quasar | cb760ff3655cc34bbd5c4f42264703e45d5381259f1bb6416c61feb8667a856d

Analysis

max time kernel
140s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-12-2024 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

roarile.exe
Size

3.1MB
MD5

562bbec6f7effdc4c1b054833a331771
SHA1

394610de86c61959c31530c8e1415b7575067525
SHA256

cb760ff3655cc34bbd5c4f42264703e45d5381259f1bb6416c61feb8667a856d
SHA512

7a924145233f23d22b5255db2bb0c3796ef349f84c17e568a7078fad358e8be80679864316d27450fff8b9149d3d9a8472555bd89d67a6dbc0d52c5797f9f564
SSDEEP

49152:KvrI22SsaNYfdPBldt698dBcjHioe2ECsAk/6WUoGdExgTHHB72eh2NT:KvU22SsaNYfdPBldt6+dBcjHioe6F

Score

10^/10

quasar roar discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

roar

roarwasd12312-34767.portmap.host:34767

Mutex

9102d6bd-6fb5-4536-a902-98f788c7e43a

Attributes

encryption_key
C5904FDD788EA00F921C538B9FE80C0B0A0DE728
install_name
roar.exe
log_directory
Logs
reconnect_delay
3000
startup_key
discord
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 14 IoCs

resource	yara_rule
behavioral1/memory/352-1-0x00000000009E0000-0x0000000000D04000-memory.dmp	family_quasar
behavioral1/files/0x0008000000019227-6.dat	family_quasar
behavioral1/memory/3032-9-0x0000000001320000-0x0000000001644000-memory.dmp	family_quasar
behavioral1/memory/2824-23-0x00000000003C0000-0x00000000006E4000-memory.dmp	family_quasar
behavioral1/memory/1228-34-0x0000000000F90000-0x00000000012B4000-memory.dmp	family_quasar
behavioral1/memory/2960-45-0x0000000000280000-0x00000000005A4000-memory.dmp	family_quasar
behavioral1/memory/1504-56-0x0000000000980000-0x0000000000CA4000-memory.dmp	family_quasar
behavioral1/memory/624-67-0x00000000009F0000-0x0000000000D14000-memory.dmp	family_quasar
behavioral1/memory/2228-79-0x0000000000D00000-0x0000000001024000-memory.dmp	family_quasar
behavioral1/memory/1528-111-0x0000000000330000-0x0000000000654000-memory.dmp	family_quasar
behavioral1/memory/2364-122-0x00000000009C0000-0x0000000000CE4000-memory.dmp	family_quasar
behavioral1/memory/3064-133-0x00000000002D0000-0x00000000005F4000-memory.dmp	family_quasar
behavioral1/memory/1524-144-0x00000000008B0000-0x0000000000BD4000-memory.dmp	family_quasar
behavioral1/memory/2112-165-0x0000000000F30000-0x0000000001254000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
3032	roar.exe
2824	roar.exe
1228	roar.exe
2960	roar.exe
1504	roar.exe
624	roar.exe
2228	roar.exe
756	roar.exe
2536	roar.exe
1528	roar.exe
2364	roar.exe
3064	roar.exe
1524	roar.exe
1268	roar.exe
2112	roar.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1072	PING.EXE
1600	PING.EXE
2276	PING.EXE
2180	PING.EXE
2656	PING.EXE
1744	PING.EXE
1368	PING.EXE
1156	PING.EXE
3000	PING.EXE
2152	PING.EXE
1568	PING.EXE
1456	PING.EXE
2548	PING.EXE
2876	PING.EXE
1600	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1600	PING.EXE
2276	PING.EXE
1368	PING.EXE
2180	PING.EXE
1600	PING.EXE
1156	PING.EXE
3000	PING.EXE
2656	PING.EXE
1072	PING.EXE
1744	PING.EXE
1456	PING.EXE
2876	PING.EXE
1568	PING.EXE
2548	PING.EXE
2152	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1528	schtasks.exe
2712	schtasks.exe
2144	schtasks.exe
1232	schtasks.exe
1596	schtasks.exe
2856	schtasks.exe
2544	schtasks.exe
1624	schtasks.exe
3064	schtasks.exe
1700	schtasks.exe
2100	schtasks.exe
340	schtasks.exe
2912	schtasks.exe
1904	schtasks.exe
1544	schtasks.exe
1660	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	352	roarile.exe
Token: SeDebugPrivilege	3032	roar.exe
Token: SeDebugPrivilege	2824	roar.exe
Token: SeDebugPrivilege	1228	roar.exe
Token: SeDebugPrivilege	2960	roar.exe
Token: SeDebugPrivilege	1504	roar.exe
Token: SeDebugPrivilege	624	roar.exe
Token: SeDebugPrivilege	2228	roar.exe
Token: SeDebugPrivilege	756	roar.exe
Token: SeDebugPrivilege	2536	roar.exe
Token: SeDebugPrivilege	1528	roar.exe
Token: SeDebugPrivilege	2364	roar.exe
Token: SeDebugPrivilege	3064	roar.exe
Token: SeDebugPrivilege	1524	roar.exe
Token: SeDebugPrivilege	1268	roar.exe
Token: SeDebugPrivilege	2112	roar.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 352 wrote to memory of 1660	352	roarile.exe	30
PID 352 wrote to memory of 1660	352	roarile.exe	30
PID 352 wrote to memory of 1660	352	roarile.exe	30
PID 352 wrote to memory of 3032	352	roarile.exe	32
PID 352 wrote to memory of 3032	352	roarile.exe	32
PID 352 wrote to memory of 3032	352	roarile.exe	32
PID 3032 wrote to memory of 340	3032	roar.exe	33
PID 3032 wrote to memory of 340	3032	roar.exe	33
PID 3032 wrote to memory of 340	3032	roar.exe	33
PID 3032 wrote to memory of 2684	3032	roar.exe	35
PID 3032 wrote to memory of 2684	3032	roar.exe	35
PID 3032 wrote to memory of 2684	3032	roar.exe	35
PID 2684 wrote to memory of 820	2684	cmd.exe	37
PID 2684 wrote to memory of 820	2684	cmd.exe	37
PID 2684 wrote to memory of 820	2684	cmd.exe	37
PID 2684 wrote to memory of 2656	2684	cmd.exe	38
PID 2684 wrote to memory of 2656	2684	cmd.exe	38
PID 2684 wrote to memory of 2656	2684	cmd.exe	38
PID 2684 wrote to memory of 2824	2684	cmd.exe	40
PID 2684 wrote to memory of 2824	2684	cmd.exe	40
PID 2684 wrote to memory of 2824	2684	cmd.exe	40
PID 2824 wrote to memory of 2544	2824	roar.exe	41
PID 2824 wrote to memory of 2544	2824	roar.exe	41
PID 2824 wrote to memory of 2544	2824	roar.exe	41
PID 2824 wrote to memory of 2700	2824	roar.exe	43
PID 2824 wrote to memory of 2700	2824	roar.exe	43
PID 2824 wrote to memory of 2700	2824	roar.exe	43
PID 2700 wrote to memory of 2776	2700	cmd.exe	45
PID 2700 wrote to memory of 2776	2700	cmd.exe	45
PID 2700 wrote to memory of 2776	2700	cmd.exe	45
PID 2700 wrote to memory of 1072	2700	cmd.exe	46
PID 2700 wrote to memory of 1072	2700	cmd.exe	46
PID 2700 wrote to memory of 1072	2700	cmd.exe	46
PID 2700 wrote to memory of 1228	2700	cmd.exe	47
PID 2700 wrote to memory of 1228	2700	cmd.exe	47
PID 2700 wrote to memory of 1228	2700	cmd.exe	47
PID 1228 wrote to memory of 1528	1228	roar.exe	48
PID 1228 wrote to memory of 1528	1228	roar.exe	48
PID 1228 wrote to memory of 1528	1228	roar.exe	48
PID 1228 wrote to memory of 2948	1228	roar.exe	50
PID 1228 wrote to memory of 2948	1228	roar.exe	50
PID 1228 wrote to memory of 2948	1228	roar.exe	50
PID 2948 wrote to memory of 2432	2948	cmd.exe	52
PID 2948 wrote to memory of 2432	2948	cmd.exe	52
PID 2948 wrote to memory of 2432	2948	cmd.exe	52
PID 2948 wrote to memory of 1744	2948	cmd.exe	53
PID 2948 wrote to memory of 1744	2948	cmd.exe	53
PID 2948 wrote to memory of 1744	2948	cmd.exe	53
PID 2948 wrote to memory of 2960	2948	cmd.exe	54
PID 2948 wrote to memory of 2960	2948	cmd.exe	54
PID 2948 wrote to memory of 2960	2948	cmd.exe	54
PID 2960 wrote to memory of 2912	2960	roar.exe	55
PID 2960 wrote to memory of 2912	2960	roar.exe	55
PID 2960 wrote to memory of 2912	2960	roar.exe	55
PID 2960 wrote to memory of 2264	2960	roar.exe	57
PID 2960 wrote to memory of 2264	2960	roar.exe	57
PID 2960 wrote to memory of 2264	2960	roar.exe	57
PID 2264 wrote to memory of 560	2264	cmd.exe	59
PID 2264 wrote to memory of 560	2264	cmd.exe	59
PID 2264 wrote to memory of 560	2264	cmd.exe	59
PID 2264 wrote to memory of 1568	2264	cmd.exe	60
PID 2264 wrote to memory of 1568	2264	cmd.exe	60
PID 2264 wrote to memory of 1568	2264	cmd.exe	60
PID 2264 wrote to memory of 1504	2264	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\roarile.exe
"C:\Users\Admin\AppData\Local\Temp\roarile.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:352
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1660
- C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:340
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\6WJN8PXCQym1.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:820
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2656
  - - C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2544
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UIVUjwWo4Aoj.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2700
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2776
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1072
      - C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1528
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\y4Za7MXg1rXk.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2432
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1744
        
        C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2912
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\5CKAZ7oTqD0J.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:560
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1568
        
        C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3064
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YFk6KXy9eJtf.bat" "
        11⤵
        
        PID:1692
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1644
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1600
        
        C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:624
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1700
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VWudqeSPnVKV.bat" "
        13⤵
        
        PID:484
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2204
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1456
        
        C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1904
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\4O8x1wJ0LXSL.bat" "
        15⤵
        
        PID:3052
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2676
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2276
        
        C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:756
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2712
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dn3sFWKkk7sO.bat" "
        17⤵
        
        PID:2656
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2564
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2548
        
        C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2144
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\6CVaWbDtAlBY.bat" "
        19⤵
        
        PID:1516
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1328
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2180
        
        C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1232
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yVsrftvxSBMh.bat" "
        21⤵
        
        PID:1736
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1372
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1368
        
        C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2100
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\5z71uzQ5JCD5.bat" "
        23⤵
        
        PID:3020
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1416
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2876
        
        C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1624
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mPRBynVYU7xt.bat" "
        25⤵
        
        PID:1000
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:908
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1600
        
        C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1596
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YNqGDRjQKdo7.bat" "
        27⤵
        
        PID:1432
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:712
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1156
        
        C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1268
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1544
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VIKbysEQSelI.bat" "
        29⤵
        
        PID:2304
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2864
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3000
        
        C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2856
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Bh68oktr9AAm.bat" "
        31⤵
        
        PID:2696
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:1652
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2152
        
        C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
        32⤵
        
        PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4O8x1wJ0LXSL.bat

Filesize
205B

MD5
c6841ffa1152a48c77f04e3f6e56f070

SHA1
c9fdfbe2d8cbac6ebd4f20026b34954f9de742e2

SHA256
aa2bbd8f19b970a2f1d0652ab0abc49cca7d4912747af04868a106667b1ddff0

SHA512
9099122ef9696816d19081c76bca3c19074ed4261f21e0ec023a5839a14bf6264bc03790da42b69083c1fc69dc2dd2db96975ac5d369e462dec99da879b653ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\5CKAZ7oTqD0J.bat

Filesize
205B

MD5
4e9c9949d5a7e838bb5bad4d95bc9e82

SHA1
c4d4cdec379636514bace85ef366d428c56e2423

SHA256
ec0b7f64b31e98ea533449fec5edfd1ef121e46dbb23f398ddb4bd9645c6dc92

SHA512
6eb52f5169eabde6056c1bf77e5e20376df7b849f2d60188656c36451dade38eea23df996bcc861f1dac10d14fdf97ef1917d425d8a76bd262f2dc247914ee03

Download Submit
C:\Users\Admin\AppData\Local\Temp\5z71uzQ5JCD5.bat

Filesize
205B

MD5
880c0b8cf5615eb5e306821fc838b40a

SHA1
7ba410fb872cd15c2fae566a92f6d7d1ca8c49f4

SHA256
18bd8d4a7e5a2fcb648ce4684417baafcc450f95532050a5fd2b6658f86d2f8f

SHA512
59336c7b515996ab7306a4b744899959f5293242b4822e694e77c5aad67a120e65bb8f2185feefdf59299dc232c90afa017ea57f5b86dcdcee3ab5bbc226d3fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\6CVaWbDtAlBY.bat

Filesize
205B

MD5
d8722141f74f56d01007c55e70a3f614

SHA1
f498a2fe3ed0f8d61931b0bb1bfd974f34fabc22

SHA256
056d026047b40ae634016521cb5a8909288d324ea50951f37919955563271a24

SHA512
95592cceefa75127f6219cf88051c8df4dc3ef9f4fd47820c72c4fa19b13e5a36a21658cbf16504e04efd82271a0eae32c3c29039b22023fe7ec67d230d16792

Download Submit
C:\Users\Admin\AppData\Local\Temp\6WJN8PXCQym1.bat

Filesize
205B

MD5
3f8ec5c552d865b0ae4a97618fd3e0fc

SHA1
641dab71ae5bfc9f69ed84a971cbe443a82b1626

SHA256
2f65237cf87363cae08be7a7fe42add2fcce4179c42fe9755e51079f8e46eaff

SHA512
444b1d6f51059797177c218074b66fb24c2fca82025a472f828517ae61048b25f874977cda9c6e02df93e319b139aa1513287d880d250e068d73359d87ef9ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bh68oktr9AAm.bat

Filesize
205B

MD5
64831a0ca57271f7f10f4ec1faac5fda

SHA1
90be05aa2c97423be0277c4ce4dbcdb8c12a792e

SHA256
d9819890e9a8e3e7134d34ed8e2837d28d0634a72f6cc0ef82b64fa9c0708a36

SHA512
451a2223be3d0f99aacf7bc6cc2f7b7488510f845ae6166bf0a49a638f0ffc2a3aca36d5c77bc02f58752633d0a741c5595e74a3b1e91c229c49672c4d8502a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIVUjwWo4Aoj.bat

Filesize
205B

MD5
15342d49b1e65588e772bf44aa060a73

SHA1
221be7046a41f9f0e29e49520775839a5fa1eadb

SHA256
20645c414beb1e8a879d5b2a9909317db2d467a7b67c45474176f62587f82512

SHA512
235704c23fbe8ea1da38386951e30d10d1c8ae4da0f84b62913dc8faa202395da9ff006b5a9b365adbdc911f2637adff2721a08223132b365c9a2c1df439cc99

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIKbysEQSelI.bat

Filesize
205B

MD5
15ab3322dec2bc6fc0171db46a0e2de7

SHA1
2ae73c69812c4528a29a466d1474bf34f34a7ebc

SHA256
74f4c66346c4dadeec2018dff4fad054d87dbd2fb04bbc665dd66d4213f31349

SHA512
914329d843bda67423d7d0f6f02aa1f7206a764936d971367562ba902f8ef4ec66801a2445a9de5c534fa99fd844c4d05336fcea8d178ffc9e8d9911b109c1ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\VWudqeSPnVKV.bat

Filesize
205B

MD5
60a12d7d5cb830a07cdf9f8c28e5bc3f

SHA1
fca07e191c4ba5158878a5cdd353c5d56f9e1650

SHA256
b7a318f170b98e3b51ea294fd6918ee6a67c56a1d79dd507fb7265819753b4b5

SHA512
eb8315d5e9e74759c5ed19b545cfe09a235175d7f410db1fdfb415611570b83699babd1cf35f8c166ac705a43870edd4f85e89a8c3501cb003207225d8057525

Download Submit
C:\Users\Admin\AppData\Local\Temp\YFk6KXy9eJtf.bat

Filesize
205B

MD5
7968b8f060f68c538b1c66e5dfd42058

SHA1
166e7fe16bb7c402e8671994181aba1abdb360f3

SHA256
5817e96be2bbd84732afb84ac788a9769a34a8e35217c44a2291eca439aa9ad0

SHA512
29cb09639df0404ad7ce0da6d180117580888b4d34ff3b9d1ab99f4b494a1829a7e68db044b8ca5b8752dc0115a8aaec0fe2878628a49126de759d0f78e9e81d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YNqGDRjQKdo7.bat

Filesize
205B

MD5
af423e67cc9f8c5f7973053f6c30e5f8

SHA1
ac4675c55669284af711844ffd06c7d454857124

SHA256
fe602b3f21afba377971b74032377949a2c36cd434fb8bb0f9a7ddde7e4cc352

SHA512
f9100f877682bcd68b205e7fae0dda548666b166dfaf59474ebc03a7ef0ef684010a0c6a945378a34cff70294a45451392c138e97fba122c7280ed66858fa169

Download Submit
C:\Users\Admin\AppData\Local\Temp\dn3sFWKkk7sO.bat

Filesize
205B

MD5
8b99e48fb2a35de06d3fe78175dd2491

SHA1
297aa31270eda8a87b8449ff3e42ddb09a70b979

SHA256
e973e16bbdf683091cf24a12204892e38af26f1983df06eded7bcbeea217f0f9

SHA512
6bcd71311deda4737567e5e0cb6ff316464294f52a959f0fc67121a1d10ef5f075b52475fdc5dd37cc5c073f3f6de0cec34e8e3d2ef16853f58208d8f3adac14

Download Submit
C:\Users\Admin\AppData\Local\Temp\mPRBynVYU7xt.bat

Filesize
205B

MD5
bdaa423fcdc4d8ba5894d9b2e7997a54

SHA1
b3c52e95b20fb850ed87fdf2f1afc44d28a539be

SHA256
6ea24f8257144ee5910ea1cb3c386be55b132d0fd1dde03567cd8fe1d859541c

SHA512
8d2bff29d4f0d9595fba904348f291a677d031f89970a2ab0c90fae49125371a2fd3513293a1273d8fd2372446fae99a278c65277c3f700d17b97cdc1ad2ba94

Download Submit
C:\Users\Admin\AppData\Local\Temp\y4Za7MXg1rXk.bat

Filesize
205B

MD5
e08d279f2821a8297dd83887bd5a1b56

SHA1
e69e0e5ab6064f410fb88cc536c0ddd23f89e8d9

SHA256
a783f99a51f38337f0757ae9dd62d0ac669f20393920062341fb15fc1b00f2bb

SHA512
4126d3801f359c1c0bd716e4ac8601be589982774b34c3a0a080777dad30aae39d05f5a195fb9eb61054a365be27f1593ae9da4757515a0558fa1dff16f652db

Download Submit
C:\Users\Admin\AppData\Local\Temp\yVsrftvxSBMh.bat

Filesize
205B

MD5
ff4d8bd089e2b2e11ab8bb18aadbbe6a

SHA1
9d1be9ef9b176d0fb6b19c265eef129fd8c2f1d4

SHA256
1fa673dadc4d2e16e7dff070151d0d0c2a88290b110c25ae76a0c88b1737cb61

SHA512
bb8147e22171e9ebd199acd13369239379b85cb5546919a44cb3df7b2ac5ad001f17a645a3b78b454c74e4331d1ec5f31e69d66d95f5add5fcf208cf91b837be

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\roar.exe

Filesize
1.8MB

MD5
c6b8e8f2966fd0e69006194c157be4c0

SHA1
f43126a6bcdfb2066d8352520e55ad85183f85c4

SHA256
280adf4eeac6a6e4209fd98002b790001f98a6e9422a7ca47fc616d2e605f3cf

SHA512
e40ee1ef4228a93e9cb8bb6491b641c8ba8c80ad4faa4a6c01ba53642f244e4843ed79e4f877a4f77e8ba3f99e82e68bc5a10f6b439f4667188e6c0598eea5d5

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\roar.exe

Filesize
3.1MB

MD5
562bbec6f7effdc4c1b054833a331771

SHA1
394610de86c61959c31530c8e1415b7575067525

SHA256
cb760ff3655cc34bbd5c4f42264703e45d5381259f1bb6416c61feb8667a856d

SHA512
7a924145233f23d22b5255db2bb0c3796ef349f84c17e568a7078fad358e8be80679864316d27450fff8b9149d3d9a8472555bd89d67a6dbc0d52c5797f9f564

Download Submit
memory/352-2-0x000007FEF6080000-0x000007FEF6A6C000-memory.dmp

Filesize
9.9MB

Download
memory/352-0-0x000007FEF6083000-0x000007FEF6084000-memory.dmp

Filesize
4KB

Download
memory/352-1-0x00000000009E0000-0x0000000000D04000-memory.dmp

Filesize
3.1MB

Download
memory/352-10-0x000007FEF6080000-0x000007FEF6A6C000-memory.dmp

Filesize
9.9MB

Download
memory/624-67-0x00000000009F0000-0x0000000000D14000-memory.dmp

Filesize
3.1MB

Download
memory/1228-34-0x0000000000F90000-0x00000000012B4000-memory.dmp

Filesize
3.1MB

Download
memory/1504-56-0x0000000000980000-0x0000000000CA4000-memory.dmp

Filesize
3.1MB

Download
memory/1524-144-0x00000000008B0000-0x0000000000BD4000-memory.dmp

Filesize
3.1MB

Download
memory/1528-111-0x0000000000330000-0x0000000000654000-memory.dmp

Filesize
3.1MB

Download
memory/2112-165-0x0000000000F30000-0x0000000001254000-memory.dmp

Filesize
3.1MB

Download
memory/2228-79-0x0000000000D00000-0x0000000001024000-memory.dmp

Filesize
3.1MB

Download
memory/2364-122-0x00000000009C0000-0x0000000000CE4000-memory.dmp

Filesize
3.1MB

Download
memory/2604-176-0x0000000001060000-0x0000000001384000-memory.dmp

Filesize
3.1MB

Download
memory/2824-23-0x00000000003C0000-0x00000000006E4000-memory.dmp

Filesize
3.1MB

Download
memory/2960-45-0x0000000000280000-0x00000000005A4000-memory.dmp

Filesize
3.1MB

Download
memory/3032-21-0x000007FEF6080000-0x000007FEF6A6C000-memory.dmp

Filesize
9.9MB

Download
memory/3032-11-0x000007FEF6080000-0x000007FEF6A6C000-memory.dmp

Filesize
9.9MB

Download
memory/3032-9-0x0000000001320000-0x0000000001644000-memory.dmp

Filesize
3.1MB

Download
memory/3032-8-0x000007FEF6080000-0x000007FEF6A6C000-memory.dmp

Filesize
9.9MB

Download
memory/3064-133-0x00000000002D0000-0x00000000005F4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads