quasar | cdf9cce1b044f8b50b423e61c390ba52b73e1eb274dfce1c2691772570bd601e

Analysis

max time kernel
117s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 21:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cdf9cce1b044f8b50b423e61c390ba52b73e1eb274dfce1c2691772570bd601eN.exe
Size

498KB
MD5

415ec6480b4bf02f81f5e9ea21febf30
SHA1

23d1ddacf0f510156075604b30059fde9934410b
SHA256

cdf9cce1b044f8b50b423e61c390ba52b73e1eb274dfce1c2691772570bd601e
SHA512

c7742a551b96f4aebd372c27dcaeab885eff590c4b2d3273d4c89675f8776a66219a1261f25520e008f15ba3f9b1c3085931efc91f41338fae2e09a51cf7c48a
SSDEEP

12288:3bTrOWFYTzFpaioEoKibiDfq1NznYtK++0AY8fV2Ex82HzlGnmtwa4JwaC1rFDZM:rOWFepgio59nMKj0ABV2+Y7J1

Score

10^/10

quasar discovery spyware trojan

Malware Config

Signatures

Quasar RAT 3 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
Key opened		\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdf9cce1b044f8b50b423e61c390ba52b73e1eb274dfce1c2691772570bd601eN.exe
	9	ip-api.com	Process not Found
	47	ip-api.com	Process not Found

Quasar family
quasar

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	dllchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	dllchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	dllchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	dllchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	dllchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	dllchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	dllchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	dllchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	dllchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	dllchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	dllchost.exe

Executes dropped EXE 11 IoCs

pid	Process
4712	dllchost.exe
4032	dllchost.exe
4696	dllchost.exe
4768	dllchost.exe
2616	dllchost.exe
3744	dllchost.exe
4364	dllchost.exe
2088	dllchost.exe
2296	dllchost.exe
3736	dllchost.exe
3000	dllchost.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ip-api.com
47	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 57 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdf9cce1b044f8b50b423e61c390ba52b73e1eb274dfce1c2691772570bd601eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 11 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3568	PING.EXE
4460	PING.EXE
4088	PING.EXE
5036	PING.EXE
4284	PING.EXE
2552	PING.EXE
2036	PING.EXE
4836	PING.EXE
4416	PING.EXE
4576	PING.EXE
2188	PING.EXE

Runs ping.exe 1 TTPs 11 IoCs

Remote System Discovery

T1018

pid	Process
4836	PING.EXE
4576	PING.EXE
4088	PING.EXE
4284	PING.EXE
2552	PING.EXE
2036	PING.EXE
4416	PING.EXE
3568	PING.EXE
4460	PING.EXE
2188	PING.EXE
5036	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4304	schtasks.exe
1100	schtasks.exe
2924	schtasks.exe
3044	schtasks.exe
64	schtasks.exe
4460	schtasks.exe
1912	schtasks.exe
2056	schtasks.exe
116	schtasks.exe
548	schtasks.exe
2792	schtasks.exe
116	schtasks.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	cdf9cce1b044f8b50b423e61c390ba52b73e1eb274dfce1c2691772570bd601eN.exe
Token: SeDebugPrivilege	4712	dllchost.exe
Token: SeDebugPrivilege	4032	dllchost.exe
Token: SeDebugPrivilege	4696	dllchost.exe
Token: SeDebugPrivilege	4768	dllchost.exe
Token: SeDebugPrivilege	2616	dllchost.exe
Token: SeDebugPrivilege	3744	dllchost.exe
Token: SeDebugPrivilege	4364	dllchost.exe
Token: SeDebugPrivilege	2088	dllchost.exe
Token: SeDebugPrivilege	2296	dllchost.exe
Token: SeDebugPrivilege	3736	dllchost.exe
Token: SeDebugPrivilege	3000	dllchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2924	2684	cdf9cce1b044f8b50b423e61c390ba52b73e1eb274dfce1c2691772570bd601eN.exe	84
PID 2684 wrote to memory of 2924	2684	cdf9cce1b044f8b50b423e61c390ba52b73e1eb274dfce1c2691772570bd601eN.exe	84
PID 2684 wrote to memory of 2924	2684	cdf9cce1b044f8b50b423e61c390ba52b73e1eb274dfce1c2691772570bd601eN.exe	84
PID 2684 wrote to memory of 4712	2684	cdf9cce1b044f8b50b423e61c390ba52b73e1eb274dfce1c2691772570bd601eN.exe	86
PID 2684 wrote to memory of 4712	2684	cdf9cce1b044f8b50b423e61c390ba52b73e1eb274dfce1c2691772570bd601eN.exe	86
PID 2684 wrote to memory of 4712	2684	cdf9cce1b044f8b50b423e61c390ba52b73e1eb274dfce1c2691772570bd601eN.exe	86
PID 4712 wrote to memory of 116	4712	dllchost.exe	88
PID 4712 wrote to memory of 116	4712	dllchost.exe	88
PID 4712 wrote to memory of 116	4712	dllchost.exe	88
PID 4712 wrote to memory of 4576	4712	dllchost.exe	90
PID 4712 wrote to memory of 4576	4712	dllchost.exe	90
PID 4712 wrote to memory of 4576	4712	dllchost.exe	90
PID 4576 wrote to memory of 3268	4576	cmd.exe	92
PID 4576 wrote to memory of 3268	4576	cmd.exe	92
PID 4576 wrote to memory of 3268	4576	cmd.exe	92
PID 4576 wrote to memory of 4088	4576	cmd.exe	93
PID 4576 wrote to memory of 4088	4576	cmd.exe	93
PID 4576 wrote to memory of 4088	4576	cmd.exe	93
PID 4576 wrote to memory of 4032	4576	cmd.exe	102
PID 4576 wrote to memory of 4032	4576	cmd.exe	102
PID 4576 wrote to memory of 4032	4576	cmd.exe	102
PID 4032 wrote to memory of 548	4032	dllchost.exe	107
PID 4032 wrote to memory of 548	4032	dllchost.exe	107
PID 4032 wrote to memory of 548	4032	dllchost.exe	107
PID 4032 wrote to memory of 1776	4032	dllchost.exe	109
PID 4032 wrote to memory of 1776	4032	dllchost.exe	109
PID 4032 wrote to memory of 1776	4032	dllchost.exe	109
PID 1776 wrote to memory of 2916	1776	cmd.exe	111
PID 1776 wrote to memory of 2916	1776	cmd.exe	111
PID 1776 wrote to memory of 2916	1776	cmd.exe	111
PID 1776 wrote to memory of 2188	1776	cmd.exe	112
PID 1776 wrote to memory of 2188	1776	cmd.exe	112
PID 1776 wrote to memory of 2188	1776	cmd.exe	112
PID 1776 wrote to memory of 4696	1776	cmd.exe	114
PID 1776 wrote to memory of 4696	1776	cmd.exe	114
PID 1776 wrote to memory of 4696	1776	cmd.exe	114
PID 4696 wrote to memory of 2792	4696	dllchost.exe	118
PID 4696 wrote to memory of 2792	4696	dllchost.exe	118
PID 4696 wrote to memory of 2792	4696	dllchost.exe	118
PID 4696 wrote to memory of 3420	4696	dllchost.exe	120
PID 4696 wrote to memory of 3420	4696	dllchost.exe	120
PID 4696 wrote to memory of 3420	4696	dllchost.exe	120
PID 3420 wrote to memory of 1436	3420	cmd.exe	122
PID 3420 wrote to memory of 1436	3420	cmd.exe	122
PID 3420 wrote to memory of 1436	3420	cmd.exe	122
PID 3420 wrote to memory of 5036	3420	cmd.exe	123
PID 3420 wrote to memory of 5036	3420	cmd.exe	123
PID 3420 wrote to memory of 5036	3420	cmd.exe	123
PID 3420 wrote to memory of 4768	3420	cmd.exe	126
PID 3420 wrote to memory of 4768	3420	cmd.exe	126
PID 3420 wrote to memory of 4768	3420	cmd.exe	126
PID 4768 wrote to memory of 116	4768	dllchost.exe	128
PID 4768 wrote to memory of 116	4768	dllchost.exe	128
PID 4768 wrote to memory of 116	4768	dllchost.exe	128
PID 4768 wrote to memory of 2152	4768	dllchost.exe	130
PID 4768 wrote to memory of 2152	4768	dllchost.exe	130
PID 4768 wrote to memory of 2152	4768	dllchost.exe	130
PID 2152 wrote to memory of 4648	2152	cmd.exe	132
PID 2152 wrote to memory of 4648	2152	cmd.exe	132
PID 2152 wrote to memory of 4648	2152	cmd.exe	132
PID 2152 wrote to memory of 4284	2152	cmd.exe	133
PID 2152 wrote to memory of 4284	2152	cmd.exe	133
PID 2152 wrote to memory of 4284	2152	cmd.exe	133
PID 2152 wrote to memory of 2616	2152	cmd.exe	135

C:\Users\Admin\AppData\Local\Temp\cdf9cce1b044f8b50b423e61c390ba52b73e1eb274dfce1c2691772570bd601eN.exe
"C:\Users\Admin\AppData\Local\Temp\cdf9cce1b044f8b50b423e61c390ba52b73e1eb274dfce1c2691772570bd601eN.exe"
1⤵
- Quasar RAT
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\cdf9cce1b044f8b50b423e61c390ba52b73e1eb274dfce1c2691772570bd601eN.exe" /rl HIGHEST /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2924
- C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
  "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4712
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ICcLK0dBX7yw.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4576
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:3268
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4088
  - - C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
      "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4032
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:548
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZRpV2y9pFlXr.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1776
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2188
      - C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dgw1WNlvDqOX.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5036
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        9⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NJcdezYmbu7I.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4648
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4284
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        11⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5rYjtPzra5BU.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:384
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2552
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3744
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        13⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NH5MF6pHnUYw.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4044
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:3292
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2036
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4364
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        15⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hegEVLUF6nwj.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:3348
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4836
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        17⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KgflCpAwsCP6.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:4112
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4416
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        19⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BlN9mvXjZwl0.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:5052
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4576
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3736
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        21⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ooLhTPDQKMFN.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:812
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3568
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        23⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\498pwth47rwG.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:3264
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dllchost.exe.log

Filesize
1KB

MD5
08853d2d986873ab78ccdc20d8aafb86

SHA1
437890ccf0d09513fd35c10780b50382293b0bd5

SHA256
e08b584695edef8556e0dbf2866466a3c428030d859eefd70e4ed45c88965002

SHA512
ad29cfe7b739474697e33cdc74d3f098321f519a8a6aea61252a9bc73b4002c4e2c4a2851259a8c2a0c7b2b59cb154b05e81822acc5937538981c56d7c8c3931

Download Submit
C:\Users\Admin\AppData\Local\Temp\498pwth47rwG.bat

Filesize
211B

MD5
28f60dbf32532e1069e3126155cafb2e

SHA1
f6d803b042eab9a05e3b9bc1f2436d9de7397a78

SHA256
73f5a9e02b3ca097bbbeec3a1039f3cc35e0a13ed382e51eebe043e0fac83191

SHA512
e4179eb2a670d26f066156a2cb8b03335091e26179c39225864423918c2761ec891a0b52d399a0ced580b0a0281197434b7b77b295098707a5b10d71148689bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\5rYjtPzra5BU.bat

Filesize
211B

MD5
cf0cb00e0dd912b83bcab7dbad35e1d8

SHA1
6b8a2002208cffa7b25ef767264a510b30f9b3d2

SHA256
fe9329e0373c3d2940c71792c55eaf851241f59dbc5f340c7640c20468b92bcf

SHA512
469662b4fd76e8676a8d21668dfbfd3bdc9357d5457f18153369fb71f670ece5b792257f41c74b37ee8672d0bc69cf61731ff96d76948c5200609de672cd5fe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\BlN9mvXjZwl0.bat

Filesize
211B

MD5
753c616df5530b3f427e6f64a780ae02

SHA1
566cb97a1b4ba25239e5826349e5009b89d6e04c

SHA256
81f4a33b4edb0ce80e6ac8fe31c140e65716798746fe3b19669894722cb52015

SHA512
f23577c48fb716d88b31748d78ae68d17de6f7d767dcb8dfdf920446ff7a9ed3c3384c64188c8f50be85847a4a6a27df812d6917e7eb068bce1436a13f3a57e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICcLK0dBX7yw.bat

Filesize
211B

MD5
4df7c1591bdfdd53088360f4cd23679f

SHA1
f62bd002f4eaae5e6c29528ba61eb01b5bfa3668

SHA256
1b01b13e7a1de5eaba96fe29fdfcf3ff8529dd83eb49eeb24ff32873ad23578f

SHA512
d5ce198366d1c3201b9dfae0a49c7bede41c709ccadc4a72c79c26ac404c8910b8c82e44b29208a8f1902f54cf52f957db858fdb560ffe78478162685264576f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgflCpAwsCP6.bat

Filesize
211B

MD5
44a318f84463d992a98bba74bb01ef07

SHA1
eadacb9cb1ffb2fc45a91e97a2829decca15fc18

SHA256
7fa942d5e7d21b0a602a278af6c65079195a5d0f714f133906521e1ac0829f48

SHA512
3bd2d8d1e4200e5968d0a0cacbee77f359c6eaaced802261e6a9b28fca4a5613828b68e30f1e943982b57bf2fc9e5856033076a3e92aea53cf9fb24ee4cd9fe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\NH5MF6pHnUYw.bat

Filesize
211B

MD5
45edae790f51095ccfb1c997f8296d00

SHA1
80cf5945553b0ff3c36347183725bcb1d73d30f4

SHA256
722b7343d1667469cca7448be2cc16199adb666ea93da93afc714df52c57cfc1

SHA512
999ad9a3e472f6250b2d6b8022b7c794e820ca8810a85b0bdd3e8276a88571d4495e8820d770639816a3783075de31ada0836e33c8091f6388447d646ebfcc33

Download Submit
C:\Users\Admin\AppData\Local\Temp\NJcdezYmbu7I.bat

Filesize
211B

MD5
93d0ed700be330f4253f30a62f0e6c4f

SHA1
a52856d163525cf16aacd42348e36d9f01e32907

SHA256
add0049c67f2095b0504202d292635f4114094cac41dda95f7fa3afa1f648c5f

SHA512
260a09866994c5209791eddeb001ee81eee0d1311364757464b5ebd756d70a1cc52ac6d5328716f2c591f2de38fa4c0c715be6cc6131bcf5c55fe33f98eca06a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZRpV2y9pFlXr.bat

Filesize
211B

MD5
d2903bcc8dcdaccbc907d2e93feb87c1

SHA1
3f6edd148b671870267a2a6e12c05ca004527f7c

SHA256
e04d33793accb24ebed257f2ed36d31fc4d71b128818ca3e673a56e933fa009d

SHA512
9f8b749dcd1a8a2cd1ddd4ac8c4ce2ea37d9a6399c0f894d78570f402db04bbf1937f0b290fadbf79cb7ca10cdb8683c4f20f51aa6fe3b0d024580febf937289

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgw1WNlvDqOX.bat

Filesize
211B

MD5
c96f6466342ced51e56b334d61a0739a

SHA1
7e6a97af4f8c0c79fe905ba426cbe3594bbab5b0

SHA256
ae8d3331f380e22a55c48c9352356955983599e9366d4e2c3d925a5c43815a8f

SHA512
b9ab9088b5ae51b53615714c624559647d84fee362bfbc3600e553e3eaba1c6e7dfb2c32eab11047c4b9b0a1a8db2b8a2d99fdddd25f5b54bdc6d5609c676581

Download Submit
C:\Users\Admin\AppData\Local\Temp\hegEVLUF6nwj.bat

Filesize
211B

MD5
95a73dc5169409ab558ead3ff01c31b9

SHA1
db6c2a556c56b37bffece0ee84e0c4177ab3fc5b

SHA256
07e226319ce035ed70e60256b705c1b81729ded976e1d3f9cd7a61921dac6291

SHA512
27b86acd48f4f390b0f89a214aa906ea5abcdcaeb661d885959525faa637d9a178569c3ed036a0fb0f7459c2bac1219a355da7dd68a0f1837f9e9cb73370c055

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooLhTPDQKMFN.bat

Filesize
211B

MD5
12afdefb365661390fe8f029948d74a7

SHA1
fb39769e2097898c4f06b7151c4468c6ec60104f

SHA256
c34c9e5c1537ade5e86975bed04d13882a8cfdd9ffa79f27fc16612634c04bea

SHA512
bfdd5fefca0bcbdac9df2502c76e733fae7eac05e5a0bfe03be578bc8fb5e6635cdcc141d47c807e49a4c3696681697c2c722576070e4706c741afadf88b26f9

Download Submit
C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe

Filesize
498KB

MD5
415ec6480b4bf02f81f5e9ea21febf30

SHA1
23d1ddacf0f510156075604b30059fde9934410b

SHA256
cdf9cce1b044f8b50b423e61c390ba52b73e1eb274dfce1c2691772570bd601e

SHA512
c7742a551b96f4aebd372c27dcaeab885eff590c4b2d3273d4c89675f8776a66219a1261f25520e008f15ba3f9b1c3085931efc91f41338fae2e09a51cf7c48a

Download Submit
memory/2684-6-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/2684-7-0x0000000008070000-0x00000000080D6000-memory.dmp

Filesize
408KB

Download
memory/2684-1-0x0000000000D00000-0x0000000000D82000-memory.dmp

Filesize
520KB

Download
memory/2684-2-0x0000000007BD0000-0x0000000007CAC000-memory.dmp

Filesize
880KB

Download
memory/2684-16-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/2684-9-0x0000000009360000-0x000000000939C000-memory.dmp

Filesize
240KB

Download
memory/2684-8-0x0000000008F20000-0x0000000008F32000-memory.dmp

Filesize
72KB

Download
memory/2684-3-0x0000000008260000-0x0000000008804000-memory.dmp

Filesize
5.6MB

Download
memory/2684-0-0x0000000074A6E000-0x0000000074A6F000-memory.dmp

Filesize
4KB

Download
memory/2684-5-0x0000000007D30000-0x0000000007D36000-memory.dmp

Filesize
24KB

Download
memory/2684-4-0x0000000007D50000-0x0000000007DE2000-memory.dmp

Filesize
584KB

Download
memory/4712-22-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/4712-15-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/4712-17-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads