quasar | cdf9cce1b044f8b50b423e61c390ba52b73e1eb274dfce1c2691772570bd601e

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 21:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cdf9cce1b044f8b50b423e61c390ba52b73e1eb274dfce1c2691772570bd601eN.exe
Size

498KB
MD5

415ec6480b4bf02f81f5e9ea21febf30
SHA1

23d1ddacf0f510156075604b30059fde9934410b
SHA256

cdf9cce1b044f8b50b423e61c390ba52b73e1eb274dfce1c2691772570bd601e
SHA512

c7742a551b96f4aebd372c27dcaeab885eff590c4b2d3273d4c89675f8776a66219a1261f25520e008f15ba3f9b1c3085931efc91f41338fae2e09a51cf7c48a
SSDEEP

12288:3bTrOWFYTzFpaioEoKibiDfq1NznYtK++0AY8fV2Ex82HzlGnmtwa4JwaC1rFDZM:rOWFepgio59nMKj0ABV2+Y7J1

Score

10^/10

quasar discovery spyware trojan

Malware Config

Signatures

Quasar RAT 4 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
	2	ip-api.com	Process not Found
	8	api.ipify.org	Process not Found
	13	ip-api.com	Process not Found
Key opened		\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdf9cce1b044f8b50b423e61c390ba52b73e1eb274dfce1c2691772570bd601eN.exe

Quasar family
quasar

Executes dropped EXE 11 IoCs

pid	Process
2744	dllchost.exe
2096	dllchost.exe
2100	dllchost.exe
2064	dllchost.exe
2880	dllchost.exe
1712	dllchost.exe
2856	dllchost.exe
2296	dllchost.exe
2976	dllchost.exe
1616	dllchost.exe
2092	dllchost.exe

Loads dropped DLL 1 IoCs

pid	Process
2128	cdf9cce1b044f8b50b423e61c390ba52b73e1eb274dfce1c2691772570bd601eN.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	api.ipify.org
13	ip-api.com
2	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 57 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdf9cce1b044f8b50b423e61c390ba52b73e1eb274dfce1c2691772570bd601eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 11 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2924	PING.EXE
2468	PING.EXE
1896	PING.EXE
1704	PING.EXE
2768	PING.EXE
1480	PING.EXE
1124	PING.EXE
2592	PING.EXE
2876	PING.EXE
2400	PING.EXE
840	PING.EXE

Runs ping.exe 1 TTPs 11 IoCs

Remote System Discovery

T1018

pid	Process
2876	PING.EXE
2768	PING.EXE
1480	PING.EXE
2924	PING.EXE
2468	PING.EXE
1896	PING.EXE
840	PING.EXE
1124	PING.EXE
2592	PING.EXE
1704	PING.EXE
2400	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1072	schtasks.exe
2036	schtasks.exe
2292	schtasks.exe
2596	schtasks.exe
2960	schtasks.exe
2216	schtasks.exe
2424	schtasks.exe
1872	schtasks.exe
2852	schtasks.exe
2784	schtasks.exe
1984	schtasks.exe
3048	schtasks.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2128	cdf9cce1b044f8b50b423e61c390ba52b73e1eb274dfce1c2691772570bd601eN.exe
Token: SeDebugPrivilege	2744	dllchost.exe
Token: SeDebugPrivilege	2096	dllchost.exe
Token: SeDebugPrivilege	2100	dllchost.exe
Token: SeDebugPrivilege	2064	dllchost.exe
Token: SeDebugPrivilege	2880	dllchost.exe
Token: SeDebugPrivilege	1712	dllchost.exe
Token: SeDebugPrivilege	2856	dllchost.exe
Token: SeDebugPrivilege	2296	dllchost.exe
Token: SeDebugPrivilege	2976	dllchost.exe
Token: SeDebugPrivilege	1616	dllchost.exe
Token: SeDebugPrivilege	2092	dllchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2852	2128	cdf9cce1b044f8b50b423e61c390ba52b73e1eb274dfce1c2691772570bd601eN.exe	30
PID 2128 wrote to memory of 2852	2128	cdf9cce1b044f8b50b423e61c390ba52b73e1eb274dfce1c2691772570bd601eN.exe	30
PID 2128 wrote to memory of 2852	2128	cdf9cce1b044f8b50b423e61c390ba52b73e1eb274dfce1c2691772570bd601eN.exe	30
PID 2128 wrote to memory of 2852	2128	cdf9cce1b044f8b50b423e61c390ba52b73e1eb274dfce1c2691772570bd601eN.exe	30
PID 2128 wrote to memory of 2744	2128	cdf9cce1b044f8b50b423e61c390ba52b73e1eb274dfce1c2691772570bd601eN.exe	32
PID 2128 wrote to memory of 2744	2128	cdf9cce1b044f8b50b423e61c390ba52b73e1eb274dfce1c2691772570bd601eN.exe	32
PID 2128 wrote to memory of 2744	2128	cdf9cce1b044f8b50b423e61c390ba52b73e1eb274dfce1c2691772570bd601eN.exe	32
PID 2128 wrote to memory of 2744	2128	cdf9cce1b044f8b50b423e61c390ba52b73e1eb274dfce1c2691772570bd601eN.exe	32
PID 2744 wrote to memory of 2784	2744	dllchost.exe	33
PID 2744 wrote to memory of 2784	2744	dllchost.exe	33
PID 2744 wrote to memory of 2784	2744	dllchost.exe	33
PID 2744 wrote to memory of 2784	2744	dllchost.exe	33
PID 2744 wrote to memory of 2276	2744	dllchost.exe	35
PID 2744 wrote to memory of 2276	2744	dllchost.exe	35
PID 2744 wrote to memory of 2276	2744	dllchost.exe	35
PID 2744 wrote to memory of 2276	2744	dllchost.exe	35
PID 2276 wrote to memory of 2052	2276	cmd.exe	37
PID 2276 wrote to memory of 2052	2276	cmd.exe	37
PID 2276 wrote to memory of 2052	2276	cmd.exe	37
PID 2276 wrote to memory of 2052	2276	cmd.exe	37
PID 2276 wrote to memory of 1124	2276	cmd.exe	38
PID 2276 wrote to memory of 1124	2276	cmd.exe	38
PID 2276 wrote to memory of 1124	2276	cmd.exe	38
PID 2276 wrote to memory of 1124	2276	cmd.exe	38
PID 2276 wrote to memory of 2096	2276	cmd.exe	39
PID 2276 wrote to memory of 2096	2276	cmd.exe	39
PID 2276 wrote to memory of 2096	2276	cmd.exe	39
PID 2276 wrote to memory of 2096	2276	cmd.exe	39
PID 2096 wrote to memory of 1072	2096	dllchost.exe	40
PID 2096 wrote to memory of 1072	2096	dllchost.exe	40
PID 2096 wrote to memory of 1072	2096	dllchost.exe	40
PID 2096 wrote to memory of 1072	2096	dllchost.exe	40
PID 2096 wrote to memory of 1740	2096	dllchost.exe	42
PID 2096 wrote to memory of 1740	2096	dllchost.exe	42
PID 2096 wrote to memory of 1740	2096	dllchost.exe	42
PID 2096 wrote to memory of 1740	2096	dllchost.exe	42
PID 1740 wrote to memory of 2912	1740	cmd.exe	44
PID 1740 wrote to memory of 2912	1740	cmd.exe	44
PID 1740 wrote to memory of 2912	1740	cmd.exe	44
PID 1740 wrote to memory of 2912	1740	cmd.exe	44
PID 1740 wrote to memory of 2924	1740	cmd.exe	45
PID 1740 wrote to memory of 2924	1740	cmd.exe	45
PID 1740 wrote to memory of 2924	1740	cmd.exe	45
PID 1740 wrote to memory of 2924	1740	cmd.exe	45
PID 1740 wrote to memory of 2100	1740	cmd.exe	46
PID 1740 wrote to memory of 2100	1740	cmd.exe	46
PID 1740 wrote to memory of 2100	1740	cmd.exe	46
PID 1740 wrote to memory of 2100	1740	cmd.exe	46
PID 2100 wrote to memory of 2036	2100	dllchost.exe	47
PID 2100 wrote to memory of 2036	2100	dllchost.exe	47
PID 2100 wrote to memory of 2036	2100	dllchost.exe	47
PID 2100 wrote to memory of 2036	2100	dllchost.exe	47
PID 2100 wrote to memory of 2372	2100	dllchost.exe	49
PID 2100 wrote to memory of 2372	2100	dllchost.exe	49
PID 2100 wrote to memory of 2372	2100	dllchost.exe	49
PID 2100 wrote to memory of 2372	2100	dllchost.exe	49
PID 2372 wrote to memory of 2164	2372	cmd.exe	51
PID 2372 wrote to memory of 2164	2372	cmd.exe	51
PID 2372 wrote to memory of 2164	2372	cmd.exe	51
PID 2372 wrote to memory of 2164	2372	cmd.exe	51
PID 2372 wrote to memory of 2468	2372	cmd.exe	52
PID 2372 wrote to memory of 2468	2372	cmd.exe	52
PID 2372 wrote to memory of 2468	2372	cmd.exe	52
PID 2372 wrote to memory of 2468	2372	cmd.exe	52

C:\Users\Admin\AppData\Local\Temp\cdf9cce1b044f8b50b423e61c390ba52b73e1eb274dfce1c2691772570bd601eN.exe
"C:\Users\Admin\AppData\Local\Temp\cdf9cce1b044f8b50b423e61c390ba52b73e1eb274dfce1c2691772570bd601eN.exe"
1⤵
- Quasar RAT
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\cdf9cce1b044f8b50b423e61c390ba52b73e1eb274dfce1c2691772570bd601eN.exe" /rl HIGHEST /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2852
- C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
  "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2784
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\cgk01N0WRV4o.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:2052
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1124
  - - C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
      "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2096
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1072
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ytuc6ESClLd9.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1740
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2912
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2924
      - C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\3qWBL0SU4F39.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2468
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        9⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XAIepwKUNCxz.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1896
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        11⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\freCy4ME69iu.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1104
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:864
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:840
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        13⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\m4qwL1nt98bv.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2592
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        15⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AsfqH0sUEKux.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1340
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2876
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        17⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tJveYlnMsWLt.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1704
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        19⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Vk45UNJldyI7.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:1888
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:1416
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2768
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        21⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Omrhz2V6PdfM.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1480
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        23⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\s6d9TxN6iaZC.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:1848
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3qWBL0SU4F39.bat

Filesize
211B

MD5
c80f8af7d20b628adc4a24f268b5af5b

SHA1
764a5a4a2aeefa3cdcdd323af5aa44b00a48cdb5

SHA256
63d7baf89519acb1082eca532abdaa0336bc7fd30ed84e111c11f059505ff794

SHA512
a3bc1737c7b87640bece85ccdc1b92aedec6e8aeacdfa75629c77a6dfdfdb35b915da60598bd199fc676926b37ca9a895977baf1b2d6777afa784c030c5ab781

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsfqH0sUEKux.bat

Filesize
211B

MD5
a418c0689a4555af61846383acc4d87e

SHA1
40c1a10d1329a03255572899f68fff0da8ddeee5

SHA256
e06c1ed67f6e9093fd2456b788b44d8d8fe038d00a64639a55c98f799bc1721e

SHA512
91237b2ca21d2474e1974478422f920f47ed2703bc5c85d89f5f64300811cec715ea9e70c3506d2223a427f18cd73609ef849bfbc477315812b7caeb43bdbfd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Omrhz2V6PdfM.bat

Filesize
211B

MD5
b65373df8c62ce62910e7a1090ffe67a

SHA1
74da1540cd5ba59095dce12f53cdcc74df63f5fa

SHA256
c968677946fa274a8eb2c6b4efa5ad2772803ce444ba8f31f80ca929cf551889

SHA512
13a0887e81c04fcb7102d3f7a23b9d02da12d076dc9b1ea5e76422c47204fa2e20f39fbd13aebceb0c9316b1f111dcb395558eebfcd5984b9f26412c16f3bd70

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vk45UNJldyI7.bat

Filesize
211B

MD5
9dad6bb820e43f8d016684c555ae8d86

SHA1
3c1246bf0c480af88ffc10a7c5d9493e13203590

SHA256
965993cb7c796086d4b2eb33ec2213c372f8c43eff304265970a991c4daca159

SHA512
70186d076bb9d42301f8e56338dae81678f0522e8d68c0b0e76adde5d1558b2a5a1ebdf540ccb525c22d2eff139938c2ab9bbc549198b4bc023e0d290df44964

Download Submit
C:\Users\Admin\AppData\Local\Temp\XAIepwKUNCxz.bat

Filesize
211B

MD5
d5777cf7e5bc74665c2b70890ff0135d

SHA1
5e07c53cbaf8bc81b947947428eb63fb6bd858e9

SHA256
06d6a930d742d356eacd8f506ac69137912b8fc1d504f329476aa93b16265cf8

SHA512
0f9d7b4200e248b540a8ad91eac446c59350c71d7d5b5df3ba98e596e329a67b0b8d178040da51ce8abdbb485925d40883dd3f3dd1a7c97902aa03dc2199e087

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ytuc6ESClLd9.bat

Filesize
211B

MD5
cf13fc950953859bc1c07d770b62d2b9

SHA1
21667973d1e491fe3f1d257cbbf87bb9a7447b6a

SHA256
d48d1b03df17980b48b66bd631797f544344dd11edb58adecdd15bddec4b4cb1

SHA512
da32bbb95a2e5655913578fa7062ca618b0e77cd09cc4151e32412284a744e0d9eef82ce5f2d6d7f0dd30209fef939e9ad9c00604e1d63cc5fc9721f585f700f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgk01N0WRV4o.bat

Filesize
211B

MD5
1e40e58b88280f8b5cde9a4a4ea215d5

SHA1
41fdc30a13f6f9a01738c43318e679431d162e3b

SHA256
c205e94bfae4ad2572f35f51a161cdfcb2ac63d0bcaf72eff2780297d17f2fee

SHA512
ca10a70f8dc90a7cdace9f8ad3efafdaf9567dbe401f42b522b70f67efaa1e8b5e15736b20bf656275617b8b2b9e39a7e6f4e54b56465ca6e3700cc381970201

Download Submit
C:\Users\Admin\AppData\Local\Temp\freCy4ME69iu.bat

Filesize
211B

MD5
562e34f91c4a60389ec36fcdd8e38d47

SHA1
829f7dd33a89e3cfcf2bbdcbe1e453a3b7698c1e

SHA256
69c64b34fa1bee220867ff14071da74412addf5c96f06ab4bad662aa75881b83

SHA512
5f3b7af4002688ce00da468b4c1223ea1019786df1438ec61b169419f22f2068431d89df239f28af3a6af3a24fe78df855e9f1973eeaa862ac9e7be5fd2000d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\m4qwL1nt98bv.bat

Filesize
211B

MD5
aae76b890f28480c8f00845386de2360

SHA1
63d25e2b6e79223b7d58c0da77ef3cb391bc660e

SHA256
9674aa6efae00042c732f3bddfe74fd3e05c52e31fadd8168b5c5a177c08f945

SHA512
76b7eaf111aeeed7d9e3ba0bbe0573b63e4f4673c121404570720312f504291e27f795cee3ebff1202e054f58f86002f80f247ade6baf778723bb6148f1c4d6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\s6d9TxN6iaZC.bat

Filesize
211B

MD5
8e66ea53eed1a558278940a5af187be2

SHA1
bab798f68300e3300dc57b80bd3f3b6cf787f5b9

SHA256
5911ac6e6a75ef76bc2ec8e533c7bfe297922b86e5882b71cd730bbebeea896c

SHA512
87b7be8b1ce9d3c0fad11da92a0f43c0d4e804fa0aa3b563e07775d8ca647dbc70699c8ce3cca7fc65ddd9b70b562b3ebabfea8265213a3d930f5864b12015f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tJveYlnMsWLt.bat

Filesize
211B

MD5
b090d6134a3e73697e4b33537fc394b1

SHA1
697519c549390c2d9f52872b488ffcf7f95d2334

SHA256
34300f6ac459e75b7ede484dffa7afd7384aecc57725e05d0e8a2eb1ae629acc

SHA512
add0be04be032552931543266c4d55d548f27eb1da54399943410c783f8fb164ec5d79d9b0731c00d2d7245115836741aadc398295231fb9bf141bf5874439e9

Download Submit
\Users\Admin\AppData\Roaming\dllchost\dllchost.exe

Filesize
498KB

MD5
415ec6480b4bf02f81f5e9ea21febf30

SHA1
23d1ddacf0f510156075604b30059fde9934410b

SHA256
cdf9cce1b044f8b50b423e61c390ba52b73e1eb274dfce1c2691772570bd601e

SHA512
c7742a551b96f4aebd372c27dcaeab885eff590c4b2d3273d4c89675f8776a66219a1261f25520e008f15ba3f9b1c3085931efc91f41338fae2e09a51cf7c48a

Download Submit
memory/1712-70-0x00000000012D0000-0x0000000001352000-memory.dmp

Filesize
520KB

Download
memory/2064-48-0x0000000000030000-0x00000000000B2000-memory.dmp

Filesize
520KB

Download
memory/2096-26-0x0000000000EC0000-0x0000000000F42000-memory.dmp

Filesize
520KB

Download
memory/2100-37-0x00000000010B0000-0x0000000001132000-memory.dmp

Filesize
520KB

Download
memory/2128-1-0x0000000001320000-0x00000000013A2000-memory.dmp

Filesize
520KB

Download
memory/2128-2-0x0000000001200000-0x00000000012DC000-memory.dmp

Filesize
880KB

Download
memory/2128-0-0x00000000747AE000-0x00000000747AF000-memory.dmp

Filesize
4KB

Download
memory/2128-13-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2128-3-0x00000000003A0000-0x00000000003A6000-memory.dmp

Filesize
24KB

Download
memory/2128-4-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2296-92-0x00000000012D0000-0x0000000001352000-memory.dmp

Filesize
520KB

Download
memory/2744-14-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2744-12-0x0000000000010000-0x0000000000092000-memory.dmp

Filesize
520KB

Download
memory/2744-11-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2744-24-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2856-81-0x00000000012D0000-0x0000000001352000-memory.dmp

Filesize
520KB

Download
memory/2880-59-0x00000000012C0000-0x0000000001342000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads