quasar | 43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10

Analysis

max time kernel
142s
max time network
122s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 06:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WenzCord.exe
Size

3.1MB
MD5

f21aa436096afece0b8c39c36bf4a9ab
SHA1

976b74c6a4e59e59a812c06032aae71a0516236a
SHA256

43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10
SHA512

44500988e32db41452e83fcacfba7862fd1cc28ec1992b9040a408f155a5e6b416feb13dcf5afff690c615d51895476239575601cc255ecfb3973597ca13d15b
SSDEEP

49152:pvrI22SsaNYfdPBldt698dBcjHKO06CBxDPoGd9THHB72eh2NT:pvU22SsaNYfdPBldt6+dBcjH06O

Score

10^/10

quasar wenzcordrat discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

WenzCordRat

nickhill112-22345.portmap.host:22345

Mutex

7ee1db41-359a-46b2-bba3-791dc7cde5e1

Attributes

encryption_key
985DB7D034DB1B5D52F524873569DDDE4080F31C
install_name
WenzCord.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Update.exe
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 11 IoCs

resource	yara_rule
behavioral1/memory/1528-1-0x0000000000990000-0x0000000000CBA000-memory.dmp	family_quasar
behavioral1/files/0x000800000001932a-6.dat	family_quasar
behavioral1/memory/1200-8-0x0000000001130000-0x000000000145A000-memory.dmp	family_quasar
behavioral1/memory/2908-23-0x00000000001B0000-0x00000000004DA000-memory.dmp	family_quasar
behavioral1/memory/664-34-0x0000000000200000-0x000000000052A000-memory.dmp	family_quasar
behavioral1/memory/2132-45-0x0000000000CC0000-0x0000000000FEA000-memory.dmp	family_quasar
behavioral1/memory/1364-66-0x0000000000D30000-0x000000000105A000-memory.dmp	family_quasar
behavioral1/memory/2160-78-0x0000000000E90000-0x00000000011BA000-memory.dmp	family_quasar
behavioral1/memory/1256-99-0x0000000000F90000-0x00000000012BA000-memory.dmp	family_quasar
behavioral1/memory/2148-151-0x00000000000C0000-0x00000000003EA000-memory.dmp	family_quasar
behavioral1/memory/2044-163-0x0000000000360000-0x000000000068A000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
1200	WenzCord.exe
2908	WenzCord.exe
664	WenzCord.exe
2132	WenzCord.exe
1656	WenzCord.exe
1364	WenzCord.exe
2160	WenzCord.exe
2392	WenzCord.exe
1256	WenzCord.exe
316	WenzCord.exe
2256	WenzCord.exe
1124	WenzCord.exe
968	WenzCord.exe
2148	WenzCord.exe
2044	WenzCord.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1816	PING.EXE
2132	PING.EXE
2840	PING.EXE
2956	PING.EXE
2904	PING.EXE
2052	PING.EXE
2092	PING.EXE
2356	PING.EXE
2328	PING.EXE
1860	PING.EXE
2332	PING.EXE
1848	PING.EXE
2704	PING.EXE
2408	PING.EXE
2852	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2356	PING.EXE
2132	PING.EXE
2852	PING.EXE
2052	PING.EXE
2408	PING.EXE
2332	PING.EXE
1816	PING.EXE
1848	PING.EXE
2956	PING.EXE
2704	PING.EXE
2328	PING.EXE
1860	PING.EXE
2904	PING.EXE
2092	PING.EXE
2840	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1080	schtasks.exe
1708	schtasks.exe
2992	schtasks.exe
2720	schtasks.exe
1720	schtasks.exe
2712	schtasks.exe
1512	schtasks.exe
2968	schtasks.exe
2872	schtasks.exe
2136	schtasks.exe
2044	schtasks.exe
2336	schtasks.exe
652	schtasks.exe
2740	schtasks.exe
2236	schtasks.exe
2884	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1528	WenzCord.exe
Token: SeDebugPrivilege	1200	WenzCord.exe
Token: SeDebugPrivilege	2908	WenzCord.exe
Token: SeDebugPrivilege	664	WenzCord.exe
Token: SeDebugPrivilege	2132	WenzCord.exe
Token: SeDebugPrivilege	1656	WenzCord.exe
Token: SeDebugPrivilege	1364	WenzCord.exe
Token: SeDebugPrivilege	2160	WenzCord.exe
Token: SeDebugPrivilege	2392	WenzCord.exe
Token: SeDebugPrivilege	1256	WenzCord.exe
Token: SeDebugPrivilege	316	WenzCord.exe
Token: SeDebugPrivilege	2256	WenzCord.exe
Token: SeDebugPrivilege	1124	WenzCord.exe
Token: SeDebugPrivilege	968	WenzCord.exe
Token: SeDebugPrivilege	2148	WenzCord.exe
Token: SeDebugPrivilege	2044	WenzCord.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 1512	1528	WenzCord.exe	30
PID 1528 wrote to memory of 1512	1528	WenzCord.exe	30
PID 1528 wrote to memory of 1512	1528	WenzCord.exe	30
PID 1528 wrote to memory of 1200	1528	WenzCord.exe	32
PID 1528 wrote to memory of 1200	1528	WenzCord.exe	32
PID 1528 wrote to memory of 1200	1528	WenzCord.exe	32
PID 1200 wrote to memory of 2044	1200	WenzCord.exe	33
PID 1200 wrote to memory of 2044	1200	WenzCord.exe	33
PID 1200 wrote to memory of 2044	1200	WenzCord.exe	33
PID 1200 wrote to memory of 3008	1200	WenzCord.exe	35
PID 1200 wrote to memory of 3008	1200	WenzCord.exe	35
PID 1200 wrote to memory of 3008	1200	WenzCord.exe	35
PID 3008 wrote to memory of 2820	3008	cmd.exe	37
PID 3008 wrote to memory of 2820	3008	cmd.exe	37
PID 3008 wrote to memory of 2820	3008	cmd.exe	37
PID 3008 wrote to memory of 2840	3008	cmd.exe	38
PID 3008 wrote to memory of 2840	3008	cmd.exe	38
PID 3008 wrote to memory of 2840	3008	cmd.exe	38
PID 3008 wrote to memory of 2908	3008	cmd.exe	39
PID 3008 wrote to memory of 2908	3008	cmd.exe	39
PID 3008 wrote to memory of 2908	3008	cmd.exe	39
PID 2908 wrote to memory of 2968	2908	WenzCord.exe	40
PID 2908 wrote to memory of 2968	2908	WenzCord.exe	40
PID 2908 wrote to memory of 2968	2908	WenzCord.exe	40
PID 2908 wrote to memory of 2628	2908	WenzCord.exe	42
PID 2908 wrote to memory of 2628	2908	WenzCord.exe	42
PID 2908 wrote to memory of 2628	2908	WenzCord.exe	42
PID 2628 wrote to memory of 2680	2628	cmd.exe	44
PID 2628 wrote to memory of 2680	2628	cmd.exe	44
PID 2628 wrote to memory of 2680	2628	cmd.exe	44
PID 2628 wrote to memory of 2704	2628	cmd.exe	45
PID 2628 wrote to memory of 2704	2628	cmd.exe	45
PID 2628 wrote to memory of 2704	2628	cmd.exe	45
PID 2628 wrote to memory of 664	2628	cmd.exe	47
PID 2628 wrote to memory of 664	2628	cmd.exe	47
PID 2628 wrote to memory of 664	2628	cmd.exe	47
PID 664 wrote to memory of 2884	664	WenzCord.exe	48
PID 664 wrote to memory of 2884	664	WenzCord.exe	48
PID 664 wrote to memory of 2884	664	WenzCord.exe	48
PID 664 wrote to memory of 1272	664	WenzCord.exe	50
PID 664 wrote to memory of 1272	664	WenzCord.exe	50
PID 664 wrote to memory of 1272	664	WenzCord.exe	50
PID 1272 wrote to memory of 2616	1272	cmd.exe	52
PID 1272 wrote to memory of 2616	1272	cmd.exe	52
PID 1272 wrote to memory of 2616	1272	cmd.exe	52
PID 1272 wrote to memory of 2956	1272	cmd.exe	53
PID 1272 wrote to memory of 2956	1272	cmd.exe	53
PID 1272 wrote to memory of 2956	1272	cmd.exe	53
PID 1272 wrote to memory of 2132	1272	cmd.exe	54
PID 1272 wrote to memory of 2132	1272	cmd.exe	54
PID 1272 wrote to memory of 2132	1272	cmd.exe	54
PID 2132 wrote to memory of 2336	2132	WenzCord.exe	55
PID 2132 wrote to memory of 2336	2132	WenzCord.exe	55
PID 2132 wrote to memory of 2336	2132	WenzCord.exe	55
PID 2132 wrote to memory of 2056	2132	WenzCord.exe	57
PID 2132 wrote to memory of 2056	2132	WenzCord.exe	57
PID 2132 wrote to memory of 2056	2132	WenzCord.exe	57
PID 2056 wrote to memory of 2348	2056	cmd.exe	59
PID 2056 wrote to memory of 2348	2056	cmd.exe	59
PID 2056 wrote to memory of 2348	2056	cmd.exe	59
PID 2056 wrote to memory of 2328	2056	cmd.exe	60
PID 2056 wrote to memory of 2328	2056	cmd.exe	60
PID 2056 wrote to memory of 2328	2056	cmd.exe	60
PID 2056 wrote to memory of 1656	2056	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\WenzCord.exe
"C:\Users\Admin\AppData\Local\Temp\WenzCord.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1512
- C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2044
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\iSpxQjwxiURw.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2820
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2840
  - - C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2968
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\C5V2FuTGZHNC.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2628
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2680
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2704
      - C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2884
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7uYmG5jQScFu.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2616
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2956
        
        C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2336
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NPysaX9p1p1I.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2348
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2328
        
        C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1080
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\apJffjAAK24j.bat" "
        11⤵
        
        PID:1996
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1500
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1860
        
        C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1708
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Lh5V4kiyByDG.bat" "
        13⤵
        
        PID:2612
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1284
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2408
        
        C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:652
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\URVhEisfNTlu.bat" "
        15⤵
        
        PID:2372
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:948
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2332
        
        C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2740
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\b3EagoCDRVt4.bat" "
        17⤵
        
        PID:2340
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2792
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2852
        
        C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2872
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\isAwX2mmZVMm.bat" "
        19⤵
        
        PID:2696
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:888
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1816
        
        C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2992
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lg4ZHTPVa200.bat" "
        21⤵
        
        PID:2320
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1576
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1848
        
        C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2720
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jmalXOrGt70h.bat" "
        23⤵
        
        PID:2244
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2156
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2132
        
        C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2136
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nFJaPqyAahHT.bat" "
        25⤵
        
        PID:1144
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1136
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2904
        
        C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:968
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1720
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\9LRqWN8xY8PX.bat" "
        27⤵
        
        PID:2212
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2440
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2052
        
        C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2236
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VWfZjTy3Bs9k.bat" "
        29⤵
        
        PID:2588
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2716
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2092
        
        C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2712
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\h14N0HUmHopU.bat" "
        31⤵
        
        PID:2312
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:1696
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7uYmG5jQScFu.bat

Filesize
209B

MD5
689253b8c88aa85b867b46951983781c

SHA1
e3a3812689f8d9d747c75cc34e5c9a11fd3811d6

SHA256
e66e71e521a03ad736121dfbccdd820427107ee115bd8a5d35cc7f53166a7b25

SHA512
9f588b64da21f361096bbcce89c1e7b593ea58ed9ccacb83b8858102da885a0876efa2765d680f1a90f873277e6e71709a4aa81910536f416455ba2aedf99bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\9LRqWN8xY8PX.bat

Filesize
209B

MD5
619df0b38673c3d57554805cfab592ca

SHA1
8db1e68bd0ec6dca21a027e84600838dd9cae589

SHA256
be973d27ec9ca02156f84c8da347a2db528e237f68834b82f6d29ca64392820b

SHA512
e3ad920e1297e5838b9ec1b452387c03bf04b22bc9b3d942b54674f8cc7f369acd3fe93f2b6c04ac70cf4cd2b6b9aa299cfffeccda093f3ac1fb51d629d1b87a

Download Submit
C:\Users\Admin\AppData\Local\Temp\C5V2FuTGZHNC.bat

Filesize
209B

MD5
6a280b0fed34ba4e2370e4a265b8368a

SHA1
65d1c0ab7203722e8b5b79719f725d8377e2923d

SHA256
0171aa77421d1201a3281f02defdbd162dd3c87c4d2dcfac9a34161b0d80886e

SHA512
71fa5f000fbb4ef0152edd18502274e0a88e3b54c4280bf558527e8c8c2eac8f8e2d4167dec99234e756e2b0051d0d43a68cab2b140b014250a176e3cb6e360c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lh5V4kiyByDG.bat

Filesize
209B

MD5
06c2727757c617e214f1ec514378c2b9

SHA1
3a052aec7cb43994d793ac37957e5726981d50f9

SHA256
01be643fe75ce99e1c0bb3ab106e45e9779ff840118735f45566ecc6eae609e4

SHA512
9a199ae45a30dfc0f559d38946c4506311ceb599a5b15c0f0752cd818dfd730b5082f9fd5a96b6905dc97392cd381ef7da7cfebb6f75be952ecadf1cab8f1f50

Download Submit
C:\Users\Admin\AppData\Local\Temp\NPysaX9p1p1I.bat

Filesize
209B

MD5
f6b8b59a4a1c6f361fe36806fc0bfdd1

SHA1
daf7040add461b171a31ab88e1b6c63ad007bc67

SHA256
0530ca71f2e059c345354e0e7cd9c5b126e07ddcec3a78dd44915cbea8d98840

SHA512
9a016f713c8e6d305a7207816f48600bc8ccd78b00b7ea28dabbb1d786b40a5d082252e5f2615a8a835773a2bba0daa3c98e072290c2662eb80177c47b1e6318

Download Submit
C:\Users\Admin\AppData\Local\Temp\URVhEisfNTlu.bat

Filesize
209B

MD5
3ac90bfdef1ea22166bb983242dc6f6b

SHA1
c3e54d2ebdb6151171b734d044276dd440193f4b

SHA256
1cc4ef69323cc9cdbbbc6c70cc1cde7496fc71c5261563477022a0e213dd508c

SHA512
e5fb279c58a690b7a10879a3f73d05b87a3a46f022280c527f73b286356cee7f17658fe2a3ff96667d7978c4129b974986f82e42ba8aa18dbe49dfe62973314a

Download Submit
C:\Users\Admin\AppData\Local\Temp\VWfZjTy3Bs9k.bat

Filesize
209B

MD5
3d46dc55f7e8786d369ba18dfd454d29

SHA1
1dcbd6e4da1c4af039777e48f9d22f32431a22d4

SHA256
2000da644af8814e2af8edf531b327d5380fa6a75308780dbbfa4754b7776c4f

SHA512
622bea2d44e0f330a4d5a7fbf84ec79d9f96a2177ab0310b3a6db4d6c2bfacf2496df90838b004a460549170c5c2587a23e3ea3280bebabc829efc42c215b58b

Download Submit
C:\Users\Admin\AppData\Local\Temp\apJffjAAK24j.bat

Filesize
209B

MD5
b047b8d1fba9ea3df07e0cb277fe5898

SHA1
2ab07bc2be69bf9ec001028ffa91d9ad5efa97a5

SHA256
22f3216724163988d744990d036e35dbbbf1bc97a86fe395f23dca4b3818e5d2

SHA512
e46f276e5898fe251d71ba30c067c38e9a2be896004bee64f7716bb0f889137fee2aa39c02d08c8469f95438cf633ffb01856001ac98b28185b1cacd062070e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3EagoCDRVt4.bat

Filesize
209B

MD5
40f102433b66592e065b161c87deede4

SHA1
90d2bfb5168c1d14e2e4839c377ec9618f75d724

SHA256
18967a6f25da283d4596efd432d7eff18dc8185c4ffd3b9a5779b59b5a8cfa45

SHA512
6fe6e0a23e87a5c410dd330cda6ad2685ad3fac26459077a93b7d6bb6981525b5b9bf06920207d2a32c9ae343cd1c24764bf4fcf9d2f80e3ffd1fa8904f7eccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\h14N0HUmHopU.bat

Filesize
209B

MD5
4b61f649ee753098c3ed919c11740259

SHA1
098ed5fce51683205fec7939af8ae3c315caa4c1

SHA256
c89e73521dbbd47074845b4fcaf87fa67581cacdd4cfeea518fe7be0987b2ecc

SHA512
f974116f380b808d010ae27b675595b037ba1074adfb9bc2d2f25c5176144167a7729c93121ac41a916d0abec6809b0aea81c23f9d7fc6be185aed7d99abe432

Download Submit
C:\Users\Admin\AppData\Local\Temp\iSpxQjwxiURw.bat

Filesize
209B

MD5
da7a4522ba534555a9c5aa8da7f6b6c3

SHA1
693e50952fe075d2220f85216c31503bd4c85b64

SHA256
d63207d8e74728d5be2d86982ceb84e5f5aa8efaf1a60be185543d741880c475

SHA512
25ac92e6849b3ce4b044fb86f0f383f33048764702d1a77d40a2a88060fae95ec07fcef5d17e4865c14d06bca409ba025cf0b617cf5e3728aa7a1cf05e5512c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\isAwX2mmZVMm.bat

Filesize
209B

MD5
130207617a734cace94f958cdd514210

SHA1
789d39a2551056f88d6fc40b07a88d313c795bfe

SHA256
1a27140caa7ffa9e4bc56c420c1a7fb824cf6aaca8e6873c381d7bdc31ef37e6

SHA512
5d54020b60c42e6156be01c887d6ecc7c9a43e22a50bf8501da80651c411796acfc8bab30b2586019d06a6424fc2cdb392d6f0f77c78f5f329c9b8e0a054c63e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jmalXOrGt70h.bat

Filesize
209B

MD5
4985f9806c05382190e4bf19abc9292e

SHA1
d9bf09718f104c99c79d8861dc54a29ff019bea2

SHA256
7e453a20f05c13ad9a34f810f1ed24df59535c9d964f97dd337d0d039c70dd85

SHA512
672215b7ac2f6deac6a031ba454cc888ffb786a1bce410941fb9bd6c52f52354ef24229ebcd7ae9986b107b392b48670167422d49c5c84b8cd7e494e9ebd319f

Download Submit
C:\Users\Admin\AppData\Local\Temp\lg4ZHTPVa200.bat

Filesize
209B

MD5
556a09aa8471420f4188f5860375bf74

SHA1
6fa3d5e4dd24f0794f816be3fc249232a1d04f77

SHA256
a240fc002fdb041e6a9943f00788126d77893575300e9a99f2c7d720d1eb6ac6

SHA512
f2170f7e3771048ebb64a21f5a83df0c23e22055314e804fbc4ffe3bb36ee93dbe3776cc582a5b59280ad21d5403b6965672c39cc14104a8701bf08c1e3d221f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nFJaPqyAahHT.bat

Filesize
209B

MD5
e293a639b2122204f516425bd513a8bb

SHA1
657c0df3d2c0ecdede3372d209999eab3a825f53

SHA256
1736066c1f61fe58e35b05183b98a69c22abf67fb0bc600f630643e13a7d5306

SHA512
bc87ccb2eeb31d4dd2d19f4f34eea661f6a4a7606b518154681dd11f302006d11d9e8706cba82c6fda3eb4cc84ebc64e4b38e055ec6762bd8da37dcb062d108d

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe

Filesize
3.1MB

MD5
f21aa436096afece0b8c39c36bf4a9ab

SHA1
976b74c6a4e59e59a812c06032aae71a0516236a

SHA256
43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10

SHA512
44500988e32db41452e83fcacfba7862fd1cc28ec1992b9040a408f155a5e6b416feb13dcf5afff690c615d51895476239575601cc255ecfb3973597ca13d15b

Download Submit
memory/664-34-0x0000000000200000-0x000000000052A000-memory.dmp

Filesize
3.2MB

Download
memory/1200-10-0x000007FEF5100000-0x000007FEF5AEC000-memory.dmp

Filesize
9.9MB

Download
memory/1200-21-0x000007FEF5100000-0x000007FEF5AEC000-memory.dmp

Filesize
9.9MB

Download
memory/1200-11-0x000007FEF5100000-0x000007FEF5AEC000-memory.dmp

Filesize
9.9MB

Download
memory/1200-8-0x0000000001130000-0x000000000145A000-memory.dmp

Filesize
3.2MB

Download
memory/1256-99-0x0000000000F90000-0x00000000012BA000-memory.dmp

Filesize
3.2MB

Download
memory/1364-66-0x0000000000D30000-0x000000000105A000-memory.dmp

Filesize
3.2MB

Download
memory/1528-9-0x000007FEF5100000-0x000007FEF5AEC000-memory.dmp

Filesize
9.9MB

Download
memory/1528-0-0x000007FEF5103000-0x000007FEF5104000-memory.dmp

Filesize
4KB

Download
memory/1528-2-0x000007FEF5100000-0x000007FEF5AEC000-memory.dmp

Filesize
9.9MB

Download
memory/1528-1-0x0000000000990000-0x0000000000CBA000-memory.dmp

Filesize
3.2MB

Download
memory/2044-163-0x0000000000360000-0x000000000068A000-memory.dmp

Filesize
3.2MB

Download
memory/2132-45-0x0000000000CC0000-0x0000000000FEA000-memory.dmp

Filesize
3.2MB

Download
memory/2148-151-0x00000000000C0000-0x00000000003EA000-memory.dmp

Filesize
3.2MB

Download
memory/2160-78-0x0000000000E90000-0x00000000011BA000-memory.dmp

Filesize
3.2MB

Download
memory/2908-23-0x00000000001B0000-0x00000000004DA000-memory.dmp

Filesize
3.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads