EA0000-0x0000000000EA9000-memory.dmp

Filesize
36KB

Download
memory/4340-163-0x0000000000EA0000-0x0000000000EA9000-memory.dmp

Filesize
36KB

Download
memory/4340-151-0x0000000000000000-mapping.dmp

Download
memory/4348-169-0x0000000000000000-mapping.dmp

Download
memory/4348-181-0x0000000002F60000-0x0000000002FB0000-memory.dmp

Filesize
320KB

Download
memory/4348-198-0x00007FFD0AAC0000-0x00007FFD0B581000-memory.dmp

Filesize
10.8MB

Download
memory/4348-183-0x000000001D6E0000-0x000000001D792000-memory.dmp

Filesize
712KB

Download
memory/4348-175-0x00007FFD0AAC0000-0x00007FFD0B581000-memory.dmp

Filesize
10.8MB

Download
memory/4540-190-0x00000000074C0000-0x00000000074DA000-memory.dmp

Filesize
104KB

Download
memory/4540-166-0x0000000005A00000-0x0000000005A66000-memory.dmp

Filesize
408KB

Download
memory/4540-165-0x00000000058C0000-0x0000000005926000-memory.dmp

Filesize
408KB

Download
memory/4540-164-0x0000000005700000-0x0000000005722000-memory.dmp

Filesize
136KB

Download
memory/4540-141-0x0000000000000000-mapping.dmp

Download
memory/4540-157-0x00000000048F0000-0x0000000004926000-memory.dmp

Filesize
216KB

Download
memory/4540-182-0x000000006EE80000-0x000000006EECC000-memory.dmp

Filesize
304KB

Download
memory/4540-184-0x0000000006420000-0x000000000643E000-memory.dmp

Filesize
120KB

Download
memory/4540-180-0x0000000006E40000-0x0000000006E72000-memory.dmp

Filesize
200KB

Download
memory/4540-185-0x00000000077D0000-0x0000000007E4A000-memory.dmp

Filesize
6.5MB

Download
memory/4540-186-0x0000000007190000-0x00000000071AA000-memory.dmp

Filesize
104KB

Download
memory/4540-187-0x0000000007200000-0x000000000720A000-memory.dmp

Filesize
40KB

Download
memory/4540-188-0x0000000007420000-0x00000000074B6000-memory.dmp

Filesize
600KB

Download
memory/4540-189-0x00000000073D0000-0x00000000073DE000-memory.dmp

Filesize
56KB

Download
memory/4540-172-0x0000000005E10000-0x0000000005E2E000-memory.dmp

Filesize
120KB

Download
memory/4540-191-0x0000000007410000-0x0000000007418000-memory.dmp

Filesize
32KB

Download
memory/4540-159-0x0000000004FA0000-0x00000000055C8000-memory.dmp

Filesize
6.2MB

Download
memory/4884-193-0x0000000000400000-0x00000000007D3000-memory.dmp

Filesize
3.8MB

Download
memory/4884-206-0x0000000074AB0000-0x0000000074AE9000-memory.dmp

Filesize
228KB

Download
memory/4884-174-0x000000006EE60000-0x000000006EE99000-memory.dmp

Filesize
228KB

Download
memory/4884-167-0x000000006F230000-0x000000006F269000-memory.dmp

Filesize
228KB

Download
memory/4884-146-0x0000000000000000-mapping.dmp

Download
memory/4884-209-0x0000000074AB0000-0x0000000074AE9000-memory.dmp

Filesize
228KB

Download
memory/4884-208-0x0000000074AB0000-0x0000000074AE9000-memory.dmp

Filesize
228KB

Download
memory/4884-207-0x0000000074AB0000-0x0000000074AE9000-memory.dmp

Filesize
228KB

Download
memory/4884-162-0x0000000000400000-0x00000000007D3000-memory.dmp

Filesize
3.8MB

Download
memory/4884-202-0x0000000074AB0000-0x0000000074AE9000-memory.dmp

Filesize
228KB

Download
memory/4884-203-0x0000000074AB0000-0x0000000074AE9000-memory.dmp

Filesize
228KB

Download
memory/4884-204-0x000000006F230000-0x000000006F269000-memory.dmp

Filesize
228KB

Download
memory/4884-205-0x000000006EE60000-0x000000006EE99000-memory.dmp

Filesize
228KB

Download
memory/4900-137-0x0000000000000000-mapping.dmp

Download
memory/4916-135-0x0000000000000000-mapping.dmp

Download
memory/5048-138-0x0000000000400000-0x0000000000AFD000-memory.dmp

Filesize
7.0MB

Download
memory/5060-168-0x0000000000000000-mapping.dmp

Download