qakbot | 46be6fc385ff5dbeb439bf46ec27f868034f499a49524120a7692a1170469c91

General

Target

qjnndpxjfqujk.dll
Size

489KB
MD5

2c7fe65874005a9f4d3e455ad1a8547b
SHA1

e5c78ee1be97d61ea6acff4e3d433577b2fab96c
SHA256

46be6fc385ff5dbeb439bf46ec27f868034f499a49524120a7692a1170469c91
SHA512

ac8b0cc51c9f54401de36c3101c245d678c85c3d04f2356bf7403f3fc511a356d11f66df6fd76d9f7f5e73a7c95c1f1e13298a7cd07383c2fed675d611970207

Score

10^/10

qakbot notset 1632476965 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.343

Botnet

notset

Campaign

1632476965

C2

136.232.34.70:443

216.201.162.158:443

92.59.35.196:2222

105.198.236.99:443

185.250.148.74:443

73.77.87.137:443

196.218.227.241:995

103.148.120.144:443

120.150.218.241:995

47.22.148.6:443

140.82.49.12:443

71.74.12.34:443

27.223.92.142:995

76.25.142.196:443

95.77.223.148:443

75.188.35.168:443

96.37.113.36:993

173.21.10.71:2222

45.46.53.140:2222

73.151.236.31:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

1364 regsvr32.exe
1888 regsvr32.exe

pid	process
1364	regsvr32.exe
1888	regsvr32.exe

Drops file in System32 directory 6 IoCs

Processes:

explorer.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	explorer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	explorer.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\t4[1]	explorer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	explorer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	explorer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	explorer.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

960 schtasks.exe

pid	process
960	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadDecision = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-63-5e-29-41-08\WpadDecisionTime = 30c41f94bfb4d701	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Kazucwzuov\a611e967 = 13e0486bcba3562131c4d00dc1e4666428aaff90f569ad48c9bb1961927e1916e5e21db48b56fcc91393de0147f8d81d48c24a6b9534ba77c07987e0589bb0db	explorer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Kazucwzuov\d9588691 = 9d4914f16b5598290d146dbd0012da7a2d8c4b88f081b60be8515edcb16e971021b4df88c9c4abe0431e178f5e04a3089bb9a2d5fdfa8e634f30b8a56b0759a98323c5aa85e67c9d461a0d5119c4aa19d8f3ed6e8d096b7b9d08	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadDecisionTime = 50b36da1beb4d701	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-63-5e-29-41-08\WpadDecisionTime = 50d19302bfb4d701	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Kazucwzuov\ee8676a3 = f237b39662c302258c9479cb0455025ba27f3e5b	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000000a000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a07001a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-63-5e-29-41-08\WpadDecisionTime = 101f4732bfb4d701	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Kazucwzuov\547b31ba = 7189c1ec69f93c73dbc856c40ed4870a5086d6ce0aa33dc55b25	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	explorer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadNetworkName = "Network"	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadDecisionTime = 90065842beb4d701	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Kazucwzuov	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000008000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a07001a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-63-5e-29-41-08\WpadDecisionTime = 903528eabcb4d701	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-63-5e-29-41-08\WpadDecisionTime = f0f51b11beb4d701	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-63-5e-29-41-08\WpadDecisionTime = 50b36da1beb4d701	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadDecisionTime = 30c41f94bfb4d701	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000000d000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a07001a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Kazucwzuov\d9588691 = 9d4914f16b5598290d146dbd0012da7a2c8f4281f081b60be8515edcb16e971020b1d78fc9c4abe0431e178f5e04a3089bb9a2d5fdfa8e634f30b8a56b0759a98323c5aa85e67c9d461a0d5119c4aa19d8f3ed6e8d096b7b9d08	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadDecisionTime = b043b6d0bfb4d701	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	explorer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-63-5e-29-41-08\WpadDetectedUrl	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Kazucwzuov\938e3929 = 3d9cc9329fb5dfd6a73eaf212f7863e3a00fe3e5f2f5281982ddfeed6f923b3eb18611a3e1e95146c4e982fbec40ebff9d39b82155d0c2181abc82390fb903fbba7ae3751907eb724acdad9cea	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Kazucwzuov\d9588691 = 9d491df16b5598290d146cf7001bd07c27894c83be8abb00e05f5aeaaa2e56af4e8fb99a41c27c0c8ed2768c20734d42eb28cec82bad5609e1c3f483cde830ae8fb9006306671af03d18e135f7b83f21af	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Kazucwzuov\d9588691 = 9d4914f16b5598290d146dbd0012da7a2c8f4281f081b60be8515edcb16e971020bfd681c9c4abe0431e178f5e04a3089bb9a2d5fdfa8e634f30b8a56b0759a98323c5aa85e67c9d461a0d5119c4aa19d8f3ed6e8d096b7b9d08	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadDecisionTime = f0f51b11beb4d701	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadDecisionTime = b005dd70beb4d701	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000005000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a07001a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-63-5e-29-41-08\WpadDecisionTime = b005dd70beb4d701	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadDecisionTime = 50d19302bfb4d701	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadDecisionTime = 30d6c563bfb4d701	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000000b000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a07001a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Kazucwzuov\ecc756df = a9751f7780cacd2b990d2504d7aa40946dd9a6355b5e93445f248a50fc9c096d658d00bfca7316ea911c63b0d3ace5d1a0c6e079f7b5aaad2b70c0c5b0817f2e4db8ba5c3267e3a819f8ff3ef0273ffe91a341eada18eeca93ba5494c39a6d6f6a193348065a28cd764bb8a4eb742d1fcb9a6181e70acde45d90c54c0edfa8321adb8bd816da1e21b7717c320defb7a856e5d33a6dea01d1ff0ce4aaecc64fd15e31cda565dc4bc6e95eb62c1d45	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-63-5e-29-41-08\WpadDecisionReason = "1"	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Kazucwzuov\d9588691 = 9d4914f16b5598290d146dbd0012da7a2c894e87f081b60be8515edcb16e971020b5d58ec9c4abe0431e178f5e04a3089bb9a2d5fdfa8e634f30b8a56b0759a98323c5aa85e67c9d461a0d5119c4aa19d8f3ed6e8d096b7b9d08	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a07001a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-63-5e-29-41-08\WpadDecisionTime = b043b6d0bfb4d701	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-63-5e-29-41-08\WpadDecisionTime = 90065842beb4d701	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Kazucwzuov\563a11c6 = 8be10ba37b4d9792f3b342620c4480517d6d8c11ee8b419ddddf150fb4967ba4a1c78978db0baee5c846997f912ba99a991d747c5de2083af73b5ffb456632bbd680370ed951026c2473b1e7d2a2f2f370dc2bca15132ce96c915eb6d84038ab86	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadDecisionReason = "1"	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

468 rundll32.exe
1364 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

468 rundll32.exe
1364 regsvr32.exe

pid	process
468	rundll32.exe
1364	regsvr32.exe

pid	process
468	rundll32.exe
1364	regsvr32.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exetaskeng.exeregsvr32.exe

description	pid	process	target process
PID 676 wrote to memory of 468	676	rundll32.exe	rundll32.exe
PID 676 wrote to memory of 468	676	rundll32.exe	rundll32.exe
PID 676 wrote to memory of 468	676	rundll32.exe	rundll32.exe
PID 676 wrote to memory of 468	676	rundll32.exe	rundll32.exe
PID 676 wrote to memory of 468	676	rundll32.exe	rundll32.exe
PID 676 wrote to memory of 468	676	rundll32.exe	rundll32.exe
PID 676 wrote to memory of 468	676	rundll32.exe	rundll32.exe
PID 468 wrote to memory of 564	468	rundll32.exe	explorer.exe
PID 468 wrote to memory of 564	468	rundll32.exe	explorer.exe
PID 468 wrote to memory of 564	468	rundll32.exe	explorer.exe
PID 468 wrote to memory of 564	468	rundll32.exe	explorer.exe
PID 468 wrote to memory of 564	468	rundll32.exe	explorer.exe
PID 468 wrote to memory of 564	468	rundll32.exe	explorer.exe
PID 564 wrote to memory of 960	564	explorer.exe	schtasks.exe
PID 564 wrote to memory of 960	564	explorer.exe	schtasks.exe
PID 564 wrote to memory of 960	564	explorer.exe	schtasks.exe
PID 564 wrote to memory of 960	564	explorer.exe	schtasks.exe
PID 1596 wrote to memory of 1376	1596	taskeng.exe	regsvr32.exe
PID 1596 wrote to memory of 1376	1596	taskeng.exe	regsvr32.exe
PID 1596 wrote to memory of 1376	1596	taskeng.exe	regsvr32.exe
PID 1596 wrote to memory of 1376	1596	taskeng.exe	regsvr32.exe
PID 1596 wrote to memory of 1376	1596	taskeng.exe	regsvr32.exe
PID 1376 wrote to memory of 1364	1376	regsvr32.exe	regsvr32.exe
PID 1376 wrote to memory of 1364	1376	regsvr32.exe	regsvr32.exe
PID 1376 wrote to memory of 1364	1376	regsvr32.exe	regsvr32.exe
PID 1376 wrote to memory of 1364	1376	regsvr32.exe	regsvr32.exe
PID 1376 wrote to memory of 1364	1376	regsvr32.exe	regsvr32.exe
PID 1376 wrote to memory of 1364	1376	regsvr32.exe	regsvr32.exe
PID 1376 wrote to memory of 1364	1376	regsvr32.exe	regsvr32.exe
PID 1364 wrote to memory of 1648	1364	regsvr32.exe	explorer.exe
PID 1364 wrote to memory of 1648	1364	regsvr32.exe	explorer.exe
PID 1364 wrote to memory of 1648	1364	regsvr32.exe	explorer.exe
PID 1364 wrote to memory of 1648	1364	regsvr32.exe	explorer.exe
PID 1364 wrote to memory of 1648	1364	regsvr32.exe	explorer.exe
PID 1364 wrote to memory of 1648	1364	regsvr32.exe	explorer.exe
PID 1648 wrote to memory of 1800	1648	explorer.exe	reg.exe
PID 1648 wrote to memory of 1800	1648	explorer.exe	reg.exe
PID 1648 wrote to memory of 1800	1648	explorer.exe	reg.exe
PID 1648 wrote to memory of 1800	1648	explorer.exe	reg.exe
PID 1648 wrote to memory of 784	1648	explorer.exe	reg.exe
PID 1648 wrote to memory of 784	1648	explorer.exe	reg.exe
PID 1648 wrote to memory of 784	1648	explorer.exe	reg.exe
PID 1648 wrote to memory of 784	1648	explorer.exe	reg.exe
PID 976 wrote to memory of 928	976	taskeng.exe	regsvr32.exe
PID 976 wrote to memory of 928	976	taskeng.exe	regsvr32.exe
PID 976 wrote to memory of 928	976	taskeng.exe	regsvr32.exe
PID 976 wrote to memory of 928	976	taskeng.exe	regsvr32.exe
PID 976 wrote to memory of 928	976	taskeng.exe	regsvr32.exe
PID 928 wrote to memory of 1888	928	regsvr32.exe	regsvr32.exe
PID 928 wrote to memory of 1888	928	regsvr32.exe	regsvr32.exe
PID 928 wrote to memory of 1888	928	regsvr32.exe	regsvr32.exe
PID 928 wrote to memory of 1888	928	regsvr32.exe	regsvr32.exe
PID 928 wrote to memory of 1888	928	regsvr32.exe	regsvr32.exe
PID 928 wrote to memory of 1888	928	regsvr32.exe	regsvr32.exe
PID 928 wrote to memory of 1888	928	regsvr32.exe	regsvr32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\qjnndpxjfqujk.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\qjnndpxjfqujk.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:468

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn rkmadeqhc /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\qjnndpxjfqujk.dll\"" /SC ONCE /Z /ST 22:56 /ET 23:08
4⤵
- Creates scheduled task(s)
PID:960

C:\Windows\system32\taskeng.exe
taskeng.exe {D1B8E0B0-E42C-42ED-A5FB-AA60463428FE} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\qjnndpxjfqujk.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\qjnndpxjfqujk.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Nwphu" /d "0"
5⤵
PID:1800

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Traeogxgm" /d "0"
5⤵
PID:784

C:\Windows\system32\taskeng.exe
taskeng.exe {08F9D994-53B8-4DBF-A5D8-7CC4FD7B0B09} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\qjnndpxjfqujk.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\qjnndpxjfqujk.dll"
3⤵
- Loads dropped DLL
PID:1888

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qjnndpxjfqujk.dll
MD5
2c7fe65874005a9f4d3e455ad1a8547b

SHA1
e5c78ee1be97d61ea6acff4e3d433577b2fab96c

SHA256
46be6fc385ff5dbeb439bf46ec27f868034f499a49524120a7692a1170469c91

SHA512
ac8b0cc51c9f54401de36c3101c245d678c85c3d04f2356bf7403f3fc511a356d11f66df6fd76d9f7f5e73a7c95c1f1e13298a7cd07383c2fed675d611970207

Download Submit
C:\Users\Admin\AppData\Local\Temp\qjnndpxjfqujk.dll
MD5
cd70357fa79fcffc50db3a010b27d367

SHA1
438006bc7b54484d937e3a8fb46d204592dc92cc

SHA256
c136aec75056abf339fa81044b0e31b0fd9959eb8fce013ca1eeb7384b09e9b0

SHA512
0ce64f60daf9f961894a88d5da356fd5554a28dd571e7fc3a07f4b9ac33ed2983d92df07b0d008afcf735e71f0ec937f85639706675b83f80d1957e4074819f8

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\qjnndpxjfqujk.dll
MD5
2c7fe65874005a9f4d3e455ad1a8547b

SHA1
e5c78ee1be97d61ea6acff4e3d433577b2fab96c

SHA256
46be6fc385ff5dbeb439bf46ec27f868034f499a49524120a7692a1170469c91

SHA512
ac8b0cc51c9f54401de36c3101c245d678c85c3d04f2356bf7403f3fc511a356d11f66df6fd76d9f7f5e73a7c95c1f1e13298a7cd07383c2fed675d611970207

Download Submit
\Users\Admin\AppData\Local\Temp\qjnndpxjfqujk.dll
MD5
cd70357fa79fcffc50db3a010b27d367

SHA1
438006bc7b54484d937e3a8fb46d204592dc92cc

SHA256
c136aec75056abf339fa81044b0e31b0fd9959eb8fce013ca1eeb7384b09e9b0

SHA512
0ce64f60daf9f961894a88d5da356fd5554a28dd571e7fc3a07f4b9ac33ed2983d92df07b0d008afcf735e71f0ec937f85639706675b83f80d1957e4074819f8

Download Submit
memory/468-59-0x0000000000000000-mapping.dmp

Download
memory/468-64-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/468-62-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/468-63-0x0000000000260000-0x0000000000280000-memory.dmp

Filesize
128KB

Download
memory/468-60-0x0000000075051000-0x0000000075053000-memory.dmp

Filesize
8KB

Download
memory/564-67-0x0000000074061000-0x0000000074063000-memory.dmp

Filesize
8KB

Download
memory/564-69-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/564-65-0x0000000000000000-mapping.dmp

Download
memory/784-83-0x0000000000000000-mapping.dmp

Download
memory/928-86-0x0000000000000000-mapping.dmp

Download
memory/960-68-0x0000000000000000-mapping.dmp

Download
memory/1364-73-0x0000000000000000-mapping.dmp

Download
memory/1364-77-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1364-84-0x0000000000250000-0x0000000000271000-memory.dmp

Filesize
132KB

Download
memory/1364-76-0x0000000000420000-0x000000000049F000-memory.dmp

Filesize
508KB

Download
memory/1376-71-0x000007FEFB531000-0x000007FEFB533000-memory.dmp

Filesize
8KB

Download
memory/1376-70-0x0000000000000000-mapping.dmp

Download
memory/1648-78-0x0000000000000000-mapping.dmp

Download
memory/1648-85-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1800-82-0x0000000000000000-mapping.dmp

Download
memory/1888-89-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads