quasar | b67121c19394013d4e3fec0fcb138471e5ee51ebfafb296cc597afc0d256799f

Analysis

max time kernel
143s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-01-2025 05:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

discordupdate.exe
Size

3.1MB
MD5

25befffc195ce47401f74afbe942f3ff
SHA1

287aacd0350f05308e08c6b4b8b88baf56f56160
SHA256

b67121c19394013d4e3fec0fcb138471e5ee51ebfafb296cc597afc0d256799f
SHA512

a28796538d64edaf7d4ba4d19e705211c779230a58b462793dab86ed5f51408feab998cf78ffe808819b4dc27cbaa981cd107887e0d5c7b0fb0f2bbca630973e
SSDEEP

49152:rv+I22SsaNYfdPBldt698dBcjH0gR04RoGdNdTHHB72eh2NT:rvz22SsaNYfdPBldt6+dBcjH0gR0k

Score

10^/10

quasar bot discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

bot

wexos47815-61484.portmap.host:61484

Mutex

06e2bb33-968c-4ca7-97dc-f23fbd5c3092

Attributes

encryption_key
8924CB3C9515DA437A37F5AE598376261E5528FC
install_name
msinfo32.exe
log_directory
Update
reconnect_delay
3000
startup_key
Discordupdate
subdirectory
dll32

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 11 IoCs

resource	yara_rule
behavioral1/memory/1924-1-0x0000000000E40000-0x0000000001164000-memory.dmp	family_quasar
behavioral1/files/0x0008000000017403-6.dat	family_quasar
behavioral1/memory/2416-9-0x0000000000F00000-0x0000000001224000-memory.dmp	family_quasar
behavioral1/memory/2344-23-0x0000000001310000-0x0000000001634000-memory.dmp	family_quasar
behavioral1/memory/1372-44-0x00000000002D0000-0x00000000005F4000-memory.dmp	family_quasar
behavioral1/memory/560-55-0x0000000000E60000-0x0000000001184000-memory.dmp	family_quasar
behavioral1/memory/2704-87-0x00000000012A0000-0x00000000015C4000-memory.dmp	family_quasar
behavioral1/memory/2068-119-0x00000000001E0000-0x0000000000504000-memory.dmp	family_quasar
behavioral1/memory/2380-131-0x0000000000C40000-0x0000000000F64000-memory.dmp	family_quasar
behavioral1/memory/2280-142-0x0000000000DE0000-0x0000000001104000-memory.dmp	family_quasar
behavioral1/memory/1712-154-0x0000000000080000-0x00000000003A4000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2416	msinfo32.exe
2344	msinfo32.exe
2876	msinfo32.exe
1372	msinfo32.exe
560	msinfo32.exe
1788	msinfo32.exe
400	msinfo32.exe
2704	msinfo32.exe
2732	msinfo32.exe
2884	msinfo32.exe
2068	msinfo32.exe
2380	msinfo32.exe
2280	msinfo32.exe
1712	msinfo32.exe
2304	msinfo32.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	discordupdate.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	discordupdate.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File created	C:\Windows\system32\dll32\msinfo32.exe	discordupdate.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
684	PING.EXE
1348	PING.EXE
2736	PING.EXE
1152	PING.EXE
2064	PING.EXE
3052	PING.EXE
1960	PING.EXE
952	PING.EXE
2764	PING.EXE
2084	PING.EXE
1528	PING.EXE
604	PING.EXE
536	PING.EXE
3052	PING.EXE
2480	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1528	PING.EXE
2736	PING.EXE
3052	PING.EXE
1152	PING.EXE
2084	PING.EXE
3052	PING.EXE
684	PING.EXE
536	PING.EXE
1348	PING.EXE
604	PING.EXE
2064	PING.EXE
2480	PING.EXE
1960	PING.EXE
952	PING.EXE
2764	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
768	schtasks.exe
2044	schtasks.exe
1964	schtasks.exe
2332	schtasks.exe
2240	schtasks.exe
2896	schtasks.exe
2304	schtasks.exe
2820	schtasks.exe
2532	schtasks.exe
2380	schtasks.exe
2220	schtasks.exe
2348	schtasks.exe
1948	schtasks.exe
2368	schtasks.exe
2376	schtasks.exe
912	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1924	discordupdate.exe
Token: SeDebugPrivilege	2416	msinfo32.exe
Token: SeDebugPrivilege	2344	msinfo32.exe
Token: SeDebugPrivilege	2876	msinfo32.exe
Token: SeDebugPrivilege	1372	msinfo32.exe
Token: SeDebugPrivilege	560	msinfo32.exe
Token: SeDebugPrivilege	1788	msinfo32.exe
Token: SeDebugPrivilege	400	msinfo32.exe
Token: SeDebugPrivilege	2704	msinfo32.exe
Token: SeDebugPrivilege	2732	msinfo32.exe
Token: SeDebugPrivilege	2884	msinfo32.exe
Token: SeDebugPrivilege	2068	msinfo32.exe
Token: SeDebugPrivilege	2380	msinfo32.exe
Token: SeDebugPrivilege	2280	msinfo32.exe
Token: SeDebugPrivilege	1712	msinfo32.exe
Token: SeDebugPrivilege	2304	msinfo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2368	1924	discordupdate.exe	30
PID 1924 wrote to memory of 2368	1924	discordupdate.exe	30
PID 1924 wrote to memory of 2368	1924	discordupdate.exe	30
PID 1924 wrote to memory of 2416	1924	discordupdate.exe	32
PID 1924 wrote to memory of 2416	1924	discordupdate.exe	32
PID 1924 wrote to memory of 2416	1924	discordupdate.exe	32
PID 2416 wrote to memory of 2304	2416	msinfo32.exe	33
PID 2416 wrote to memory of 2304	2416	msinfo32.exe	33
PID 2416 wrote to memory of 2304	2416	msinfo32.exe	33
PID 2416 wrote to memory of 2836	2416	msinfo32.exe	35
PID 2416 wrote to memory of 2836	2416	msinfo32.exe	35
PID 2416 wrote to memory of 2836	2416	msinfo32.exe	35
PID 2836 wrote to memory of 3036	2836	cmd.exe	37
PID 2836 wrote to memory of 3036	2836	cmd.exe	37
PID 2836 wrote to memory of 3036	2836	cmd.exe	37
PID 2836 wrote to memory of 2764	2836	cmd.exe	38
PID 2836 wrote to memory of 2764	2836	cmd.exe	38
PID 2836 wrote to memory of 2764	2836	cmd.exe	38
PID 2836 wrote to memory of 2344	2836	cmd.exe	40
PID 2836 wrote to memory of 2344	2836	cmd.exe	40
PID 2836 wrote to memory of 2344	2836	cmd.exe	40
PID 2344 wrote to memory of 2376	2344	msinfo32.exe	41
PID 2344 wrote to memory of 2376	2344	msinfo32.exe	41
PID 2344 wrote to memory of 2376	2344	msinfo32.exe	41
PID 2344 wrote to memory of 2900	2344	msinfo32.exe	43
PID 2344 wrote to memory of 2900	2344	msinfo32.exe	43
PID 2344 wrote to memory of 2900	2344	msinfo32.exe	43
PID 2900 wrote to memory of 2672	2900	cmd.exe	45
PID 2900 wrote to memory of 2672	2900	cmd.exe	45
PID 2900 wrote to memory of 2672	2900	cmd.exe	45
PID 2900 wrote to memory of 684	2900	cmd.exe	46
PID 2900 wrote to memory of 684	2900	cmd.exe	46
PID 2900 wrote to memory of 684	2900	cmd.exe	46
PID 2900 wrote to memory of 2876	2900	cmd.exe	47
PID 2900 wrote to memory of 2876	2900	cmd.exe	47
PID 2900 wrote to memory of 2876	2900	cmd.exe	47
PID 2876 wrote to memory of 912	2876	msinfo32.exe	48
PID 2876 wrote to memory of 912	2876	msinfo32.exe	48
PID 2876 wrote to memory of 912	2876	msinfo32.exe	48
PID 2876 wrote to memory of 2952	2876	msinfo32.exe	50
PID 2876 wrote to memory of 2952	2876	msinfo32.exe	50
PID 2876 wrote to memory of 2952	2876	msinfo32.exe	50
PID 2952 wrote to memory of 2924	2952	cmd.exe	52
PID 2952 wrote to memory of 2924	2952	cmd.exe	52
PID 2952 wrote to memory of 2924	2952	cmd.exe	52
PID 2952 wrote to memory of 536	2952	cmd.exe	53
PID 2952 wrote to memory of 536	2952	cmd.exe	53
PID 2952 wrote to memory of 536	2952	cmd.exe	53
PID 2952 wrote to memory of 1372	2952	cmd.exe	54
PID 2952 wrote to memory of 1372	2952	cmd.exe	54
PID 2952 wrote to memory of 1372	2952	cmd.exe	54
PID 1372 wrote to memory of 2332	1372	msinfo32.exe	55
PID 1372 wrote to memory of 2332	1372	msinfo32.exe	55
PID 1372 wrote to memory of 2332	1372	msinfo32.exe	55
PID 1372 wrote to memory of 1828	1372	msinfo32.exe	57
PID 1372 wrote to memory of 1828	1372	msinfo32.exe	57
PID 1372 wrote to memory of 1828	1372	msinfo32.exe	57
PID 1828 wrote to memory of 2156	1828	cmd.exe	59
PID 1828 wrote to memory of 2156	1828	cmd.exe	59
PID 1828 wrote to memory of 2156	1828	cmd.exe	59
PID 1828 wrote to memory of 2084	1828	cmd.exe	60
PID 1828 wrote to memory of 2084	1828	cmd.exe	60
PID 1828 wrote to memory of 2084	1828	cmd.exe	60
PID 1828 wrote to memory of 560	1828	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\discordupdate.exe
"C:\Users\Admin\AppData\Local\Temp\discordupdate.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2368
- C:\Windows\system32\dll32\msinfo32.exe
  "C:\Windows\system32\dll32\msinfo32.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2304
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\hnDitOFXGLBW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3036
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2764
  - - C:\Windows\system32\dll32\msinfo32.exe
      "C:\Windows\system32\dll32\msinfo32.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2344
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2376
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\D5mje4FFipCP.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2900
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2672
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:684
      - C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:912
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\47RmQ1KfXdcq.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2924
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:536
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2332
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ukZzsXH6Nh3s.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2156
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2084
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2380
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kvG3qiJhR2Vg.bat" "
        11⤵
        
        PID:2320
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1644
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3052
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1788
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2240
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\I1QvqD5SZdiv.bat" "
        13⤵
        
        PID:1628
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:624
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1348
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:400
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2220
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\f18aInilszT9.bat" "
        15⤵
        
        PID:1808
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1696
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1528
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2820
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YD5clytLIhjZ.bat" "
        17⤵
        
        PID:3036
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2768
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2736
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2348
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bk1nnYeY8TsZ.bat" "
        19⤵
        
        PID:1572
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2772
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:604
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2896
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EmZD01V20prt.bat" "
        21⤵
        
        PID:2984
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1072
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1152
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1948
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WRp5facd99bK.bat" "
        23⤵
        
        PID:1868
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1336
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2064
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:768
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gJlCsTxmhkyF.bat" "
        25⤵
        
        PID:1860
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:316
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3052
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2532
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\4lQhFUo3IB9r.bat" "
        27⤵
        
        PID:828
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:696
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2480
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2044
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\l4HCEerX1k4D.bat" "
        29⤵
        
        PID:2488
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1500
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1960
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1964
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\txw5xe0EIpnp.bat" "
        31⤵
        
        PID:1924
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2988
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\47RmQ1KfXdcq.bat

Filesize
197B

MD5
4b2a1622e1835a989eb3b39dad14d623

SHA1
0c16ca12b65d8a70ad66183f546192bc32e84f99

SHA256
d8e87d97dae649fae0dd08e93f096a8ac68cb5ad1c9cc3fc2c4db1b72339b37b

SHA512
4b61c657b471136a282ac98fffa42c31e85285b095c1f5e51e8870cf87ffa600502f651593f5a4a22399ee42ad57104dfd9bda7d241e61d044703acf70a038c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4lQhFUo3IB9r.bat

Filesize
197B

MD5
76b2d8bad8f14237acc4981e624dc691

SHA1
76c8b9f1cb7973e4c415d07776f72c7c04e6f424

SHA256
aa9221d213f358045e15d4173dcf5d5487ff75ee9d971a31c1dbeb9afc7000dc

SHA512
70a66a96c28e6334ba357e373fa34bb4c7212f2788e0121612156b14e03f4d4b5e234a3fbccd5fbd68c059165c317aee0d2d7ef7af6d0d1691dd8dfe671b2aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\D5mje4FFipCP.bat

Filesize
197B

MD5
2b72fe3f8ca0f8c486813ef7c47e1e6f

SHA1
db18df9860ea35e3480dc4c5cae2134f15b813b0

SHA256
146f513e925c25ed802555cf90d4921113acd178a48d3591c48a0f22f6863c19

SHA512
f9851cf0576deda2e977b7c72d577e472ffe3971c8cb43ad7232c449ec0403fdc2f718e6fa8a325d4de42d502e2fe45dd8d7a72f8bc95a7d32072a57a69a29c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\EmZD01V20prt.bat

Filesize
197B

MD5
de9d6574f5275b5ad894d3fbba2ccd1f

SHA1
19cb143e12c385028b66456967bb64f6d10066d0

SHA256
628001117c6ff7de5c135f605446cb31a88f00267c7ac57c8f96ca8e9374cc04

SHA512
20dca1155ac2af1f1d085fe23b50b8a56c6e1fbad793a0295eb2cf14ff615ffcbfc4e1d5c2e8c62e4496f9548b1aa3e1a7b13405014c6813c3d11163559b34e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\I1QvqD5SZdiv.bat

Filesize
197B

MD5
f51b64c45ea0aa1ed2afc09435d3bc33

SHA1
9ca6e968f63a14a406056006a7befcc9edbd9bc7

SHA256
ca146404b987e66d1df2a2e02bc9e0809ff04f1b1c0e4c3dcb165e439251fbf8

SHA512
7c6ff6a525902112311813e91e18fb0c20e635b2c78770794def77813c7c61e9ca1261bf8aa608c9c076a1aecedd12f1d8703b9aaf2902b10f10811f2e137d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\WRp5facd99bK.bat

Filesize
197B

MD5
621c5925b78d4ebba634db692c798c90

SHA1
b084f827c5e395a95c671a5fe00511f11c483606

SHA256
1b744a03d7afa88561dbf2e347db67c2cce5e625c899c2fcf60f986eba1b984a

SHA512
02317c25cd212a33f2a7244889154a0baffcb2ea858dcd65ff6206b48c4a696c629c8d902b8f90aa2e6887e8d1f086375503444f8fe835c35299e606b9f447b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\YD5clytLIhjZ.bat

Filesize
197B

MD5
b25f741267e58d0e915a1e712d7191f5

SHA1
70aff1d1dc7d4534c2406cb9d1f3a6df5827349b

SHA256
1b3802241044c45bd3858f8cd8e105a8801f4d1540f332ae36a8b438329cd9f5

SHA512
d5140e439f6e4ed6c2dd585dedac1d07a99183a6653e68ba3e644bdb07e4bac76c23fb1c3344804ee2b80e0cd6440e8ca2b96ca49105b1ac2489970862c01a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\bk1nnYeY8TsZ.bat

Filesize
197B

MD5
bd2348efc1603813d5b9f3e847b15471

SHA1
118e6d25ded1f39182c9bdf346dc3d1e245d154f

SHA256
d70433d8282b41ebfd227a9bef1ea5485069da846583375d682b17a0d8168b8d

SHA512
f03d17fa95165f0c2c1dea7869f0bf5ce83b3a9b9a6a982f8c226d2fe5eff26d3f13b5fc089c61acc68ba636df8d46a18f675d2ab38cf468b6263f50d1873e6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f18aInilszT9.bat

Filesize
197B

MD5
e1699894b092c1670f0143e26c1701f5

SHA1
5413de6984358c9f050859aeacc25b3a1a4aecd7

SHA256
bc512e87a46c1fe95c6d9ddb06038d13495868e45391bc728df2b6913f8ac24d

SHA512
c87a6c8b82352d2fb5f3a58826e982d0468490259a0c81b00c255a4d8adc9b4b82d8fefb0da61551d51fbd9a055490f3929f84c8dbfaf9469cff9ad6ae903c61

Download Submit
C:\Users\Admin\AppData\Local\Temp\gJlCsTxmhkyF.bat

Filesize
197B

MD5
f2a7a84e6b75f71a73ce4b2d0c192374

SHA1
1bf4d257a4e3cc0e872bf63be8d2955ee79e6456

SHA256
824f0ff9ad69cd607c14be6782ae950c17d9028570f62e1ad887fd76f53927b8

SHA512
940abd22c7004b9a74ac0d7b0b595f00ce483c182a2674067fc450491467efd76f5cf008890c5c48c47481084d9e9b6e8db69872cea3ad03a630383c7e3970e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\hnDitOFXGLBW.bat

Filesize
197B

MD5
bcc7f3122e14e3524160814f49710b68

SHA1
2659701e9987a2e7f50072355421bd273bc84951

SHA256
52fbaed5096362ace185b5e2b9a961fe24f6339b3e91f774f711f07aef30385f

SHA512
516635fb25ad5fe731553a6bc4ea41cc5a0ce081b6394ba196d06354e3d06d742510aeb676a9dd396f53ab55d4d8f1448918e3a631c1d5092f936856f4c86fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kvG3qiJhR2Vg.bat

Filesize
197B

MD5
14f62c5f37b9a0c61527b5f5a582afff

SHA1
9423b917224ca4c323fede897b6a998348ecda15

SHA256
f39334db3e8234b4863ddfe40bef99023c04a3e77b6f1650f4df3fc1c43d6039

SHA512
0cb69a39ca7c02527fcc60af7d24722146119280036b361505d205628193b606566f7560d216ad5083b315969b055790e54de144845ebe1a3b9cb30a285d0ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\l4HCEerX1k4D.bat

Filesize
197B

MD5
d69f39aec8c2fe9592f5114c631a1ae4

SHA1
989446d4a1511b3d7cf039cd766ede39ba0d47ea

SHA256
3c2e9855f24ee72714632e3b9e4e7187ac30e49ccd918794bf548fa0b638dca6

SHA512
f73461fa4dcecd5994ce135aa084a7a578efb7d62239cf4152b161ffe21662f53326fac1b428014b8280c85be2df6aa3432e97d01610b6cd42de6d812969ec0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\txw5xe0EIpnp.bat

Filesize
197B

MD5
17f76423ce2d5982528b0cbf6e26518b

SHA1
908cd629cac0aceadb2ebf529894433a0d037de6

SHA256
b8d9a2df3d1a37b91b28b72671a5588195cc9938a2d00e7832aec5eb4ddacce1

SHA512
74e86797d8e13381d280ad72b2abcb8dbb9add748ece293d2a9475922bf88a3d670c9319bc169c06afa868b9b7662b0cff84e134965f9a936da545750964e7e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukZzsXH6Nh3s.bat

Filesize
197B

MD5
b2ba47a6609f403c06cf330acf06b3a0

SHA1
3555e96313f4c386e479e085262d413f2002f55a

SHA256
156e561a0c215ab1c2978cc463682d7189e2bd4029d38bc01889c6a06698b6f3

SHA512
bb231bd3bb83739bda98a6cf1c733daa0d3a0ac0d57c7c788fe352406157a6ec5ef177033e29b890b2e82903d77120d2d3c5f4e4efbdcfc6711ed1dfae3f83de

Download Submit
C:\Windows\System32\dll32\msinfo32.exe

Filesize
3.1MB

MD5
25befffc195ce47401f74afbe942f3ff

SHA1
287aacd0350f05308e08c6b4b8b88baf56f56160

SHA256
b67121c19394013d4e3fec0fcb138471e5ee51ebfafb296cc597afc0d256799f

SHA512
a28796538d64edaf7d4ba4d19e705211c779230a58b462793dab86ed5f51408feab998cf78ffe808819b4dc27cbaa981cd107887e0d5c7b0fb0f2bbca630973e

Download Submit
memory/560-55-0x0000000000E60000-0x0000000001184000-memory.dmp

Filesize
3.1MB

Download
memory/1372-44-0x00000000002D0000-0x00000000005F4000-memory.dmp

Filesize
3.1MB

Download
memory/1712-154-0x0000000000080000-0x00000000003A4000-memory.dmp

Filesize
3.1MB

Download
memory/1924-2-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/1924-8-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/1924-1-0x0000000000E40000-0x0000000001164000-memory.dmp

Filesize
3.1MB

Download
memory/1924-0-0x000007FEF5283000-0x000007FEF5284000-memory.dmp

Filesize
4KB

Download
memory/2068-119-0x00000000001E0000-0x0000000000504000-memory.dmp

Filesize
3.1MB

Download
memory/2280-142-0x0000000000DE0000-0x0000000001104000-memory.dmp

Filesize
3.1MB

Download
memory/2344-23-0x0000000001310000-0x0000000001634000-memory.dmp

Filesize
3.1MB

Download
memory/2380-131-0x0000000000C40000-0x0000000000F64000-memory.dmp

Filesize
3.1MB

Download
memory/2416-9-0x0000000000F00000-0x0000000001224000-memory.dmp

Filesize
3.1MB

Download
memory/2416-10-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/2416-11-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/2416-20-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/2704-87-0x00000000012A0000-0x00000000015C4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads