quasar | 43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10.exe
Size

3.1MB
MD5

f21aa436096afece0b8c39c36bf4a9ab
SHA1

976b74c6a4e59e59a812c06032aae71a0516236a
SHA256

43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10
SHA512

44500988e32db41452e83fcacfba7862fd1cc28ec1992b9040a408f155a5e6b416feb13dcf5afff690c615d51895476239575601cc255ecfb3973597ca13d15b
SSDEEP

49152:pvrI22SsaNYfdPBldt698dBcjHKO06CBxDPoGd9THHB72eh2NT:pvU22SsaNYfdPBldt6+dBcjH06O

Score

10^/10

quasar wenzcordrat discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

WenzCordRat

nickhill112-22345.portmap.host:22345

Mutex

7ee1db41-359a-46b2-bba3-791dc7cde5e1

Attributes

encryption_key
985DB7D034DB1B5D52F524873569DDDE4080F31C
install_name
WenzCord.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Update.exe
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/3528-1-0x0000000000410000-0x000000000073A000-memory.dmp	family_quasar
behavioral2/files/0x000a000000023b71-6.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WenzCord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WenzCord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WenzCord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WenzCord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WenzCord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WenzCord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WenzCord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WenzCord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WenzCord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WenzCord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WenzCord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WenzCord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WenzCord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WenzCord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WenzCord.exe

Executes dropped EXE 15 IoCs

pid	Process
1776	WenzCord.exe
1952	WenzCord.exe
3680	WenzCord.exe
4008	WenzCord.exe
2676	WenzCord.exe
4928	WenzCord.exe
3472	WenzCord.exe
2744	WenzCord.exe
1924	WenzCord.exe
3960	WenzCord.exe
1576	WenzCord.exe
1340	WenzCord.exe
4916	WenzCord.exe
2940	WenzCord.exe
4004	WenzCord.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
760	PING.EXE
828	PING.EXE
2168	PING.EXE
220	PING.EXE
3576	PING.EXE
4760	PING.EXE
376	PING.EXE
3172	PING.EXE
4460	PING.EXE
3564	PING.EXE
4328	PING.EXE
4044	PING.EXE
1728	PING.EXE
1960	PING.EXE
2440	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1960	PING.EXE
4328	PING.EXE
4044	PING.EXE
760	PING.EXE
828	PING.EXE
2440	PING.EXE
220	PING.EXE
3576	PING.EXE
4460	PING.EXE
4760	PING.EXE
2168	PING.EXE
376	PING.EXE
3172	PING.EXE
1728	PING.EXE
3564	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2500	schtasks.exe
2248	schtasks.exe
4592	schtasks.exe
4244	schtasks.exe
4160	schtasks.exe
1384	schtasks.exe
3328	schtasks.exe
4316	schtasks.exe
2632	schtasks.exe
4752	schtasks.exe
3556	schtasks.exe
1248	schtasks.exe
2188	schtasks.exe
3684	schtasks.exe
752	schtasks.exe
4008	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	3528	43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10.exe
Token: SeDebugPrivilege	1776	WenzCord.exe
Token: SeDebugPrivilege	1952	WenzCord.exe
Token: SeDebugPrivilege	3680	WenzCord.exe
Token: SeDebugPrivilege	4008	WenzCord.exe
Token: SeDebugPrivilege	2676	WenzCord.exe
Token: SeDebugPrivilege	4928	WenzCord.exe
Token: SeDebugPrivilege	3472	WenzCord.exe
Token: SeDebugPrivilege	2744	WenzCord.exe
Token: SeDebugPrivilege	1924	WenzCord.exe
Token: SeDebugPrivilege	3960	WenzCord.exe
Token: SeDebugPrivilege	1576	WenzCord.exe
Token: SeDebugPrivilege	1340	WenzCord.exe
Token: SeDebugPrivilege	4916	WenzCord.exe
Token: SeDebugPrivilege	2940	WenzCord.exe
Token: SeDebugPrivilege	4004	WenzCord.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3528 wrote to memory of 4316	3528	43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10.exe	83
PID 3528 wrote to memory of 4316	3528	43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10.exe	83
PID 3528 wrote to memory of 1776	3528	43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10.exe	85
PID 3528 wrote to memory of 1776	3528	43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10.exe	85
PID 1776 wrote to memory of 2632	1776	WenzCord.exe	86
PID 1776 wrote to memory of 2632	1776	WenzCord.exe	86
PID 1776 wrote to memory of 4016	1776	WenzCord.exe	88
PID 1776 wrote to memory of 4016	1776	WenzCord.exe	88
PID 4016 wrote to memory of 1008	4016	cmd.exe	90
PID 4016 wrote to memory of 1008	4016	cmd.exe	90
PID 4016 wrote to memory of 4044	4016	cmd.exe	91
PID 4016 wrote to memory of 4044	4016	cmd.exe	91
PID 4016 wrote to memory of 1952	4016	cmd.exe	93
PID 4016 wrote to memory of 1952	4016	cmd.exe	93
PID 1952 wrote to memory of 4160	1952	WenzCord.exe	94
PID 1952 wrote to memory of 4160	1952	WenzCord.exe	94
PID 1952 wrote to memory of 1812	1952	WenzCord.exe	97
PID 1952 wrote to memory of 1812	1952	WenzCord.exe	97
PID 1812 wrote to memory of 4200	1812	cmd.exe	99
PID 1812 wrote to memory of 4200	1812	cmd.exe	99
PID 1812 wrote to memory of 220	1812	cmd.exe	100
PID 1812 wrote to memory of 220	1812	cmd.exe	100
PID 1812 wrote to memory of 3680	1812	cmd.exe	114
PID 1812 wrote to memory of 3680	1812	cmd.exe	114
PID 3680 wrote to memory of 4752	3680	WenzCord.exe	115
PID 3680 wrote to memory of 4752	3680	WenzCord.exe	115
PID 3680 wrote to memory of 1940	3680	WenzCord.exe	118
PID 3680 wrote to memory of 1940	3680	WenzCord.exe	118
PID 1940 wrote to memory of 3720	1940	cmd.exe	120
PID 1940 wrote to memory of 3720	1940	cmd.exe	120
PID 1940 wrote to memory of 760	1940	cmd.exe	121
PID 1940 wrote to memory of 760	1940	cmd.exe	121
PID 1940 wrote to memory of 4008	1940	cmd.exe	125
PID 1940 wrote to memory of 4008	1940	cmd.exe	125
PID 4008 wrote to memory of 2500	4008	WenzCord.exe	127
PID 4008 wrote to memory of 2500	4008	WenzCord.exe	127
PID 4008 wrote to memory of 2044	4008	WenzCord.exe	130
PID 4008 wrote to memory of 2044	4008	WenzCord.exe	130
PID 2044 wrote to memory of 4740	2044	cmd.exe	132
PID 2044 wrote to memory of 4740	2044	cmd.exe	132
PID 2044 wrote to memory of 3576	2044	cmd.exe	133
PID 2044 wrote to memory of 3576	2044	cmd.exe	133
PID 2044 wrote to memory of 2676	2044	cmd.exe	135
PID 2044 wrote to memory of 2676	2044	cmd.exe	135
PID 2676 wrote to memory of 3684	2676	WenzCord.exe	136
PID 2676 wrote to memory of 3684	2676	WenzCord.exe	136
PID 2676 wrote to memory of 3120	2676	WenzCord.exe	139
PID 2676 wrote to memory of 3120	2676	WenzCord.exe	139
PID 3120 wrote to memory of 2612	3120	cmd.exe	141
PID 3120 wrote to memory of 2612	3120	cmd.exe	141
PID 3120 wrote to memory of 376	3120	cmd.exe	142
PID 3120 wrote to memory of 376	3120	cmd.exe	142
PID 3120 wrote to memory of 4928	3120	cmd.exe	143
PID 3120 wrote to memory of 4928	3120	cmd.exe	143
PID 4928 wrote to memory of 2248	4928	WenzCord.exe	144
PID 4928 wrote to memory of 2248	4928	WenzCord.exe	144
PID 4928 wrote to memory of 4728	4928	WenzCord.exe	147
PID 4928 wrote to memory of 4728	4928	WenzCord.exe	147
PID 4728 wrote to memory of 1772	4728	cmd.exe	149
PID 4728 wrote to memory of 1772	4728	cmd.exe	149
PID 4728 wrote to memory of 3172	4728	cmd.exe	150
PID 4728 wrote to memory of 3172	4728	cmd.exe	150
PID 4728 wrote to memory of 3472	4728	cmd.exe	153
PID 4728 wrote to memory of 3472	4728	cmd.exe	153

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10.exe
"C:\Users\Admin\AppData\Local\Temp\43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4316
- C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9CTRRnmnWdxj.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4016
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1008
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4044
  - - C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1952
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4160
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LK2Txqw9rWhB.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1812
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4200
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:220
      - C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Aosv3TZuofsF.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3720
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:760
        
        C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lHFAXDwByyur.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4740
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3576
        
        C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3684
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\h8ticX28wOJc.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2612
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:376
        
        C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2248
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bDk7aan2T1zu.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1772
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3172
        
        C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3472
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JMsyDQpfuC44.bat" "
        15⤵
        
        PID:2716
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1356
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:828
        
        C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2xGn6bME5NQX.bat" "
        17⤵
        
        PID:3292
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2376
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4460
        
        C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QL1jXQfpFznM.bat" "
        19⤵
        
        PID:4740
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4564
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1728
        
        C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3960
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KrFPcGwe8kd7.bat" "
        21⤵
        
        PID:2420
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3432
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1960
        
        C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1248
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IV5jwX9N8oi6.bat" "
        23⤵
        
        PID:2752
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:4156
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3564
        
        C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AEBo5Ncnxz92.bat" "
        25⤵
        
        PID:3148
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2604
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2168
        
        C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4916
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4244
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Zs2IAftzVSyx.bat" "
        27⤵
        
        PID:2744
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:3644
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2440
        
        C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ifx9g1Oa6BaQ.bat" "
        29⤵
        
        PID:1756
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1656
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4760
        
        C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4004
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2188
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jOsp2tnzkb61.bat" "
        31⤵
        
        PID:3320
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:1884
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WenzCord.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2xGn6bME5NQX.bat

Filesize
209B

MD5
a7760a09ac65a7138a2825af40689c64

SHA1
d42d9e9d97d2e25f1504f105df4f253da1b49a42

SHA256
c04cdbefb6639badae75aa48c8eadce35f2fd760a4cf8b7b400bc7003d341fd3

SHA512
aa29c03352a461d769ffc247aac2e782f6c85a1fd38471b69f35d4ac1f78ab091296b292be6cb4bbb14918851e16dc9caaeab52f047e2840c2516d125d3c73ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\9CTRRnmnWdxj.bat

Filesize
209B

MD5
2fb926ad97dc59c407ee7a0597e15e08

SHA1
892d105db53f1e18f5d7347b90a4e798e0d19503

SHA256
07a47744c87e7abad58104b19ba12c4b2be399a3914adc576480e76265e85ce7

SHA512
151ac65ddc8f6d9c3dd25183240fdddfa5634b0a660269b37ba9b96fe66e889e9bef03dd1100f2b482b7e925721bf2ea8f1466b650dd4ed91112e9f40b1c1b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEBo5Ncnxz92.bat

Filesize
209B

MD5
d99d361cebef3bc84ac3d3dab47d2ac8

SHA1
7ba896c86ba691cc35b950acdb14d95dabb50dfb

SHA256
1a031fc71f84ab8279cf9a6aef9052f35185f1600a75872e5f7c14201ec49ea0

SHA512
60d2f7dc0e993349e7ab71099963932a45779491ec4d7d5fda9d2248d83936a0e17a2b9a83d655d8be935a69c0d44f47e18754fdca653b63cfd958e473f0a95f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aosv3TZuofsF.bat

Filesize
209B

MD5
b3c8bcd585efa758f5c6ec6f366f8cf4

SHA1
233f0b479e35d7727c320b34cf3833c8fadc7dce

SHA256
97681b9f606b1e80d820e27c561efeaaa66fbdc0cf4b694eb7c2ae13e631d261

SHA512
33fd2f686e36234f062b906b2a0fdb19fff75750f40c6eeef80da1a7d62940a02bc952e3ef3e45110da6c2ba6da470e260cc952343b94ad29724eb9ac084bd58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IV5jwX9N8oi6.bat

Filesize
209B

MD5
aa33df094128a44112bfc1e469f7fe5b

SHA1
849bb71e9ad23847efbe80f5a64e00b801189b36

SHA256
fcf0adbc06aad1cc3ff1f1f505a89f3bd4b1662cc6bd742fba987d9d3d188a36

SHA512
c9a2fc4ff9b36f922d7ae2de358fa611d720b90c4bc58ba8389f4dcc4b33c0dbd104c8f5a025fcc10e2929b8852546131b190ca793b84df1109c48ca5224d213

Download Submit
C:\Users\Admin\AppData\Local\Temp\JMsyDQpfuC44.bat

Filesize
209B

MD5
0302f1c5a157fb70100b27644241e307

SHA1
2bd7904b7aad36f88de2aae7e457347dc57653e6

SHA256
16c893cff30756bfffd491436e3cf0d09dac8134b72086e56ae9efac77ef8ee8

SHA512
42773133bd18080af78f8e30c5fcfea872eacc49481ad07f97081299bc2ceb95154c2a0db32c91d367d4066585ee0f86aed6249c6636ea8e053c554c3fa66b4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KrFPcGwe8kd7.bat

Filesize
209B

MD5
8cd928679fef0fc064ab82053572c3d3

SHA1
5f8cfd568623b4197a835ed8fa5b86513ce409d0

SHA256
a881d4c5a648a3e350141460f0911fae54b9c7556b659f367d94503d465e02a3

SHA512
3a9ba919910c4d6df1ad0602fe4b47ccec2d9d0b34ad5ce1a8eb8971fcc8300320604ef901d04203e5d8c50221dc50a52a0ac5ee2ecf19ad212eaa90eb024557

Download Submit
C:\Users\Admin\AppData\Local\Temp\LK2Txqw9rWhB.bat

Filesize
209B

MD5
12c68f93c3a9ab7b933571b016d8b8e5

SHA1
1b370474010c6782d5a9c2458a6f11f71555bfaa

SHA256
2387bed79643f9f03ca9f6b6692a5244b5eec5bf255a72e4e824627e2a737df9

SHA512
989bedfae2081ded2fa0a75173d667f55d725ed9a8ddd014a49ea2e1493416ad8071d2b8eb8f22fe5ee51f2b37c04c6a3252bc09640d398a8c5ca6bfb0952fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\QL1jXQfpFznM.bat

Filesize
209B

MD5
54d386e6f1287bc47c0eee1d87e508ec

SHA1
80aa8f02e61ed43e474960501f16c5a30a15432f

SHA256
09a71b631055b3177875311dea0bff1fa0af13612a0bd91d8ee6df017a82d82d

SHA512
e9e26feffab80ca3c76cdbdb46fadaaa35075a44b579500d718ab3dddfc72f28a5e72185cc547c84e54e8939e7e4e9fdb91b63a2f32ca01fde4193f2c8d80e97

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zs2IAftzVSyx.bat

Filesize
209B

MD5
deeec572f87cef4e1c0dcc57bc839351

SHA1
2927d174813e5af51164f2e7675007f6b5d791e7

SHA256
188a60fd21e5a074267c3b8a722ab8fe7b27d1ec14c4d491f12f2b4c6f5725eb

SHA512
da87be0d583566019b10eeb830cddc3cc4cd13b933ec4284f548d65006506fa70a58b19e5d14c8fe1aaee50416cd8b42dad57b6ebd8ee0905933f22ba1bdf217

Download Submit
C:\Users\Admin\AppData\Local\Temp\bDk7aan2T1zu.bat

Filesize
209B

MD5
29491c0855ab63836b5a043fa722ede9

SHA1
78e0d5e7038ba45fa1995ffb14c7734760f14c2f

SHA256
2e78a7ce3a48efd5db80a5ed2bb550837ec16f467295841cb088c3c0da195ca7

SHA512
13df38f6fed4b03d6a1a98286f106d6565a1045f1b28e82c6c0533e18f99f7c9c1d483e36feeda324c91e4d793fdbcec15d7edd64a4868f40618ca71c4136ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8ticX28wOJc.bat

Filesize
209B

MD5
0aaf2bbca51aa1746f699b84ff672df8

SHA1
bf4b58cd6986e494d2b7c480fd152a3907c8b42d

SHA256
4bbf702b5cd28d6dea938c2e9dc3bc78e0a23d81156b7130813a14c003d38095

SHA512
e2d0ba9e9759c6db93ba3479d5eb14c7c49a4efe9300634eb05cf11ca00f19ce8dc62d5658abd74c5a544949a4e057f8089abe93c2bfe2ec88d5ef15a760f618

Download Submit
C:\Users\Admin\AppData\Local\Temp\ifx9g1Oa6BaQ.bat

Filesize
209B

MD5
0036d75baf4d0bb4ea42bed60f20c716

SHA1
3a86958d2f263fa9fe31e7dae32cfb695c75da27

SHA256
28f6de63c69e8bfcd1c93e3ffb2afd8ab7a8e85b3aec159c9813a38e1425c006

SHA512
e6e0b8fcb2d29107ca917a838bf763989cac3d9598731fb3c3fdb64bdba46b6ff00ec4d28714746de2740738122de84898911e8df001f7b1b33e8014b33fba30

Download Submit
C:\Users\Admin\AppData\Local\Temp\jOsp2tnzkb61.bat

Filesize
209B

MD5
805dfaca61c26bcfc6a24f65f4c36ac8

SHA1
2885265aca1b206f69e7f7715d28f99bdfe64091

SHA256
6ea8b9d5c97546b8764c77449174c19f718e490f8c33497187133551945c3f00

SHA512
06c314eea6226f0a5642f2f62e2e5ccd49a6a0a11f988fc125af4a755e9a8cbf772f36f3851d06872f74cddbc02eb02f61063138fbed5ee3b672c4fdf825c1e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\lHFAXDwByyur.bat

Filesize
209B

MD5
d5b011290e4a208af745b4fdbb54f27e

SHA1
cf52c2fc51fc5631dc8a9865ec2b48ad5845f039

SHA256
45aaaba368a92cc5d9684c03991773d95fcc657de9340a8d5bc5de12d976b637

SHA512
1f9a3085a3a3387500aa59025780dd481f67a3f70552fd88006e234a5fdf30cb05b05b709e8028b15c3d066dbfb76ef9d9f460718f95c638369e23334bae8d01

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe

Filesize
3.1MB

MD5
f21aa436096afece0b8c39c36bf4a9ab

SHA1
976b74c6a4e59e59a812c06032aae71a0516236a

SHA256
43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10

SHA512
44500988e32db41452e83fcacfba7862fd1cc28ec1992b9040a408f155a5e6b416feb13dcf5afff690c615d51895476239575601cc255ecfb3973597ca13d15b

Download Submit
memory/1776-11-0x00007FF8A8570000-0x00007FF8A9031000-memory.dmp

Filesize
10.8MB

Download
memory/1776-13-0x000000001C350000-0x000000001C402000-memory.dmp

Filesize
712KB

Download
memory/1776-9-0x00007FF8A8570000-0x00007FF8A9031000-memory.dmp

Filesize
10.8MB

Download
memory/1776-12-0x000000001C240000-0x000000001C290000-memory.dmp

Filesize
320KB

Download
memory/1776-19-0x00007FF8A8570000-0x00007FF8A9031000-memory.dmp

Filesize
10.8MB

Download
memory/3528-10-0x00007FF8A8570000-0x00007FF8A9031000-memory.dmp

Filesize
10.8MB

Download
memory/3528-1-0x0000000000410000-0x000000000073A000-memory.dmp

Filesize
3.2MB

Download
memory/3528-2-0x00007FF8A8570000-0x00007FF8A9031000-memory.dmp

Filesize
10.8MB

Download
memory/3528-0-0x00007FF8A8573000-0x00007FF8A8575000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads