quasar | cb760ff3655cc34bbd5c4f42264703e45d5381259f1bb6416c61feb8667a856d

Analysis

max time kernel
147s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
09-12-2024 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

roarile.exe
Size

3.1MB
MD5

562bbec6f7effdc4c1b054833a331771
SHA1

394610de86c61959c31530c8e1415b7575067525
SHA256

cb760ff3655cc34bbd5c4f42264703e45d5381259f1bb6416c61feb8667a856d
SHA512

7a924145233f23d22b5255db2bb0c3796ef349f84c17e568a7078fad358e8be80679864316d27450fff8b9149d3d9a8472555bd89d67a6dbc0d52c5797f9f564
SSDEEP

49152:KvrI22SsaNYfdPBldt698dBcjHioe2ECsAk/6WUoGdExgTHHB72eh2NT:KvU22SsaNYfdPBldt6+dBcjHioe6F

Score

10^/10

quasar roar discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

roar

roarwasd12312-34767.portmap.host:34767

Mutex

9102d6bd-6fb5-4536-a902-98f788c7e43a

Attributes

encryption_key
C5904FDD788EA00F921C538B9FE80C0B0A0DE728
install_name
roar.exe
log_directory
Logs
reconnect_delay
3000
startup_key
discord
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/5012-1-0x0000000000A50000-0x0000000000D74000-memory.dmp	family_quasar
behavioral1/files/0x001e00000002aac8-6.dat	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
3464	roar.exe
3280	roar.exe
3520	roar.exe
572	roar.exe
5104	roar.exe
2800	roar.exe
4336	roar.exe
560	roar.exe
2952	roar.exe
4872	roar.exe
3152	roar.exe
2928	roar.exe
5116	roar.exe
4164	roar.exe
4332	roar.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2976	PING.EXE
3540	PING.EXE
1436	PING.EXE
4752	PING.EXE
456	PING.EXE
4280	PING.EXE
2940	PING.EXE
1600	PING.EXE
4628	PING.EXE
1772	PING.EXE
5072	PING.EXE
4820	PING.EXE
4748	PING.EXE
4008	PING.EXE
2076	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
4752	PING.EXE
4280	PING.EXE
3540	PING.EXE
4748	PING.EXE
1600	PING.EXE
4820	PING.EXE
456	PING.EXE
4008	PING.EXE
5072	PING.EXE
2940	PING.EXE
1436	PING.EXE
2076	PING.EXE
4628	PING.EXE
2976	PING.EXE
1772	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
440	schtasks.exe
1468	schtasks.exe
3624	schtasks.exe
4880	schtasks.exe
1292	schtasks.exe
3980	schtasks.exe
2308	schtasks.exe
3628	schtasks.exe
4352	schtasks.exe
1412	schtasks.exe
2924	schtasks.exe
4188	schtasks.exe
5084	schtasks.exe
2024	schtasks.exe
4568	schtasks.exe
32	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	5012	roarile.exe
Token: SeDebugPrivilege	3464	roar.exe
Token: SeDebugPrivilege	3280	roar.exe
Token: SeDebugPrivilege	3520	roar.exe
Token: SeDebugPrivilege	572	roar.exe
Token: SeDebugPrivilege	5104	roar.exe
Token: SeDebugPrivilege	2800	roar.exe
Token: SeDebugPrivilege	4336	roar.exe
Token: SeDebugPrivilege	560	roar.exe
Token: SeDebugPrivilege	2952	roar.exe
Token: SeDebugPrivilege	4872	roar.exe
Token: SeDebugPrivilege	3152	roar.exe
Token: SeDebugPrivilege	2928	roar.exe
Token: SeDebugPrivilege	5116	roar.exe
Token: SeDebugPrivilege	4164	roar.exe
Token: SeDebugPrivilege	4332	roar.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 4188	5012	roarile.exe	77
PID 5012 wrote to memory of 4188	5012	roarile.exe	77
PID 5012 wrote to memory of 3464	5012	roarile.exe	79
PID 5012 wrote to memory of 3464	5012	roarile.exe	79
PID 3464 wrote to memory of 4880	3464	roar.exe	80
PID 3464 wrote to memory of 4880	3464	roar.exe	80
PID 3464 wrote to memory of 4180	3464	roar.exe	82
PID 3464 wrote to memory of 4180	3464	roar.exe	82
PID 4180 wrote to memory of 380	4180	cmd.exe	84
PID 4180 wrote to memory of 380	4180	cmd.exe	84
PID 4180 wrote to memory of 4748	4180	cmd.exe	85
PID 4180 wrote to memory of 4748	4180	cmd.exe	85
PID 4180 wrote to memory of 3280	4180	cmd.exe	86
PID 4180 wrote to memory of 3280	4180	cmd.exe	86
PID 3280 wrote to memory of 5084	3280	roar.exe	87
PID 3280 wrote to memory of 5084	3280	roar.exe	87
PID 3280 wrote to memory of 1652	3280	roar.exe	89
PID 3280 wrote to memory of 1652	3280	roar.exe	89
PID 1652 wrote to memory of 3436	1652	cmd.exe	91
PID 1652 wrote to memory of 3436	1652	cmd.exe	91
PID 1652 wrote to memory of 4752	1652	cmd.exe	92
PID 1652 wrote to memory of 4752	1652	cmd.exe	92
PID 1652 wrote to memory of 3520	1652	cmd.exe	93
PID 1652 wrote to memory of 3520	1652	cmd.exe	93
PID 3520 wrote to memory of 2024	3520	roar.exe	94
PID 3520 wrote to memory of 2024	3520	roar.exe	94
PID 3520 wrote to memory of 2592	3520	roar.exe	96
PID 3520 wrote to memory of 2592	3520	roar.exe	96
PID 2592 wrote to memory of 3512	2592	cmd.exe	98
PID 2592 wrote to memory of 3512	2592	cmd.exe	98
PID 2592 wrote to memory of 456	2592	cmd.exe	99
PID 2592 wrote to memory of 456	2592	cmd.exe	99
PID 2592 wrote to memory of 572	2592	cmd.exe	100
PID 2592 wrote to memory of 572	2592	cmd.exe	100
PID 572 wrote to memory of 4568	572	roar.exe	101
PID 572 wrote to memory of 4568	572	roar.exe	101
PID 572 wrote to memory of 1440	572	roar.exe	103
PID 572 wrote to memory of 1440	572	roar.exe	103
PID 1440 wrote to memory of 3668	1440	cmd.exe	105
PID 1440 wrote to memory of 3668	1440	cmd.exe	105
PID 1440 wrote to memory of 4008	1440	cmd.exe	106
PID 1440 wrote to memory of 4008	1440	cmd.exe	106
PID 1440 wrote to memory of 5104	1440	cmd.exe	107
PID 1440 wrote to memory of 5104	1440	cmd.exe	107
PID 5104 wrote to memory of 1292	5104	roar.exe	108
PID 5104 wrote to memory of 1292	5104	roar.exe	108
PID 5104 wrote to memory of 4564	5104	roar.exe	110
PID 5104 wrote to memory of 4564	5104	roar.exe	110
PID 4564 wrote to memory of 4636	4564	cmd.exe	112
PID 4564 wrote to memory of 4636	4564	cmd.exe	112
PID 4564 wrote to memory of 2076	4564	cmd.exe	113
PID 4564 wrote to memory of 2076	4564	cmd.exe	113
PID 4564 wrote to memory of 2800	4564	cmd.exe	114
PID 4564 wrote to memory of 2800	4564	cmd.exe	114
PID 2800 wrote to memory of 3628	2800	roar.exe	115
PID 2800 wrote to memory of 3628	2800	roar.exe	115
PID 2800 wrote to memory of 3048	2800	roar.exe	117
PID 2800 wrote to memory of 3048	2800	roar.exe	117
PID 3048 wrote to memory of 2392	3048	cmd.exe	119
PID 3048 wrote to memory of 2392	3048	cmd.exe	119
PID 3048 wrote to memory of 1600	3048	cmd.exe	120
PID 3048 wrote to memory of 1600	3048	cmd.exe	120
PID 3048 wrote to memory of 4336	3048	cmd.exe	121
PID 3048 wrote to memory of 4336	3048	cmd.exe	121

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\roarile.exe
"C:\Users\Admin\AppData\Local\Temp\roarile.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4188
- C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3464
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zbTmnZwW701x.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4180
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:380
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4748
  - - C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3280
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5084
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uyIbHU92BrL0.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1652
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3436
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4752
      - C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VBv6lA64fP1Z.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3512
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:456
        
        C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4568
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hm0hJaunUeyd.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3668
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4008
        
        C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1292
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\x7IPoeot1Rl0.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4636
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2076
        
        C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9fInLCMeJwEF.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2392
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1600
        
        C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4336
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svPUzDYNbQZd.bat" "
        15⤵
        
        PID:1324
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2840
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4628
        
        C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PdtvzcWOisBC.bat" "
        17⤵
        
        PID:4764
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2804
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4280
        
        C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l8RjVaWEyoHh.bat" "
        19⤵
        
        PID:4916
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1040
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2976
        
        C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4872
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2308
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YGcfw5lmu6Cr.bat" "
        21⤵
        
        PID:2964
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1724
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3540
        
        C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3152
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1412
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BgnCApIFDdA6.bat" "
        23⤵
        
        PID:3436
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:4752
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1772
        
        C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:32
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wTOrjHN8tP2U.bat" "
        25⤵
        
        PID:556
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:456
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1436
        
        C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5116
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Nbk92svFdeZq.bat" "
        27⤵
        
        PID:4536
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:3092
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5072
        
        C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4164
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NCxEFbfoS79S.bat" "
        29⤵
        
        PID:1860
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2556
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2940
        
        C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4332
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\b939Bb56DJix.bat" "
        31⤵
        
        PID:692
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:4552
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\roar.exe.log

Filesize
2KB

MD5
15eab799098760706ed95d314e75449d

SHA1
273fb07e40148d5c267ca53f958c5075d24c4444

SHA256
45030bd997f50bb52c481f7bc86fac5f375d08911bcc106b98d9d8f0c2ce9778

SHA512
50c125e2a98740db0a0122d7f4de97c50d84623e800b3d3e173049c8e28ff0fbe4add7677bc56cb2228f78ed17522f67ae8f1b85f62824012414ce38ce0b500c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9fInLCMeJwEF.bat

Filesize
205B

MD5
42b0b22a80ede2389a59323333c3ea2f

SHA1
f4c5c2cb5ad918af62443228bc1d0ece86f98abd

SHA256
a06cbe29ec074d7863f348ccc75c8127bb761eb0e8d8459c9399872c2eb08483

SHA512
3df7aab06dfb81faaef15713a567ec62b3fcd7512110a06aa0591544e5944f3b9aeff3896b0ca63d23701c0aeeebb27ade79bd0d5e68574c39d78f4e46ec808a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BgnCApIFDdA6.bat

Filesize
205B

MD5
3b6984c391bd7ea350ffd54e6893e226

SHA1
94f5ac580bf17b7d97c021d5a40e13c233de8440

SHA256
261d11c017828b58dfee7b5cbd3fc3752c154081ad3e5efda35368854af9dcf4

SHA512
b8badef8e65bbca2a2fa744b999a292ad900c202ca590ba16ce279a647b2bca6ecabc46cd4f5a777977d410014d2735c4520faff0a87c6b36a947b0537eeb819

Download Submit
C:\Users\Admin\AppData\Local\Temp\NCxEFbfoS79S.bat

Filesize
205B

MD5
59b7e895d29647cae53b017361e9b892

SHA1
573cb708eb0394e68664f41420709478fe42c42c

SHA256
ec22bcf2e29286539062d11b8badde6891d4b140322b991ba191e5c31300b9c7

SHA512
c54a349f4609be38ae21e15632efa52f175d46f43c5643aab1c48f35917ede02687bfc7ed4f107b0458d8fdbd273a4637f4efd970a8c19c383374725d3e5c4e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nbk92svFdeZq.bat

Filesize
205B

MD5
4a91238d97343c2b28e4fca6cfd7539f

SHA1
baa328110ea1474e769669ebe688cf63aa087bb6

SHA256
f5711f74e087974669a725aebccae40218338f8bc73e7aafec7b0bad3903eeb7

SHA512
8b60239b12aa3eb423d4088ff9de3b3f0c81e77201e7f53a6f643e4e3e6b94f932ca8f1e79b8e9d64cf83c3b810b99a9cda815b6eb50452853bc2b7fce16d461

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdtvzcWOisBC.bat

Filesize
205B

MD5
b10fe73ca7985d27ef6b1b437d9c5a45

SHA1
63929ed4046ed8d697a562f8df68f967685488c8

SHA256
761e58ac311b72282495152b33e686033fcc0af58527fbae0cd23a74bd726a43

SHA512
b90fd2a5aa042e29b410ba00b3139809ae078d198c2714ea53393874e2f7a6512fd9823e22a5865295ca3e58a6278785922df708de6ab1a1c5d76fa4e2189262

Download Submit
C:\Users\Admin\AppData\Local\Temp\VBv6lA64fP1Z.bat

Filesize
205B

MD5
978c2d855178d52b8b8d1b406b09b5d0

SHA1
92827d0687f32bbddc99e3c861a6fadcacc29bd2

SHA256
37b2801a5ee652758d6c8ed8a04973debb8da66230efa15c69353f9579caea22

SHA512
3958795850420de878b2ed9e66a8be50bd2be2ef0db6c0a6c2e5e15764402dd06b12d9b96333018c0f57b1649549dcd06685ddf3cd4c2b45a08e511538029f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\YGcfw5lmu6Cr.bat

Filesize
205B

MD5
1408b96d8188e616a3a7f663328d70b3

SHA1
1c021d186308c463791791d01abc1d2a97a563e1

SHA256
a2b4d7dc0256a6cf125ee9c8d6e329ea9fb4248946ba2df27fa04705e057f068

SHA512
937046a2852d59f724671f0527c889039e6bbd37b77bf6542f3d21115d8abae6d75aa514f98d56b901a9f3c6209e932073f1764df33b01e917c2b7054347587b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b939Bb56DJix.bat

Filesize
205B

MD5
76980d72de41cf720e8f95ec92258660

SHA1
0d813898578893c2dea8829cea42aed4c063e18b

SHA256
7210f232bc38404287d0f09166fc9dc48c103e07bdb1f378ea05cec37d270a23

SHA512
6cdc7f6a1f3080a5b30027dde603e35369f1f92c1b9c1f7cefd7812952f78dc2a4321f1e2ebe0c9f5411ebbc365578a56198bf935d685f0fb20c37ffabab32bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\hm0hJaunUeyd.bat

Filesize
205B

MD5
bb3f8061a9c2cf38ba8e4290093f9a0d

SHA1
4e27ca773249ec75c83c6daf492a214ee30a7c9a

SHA256
519da7148ac6dede5761d599b564a636ba9ef3349d83fab2386de852107f952f

SHA512
1e275cea818ca00892821c6bfa63a23b68ac09bcea259d0d802535bbb818244f6b91bea07b5d0479ebf6fe332dbc5618c034430b6c34178406c6d6859e9cc765

Download Submit
C:\Users\Admin\AppData\Local\Temp\l8RjVaWEyoHh.bat

Filesize
205B

MD5
9d4e8a4a58a41623c705acf50dbef63e

SHA1
768dbdad10b2ff548d380fb658bf9cf6aa051e8c

SHA256
07960096544ed7e0a5eb067e19a47ddab07bdb8b7cba9b374b395ace9441c9d0

SHA512
4b6b71c4482f2b44708386ccf865fcb369dfeb8fc51a5ec9302fd429ef455a2495971e16c0dad7042c295285b3e65ab5cbd19c7404f2c2b51530f5f9b84ad8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\svPUzDYNbQZd.bat

Filesize
205B

MD5
209692348498fc2c67df23fcb03aa931

SHA1
31a69e3d7e484fec4d1494b15205df01f2443c1b

SHA256
b657a8fddcb1281504f86f015eee8f764931222687b8ad22061e24d280579e11

SHA512
e7ed68d8219260c7561ef7ef96b9bfbfc3110c295a3d4df7029aa07ee8bf1373bca2f33d0dccd4a02ac9adc50a9b8182a7c670b0397ae70ee379ef5b4e7f1476

Download Submit
C:\Users\Admin\AppData\Local\Temp\uyIbHU92BrL0.bat

Filesize
205B

MD5
b1bab7ab280f4dab8b0b17f6aac3e11e

SHA1
e65c5d45f97598501a74e457a08248c76918ba35

SHA256
f6c148420123cbb005476d333c61d4ef7cd10ad8e59aa9e36e91d5ac35c0beb7

SHA512
bca35ccd85b3b1f9762adc027a99d510256e47507e497c7fbbd20d82ecd291c2796d31263b9b1b8d1238cafbe42d61ad0f170b028639f5fd6ed6cd5f2d4df907

Download Submit
C:\Users\Admin\AppData\Local\Temp\wTOrjHN8tP2U.bat

Filesize
205B

MD5
57934a2bb63d41ce4b0beff115fae368

SHA1
620762e44cd81773053a0fd9bf0facf4ff8a7814

SHA256
ab95c295575821c3f00c9eb41608794a663cb0c7dce331ff043632b5cf7fce74

SHA512
349ddd202fe91a7e269425bb04bd82e6b94eacc42764f5027b9d1ba8c1cab0e223da74cdb24f9a2645dc1297535b822298bebed647aac52bc182ec32ec8d148e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x7IPoeot1Rl0.bat

Filesize
205B

MD5
faee23dd076be3f97d142094aa0b8c59

SHA1
76f69e5e2a1129bf21ce996c5a55e49b0fc338cb

SHA256
3be68520439b4a007a8409cf2b23ed0cbb1b86914a66f30399acc49957a21493

SHA512
8df614b979463e236ebb42ca1caa3f3e7e8d9d9f21365d1b8b7e8eae52673b77ee1d3a727a581e36322f54fa48ce98bfaf2f76ad396d1617bffacfbe4491af80

Download Submit
C:\Users\Admin\AppData\Local\Temp\zbTmnZwW701x.bat

Filesize
205B

MD5
230ad801827e0dd27a73e83de5decb2a

SHA1
2be0406a07a25a4f64025ba7ef6cb9481f181dbb

SHA256
db930154adea6befd9bacf32f619080e5e03d4fbc200e3c76a96e232afd8289e

SHA512
7c5c4807da15bb57a4cce9cf69dec1c9dab2f4773f191de4583d9b35a368d049bf731bf07cc7d7952a5a6d8ddc7ae52a4270e900fd32bec2c49914d6e6e93619

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\roar.exe

Filesize
3.1MB

MD5
562bbec6f7effdc4c1b054833a331771

SHA1
394610de86c61959c31530c8e1415b7575067525

SHA256
cb760ff3655cc34bbd5c4f42264703e45d5381259f1bb6416c61feb8667a856d

SHA512
7a924145233f23d22b5255db2bb0c3796ef349f84c17e568a7078fad358e8be80679864316d27450fff8b9149d3d9a8472555bd89d67a6dbc0d52c5797f9f564

Download Submit
memory/3464-18-0x00007FF8EBB50000-0x00007FF8EC612000-memory.dmp

Filesize
10.8MB

Download
memory/3464-12-0x000000001C170000-0x000000001C1C0000-memory.dmp

Filesize
320KB

Download
memory/3464-11-0x00007FF8EBB50000-0x00007FF8EC612000-memory.dmp

Filesize
10.8MB

Download
memory/3464-10-0x00007FF8EBB50000-0x00007FF8EC612000-memory.dmp

Filesize
10.8MB

Download
memory/3464-13-0x000000001C280000-0x000000001C332000-memory.dmp

Filesize
712KB

Download
memory/5012-9-0x00007FF8EBB50000-0x00007FF8EC612000-memory.dmp

Filesize
10.8MB

Download
memory/5012-0-0x00007FF8EBB53000-0x00007FF8EBB55000-memory.dmp

Filesize
8KB

Download
memory/5012-2-0x00007FF8EBB50000-0x00007FF8EC612000-memory.dmp

Filesize
10.8MB

Download
memory/5012-1-0x0000000000A50000-0x0000000000D74000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads