Analysis
- max time kernel: 30s
- max time network: 35s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-01-2023 11:42

Static task: static1

Behavioral task: behavioral1
- Sample: BitRat Cracked.exe
- Resource: win10v2004-20221111-en

Behavioral task: behavioral2
- Sample: BitShitBuilder.exe
- Resource: win10v2004-20220812-en

Behavioral task: behavioral3
- Sample: data/modules/hvnc.exe
- Resource: win10v2004-20221111-en

Behavioral task: behavioral4
- Sample: data/tor/tor.exe
- Resource: win10v2004-20221111-en
General
- Target: BitRat Cracked.exe
- Size: 28.7MB
- MD5: cf7429f7c62ad8bd2e3badc42befbb3a
- SHA1: c93f97d3db5e3ee06611ca4b4e037d024098e94f
- SHA256: a52e2fd8be23a1efd9eb4d0b165f30a089c129a790c9d4b65acef032fbd44c8e
- SHA512: 5cc5ed688d3a83087f59141adf32d8e37678e483170bdfdced8bc7d287e4b8a521d526265068d7c423f5582522e315283cece5e32480b4d8c5dabf506609f565
- SSDEEP: 393216:6oirBgdxc1lGOHYae79hLhq3QXCjHnLAusN/IaXwQVL9YbE0kmCGJ6GLR5YjIn4S:H/TOHCHtq3QXCT4t79YbE0RJPOxtH5O
Malware Config
Extracted
- Family: quasar
- Version: 2.1.0.0
- Tag: Office04
- C2: smtp.yassine-bolard.nl:72
- C2: 82.65.150.176:72
- Mutex: VNM_MUTEX_c2q7y2ayYutZ2XaYe7
- encryption_key: oacDd8MguAxsN1YILaEK
- install_name: $77Discord.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Discord_Update
- subdirectory: Discord_Updater
Signatures
-
Contains code to disable Windows Defender 5 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes (resource, yara_rule):
- C:\Program Files\Windows_Apps\$77-Venom72.exe (disable_win_def, x2)
- behavioral1/memory/2596-158-0x0000000000A90000-0x0000000000B26000-memory.dmp (disable_win_def)
- C:\Windows\SysWOW64\Discord_Updater\$77Discord.exe (disable_win_def, x2)
Modifies Windows Defender Real-time Protection settings
Processes (process, description, ioc):
- $77-Venom72.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
- $77-Venom72.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- $77-Venom72.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- $77-Venom72.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
Quasar payload 5 IoCs
Processes (resource, yara_rule):
- C:\Program Files\Windows_Apps\$77-Venom72.exe (family_quasar, x2)
- behavioral1/memory/2596-158-0x0000000000A90000-0x0000000000B26000-memory.dmp (family_quasar)
- C:\Windows\SysWOW64\Discord_Updater\$77Discord.exe (family_quasar, x2)
Nirsoft 5 IoCs
Processes (resource, yara_rule):
- C:\Program Files\Windows_Security\AdvancedRun.exe (Nirsoft, x5)
Executes dropped EXE 10 IoCs
Processes (pid, process):
- 4224 Discord.exe
- 2204 BitRAT_fix-cleaned.exe
- 4056 Discord.exe
- 4164 Discord1.exe
- 964 AdvancedRun.exe
- 4536 AdvancedRun.exe
- 2596 $77-Venom72.exe
- 4824 AdvancedRun.exe
- 3000 AdvancedRun.exe
- 2160 $77Discord.exe
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation, by each of:
- Discord.exe
- Discord.exe
- Discord1.exe
- AdvancedRun.exe
- AdvancedRun.exe
- $77-Venom72.exe
- BitRat Cracked.exe
Loads dropped DLL 3 IoCs
Processes (pid, process):
- 2204 BitRAT_fix-cleaned.exe (x3)
Windows security modification
Processes (process, description, ioc):
- $77-Venom72.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
- $77-Venom72.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
- flow 12: ip-api.com
Drops file in System32 directory 5 IoCs
Processes (description, ioc, process):
- File opened for modification: C:\Windows\SysWOW64\Discord_Updater\$77Discord.exe ($77-Venom72.exe)
- File opened for modification: C:\Windows\SysWOW64\Discord_Updater\$77Discord.exe ($77Discord.exe)
- File opened for modification: C:\Windows\SysWOW64\Discord_Updater ($77Discord.exe)
- File created: C:\Windows\SysWOW64\Discord_Updater\r77-x64.dll ($77-Venom72.exe)
- File created: C:\Windows\SysWOW64\Discord_Updater\$77Discord.exe ($77-Venom72.exe)
Drops file in Program Files directory 64 IoCs
Processes (description, ioc); the process is BitRat Cracked.exe for every entry:
- File opened for modification: C:\Program Files\Windows_Update\data\media\flags\ua.png
- File created: C:\Program Files\Windows_Update\data\tor\libcrypto-1_1.dll
- File created: C:\Program Files\Windows_Update\data\tor\zlib1.dll
- File created: C:\Program Files\Windows_Update\data\media\status\away.png
- File opened for modification: C:\Program Files\Windows_Update\data\media\flags\bb.png
- File created: C:\Program Files\Windows_Update\data\media\flags\mr.png
- File created: C:\Program Files\Windows_Update\data\media\flags\nz.png
- File opened for modification: C:\Program Files\Windows_Update\data\media\flags\sc.png
- File opened for modification: C:\Program Files\Windows_Update\data\plugins\inj64.plg
- File created: C:\Program Files\Windows_Update\data\media\flags\id.png
- File opened for modification: C:\Program Files\Windows_Update\data\media\flags\mc.png
- File opened for modification: C:\Program Files\Windows_Update\data\media\flags\do.png
- File created: C:\Program Files\Windows_Update\data\media\flags\mn.png
- File created: C:\Program Files\Windows_Update\data\media\flags\tt.png
- File opened for modification: C:\Program Files\Windows_Update\data\tor\libssp-0.dll
- File created: C:\Program Files\Windows_Update\data\media\flags\az.png
- File created: C:\Program Files\Windows_Update\data\media\flags\cv.png
- File created: C:\Program Files\Windows_Update\data\media\misc\signal1.png
- File created: C:\Program Files\Windows_Update\data\media\flags\ye.png
- File opened for modification: C:\Program Files\Windows_Update\data\tor\libevent_extra-2-1-6.dll
- File created: C:\Program Files\Windows_Update\data\media\flags\ax.png
- File created: C:\Program Files\Windows_Update\data\media\flags\ie.png
- File opened for modification: C:\Program Files\Windows_Update\data\media\flags\ro.png
- File created: C:\Program Files\Windows_Update\data\media\flags\sn.png
- File created: C:\Program Files\Windows_Update\data\media\flags\wf.png
- File opened for modification: C:\Program Files\Windows_Update\data\media\flags\cl.png
- File opened for modification: C:\Program Files\Windows_Update\data\media\flags\mo.png
- File opened for modification: C:\Program Files\Windows_Update\data\media\flags\pw.png
- File opened for modification: C:\Program Files\Windows_Update\data\media\flags\mm.png
- File created: C:\Program Files\Windows_Update\data\media\flags\ms.png
- File created: C:\Program Files\Windows_Update\data\media\flags\pw.png
- File created: C:\Program Files\Windows_Update\data\media\flags\ru.png
- File created: C:\Program Files\Windows_Update\data\media\flags\ba.png
- File created: C:\Program Files\Windows_Update\data\media\flags\bm.png
- File opened for modification: C:\Program Files\Windows_Update\data\media\flags\kz.png
- File created: C:\Program Files\Windows_Update\data\media\flags\kr.png
- File opened for modification: C:\Program Files\Windows_Update\data\media\flags\mw.png
- File created: C:\Program Files\Windows_Update\data\media\flags\tz.png
- File created: C:\Program Files\Windows_Update\data\media\flags\sl.png
- File created: C:\Program Files\Windows_Update\BitRAT_fix-cleaned.exe
- File opened for modification: C:\Program Files\Windows_Update\data\plugins\ar.plg
- File opened for modification: C:\Program Files\Windows_Update\data\media\flags\gy.png
- File opened for modification: C:\Program Files\Windows_Update\data\media\flags\bz.png
- File created: C:\Program Files\Windows_Update\data\media\flags\ly.png
- File opened for modification: C:\Program Files\Windows_Update\data\media\flags\sd.png
- File opened for modification: C:\Program Files\Windows_Update\data\media\flags\ug.png
- File created: C:\Program Files\Windows_Update\BouncyCastle.Crypto.dll
- File opened for modification: C:\Program Files\Windows_Update\data\media\audio\online.wav
- File created: C:\Program Files\Windows_Update\data\media\flags\bg.png
- File opened for modification: C:\Program Files\Windows_Update\data\media\flags\mz.png
- File opened for modification: C:\Program Files\Windows_Update\data\media\status\online.png
- File created: C:\Program Files\Windows_Update\data\media\flags\vc.png
- File created: C:\Program Files\Windows_Update\data\media\flags\bi.png
- File created: C:\Program Files\Windows_Update\data\media\flags\gd.png
- File opened for modification: C:\Program Files\Windows_Update\data\media\flags\tz.png
- File created: C:\Program Files\Windows_Update\data\media\flags\ml.png
- File opened for modification: C:\Program Files\Windows_Update\data\media\misc\user.png
- File created: C:\Program Files\Windows_Update\data\media\flags\do.png
- File opened for modification: C:\Program Files\Windows_Update\data\media\flags\fi.png
- File created: C:\Program Files\Windows_Update\data\media\flags\gf.png
- File created: C:\Program Files\Windows_Update\data\media\flags\nr.png
- File created: C:\Program Files\Windows_Update\data\media\flags\ug.png
- File created: C:\Program Files\Windows_Update\ObjectListView.dll
- File created: C:\Program Files\Windows_Update\Zeroit.Framework.UIThemes.dll
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid, process):
- 2168 schtasks.exe
- 4020 schtasks.exe
Suspicious behavior: EnumeratesProcesses 59 IoCs
Processes (pid, process, number of hits):
- 964 AdvancedRun.exe (x4)
- 4536 AdvancedRun.exe (x4)
- 4824 AdvancedRun.exe (x4)
- 3000 AdvancedRun.exe (x4)
- 2204 BitRAT_fix-cleaned.exe (x34)
- 4256 powershell.exe (x2)
- 2596 $77-Venom72.exe (x7)
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes (token, pid, process):
- SeDebugPrivilege: 964 AdvancedRun.exe
- SeImpersonatePrivilege: 964 AdvancedRun.exe
- SeDebugPrivilege: 4536 AdvancedRun.exe
- SeImpersonatePrivilege: 4536 AdvancedRun.exe
- SeDebugPrivilege: 4824 AdvancedRun.exe
- SeDebugPrivilege: 3000 AdvancedRun.exe
- SeImpersonatePrivilege: 4824 AdvancedRun.exe
- SeImpersonatePrivilege: 3000 AdvancedRun.exe
- SeDebugPrivilege: 2596 $77-Venom72.exe
- SeDebugPrivilege: 4256 powershell.exe
- SeDebugPrivilege: 2160 $77Discord.exe (x2)
Suspicious use of SetWindowsHookEx 7 IoCs
Processes (pid, process):
- 4224 Discord.exe
- 4056 Discord.exe
- 4164 Discord1.exe
- 964 AdvancedRun.exe
- 4536 AdvancedRun.exe
- 2204 BitRAT_fix-cleaned.exe
- 2160 $77Discord.exe
Suspicious use of WriteProcessMemory 43 IoCs
Processes (source pid and process, target pid and process, number of hits):
- 4524 BitRat Cracked.exe wrote to memory of 4224 Discord.exe (x3)
- 4524 BitRat Cracked.exe wrote to memory of 2204 BitRAT_fix-cleaned.exe (x2)
- 4224 Discord.exe wrote to memory of 4056 Discord.exe (x3)
- 4224 Discord.exe wrote to memory of 4164 Discord1.exe (x3)
- 4056 Discord.exe wrote to memory of 964 AdvancedRun.exe (x2)
- 4056 Discord.exe wrote to memory of 4536 AdvancedRun.exe (x2)
- 4164 Discord1.exe wrote to memory of 2596 $77-Venom72.exe (x3)
- 964 AdvancedRun.exe wrote to memory of 4824 AdvancedRun.exe (x2)
- 4536 AdvancedRun.exe wrote to memory of 3000 AdvancedRun.exe (x2)
- 2596 $77-Venom72.exe wrote to memory of 2168 schtasks.exe (x3)
- 2596 $77-Venom72.exe wrote to memory of 2160 $77Discord.exe (x3)
- 2596 $77-Venom72.exe wrote to memory of 4256 powershell.exe (x3)
- 2160 $77Discord.exe wrote to memory of 4020 schtasks.exe (x3)
- 2596 $77-Venom72.exe wrote to memory of 1696 cmd.exe (x3)
- 1696 cmd.exe wrote to memory of 4480 cmd.exe (x3)
- 2596 $77-Venom72.exe wrote to memory of 868 cmd.exe (x3)
Processes (process tree; the bracketed number is the depth in the tree)
- [1] C:\Users\Admin\AppData\Local\Temp\BitRat Cracked.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\BitRat Cracked.exe"
  Signatures: Checks computer location settings; Drops file in Program Files directory; Suspicious use of WriteProcessMemory
  - [2] C:\Program Files\Windows_Update\Discord.exe
    Command line: "C:\Program Files\Windows_Update\Discord.exe" -pKazutoSan72@$%
    Signatures: Executes dropped EXE; Checks computer location settings; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - [3] C:\Program Files\Windows_Security\Discord.exe
      Command line: "C:\Program Files\Windows_Security\Discord.exe" -pKazutoSan72@$%?:YB381
      Signatures: Executes dropped EXE; Checks computer location settings; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - [4] C:\Program Files\Windows_Security\AdvancedRun.exe
        Command line: "C:\Program Files\Windows_Security\AdvancedRun.exe" /EXEFilename Test.bat /RunAs 8 /Run
        Signatures: Executes dropped EXE; Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - [5] C:\Program Files\Windows_Security\AdvancedRun.exe
          Command line: "C:\Program Files\Windows_Security\AdvancedRun.exe" /SpecialRun 14001f2b0 964
          Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - [4] C:\Program Files\Windows_Security\AdvancedRun.exe
        Command line: "C:\Program Files\Windows_Security\AdvancedRun.exe" /EXEFilename Test.bat /RunAs 8 /Run
        Signatures: Executes dropped EXE; Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - [5] C:\Program Files\Windows_Security\AdvancedRun.exe
          Command line: "C:\Program Files\Windows_Security\AdvancedRun.exe" /SpecialRun 14001f2b0 4536
          Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Program Files\Windows_Security\Discord1.exe
      Command line: "C:\Program Files\Windows_Security\Discord1.exe" -pKazutoSan72@$%?:YB381
      Signatures: Executes dropped EXE; Checks computer location settings; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - [4] C:\Program Files\Windows_Apps\$77-Venom72.exe
        Command line: "C:\Program Files\Windows_Apps\$77-Venom72.exe"
        Signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Checks computer location settings; Windows security modification; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\schtasks.exe
          Command line: "schtasks" /create /tn "Discord_Update" /sc ONLOGON /tr "C:\Program Files\Windows_Apps\$77-Venom72.exe" /rl HIGHEST /f
          Signatures: Creates scheduled task(s)
        - [5] C:\Windows\SysWOW64\Discord_Updater\$77Discord.exe
          Command line: "C:\Windows\SysWOW64\Discord_Updater\$77Discord.exe"
          Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          - [6] C:\Windows\SysWOW64\schtasks.exe
            Command line: "schtasks" /create /tn "Discord_Update" /sc ONLOGON /tr "C:\Windows\SysWOW64\Discord_Updater\$77Discord.exe" /rl HIGHEST /f
            Signatures: Creates scheduled task(s)
        - [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: "powershell" Get-MpPreference -verbose
          Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        - [5] C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
          Signatures: Suspicious use of WriteProcessMemory
          - [6] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
        - [5] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hOjZW2EA00sg.bat" "
  - [2] C:\Program Files\Windows_Update\BitRAT_fix-cleaned.exe
    Command line: "C:\Program Files\Windows_Update\BitRAT_fix-cleaned.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads