quasar | b67121c19394013d4e3fec0fcb138471e5ee51ebfafb296cc597afc0d256799f

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
24-01-2025 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

discordupdate.exe
Size

3.1MB
MD5

25befffc195ce47401f74afbe942f3ff
SHA1

287aacd0350f05308e08c6b4b8b88baf56f56160
SHA256

b67121c19394013d4e3fec0fcb138471e5ee51ebfafb296cc597afc0d256799f
SHA512

a28796538d64edaf7d4ba4d19e705211c779230a58b462793dab86ed5f51408feab998cf78ffe808819b4dc27cbaa981cd107887e0d5c7b0fb0f2bbca630973e
SSDEEP

49152:rv+I22SsaNYfdPBldt698dBcjH0gR04RoGdNdTHHB72eh2NT:rvz22SsaNYfdPBldt6+dBcjH0gR0k

Score

10^/10

quasar bot discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

bot

wexos47815-61484.portmap.host:61484

Mutex

06e2bb33-968c-4ca7-97dc-f23fbd5c3092

Attributes

encryption_key
8924CB3C9515DA437A37F5AE598376261E5528FC
install_name
msinfo32.exe
log_directory
Update
reconnect_delay
3000
startup_key
Discordupdate
subdirectory
dll32

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 13 IoCs

resource	yara_rule
behavioral1/memory/2520-1-0x00000000010A0000-0x00000000013C4000-memory.dmp	family_quasar
behavioral1/files/0x0009000000015d66-6.dat	family_quasar
behavioral1/memory/1636-10-0x0000000000C90000-0x0000000000FB4000-memory.dmp	family_quasar
behavioral1/memory/2788-23-0x0000000000E10000-0x0000000001134000-memory.dmp	family_quasar
behavioral1/memory/344-45-0x00000000002D0000-0x00000000005F4000-memory.dmp	family_quasar
behavioral1/memory/1996-56-0x0000000000860000-0x0000000000B84000-memory.dmp	family_quasar
behavioral1/memory/956-68-0x0000000001120000-0x0000000001444000-memory.dmp	family_quasar
behavioral1/memory/2244-89-0x0000000000A70000-0x0000000000D94000-memory.dmp	family_quasar
behavioral1/memory/2300-101-0x0000000000070000-0x0000000000394000-memory.dmp	family_quasar
behavioral1/memory/2840-112-0x0000000000210000-0x0000000000534000-memory.dmp	family_quasar
behavioral1/memory/2720-124-0x0000000001010000-0x0000000001334000-memory.dmp	family_quasar
behavioral1/memory/3012-145-0x00000000000B0000-0x00000000003D4000-memory.dmp	family_quasar
behavioral1/memory/1176-157-0x0000000000B90000-0x0000000000EB4000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
1636	msinfo32.exe
2788	msinfo32.exe
2908	msinfo32.exe
344	msinfo32.exe
1996	msinfo32.exe
956	msinfo32.exe
2112	msinfo32.exe
2244	msinfo32.exe
2300	msinfo32.exe
2840	msinfo32.exe
2720	msinfo32.exe
2992	msinfo32.exe
3012	msinfo32.exe
1176	msinfo32.exe
1008	msinfo32.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	discordupdate.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File created	C:\Windows\system32\dll32\msinfo32.exe	discordupdate.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	discordupdate.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
824	PING.EXE
1860	PING.EXE
2468	PING.EXE
1620	PING.EXE
1956	PING.EXE
1204	PING.EXE
2240	PING.EXE
824	PING.EXE
480	PING.EXE
952	PING.EXE
1872	PING.EXE
2772	PING.EXE
1120	PING.EXE
1696	PING.EXE

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
824	PING.EXE
1872	PING.EXE
1620	PING.EXE
1956	PING.EXE
824	PING.EXE
1120	PING.EXE
1696	PING.EXE
952	PING.EXE
1860	PING.EXE
2240	PING.EXE
1204	PING.EXE
2772	PING.EXE
480	PING.EXE
2468	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2864	schtasks.exe
1868	schtasks.exe
1616	schtasks.exe
1484	schtasks.exe
2004	schtasks.exe
2848	schtasks.exe
1960	schtasks.exe
2348	schtasks.exe
600	schtasks.exe
272	schtasks.exe
2996	schtasks.exe
1988	schtasks.exe
2580	schtasks.exe
3060	schtasks.exe
1628	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	discordupdate.exe
Token: SeDebugPrivilege	1636	msinfo32.exe
Token: SeDebugPrivilege	2788	msinfo32.exe
Token: SeDebugPrivilege	2908	msinfo32.exe
Token: SeDebugPrivilege	344	msinfo32.exe
Token: SeDebugPrivilege	1996	msinfo32.exe
Token: SeDebugPrivilege	956	msinfo32.exe
Token: SeDebugPrivilege	2112	msinfo32.exe
Token: SeDebugPrivilege	2244	msinfo32.exe
Token: SeDebugPrivilege	2300	msinfo32.exe
Token: SeDebugPrivilege	2840	msinfo32.exe
Token: SeDebugPrivilege	2720	msinfo32.exe
Token: SeDebugPrivilege	2992	msinfo32.exe
Token: SeDebugPrivilege	3012	msinfo32.exe
Token: SeDebugPrivilege	1176	msinfo32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1636	msinfo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 1616	2520	discordupdate.exe	30
PID 2520 wrote to memory of 1616	2520	discordupdate.exe	30
PID 2520 wrote to memory of 1616	2520	discordupdate.exe	30
PID 2520 wrote to memory of 1636	2520	discordupdate.exe	32
PID 2520 wrote to memory of 1636	2520	discordupdate.exe	32
PID 2520 wrote to memory of 1636	2520	discordupdate.exe	32
PID 1636 wrote to memory of 3060	1636	msinfo32.exe	33
PID 1636 wrote to memory of 3060	1636	msinfo32.exe	33
PID 1636 wrote to memory of 3060	1636	msinfo32.exe	33
PID 1636 wrote to memory of 2812	1636	msinfo32.exe	35
PID 1636 wrote to memory of 2812	1636	msinfo32.exe	35
PID 1636 wrote to memory of 2812	1636	msinfo32.exe	35
PID 2812 wrote to memory of 2732	2812	cmd.exe	37
PID 2812 wrote to memory of 2732	2812	cmd.exe	37
PID 2812 wrote to memory of 2732	2812	cmd.exe	37
PID 2812 wrote to memory of 1204	2812	cmd.exe	38
PID 2812 wrote to memory of 1204	2812	cmd.exe	38
PID 2812 wrote to memory of 1204	2812	cmd.exe	38
PID 2812 wrote to memory of 2788	2812	cmd.exe	40
PID 2812 wrote to memory of 2788	2812	cmd.exe	40
PID 2812 wrote to memory of 2788	2812	cmd.exe	40
PID 2788 wrote to memory of 2864	2788	msinfo32.exe	41
PID 2788 wrote to memory of 2864	2788	msinfo32.exe	41
PID 2788 wrote to memory of 2864	2788	msinfo32.exe	41
PID 2788 wrote to memory of 2720	2788	msinfo32.exe	43
PID 2788 wrote to memory of 2720	2788	msinfo32.exe	43
PID 2788 wrote to memory of 2720	2788	msinfo32.exe	43
PID 2720 wrote to memory of 2116	2720	cmd.exe	45
PID 2720 wrote to memory of 2116	2720	cmd.exe	45
PID 2720 wrote to memory of 2116	2720	cmd.exe	45
PID 2720 wrote to memory of 2772	2720	cmd.exe	46
PID 2720 wrote to memory of 2772	2720	cmd.exe	46
PID 2720 wrote to memory of 2772	2720	cmd.exe	46
PID 2720 wrote to memory of 2908	2720	cmd.exe	47
PID 2720 wrote to memory of 2908	2720	cmd.exe	47
PID 2720 wrote to memory of 2908	2720	cmd.exe	47
PID 2908 wrote to memory of 1484	2908	msinfo32.exe	48
PID 2908 wrote to memory of 1484	2908	msinfo32.exe	48
PID 2908 wrote to memory of 1484	2908	msinfo32.exe	48
PID 2908 wrote to memory of 2688	2908	msinfo32.exe	50
PID 2908 wrote to memory of 2688	2908	msinfo32.exe	50
PID 2908 wrote to memory of 2688	2908	msinfo32.exe	50
PID 2688 wrote to memory of 2960	2688	cmd.exe	52
PID 2688 wrote to memory of 2960	2688	cmd.exe	52
PID 2688 wrote to memory of 2960	2688	cmd.exe	52
PID 2688 wrote to memory of 1120	2688	cmd.exe	53
PID 2688 wrote to memory of 1120	2688	cmd.exe	53
PID 2688 wrote to memory of 1120	2688	cmd.exe	53
PID 2688 wrote to memory of 344	2688	cmd.exe	54
PID 2688 wrote to memory of 344	2688	cmd.exe	54
PID 2688 wrote to memory of 344	2688	cmd.exe	54
PID 344 wrote to memory of 1868	344	msinfo32.exe	55
PID 344 wrote to memory of 1868	344	msinfo32.exe	55
PID 344 wrote to memory of 1868	344	msinfo32.exe	55
PID 344 wrote to memory of 2008	344	msinfo32.exe	57
PID 344 wrote to memory of 2008	344	msinfo32.exe	57
PID 344 wrote to memory of 2008	344	msinfo32.exe	57
PID 2008 wrote to memory of 3048	2008	cmd.exe	59
PID 2008 wrote to memory of 3048	2008	cmd.exe	59
PID 2008 wrote to memory of 3048	2008	cmd.exe	59
PID 2008 wrote to memory of 480	2008	cmd.exe	60
PID 2008 wrote to memory of 480	2008	cmd.exe	60
PID 2008 wrote to memory of 480	2008	cmd.exe	60
PID 2008 wrote to memory of 1996	2008	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\discordupdate.exe
"C:\Users\Admin\AppData\Local\Temp\discordupdate.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1616
- C:\Windows\system32\dll32\msinfo32.exe
  "C:\Windows\system32\dll32\msinfo32.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3060
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\hTaw5SkdBEYL.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2732
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1204
  - - C:\Windows\system32\dll32\msinfo32.exe
      "C:\Windows\system32\dll32\msinfo32.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2864
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zBnjrdVMGMwk.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2720
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2116
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2772
      - C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1484
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qsDSPA3vzLoW.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2960
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1120
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:344
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1868
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vE5UlpTYuXt3.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3048
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:480
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2004
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VALbmzTaJO0d.bat" "
        11⤵
        
        PID:596
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1716
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:824
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:956
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:600
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NV4vp6Mp70d0.bat" "
        13⤵
        
        PID:1632
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1208
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:952
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:272
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7loDpS7UuxeV.bat" "
        15⤵
        
        PID:556
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1972
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1860
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1628
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ETnUmoJv8Qrr.bat" "
        17⤵
        
        PID:2396
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2484
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2468
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2848
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\0SwWJCqvWRCp.bat" "
        19⤵
        
        PID:2928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2812
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2240
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1960
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BUBuYM1pdi13.bat" "
        21⤵
        
        PID:2028
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1700
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1872
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2996
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nq00qDjz8sXA.bat" "
        23⤵
        
        PID:352
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1444
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1620
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1988
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\y68R2PUoZxHi.bat" "
        25⤵
        
        PID:2940
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2188
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1956
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2348
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Gv8wDPc2XK0P.bat" "
        27⤵
        
        PID:1996
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1228
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:824
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1176
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2580
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\3SQ2KxIYxSxU.bat" "
        29⤵
        
        PID:1468
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:908
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1696
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        30⤵
        Executes dropped EXE
        
        PID:1008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0SwWJCqvWRCp.bat

Filesize
197B

MD5
20db589a4e2030be8c197bf943315165

SHA1
927fcf477a2cdbf6ae95380b267b6ce01cebdc7f

SHA256
7f765e88ed22d255b80ef298e81c59262bcdb3c53d081b0c6824a73dad85fd99

SHA512
7c69ebbbc5ad110387c3fa57499b1eb384f22a5ba716d9024c799fdbc50a5c0c06f8d53770e5e03a0c761fe4e7dc0da8bdc095d34a8eae8f4aae9ec21f78495b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3SQ2KxIYxSxU.bat

Filesize
197B

MD5
cd9e76feae6790ae82ec7e3aa54d3806

SHA1
652f69c8399d2d03433b980830c347e0a2f8a40b

SHA256
35e595cd01e90f8b300cb5a9efdce8725fd913c6abd38be372d4ab59e561605f

SHA512
a80a9823acd1d60b45c4a4c63dce126b69280769ed7012712b9c8a8c739d4b543030a002c469ebc4df75613bf9829ad2f4ae13186cdc0ca09577549d809f0622

Download Submit
C:\Users\Admin\AppData\Local\Temp\7loDpS7UuxeV.bat

Filesize
197B

MD5
35660a37484bdc88446fae5cf8e53866

SHA1
b16a9a5764dc012c67bc7a162e3b02832d2f38d2

SHA256
79b82015aa6469ff259704716d77dd45a66cd5d7ca90a88c2b5518703bc1686f

SHA512
bb497a70eca92d5d9e04f8cad28a99ec29c6a1e41e731d34a9028beb0b76d660c41ae552a0bb835d6d743a521fcff72c77c34d411fff21d74c2c401a17c6c48f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BUBuYM1pdi13.bat

Filesize
197B

MD5
967ddfd3598b9ce83cceb8625ed4c94b

SHA1
9072243d9873e4433e832ec20c5e7aa596dbace1

SHA256
7f8f8d1a88a4d9702f5000421f14dfefeb1e94e1cbf1ccd7166b4082e3d24fe3

SHA512
0359a88556c0bf645616743cf6342ae761cbf67d564e03bbd1dbbf11630bf75229550faf14883ea240f9a4ee9cda5b9c7bd53884412c16d363bd05e9e25a97e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ETnUmoJv8Qrr.bat

Filesize
197B

MD5
dad3af65677ac478c103625a72925aaf

SHA1
171300f62dd3ae37a70be1731dc35076193e97f1

SHA256
e050149274da70bbfc2e45ca39a3be41730ee7a0ab2545e1fdf4cc05f96aa363

SHA512
2a7e05021fba9608616ef7e7bf195f7bfd4ee7e7fa1cc5f3f49b4079a0d3caa3f8b9786cab24e61f01356a878d2d16b267801f83c5a28bc880a3cb4457541858

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gv8wDPc2XK0P.bat

Filesize
197B

MD5
abba5cef83631fd2991e5fca0522fc4e

SHA1
f3f8812aa7ba84345af074f672a5ffc082cebd5f

SHA256
69dcae12793ce5ffa02c2e8110a6d5c898108dd0efd760f61843d9216eda9310

SHA512
524e46079c59e852d79eb34b0d7331127e2d8c47ba620f8d05701c2a5f4edf54a549744db9f56780826042c0f8a49b30cd04070e7d3c971f27f7ed6c127d86bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\NV4vp6Mp70d0.bat

Filesize
197B

MD5
2b54db3fa00846cadd9028aac21ac96d

SHA1
643a39c640383f62eb51bb8efd58ee2f173e4884

SHA256
398f9a0498778a30ef07f480d4e7e8e002a1326a4d6d816079cb9cc79138665e

SHA512
3a63a9c0f7e2773ab5f1d16c21b4276b5a639b9eb510308bb680f79f6a784901b3c0ef86775ea7298838e59bed356a5f0477a87fd7ed386b755a24887d55d5fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\VALbmzTaJO0d.bat

Filesize
197B

MD5
8c45abf7fd1472fed388265cd890f642

SHA1
0bc5b0651c4b50f1e49bd26cf280989e8ddc3a6a

SHA256
042c819d28e9c190f8eb3ad4b7639cfd7ec7748d0037a955af5311f9874dadb0

SHA512
5f1f8fc473a8778139d5bd4b5fcdf7a80f55a6c4191792788de1a234531b2d0a0717076f4190da8722ac912402902e60fed738a37568c719dfabac0617784e6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hTaw5SkdBEYL.bat

Filesize
197B

MD5
7e4f7076ef820dd96837643e759fc616

SHA1
3e0c46c4fbf4157f7c75e396e569f64fdb117c57

SHA256
e903eb42c48101a63cb7b9d6004bbc573941506829dbe3e740d948a018f06a31

SHA512
bd711b6ea9416e72690548958e9fec1b2fd0655f6a5b400eacdca6eff6597a905f134a8e7fc6d94bf5383db26a0c8548234ca8eb45cd06d43271b5a168e8f76e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nq00qDjz8sXA.bat

Filesize
197B

MD5
b1fda493657dc6f146cb315f2e466003

SHA1
72220b28a404a6eea03b49e45c6a3687c11a2d2a

SHA256
7608e3fb2f5ff36c1443888c0ad81b7df5a1f2d09d524474588bbcf262454241

SHA512
067e03bebb08802f3a24731434d57a01d2e744ac525f64263ec575eacf27861e77bfa8f34e31b96738857d0f8cc2b7d08afc79019286f4ebd6510c16c414bf00

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsDSPA3vzLoW.bat

Filesize
197B

MD5
543eda1b7f63d92705a10d9168617819

SHA1
b8738d9762df4a4810566d7c333532f03b224e1e

SHA256
4bc55f723e3386f5d1efa7dfa9681d118d57fe4acb43c2b70d1daa0cc807499e

SHA512
7f59da2e973f77e2172e24e9dc095d687b8b0cd41a391260300139812bfad222879d05d3ca605668b430789099c1cd5cdcb4db7106b19354bb77ec207868e455

Download Submit
C:\Users\Admin\AppData\Local\Temp\vE5UlpTYuXt3.bat

Filesize
197B

MD5
0a6f9daefd4f1916d20cc110c1c5fcab

SHA1
8e3f87f52e768fc0700a3b53bc7dac5d1b58fb76

SHA256
dc7890e868be32a903a93422a04c6e23b4edef81393765ed94dc7335cc89f323

SHA512
c704938ab9048c85ba5371d9eefacf4d0a08077323966f8aa7d925e3ca551a7ee1bb205314f34bbec69c8ec84739bbef280980a82082039795196ff628d08e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\y68R2PUoZxHi.bat

Filesize
197B

MD5
459e7685ca5c80b39e462b4316428e45

SHA1
6845629e16115dd4923b44493716c87630e74ec6

SHA256
ab837df13843cd5337051b71c4e03a8cce2ed01b33993f5da35800b29faa3e54

SHA512
40641fa90a67cf28500786ff7a618ff601471f303861c03295ea15368573076cc9e6991f6e8fea5483a698f335f10c8a807ac219ed908dc5b8aebf6c306a7daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\zBnjrdVMGMwk.bat

Filesize
197B

MD5
778b2b45d86474b41eda7a43cd6c85ed

SHA1
56ac11136876bea21f449aec7d2b3fbfdb5379b4

SHA256
03e765ddc5b46adbf2180dbc23246abdb13e0bb8f763e07c8faccaf9da741df4

SHA512
b626adf52f6c6a433ed1fec1b3520db149cccdf65100dac2bc42f356abf01a411377aca2f91c811fa205aceb6d5467fee106f202562262ae08c705c434d2da88

Download Submit
C:\Windows\System32\dll32\msinfo32.exe

Filesize
1.1MB

MD5
7cd34c9993fb9b0037111a4d6afa2ea6

SHA1
67f4b844c8d7f46475405e1c8e8dffc89eb1d03d

SHA256
a54ee15405ad83eb011d4dbbac76f6b50b99df7ee44b08a7102cd6abf954f958

SHA512
296f72342b6a9441bcfa699e63c6752bacf460e32ad4c4a012d71349f016993eafa2b887c3a0d1f4f5e125dca039d910456ca5075fb8033a1a3a59898e48e6d7

Download Submit
C:\Windows\System32\dll32\msinfo32.exe

Filesize
3.1MB

MD5
25befffc195ce47401f74afbe942f3ff

SHA1
287aacd0350f05308e08c6b4b8b88baf56f56160

SHA256
b67121c19394013d4e3fec0fcb138471e5ee51ebfafb296cc597afc0d256799f

SHA512
a28796538d64edaf7d4ba4d19e705211c779230a58b462793dab86ed5f51408feab998cf78ffe808819b4dc27cbaa981cd107887e0d5c7b0fb0f2bbca630973e

Download Submit
memory/344-45-0x00000000002D0000-0x00000000005F4000-memory.dmp

Filesize
3.1MB

Download
memory/956-68-0x0000000001120000-0x0000000001444000-memory.dmp

Filesize
3.1MB

Download
memory/1008-168-0x00000000001E0000-0x0000000000504000-memory.dmp

Filesize
3.1MB

Download
memory/1176-157-0x0000000000B90000-0x0000000000EB4000-memory.dmp

Filesize
3.1MB

Download
memory/1636-20-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

Filesize
9.9MB

Download
memory/1636-9-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

Filesize
9.9MB

Download
memory/1636-10-0x0000000000C90000-0x0000000000FB4000-memory.dmp

Filesize
3.1MB

Download
memory/1636-11-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

Filesize
9.9MB

Download
memory/1996-56-0x0000000000860000-0x0000000000B84000-memory.dmp

Filesize
3.1MB

Download
memory/2244-89-0x0000000000A70000-0x0000000000D94000-memory.dmp

Filesize
3.1MB

Download
memory/2300-101-0x0000000000070000-0x0000000000394000-memory.dmp

Filesize
3.1MB

Download
memory/2520-0-0x000007FEF6343000-0x000007FEF6344000-memory.dmp

Filesize
4KB

Download
memory/2520-8-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2520-2-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2520-1-0x00000000010A0000-0x00000000013C4000-memory.dmp

Filesize
3.1MB

Download
memory/2720-124-0x0000000001010000-0x0000000001334000-memory.dmp

Filesize
3.1MB

Download
memory/2788-23-0x0000000000E10000-0x0000000001134000-memory.dmp

Filesize
3.1MB

Download
memory/2840-112-0x0000000000210000-0x0000000000534000-memory.dmp

Filesize
3.1MB

Download
memory/3012-145-0x00000000000B0000-0x00000000003D4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads