quasar | b67121c19394013d4e3fec0fcb138471e5ee51ebfafb296cc597afc0d256799f

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2025 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

discordupdate.exe
Size

3.1MB
MD5

25befffc195ce47401f74afbe942f3ff
SHA1

287aacd0350f05308e08c6b4b8b88baf56f56160
SHA256

b67121c19394013d4e3fec0fcb138471e5ee51ebfafb296cc597afc0d256799f
SHA512

a28796538d64edaf7d4ba4d19e705211c779230a58b462793dab86ed5f51408feab998cf78ffe808819b4dc27cbaa981cd107887e0d5c7b0fb0f2bbca630973e
SSDEEP

49152:rv+I22SsaNYfdPBldt698dBcjH0gR04RoGdNdTHHB72eh2NT:rvz22SsaNYfdPBldt6+dBcjH0gR0k

Score

10^/10

quasar bot discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

bot

wexos47815-61484.portmap.host:61484

Mutex

06e2bb33-968c-4ca7-97dc-f23fbd5c3092

Attributes

encryption_key
8924CB3C9515DA437A37F5AE598376261E5528FC
install_name
msinfo32.exe
log_directory
Update
reconnect_delay
3000
startup_key
Discordupdate
subdirectory
dll32

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/2808-1-0x0000000000D70000-0x0000000001094000-memory.dmp	family_quasar
behavioral2/files/0x000c000000023b74-6.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	msinfo32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	msinfo32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	msinfo32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	msinfo32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	msinfo32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	msinfo32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	msinfo32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	msinfo32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	msinfo32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	msinfo32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	msinfo32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	msinfo32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	msinfo32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	msinfo32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	msinfo32.exe

Executes dropped EXE 15 IoCs

pid	Process
3284	msinfo32.exe
1232	msinfo32.exe
4436	msinfo32.exe
4420	msinfo32.exe
4380	msinfo32.exe
2140	msinfo32.exe
3572	msinfo32.exe
1808	msinfo32.exe
1308	msinfo32.exe
4664	msinfo32.exe
2964	msinfo32.exe
4604	msinfo32.exe
4940	msinfo32.exe
1744	msinfo32.exe
3240	msinfo32.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File created	C:\Windows\system32\dll32\msinfo32.exe	discordupdate.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	discordupdate.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	discordupdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
236	PING.EXE
1272	PING.EXE
3136	PING.EXE
2752	PING.EXE
4504	PING.EXE
1992	PING.EXE
2464	PING.EXE
700	PING.EXE
3108	PING.EXE
3032	PING.EXE
2036	PING.EXE
5032	PING.EXE
4072	PING.EXE
1716	PING.EXE
2968	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
4072	PING.EXE
2752	PING.EXE
236	PING.EXE
700	PING.EXE
5032	PING.EXE
1272	PING.EXE
1992	PING.EXE
1716	PING.EXE
3032	PING.EXE
4504	PING.EXE
2036	PING.EXE
2968	PING.EXE
2464	PING.EXE
3108	PING.EXE
3136	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3672	schtasks.exe
4744	schtasks.exe
2116	schtasks.exe
1628	schtasks.exe
2072	schtasks.exe
4416	schtasks.exe
1220	schtasks.exe
2748	schtasks.exe
1888	schtasks.exe
4848	schtasks.exe
3536	schtasks.exe
1560	schtasks.exe
3384	schtasks.exe
4276	schtasks.exe
3884	schtasks.exe
3724	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2808	discordupdate.exe
Token: SeDebugPrivilege	3284	msinfo32.exe
Token: SeDebugPrivilege	1232	msinfo32.exe
Token: SeDebugPrivilege	4436	msinfo32.exe
Token: SeDebugPrivilege	4420	msinfo32.exe
Token: SeDebugPrivilege	4380	msinfo32.exe
Token: SeDebugPrivilege	2140	msinfo32.exe
Token: SeDebugPrivilege	3572	msinfo32.exe
Token: SeDebugPrivilege	1808	msinfo32.exe
Token: SeDebugPrivilege	1308	msinfo32.exe
Token: SeDebugPrivilege	4664	msinfo32.exe
Token: SeDebugPrivilege	2964	msinfo32.exe
Token: SeDebugPrivilege	4604	msinfo32.exe
Token: SeDebugPrivilege	4940	msinfo32.exe
Token: SeDebugPrivilege	1744	msinfo32.exe
Token: SeDebugPrivilege	3240	msinfo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 4276	2808	discordupdate.exe	85
PID 2808 wrote to memory of 4276	2808	discordupdate.exe	85
PID 2808 wrote to memory of 3284	2808	discordupdate.exe	87
PID 2808 wrote to memory of 3284	2808	discordupdate.exe	87
PID 3284 wrote to memory of 3884	3284	msinfo32.exe	88
PID 3284 wrote to memory of 3884	3284	msinfo32.exe	88
PID 3284 wrote to memory of 1188	3284	msinfo32.exe	90
PID 3284 wrote to memory of 1188	3284	msinfo32.exe	90
PID 1188 wrote to memory of 544	1188	cmd.exe	92
PID 1188 wrote to memory of 544	1188	cmd.exe	92
PID 1188 wrote to memory of 236	1188	cmd.exe	93
PID 1188 wrote to memory of 236	1188	cmd.exe	93
PID 1188 wrote to memory of 1232	1188	cmd.exe	102
PID 1188 wrote to memory of 1232	1188	cmd.exe	102
PID 1232 wrote to memory of 1888	1232	msinfo32.exe	106
PID 1232 wrote to memory of 1888	1232	msinfo32.exe	106
PID 1232 wrote to memory of 4244	1232	msinfo32.exe	108
PID 1232 wrote to memory of 4244	1232	msinfo32.exe	108
PID 4244 wrote to memory of 4472	4244	cmd.exe	110
PID 4244 wrote to memory of 4472	4244	cmd.exe	110
PID 4244 wrote to memory of 3032	4244	cmd.exe	111
PID 4244 wrote to memory of 3032	4244	cmd.exe	111
PID 4244 wrote to memory of 4436	4244	cmd.exe	113
PID 4244 wrote to memory of 4436	4244	cmd.exe	113
PID 4436 wrote to memory of 4848	4436	msinfo32.exe	114
PID 4436 wrote to memory of 4848	4436	msinfo32.exe	114
PID 4436 wrote to memory of 4548	4436	msinfo32.exe	117
PID 4436 wrote to memory of 4548	4436	msinfo32.exe	117
PID 4548 wrote to memory of 4540	4548	cmd.exe	119
PID 4548 wrote to memory of 4540	4548	cmd.exe	119
PID 4548 wrote to memory of 2464	4548	cmd.exe	120
PID 4548 wrote to memory of 2464	4548	cmd.exe	120
PID 4548 wrote to memory of 4420	4548	cmd.exe	124
PID 4548 wrote to memory of 4420	4548	cmd.exe	124
PID 4420 wrote to memory of 4744	4420	msinfo32.exe	126
PID 4420 wrote to memory of 4744	4420	msinfo32.exe	126
PID 4420 wrote to memory of 3708	4420	msinfo32.exe	129
PID 4420 wrote to memory of 3708	4420	msinfo32.exe	129
PID 3708 wrote to memory of 2972	3708	cmd.exe	131
PID 3708 wrote to memory of 2972	3708	cmd.exe	131
PID 3708 wrote to memory of 700	3708	cmd.exe	132
PID 3708 wrote to memory of 700	3708	cmd.exe	132
PID 3708 wrote to memory of 4380	3708	cmd.exe	134
PID 3708 wrote to memory of 4380	3708	cmd.exe	134
PID 4380 wrote to memory of 3536	4380	msinfo32.exe	135
PID 4380 wrote to memory of 3536	4380	msinfo32.exe	135
PID 4380 wrote to memory of 4956	4380	msinfo32.exe	138
PID 4380 wrote to memory of 4956	4380	msinfo32.exe	138
PID 4956 wrote to memory of 3448	4956	cmd.exe	140
PID 4956 wrote to memory of 3448	4956	cmd.exe	140
PID 4956 wrote to memory of 4504	4956	cmd.exe	141
PID 4956 wrote to memory of 4504	4956	cmd.exe	141
PID 4956 wrote to memory of 2140	4956	cmd.exe	143
PID 4956 wrote to memory of 2140	4956	cmd.exe	143
PID 2140 wrote to memory of 1560	2140	msinfo32.exe	144
PID 2140 wrote to memory of 1560	2140	msinfo32.exe	144
PID 2140 wrote to memory of 2104	2140	msinfo32.exe	147
PID 2140 wrote to memory of 2104	2140	msinfo32.exe	147
PID 2104 wrote to memory of 4412	2104	cmd.exe	149
PID 2104 wrote to memory of 4412	2104	cmd.exe	149
PID 2104 wrote to memory of 3108	2104	cmd.exe	150
PID 2104 wrote to memory of 3108	2104	cmd.exe	150
PID 2104 wrote to memory of 3572	2104	cmd.exe	153
PID 2104 wrote to memory of 3572	2104	cmd.exe	153

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\discordupdate.exe
"C:\Users\Admin\AppData\Local\Temp\discordupdate.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4276
- C:\Windows\system32\dll32\msinfo32.exe
  "C:\Windows\system32\dll32\msinfo32.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3284
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bNjsa6ZvEtJn.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1188
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:544
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:236
  - - C:\Windows\system32\dll32\msinfo32.exe
      "C:\Windows\system32\dll32\msinfo32.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1232
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1888
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NDyxTi2qS2ru.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4244
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4472
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3032
      - C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MgIDAJeV7f0M.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4540
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2464
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GWgaNAyqMEzd.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2972
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:700
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3536
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4QVqsR7zr0Zr.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3448
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4504
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\e4f3tvVcb2Sp.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4412
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3108
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3572
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gwFUfx6Hbaif.bat" "
        15⤵
        
        PID:4388
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3296
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1272
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\On8vEnmHMols.bat" "
        17⤵
        
        PID:3288
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2316
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2036
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gLnSpZO7YTBF.bat" "
        19⤵
        
        PID:3956
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1920
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5032
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4664
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dvk8Mnls9l2u.bat" "
        21⤵
        
        PID:888
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1104
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1992
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1220
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OOXNfLGLjNS4.bat" "
        23⤵
        
        PID:2612
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2468
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4072
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4604
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2748
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qnGllujyzVa6.bat" "
        25⤵
        
        PID:2044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:4856
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3136
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4940
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vkXSGDFDtk29.bat" "
        27⤵
        
        PID:952
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:4632
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2752
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3672
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5aA26WHlZWjK.bat" "
        29⤵
        
        PID:4744
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1544
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1716
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3240
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3724
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E0jwHnuyLGAr.bat" "
        31⤵
        
        PID:4432
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:628
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\msinfo32.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\4QVqsR7zr0Zr.bat

Filesize
197B

MD5
cbe03f21aea2804db712e02102bfa721

SHA1
792ffbc02377e87507cea8cd54e367a2943df21b

SHA256
a0d039c609894be365b1f3eaa88d0c0a8285d0250d9c0008285b0411ba9025ea

SHA512
c4c963edec1c72c1d21abe489c449d21762da537bbf9bfa369120862d570c5b44b124bf924b4d6b768c92be30f34b32a8a220b296729004008526d29d3d48276

Download Submit
C:\Users\Admin\AppData\Local\Temp\5aA26WHlZWjK.bat

Filesize
197B

MD5
1e4c8bd7feaa9bdf15ca3e3fe59aea96

SHA1
e1ded76888bad766f5b98a7537917671d53ab639

SHA256
971f73bb627d1956258ca63100307c04f45d58f0d0a016cb3274e7a1162b2593

SHA512
0924ef264be598206e5e0c9b19bdb05eaff134d37358c1c9eafcafc9bd2755b6714a21323992617e113de7add8557942452ecff684f1c7a36a21014f8cb4e404

Download Submit
C:\Users\Admin\AppData\Local\Temp\E0jwHnuyLGAr.bat

Filesize
197B

MD5
63f27a4e1253a5f1c31f436d988c1dfe

SHA1
198ff6aa220cc904461728ea8abc950a45b05d07

SHA256
6d2df765add280968fef2fe9f026ec67a1f26b50c0605f7b826e1a16bbd9491d

SHA512
4d35f2f32956c3605971cf8d3972e4b8275f66ffc4024c85f39658b0bf5f1b286388295047f8deebeff17b8d493498a08e975f7c456a77b3083aa0bff44d4ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\GWgaNAyqMEzd.bat

Filesize
197B

MD5
b4c12f820e32347088004beecc2df01c

SHA1
aee6585c2f09165a39c458b1c8a644d7222140fe

SHA256
3bd26018ba50796f70175506666ad129de9d8f40fca4a42e65d25391435f2f9e

SHA512
d1c4b9958bc25a20cd2df13b10867f212939c23f57566e44355158da4c7410f7a4303fda81d3de16bb14d9f61be72cb990e68e33e91b55a192446d0fe6d8b943

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgIDAJeV7f0M.bat

Filesize
197B

MD5
92ddf1c6528638ca05453ed38d006d7d

SHA1
c93c2c16802df796bc83e781a5b8ddbe7e164d5f

SHA256
faf7032ec776d043fd46afb7715446e77c910e2b577cbd22b5bddf67faefb9f7

SHA512
3a1215874146b7c4d83d548a050cf429e29a1cb6cca18eff4bbe0c10e88518eda25f9fb26d26ba09844a9730b710a153f35035959f5ceaea0a2c514c4ddb5d69

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDyxTi2qS2ru.bat

Filesize
197B

MD5
51be86b2015e1c08397ba8c94f2e9678

SHA1
ed289fe0bc4e36ef01b5d3330aa09ed8d4f35ca0

SHA256
474ffe1c306a145f67eb81e7769bb24aebd194d40819acde33ce28b8ea92c71d

SHA512
f8c82c904c10f6625bd6526159b3cf1a9258ab2e922e34093819ca590dd99f60f61dc62a702010004aa45b625ce8a203347610a7dfe7b276e0641e130f720f28

Download Submit
C:\Users\Admin\AppData\Local\Temp\OOXNfLGLjNS4.bat

Filesize
197B

MD5
7dc6028bb602f11a60938921f4c4cec0

SHA1
c6ad96e98904b68995d81aba8ffd3c624d42c6ee

SHA256
3a3b65b2d5b4b60ec884371df1ecd47ce5d0e3cbec7368f9fcb13b81ea298978

SHA512
0b1412ee0055c95981aaf630227ba5619ecf40ba9f44d6d1b828b98818f71c17303853a611e995b6077fcb6cd7956dfa81848ca8c12006d5c3aefef26490250c

Download Submit
C:\Users\Admin\AppData\Local\Temp\On8vEnmHMols.bat

Filesize
197B

MD5
a938dc1b35168a335e91fe3c73a17f24

SHA1
261103152d6c37715f9f4bd7fb6982c51cd06283

SHA256
52c4ec62ad9169bf462c39557764bc90e4545c32cb8db97d3c4597340253ba22

SHA512
8d0c8ce4cc7601d74e6f143c292dd6b457401b907c2da580eaf011889f130c1c582bf7ad21e359f85e98c4780c83fcc3780a83f71a99c4af6f9661d63653a6fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\bNjsa6ZvEtJn.bat

Filesize
197B

MD5
47d4f719f065ee614b78843e3a1b8c86

SHA1
9c44f9207d5e72988ff6825e31db84ee2e5d23df

SHA256
14b8e36389620ec0ed84b605f756571547e7d312ebc63fcde2c95aaeecdf7045

SHA512
50caf44514f93e5e7818112b7107b42e84bd6623160c2aea00098e303536fdcb9fa1fb0535a2e00eb4cf528a5f7935748b2693bd96d4c2deb5a3b9bf895af6c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dvk8Mnls9l2u.bat

Filesize
197B

MD5
a51c4387e683d6b835e8ac2172130a07

SHA1
55046a6c9979bc7673f4821f76f914eeb17c13d3

SHA256
f60a2c927a709cfb0cb5be7bf51134c317417fe3d7431120ae6fa72ced77bd46

SHA512
889900361c610d53265627aa08a44fda32171d085ff2bfe652949d9c49b5fccd3354733d685c9032c4803242ba0a6304a6794467de48f009f5793851a3d104a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4f3tvVcb2Sp.bat

Filesize
197B

MD5
4fc3173c12ef84f45ae813bfe1cfb896

SHA1
b10f2e13b55af6b36f189c45e7b9abfbe3b416eb

SHA256
9a163cb97f0f3cf2f34c2afb070149f49f8a5089760eb45c26d0d041b334f2ad

SHA512
dea8ea61b1d138debacbdb46478a4aaa046cfb61c216f885a6e1b9fd1078f7a5a0eb92e46378eaba599790104107b28e01f9adeebc79bc40d499eab953ac0af9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gLnSpZO7YTBF.bat

Filesize
197B

MD5
d827a199b045497781f16d67c2101775

SHA1
e9a28c38838f53344c3d64713eb1275f39338554

SHA256
fb936ae72f08c6abc21e89935ad6adcebbafda7a02bb212834fa0425aed03bf0

SHA512
c70f3410574a0fe9479544a9fd49edb4fbdd8dea07082e531fed2d5a395c495072a2d8d194f36af2bf98af65d2cdd2ff5b9d7d0cbdc03124e4a74c0fd85c181b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwFUfx6Hbaif.bat

Filesize
197B

MD5
14f5ab8223d731fa938451f7261065a4

SHA1
749a85d6a53cf2b7452642f34083a0858f500114

SHA256
46df9582a01cbef3746ec30c0a272c781dd5fcf2c88d9722e14f3d282a775bf8

SHA512
a708dff899e73106b7ce87feb8754121f5fbd3b2e47c8958448cf2122c3bfd07bf5cd5f7ef9ad01ed23ce75df77466ccc42569b3db59be170b1610bd174f2dd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qnGllujyzVa6.bat

Filesize
197B

MD5
14efed3d858c18852de870e88c0f5370

SHA1
f818de2bc620463045d5e005e5818a00207d0d25

SHA256
cfa091785621d9125d9cf3efbb9e7a56f16f62dbdfb524c0c31045e34821d4f4

SHA512
be9a93d28e321ebd64b7bd655f7aa546f4f6e43c8fc84f5bcf6ce7ed79579d48825a0736e3d3553a64a86851c26c9e4fc20834939de726aa94fddc2808f34613

Download Submit
C:\Users\Admin\AppData\Local\Temp\vkXSGDFDtk29.bat

Filesize
197B

MD5
8b6d8ac336046c420c1414b7c03080c7

SHA1
09367cc8e6bf6eb62a50f680428362d239d689fa

SHA256
cf033b62b3bbf162fe21bcd68fa41d2db60f8048dedc39e75d961264efd9b93a

SHA512
93208491ba440f8d33fbe820bac4133c0f1893a35ac33d5aca7d9b3bac2778ed0dec8268b75ba9cc3877bd839f8fe8dfb43b41dcecdae5100a9c0eff9f9ee9e4

Download Submit
C:\Windows\System32\dll32\msinfo32.exe

Filesize
3.1MB

MD5
25befffc195ce47401f74afbe942f3ff

SHA1
287aacd0350f05308e08c6b4b8b88baf56f56160

SHA256
b67121c19394013d4e3fec0fcb138471e5ee51ebfafb296cc597afc0d256799f

SHA512
a28796538d64edaf7d4ba4d19e705211c779230a58b462793dab86ed5f51408feab998cf78ffe808819b4dc27cbaa981cd107887e0d5c7b0fb0f2bbca630973e

Download Submit
memory/2808-0-0x00007FFB67ED3000-0x00007FFB67ED5000-memory.dmp

Filesize
8KB

Download
memory/2808-9-0x00007FFB67ED0000-0x00007FFB68991000-memory.dmp

Filesize
10.8MB

Download
memory/2808-2-0x00007FFB67ED0000-0x00007FFB68991000-memory.dmp

Filesize
10.8MB

Download
memory/2808-1-0x0000000000D70000-0x0000000001094000-memory.dmp

Filesize
3.1MB

Download
memory/3284-10-0x00007FFB67ED0000-0x00007FFB68991000-memory.dmp

Filesize
10.8MB

Download
memory/3284-11-0x00007FFB67ED0000-0x00007FFB68991000-memory.dmp

Filesize
10.8MB

Download
memory/3284-18-0x00007FFB67ED0000-0x00007FFB68991000-memory.dmp

Filesize
10.8MB

Download
memory/3284-12-0x000000001B720000-0x000000001B770000-memory.dmp

Filesize
320KB

Download
memory/3284-13-0x000000001BF80000-0x000000001C032000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads