quasar | 5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8

Analysis

max time kernel
111s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe
Size

498KB
MD5

0b289f42527f29b5080b2c27f1b81abc
SHA1

b4609368985d9c37c5b3b1bed3098360a7e2bd52
SHA256

5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8
SHA512

0af17966a2b3291f25dac48600360ae59f3e235162f9c3b5cb676a331089ac52e33e228df0b4471b946d2934cf0d4a880392f7b8690485741b2426474b7289e4
SSDEEP

12288:3bTrOWFYTzFpaioEoKibiDfq1NznYtK++0AY8fV2Ex82HzlGnmtwa4JwaC1rFDZU:rOWFepgio59nMKj0ABV2+Y7J1H

Score

10^/10

quasar discovery spyware trojan

Malware Config

Signatures

Quasar RAT 3 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
Key opened		\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe
	7	ip-api.com	Process not Found
	47	ip-api.com	Process not Found

Quasar family
quasar

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllchost.exe

Executes dropped EXE 11 IoCs

pid	Process
3176	dllchost.exe
544	dllchost.exe
628	dllchost.exe
3408	dllchost.exe
1712	dllchost.exe
912	dllchost.exe
4176	dllchost.exe
3356	dllchost.exe
1972	dllchost.exe
2872	dllchost.exe
32	dllchost.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com
47	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 57 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 11 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4240	PING.EXE
3156	PING.EXE
2668	PING.EXE
2180	PING.EXE
1576	PING.EXE
4592	PING.EXE
2552	PING.EXE
4716	PING.EXE
1552	PING.EXE
4824	PING.EXE
2764	PING.EXE

Runs ping.exe 1 TTPs 11 IoCs

Remote System Discovery

T1018

pid	Process
1576	PING.EXE
4240	PING.EXE
4824	PING.EXE
3156	PING.EXE
4592	PING.EXE
2668	PING.EXE
2764	PING.EXE
2552	PING.EXE
4716	PING.EXE
1552	PING.EXE
2180	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3992	schtasks.exe
912	schtasks.exe
5068	schtasks.exe
1152	schtasks.exe
2556	schtasks.exe
5096	schtasks.exe
3652	schtasks.exe
2488	schtasks.exe
2924	schtasks.exe
4168	schtasks.exe
3948	schtasks.exe
2408	schtasks.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	4216	5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe
Token: SeDebugPrivilege	3176	dllchost.exe
Token: SeDebugPrivilege	544	dllchost.exe
Token: SeDebugPrivilege	628	dllchost.exe
Token: SeDebugPrivilege	3408	dllchost.exe
Token: SeDebugPrivilege	1712	dllchost.exe
Token: SeDebugPrivilege	912	dllchost.exe
Token: SeDebugPrivilege	4176	dllchost.exe
Token: SeDebugPrivilege	3356	dllchost.exe
Token: SeDebugPrivilege	1972	dllchost.exe
Token: SeDebugPrivilege	2872	dllchost.exe
Token: SeDebugPrivilege	32	dllchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4216 wrote to memory of 2488	4216	5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe	83
PID 4216 wrote to memory of 2488	4216	5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe	83
PID 4216 wrote to memory of 2488	4216	5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe	83
PID 4216 wrote to memory of 3176	4216	5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe	85
PID 4216 wrote to memory of 3176	4216	5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe	85
PID 4216 wrote to memory of 3176	4216	5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe	85
PID 3176 wrote to memory of 912	3176	dllchost.exe	86
PID 3176 wrote to memory of 912	3176	dllchost.exe	86
PID 3176 wrote to memory of 912	3176	dllchost.exe	86
PID 3176 wrote to memory of 2668	3176	dllchost.exe	88
PID 3176 wrote to memory of 2668	3176	dllchost.exe	88
PID 3176 wrote to memory of 2668	3176	dllchost.exe	88
PID 2668 wrote to memory of 2748	2668	cmd.exe	90
PID 2668 wrote to memory of 2748	2668	cmd.exe	90
PID 2668 wrote to memory of 2748	2668	cmd.exe	90
PID 2668 wrote to memory of 1576	2668	cmd.exe	91
PID 2668 wrote to memory of 1576	2668	cmd.exe	91
PID 2668 wrote to memory of 1576	2668	cmd.exe	91
PID 2668 wrote to memory of 544	2668	cmd.exe	92
PID 2668 wrote to memory of 544	2668	cmd.exe	92
PID 2668 wrote to memory of 544	2668	cmd.exe	92
PID 544 wrote to memory of 2924	544	dllchost.exe	93
PID 544 wrote to memory of 2924	544	dllchost.exe	93
PID 544 wrote to memory of 2924	544	dllchost.exe	93
PID 544 wrote to memory of 836	544	dllchost.exe	95
PID 544 wrote to memory of 836	544	dllchost.exe	95
PID 544 wrote to memory of 836	544	dllchost.exe	95
PID 836 wrote to memory of 1324	836	cmd.exe	97
PID 836 wrote to memory of 1324	836	cmd.exe	97
PID 836 wrote to memory of 1324	836	cmd.exe	97
PID 836 wrote to memory of 4592	836	cmd.exe	98
PID 836 wrote to memory of 4592	836	cmd.exe	98
PID 836 wrote to memory of 4592	836	cmd.exe	98
PID 836 wrote to memory of 628	836	cmd.exe	105
PID 836 wrote to memory of 628	836	cmd.exe	105
PID 836 wrote to memory of 628	836	cmd.exe	105
PID 628 wrote to memory of 4168	628	dllchost.exe	106
PID 628 wrote to memory of 4168	628	dllchost.exe	106
PID 628 wrote to memory of 4168	628	dllchost.exe	106
PID 628 wrote to memory of 1608	628	dllchost.exe	108
PID 628 wrote to memory of 1608	628	dllchost.exe	108
PID 628 wrote to memory of 1608	628	dllchost.exe	108
PID 1608 wrote to memory of 760	1608	cmd.exe	110
PID 1608 wrote to memory of 760	1608	cmd.exe	110
PID 1608 wrote to memory of 760	1608	cmd.exe	110
PID 1608 wrote to memory of 4240	1608	cmd.exe	111
PID 1608 wrote to memory of 4240	1608	cmd.exe	111
PID 1608 wrote to memory of 4240	1608	cmd.exe	111
PID 1608 wrote to memory of 3408	1608	cmd.exe	114
PID 1608 wrote to memory of 3408	1608	cmd.exe	114
PID 1608 wrote to memory of 3408	1608	cmd.exe	114
PID 3408 wrote to memory of 3948	3408	dllchost.exe	115
PID 3408 wrote to memory of 3948	3408	dllchost.exe	115
PID 3408 wrote to memory of 3948	3408	dllchost.exe	115
PID 3408 wrote to memory of 4736	3408	dllchost.exe	117
PID 3408 wrote to memory of 4736	3408	dllchost.exe	117
PID 3408 wrote to memory of 4736	3408	dllchost.exe	117
PID 4736 wrote to memory of 4352	4736	cmd.exe	119
PID 4736 wrote to memory of 4352	4736	cmd.exe	119
PID 4736 wrote to memory of 4352	4736	cmd.exe	119
PID 4736 wrote to memory of 4824	4736	cmd.exe	120
PID 4736 wrote to memory of 4824	4736	cmd.exe	120
PID 4736 wrote to memory of 4824	4736	cmd.exe	120
PID 4736 wrote to memory of 1712	4736	cmd.exe	121

C:\Users\Admin\AppData\Local\Temp\5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe
"C:\Users\Admin\AppData\Local\Temp\5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe"
1⤵
- Quasar RAT
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe" /rl HIGHEST /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2488
- C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
  "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H8spSnHQ7DJN.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:2748
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1576
  - - C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
      "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:544
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2924
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SxhPML0ghxPR.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:836
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1324
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4592
      - C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQyscfYDphdQ.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:760
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4240
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        9⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CCsgQl62VLmp.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4824
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        11⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgwtTqosAthi.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1128
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3156
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        13⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qv4PwEQz7yYO.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4520
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:4748
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2668
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4176
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        15⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AIfGCT5xQHwB.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:5056
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:4592
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2764
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3356
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        17⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vrP6EdgMuGhH.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:3460
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2552
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        19⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YuOev7M3gfBe.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:4300
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4716
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        21⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KT8TxHxRAewj.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:1476
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:3940
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1552
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:32
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        23⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\I9YvzXSOV3X2.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dllchost.exe.log

