qakbot | 5f04c44de516e644115ad8094afbdab4b52ce6e46a848aeb7cf634ad471e4ac0

General

Target

dexc.ocx.dll
Size

647KB
MD5

74335b83254eeff621dd7bea844eb859
SHA1

b004da994afd349eec84ef0a579ca9785f6f496d
SHA256

5f04c44de516e644115ad8094afbdab4b52ce6e46a848aeb7cf634ad471e4ac0
SHA512

edece82d4cb1a8c8d7f5d43ffa7920ff0cb8c61154c5b06d9b3d48a52b0a08a4ce0c0610957d1ca4d5ae6d99e4a4f441da3a2a56eec3e123666742c59905c44e

Score

10^/10

qakbot cullinan 1640168876 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.10

Botnet

cullinan

Campaign

1640168876

C2

93.48.80.198:995

140.82.49.12:443

32.221.229.7:443

24.152.219.253:995

31.35.28.29:443

96.37.113.36:993

190.39.205.165:443

79.173.195.234:443

39.49.66.100:995

103.139.242.30:22

79.167.192.206:995

45.9.20.200:2211

24.95.61.62:443

37.210.226.125:61202

103.139.242.30:995

70.163.1.219:443

103.143.8.71:6881

76.169.147.192:32103

136.143.11.232:443

63.153.187.104:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1604 regsvr32.exe

pid	process
1604	regsvr32.exe

Drops file in System32 directory 1 IoCs

Processes:

explorer.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	explorer.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

612 schtasks.exe
Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

1964 net.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

netstat.exeipconfig.exe

pid process

1140 netstat.exe
956 ipconfig.exe

pid	process
612	schtasks.exe

pid	process
1964	net.exe

pid	process
1140	netstat.exe
956	ipconfig.exe

Modifies data under HKEY_USERS 58 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ovgsjiuocxix\79bc977e = 358aa4b72a91a31fd3058c0012bf961235988e740df72b5525b0ab841db7566f46ba90e7296a57fc20f4fbac9bf1e7dce3c4a23896b6abbf8e152c5e2799e1287449c7358f630e	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ovgsjiuocxix\bc08bf91 = 16a4f28ef256289fadf5d2d3098824ce9827e4b24af7fc4b0277b5548b4aa30a6ade435b813c623fcbaf9a76e9fb4b81a96b36df1d6dbe1f5ee1e70753633d5d02bd63c46e4da3f912	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ovgsjiuocxix\c341d067 = 1781189140c6448bb48d958f845668a6a9f72fb73c8667b4	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ovgsjiuocxix\4e62674c = bc5fb177c20f42d32fafb5e794100965ede184346b21def7b1d227fa8814c77ab32887a1cacc324c2684ba0e0ed7d5de68430452731a6e5976c64f1668ddf38987f8da0e291dede8d489daa57f29c8d1ef4479afe560cc2d7007e9ce40	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000005000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f008e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ovgsjiuocxix\4e62674c = bc5fb177c20f42d32fafb5e794100965eee587306b21def7b1d227fa8814c77ab02e85a0cacc324c2684ba0e0ed7d5de68430452731a6e5976c64f1668ddf38987f8da0e291dede8d489daa57f29c8d1ef4479afe560cc2d7007e9ce40	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D4ED54F9-84E2-431E-AC4D-FE3E6504718E}\WpadDecisionTime = 903d19c46e0cd801	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-bb-a2-f5-7a-5b\WpadDecision = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ovgsjiuocxix\4e62674c = bc5fb177c20f42d32fafb5e794100965eee587306b21def7b1d227fa8814c77ab02c84a6cacc324c2684ba0e0ed7d5de68430452731a6e5976c64f1668ddf38987f8da0e291dede8d489daa57f29c8d1ef4479afe560cc2d7007e9ce40	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-bb-a2-f5-7a-5b\WpadDecisionTime = b066d6266f0cd801	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ovgsjiuocxix\4e62674c = bc5faf77c20f772c0295c7c922e97842f557862bee16e97e8990aee9485b529e8479461be15a2ed0002a6109d05d6afbe3134ae5d3136b6658bc09ee804425	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ovgsjiuocxix\7bfdb702 = 8077f3e7c721b2be8909492a4eb8da9a73d5210b06492d4a0a83ac572a8f4cbe740659cca3a700e35c02064e10b361eadc3b0129978a32eadef1c72266d1894a12d7cb57a2cf0f73417df1450412c1bfeb7e23404082f8af37cf658645d870617a6659125d21d36565556492a1e483d697affd8f489ff7186dc9ee1b23b1999b2fba111d14a3e646d6f43d5352830a1ee8dcbdefc6b4248ae4b70cdf42cf244260bafa10633356bdd1fc6274812e1c26f82f408253e25eda42021fb3a72ce49304dc3ba570de509d72	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ovgsjiuocxix\4e62674c = bc5fb177c20f42d32fafb5e794100965edec86376b21def7b1d227fa8814c77ab32887a1cacc324c2684ba0e0ed7d5de68430452731a6e5976c64f1668ddf38987f8da0e291dede8d489daa57f29c8d1ef4479afe560cc2d7007e9ce40	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-bb-a2-f5-7a-5b	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-bb-a2-f5-7a-5b\WpadDecisionTime = b0c94d126d0cd801	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000006000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f008e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D4ED54F9-84E2-431E-AC4D-FE3E6504718E}	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-bb-a2-f5-7a-5b\WpadDecisionTime = 107a6dc36d0cd801	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D4ED54F9-84E2-431E-AC4D-FE3E6504718E}\WpadDecisionTime = b0c94d126d0cd801	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ovgsjiuocxix\4e62674c = bc5fb177c20f42d32fafb5e794100965eee089306b21def7b1d227fa8814c77ab0298ca5cacc324c2684ba0e0ed7d5de68430452731a6e5976c64f1668ddf38987f8da0e291dede8d489daa57f29c8d1ef4479afe560cc2d7007e9ce40	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D4ED54F9-84E2-431E-AC4D-FE3E6504718E}\WpadDecisionReason = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f008e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D4ED54F9-84E2-431E-AC4D-FE3E6504718E}\WpadDecisionTime = d0fd12626d0cd801	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-bb-a2-f5-7a-5b\WpadDecisionReason = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D4ED54F9-84E2-431E-AC4D-FE3E6504718E}\WpadDecisionTime = 107a6dc36d0cd801	explorer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f008e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D4ED54F9-84E2-431E-AC4D-FE3E6504718E}\WpadDecision = "0"	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D4ED54F9-84E2-431E-AC4D-FE3E6504718E}\76-bb-a2-f5-7a-5b	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-bb-a2-f5-7a-5b\WpadDecisionTime = 903d19c46e0cd801	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ovgsjiuocxix\4b4d8f4 = c101d7b23bac597f6574c0948e0d083da7837f7f0b62b5cd9026e67ddb867998bb3e733ee1e3bf01c77d0a59	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ovgsjiuocxix\312b08ba = d342685048d7e3dbff39f5268fbb261c00ccc4c22e8a6d1c892a74b5e5b901f243d5c27cb61e1ecc25c74ce12e491ed30163d4f225529e077ed7e17a206cc32ad96391e0fabe17ef6427c58b820a6e43abee29e6498456	explorer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-bb-a2-f5-7a-5b\WpadDetectedUrl	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ovgsjiuocxix\4e62674c = bc5fb877c20f42d32fafb4ad93190e65e7e586332527d4f4b3dc27cc783af3089a9d7fd7dc21ad7b49653cc9f1c885e57b9b80f6aaa701d246c8e96b556d43b6b9ea6dca8f3df4e93ee9f235af192a1fddbf99cd	explorer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D4ED54F9-84E2-431E-AC4D-FE3E6504718E}\WpadDecisionTime = b066d6266f0cd801	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ovgsjiuocxix\4e62674c = bc5fb177c20f42d32fafb5e794100965eeec81336b21def7b1d227fa8814c77ab0298ca5cacc324c2684ba0e0ed7d5de68430452731a6e5976c64f1668ddf38987f8da0e291dede8d489daa57f29c8d1ef4479afe560cc2d7007e9ce40	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ovgsjiuocxix\4e62674c = bc5fb877c20f42d32fafb4ad93190e65e7e586332527d4f4b1df24cc783af3089a9d7fd7dc21ad7b49653cc9f1c885e57b9b80f6aaa701d246c8e96b556d43b6b9ea6dca8f3df4e93ee9f235af192a1fddbf99cd	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ovgsjiuocxix\4e62674c = bc5fb177c20f42d32fafb5e794100965ede184346b21def7b1d227fa8814c77ab32a80a0cacc324c2684ba0e0ed7d5de68430452731a6e5976c64f1668ddf38987f8da0e291dede8d489daa57f29c8d1ef4479afe560cc2d7007e9ce40	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	explorer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D4ED54F9-84E2-431E-AC4D-FE3E6504718E}\WpadNetworkName = "Network 3"	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ovgsjiuocxix\4e62674c = bc5fb177c20f42d32fafb5e794100965edec86376b21def7b1d227fa8814c77ab32686a7cacc324c2684ba0e0ed7d5de68430452731a6e5976c64f1668ddf38987f8da0e291dede8d489daa57f29c8d1ef4479afe560cc2d7007e9ce40	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ovgsjiuocxix\4e62674c = bc5fb177c20f42d32fafb5e794100965edec86376b21def7b1d227fa8814c77ab02e85a0cacc324c2684ba0e0ed7d5de68430452731a6e5976c64f1668ddf38987f8da0e291dede8d489daa57f29c8d1ef4479afe560cc2d7007e9ce40	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000007000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f008e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ovgsjiuocxix	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ovgsjiuocxix\c100f01b = e4b590457b67d667e29de7adaba7cd3ad0cdd6a33613b51719dc79388e78	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	explorer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-bb-a2-f5-7a-5b\WpadDecisionTime = d0fd12626d0cd801	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ovgsjiuocxix\4e62674c = bc5fb177c20f42d32fafb5e794100965eee089306b21def7b1d227fa8814c77ab02b8da4cacc324c2684ba0e0ed7d5de68430452731a6e5976c64f1668ddf38987f8da0e291dede8d489daa57f29c8d1ef4479afe560cc2d7007e9ce40	explorer.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

rundll32.exeregsvr32.exeexplorer.exe

pid process

1300 rundll32.exe
1604 regsvr32.exe
1224 explorer.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1300 rundll32.exe
1604 regsvr32.exe

pid	process
1300	rundll32.exe
1604	regsvr32.exe
1224	explorer.exe

pid	process
1300	rundll32.exe
1604	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

whoami.exenetstat.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	1616	whoami.exe
Token: SeDebugPrivilege	1616	whoami.exe
Token: SeDebugPrivilege	1616	whoami.exe
Token: SeDebugPrivilege	1616	whoami.exe
Token: SeDebugPrivilege	1616	whoami.exe
Token: SeDebugPrivilege	1616	whoami.exe
Token: SeDebugPrivilege	1616	whoami.exe
Token: SeDebugPrivilege	1616	whoami.exe
Token: SeDebugPrivilege	1616	whoami.exe
Token: SeDebugPrivilege	1616	whoami.exe
Token: SeDebugPrivilege	1616	whoami.exe
Token: SeDebugPrivilege	1616	whoami.exe
Token: SeDebugPrivilege	1616	whoami.exe
Token: SeDebugPrivilege	1616	whoami.exe
Token: SeDebugPrivilege	1616	whoami.exe
Token: SeDebugPrivilege	1616	whoami.exe
Token: SeDebugPrivilege	1616	whoami.exe
Token: SeDebugPrivilege	1616	whoami.exe
Token: SeDebugPrivilege	1616	whoami.exe
Token: SeDebugPrivilege	1616	whoami.exe
Token: SeDebugPrivilege	1616	whoami.exe
Token: SeDebugPrivilege	1616	whoami.exe
Token: SeDebugPrivilege	1616	whoami.exe
Token: SeDebugPrivilege	1140	netstat.exe
Token: SeRestorePrivilege	1392	msiexec.exe
Token: SeTakeOwnershipPrivilege	1392	msiexec.exe
Token: SeSecurityPrivilege	1392	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exetaskeng.exeregsvr32.exe

description	pid	process	target process
PID 812 wrote to memory of 1300	812	rundll32.exe	rundll32.exe
PID 812 wrote to memory of 1300	812	rundll32.exe	rundll32.exe
PID 812 wrote to memory of 1300	812	rundll32.exe	rundll32.exe
PID 812 wrote to memory of 1300	812	rundll32.exe	rundll32.exe
PID 812 wrote to memory of 1300	812	rundll32.exe	rundll32.exe
PID 812 wrote to memory of 1300	812	rundll32.exe	rundll32.exe
PID 812 wrote to memory of 1300	812	rundll32.exe	rundll32.exe
PID 1300 wrote to memory of 1224	1300	rundll32.exe	explorer.exe
PID 1300 wrote to memory of 1224	1300	rundll32.exe	explorer.exe
PID 1300 wrote to memory of 1224	1300	rundll32.exe	explorer.exe
PID 1300 wrote to memory of 1224	1300	rundll32.exe	explorer.exe
PID 1300 wrote to memory of 1224	1300	rundll32.exe	explorer.exe
PID 1300 wrote to memory of 1224	1300	rundll32.exe	explorer.exe
PID 1224 wrote to memory of 612	1224	explorer.exe	schtasks.exe
PID 1224 wrote to memory of 612	1224	explorer.exe	schtasks.exe
PID 1224 wrote to memory of 612	1224	explorer.exe	schtasks.exe
PID 1224 wrote to memory of 612	1224	explorer.exe	schtasks.exe
PID 1892 wrote to memory of 1188	1892	taskeng.exe	regsvr32.exe
PID 1892 wrote to memory of 1188	1892	taskeng.exe	regsvr32.exe
PID 1892 wrote to memory of 1188	1892	taskeng.exe	regsvr32.exe
PID 1892 wrote to memory of 1188	1892	taskeng.exe	regsvr32.exe
PID 1892 wrote to memory of 1188	1892	taskeng.exe	regsvr32.exe
PID 1188 wrote to memory of 1604	1188	regsvr32.exe	regsvr32.exe
PID 1188 wrote to memory of 1604	1188	regsvr32.exe	regsvr32.exe
PID 1188 wrote to memory of 1604	1188	regsvr32.exe	regsvr32.exe
PID 1188 wrote to memory of 1604	1188	regsvr32.exe	regsvr32.exe
PID 1188 wrote to memory of 1604	1188	regsvr32.exe	regsvr32.exe
PID 1188 wrote to memory of 1604	1188	regsvr32.exe	regsvr32.exe
PID 1188 wrote to memory of 1604	1188	regsvr32.exe	regsvr32.exe
PID 1604 wrote to memory of 1980	1604	regsvr32.exe	explorer.exe
PID 1604 wrote to memory of 1980	1604	regsvr32.exe	explorer.exe
PID 1604 wrote to memory of 1980	1604	regsvr32.exe	explorer.exe
PID 1604 wrote to memory of 1980	1604	regsvr32.exe	explorer.exe
PID 1604 wrote to memory of 1980	1604	regsvr32.exe	explorer.exe
PID 1604 wrote to memory of 1980	1604	regsvr32.exe	explorer.exe
PID 1980 wrote to memory of 1704	1980	explorer.exe	reg.exe
PID 1980 wrote to memory of 1704	1980	explorer.exe	reg.exe
PID 1980 wrote to memory of 1704	1980	explorer.exe	reg.exe
PID 1980 wrote to memory of 1704	1980	explorer.exe	reg.exe
PID 1980 wrote to memory of 296	1980	explorer.exe	reg.exe
PID 1980 wrote to memory of 296	1980	explorer.exe	reg.exe
PID 1980 wrote to memory of 296	1980	explorer.exe	reg.exe
PID 1980 wrote to memory of 296	1980	explorer.exe	reg.exe
PID 2044 wrote to memory of 1288	2044	taskeng.exe	regsvr32.exe
PID 2044 wrote to memory of 1288	2044	taskeng.exe	regsvr32.exe
PID 2044 wrote to memory of 1288	2044	taskeng.exe	regsvr32.exe
PID 2044 wrote to memory of 1288	2044	taskeng.exe	regsvr32.exe
PID 2044 wrote to memory of 1288	2044	taskeng.exe	regsvr32.exe
PID 1288 wrote to memory of 604	1288	regsvr32.exe	regsvr32.exe
PID 1288 wrote to memory of 604	1288	regsvr32.exe	regsvr32.exe
PID 1288 wrote to memory of 604	1288	regsvr32.exe	regsvr32.exe
PID 1288 wrote to memory of 604	1288	regsvr32.exe	regsvr32.exe
PID 1288 wrote to memory of 604	1288	regsvr32.exe	regsvr32.exe
PID 1288 wrote to memory of 604	1288	regsvr32.exe	regsvr32.exe
PID 1288 wrote to memory of 604	1288	regsvr32.exe	regsvr32.exe
PID 1224 wrote to memory of 1616	1224	explorer.exe	whoami.exe
PID 1224 wrote to memory of 1616	1224	explorer.exe	whoami.exe
PID 1224 wrote to memory of 1616	1224	explorer.exe	whoami.exe
PID 1224 wrote to memory of 1616	1224	explorer.exe	whoami.exe
PID 1224 wrote to memory of 844	1224	explorer.exe	cmd.exe
PID 1224 wrote to memory of 844	1224	explorer.exe	cmd.exe
PID 1224 wrote to memory of 844	1224	explorer.exe	cmd.exe
PID 1224 wrote to memory of 844	1224	explorer.exe	cmd.exe
PID 1224 wrote to memory of 1632	1224	explorer.exe	arp.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dexc.ocx.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dexc.ocx.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ypldadymdy /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\dexc.ocx.dll\"" /SC ONCE /Z /ST 13:06 /ET 13:18
4⤵
- Creates scheduled task(s)
PID:612

C:\Windows\SysWOW64\whoami.exe
whoami /all
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\SysWOW64\cmd.exe
cmd /c set
4⤵
PID:844

C:\Windows\SysWOW64\arp.exe
arp -a
4⤵
PID:1632

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
4⤵
- Gathers network information
PID:956

C:\Windows\SysWOW64\net.exe
net view /all
4⤵
- Discovers systems in the same network
PID:1964

C:\Windows\SysWOW64\nslookup.exe
nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.WORKGROUP
4⤵
PID:1740

C:\Windows\SysWOW64\net.exe
net share
4⤵
PID:936

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share
5⤵
PID:1876

C:\Windows\SysWOW64\route.exe
route print
4⤵
PID:1068

C:\Windows\SysWOW64\netstat.exe
netstat -nao
4⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Windows\SysWOW64\net.exe
net localgroup
4⤵
PID:1912

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup
5⤵
PID:668

C:\Windows\system32\taskeng.exe
taskeng.exe {8A06EE01-DE2A-42BB-A039-14CFD93BBBA8} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1892

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\dexc.ocx.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\dexc.ocx.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Aauboaxhjyry" /d "0"
5⤵
PID:1704

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Ybgqonel" /d "0"
5⤵
PID:296

C:\Windows\system32\taskeng.exe
taskeng.exe {7EEE34D2-1A9B-44E4-92B9-F3B1EB7243F6} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\dexc.ocx.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\dexc.ocx.dll"
3⤵
PID:604

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Command-Line Interface

1

T1059

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dexc.ocx.dll
MD5
74335b83254eeff621dd7bea844eb859

SHA1
b004da994afd349eec84ef0a579ca9785f6f496d

SHA256
5f04c44de516e644115ad8094afbdab4b52ce6e46a848aeb7cf634ad471e4ac0

SHA512
edece82d4cb1a8c8d7f5d43ffa7920ff0cb8c61154c5b06d9b3d48a52b0a08a4ce0c0610957d1ca4d5ae6d99e4a4f441da3a2a56eec3e123666742c59905c44e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dexc.ocx.dll
MD5
01b8a974f93befd9725b5f7f5b27e029

SHA1
91eca55d0a72e1fa3e4d28df748f029da44dc03c

SHA256
90a59ab0372737c3d1536ed00213d96cd23f1fd5209843f1d2539fb493da588c

SHA512
2d2a1a254e4628fe1ddd15b63f16896033430f6fb9631dee1f76f51acfe00ae35e4c67f57af82770d33acf6454fe88ef58cad0c228f978b4f3791f6a2fa10d30

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\dexc.ocx.dll
MD5
74335b83254eeff621dd7bea844eb859

SHA1
b004da994afd349eec84ef0a579ca9785f6f496d

SHA256
5f04c44de516e644115ad8094afbdab4b52ce6e46a848aeb7cf634ad471e4ac0

SHA512
edece82d4cb1a8c8d7f5d43ffa7920ff0cb8c61154c5b06d9b3d48a52b0a08a4ce0c0610957d1ca4d5ae6d99e4a4f441da3a2a56eec3e123666742c59905c44e

Download Submit
memory/1188-67-0x000007FEFB5B1000-0x000007FEFB5B3000-memory.dmp

Filesize
8KB

Download
memory/1224-63-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/1224-66-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1224-65-0x0000000074281000-0x0000000074283000-memory.dmp

Filesize
8KB

Download
memory/1300-61-0x0000000000240000-0x0000000000283000-memory.dmp

Filesize
268KB

Download
memory/1300-58-0x0000000000290000-0x00000000002B1000-memory.dmp

Filesize
132KB

Download
memory/1300-55-0x0000000075AB1000-0x0000000075AB3000-memory.dmp

Filesize
8KB

Download
memory/1300-59-0x0000000000290000-0x00000000002B1000-memory.dmp

Filesize
132KB

Download
memory/1300-60-0x0000000000290000-0x00000000002B1000-memory.dmp

Filesize
132KB

Download
memory/1300-57-0x0000000000290000-0x00000000002B1000-memory.dmp

Filesize
132KB

Download
memory/1300-56-0x00000000002E0000-0x0000000000380000-memory.dmp

Filesize
640KB

Download
memory/1300-62-0x0000000000290000-0x00000000002B1000-memory.dmp

Filesize
132KB

Download
memory/1604-73-0x00000000005B0000-0x00000000005D1000-memory.dmp

Filesize
132KB

Download
memory/1604-75-0x00000000005B0000-0x00000000005D1000-memory.dmp

Filesize
132KB

Download
memory/1604-74-0x00000000005B0000-0x00000000005D1000-memory.dmp

Filesize
132KB

Download
memory/1604-72-0x00000000005B0000-0x00000000005D1000-memory.dmp

Filesize
132KB

Download
memory/1604-81-0x00000000005B0000-0x00000000005D1000-memory.dmp

Filesize
132KB

Download
memory/1604-80-0x0000000000560000-0x00000000005A3000-memory.dmp

Filesize
268KB

Download
memory/1604-71-0x00000000002F0000-0x0000000000390000-memory.dmp

Filesize
640KB

Download
memory/1980-82-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads