Analysis
-
max time kernel
149s
-
max time network
150s
-
platform
windows10-2004_x64
-
resource
win10v2004-20241007-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
-
submitted
16-12-2024 06:41
Behavioral task
behavioral1
Sample
WenzCord.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
WenzCord.exe
Resource
win10v2004-20241007-en
General
-
Target
WenzCord.exe
-
Size
3.1MB
-
MD5
f21aa436096afece0b8c39c36bf4a9ab
-
SHA1
976b74c6a4e59e59a812c06032aae71a0516236a
-
SHA256
43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10
-
SHA512
44500988e32db41452e83fcacfba7862fd1cc28ec1992b9040a408f155a5e6b416feb13dcf5afff690c615d51895476239575601cc255ecfb3973597ca13d15b
-
SSDEEP
49152:pvrI22SsaNYfdPBldt698dBcjHKO06CBxDPoGd9THHB72eh2NT:pvU22SsaNYfdPBldt6+dBcjH06O
Malware Config
Extracted
quasar
1.4.1
WenzCordRat
nickhill112-22345.portmap.host:22345
7ee1db41-359a-46b2-bba3-791dc7cde5e1
-
encryption_key
985DB7D034DB1B5D52F524873569DDDE4080F31C
-
install_name
WenzCord.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Update.exe
-
subdirectory
SubDir
Signatures
-
Quasar family
-
Quasar payload 2 IoCs
resource                                                                      yara_rule
behavioral2/memory/3612-1-0x0000000000C80000-0x0000000000FAA000-memory.dmp    family_quasar
behavioral2/files/0x000a000000023c73-6.dat                                    family_quasar
-
Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
description         ioc                                                                                                              Process
Key value queried   \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation   WenzCord.exe
(this identical entry is recorded 15 times in the report, one per IoC)
-
Executes dropped EXE 15 IoCs
pid    Process
1812   WenzCord.exe
1684   WenzCord.exe
3472   WenzCord.exe
1128   WenzCord.exe
1356   WenzCord.exe
3492   WenzCord.exe
3028   WenzCord.exe
1436   WenzCord.exe
4532   WenzCord.exe
1756   WenzCord.exe
1576   WenzCord.exe
3304   WenzCord.exe
552    WenzCord.exe
3808   WenzCord.exe
672    WenzCord.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid    Process
2168   PING.EXE
3064   PING.EXE
5116   PING.EXE
380    PING.EXE
872    PING.EXE
4948   PING.EXE
3532   PING.EXE
4948   PING.EXE
4852   PING.EXE
1112   PING.EXE
2884   PING.EXE
1464   PING.EXE
3536   PING.EXE
924    PING.EXE
540    PING.EXE
-
Runs ping.exe 1 TTPs 15 IoCs
pid    Process
3536   PING.EXE
5116   PING.EXE
2884   PING.EXE
3532   PING.EXE
1464   PING.EXE
4948   PING.EXE
1112   PING.EXE
4852   PING.EXE
4948   PING.EXE
2168   PING.EXE
3064   PING.EXE
540    PING.EXE
380    PING.EXE
872    PING.EXE
924    PING.EXE
-
Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid    Process
3640   schtasks.exe
2152   schtasks.exe
4480   schtasks.exe
220    schtasks.exe
2876   schtasks.exe
5016   schtasks.exe
5048   schtasks.exe
348    schtasks.exe
456    schtasks.exe
2632   schtasks.exe
3988   schtasks.exe
1828   schtasks.exe
4756   schtasks.exe
2424   schtasks.exe
5028   schtasks.exe
2072   schtasks.exe
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
description               pid    Process
Token: SeDebugPrivilege   3612   WenzCord.exe
Token: SeDebugPrivilege   1812   WenzCord.exe
Token: SeDebugPrivilege   1684   WenzCord.exe
Token: SeDebugPrivilege   3472   WenzCord.exe
Token: SeDebugPrivilege   1128   WenzCord.exe
Token: SeDebugPrivilege   1356   WenzCord.exe
Token: SeDebugPrivilege   3492   WenzCord.exe
Token: SeDebugPrivilege   3028   WenzCord.exe
Token: SeDebugPrivilege   1436   WenzCord.exe
Token: SeDebugPrivilege   4532   WenzCord.exe
Token: SeDebugPrivilege   1756   WenzCord.exe
Token: SeDebugPrivilege   1576   WenzCord.exe
Token: SeDebugPrivilege   3304   WenzCord.exe
Token: SeDebugPrivilege   552    WenzCord.exe
Token: SeDebugPrivilege   3808   WenzCord.exe
Token: SeDebugPrivilege   672    WenzCord.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid    Process
3808   WenzCord.exe
672    WenzCord.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description                        pid    Process        procid_target
PID 3612 wrote to memory of 1828   3612   WenzCord.exe   83
PID 3612 wrote to memory of 1828   3612   WenzCord.exe   83
PID 3612 wrote to memory of 1812   3612   WenzCord.exe   85
PID 3612 wrote to memory of 1812   3612   WenzCord.exe   85
PID 1812 wrote to memory of 3640   1812   WenzCord.exe   86
PID 1812 wrote to memory of 3640   1812   WenzCord.exe   86
PID 1812 wrote to memory of 4748   1812   WenzCord.exe   88
PID 1812 wrote to memory of 4748   1812   WenzCord.exe   88
PID 4748 wrote to memory of 4332   4748   cmd.exe        90
PID 4748 wrote to memory of 4332   4748   cmd.exe        90
PID 4748 wrote to memory of 380    4748   cmd.exe        91
PID 4748 wrote to memory of 380    4748   cmd.exe        91
PID 4748 wrote to memory of 1684   4748   cmd.exe        101
PID 4748 wrote to memory of 1684   4748   cmd.exe        101
PID 1684 wrote to memory of 2152   1684   WenzCord.exe   102
PID 1684 wrote to memory of 2152   1684   WenzCord.exe   102
PID 1684 wrote to memory of 4020   1684   WenzCord.exe   105
PID 1684 wrote to memory of 4020   1684   WenzCord.exe   105
PID 4020 wrote to memory of 4236   4020   cmd.exe        107
PID 4020 wrote to memory of 4236   4020   cmd.exe        107
PID 4020 wrote to memory of 1464   4020   cmd.exe        108
PID 4020 wrote to memory of 1464   4020   cmd.exe        108
PID 4020 wrote to memory of 3472   4020   cmd.exe        114
PID 4020 wrote to memory of 3472   4020   cmd.exe        114
PID 3472 wrote to memory of 4480   3472   WenzCord.exe   115
PID 3472 wrote to memory of 4480   3472   WenzCord.exe   115
PID 3472 wrote to memory of 3408   3472   WenzCord.exe   118
PID 3472 wrote to memory of 3408   3472   WenzCord.exe   118
PID 3408 wrote to memory of 2072   3408   cmd.exe        120
PID 3408 wrote to memory of 2072   3408   cmd.exe        120
PID 3408 wrote to memory of 872    3408   cmd.exe        121
PID 3408 wrote to memory of 872    3408   cmd.exe        121
PID 3408 wrote to memory of 1128   3408   cmd.exe        124
PID 3408 wrote to memory of 1128   3408   cmd.exe        124
PID 1128 wrote to memory of 4756   1128   WenzCord.exe   125
PID 1128 wrote to memory of 4756   1128   WenzCord.exe   125
PID 1128 wrote to memory of 3068   1128   WenzCord.exe   128
PID 1128 wrote to memory of 3068   1128   WenzCord.exe   128
PID 3068 wrote to memory of 3340   3068   cmd.exe        131
PID 3068 wrote to memory of 3340   3068   cmd.exe        131
PID 3068 wrote to memory of 3536   3068   cmd.exe        132
PID 3068 wrote to memory of 3536   3068   cmd.exe        132
PID 3068 wrote to memory of 1356   3068   cmd.exe        133
PID 3068 wrote to memory of 1356   3068   cmd.exe        133
PID 1356 wrote to memory of 5016   1356   WenzCord.exe   134
PID 1356 wrote to memory of 5016   1356   WenzCord.exe   134
PID 1356 wrote to memory of 3624   1356   WenzCord.exe   137
PID 1356 wrote to memory of 3624   1356   WenzCord.exe   137
PID 3624 wrote to memory of 3956   3624   cmd.exe        139
PID 3624 wrote to memory of 3956   3624   cmd.exe        139
PID 3624 wrote to memory of 4948   3624   cmd.exe        140
PID 3624 wrote to memory of 4948   3624   cmd.exe        140
PID 3624 wrote to memory of 3492   3624   cmd.exe        141
PID 3624 wrote to memory of 3492   3624   cmd.exe        141
PID 3492 wrote to memory of 2424   3492   WenzCord.exe   142
PID 3492 wrote to memory of 2424   3492   WenzCord.exe   142
PID 3492 wrote to memory of 5020   3492   WenzCord.exe   145
PID 3492 wrote to memory of 5020   3492   WenzCord.exe   145
PID 5020 wrote to memory of 3620   5020   cmd.exe        147
PID 5020 wrote to memory of 3620   5020   cmd.exe        147
PID 5020 wrote to memory of 924    5020   cmd.exe        148
PID 5020 wrote to memory of 924    5020   cmd.exe        148
PID 5020 wrote to memory of 3028   5020   cmd.exe        150
PID 5020 wrote to memory of 3028   5020   cmd.exe        150
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(each entry: [depth in the process tree] image path (PID), then the command line and the signatures that process triggered)
-
[1] C:\Users\Admin\AppData\Local\Temp\WenzCord.exe (PID 3612)
    "C:\Users\Admin\AppData\Local\Temp\WenzCord.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[2] C:\Windows\SYSTEM32\schtasks.exe (PID 1828)
    "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[2] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe (PID 1812)
    "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[3] C:\Windows\SYSTEM32\schtasks.exe (PID 3640)
    "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[3] C:\Windows\system32\cmd.exe (PID 4748)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Myzzt5GhEHDE.bat" "
    - Suspicious use of WriteProcessMemory
[4] C:\Windows\system32\chcp.com (PID 4332)
    chcp 65001
[4] C:\Windows\system32\PING.EXE (PID 380)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[4] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe (PID 1684)
    "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[5] C:\Windows\SYSTEM32\schtasks.exe (PID 2152)
    "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[5] C:\Windows\system32\cmd.exe (PID 4020)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oOPBVloFfpY3.bat" "
    - Suspicious use of WriteProcessMemory
[6] C:\Windows\system32\chcp.com (PID 4236)
    chcp 65001
[6] C:\Windows\system32\PING.EXE (PID 1464)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[6] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe (PID 3472)
    "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[7] C:\Windows\SYSTEM32\schtasks.exe (PID 4480)
    "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[7] C:\Windows\system32\cmd.exe (PID 3408)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4VuKhIhPbeay.bat" "
    - Suspicious use of WriteProcessMemory
[8] C:\Windows\system32\chcp.com (PID 2072)
    chcp 65001
[8] C:\Windows\system32\PING.EXE (PID 872)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[8] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe (PID 1128)
    "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[9] C:\Windows\SYSTEM32\schtasks.exe (PID 4756)
    "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[9] C:\Windows\system32\cmd.exe (PID 3068)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2Crt5fOh39Xd.bat" "
    - Suspicious use of WriteProcessMemory
[10] C:\Windows\system32\chcp.com (PID 3340)
    chcp 65001
[10] C:\Windows\system32\PING.EXE (PID 3536)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[10] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe (PID 1356)
    "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[11] C:\Windows\SYSTEM32\schtasks.exe (PID 5016)
    "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[11] C:\Windows\system32\cmd.exe (PID 3624)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G3z9KvMhrgY3.bat" "
    - Suspicious use of WriteProcessMemory
[12] C:\Windows\system32\chcp.com (PID 3956)
    chcp 65001
[12] C:\Windows\system32\PING.EXE (PID 4948)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[12] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe (PID 3492)
    "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[13] C:\Windows\SYSTEM32\schtasks.exe (PID 2424)
    "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[13] C:\Windows\system32\cmd.exe (PID 5020)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SV5MQ65lgBRL.bat" "
    - Suspicious use of WriteProcessMemory
[14] C:\Windows\system32\chcp.com (PID 3620)
    chcp 65001
[14] C:\Windows\system32\PING.EXE (PID 924)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[14] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe (PID 3028)
    "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[15] C:\Windows\SYSTEM32\schtasks.exe (PID 5028)
    "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[15] C:\Windows\system32\cmd.exe (PID 5040)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lY5TyXMKWOjr.bat" "
[16] C:\Windows\system32\chcp.com (PID 2304)
    chcp 65001
[16] C:\Windows\system32\PING.EXE (PID 4852)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[16] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe (PID 1436)
    "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[17] C:\Windows\SYSTEM32\schtasks.exe (PID 2072)
    "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[17] C:\Windows\system32\cmd.exe (PID 2876)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tlFMMFsetEbz.bat" "
[18] C:\Windows\system32\chcp.com (PID 1836)
    chcp 65001
[18] C:\Windows\system32\PING.EXE (PID 1112)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[18] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe (PID 4532)
    "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[19] C:\Windows\SYSTEM32\schtasks.exe (PID 456)
    "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[19] C:\Windows\system32\cmd.exe (PID 1488)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TVYmvHEPEivM.bat" "
[20] C:\Windows\system32\chcp.com (PID 4296)
    chcp 65001
[20] C:\Windows\system32\PING.EXE (PID 2884)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[20] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe (PID 1756)
    "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[21] C:\Windows\SYSTEM32\schtasks.exe (PID 2632)
    "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[21] C:\Windows\system32\cmd.exe (PID 4908)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2WD79luTW3TV.bat" "
[22] C:\Windows\system32\chcp.com (PID 4336)
    chcp 65001
[22] C:\Windows\system32\PING.EXE (PID 4948)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[22] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe (PID 1576)
    "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[23] C:\Windows\SYSTEM32\schtasks.exe (PID 5048)
    "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[23] C:\Windows\system32\cmd.exe (PID 64)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uA6G2GoStdg5.bat" "
[24] C:\Windows\system32\chcp.com (PID 2348)
    chcp 65001
[24] C:\Windows\system32\PING.EXE (PID 2168)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[24] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe (PID 3304)
    "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[25] C:\Windows\SYSTEM32\schtasks.exe (PID 220)
    "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[25] C:\Windows\system32\cmd.exe (PID 4268)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\I1Y7wvCP7tHO.bat" "
[26] C:\Windows\system32\chcp.com (PID 2772)
    chcp 65001
[26] C:\Windows\system32\PING.EXE (PID 3064)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[26] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe (PID 552)
    "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[27] C:\Windows\SYSTEM32\schtasks.exe (PID 348)
    "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[27] C:\Windows\system32\cmd.exe (PID 4292)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YieHjeGPVP1I.bat" "
[28] C:\Windows\system32\chcp.com (PID 4552)
    chcp 65001
[28] C:\Windows\system32\PING.EXE (PID 5116)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[28] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe (PID 3808)
    "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
[29] C:\Windows\SYSTEM32\schtasks.exe (PID 2876)
    "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[29] C:\Windows\system32\cmd.exe (PID 4532)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7JbNPUjDasLM.bat" "
[30] C:\Windows\system32\chcp.com (PID 2636)
    chcp 65001
[30] C:\Windows\system32\PING.EXE (PID 540)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[30] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe (PID 672)
    "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
[31] C:\Windows\SYSTEM32\schtasks.exe (PID 3988)
    "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[31] C:\Windows\system32\cmd.exe (PID 2700)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lGccZb7whwQH.bat" "
[32] C:\Windows\system32\chcp.com (PID 2608)
    chcp 65001
[32] C:\Windows\system32\PING.EXE (PID 3532)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5
baf55b95da4a601229647f25dad12878
SHA1
abc16954ebfd213733c4493fc1910164d825cac8
SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
209B
MD5
63b75612cf802786b4083118b2ddd261
SHA1
245846e142a8834565d6e850100e1865fe965efc
SHA256
4b3d3c8e84d0c55f42758bfe8982416280ac7fa16e2da7168775f08f7a5b554c
SHA512
0c04f597fba7229be6bfadbd979f59e469bfcfe3ebd5694c49cfe7a64f7fa541d59bb91704a37bbbe2b950552263e7608a4c4981e38524b72f55998afac3f61b
-
Filesize
209B
MD5
ab08b2db251af267e3aee18916d719f4
SHA1
9375d4b80a1a7c3ec5c0c4ea4f4874caecb9a31c
SHA256
af9ab12faaa26db04fc337765d47000c2e996c024065aaf4bf119e43b73d1fd8
SHA512
56584f3fa1a68f31a4086babd396c3f0d89f43cb8ad16c4f5080c1a05965b3caed9cca15844a66e7884170a8ef9d2adb6abe0078a8155693d27384d93813358c
-
Filesize
209B
MD5
3b0774f82b690fbce477d7229ea1c9a5
SHA1
5826a488f6ff69c4620ba5546e1d3a04f32c5fcf
SHA256
be018832689c687c756fffddfcb0d38c9ebbc4441817f402c8c5f5413f6b167e
SHA512
5d8524b13b0a1167a67eb67e93ca8adc9faa31efac808ad161b542d99442fc450de159964f014fbae598efb834f98b0dcb31927f94ee0e8518f7508d5ef83b67
-
Filesize
209B
MD5
be8c84589970ec8a826f0c5dad1672f1
SHA1
7804554301498b214a56cc63c19143f4d63714f4
SHA256
e9090a0c54708b73f09081422c7bca211f3a0decc732de13c2de3322158ff166
SHA512
62904a690a0e8630aece325c6b022bfb95eede92ca732fed293e9b707e1dc34d831840541e42daa6329a0f7d4ba1bce3720793786ec8ff266a27f9e5c359db82
-
Filesize
209B
MD5
a43ccd10960e73e6889b898922086f09
SHA1
3e8d3af231f452bf01c3c00c85cd0a28caeda230
SHA256
a5843c835eade76931955a49bda5a5b5033b8154a8d44f3d8633c346a637e53a
SHA512
674b22c18ea51a3f089ddc97af6fbf6d8d7a1658632b5722bebff9d393df7532e6535af14ecc608751a46b396312766585275a18c0a64efd924ad68a6377e014
-
Filesize
209B
MD5
ec740df0057fc8da5a2797d655dabfe7
SHA1
700014a557cc33efecd66f4ec602e2c3dfd36fc2
SHA256
2196e40cbb4948d194d3346f32c74f49641284f98b9c716384b24d6aef49ea55
SHA512
ebc4b63ba50b2f67777e6ca0ea2d2493d83236ac300e8e113d169d6784d64af471c3fac4201c143491fce35e2d561a4ad01724a093f9ac10323fc78865df9062
-
Filesize
209B
MD5
7698e9a6c5ede5b0f5f09c53abf572e5
SHA1
aa45cd9ade4b9a029fe8d9d0573df6be4102cf42
SHA256
acacac8cb789601a556fa14415f03ca0fdb77563461e1dfca30104d4685888d0
SHA512
ccd49fcb791b2e503ec7706ebf307224376f92ef0b0aa97c77f9c4aa679d3ca0cea2cbc60ec9acc44412de0dada0e3ac8bed3dbb85ffee249c904ca79daf7857
-
Filesize
209B
MD5
1f52b4a9119d472d0ad72820df3e4213
SHA1
8fc76e35caa52491cec30b4c53669aa117952546
SHA256
b658b4f3f60157f34d9abf83b17ee9ca1b887da5fa0b24c1bc5a70a5f23dc71a
SHA512
4e94215b98b46a3799c87a68d6d5cf1ea9f7f0100e87919ec1a208b3bc1550d8e6042b9efa9a930811bb6f844a9abbee4131c098e473b577084ff94a9754109e
-
Filesize
209B
MD5
5f372269ed15df54c97d52a79d36cc4b
SHA1
5de0f4e2f8139aa55806014f50a3f36986a17293
SHA256
5db806484485569e81826cd5f48b6530f60e5ee1da8d1895156fd04ee9d8c457
SHA512
057f2668672b35888d17f7035240a119b4e2de5b729ccf88fbca41c1e5be460f7297b07b651e6b4c6aa6664f537c778f2fbb530b09a61e4c6e266214da6b5c24
-
Filesize
209B
MD5
5ff65acba737bc4e24352835ac431a0d
SHA1
3d3dca1ffcd8ef1242aed7da5ebcc5e088934697
SHA256
debc19e9c15f5d92b3d031b6fa593d4e0dd5bd25a8658887d440dae3d25f3776
SHA512
d01c6bc33b5dd78e53753ecfb3df8a9ff5bbccb3a026edca8e2e987e5a62ce2f77918fc5a73e6c4a041c665de40baf25908109e10fe9bab99bf7e4484244972b
-
Filesize
209B
MD5
0989ae191ef0fb17823f01a222a95017
SHA1
e8968847c1d9d5f76df5797b70c24fdf40485ea2
SHA256
db57893114a3e09ce735e9d77ae37221ed3dd43384b0756d7d7e850129682881
SHA512
69e9d122b428002dea19ee94233bfe4aacd61209e00a3afaf73763d55a391706d6fad1631a5f5e2d67da0730eda3827974a16f1430d618aff61723997b96910d
-
Filesize
209B
MD5
c8e5ad913a4b6417692ba5f644533b87
SHA1
c1ee6aef38e0063845792067bf4ca3395bcfa332
SHA256
5ffc1f832cb15a73676cba314b0eab0a8254879dd26b302db24f4f0606e84290
SHA512
e688f1ccfe8407dea88e15323d1a4fb71eb2f81222b8cad8e8c4638692734c9bbab182bc233283b54755a6b4fdc12372cb81a039ffd725a1b439509191e825c7
-
Filesize
209B
MD5
7fa5159c5641f61dde349c9182fe89e7
SHA1
fd36921b903144f068459a6a8cccf8440c931606
SHA256
5eb1698ace21b47467a71f25c75509a5fd97587d51318040d1d8c1c464ed638a
SHA512
ccb1fc01b101b5f563e0fe22dceea81ef9ed51fb0ea59681d875cb00175753fa02908e08ab88812d6463ca2f14a196cccf3368849c91e928bd49e0f5f67ba9ff
-
Filesize
209B
MD5
bf17eec089ca586353280027e373bc9a
SHA1
a8425649e7575a52900b8f4d5e7c7afec8e881ed
SHA256
49d66856c98eafd2f3f52f9823cdb7b124ebc6401e1c660238872d4febbb0984
SHA512
919d217c6f923d9f39acafa7e84d4d38ac019d98a7a97b857926d8dbf33e344828a4f8d9438c8a958a300e24a9d1542a045e289438d9df2e8ee12a3ebbc2c6ce
-
Filesize
209B
MD5
e73d2991f568a461eaccf9da3f976bb9
SHA1
e26913a4d524d19ee353767a54725cd90686ea18
SHA256
bf182dd000b1d0181802db89079598950f94b66b04321ce03112684b7fc2cdfa
SHA512
e3a036dd360a6891eefb495f214c8af8f7850ce50b30cd7794f02d41fb90e63c429ab74fad82bbb984b6b435da71f5fd821b77b60b759fda34f58032cad287d9
-
Filesize
3.1MB
MD5
f21aa436096afece0b8c39c36bf4a9ab
SHA1
976b74c6a4e59e59a812c06032aae71a0516236a
SHA256
43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10
SHA512
44500988e32db41452e83fcacfba7862fd1cc28ec1992b9040a408f155a5e6b416feb13dcf5afff690c615d51895476239575601cc255ecfb3973597ca13d15b