Filesize
1KB

MD5
08853d2d986873ab78ccdc20d8aafb86

SHA1
437890ccf0d09513fd35c10780b50382293b0bd5

SHA256
e08b584695edef8556e0dbf2866466a3c428030d859eefd70e4ed45c88965002

SHA512
ad29cfe7b739474697e33cdc74d3f098321f519a8a6aea61252a9bc73b4002c4e2c4a2851259a8c2a0c7b2b59cb154b05e81822acc5937538981c56d7c8c3931

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIfGCT5xQHwB.bat

Filesize
211B

MD5
8703a4709448a5bc888a4b54786f0e5e

SHA1
9b88fd2554cab098cfa4f1323b695c7761687cdd

SHA256
2dc2b9bce033df44f9723eb04cdaf3179d2b4fbc329a1956f6a5b6cd8646a2e9

SHA512
502cb77e1f5aea07099e68272b9f74ebaf05a33370bd1c373482f420ffa521bc0d5f90618b5d575e8270eb9e8dbb59fdc20f47ff7c70d7601b2df2adea58aed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCsgQl62VLmp.bat

Filesize
211B

MD5
a68e8c7983bafc5ae962cc6070a32bca

SHA1
40805442b6d499d7e7122bfc3eb331da7bad791c

SHA256
86c3e6c18526519c779db45d58b24a4a670418ffd391d8e00b5241141b92d875

SHA512
2621261a6c564407dee5fea3730109491b72062801cf37545bb39596e3bee10667f3c4958d117786c78784e52fcd3140960a514ec5bbcce8175f71a6c2d678bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\H8spSnHQ7DJN.bat

Filesize
211B

MD5
92cfaf4ddf7603eb3e919460289439ef

SHA1
73b570107bbba17dfcc936b5a22684cf17b6865e

SHA256
2b388c80f0fd534b19492971fe699168bd54278a9bccc31b5a73e716c3dfd9c2

SHA512
5595659b0e1a2846357bcf7a7f780ce0aba7f12755e009d6efdc1ded2dc47dda0240b1b3c82304b9c673f684a727fcbb8ca6e59b7ad14e2360328a99668a0194

Download Submit
C:\Users\Admin\AppData\Local\Temp\I9YvzXSOV3X2.bat

Filesize
211B

MD5
bfb748376c6fb4353878c0284b66b992

SHA1
06289804cf01726b319999982bf8b0b0c366992b

SHA256
08e47088b1408de4c20c056f6da5bad67e49368d37722d13953717a63c3f5690

SHA512
cc9fba9e10df80f5b38783e676924913040e40731a89c2762a9fe889b7acb3fa5c822db78382bc2deb61d5bace5118c7adaba2536a9555af88614be1a4bf8f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KT8TxHxRAewj.bat

Filesize
211B

MD5
9ed54f36dcd3a5bc7ad857972eb4910a

SHA1
5668f7341320681232cd2f698433a45693813f79

SHA256
d528b54d1facdeda9eec3ebb1f11fa7d2befacdc0d62fe4aed540de52ddd011b

SHA512
59ee986a1d08351ec17047305178a2d1bcc11e03d5a43767f4415435db6c840ceb429a2414114884d0630ed62bfb2d4057c40fa839a29660da3f182a762c8102

Download Submit
C:\Users\Admin\AppData\Local\Temp\SxhPML0ghxPR.bat

Filesize
211B

MD5
ca56cdda63bc5ec3fca9d3e6ce3c1cd4

SHA1
25e14098fefd8fb961636499f8d56b318829c280

SHA256
517c26c1171622e7880c5d3ab65d69050a5fca3bdce405b9a004b049728b82a3

SHA512
6e3c861ac6acac329f2bdc9d34b8de7496dc8f6e438ac8434906dea3d7d252b197e723d144739babd832fa5924ea2fd7cf93ebb455b3e57f0a18b80e11ff8695

Download Submit
C:\Users\Admin\AppData\Local\Temp\YuOev7M3gfBe.bat

Filesize
211B

MD5
f08c8023499ded2c1f5744408f7f0da2

SHA1
0ee20a2206b23b27cce8dd62bcc04717e52cedf6

SHA256
ef5be967ca60f42b9d02bcb4a9b6191e01095dd0d5a8d6b12b36552b6fe3fbba

SHA512
ccb7d41835a004fb381d94ef37a22c18a24c02c8d5a8c850a3fec21460228096d907771231fb2a56fe93992b8b5ed787865062d10dac3ab21ff1de9d36437808

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgwtTqosAthi.bat

Filesize
211B

MD5
d4061a78eb0fcbedfc775c080069a503

SHA1
2ff6ceba2affe572eeddb48b82a78ad204160127

SHA256
96016dc5717e3646ef1ca573dca53af45ed5664d01dc69c1ecea886dea768843

SHA512
27a5c71b9e257bd3e0fc1f1d43495abde2c2f73b715f2a537e31d00d472ebd4dca0627b38cd029cd0347ba52a5a81cfe35274f927789b130b4f3caf897eb9f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\qv4PwEQz7yYO.bat

Filesize
211B

MD5
a68e6aeb99f5b5e3780d30aaacc46910

SHA1
65d98810e67bccaee9bbe75bf5b84c93fe05a252

SHA256
68b6192bba66365fac2492ac809e93ce79f0b98f262c89f3d84a42ff3cd0e1f2

SHA512
082ed3fa893eba238bd4d51524db9a50ed20a85829442638a4fb992e8cf0c95f95bf1b84185e2602df95b70cda8f9b9606a484876a2d46a6dbe0e4f2c321bf75

Download Submit
C:\Users\Admin\AppData\Local\Temp\vrP6EdgMuGhH.bat

Filesize
211B

MD5
b9309f00c01550b249bdb702f03d2f54

SHA1
70f8c95117642e98c5eb7e027e693559d92178c5

SHA256
09b20be1b597f7fd0fe54327e81cc6c3d1c43868512a091e72b23d2dda2e84ba

SHA512
a11737322dfb68cb74ca33419bc1dfb094d742bbd6b4aaf9d58a3d9704cfcacedb63aff100de72b2c2b5e59eca4afe66d92d811a54fffd34d3ebf142d2c6f4c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQyscfYDphdQ.bat

Filesize
211B

MD5
9be03504a481ec2ded58d119deee4890

SHA1
5aee1ea5d5bd1be31b1f5b1fe06391a47599eb48

SHA256
9c1bd765daf2fe8a2449bca29895d3f6bf0e34e75cfaec26166e79890854570e

SHA512
3899ed34ba7969dfc9d2785735c62be10c7663b9ca6f22ca9fd4d05da104a5f596f14edcc389445c1acc7d417db6d3617b9a6ad2982781237f6aab3493113a96

Download Submit
C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe

Filesize
498KB

MD5
0b289f42527f29b5080b2c27f1b81abc

SHA1
b4609368985d9c37c5b3b1bed3098360a7e2bd52

SHA256
5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8

SHA512
0af17966a2b3291f25dac48600360ae59f3e235162f9c3b5cb676a331089ac52e33e228df0b4471b946d2934cf0d4a880392f7b8690485741b2426474b7289e4

Download Submit
memory/3176-16-0x0000000074DF0000-0x00000000755A0000-memory.dmp

Filesize
7.7MB

Download
memory/3176-17-0x0000000074DF0000-0x00000000755A0000-memory.dmp

Filesize
7.7MB

Download
memory/3176-22-0x0000000074DF0000-0x00000000755A0000-memory.dmp

Filesize
7.7MB

Download
memory/4216-6-0x0000000074DF0000-0x00000000755A0000-memory.dmp

Filesize
7.7MB

Download
memory/4216-15-0x0000000074DF0000-0x00000000755A0000-memory.dmp

Filesize
7.7MB

Download
memory/4216-9-0x0000000006380000-0x00000000063BC000-memory.dmp

Filesize
240KB

Download
memory/4216-8-0x0000000005E40000-0x0000000005E52000-memory.dmp

Filesize
72KB

Download
memory/4216-7-0x00000000057B0000-0x0000000005816000-memory.dmp

Filesize
408KB

Download
memory/4216-0-0x0000000074DFE000-0x0000000074DFF000-memory.dmp

Filesize
4KB

Download
memory/4216-5-0x0000000005520000-0x0000000005526000-memory.dmp

Filesize
24KB

Download
memory/4216-4-0x0000000007B10000-0x0000000007BA2000-memory.dmp

Filesize
584KB

Download
memory/4216-3-0x0000000008020000-0x00000000085C4000-memory.dmp

Filesize
5.6MB

Download
memory/4216-2-0x0000000007990000-0x0000000007A6C000-memory.dmp

Filesize
880KB

Download
memory/4216-1-0x00000000009F0000-0x0000000000A72000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads