quasar | cb760ff3655cc34bbd5c4f42264703e45d5381259f1bb6416c61feb8667a856d

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-12-2024 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

roarile.exe
Size

3.1MB
MD5

562bbec6f7effdc4c1b054833a331771
SHA1

394610de86c61959c31530c8e1415b7575067525
SHA256

cb760ff3655cc34bbd5c4f42264703e45d5381259f1bb6416c61feb8667a856d
SHA512

7a924145233f23d22b5255db2bb0c3796ef349f84c17e568a7078fad358e8be80679864316d27450fff8b9149d3d9a8472555bd89d67a6dbc0d52c5797f9f564
SSDEEP

49152:KvrI22SsaNYfdPBldt698dBcjHioe2ECsAk/6WUoGdExgTHHB72eh2NT:KvU22SsaNYfdPBldt6+dBcjHioe6F

Score

10^/10

quasar roar discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

roar

roarwasd12312-34767.portmap.host:34767

Mutex

9102d6bd-6fb5-4536-a902-98f788c7e43a

Attributes

encryption_key
C5904FDD788EA00F921C538B9FE80C0B0A0DE728
install_name
roar.exe
log_directory
Logs
reconnect_delay
3000
startup_key
discord
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/2988-1-0x0000000000B80000-0x0000000000EA4000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023c94-6.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	roar.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	roar.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	roar.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	roar.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	roar.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	roar.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	roar.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	roar.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	roar.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	roar.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	roar.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	roar.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	roar.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	roar.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	roar.exe

Executes dropped EXE 15 IoCs

pid	Process
5000	roar.exe
3440	roar.exe
1724	roar.exe
3472	roar.exe
3296	roar.exe
3564	roar.exe
3148	roar.exe
3804	roar.exe
4564	roar.exe
5040	roar.exe
4788	roar.exe
3200	roar.exe
848	roar.exe
4908	roar.exe
1120	roar.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3680	PING.EXE
1044	PING.EXE
3748	PING.EXE
4784	PING.EXE
2912	PING.EXE
1544	PING.EXE
3184	PING.EXE
1664	PING.EXE
744	PING.EXE
5064	PING.EXE
1768	PING.EXE
4544	PING.EXE
4656	PING.EXE
1728	PING.EXE
2632	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1664	PING.EXE
5064	PING.EXE
4544	PING.EXE
2912	PING.EXE
1544	PING.EXE
3680	PING.EXE
3184	PING.EXE
1044	PING.EXE
4784	PING.EXE
4656	PING.EXE
1728	PING.EXE
3748	PING.EXE
744	PING.EXE
2632	PING.EXE
1768	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3556	schtasks.exe
2716	schtasks.exe
3316	schtasks.exe
3592	schtasks.exe
4828	schtasks.exe
3484	schtasks.exe
2652	schtasks.exe
3240	schtasks.exe
4700	schtasks.exe
1636	schtasks.exe
4812	schtasks.exe
2136	schtasks.exe
4200	schtasks.exe
4996	schtasks.exe
2200	schtasks.exe
3968	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2988	roarile.exe
Token: SeDebugPrivilege	5000	roar.exe
Token: SeDebugPrivilege	3440	roar.exe
Token: SeDebugPrivilege	1724	roar.exe
Token: SeDebugPrivilege	3472	roar.exe
Token: SeDebugPrivilege	3296	roar.exe
Token: SeDebugPrivilege	3564	roar.exe
Token: SeDebugPrivilege	3148	roar.exe
Token: SeDebugPrivilege	3804	roar.exe
Token: SeDebugPrivilege	4564	roar.exe
Token: SeDebugPrivilege	5040	roar.exe
Token: SeDebugPrivilege	4788	roar.exe
Token: SeDebugPrivilege	3200	roar.exe
Token: SeDebugPrivilege	848	roar.exe
Token: SeDebugPrivilege	4908	roar.exe
Token: SeDebugPrivilege	1120	roar.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 4996	2988	roarile.exe	82
PID 2988 wrote to memory of 4996	2988	roarile.exe	82
PID 2988 wrote to memory of 5000	2988	roarile.exe	84
PID 2988 wrote to memory of 5000	2988	roarile.exe	84
PID 5000 wrote to memory of 2652	5000	roar.exe	85
PID 5000 wrote to memory of 2652	5000	roar.exe	85
PID 5000 wrote to memory of 912	5000	roar.exe	87
PID 5000 wrote to memory of 912	5000	roar.exe	87
PID 912 wrote to memory of 3484	912	cmd.exe	89
PID 912 wrote to memory of 3484	912	cmd.exe	89
PID 912 wrote to memory of 2912	912	cmd.exe	90
PID 912 wrote to memory of 2912	912	cmd.exe	90
PID 912 wrote to memory of 3440	912	cmd.exe	98
PID 912 wrote to memory of 3440	912	cmd.exe	98
PID 3440 wrote to memory of 3240	3440	roar.exe	99
PID 3440 wrote to memory of 3240	3440	roar.exe	99
PID 3440 wrote to memory of 1332	3440	roar.exe	101
PID 3440 wrote to memory of 1332	3440	roar.exe	101
PID 1332 wrote to memory of 3136	1332	cmd.exe	103
PID 1332 wrote to memory of 3136	1332	cmd.exe	103
PID 1332 wrote to memory of 4656	1332	cmd.exe	104
PID 1332 wrote to memory of 4656	1332	cmd.exe	104
PID 1332 wrote to memory of 1724	1332	cmd.exe	105
PID 1332 wrote to memory of 1724	1332	cmd.exe	105
PID 1724 wrote to memory of 2200	1724	roar.exe	106
PID 1724 wrote to memory of 2200	1724	roar.exe	106
PID 1724 wrote to memory of 3820	1724	roar.exe	108
PID 1724 wrote to memory of 3820	1724	roar.exe	108
PID 3820 wrote to memory of 4828	3820	cmd.exe	110
PID 3820 wrote to memory of 4828	3820	cmd.exe	110
PID 3820 wrote to memory of 1664	3820	cmd.exe	111
PID 3820 wrote to memory of 1664	3820	cmd.exe	111
PID 3820 wrote to memory of 3472	3820	cmd.exe	114
PID 3820 wrote to memory of 3472	3820	cmd.exe	114
PID 3472 wrote to memory of 3316	3472	roar.exe	115
PID 3472 wrote to memory of 3316	3472	roar.exe	115
PID 3472 wrote to memory of 4992	3472	roar.exe	117
PID 3472 wrote to memory of 4992	3472	roar.exe	117
PID 4992 wrote to memory of 1056	4992	cmd.exe	119
PID 4992 wrote to memory of 1056	4992	cmd.exe	119
PID 4992 wrote to memory of 1728	4992	cmd.exe	120
PID 4992 wrote to memory of 1728	4992	cmd.exe	120
PID 4992 wrote to memory of 3296	4992	cmd.exe	121
PID 4992 wrote to memory of 3296	4992	cmd.exe	121
PID 3296 wrote to memory of 4700	3296	roar.exe	122
PID 3296 wrote to memory of 4700	3296	roar.exe	122
PID 3296 wrote to memory of 4816	3296	roar.exe	124
PID 3296 wrote to memory of 4816	3296	roar.exe	124
PID 4816 wrote to memory of 4996	4816	cmd.exe	126
PID 4816 wrote to memory of 4996	4816	cmd.exe	126
PID 4816 wrote to memory of 1044	4816	cmd.exe	127
PID 4816 wrote to memory of 1044	4816	cmd.exe	127
PID 4816 wrote to memory of 3564	4816	cmd.exe	128
PID 4816 wrote to memory of 3564	4816	cmd.exe	128
PID 3564 wrote to memory of 3592	3564	roar.exe	129
PID 3564 wrote to memory of 3592	3564	roar.exe	129
PID 3564 wrote to memory of 4640	3564	roar.exe	131
PID 3564 wrote to memory of 4640	3564	roar.exe	131
PID 4640 wrote to memory of 2580	4640	cmd.exe	133
PID 4640 wrote to memory of 2580	4640	cmd.exe	133
PID 4640 wrote to memory of 3748	4640	cmd.exe	134
PID 4640 wrote to memory of 3748	4640	cmd.exe	134
PID 4640 wrote to memory of 3148	4640	cmd.exe	135
PID 4640 wrote to memory of 3148	4640	cmd.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\roarile.exe
"C:\Users\Admin\AppData\Local\Temp\roarile.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4996
- C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\phH9z65ZxdL5.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:912
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3484
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2912
  - - C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3440
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3240
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wP9RaS70mqEt.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1332
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3136
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4656
      - C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HjRK3PCZWcmN.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4828
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1664
        
        C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KEepOGoxZUQZ.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1056
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1728
        
        C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3296
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4700
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ohXQ4qWUs3at.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4996
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1044
        
        C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fVGvjBWLK7a3.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2580
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3748
        
        C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3148
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\76WUsZ6Iftk8.bat" "
        15⤵
        
        PID:2732
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2592
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:744
        
        C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3804
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4812
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IRmC8luzayRD.bat" "
        17⤵
        
        PID:2492
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1376
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1544
        
        C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4564
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4828
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8t3i4mGiU9CD.bat" "
        19⤵
        
        PID:632
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4500
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4784
        
        C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5040
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XLQ2Imj5Gr68.bat" "
        21⤵
        
        PID:4920
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3720
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2632
        
        C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4788
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0K6hNtdfgaZZ.bat" "
        23⤵
        
        PID:448
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1464
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3680
        
        C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3200
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oQwoHgkxvyn7.bat" "
        25⤵
        
        PID:2604
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:3524
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5064
        
        C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:848
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2136
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LfTqS07Mbp0O.bat" "
        27⤵
        
        PID:4480
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:3140
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1768
        
        C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4908
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ytsEJkh1wMuS.bat" "
        29⤵
        
        PID:4880
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:3804
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4544
        
        C:\Users\Admin\AppData\Roaming\SubDir\roar.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1120
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\roar.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IdFRU3rEiaiq.bat" "
        31⤵
        
        PID:4304
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:1540
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\roar.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0K6hNtdfgaZZ.bat

Filesize
205B

MD5
8119a3ff31bff0d34a5ce498d8a5ec51

SHA1
de065469c1b5cec2f555cab0beb05513267d31f6

SHA256
53a799fc17d7a2510a505208dca5726309d5906cbe61d81628380ec6297c2863

SHA512
50c40d42868776e3ba579f15a528018f5b1a83b83353d2477cd08591c270979d07c6fdcc339f5a91f29b7fd6376014c90b2e5bd30322686562329b0eb2e366e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\76WUsZ6Iftk8.bat

Filesize
205B

MD5
0991c8b39f16469da27b6aa4a0bec967

SHA1
a8a2c6b62aa0804c4d156369a3a6720af324ab57

SHA256
593d85fad0edc4370da70d3d069f04f174b673f8076611f010242f406afae762

SHA512
9af1e883e1008873029369f2618a9c670d8fb13f53effe703cac77aee136913cde7a0c0f6a5caa25b21bf91b8c076a9bdbee83352afed7e13dc58c06cd37d006

Download Submit
C:\Users\Admin\AppData\Local\Temp\8t3i4mGiU9CD.bat

Filesize
205B

MD5
dd66ea76468fa0b94b2b2d2f34d7f798

SHA1
2f93982a15e33164c6b19c1924d542315a6b81f2

SHA256
c0e49d8de64460bb8b16d3ee2d3070d239c27e2f86a25a8f3fa40a0a81c305f9

SHA512
e92e24f36e59a185e5c87082989a5664e6218c8e130e0aa41fbcc9e69f36a3f7e1fe67239c2634dfadf1dbafc7848873db6c5b207c6ee0a2b50e9edf3d1add8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HjRK3PCZWcmN.bat

Filesize
205B

MD5
7d0671de3c966d0d6e5c1ce2ad2e04fc

SHA1
76fc19af895309f64cfca7a126d746d1e28e2ff5

SHA256
3a43ecbdf683f41cb4b7b660907655291296830f94bef934203b27eb3e9f742d

SHA512
442dc18896e1620e4bbacf2eea77d1d22f1b4007d7f4a99ff7cfeb46da8d784094fa852179e81de10cd64453968873d7bc2d07767318fbf9b5c682936085ef19

Download Submit
C:\Users\Admin\AppData\Local\Temp\IRmC8luzayRD.bat

Filesize
205B

MD5
5fd1a400aecc93bb38ac75037102d7bc

SHA1
e2f025fc1b02ee0c98b663107589bf7ad991e6b4

SHA256
f8f398133b88db89c3a795aaee2113f13f6091ad4ddc00a6ef2a3cdb195a150b

SHA512
3a17257db1763c923383d7387773ab37475cf7866c5a372db597c69c20b1d116838931157d5fa187f575a073045d3d17fb9e35c884d19f7408e0c05e88623ead

Download Submit
C:\Users\Admin\AppData\Local\Temp\IdFRU3rEiaiq.bat

Filesize
205B

MD5
3f8235d0b9c604914574d594c2bf2c96

SHA1
b946a1d2742b1b713ce19d9a2554a4023f6e84e4

SHA256
8cdae87552ae67c3366f6a9ebd48e8a016e2a10aad77b98a56880c516060d632

SHA512
8874134bf05eec34822ff32f4d93eecd4292ebcdb90ef139044dff8267204b8caa9b79ca7cf66931072609c561563fbe8086c3e9e783257d9565f99b0f4d47d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEepOGoxZUQZ.bat

Filesize
205B

MD5
3fbbee1f71cda0f1dcedb4b15a683ee3

SHA1
9b10cb23a03c74a1ac49d48d83f057a3dacfa3ec

SHA256
3aad4df11857314c91c773a2bc87884cfecc3f0b7bcd1034bb5b5612ad01af04

SHA512
548640b0e4f4462a6769a4c2fa6cb24920d344ff0bd1dbfbf8280985ac382f109ba5e22e435c8c145a38f7ab13efe8cd8cd0a2d0f51f438f7c5c4cefc2c9c799

Download Submit
C:\Users\Admin\AppData\Local\Temp\LfTqS07Mbp0O.bat

Filesize
205B

MD5
70174ade0111a24ede6e5d627f924bdc

SHA1
2dace17c22e43b00c05868469c230c8f2fd73475

SHA256
facb6b5296289fdfb235e5deaf45f9227b333593eceea84576a2296a8bc50e34

SHA512
17f6c5593fa2db157fb6e84fdf782fb4aade5265ce6add4d8d241532d0942429ec0b925378c61502402c3302e40962879a7f3433e420f9d04106986cc5457f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XLQ2Imj5Gr68.bat

Filesize
205B

MD5
fa3f0389a3be4d48837b2b5c3df87ada

SHA1
15de266f1b9bb4359bd8166b02cbceb8cbbeeca1

SHA256
c9b4816f9d59f5709e91dc6f26ef610a4666b0de96ca57fb1e2e0d62ba8aaef3

SHA512
2bfe9896c1c8b226d9e1ff1c8e63dabd7199fa23b9d995abb4f81c58c80ee9e07dff77b7bbaa40314a04b8b91b3f285e545f7a1154a0b156ff7039c27ca60c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\fVGvjBWLK7a3.bat

Filesize
205B

MD5
fbafa784c1b1c2f84088ab6794cc9692

SHA1
983ae5d5f4ab11fc85d9efd3a6eda604e10044bb

SHA256
94b8d1db5200da5ae81dcdb484c381d2bf437817217e48d975893336ba7e0375

SHA512
57ad2f4e4bb41608ca0c58c15ae981cd6c563e560b45231efe15dc43cf4da2ea12cdbc5fd210f2003864e9ea1c7080c3613b9c332951225fc3f47ca6b816b645

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQwoHgkxvyn7.bat

Filesize
205B

MD5
84bd4933051ace9b0eca9ec39826d3b0

SHA1
0e5e63449e32e83738f83e1006de551577713c09

SHA256
029b6f65bd239134f0ba373ab9a0c2afe554908f92b26c1500b6cccec510fed6

SHA512
da22776da39a455273e2bd8d734e383f53ffd8711165c48376ec7fdd968c1dc97f986afcdf244e250a23d598bf791daf00569b49ce286c069aeab6426d776487

Download Submit
C:\Users\Admin\AppData\Local\Temp\ohXQ4qWUs3at.bat

Filesize
205B

MD5
5aba7a9389d844c26d39b583c962181b

SHA1
842bbb8ce0c677e7144687d6f596f1820c721874

SHA256
c23dee1334ebd7b1b59beb7ec4c1d25935e67327c11929d4f0f3eeaa7a550bc3

SHA512
57b0c3f606a2499fba6848647925b6bc6a551e2dfc90f1ac18e8d01b07dcaa6dccf9e707cbac68f6ff6f674046f94d43d34bfe410c9b849ede31afb561b6ea53

Download Submit
C:\Users\Admin\AppData\Local\Temp\phH9z65ZxdL5.bat

Filesize
205B

MD5
9b29d56300d64487501993015205fb53

SHA1
f1e38ced9e4866af6ef5d69b09fea8385cdca805

SHA256
474f09c9d068f53d075a2016b49aa881e73c682085c8b5b7a41a7f51caca4ab4

SHA512
eff1ba69469823fc88ffa7174a845963cb3baa28993cd9fe9fef912a456aa22cac638c657310ee169437f537243805df74de86fdc3d671f96b542084b39c8644

Download Submit
C:\Users\Admin\AppData\Local\Temp\wP9RaS70mqEt.bat

Filesize
205B

MD5
5f4a8106caad38fc585363aabf32b8ca

SHA1
e4584c2385fc1308dd6a2c3b1364cd1ccb0b6b55

SHA256
77076f244fe74d7b8ee5d6d243fb9e0b72f945ac76bc3f52229982abe25dfd94

SHA512
4fdfb42a94bdc634af203941d7edc4f20fa7fbf287d9257950295d527ec9b12c46df65eb507f9e30de373ca6bf43b3cbc65c000be5fb01f011fe70dfd7ffaeff

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytsEJkh1wMuS.bat

Filesize
205B

MD5
b4822528b42afa4b6fc67d2a8141865a

SHA1
05c03135e1925d48221f545569b7f02a1458cf18

SHA256
aad9f1f9c1cae8218d1d65a8a0c786a95f726b7464034e7ded4fba3dc3021590

SHA512
3233e4e00ad576a0cfc45027da7b91991d6777921122428e59fb83d9430f7a7b7c85cde74ed2bd12200007ce0e667b2a0e2e826fbdc5a510cb22fa4dc05b6bfa

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\roar.exe

Filesize
3.1MB

MD5
562bbec6f7effdc4c1b054833a331771

SHA1
394610de86c61959c31530c8e1415b7575067525

SHA256
cb760ff3655cc34bbd5c4f42264703e45d5381259f1bb6416c61feb8667a856d

SHA512
7a924145233f23d22b5255db2bb0c3796ef349f84c17e568a7078fad358e8be80679864316d27450fff8b9149d3d9a8472555bd89d67a6dbc0d52c5797f9f564

Download Submit
memory/2988-0-0x00007FFFD20B3000-0x00007FFFD20B5000-memory.dmp

Filesize
8KB

Download
memory/2988-9-0x00007FFFD20B0000-0x00007FFFD2B71000-memory.dmp

Filesize
10.8MB

Download
memory/2988-2-0x00007FFFD20B0000-0x00007FFFD2B71000-memory.dmp

Filesize
10.8MB

Download
memory/2988-1-0x0000000000B80000-0x0000000000EA4000-memory.dmp

Filesize
3.1MB

Download
memory/5000-18-0x00007FFFD20B0000-0x00007FFFD2B71000-memory.dmp

Filesize
10.8MB

Download
memory/5000-13-0x000000001D910000-0x000000001D9C2000-memory.dmp

Filesize
712KB

Download
memory/5000-12-0x000000001B870000-0x000000001B8C0000-memory.dmp

Filesize
320KB

Download
memory/5000-11-0x00007FFFD20B0000-0x00007FFFD2B71000-memory.dmp

Filesize
10.8MB

Download
memory/5000-10-0x00007FFFD20B0000-0x00007FFFD2B71000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads