quasar | bb49e8609de534fee476cdc8a0db81248e169f023a2ac7d7e8fae21127a03660

Analysis

max time kernel
30s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2023 11:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BitRat Cracked.exe
Size

28.7MB
MD5

cf7429f7c62ad8bd2e3badc42befbb3a
SHA1

c93f97d3db5e3ee06611ca4b4e037d024098e94f
SHA256

a52e2fd8be23a1efd9eb4d0b165f30a089c129a790c9d4b65acef032fbd44c8e
SHA512

5cc5ed688d3a83087f59141adf32d8e37678e483170bdfdced8bc7d287e4b8a521d526265068d7c423f5582522e315283cece5e32480b4d8c5dabf506609f565
SSDEEP

393216:6oirBgdxc1lGOHYae79hLhq3QXCjHnLAusN/IaXwQVL9YbE0kmCGJ6GLR5YjIn4S:H/TOHCHtq3QXCT4t79YbE0RJPOxtH5O

Score

10^/10

quasar venomrat office04 evasion rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

smtp.yassine-bolard.nl:72

82.65.150.176:72

Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes

encryption_key
oacDd8MguAxsN1YILaEK
install_name
$77Discord.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Discord_Update
subdirectory
Discord_Updater

Signatures

Contains code to disable Windows Defender 5 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Program Files\Windows_Apps\$77-Venom72.exe	disable_win_def
C:\Program Files\Windows_Apps\$77-Venom72.exe	disable_win_def
behavioral1/memory/2596-158-0x0000000000A90000-0x0000000000B26000-memory.dmp	disable_win_def
C:\Windows\SysWOW64\Discord_Updater\$77Discord.exe	disable_win_def
C:\Windows\SysWOW64\Discord_Updater\$77Discord.exe	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

$77-Venom72.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	$77-Venom72.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	$77-Venom72.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	$77-Venom72.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	$77-Venom72.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 5 IoCs

Processes:

resource	yara_rule
C:\Program Files\Windows_Apps\$77-Venom72.exe	family_quasar
C:\Program Files\Windows_Apps\$77-Venom72.exe	family_quasar
behavioral1/memory/2596-158-0x0000000000A90000-0x0000000000B26000-memory.dmp	family_quasar
C:\Windows\SysWOW64\Discord_Updater\$77Discord.exe	family_quasar
C:\Windows\SysWOW64\Discord_Updater\$77Discord.exe	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Nirsoft 5 IoCs

Processes:

resource	yara_rule
C:\Program Files\Windows_Security\AdvancedRun.exe	Nirsoft
C:\Program Files\Windows_Security\AdvancedRun.exe	Nirsoft
C:\Program Files\Windows_Security\AdvancedRun.exe	Nirsoft
C:\Program Files\Windows_Security\AdvancedRun.exe	Nirsoft
C:\Program Files\Windows_Security\AdvancedRun.exe	Nirsoft

Executes dropped EXE 10 IoCs

Processes:

Discord.exeBitRAT_fix-cleaned.exeDiscord.exeDiscord1.exeAdvancedRun.exeAdvancedRun.exe$77-Venom72.exeAdvancedRun.exeAdvancedRun.exe$77Discord.exe

pid	process
4224	Discord.exe
2204	BitRAT_fix-cleaned.exe
4056	Discord.exe
4164	Discord1.exe
964	AdvancedRun.exe
4536	AdvancedRun.exe
2596	$77-Venom72.exe
4824	AdvancedRun.exe
3000	AdvancedRun.exe
2160	$77Discord.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Discord.exeDiscord.exeDiscord1.exeAdvancedRun.exeAdvancedRun.exe$77-Venom72.exeBitRat Cracked.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	Discord1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	AdvancedRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	AdvancedRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	$77-Venom72.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	BitRat Cracked.exe

Loads dropped DLL 3 IoCs

Processes:

BitRAT_fix-cleaned.exe

pid process

2204 BitRAT_fix-cleaned.exe
2204 BitRAT_fix-cleaned.exe
2204 BitRAT_fix-cleaned.exe

pid	process
2204	BitRAT_fix-cleaned.exe
2204	BitRAT_fix-cleaned.exe
2204	BitRAT_fix-cleaned.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

$77-Venom72.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	$77-Venom72.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	$77-Venom72.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 ip-api.com

flow	ioc
12	ip-api.com

Drops file in System32 directory 5 IoCs

Processes:

$77-Venom72.exe$77Discord.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Discord_Updater\$77Discord.exe	$77-Venom72.exe
File opened for modification	C:\Windows\SysWOW64\Discord_Updater\$77Discord.exe	$77Discord.exe
File opened for modification	C:\Windows\SysWOW64\Discord_Updater	$77Discord.exe
File created	C:\Windows\SysWOW64\Discord_Updater\r77-x64.dll	$77-Venom72.exe
File created	C:\Windows\SysWOW64\Discord_Updater\$77Discord.exe	$77-Venom72.exe

Drops file in Program Files directory 64 IoCs

Processes:

BitRat Cracked.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows_Update\data\media\flags\ua.png	BitRat Cracked.exe
File created	C:\Program Files\Windows_Update\data\tor\libcrypto-1_1.dll	BitRat Cracked.exe
File created	C:\Program Files\Windows_Update\data\tor\zlib1.dll	BitRat Cracked.exe
File created	C:\Program Files\Windows_Update\data\media\status\away.png	BitRat Cracked.exe
File opened for modification	C:\Program Files\Windows_Update\data\media\flags\bb.png	BitRat Cracked.exe
File created	C:\Program Files\Windows_Update\data\media\flags\mr.png	BitRat Cracked.exe
File created	C:\Program Files\Windows_Update\data\media\flags\nz.png	BitRat Cracked.exe
File opened for modification	C:\Program Files\Windows_Update\data\media\flags\sc.png	BitRat Cracked.exe
File opened for modification	C:\Program Files\Windows_Update\data\plugins\inj64.plg	BitRat Cracked.exe
File created	C:\Program Files\Windows_Update\data\media\flags\id.png	BitRat Cracked.exe
File opened for modification	C:\Program Files\Windows_Update\data\media\flags\mc.png	BitRat Cracked.exe
File opened for modification	C:\Program Files\Windows_Update\data\media\flags\do.png	BitRat Cracked.exe
File created	C:\Program Files\Windows_Update\data\media\flags\mn.png	BitRat Cracked.exe
File created	C:\Program Files\Windows_Update\data\media\flags\tt.png	BitRat Cracked.exe
File opened for modification	C:\Program Files\Windows_Update\data\tor\libssp-0.dll	BitRat Cracked.exe
File created	C:\Program Files\Windows_Update\data\media\flags\az.png	BitRat Cracked.exe
File created	C:\Program Files\Windows_Update\data\media\flags\cv.png	BitRat Cracked.exe
File created	C:\Program Files\Windows_Update\data\media\misc\signal1.png	BitRat Cracked.exe
File created	C:\Program Files\Windows_Update\data\media\flags\ye.png	BitRat Cracked.exe
File opened for modification	C:\Program Files\Windows_Update\data\tor\libevent_extra-2-1-6.dll	BitRat Cracked.exe
File created	C:\Program Files\Windows_Update\data\media\flags\ax.png	BitRat Cracked.exe
File created	C:\Program Files\Windows_Update\data\media\flags\ie.png	BitRat Cracked.exe
File opened for modification	C:\Program Files\Windows_Update\data\media\flags\ro.png	BitRat Cracked.exe
File created	C:\Program Files\Windows_Update\data\media\flags\sn.png	BitRat Cracked.exe
File created	C:\Program Files\Windows_Update\data\media\flags\wf.png	BitRat Cracked.exe
File opened for modification	C:\Program Files\Windows_Update\data\media\flags\cl.png	BitRat Cracked.exe
File opened for modification	C:\Program Files\Windows_Update\data\media\flags\mo.png	BitRat Cracked.exe
File opened for modification	C:\Program Files\Windows_Update\data\media\flags\pw.png	BitRat Cracked.exe
File opened for modification	C:\Program Files\Windows_Update\data\media\flags\mm.png	BitRat Cracked.exe
File created	C:\Program Files\Windows_Update\data\media\flags\ms.png	BitRat Cracked.exe
File created	C:\Program Files\Windows_Update\data\media\flags\pw.png	BitRat Cracked.exe
File created	C:\Program Files\Windows_Update\data\media\flags\ru.png	BitRat Cracked.exe
File created	C:\Program Files\Windows_Update\data\media\flags\ba.png	BitRat Cracked.exe
File created	C:\Program Files\Windows_Update\data\media\flags\bm.png	BitRat Cracked.exe
File opened for modification	C:\Program Files\Windows_Update\data\media\flags\kz.png	BitRat Cracked.exe
File created	C:\Program Files\Windows_Update\data\media\flags\kr.png	BitRat Cracked.exe
File opened for modification	C:\Program Files\Windows_Update\data\media\flags\mw.png	BitRat Cracked.exe
File created	C:\Program Files\Windows_Update\data\media\flags\tz.png	BitRat Cracked.exe
File created	C:\Program Files\Windows_Update\data\media\flags\sl.png	BitRat Cracked.exe
File created	C:\Program Files\Windows_Update\BitRAT_fix-cleaned.exe	BitRat Cracked.exe
File opened for modification	C:\Program Files\Windows_Update\data\plugins\ar.plg	BitRat Cracked.exe
File opened for modification	C:\Program Files\Windows_Update\data\media\flags\gy.png	BitRat Cracked.exe
File opened for modification	C:\Program Files\Windows_Update\data\media\flags\bz.png	BitRat Cracked.exe
File created	C:\Program Files\Windows_Update\data\media\flags\ly.png	BitRat Cracked.exe
File opened for modification	C:\Program Files\Windows_Update\data\media\flags\sd.png	BitRat Cracked.exe
File opened for modification	C:\Program Files\Windows_Update\data\media\flags\ug.png	BitRat Cracked.exe
File created	C:\Program Files\Windows_Update\BouncyCastle.Crypto.dll	BitRat Cracked.exe
File opened for modification	C:\Program Files\Windows_Update\data\media\audio\online.wav	BitRat Cracked.exe
File created	C:\Program Files\Windows_Update\data\media\flags\bg.png	BitRat Cracked.exe
File opened for modification	C:\Program Files\Windows_Update\data\media\flags\mz.png	BitRat Cracked.exe
File opened for modification	C:\Program Files\Windows_Update\data\media\status\online.png	BitRat Cracked.exe
File created	C:\Program Files\Windows_Update\data\media\flags\vc.png	BitRat Cracked.exe
File created	C:\Program Files\Windows_Update\data\media\flags\bi.png	BitRat Cracked.exe
File created	C:\Program Files\Windows_Update\data\media\flags\gd.png	BitRat Cracked.exe
File opened for modification	C:\Program Files\Windows_Update\data\media\flags\tz.png	BitRat Cracked.exe
File created	C:\Program Files\Windows_Update\data\media\flags\ml.png	BitRat Cracked.exe
File opened for modification	C:\Program Files\Windows_Update\data\media\misc\user.png	BitRat Cracked.exe
File created	C:\Program Files\Windows_Update\data\media\flags\do.png	BitRat Cracked.exe
File opened for modification	C:\Program Files\Windows_Update\data\media\flags\fi.png	BitRat Cracked.exe
File created	C:\Program Files\Windows_Update\data\media\flags\gf.png	BitRat Cracked.exe
File created	C:\Program Files\Windows_Update\data\media\flags\nr.png	BitRat Cracked.exe
File created	C:\Program Files\Windows_Update\data\media\flags\ug.png	BitRat Cracked.exe
File created	C:\Program Files\Windows_Update\ObjectListView.dll	BitRat Cracked.exe
File created	C:\Program Files\Windows_Update\Zeroit.Framework.UIThemes.dll	BitRat Cracked.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2168 schtasks.exe
4020 schtasks.exe

pid	process
2168	schtasks.exe
4020	schtasks.exe

Suspicious behavior: EnumeratesProcesses 59 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeBitRAT_fix-cleaned.exepowershell.exe$77-Venom72.exe

pid	process
964	AdvancedRun.exe
964	AdvancedRun.exe
964	AdvancedRun.exe
964	AdvancedRun.exe
4536	AdvancedRun.exe
4536	AdvancedRun.exe
4536	AdvancedRun.exe
4536	AdvancedRun.exe
4824	AdvancedRun.exe
4824	AdvancedRun.exe
3000	AdvancedRun.exe
3000	AdvancedRun.exe
4824	AdvancedRun.exe
4824	AdvancedRun.exe
3000	AdvancedRun.exe
3000	AdvancedRun.exe
2204	BitRAT_fix-cleaned.exe
2204	BitRAT_fix-cleaned.exe
2204	BitRAT_fix-cleaned.exe
2204	BitRAT_fix-cleaned.exe
2204	BitRAT_fix-cleaned.exe
2204	BitRAT_fix-cleaned.exe
2204	BitRAT_fix-cleaned.exe
2204	BitRAT_fix-cleaned.exe
2204	BitRAT_fix-cleaned.exe
2204	BitRAT_fix-cleaned.exe
2204	BitRAT_fix-cleaned.exe
2204	BitRAT_fix-cleaned.exe
2204	BitRAT_fix-cleaned.exe
2204	BitRAT_fix-cleaned.exe
2204	BitRAT_fix-cleaned.exe
2204	BitRAT_fix-cleaned.exe
2204	BitRAT_fix-cleaned.exe
2204	BitRAT_fix-cleaned.exe
2204	BitRAT_fix-cleaned.exe
2204	BitRAT_fix-cleaned.exe
2204	BitRAT_fix-cleaned.exe
2204	BitRAT_fix-cleaned.exe
2204	BitRAT_fix-cleaned.exe
2204	BitRAT_fix-cleaned.exe
2204	BitRAT_fix-cleaned.exe
2204	BitRAT_fix-cleaned.exe
2204	BitRAT_fix-cleaned.exe
2204	BitRAT_fix-cleaned.exe
2204	BitRAT_fix-cleaned.exe
2204	BitRAT_fix-cleaned.exe
2204	BitRAT_fix-cleaned.exe
2204	BitRAT_fix-cleaned.exe
2204	BitRAT_fix-cleaned.exe
2204	BitRAT_fix-cleaned.exe
4256	powershell.exe
4256	powershell.exe
2596	$77-Venom72.exe
2596	$77-Venom72.exe
2596	$77-Venom72.exe
2596	$77-Venom72.exe
2596	$77-Venom72.exe
2596	$77-Venom72.exe
2596	$77-Venom72.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exe$77-Venom72.exepowershell.exe$77Discord.exe

description	pid	process
Token: SeDebugPrivilege	964	AdvancedRun.exe
Token: SeImpersonatePrivilege	964	AdvancedRun.exe
Token: SeDebugPrivilege	4536	AdvancedRun.exe
Token: SeImpersonatePrivilege	4536	AdvancedRun.exe
Token: SeDebugPrivilege	4824	AdvancedRun.exe
Token: SeDebugPrivilege	3000	AdvancedRun.exe
Token: SeImpersonatePrivilege	4824	AdvancedRun.exe
Token: SeImpersonatePrivilege	3000	AdvancedRun.exe
Token: SeDebugPrivilege	2596	$77-Venom72.exe
Token: SeDebugPrivilege	4256	powershell.exe
Token: SeDebugPrivilege	2160	$77Discord.exe
Token: SeDebugPrivilege	2160	$77Discord.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

Discord.exeDiscord.exeDiscord1.exeAdvancedRun.exeAdvancedRun.exeBitRAT_fix-cleaned.exe$77Discord.exe

pid process

4224 Discord.exe
4056 Discord.exe
4164 Discord1.exe
964 AdvancedRun.exe
4536 AdvancedRun.exe
2204 BitRAT_fix-cleaned.exe
2160 $77Discord.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

BitRat Cracked.exeDiscord.exeDiscord.exeDiscord1.exeAdvancedRun.exeAdvancedRun.exe$77-Venom72.exe$77Discord.execmd.exe

description	pid	process	target process
PID 4524 wrote to memory of 4224	4524	BitRat Cracked.exe	Discord.exe
PID 4524 wrote to memory of 4224	4524	BitRat Cracked.exe	Discord.exe
PID 4524 wrote to memory of 4224	4524	BitRat Cracked.exe	Discord.exe
PID 4524 wrote to memory of 2204	4524	BitRat Cracked.exe	BitRAT_fix-cleaned.exe
PID 4524 wrote to memory of 2204	4524	BitRat Cracked.exe	BitRAT_fix-cleaned.exe
PID 4224 wrote to memory of 4056	4224	Discord.exe	Discord.exe
PID 4224 wrote to memory of 4056	4224	Discord.exe	Discord.exe
PID 4224 wrote to memory of 4056	4224	Discord.exe	Discord.exe
PID 4224 wrote to memory of 4164	4224	Discord.exe	Discord1.exe
PID 4224 wrote to memory of 4164	4224	Discord.exe	Discord1.exe
PID 4224 wrote to memory of 4164	4224	Discord.exe	Discord1.exe
PID 4056 wrote to memory of 964	4056	Discord.exe	AdvancedRun.exe
PID 4056 wrote to memory of 964	4056	Discord.exe	AdvancedRun.exe
PID 4056 wrote to memory of 4536	4056	Discord.exe	AdvancedRun.exe
PID 4056 wrote to memory of 4536	4056	Discord.exe	AdvancedRun.exe
PID 4164 wrote to memory of 2596	4164	Discord1.exe	$77-Venom72.exe
PID 4164 wrote to memory of 2596	4164	Discord1.exe	$77-Venom72.exe
PID 4164 wrote to memory of 2596	4164	Discord1.exe	$77-Venom72.exe
PID 964 wrote to memory of 4824	964	AdvancedRun.exe	AdvancedRun.exe
PID 964 wrote to memory of 4824	964	AdvancedRun.exe	AdvancedRun.exe
PID 4536 wrote to memory of 3000	4536	AdvancedRun.exe	AdvancedRun.exe
PID 4536 wrote to memory of 3000	4536	AdvancedRun.exe	AdvancedRun.exe
PID 2596 wrote to memory of 2168	2596	$77-Venom72.exe	schtasks.exe
PID 2596 wrote to memory of 2168	2596	$77-Venom72.exe	schtasks.exe
PID 2596 wrote to memory of 2168	2596	$77-Venom72.exe	schtasks.exe
PID 2596 wrote to memory of 2160	2596	$77-Venom72.exe	$77Discord.exe
PID 2596 wrote to memory of 2160	2596	$77-Venom72.exe	$77Discord.exe
PID 2596 wrote to memory of 2160	2596	$77-Venom72.exe	$77Discord.exe
PID 2596 wrote to memory of 4256	2596	$77-Venom72.exe	powershell.exe
PID 2596 wrote to memory of 4256	2596	$77-Venom72.exe	powershell.exe
PID 2596 wrote to memory of 4256	2596	$77-Venom72.exe	powershell.exe
PID 2160 wrote to memory of 4020	2160	$77Discord.exe	schtasks.exe
PID 2160 wrote to memory of 4020	2160	$77Discord.exe	schtasks.exe
PID 2160 wrote to memory of 4020	2160	$77Discord.exe	schtasks.exe
PID 2596 wrote to memory of 1696	2596	$77-Venom72.exe	cmd.exe
PID 2596 wrote to memory of 1696	2596	$77-Venom72.exe	cmd.exe
PID 2596 wrote to memory of 1696	2596	$77-Venom72.exe	cmd.exe
PID 1696 wrote to memory of 4480	1696	cmd.exe	cmd.exe
PID 1696 wrote to memory of 4480	1696	cmd.exe	cmd.exe
PID 1696 wrote to memory of 4480	1696	cmd.exe	cmd.exe
PID 2596 wrote to memory of 868	2596	$77-Venom72.exe	cmd.exe
PID 2596 wrote to memory of 868	2596	$77-Venom72.exe	cmd.exe
PID 2596 wrote to memory of 868	2596	$77-Venom72.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\BitRat Cracked.exe
"C:\Users\Admin\AppData\Local\Temp\BitRat Cracked.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4524

C:\Program Files\Windows_Update\Discord.exe
"C:\Program Files\Windows_Update\Discord.exe" -pKazutoSan72@$%
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4224

C:\Program Files\Windows_Security\Discord.exe
"C:\Program Files\Windows_Security\Discord.exe" -pKazutoSan72@$%?:YB381
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4056

C:\Program Files\Windows_Security\AdvancedRun.exe
"C:\Program Files\Windows_Security\AdvancedRun.exe" /EXEFilename Test.bat /RunAs 8 /Run
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:964

C:\Program Files\Windows_Security\AdvancedRun.exe
"C:\Program Files\Windows_Security\AdvancedRun.exe" /SpecialRun 14001f2b0 964
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Program Files\Windows_Security\AdvancedRun.exe
"C:\Program Files\Windows_Security\AdvancedRun.exe" /EXEFilename Test.bat /RunAs 8 /Run
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4536

C:\Program Files\Windows_Security\AdvancedRun.exe
"C:\Program Files\Windows_Security\AdvancedRun.exe" /SpecialRun 14001f2b0 4536
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Program Files\Windows_Security\Discord1.exe
"C:\Program Files\Windows_Security\Discord1.exe" -pKazutoSan72@$%?:YB381
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4164

C:\Program Files\Windows_Apps\$77-Venom72.exe
"C:\Program Files\Windows_Apps\$77-Venom72.exe"
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Checks computer location settings
- Windows security modification
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Discord_Update" /sc ONLOGON /tr "C:\Program Files\Windows_Apps\$77-Venom72.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:2168

C:\Windows\SysWOW64\Discord_Updater\$77Discord.exe
"C:\Windows\SysWOW64\Discord_Updater\$77Discord.exe"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Discord_Update" /sc ONLOGON /tr "C:\Windows\SysWOW64\Discord_Updater\$77Discord.exe" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:4020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4256

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
6⤵
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hOjZW2EA00sg.bat" "
5⤵
PID:868

C:\Program Files\Windows_Update\BitRAT_fix-cleaned.exe
"C:\Program Files\Windows_Update\BitRAT_fix-cleaned.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2204

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows_Apps\$77-Venom72.exe
Filesize
576KB

MD5
80495befd515f6af32389c1cfb3e8c5b

SHA1
29ec599e91edffe758d0613540fa02da686f1746

SHA256
775157d95dba8027eb71f061d11f805dae23b5bbd25ceb0edb7f0d3782f4e07b

SHA512
bbbf4ba7c8a6b004ccda8924cea0e59504cdf43816961c5441bbc7fc3c3c22f805d8341eed22f13bdecbf2ad5f1ffe73f626d21a6035cac832c3e9427fa6745f

Download Submit
C:\Program Files\Windows_Apps\$77-Venom72.exe
Filesize
576KB

MD5
80495befd515f6af32389c1cfb3e8c5b

SHA1
29ec599e91edffe758d0613540fa02da686f1746

SHA256
775157d95dba8027eb71f061d11f805dae23b5bbd25ceb0edb7f0d3782f4e07b

SHA512
bbbf4ba7c8a6b004ccda8924cea0e59504cdf43816961c5441bbc7fc3c3c22f805d8341eed22f13bdecbf2ad5f1ffe73f626d21a6035cac832c3e9427fa6745f

Download Submit
C:\Program Files\Windows_Security\AdvancedRun.exe
Filesize
148KB

MD5
fd048f729a521a51273897c937b0a132

SHA1
3ba5137721c135fe125f9667c45b01b9728d21ed

SHA256
71750e4d22b7a41ed8e5b1525e56e2c884a6d8170cae21636e8c201e555fa1e4

SHA512
9a04ab8b0f9dd4a9e8cd5f8c1a2fb66a3b3328da0ed026484f1c508a45e282128dc95278a886d51627a78bf07649dddfa259db2a8debd01eb92e9b568beb75ec

Download Submit
C:\Program Files\Windows_Security\AdvancedRun.exe
Filesize
148KB

MD5
fd048f729a521a51273897c937b0a132

SHA1
3ba5137721c135fe125f9667c45b01b9728d21ed

SHA256
71750e4d22b7a41ed8e5b1525e56e2c884a6d8170cae21636e8c201e555fa1e4

SHA512
9a04ab8b0f9dd4a9e8cd5f8c1a2fb66a3b3328da0ed026484f1c508a45e282128dc95278a886d51627a78bf07649dddfa259db2a8debd01eb92e9b568beb75ec

Download Submit
C:\Program Files\Windows_Security\AdvancedRun.exe
Filesize
148KB

MD5
fd048f729a521a51273897c937b0a132

SHA1
3ba5137721c135fe125f9667c45b01b9728d21ed

SHA256
71750e4d22b7a41ed8e5b1525e56e2c884a6d8170cae21636e8c201e555fa1e4

SHA512
9a04ab8b0f9dd4a9e8cd5f8c1a2fb66a3b3328da0ed026484f1c508a45e282128dc95278a886d51627a78bf07649dddfa259db2a8debd01eb92e9b568beb75ec

Download Submit
C:\Program Files\Windows_Security\AdvancedRun.exe
Filesize
148KB

MD5
fd048f729a521a51273897c937b0a132

SHA1
3ba5137721c135fe125f9667c45b01b9728d21ed

SHA256
71750e4d22b7a41ed8e5b1525e56e2c884a6d8170cae21636e8c201e555fa1e4

SHA512
9a04ab8b0f9dd4a9e8cd5f8c1a2fb66a3b3328da0ed026484f1c508a45e282128dc95278a886d51627a78bf07649dddfa259db2a8debd01eb92e9b568beb75ec

Download Submit
C:\Program Files\Windows_Security\AdvancedRun.exe
Filesize
148KB

MD5
fd048f729a521a51273897c937b0a132

SHA1
3ba5137721c135fe125f9667c45b01b9728d21ed

SHA256
71750e4d22b7a41ed8e5b1525e56e2c884a6d8170cae21636e8c201e555fa1e4

SHA512
9a04ab8b0f9dd4a9e8cd5f8c1a2fb66a3b3328da0ed026484f1c508a45e282128dc95278a886d51627a78bf07649dddfa259db2a8debd01eb92e9b568beb75ec

Download Submit
C:\Program Files\Windows_Security\Discord.exe
Filesize
339KB

MD5
7982a3c8d157fab1222054474d772332

SHA1
f134d7ce11e37e30e07a73f0d8c7bc0a87c04492

SHA256
7dc4ae41a5820fbdfc912cd1ef586f7ad80e77ca0b4f6c364255cfb01dac648c

SHA512
182bd93ebd698850bd112779f4e06f1b561edbdcb6243d5df5112fedb95a267f47a548d3b9e0fde7ae3ed1fbdb72881405757b7ea7326810d42ea78123562d97

Download Submit
C:\Program Files\Windows_Security\Discord.exe
Filesize
339KB

MD5
7982a3c8d157fab1222054474d772332

SHA1
f134d7ce11e37e30e07a73f0d8c7bc0a87c04492

SHA256
7dc4ae41a5820fbdfc912cd1ef586f7ad80e77ca0b4f6c364255cfb01dac648c

SHA512
182bd93ebd698850bd112779f4e06f1b561edbdcb6243d5df5112fedb95a267f47a548d3b9e0fde7ae3ed1fbdb72881405757b7ea7326810d42ea78123562d97

Download Submit
C:\Program Files\Windows_Security\Discord1.exe
Filesize
541KB

MD5
dead320a00168f6625dd7be9b6b70e20

SHA1
51624ff21ffaf610c8655826ca17ea833fa611f7

SHA256
1d5053b75e4199446b32a86f358928669397c5fb2cf17049e1e9241cb1b1b7c5

SHA512
713f32bce99fbf09164a53e18506ae260c5ac12efea5420eb81510ebb27309e8f7cbdc4e001c8b28de1cb83c51f0014458cb060c64dcc0fd1a5b2a29d8455218

Download Submit
C:\Program Files\Windows_Security\Discord1.exe
Filesize
541KB

MD5
dead320a00168f6625dd7be9b6b70e20

SHA1
51624ff21ffaf610c8655826ca17ea833fa611f7

SHA256
1d5053b75e4199446b32a86f358928669397c5fb2cf17049e1e9241cb1b1b7c5

SHA512
713f32bce99fbf09164a53e18506ae260c5ac12efea5420eb81510ebb27309e8f7cbdc4e001c8b28de1cb83c51f0014458cb060c64dcc0fd1a5b2a29d8455218

Download Submit
C:\Program Files\Windows_Update\BitRAT_fix-cleaned.exe
Filesize
38.2MB

MD5
84a1766670e0410a9127c4f531113bf7

SHA1
3c5d8a37800719cac558f20b2d29894b4660bd0f

SHA256
9a727321f210af2a38a8c9ab4502b3bb87969177b20f5c06801c231831095bd6

SHA512
bed63e75ea52eb0d87b07465bc114be47681ea2fff4fcfb8d76f89d6e1f6980aa9f05cfbc79a3df19cfb0ef19cd98f876d456fc25e9e17f3e3c6b7b746df166d

Download Submit
C:\Program Files\Windows_Update\BitRAT_fix-cleaned.exe
Filesize
38.2MB

MD5
84a1766670e0410a9127c4f531113bf7

SHA1
3c5d8a37800719cac558f20b2d29894b4660bd0f

SHA256
9a727321f210af2a38a8c9ab4502b3bb87969177b20f5c06801c231831095bd6

SHA512
bed63e75ea52eb0d87b07465bc114be47681ea2fff4fcfb8d76f89d6e1f6980aa9f05cfbc79a3df19cfb0ef19cd98f876d456fc25e9e17f3e3c6b7b746df166d

Download Submit
C:\Program Files\Windows_Update\Discord.exe
Filesize
790KB

MD5
ffbf8505009dcfee149e8a8c240ef82f

SHA1
f07334436f15956c5078a5cfeb9a4305819e220d

SHA256
308a6e24a3eeb14fdd7038566460b55db3bfe81ede2721a0128f1e142aeb41cb

SHA512
307eac44f3c052603aa1126a24986ac3bc2cccde81379d229ed29a23f1936a917942a4967b07c266b7b6ec546e31707dad0a94f5adddac0707453927f4f8a8d8

Download Submit
C:\Program Files\Windows_Update\Discord.exe
Filesize
790KB

MD5
ffbf8505009dcfee149e8a8c240ef82f

SHA1
f07334436f15956c5078a5cfeb9a4305819e220d

SHA256
308a6e24a3eeb14fdd7038566460b55db3bfe81ede2721a0128f1e142aeb41cb

SHA512
307eac44f3c052603aa1126a24986ac3bc2cccde81379d229ed29a23f1936a917942a4967b07c266b7b6ec546e31707dad0a94f5adddac0707453927f4f8a8d8

Download Submit
C:\Program Files\Windows_Update\ObjectListView.dll
Filesize
434KB

MD5
b490bb6c6bbb4af7c43c15071c0e5034

SHA1
828a03191d6df0d17975007f6bef8c56e371069d

SHA256
0b94b3824761723400dc0357e7d490085a5ccf3415e332155c5b8d6c7bfb8788

SHA512
27c60b0c7e85d22249332aeaf5fe1f0d6083e8f68cc461e4e97e3a394e108601378fd2bc7ec39c1fc2dc8338db87f5555511337e95921d63ab9ff7d5d18056a6

Download Submit
C:\Program Files\Windows_Update\SkinSoft.VisualStyler.dll
Filesize
1.0MB

MD5
60ac512e63a6b95eb37cfd530a01b94e

SHA1
4b5a1fa50008439ac074d732447ab9032a157114

SHA256
9f3e7ea22d052fee0e5be8cd904ac4425f3840df7452c760d5cc5357830c394e

SHA512
a6cbf2f1f6eedcb142aeca7218334dd16058b9f643e51cee4771e1a0f7124676361deac0c48d61468296e88035e4dd49b55fd139b80ece54c86c0338bdedd681

Download Submit
C:\Program Files\Windows_Update\Zeroit.Framework.Progress.dll
Filesize
4.3MB

MD5
ec5d2e878ad0432b246901e0e41e9f25

SHA1
b6032f95b0fc77a682628365cbbe7f1f3392e744

SHA256
a249008a635defa206f4568dcaae7c598e4dcf605bcace5117a407a8ac23da96

SHA512
0fe13c6cdf6f38db58340f4a0e1cbc8d069ba58df9d49fd9c6039a41cfb8ddd4c987f192de6dc9d776f5898cb891c89b2aac137505b18728579c592c23a34f78

Download Submit
C:\Program Files\Windows_Update\ssapihook.dll
Filesize
67KB

MD5
4d9943a0adc1a3bd1472bdbab649a436

SHA1
f0f36e014a71e21e629cabaa835f39a4e775e092

SHA256
87dd71ac71bca50d9f1179215bbc4a25783c6a959def5c1850683eb41f6b0322

SHA512
21766452cd53a2344c321b042984a08bcb46dac5e2b06dcd25f1a740e4018cb0f90d39b95414febd76d4c1447efc0dcae6dfa1ee176fdfab654a4efd2e705492

Download Submit
C:\Program Files\Windows_Update\ssapihook.dll
Filesize
67KB

MD5
4d9943a0adc1a3bd1472bdbab649a436

SHA1
f0f36e014a71e21e629cabaa835f39a4e775e092

SHA256
87dd71ac71bca50d9f1179215bbc4a25783c6a959def5c1850683eb41f6b0322

SHA512
21766452cd53a2344c321b042984a08bcb46dac5e2b06dcd25f1a740e4018cb0f90d39b95414febd76d4c1447efc0dcae6dfa1ee176fdfab654a4efd2e705492

Download Submit
C:\Program Files\Windows_Update\ssapihook.dll
Filesize
67KB

MD5
4d9943a0adc1a3bd1472bdbab649a436

SHA1
f0f36e014a71e21e629cabaa835f39a4e775e092

SHA256
87dd71ac71bca50d9f1179215bbc4a25783c6a959def5c1850683eb41f6b0322

SHA512
21766452cd53a2344c321b042984a08bcb46dac5e2b06dcd25f1a740e4018cb0f90d39b95414febd76d4c1447efc0dcae6dfa1ee176fdfab654a4efd2e705492

Download Submit
C:\Users\Admin\AppData\Local\SkinSoft\VisualStyler\2.4.59444.6\x64\ssapihook.dll
Filesize
67KB

MD5
4d9943a0adc1a3bd1472bdbab649a436

SHA1
f0f36e014a71e21e629cabaa835f39a4e775e092

SHA256
87dd71ac71bca50d9f1179215bbc4a25783c6a959def5c1850683eb41f6b0322

SHA512
21766452cd53a2344c321b042984a08bcb46dac5e2b06dcd25f1a740e4018cb0f90d39b95414febd76d4c1447efc0dcae6dfa1ee176fdfab654a4efd2e705492

Download Submit
C:\Users\Admin\AppData\Local\Temp\hOjZW2EA00sg.bat
Filesize
204B

MD5
893393a81cff7ab7c361d71ba896185c

SHA1
c993c1700c1be05f4154884c8a156878e775989a

SHA256
dc85c52222e49b2c09de56469686fa497f99a3b22c1b379d8e2fa4c9821e6881

SHA512
217cf1c501b53fd3ad5c7fe0b0178dcf959b6bca0c9b929f9194f347e70726e9c645c0c263fbd1330f8f2e8ee044caebf6ab2b4f5389042d7ccccd0ae8a62bca

Download Submit
C:\Windows\SysWOW64\Discord_Updater\$77Discord.exe
Filesize
576KB

MD5
80495befd515f6af32389c1cfb3e8c5b

SHA1
29ec599e91edffe758d0613540fa02da686f1746

SHA256
775157d95dba8027eb71f061d11f805dae23b5bbd25ceb0edb7f0d3782f4e07b

SHA512
bbbf4ba7c8a6b004ccda8924cea0e59504cdf43816961c5441bbc7fc3c3c22f805d8341eed22f13bdecbf2ad5f1ffe73f626d21a6035cac832c3e9427fa6745f

Download Submit
C:\Windows\SysWOW64\Discord_Updater\$77Discord.exe
Filesize
576KB

MD5
80495befd515f6af32389c1cfb3e8c5b

SHA1
29ec599e91edffe758d0613540fa02da686f1746

SHA256
775157d95dba8027eb71f061d11f805dae23b5bbd25ceb0edb7f0d3782f4e07b

SHA512
bbbf4ba7c8a6b004ccda8924cea0e59504cdf43816961c5441bbc7fc3c3c22f805d8341eed22f13bdecbf2ad5f1ffe73f626d21a6035cac832c3e9427fa6745f

Download Submit
memory/868-199-0x0000000000000000-mapping.dmp

Download
memory/964-144-0x0000000000000000-mapping.dmp

Download
memory/1696-197-0x0000000000000000-mapping.dmp

Download
memory/2160-175-0x0000000000000000-mapping.dmp

Download
memory/2160-185-0x0000000007120000-0x000000000712A000-memory.dmp

Filesize
40KB

Download
memory/2168-174-0x0000000000000000-mapping.dmp

Download
memory/2204-151-0x00007FFC99F60000-0x00007FFC9AA21000-memory.dmp

Filesize
10.8MB

Download
memory/2204-171-0x0000024CC11E0000-0x0000024CC162E000-memory.dmp

Filesize
4.3MB

Download
memory/2204-196-0x00007FFC99F60000-0x00007FFC9AA21000-memory.dmp

Filesize
10.8MB

Download
memory/2204-135-0x0000000000000000-mapping.dmp

Download
memory/2204-149-0x0000024CA1950000-0x0000024CA3F86000-memory.dmp

Filesize
38.2MB

Download
memory/2204-162-0x0000024CBF180000-0x0000024CBF28E000-memory.dmp

Filesize
1.1MB

Download
memory/2204-169-0x0000024CC0D10000-0x0000024CC0D84000-memory.dmp

Filesize
464KB

Download
memory/2596-158-0x0000000000A90000-0x0000000000B26000-memory.dmp

Filesize
600KB

Download
memory/2596-172-0x00000000063E0000-0x00000000063F2000-memory.dmp

Filesize
72KB

Download
memory/2596-173-0x0000000006800000-0x000000000683C000-memory.dmp

Filesize
240KB

Download
memory/2596-150-0x0000000000000000-mapping.dmp

Download
memory/2596-167-0x00000000053D0000-0x0000000005436000-memory.dmp

Filesize
408KB

Download
memory/2596-159-0x0000000005A10000-0x0000000005FB4000-memory.dmp

Filesize
5.6MB

Download
memory/2596-160-0x0000000005460000-0x00000000054F2000-memory.dmp

Filesize
584KB

Download
memory/3000-154-0x0000000000000000-mapping.dmp

Download
memory/4020-183-0x0000000000000000-mapping.dmp

Download
memory/4056-138-0x0000000000000000-mapping.dmp

Download
memory/4164-141-0x0000000000000000-mapping.dmp

Download
memory/4224-132-0x0000000000000000-mapping.dmp

Download
memory/4256-182-0x0000000005FE0000-0x0000000006046000-memory.dmp

Filesize
408KB

Download
memory/4256-191-0x0000000007A20000-0x0000000007A2A000-memory.dmp

Filesize
40KB

Download
memory/4256-184-0x00000000066B0000-0x00000000066CE000-memory.dmp

Filesize
120KB

Download
memory/4256-180-0x0000000005890000-0x0000000005EB8000-memory.dmp

Filesize
6.2MB

Download
memory/4256-186-0x0000000006C60000-0x0000000006C92000-memory.dmp

Filesize
200KB

Download
memory/4256-187-0x0000000070650000-0x000000007069C000-memory.dmp

Filesize
304KB

Download
memory/4256-188-0x0000000006CA0000-0x0000000006CBE000-memory.dmp

Filesize
120KB

Download
memory/4256-189-0x0000000007FF0000-0x000000000866A000-memory.dmp

Filesize
6.5MB

Download
memory/4256-190-0x00000000079B0000-0x00000000079CA000-memory.dmp

Filesize
104KB

Download
memory/4256-181-0x0000000005F00000-0x0000000005F22000-memory.dmp

Filesize
136KB

Download
memory/4256-192-0x0000000007C30000-0x0000000007CC6000-memory.dmp

Filesize
600KB

Download
memory/4256-193-0x0000000007BE0000-0x0000000007BEE000-memory.dmp

Filesize
56KB

Download
memory/4256-194-0x0000000007CF0000-0x0000000007D0A000-memory.dmp

Filesize
104KB

Download
memory/4256-195-0x0000000007CD0000-0x0000000007CD8000-memory.dmp

Filesize
32KB

Download
memory/4256-179-0x0000000002D90000-0x0000000002DC6000-memory.dmp

Filesize
216KB

Download
memory/4256-178-0x0000000000000000-mapping.dmp

Download
memory/4480-198-0x0000000000000000-mapping.dmp

Download
memory/4536-147-0x0000000000000000-mapping.dmp

Download
memory/4824-155-0x0000000000000000-mapping.dmp

Download