qakbot | dd8b18f31dcfa89865629c0264283f6631d38d535b077a8afb3c55d8b677075c

General

Target

q.dll
Size

1.3MB
MD5

9ad3a0d8b2064d12a9098952c7ac3ee2
SHA1

bf59513b280b6a3d4fb7bf6c5c2836fa6d5ee4a2
SHA256

dd8b18f31dcfa89865629c0264283f6631d38d535b077a8afb3c55d8b677075c
SHA512

7a7e152c08889e399af1e126efa3f74638d2273ffecc8e779d752052bf75e2288b915909cd4d633045be9cb02bb84b948a82b958e1f8bdba200787320d23374e

Score

10^/10

qakbot notset 1632819510 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

notset

Campaign

1632819510

C2

196.217.156.63:995

120.150.218.241:995

95.77.223.148:443

185.250.148.74:443

181.118.183.94:443

105.198.236.99:443

140.82.49.12:443

37.210.152.224:995

89.101.97.139:443

81.241.252.59:2078

27.223.92.142:995

81.250.153.227:2222

73.151.236.31:443

47.22.148.6:443

122.11.220.212:2222

120.151.47.189:443

199.27.127.129:443

216.201.162.158:443

136.232.34.70:443

76.25.142.196:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1724 regsvr32.exe

pid	process
1724	regsvr32.exe

Drops file in System32 directory 6 IoCs

Processes:

explorer.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	explorer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	explorer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	explorer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	explorer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	explorer.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\t4[1]	explorer.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1412 schtasks.exe
Discovers systems in the same network 1 TTPs 2 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exe

pid process

2004 net.exe
732 net.exe
Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

netstat.exeipconfig.exenetstat.exeipconfig.exe

pid process

316 netstat.exe
1172 ipconfig.exe
1356 netstat.exe
1996 ipconfig.exe

pid	process
1412	schtasks.exe

pid	process
2004	net.exe
732	net.exe

pid	process
316	netstat.exe
1172	ipconfig.exe
1356	netstat.exe
1996	ipconfig.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Efoialoal\ebba1fb6 = 68ee1b7284497e92dabea08e8792699c9df48782f362aa5257883ffb5df03709d701d1c985816de72943ad960f64cb77b3d8b1a015803aeb1f5e8f33dae9414f635d546c0ffd1bef2d93836d95c88c5558bf3bba0303bf61	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Efoialoal\a16ca00e = 2c3a64ecc509da3707d29040446be2f5c11ce19f10c032fb85c5fcee1d800a84c4be	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B55FA078-758F-4FEE-80CC-20EC7480DBC3}\WpadDecisionReason = "1"	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-8c-39-73-4f-7b	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Efoialoal\593d1f66 = e6856610d501ac34b2d277345534c5e81ae9e5	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Efoialoal\ebba1fb6 = 68ee127284497e92dabea1c4809b6f989ff18185bd65a45956813ccd21fcc0ab59af0380a8631eea298f5517612d8f1dea3b1f5654658ed97e3c20ec6e1a56036bf2404b3b08d8a3dcbe67b3ab751e	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f009a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Efoialoal\ebba1fb6 = 68ee1b7284497e92dabea08e8792699f94f68085f362aa5257883ffb5df0370ade01dcc585816de72943ad960f64cb77b3d8b1a015803aeb1f5e8f33dae9414f635d546c0ffd1bef2d93836d95c88c5558bf3bba0303bf61	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Efoialoal\ebba1fb6 = 68ee057284494be1d546060f284b21840e8d7926f432fb72025d295a1d17961719e434ba701259056614aaa99aa89d04a95466ae869f61c7bb8f	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Efoialoal\43f2f741 = e1c936132175346f41befaed25ac6eca8855cf28a3159539a96c0c55988c5f7f7e3caeef35e63b27730f615a10cc6c2891056c66b4557f819336560d21dd011fa8c89cd6e4	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Efoialoal\4b88b088 = f441fab5bea83810606db474623ad98cad866e1eb86e235c530824101c9d9cdc67bce6e974	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B55FA078-758F-4FEE-80CC-20EC7480DBC3}\WpadDecision = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-8c-39-73-4f-7b\WpadDecision = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Efoialoal\ebba1fb6 = 68ee1b7284497e92dabea08e8792699f94f38286f362aa5257883ffb5df0370ade01dcc585816de72943ad960f64cb77b3d8b1a015803aeb1f5e8f33dae9414f635d546c0ffd1bef2d93836d95c88c5558bf3bba0303bf61	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Efoialoal\de25cff8 = 04f0974b2177ec5657bb5a2a15421c06b1e67cfd5f1b6aba1bf1f2a21b7e12cbe65b8c62fb2d4b6b3ee719cc5c62747268e5cbe55ba3bd593c5227d6f0e89cbf1ee0ecd1d208e25a8e90f5047cc14ca00688eec8c9a5528aa233dfbc8462e6610cc502bf35f19708e42da0	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Efoialoal\3680ff02 = cca0541d9fe914442e40697c4f1617a66e8dc2ec7ba25d979db93cb0d8714de529ee99b891df4ade812b20358b028ba279de853809c69c9438d3dc27247d9198e1ae53ea4bbae60fb4eb164f72fd3bcb5521cbc64066a5b8f6d9b07836a644a391005e7743	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B55FA078-758F-4FEE-80CC-20EC7480DBC3}\WpadNetworkName = "Network 3"	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Efoialoal\ebba1fb6 = 68ee1b7284497e92dabea08e8792699f94f38286f362aa5257883ffb5df0370ade07ddcb85816de72943ad960f64cb77b3d8b1a015803aeb1f5e8f33dae9414f635d546c0ffd1bef2d93836d95c88c5558bf3bba0303bf61	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Efoialoal\94f37040 = 2a2c97c7b3de1c9d94cd34b44ec7610e3978019e8b50e3d273352f5a38967df5651bc79f033c99ed02664547a07049f9947da6c91cc4683d9ba92d89f2acdcfc403148822845d4a2c693076938213a72a245ab34dedc82c0d381eb9f614e28b766db84ff9f4175a5215c2c	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Efoialoal\ebba1fb6 = 68ee1b7284497e92dabea08e8792699c9df48782f362aa5257883ffb5df03709d700d8cf85816de72943ad960f64cb77b3d8b1a015803aeb1f5e8f33dae9414f635d546c0ffd1bef2d93836d95c88c5558bf3bba0303bf61	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B55FA078-758F-4FEE-80CC-20EC7480DBC3}\56-8c-39-73-4f-7b	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Efoialoal\dc64ef84 = ee6ef663b0eae87d23ec7516301e937ea2617958730fc1	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Efoialoal\64d888e1 = 6fef4232d7e72bafd71cb615b73afc36320835aa1056d78983e5ebe2511ac0d1a83b75	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Efoialoal\3680ff02 = cca0541d9fe914442f96697c4f1617a66e8dc2ec7ba25d979db93cb0d8714de529ee99b891df4ade812b20358b028ba279de853809c69c9438d3dc27247d9198e1ae53ea4bbae60fb4eb164f72fd3bcb5521cbc64066a5b8f6d9b07836a644a391005e7743	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B55FA078-758F-4FEE-80CC-20EC7480DBC3}\WpadDecisionTime = 9064cfa3f30bd801	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	explorer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B55FA078-758F-4FEE-80CC-20EC7480DBC3}	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-8c-39-73-4f-7b\WpadDecisionReason = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Efoialoal\ebba1fb6 = 68ee1b7284497e92dabea08e8792699c9df78581f362aa5257883ffb5df03709d703d0c885816de72943ad960f64cb77b3d8b1a015803aeb1f5e8f33dae9414f635d546c0ffd1bef2d93836d95c88c5558bf3bba0303bf61	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Efoialoal\ebba1fb6 = 68ee1b7284497e92dabea08e8792699f94f08381f362aa5257883ffb5df03709d70ddfca85816de72943ad960f64cb77b3d8b1a015803aeb1f5e8f33dae9414f635d546c0ffd1bef2d93836d95c88c5558bf3bba0303bf61	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Efoialoal	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Efoialoal\19d0c76b = 97e00bec56c1cffa54dca0594dcb72a8d2e72a0dde42a3a6ae77093945f88dad6232c40cefbd01ab03c6d4ca1f545e781cf76b213b247b397408f517b4becdef9de6238102514ef7a68912af80798a914b3c15118afc62293b6eede67f1ff3451c29	explorer.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exeregsvr32.exeexplorer.exeexplorer.exe

pid process

948 rundll32.exe
1724 regsvr32.exe
1064 explorer.exe
1476 explorer.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

948 rundll32.exe
1724 regsvr32.exe

pid	process
948	rundll32.exe
1724	regsvr32.exe
1064	explorer.exe
1476	explorer.exe

pid	process
948	rundll32.exe
1724	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

whoami.exenetstat.exe

description	pid	process
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeDebugPrivilege	1356	netstat.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exetaskeng.exeregsvr32.exe

description	pid	process	target process
PID 1612 wrote to memory of 948	1612	rundll32.exe	rundll32.exe
PID 1612 wrote to memory of 948	1612	rundll32.exe	rundll32.exe
PID 1612 wrote to memory of 948	1612	rundll32.exe	rundll32.exe
PID 1612 wrote to memory of 948	1612	rundll32.exe	rundll32.exe
PID 1612 wrote to memory of 948	1612	rundll32.exe	rundll32.exe
PID 1612 wrote to memory of 948	1612	rundll32.exe	rundll32.exe
PID 1612 wrote to memory of 948	1612	rundll32.exe	rundll32.exe
PID 948 wrote to memory of 1476	948	rundll32.exe	explorer.exe
PID 948 wrote to memory of 1476	948	rundll32.exe	explorer.exe
PID 948 wrote to memory of 1476	948	rundll32.exe	explorer.exe
PID 948 wrote to memory of 1476	948	rundll32.exe	explorer.exe
PID 948 wrote to memory of 1476	948	rundll32.exe	explorer.exe
PID 948 wrote to memory of 1476	948	rundll32.exe	explorer.exe
PID 1476 wrote to memory of 1412	1476	explorer.exe	schtasks.exe
PID 1476 wrote to memory of 1412	1476	explorer.exe	schtasks.exe
PID 1476 wrote to memory of 1412	1476	explorer.exe	schtasks.exe
PID 1476 wrote to memory of 1412	1476	explorer.exe	schtasks.exe
PID 860 wrote to memory of 1912	860	taskeng.exe	regsvr32.exe
PID 860 wrote to memory of 1912	860	taskeng.exe	regsvr32.exe
PID 860 wrote to memory of 1912	860	taskeng.exe	regsvr32.exe
PID 860 wrote to memory of 1912	860	taskeng.exe	regsvr32.exe
PID 860 wrote to memory of 1912	860	taskeng.exe	regsvr32.exe
PID 1912 wrote to memory of 1724	1912	regsvr32.exe	regsvr32.exe
PID 1912 wrote to memory of 1724	1912	regsvr32.exe	regsvr32.exe
PID 1912 wrote to memory of 1724	1912	regsvr32.exe	regsvr32.exe
PID 1912 wrote to memory of 1724	1912	regsvr32.exe	regsvr32.exe
PID 1912 wrote to memory of 1724	1912	regsvr32.exe	regsvr32.exe
PID 1912 wrote to memory of 1724	1912	regsvr32.exe	regsvr32.exe
PID 1912 wrote to memory of 1724	1912	regsvr32.exe	regsvr32.exe
PID 1724 wrote to memory of 1064	1724	regsvr32.exe	explorer.exe
PID 1724 wrote to memory of 1064	1724	regsvr32.exe	explorer.exe
PID 1724 wrote to memory of 1064	1724	regsvr32.exe	explorer.exe
PID 1724 wrote to memory of 1064	1724	regsvr32.exe	explorer.exe
PID 1724 wrote to memory of 1064	1724	regsvr32.exe	explorer.exe
PID 1724 wrote to memory of 1064	1724	regsvr32.exe	explorer.exe
PID 1064 wrote to memory of 1228	1064	explorer.exe	reg.exe
PID 1064 wrote to memory of 1228	1064	explorer.exe	reg.exe
PID 1064 wrote to memory of 1228	1064	explorer.exe	reg.exe
PID 1064 wrote to memory of 1228	1064	explorer.exe	reg.exe
PID 1064 wrote to memory of 324	1064	explorer.exe	reg.exe
PID 1064 wrote to memory of 324	1064	explorer.exe	reg.exe
PID 1064 wrote to memory of 324	1064	explorer.exe	reg.exe
PID 1064 wrote to memory of 324	1064	explorer.exe	reg.exe
PID 936 wrote to memory of 1836	936	taskeng.exe	regsvr32.exe
PID 936 wrote to memory of 1836	936	taskeng.exe	regsvr32.exe
PID 936 wrote to memory of 1836	936	taskeng.exe	regsvr32.exe
PID 936 wrote to memory of 1836	936	taskeng.exe	regsvr32.exe
PID 936 wrote to memory of 1836	936	taskeng.exe	regsvr32.exe
PID 1836 wrote to memory of 2040	1836	regsvr32.exe	regsvr32.exe
PID 1836 wrote to memory of 2040	1836	regsvr32.exe	regsvr32.exe
PID 1836 wrote to memory of 2040	1836	regsvr32.exe	regsvr32.exe
PID 1836 wrote to memory of 2040	1836	regsvr32.exe	regsvr32.exe
PID 1836 wrote to memory of 2040	1836	regsvr32.exe	regsvr32.exe
PID 1836 wrote to memory of 2040	1836	regsvr32.exe	regsvr32.exe
PID 1836 wrote to memory of 2040	1836	regsvr32.exe	regsvr32.exe
PID 1064 wrote to memory of 1976	1064	explorer.exe	whoami.exe
PID 1064 wrote to memory of 1976	1064	explorer.exe	whoami.exe
PID 1064 wrote to memory of 1976	1064	explorer.exe	whoami.exe
PID 1064 wrote to memory of 1976	1064	explorer.exe	whoami.exe
PID 1064 wrote to memory of 1528	1064	explorer.exe	cmd.exe
PID 1064 wrote to memory of 1528	1064	explorer.exe	cmd.exe
PID 1064 wrote to memory of 1528	1064	explorer.exe	cmd.exe
PID 1064 wrote to memory of 1528	1064	explorer.exe	cmd.exe
PID 1064 wrote to memory of 1488	1064	explorer.exe	arp.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\q.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\q.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn yqjpodp /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\q.dll\"" /SC ONCE /Z /ST 22:37 /ET 22:49
4⤵
- Creates scheduled task(s)
PID:1412

C:\Windows\SysWOW64\whoami.exe
whoami /all
4⤵
PID:1132

C:\Windows\SysWOW64\cmd.exe
cmd /c set
4⤵
PID:940

C:\Windows\SysWOW64\arp.exe
arp -a
4⤵
PID:1828

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
4⤵
- Gathers network information
PID:1996

C:\Windows\SysWOW64\net.exe
net view /all
4⤵
- Discovers systems in the same network
PID:732

C:\Windows\SysWOW64\nslookup.exe
nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.WORKGROUP
4⤵
PID:1916

C:\Windows\SysWOW64\net.exe
net share
4⤵
PID:1104

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share
5⤵
PID:612

C:\Windows\SysWOW64\route.exe
route print
4⤵
PID:1676

C:\Windows\SysWOW64\netstat.exe
netstat -nao
4⤵
- Gathers network information
PID:316

C:\Windows\SysWOW64\net.exe
net localgroup
4⤵
PID:996

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup
5⤵
PID:1664

C:\Windows\system32\taskeng.exe
taskeng.exe {EAF7E911-5B89-4EC7-8D50-2471C12C188E} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\q.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\q.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Fymxuee" /d "0"
5⤵
PID:1228

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Onlpoorkjvg" /d "0"
5⤵
PID:324

C:\Windows\SysWOW64\whoami.exe
whoami /all
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\SysWOW64\cmd.exe
cmd /c set
5⤵
PID:1528

C:\Windows\SysWOW64\arp.exe
arp -a
5⤵
PID:1488

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
5⤵
- Gathers network information
PID:1172

C:\Windows\SysWOW64\net.exe
net view /all
5⤵
- Discovers systems in the same network
PID:2004

C:\Windows\SysWOW64\nslookup.exe
nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.WORKGROUP
5⤵
PID:1884

C:\Windows\SysWOW64\net.exe
net share
5⤵
PID:1548

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share
6⤵
PID:1408

C:\Windows\SysWOW64\route.exe
route print
5⤵
PID:1076

C:\Windows\SysWOW64\netstat.exe
netstat -nao
5⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:1356

C:\Windows\SysWOW64\net.exe
net localgroup
5⤵
PID:1712

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup
6⤵
PID:1920

C:\Windows\system32\taskeng.exe
taskeng.exe {1E99BEAF-E40B-406C-8E6A-76386FAD031D} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\q.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\q.dll"
3⤵
PID:2040

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:1520

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Command-Line Interface

1

T1059

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\q.dll
MD5
9ad3a0d8b2064d12a9098952c7ac3ee2

SHA1
bf59513b280b6a3d4fb7bf6c5c2836fa6d5ee4a2

SHA256
dd8b18f31dcfa89865629c0264283f6631d38d535b077a8afb3c55d8b677075c

SHA512
7a7e152c08889e399af1e126efa3f74638d2273ffecc8e779d752052bf75e2288b915909cd4d633045be9cb02bb84b948a82b958e1f8bdba200787320d23374e

Download Submit
C:\Users\Admin\AppData\Local\Temp\q.dll
MD5
f48eb049482b93e280f40056ffb0617d

SHA1
ba1474eed211c299ff4bd6613cc775c07212136b

SHA256
3cf51f2130f7a3f4a12936b169d953ba22c7ebb04834e552a5b2d5b1ec5f1699

SHA512
42fdb39a40f58565336fa5f3df6555a9dae98d52c85020cafa973aab38f9896cd94e53317ad88d268ec022e550696609e5da53ad57df7ba09b75c810508ba30e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\q.dll
MD5
9ad3a0d8b2064d12a9098952c7ac3ee2

SHA1
bf59513b280b6a3d4fb7bf6c5c2836fa6d5ee4a2

SHA256
dd8b18f31dcfa89865629c0264283f6631d38d535b077a8afb3c55d8b677075c

SHA512
7a7e152c08889e399af1e126efa3f74638d2273ffecc8e779d752052bf75e2288b915909cd4d633045be9cb02bb84b948a82b958e1f8bdba200787320d23374e

Download Submit
memory/316-120-0x0000000000000000-mapping.dmp

Download
memory/324-89-0x0000000000000000-mapping.dmp

Download
memory/612-118-0x0000000000000000-mapping.dmp

Download
memory/732-115-0x0000000000000000-mapping.dmp

Download
memory/940-111-0x0000000000000000-mapping.dmp

Download
memory/948-57-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/948-67-0x0000000000250000-0x0000000000271000-memory.dmp

Filesize
132KB

Download
memory/948-61-0x0000000000250000-0x0000000000271000-memory.dmp

Filesize
132KB

Download
memory/948-62-0x0000000000250000-0x0000000000271000-memory.dmp

Filesize
132KB

Download
memory/948-60-0x0000000000250000-0x0000000000271000-memory.dmp

Filesize
132KB

Download
memory/948-59-0x0000000000250000-0x0000000000271000-memory.dmp

Filesize
132KB

Download
memory/948-55-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download
memory/948-56-0x0000000001C10000-0x0000000001D57000-memory.dmp

Filesize
1.3MB

Download
memory/948-58-0x0000000000210000-0x0000000000231000-memory.dmp

Filesize
132KB

Download
memory/948-54-0x0000000000000000-mapping.dmp

Download
memory/996-121-0x0000000000000000-mapping.dmp

Download
memory/1064-84-0x0000000000000000-mapping.dmp

Download
memory/1064-90-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1076-105-0x0000000000000000-mapping.dmp

Download
memory/1104-117-0x0000000000000000-mapping.dmp

Download
memory/1132-110-0x0000000000000000-mapping.dmp

Download
memory/1172-99-0x0000000000000000-mapping.dmp

Download
memory/1228-88-0x0000000000000000-mapping.dmp

Download
memory/1356-106-0x0000000000000000-mapping.dmp

Download
memory/1408-104-0x0000000000000000-mapping.dmp

Download
memory/1412-68-0x0000000000000000-mapping.dmp

Download
memory/1476-66-0x0000000074791000-0x0000000074793000-memory.dmp

Filesize
8KB

Download
memory/1476-64-0x0000000000000000-mapping.dmp

Download
memory/1476-63-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/1476-69-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1488-98-0x0000000000000000-mapping.dmp

Download
memory/1528-97-0x0000000000000000-mapping.dmp

Download
memory/1548-103-0x0000000000000000-mapping.dmp

Download
memory/1664-122-0x0000000000000000-mapping.dmp

Download
memory/1676-119-0x0000000000000000-mapping.dmp

Download
memory/1712-107-0x0000000000000000-mapping.dmp

Download
memory/1724-81-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1724-76-0x0000000000BE0000-0x0000000000D27000-memory.dmp

Filesize
1.3MB

Download
memory/1724-77-0x0000000000270000-0x0000000000291000-memory.dmp

Filesize
132KB

Download
memory/1724-73-0x0000000000000000-mapping.dmp

Download
memory/1724-79-0x0000000000270000-0x0000000000291000-memory.dmp

Filesize
132KB

Download
memory/1724-80-0x0000000000270000-0x0000000000291000-memory.dmp

Filesize
132KB

Download
memory/1724-82-0x0000000000270000-0x0000000000291000-memory.dmp

Filesize
132KB

Download
memory/1724-78-0x0000000000270000-0x0000000000291000-memory.dmp

Filesize
132KB

Download
memory/1828-112-0x0000000000000000-mapping.dmp

Download
memory/1836-91-0x0000000000000000-mapping.dmp

Download
memory/1884-102-0x0000000000000000-mapping.dmp

Download
memory/1912-70-0x0000000000000000-mapping.dmp

Download
memory/1912-71-0x000007FEFBCB1000-0x000007FEFBCB3000-memory.dmp

Filesize
8KB

Download
memory/1916-116-0x0000000000000000-mapping.dmp

Download
memory/1920-108-0x0000000000000000-mapping.dmp

Download
memory/1976-96-0x0000000000000000-mapping.dmp

Download
memory/1996-113-0x0000000000000000-mapping.dmp

Download
memory/2004-101-0x0000000000000000-mapping.dmp

Download
memory/2040-94-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads