quasar | 5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8

Analysis

max time kernel
120s
max time network
112s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe
Size

498KB
MD5

0b289f42527f29b5080b2c27f1b81abc
SHA1

b4609368985d9c37c5b3b1bed3098360a7e2bd52
SHA256

5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8
SHA512

0af17966a2b3291f25dac48600360ae59f3e235162f9c3b5cb676a331089ac52e33e228df0b4471b946d2934cf0d4a880392f7b8690485741b2426474b7289e4
SSDEEP

12288:3bTrOWFYTzFpaioEoKibiDfq1NznYtK++0AY8fV2Ex82HzlGnmtwa4JwaC1rFDZU:rOWFepgio59nMKj0ABV2+Y7J1H

Score

10^/10

quasar discovery spyware trojan

Malware Config

Signatures

Quasar RAT 3 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
	2	ip-api.com	Process not Found
Key opened		\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe
	10	ip-api.com	Process not Found

Quasar family
quasar

Executes dropped EXE 12 IoCs

pid	Process
2616	dllchost.exe
2248	dllchost.exe
2372	dllchost.exe
2008	dllchost.exe
2920	dllchost.exe
2512	dllchost.exe
320	dllchost.exe
1628	dllchost.exe
2564	dllchost.exe
1332	dllchost.exe
1780	dllchost.exe
1688	dllchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1700	5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com
10	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 58 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 11 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
380	PING.EXE
1772	PING.EXE
1060	PING.EXE
3008	PING.EXE
2196	PING.EXE
764	PING.EXE
2860	PING.EXE
484	PING.EXE
2052	PING.EXE
2932	PING.EXE
584	PING.EXE

Runs ping.exe 1 TTPs 11 IoCs

Remote System Discovery

T1018

pid	Process
584	PING.EXE
1060	PING.EXE
2860	PING.EXE
2052	PING.EXE
2932	PING.EXE
1772	PING.EXE
3008	PING.EXE
2196	PING.EXE
764	PING.EXE
484	PING.EXE
380	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2816	schtasks.exe
2764	schtasks.exe
1628	schtasks.exe
2296	schtasks.exe
840	schtasks.exe
2688	schtasks.exe
2008	schtasks.exe
1780	schtasks.exe
468	schtasks.exe
2280	schtasks.exe
2116	schtasks.exe
560	schtasks.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	1700	5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe
Token: SeDebugPrivilege	2616	dllchost.exe
Token: SeDebugPrivilege	2248	dllchost.exe
Token: SeDebugPrivilege	2372	dllchost.exe
Token: SeDebugPrivilege	2008	dllchost.exe
Token: SeDebugPrivilege	2920	dllchost.exe
Token: SeDebugPrivilege	320	dllchost.exe
Token: SeDebugPrivilege	1628	dllchost.exe
Token: SeDebugPrivilege	2564	dllchost.exe
Token: SeDebugPrivilege	1332	dllchost.exe
Token: SeDebugPrivilege	1780	dllchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2816	1700	5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe	31
PID 1700 wrote to memory of 2816	1700	5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe	31
PID 1700 wrote to memory of 2816	1700	5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe	31
PID 1700 wrote to memory of 2816	1700	5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe	31
PID 1700 wrote to memory of 2616	1700	5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe	33
PID 1700 wrote to memory of 2616	1700	5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe	33
PID 1700 wrote to memory of 2616	1700	5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe	33
PID 1700 wrote to memory of 2616	1700	5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe	33
PID 2616 wrote to memory of 2764	2616	dllchost.exe	34
PID 2616 wrote to memory of 2764	2616	dllchost.exe	34
PID 2616 wrote to memory of 2764	2616	dllchost.exe	34
PID 2616 wrote to memory of 2764	2616	dllchost.exe	34
PID 2616 wrote to memory of 484	2616	dllchost.exe	36
PID 2616 wrote to memory of 484	2616	dllchost.exe	36
PID 2616 wrote to memory of 484	2616	dllchost.exe	36
PID 2616 wrote to memory of 484	2616	dllchost.exe	36
PID 484 wrote to memory of 1608	484	cmd.exe	38
PID 484 wrote to memory of 1608	484	cmd.exe	38
PID 484 wrote to memory of 1608	484	cmd.exe	38
PID 484 wrote to memory of 1608	484	cmd.exe	38
PID 484 wrote to memory of 584	484	cmd.exe	39
PID 484 wrote to memory of 584	484	cmd.exe	39
PID 484 wrote to memory of 584	484	cmd.exe	39
PID 484 wrote to memory of 584	484	cmd.exe	39
PID 484 wrote to memory of 2248	484	cmd.exe	40
PID 484 wrote to memory of 2248	484	cmd.exe	40
PID 484 wrote to memory of 2248	484	cmd.exe	40
PID 484 wrote to memory of 2248	484	cmd.exe	40
PID 2248 wrote to memory of 1628	2248	dllchost.exe	41
PID 2248 wrote to memory of 1628	2248	dllchost.exe	41
PID 2248 wrote to memory of 1628	2248	dllchost.exe	41
PID 2248 wrote to memory of 1628	2248	dllchost.exe	41
PID 2248 wrote to memory of 1956	2248	dllchost.exe	43
PID 2248 wrote to memory of 1956	2248	dllchost.exe	43
PID 2248 wrote to memory of 1956	2248	dllchost.exe	43
PID 2248 wrote to memory of 1956	2248	dllchost.exe	43
PID 1956 wrote to memory of 2924	1956	cmd.exe	45
PID 1956 wrote to memory of 2924	1956	cmd.exe	45
PID 1956 wrote to memory of 2924	1956	cmd.exe	45
PID 1956 wrote to memory of 2924	1956	cmd.exe	45
PID 1956 wrote to memory of 3008	1956	cmd.exe	46
PID 1956 wrote to memory of 3008	1956	cmd.exe	46
PID 1956 wrote to memory of 3008	1956	cmd.exe	46
PID 1956 wrote to memory of 3008	1956	cmd.exe	46
PID 1956 wrote to memory of 2372	1956	cmd.exe	47
PID 1956 wrote to memory of 2372	1956	cmd.exe	47
PID 1956 wrote to memory of 2372	1956	cmd.exe	47
PID 1956 wrote to memory of 2372	1956	cmd.exe	47
PID 2372 wrote to memory of 2296	2372	dllchost.exe	48
PID 2372 wrote to memory of 2296	2372	dllchost.exe	48
PID 2372 wrote to memory of 2296	2372	dllchost.exe	48
PID 2372 wrote to memory of 2296	2372	dllchost.exe	48
PID 2372 wrote to memory of 2956	2372	dllchost.exe	50
PID 2372 wrote to memory of 2956	2372	dllchost.exe	50
PID 2372 wrote to memory of 2956	2372	dllchost.exe	50
PID 2372 wrote to memory of 2956	2372	dllchost.exe	50
PID 2956 wrote to memory of 632	2956	cmd.exe	52
PID 2956 wrote to memory of 632	2956	cmd.exe	52
PID 2956 wrote to memory of 632	2956	cmd.exe	52
PID 2956 wrote to memory of 632	2956	cmd.exe	52
PID 2956 wrote to memory of 2196	2956	cmd.exe	53
PID 2956 wrote to memory of 2196	2956	cmd.exe	53
PID 2956 wrote to memory of 2196	2956	cmd.exe	53
PID 2956 wrote to memory of 2196	2956	cmd.exe	53

C:\Users\Admin\AppData\Local\Temp\5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe
"C:\Users\Admin\AppData\Local\Temp\5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe"
1⤵
- Quasar RAT
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe" /rl HIGHEST /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2816
- C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
  "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2764
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\bGnH7rg5PoRe.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:484
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:1608
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:584
  - - C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
      "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2248
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1628
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\2dWVhFiXbrJA.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1956
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3008
      - C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cX02cJhhXTSO.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:632
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2196
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        9⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PXAAXTZPIWRo.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1060
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        11⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XnbJYHOfcW4K.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:764
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        13⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ayyJ8Tf09hFR.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2860
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        15⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MWD3vIKFWn6R.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1264
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:484
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        17⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\F65FHbJ7tVLG.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2052
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        19⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\6ksEkMTQCJXl.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:380
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1332
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        21⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KxBLRSIY82uU.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:1060
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1772
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        23⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\D588fQ4x7n0t.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:1276
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2932
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2dWVhFiXbrJA.bat

Filesize
211B

MD5
67ae240a8366a02016818b1a4c9a17f2

SHA1
048da251f2c9cb046aa3596d3558baf98a278e0c

SHA256
f70db3edbb2db67fd621086a75b61fb06918c29212042a49ca7b7c3eefc68452

SHA512
6303326881b827e0ec5b6741c0c5ffb8dfcd18859f9afaa09198e52c53faf92c5cfc5c7c38a3efb70b6826223c1eacea6b9e7aa27ff15e490e0c90294d9269a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ksEkMTQCJXl.bat

Filesize
211B

MD5
18d535b28d0c9864bbb03d6b0b050884

SHA1
b638cfa7c260c78d329b9644c77048dd5c1c8afe

SHA256
509008aac215cb9034124016f35e09703fcdc681f60bf04a4dec77fdb7b4c04d

SHA512
7b91c04460aaa8d2ecfdd319e3f48c33cee955ea7fd94cb73a17819c0f9605eb8b16ded0d1b285a679f7a784423ea5fc846098e4dcfbf05097a5bac245d32301

Download Submit
C:\Users\Admin\AppData\Local\Temp\D588fQ4x7n0t.bat

Filesize
211B

MD5
7374d264659d48638690af314f0b9625

SHA1
fd0fa7129f673f073cdf7d0fb09e0eb082119022

SHA256
608364bdfe716a4b2b73d7a1246a31a1c636d1152b94983adc8ade9c40676001

SHA512
600b589a5f99ca4d139f4d4c847edbdc1250aed714040cd1c51d213984f21a477750cc2a229da60adc439b6a81630327c630350e51620aecd96fe4f880e2b857

Download Submit
C:\Users\Admin\AppData\Local\Temp\F65FHbJ7tVLG.bat

Filesize
211B

MD5
5f9e2425cc6915b18f5c50084bdc6fa4

SHA1
559a3040e5c7f37534099a9e0ed86ac8d721bbdf

SHA256
f00fea582913095fc572b7d82f9b4ce789b80e9042c543d699fc180c0327ae16

SHA512
fc1daa909e58b42ae7847acd64cecf0d5ac0555b39676d662f898ed4544d58453b02179162d3f7a03eaac79f18b47bdb5de725e9025877d8606545751b801cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KxBLRSIY82uU.bat

Filesize
211B

MD5
dfaaa8dfdf2f5503b6b2a38c17bc2fed

SHA1
d3ede7efeba8b206f10e85e4f467cef779c98aea

SHA256
25bcc769e0e5e1522b222bade11b93825e2d5fc1e7e82433937723bf6f91142e

SHA512
3748571e46cb95ff1a6464484ee48a4e7bd39fc654649f465c33f4d2777efaf75a6dd71f575adabde003c0f5d2201f7ed72bb6d2ad6fa633b3b9e9e8ccb21d0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MWD3vIKFWn6R.bat

Filesize
211B

MD5
0b76b55f0792a01ec1ef6357b0cb23ed

SHA1
8f913365015f83d4543b876c91bc8b4d669ec4b5

SHA256
5fc1831f97185634310f97afb00680689b00b257e4d3a4a0295897c9f61ad38f

SHA512
1e9ddf5e601329b1c51211ac505d913afc5a90b680e751ec9c55d07186e6ba09d075b0ea9a1f8073bd8d48f40a4eff325086a4533cd5afd17cb4155d08650ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\PXAAXTZPIWRo.bat

Filesize
211B

MD5
98f4d64de9db1b518cb870127ed7cbf1

SHA1
adc3b0279274296e39bcf4a2be5b8ad0803f86ad

SHA256
86105884642b4f57733f2dbb689375887c86bbb099b48060bfc876dab261201a

SHA512
be7b40a85f548cf52db1b0d9c7987eb926e7e822e1a8df2a7781527963d107ece27daf3c547ad4181a9c7f10349e179bca64605f385a31646a0a4d74a9128ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XnbJYHOfcW4K.bat

Filesize
211B

MD5
b9df7961259f7eaa03b9b44a3acd4f9b

SHA1
411fa4daf2aa61378e264855c664dab7ea45846a

SHA256
33add34b99ff5a2e8b5db5a5e9bbedb8db6a396d7e015c209941927e31e2a63f

SHA512
0d5c26ae7a6ed646c22ac5b8ada40a65bb68451026af6b116e0f20c1e6edb2c182c47740f37122f6732fb47e772a88bf6d3c20c1fc801d09c58069334278ba0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bGnH7rg5PoRe.bat

Filesize
211B

MD5
52653136672815df7b2194fc2dff6496

SHA1
7f3d161dcba72e4be304f24c116ee694f0c36a9f

SHA256
e1e8408dc814343eb6e75c53ada91ba95d49eece074d1900e9bf40c35655eca7

SHA512
cd86b8d2b1a4ebb4a7c93d9076ee080877645284048de91b806baec4db65b351a512b7efbe48aba5ca07c6395c787f9181e5ceb1237e4b6bd54debf301fb3f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cX02cJhhXTSO.bat

Filesize
211B

MD5
e0c265a9d711988b1ccfed6dd7806aff

SHA1
1ce08c99cd48d686357bd5561325d6494b9ffc82

SHA256
ce1338c1839a0fbc3d9f4a01cbecc99870ea3b8321e305068618a3a129efe758

SHA512
e69448fc18ae0896464f2641a51cc6211b004473c2a04c61265276ba2c78d38cc1a682f6cf79dd84ae728af9da07f26256a121d20355f92a557320d716e7c000

Download Submit
\Users\Admin\AppData\Roaming\dllchost\dllchost.exe

Filesize
498KB

MD5
0b289f42527f29b5080b2c27f1b81abc

SHA1
b4609368985d9c37c5b3b1bed3098360a7e2bd52

SHA256
5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8

SHA512
0af17966a2b3291f25dac48600360ae59f3e235162f9c3b5cb676a331089ac52e33e228df0b4471b946d2934cf0d4a880392f7b8690485741b2426474b7289e4

Download Submit
memory/320-74-0x0000000000EB0000-0x0000000000F32000-memory.dmp

Filesize
520KB

Download
memory/1332-107-0x00000000013E0000-0x0000000001462000-memory.dmp

Filesize
520KB

Download
memory/1628-85-0x0000000000170000-0x00000000001F2000-memory.dmp

Filesize
520KB

Download
memory/1688-129-0x00000000013E0000-0x0000000001462000-memory.dmp

Filesize
520KB

Download
memory/1700-13-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/1700-4-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/1700-0-0x000000007441E000-0x000000007441F000-memory.dmp

Filesize
4KB

Download
memory/1700-3-0x00000000008B0000-0x00000000008B6000-memory.dmp

Filesize
24KB

Download
memory/1700-2-0x0000000004650000-0x000000000472C000-memory.dmp

Filesize
880KB

Download
memory/1700-1-0x00000000000F0000-0x0000000000172000-memory.dmp

Filesize
520KB

Download
memory/1780-118-0x00000000013E0000-0x0000000001462000-memory.dmp

Filesize
520KB

Download
memory/2008-48-0x0000000000B40000-0x0000000000BC2000-memory.dmp

Filesize
520KB

Download
memory/2248-26-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2372-37-0x00000000002B0000-0x0000000000332000-memory.dmp

Filesize
520KB

Download
memory/2512-72-0x0000000073110000-0x00000000737FE000-memory.dmp

Filesize
6.9MB

Download
memory/2564-96-0x0000000001050000-0x00000000010D2000-memory.dmp

Filesize
520KB

Download
memory/2616-24-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/2616-14-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/2616-12-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/2616-11-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/2920-59-0x00000000003C0000-0x0000000000442000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads