Analysis
max time kernel: 143s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 16-12-2024 06:50
Behavioral task behavioral1: sample WenzCord.exe, resource win7-20240903-en
Behavioral task behavioral2: sample WenzCord.exe, resource win10v2004-20241007-en
General
Target: WenzCord.exe
Size: 3.1MB
MD5: f21aa436096afece0b8c39c36bf4a9ab
SHA1: 976b74c6a4e59e59a812c06032aae71a0516236a
SHA256: 43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10
SHA512: 44500988e32db41452e83fcacfba7862fd1cc28ec1992b9040a408f155a5e6b416feb13dcf5afff690c615d51895476239575601cc255ecfb3973597ca13d15b
SSDEEP: 49152:pvrI22SsaNYfdPBldt698dBcjHKO06CBxDPoGd9THHB72eh2NT:pvU22SsaNYfdPBldt6+dBcjH06O
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: WenzCordRat
C2: nickhill112-22345.portmap.host:22345
Mutex: 7ee1db41-359a-46b2-bba3-791dc7cde5e1
encryption_key: 985DB7D034DB1B5D52F524873569DDDE4080F31C
install_name: WenzCord.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Update.exe
subdirectory: SubDir
Signatures

Quasar family

Quasar payload (16 IoCs)
resource yara_rule
behavioral1/memory/2060-1-0x00000000009F0000-0x0000000000D1A000-memory.dmp family_quasar
behavioral1/files/0x0008000000017525-6.dat family_quasar
behavioral1/memory/796-10-0x0000000000BC0000-0x0000000000EEA000-memory.dmp family_quasar
behavioral1/memory/2748-23-0x0000000000CB0000-0x0000000000FDA000-memory.dmp family_quasar
behavioral1/memory/2040-34-0x00000000000C0000-0x00000000003EA000-memory.dmp family_quasar
behavioral1/memory/2148-45-0x0000000000270000-0x000000000059A000-memory.dmp family_quasar
behavioral1/memory/1096-56-0x0000000000DC0000-0x00000000010EA000-memory.dmp family_quasar
behavioral1/memory/2264-67-0x0000000000080000-0x00000000003AA000-memory.dmp family_quasar
behavioral1/memory/2076-79-0x0000000000990000-0x0000000000CBA000-memory.dmp family_quasar
behavioral1/memory/2552-90-0x0000000000BD0000-0x0000000000EFA000-memory.dmp family_quasar
behavioral1/memory/1840-101-0x0000000000D90000-0x00000000010BA000-memory.dmp family_quasar
behavioral1/memory/2836-112-0x0000000001350000-0x000000000167A000-memory.dmp family_quasar
behavioral1/memory/748-133-0x0000000000180000-0x00000000004AA000-memory.dmp family_quasar
behavioral1/memory/2988-144-0x00000000011D0000-0x00000000014FA000-memory.dmp family_quasar
behavioral1/memory/1588-155-0x00000000002A0000-0x00000000005CA000-memory.dmp family_quasar
behavioral1/memory/2648-166-0x0000000001320000-0x000000000164A000-memory.dmp family_quasar
Executes dropped EXE (15 IoCs)
pid Process
796 WenzCord.exe
2748 WenzCord.exe
2040 WenzCord.exe
2148 WenzCord.exe
1096 WenzCord.exe
2264 WenzCord.exe
2076 WenzCord.exe
2552 WenzCord.exe
1840 WenzCord.exe
2836 WenzCord.exe
3048 WenzCord.exe
748 WenzCord.exe
2988 WenzCord.exe
1588 WenzCord.exe
2648 WenzCord.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 15 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid Process
1816 PING.EXE
2544 PING.EXE
1936 PING.EXE
2724 PING.EXE
920 PING.EXE
2892 PING.EXE
1056 PING.EXE
1332 PING.EXE
2232 PING.EXE
1784 PING.EXE
2896 PING.EXE
2344 PING.EXE
2268 PING.EXE
2072 PING.EXE
2784 PING.EXE
Runs ping.exe (1 TTP, 15 IoCs)
pid Process
2268 PING.EXE
2232 PING.EXE
2784 PING.EXE
2896 PING.EXE
1816 PING.EXE
2724 PING.EXE
1056 PING.EXE
1332 PING.EXE
920 PING.EXE
2892 PING.EXE
1936 PING.EXE
2344 PING.EXE
2072 PING.EXE
1784 PING.EXE
2544 PING.EXE
Scheduled Task/Job: Scheduled Task (1 TTP, 16 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
588 schtasks.exe
2660 schtasks.exe
2548 schtasks.exe
2120 schtasks.exe
2280 schtasks.exe
2296 schtasks.exe
2060 schtasks.exe
1516 schtasks.exe
2500 schtasks.exe
2328 schtasks.exe
840 schtasks.exe
832 schtasks.exe
2268 schtasks.exe
1476 schtasks.exe
1372 schtasks.exe
2212 schtasks.exe
Suspicious use of AdjustPrivilegeToken (16 IoCs)
description pid Process
Token: SeDebugPrivilege 2060 WenzCord.exe
Token: SeDebugPrivilege 796 WenzCord.exe
Token: SeDebugPrivilege 2748 WenzCord.exe
Token: SeDebugPrivilege 2040 WenzCord.exe
Token: SeDebugPrivilege 2148 WenzCord.exe
Token: SeDebugPrivilege 1096 WenzCord.exe
Token: SeDebugPrivilege 2264 WenzCord.exe
Token: SeDebugPrivilege 2076 WenzCord.exe
Token: SeDebugPrivilege 2552 WenzCord.exe
Token: SeDebugPrivilege 1840 WenzCord.exe
Token: SeDebugPrivilege 2836 WenzCord.exe
Token: SeDebugPrivilege 3048 WenzCord.exe
Token: SeDebugPrivilege 748 WenzCord.exe
Token: SeDebugPrivilege 2988 WenzCord.exe
Token: SeDebugPrivilege 1588 WenzCord.exe
Token: SeDebugPrivilege 2648 WenzCord.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description pid Process procid_target
PID 2060 wrote to memory of 588 2060 WenzCord.exe 31
PID 2060 wrote to memory of 588 2060 WenzCord.exe 31
PID 2060 wrote to memory of 588 2060 WenzCord.exe 31
PID 2060 wrote to memory of 796 2060 WenzCord.exe 33
PID 2060 wrote to memory of 796 2060 WenzCord.exe 33
PID 2060 wrote to memory of 796 2060 WenzCord.exe 33
PID 796 wrote to memory of 2660 796 WenzCord.exe 34
PID 796 wrote to memory of 2660 796 WenzCord.exe 34
PID 796 wrote to memory of 2660 796 WenzCord.exe 34
PID 796 wrote to memory of 2680 796 WenzCord.exe 36
PID 796 wrote to memory of 2680 796 WenzCord.exe 36
PID 796 wrote to memory of 2680 796 WenzCord.exe 36
PID 2680 wrote to memory of 2756 2680 cmd.exe 38
PID 2680 wrote to memory of 2756 2680 cmd.exe 38
PID 2680 wrote to memory of 2756 2680 cmd.exe 38
PID 2680 wrote to memory of 2892 2680 cmd.exe 39
PID 2680 wrote to memory of 2892 2680 cmd.exe 39
PID 2680 wrote to memory of 2892 2680 cmd.exe 39
PID 2680 wrote to memory of 2748 2680 cmd.exe 40
PID 2680 wrote to memory of 2748 2680 cmd.exe 40
PID 2680 wrote to memory of 2748 2680 cmd.exe 40
PID 2748 wrote to memory of 2548 2748 WenzCord.exe 41
PID 2748 wrote to memory of 2548 2748 WenzCord.exe 41
PID 2748 wrote to memory of 2548 2748 WenzCord.exe 41
PID 2748 wrote to memory of 3036 2748 WenzCord.exe 43
PID 2748 wrote to memory of 3036 2748 WenzCord.exe 43
PID 2748 wrote to memory of 3036 2748 WenzCord.exe 43
PID 3036 wrote to memory of 1708 3036 cmd.exe 45
PID 3036 wrote to memory of 1708 3036 cmd.exe 45
PID 3036 wrote to memory of 1708 3036 cmd.exe 45
PID 3036 wrote to memory of 1936 3036 cmd.exe 46
PID 3036 wrote to memory of 1936 3036 cmd.exe 46
PID 3036 wrote to memory of 1936 3036 cmd.exe 46
PID 3036 wrote to memory of 2040 3036 cmd.exe 47
PID 3036 wrote to memory of 2040 3036 cmd.exe 47
PID 3036 wrote to memory of 2040 3036 cmd.exe 47
PID 2040 wrote to memory of 2268 2040 WenzCord.exe 48
PID 2040 wrote to memory of 2268 2040 WenzCord.exe 48
PID 2040 wrote to memory of 2268 2040 WenzCord.exe 48
PID 2040 wrote to memory of 1220 2040 WenzCord.exe 50
PID 2040 wrote to memory of 1220 2040 WenzCord.exe 50
PID 2040 wrote to memory of 1220 2040 WenzCord.exe 50
PID 1220 wrote to memory of 3068 1220 cmd.exe 52
PID 1220 wrote to memory of 3068 1220 cmd.exe 52
PID 1220 wrote to memory of 3068 1220 cmd.exe 52
PID 1220 wrote to memory of 1784 1220 cmd.exe 53
PID 1220 wrote to memory of 1784 1220 cmd.exe 53
PID 1220 wrote to memory of 1784 1220 cmd.exe 53
PID 1220 wrote to memory of 2148 1220 cmd.exe 54
PID 1220 wrote to memory of 2148 1220 cmd.exe 54
PID 1220 wrote to memory of 2148 1220 cmd.exe 54
PID 2148 wrote to memory of 1476 2148 WenzCord.exe 55
PID 2148 wrote to memory of 1476 2148 WenzCord.exe 55
PID 2148 wrote to memory of 1476 2148 WenzCord.exe 55
PID 2148 wrote to memory of 2952 2148 WenzCord.exe 57
PID 2148 wrote to memory of 2952 2148 WenzCord.exe 57
PID 2148 wrote to memory of 2952 2148 WenzCord.exe 57
PID 2952 wrote to memory of 3000 2952 cmd.exe 59
PID 2952 wrote to memory of 3000 2952 cmd.exe 59
PID 2952 wrote to memory of 3000 2952 cmd.exe 59
PID 2952 wrote to memory of 2896 2952 cmd.exe 60
PID 2952 wrote to memory of 2896 2952 cmd.exe 60
PID 2952 wrote to memory of 2896 2952 cmd.exe 60
PID 2952 wrote to memory of 1096 2952 cmd.exe 61
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(the bracketed number is the depth of the process in the tree; each entry gives the image path, the command line, the matched signatures and the PID)

[1] C:\Users\Admin\AppData\Local\Temp\WenzCord.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\WenzCord.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2060

[2] C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID: 588

[2] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 796

[3] C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID: 2660

[3] C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\KGKWvV9yJhPO.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 2680

[4] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 2756

[4] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID: 2892

[4] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2748

[5] C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID: 2548

[5] C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\69AN5Mj9w52v.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 3036

[6] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 1708

[6] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID: 1936

[6] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2040

[7] C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID: 2268

[7] C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\cjseCTe8nkwU.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 1220

[8] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 3068

[8] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID: 1784

[8] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2148

[9] C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID: 1476

[9] C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\9yiw8kjumYqZ.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 2952

[10] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 3000

[10] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID: 2896

[10] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 1096

[11] C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID: 2120

[11] C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\kqbD27fRBGMe.bat" "
    PID: 2396

[12] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 1528

[12] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID: 2344

[12] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 2264

[13] C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID: 2280

[13] C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\zwqcg4N1Xnwr.bat" "
    PID: 2368

[14] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 1000

[14] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID: 1816

[14] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 2076

[15] C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID: 2296

[15] C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\f8jkGjrbW7EE.bat" "
    PID: 2308

[16] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 2140

[16] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID: 2724

[16] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 2552

[17] C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID: 2060

[17] C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\pdU8Hkcci5hb.bat" "
    PID: 2692

[18] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 2252

[18] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID: 2544

[18] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 1840

[19] C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID: 1516

[19] C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\8XXJPBpdeU5b.bat" "
    PID: 772

[20] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 2604

[20] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID: 2268

[20] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 2836

[21] C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID: 1372

[21] C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\uENNbAq5oFNN.bat" "
    PID: 848

[22] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 1048

[22] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID: 2072

[22] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 3048

[23] C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID: 2500

[23] C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\VsTdmNVknVgI.bat" "
    PID: 2884

[24] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 900

[24] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID: 1056

[24] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 748

[25] C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID: 840

[25] C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\peMMHbb5DUZJ.bat" "
    PID: 2200

[26] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 2972

[26] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID: 1332

[26] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 2988

[27] C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID: 832

[27] C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\CLEtm8s9SiUP.bat" "
    PID: 1672

[28] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 928

[28] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID: 920

[28] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 1588

[29] C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID: 2212

[29] C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\HzllDMr837Wf.bat" "
    PID: 2440

[30] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 1304

[30] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID: 2232

[30] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 2648

[31] C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID: 2328

[31] C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Sz3OENQ1LTOF.bat" "
    PID: 2044

[32] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 2176

[32] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID: 2784
TTP mapping: MITRE ATT&CK Enterprise v15
Downloads