qakbot | 5f04c44de516e644115ad8094afbdab4b52ce6e46a848aeb7cf634ad471e4ac0

General

Target

dexc.ocx.dll
Size

647KB
MD5

74335b83254eeff621dd7bea844eb859
SHA1

b004da994afd349eec84ef0a579ca9785f6f496d
SHA256

5f04c44de516e644115ad8094afbdab4b52ce6e46a848aeb7cf634ad471e4ac0
SHA512

edece82d4cb1a8c8d7f5d43ffa7920ff0cb8c61154c5b06d9b3d48a52b0a08a4ce0c0610957d1ca4d5ae6d99e4a4f441da3a2a56eec3e123666742c59905c44e

Score

10^/10

qakbot cullinan 1640168876 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.10

Botnet

cullinan

Campaign

1640168876

C2

93.48.80.198:995

140.82.49.12:443

32.221.229.7:443

24.152.219.253:995

31.35.28.29:443

96.37.113.36:993

190.39.205.165:443

79.173.195.234:443

39.49.66.100:995

103.139.242.30:22

79.167.192.206:995

45.9.20.200:2211

24.95.61.62:443

37.210.226.125:61202

103.139.242.30:995

70.163.1.219:443

103.143.8.71:6881

76.169.147.192:32103

136.143.11.232:443

63.153.187.104:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1116 regsvr32.exe

pid	process
1116	regsvr32.exe

Drops file in System32 directory 6 IoCs

Processes:

explorer.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	explorer.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\t4[1]	explorer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	explorer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	explorer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	explorer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	explorer.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1848 schtasks.exe
Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

1752 net.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exenetstat.exe

pid process

1692 ipconfig.exe
1456 netstat.exe

pid	process
1848	schtasks.exe

pid	process
1752	net.exe

pid	process
1692	ipconfig.exe
1456	netstat.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Yecsdkdxvivyv\fd06ac1a = ba7e0feb024e6ad96bd4d7f2b0ba43ae782cbd7b19c42008381bcd716ae8b3ac8f7c838784f4d42121a332fcf6002bd2a205047dbaeadcb73ad9feabf8af431953a280870ff2ecd20d323d666f430d2c0415fd8ec41b5383ce2a002aaa570910b745bd37498834565afbe5aa6d1bd392b7e5ab045fc6ee2add021f9448646645f38334a7b701385c90	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Yecsdkdxvivyv\5d340324 = 51acb69d6544b4776c52ed7e6beeeb9d91801f388a66	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yecsdkdxvivyv	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Yecsdkdxvivyv\fd06ac1a = ba7e0feb024e6ad96bd4d7f2b0ba43ae782cbd7b19c42008381bcd716ae8b3ac8f7e808184f4d42121a332fcf6002bd2a205047dbaeadcb73ad9feabf8af431953a280870ff2ecd20d323d666f430d2c0415fd8ec41b5383ce2a002aaa570910b745bd37498834565afbe5aa6d1bd392b7e5ab045fc6ee2add021f9448646645f38334a7b701385c90	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Yecsdkdxvivyv\fd06ac1a = ba7e0feb024e6ad96bd4d7f2b0ba43ae7928b97819c42008381bcd716ae8b3ac8e7b8a8a84f4d42121a332fcf6002bd2a205047dbaeadcb73ad9feabf8af431953a280870ff2ecd20d323d666f430d2c0415fd8ec41b5383ce2a002aaa570910b745bd37498834565afbe5aa6d1bd392b7e5ab045fc6ee2add021f9448646645f38334a7b701385c90	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Yecsdkdxvivyv\fd06ac1a = ba7e0feb024e6ad96bd4d7f2b0ba43ae792bb87f19c42008381bcd716ae8b3ac8e7f848b84f4d42121a332fcf6002bd2a205047dbaeadcb73ad9feabf8af431953a280870ff2ecd20d323d666f430d2c0415fd8ec41b5383ce2a002aaa570910b745bd37498834565afbe5aa6d1bd392b7e5ab045fc6ee2add021f9448646645f38334a7b701385c90	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Yecsdkdxvivyv\824fc3ec = 2d143a7ee1a5b98a3440463d106c95464810417590033b6c3ab6be1b157137c13babc5633d15	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{62C06286-BB99-4D46-9271-D2E0A97EB5F4}\1e-2b-3b-83-7c-54	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Yecsdkdxvivyv\fd06ac1a = ba7e0feb024e6ad96bd4d7f2b0ba43ae762bbc7919c42008381bcd716ae8b3ac8179818384f4d42121a332fcf6002bd2a205047dbaeadcb73ad9feabf8af431953a280870ff2ecd20d323d666f430d2c0415fd8ec41b5383ce2a002aaa570910b745bd37498834565afbe5aa6d1bd392b7e5ab045fc6ee2add021f9448646645f38334a7b701385c90	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Yecsdkdxvivyv\c8997c54 = f556a4c5ca16ecf13d077b72c74cd90c7a2f43918d7595df0f7e4338a4e104cfed327c6e2c4dce98741c784f2f5f69489facac987aa348dd239da534b1c037d73dc037ca82dbdca46b264d70b0e9d8089913371ec5b432fff41360c44c174d056e05859110c8064374fd962535b918	explorer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Yecsdkdxvivyv\fd06ac1a = ba7e11eb024e5fe6a64075e46c7d0bd31592a0b2d0893af51560a36df4ea9628c885b792b31ffce29472c55ae881b35c6d2ba930f2922828862b9dac1a0d7b98bf460b26b8aee9b964bb487184c4e0a59566b9568fcf1e07e3159388f8daad2ee1288738b2214c53f34f33	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{62C06286-BB99-4D46-9271-D2E0A97EB5F4}\WpadDecisionReason = "1"	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Yecsdkdxvivyv\fd06ac1a = ba7e0feb024e6ad96bd4d7f2b0ba43ae762bbc7919c42008381bcd716ae8b3ac817f808184f4d42121a332fcf6002bd2a205047dbaeadcb73ad9feabf8af431953a280870ff2ecd20d323d666f430d2c0415fd8ec41b5383ce2a002aaa570910b745bd37498834565afbe5aa6d1bd392b7e5ab045fc6ee2add021f9448646645f38334a7b701385c90	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-2b-3b-83-7c-54\WpadDecisionReason = "1"	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Yecsdkdxvivyv\fd06ac1a = ba7e0feb024e6ad96bd4d7f2b0ba43ae782fbb7b19c42008381bcd716ae8b3ac8f7c838784f4d42121a332fcf6002bd2a205047dbaeadcb73ad9feabf8af431953a280870ff2ecd20d323d666f430d2c0415fd8ec41b5383ce2a002aaa570910b745bd37498834565afbe5aa6d1bd392b7e5ab045fc6ee2add021f9448646645f38334a7b701385c90	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0049000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Yecsdkdxvivyv\fd06ac1a = ba7e0feb024e6ad96bd4d7f2b0ba43ae782fbb7b19c42008381bcd716ae8b3ac8f72828584f4d42121a332fcf6002bd2a205047dbaeadcb73ad9feabf8af431953a280870ff2ecd20d323d666f430d2c0415fd8ec41b5383ce2a002aaa570910b745bd37498834565afbe5aa6d1bd392b7e5ab045fc6ee2add021f9448646645f38334a7b701385c90	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Yecsdkdxvivyv\203c4cae = 376d607d13a7df36d7d43661067ed39d8543f612fe43f521443a548c477dcc15925549e4547a25616d79603a8546c09f060b1f3f277a744dee55e5c62ac80243dd4d384719851409679d836bc6bb71a163ce263f571386d2d9683f3630a466	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Yecsdkdxvivyv\fd06ac1a = ba7e0feb024e6ad96bd4d7f2b0ba43ae762ebb7019c42008381bcd716ae8b3ac817f808184f4d42121a332fcf6002bd2a205047dbaeadcb73ad9feabf8af431953a280870ff2ecd20d323d666f430d2c0415fd8ec41b5383ce2a002aaa570910b745bd37498834565afbe5aa6d1bd392b7e5ab045fc6ee2add021f9448646645f38334a7b701385c90	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\LanguageList = 640065002d0044004500000064006500000065006e002d0055005300000065006e0000000000	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Yecsdkdxvivyv\fd06ac1a = ba7e0feb024e6ad96bd4d7f2b0ba43ae792eb67f19c42008381bcd716ae8b3ac8e7d878a84f4d42121a332fcf6002bd2a205047dbaeadcb73ad9feabf8af431953a280870ff2ecd20d323d666f430d2c0415fd8ec41b5383ce2a002aaa570910b745bd37498834565afbe5aa6d1bd392b7e5ab045fc6ee2add021f9448646645f38334a7b701385c90	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Yecsdkdxvivyv\f6c74c7 = d62df995c609f6369f4a0d357d237528957aa44282cc74f9cb04531ddfa45d038d0593ec1c9a75cd9d3270a4e44f30bc2b7772d4c6	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Yecsdkdxvivyv\fd06ac1a = ba7e06eb024e6ad96bd4d6b8b7b344a77529b97c57c2230c3914ce475a26290799a247cfc1aba2a14836a42844593007a755811327540ff245c4bb4f8435c3c905e173abdf7e1e3b2108e94a73a435312bd48a70622d74e7497ec217796f3ac2d8235d0a379b02a1238bc6873ca252b32691cb420b70297b83663759da21eb98	explorer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{62C06286-BB99-4D46-9271-D2E0A97EB5F4}\WpadDecisionTime = 00c266611b0dd801	explorer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{62C06286-BB99-4D46-9271-D2E0A97EB5F4}\WpadNetworkName = "Netzwerk"	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Yecsdkdxvivyv\554e44ed = e634ad4f6c33e16b4ab16ed341d29505419129ede069cc33fc22aa8771871f21cd1a207377520546a337803dfb9df1d0175aeefb94bcdd8e40c297163fa148f48ca8ee3296997b27d074bac2e5e13dab2b04f6ab3ba638931870262eb2fec7	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Yecsdkdxvivyv\fd06ac1a = ba7e0feb024e6ad96bd4d7f2b0ba43ae7628be7c19c42008381bcd716ae8b3ac817b868084f4d42121a332fcf6002bd2a205047dbaeadcb73ad9feabf8af431953a280870ff2ecd20d323d666f430d2c0415fd8ec41b5383ce2a002aaa570910b745bd37498834565afbe5aa6d1bd392b7e5ab045fc6ee2add021f9448646645f38334a7b701385c90	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-2b-3b-83-7c-54	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Yecsdkdxvivyv\fd06ac1a = ba7e0feb024e6ad96bd4d7f2b0ba43ae7928b97819c42008381bcd716ae8b3ac8f738b8484f4d42121a332fcf6002bd2a205047dbaeadcb73ad9feabf8af431953a280870ff2ecd20d323d666f430d2c0415fd8ec41b5383ce2a002aaa570910b745bd37498834565afbe5aa6d1bd392b7e5ab045fc6ee2add021f9448646645f38334a7b701385c90	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{62C06286-BB99-4D46-9271-D2E0A97EB5F4}	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Yecsdkdxvivyv\fd06ac1a = ba7e0feb024e6ad96bd4d7f2b0ba43ae792eb67f19c42008381bcd716ae8b3ac8e73878284f4d42121a332fcf6002bd2a205047dbaeadcb73ad9feabf8af431953a280870ff2ecd20d323d666f430d2c0415fd8ec41b5383ce2a002aaa570910b745bd37498834565afbe5aa6d1bd392b7e5ab045fc6ee2add021f9448646645f38334a7b701385c90	explorer.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

rundll32.exeregsvr32.exeexplorer.exe

pid process

1444 rundll32.exe
1116 regsvr32.exe
1108 explorer.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1444 rundll32.exe
1116 regsvr32.exe

pid	process
1444	rundll32.exe
1116	regsvr32.exe
1108	explorer.exe

pid	process
1444	rundll32.exe
1116	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

whoami.exenetstat.exe

description	pid	process
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	1456	netstat.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exetaskeng.exeregsvr32.exe

description	pid	process	target process
PID 1800 wrote to memory of 1444	1800	rundll32.exe	rundll32.exe
PID 1800 wrote to memory of 1444	1800	rundll32.exe	rundll32.exe
PID 1800 wrote to memory of 1444	1800	rundll32.exe	rundll32.exe
PID 1800 wrote to memory of 1444	1800	rundll32.exe	rundll32.exe
PID 1800 wrote to memory of 1444	1800	rundll32.exe	rundll32.exe
PID 1800 wrote to memory of 1444	1800	rundll32.exe	rundll32.exe
PID 1800 wrote to memory of 1444	1800	rundll32.exe	rundll32.exe
PID 1444 wrote to memory of 1684	1444	rundll32.exe	explorer.exe
PID 1444 wrote to memory of 1684	1444	rundll32.exe	explorer.exe
PID 1444 wrote to memory of 1684	1444	rundll32.exe	explorer.exe
PID 1444 wrote to memory of 1684	1444	rundll32.exe	explorer.exe
PID 1444 wrote to memory of 1684	1444	rundll32.exe	explorer.exe
PID 1444 wrote to memory of 1684	1444	rundll32.exe	explorer.exe
PID 1684 wrote to memory of 1848	1684	explorer.exe	schtasks.exe
PID 1684 wrote to memory of 1848	1684	explorer.exe	schtasks.exe
PID 1684 wrote to memory of 1848	1684	explorer.exe	schtasks.exe
PID 1684 wrote to memory of 1848	1684	explorer.exe	schtasks.exe
PID 1868 wrote to memory of 1116	1868	regsvr32.exe	regsvr32.exe
PID 1868 wrote to memory of 1116	1868	regsvr32.exe	regsvr32.exe
PID 1868 wrote to memory of 1116	1868	regsvr32.exe	regsvr32.exe
PID 1868 wrote to memory of 1116	1868	regsvr32.exe	regsvr32.exe
PID 1868 wrote to memory of 1116	1868	regsvr32.exe	regsvr32.exe
PID 1868 wrote to memory of 1116	1868	regsvr32.exe	regsvr32.exe
PID 1868 wrote to memory of 1116	1868	regsvr32.exe	regsvr32.exe
PID 1116 wrote to memory of 1108	1116	regsvr32.exe	explorer.exe
PID 1116 wrote to memory of 1108	1116	regsvr32.exe	explorer.exe
PID 1116 wrote to memory of 1108	1116	regsvr32.exe	explorer.exe
PID 1116 wrote to memory of 1108	1116	regsvr32.exe	explorer.exe
PID 1116 wrote to memory of 1108	1116	regsvr32.exe	explorer.exe
PID 1116 wrote to memory of 1108	1116	regsvr32.exe	explorer.exe
PID 1108 wrote to memory of 1036	1108	explorer.exe	reg.exe
PID 1108 wrote to memory of 1036	1108	explorer.exe	reg.exe
PID 1108 wrote to memory of 1036	1108	explorer.exe	reg.exe
PID 1108 wrote to memory of 1036	1108	explorer.exe	reg.exe
PID 1108 wrote to memory of 1368	1108	explorer.exe	reg.exe
PID 1108 wrote to memory of 1368	1108	explorer.exe	reg.exe
PID 1108 wrote to memory of 1368	1108	explorer.exe	reg.exe
PID 1108 wrote to memory of 1368	1108	explorer.exe	reg.exe
PID 1188 wrote to memory of 932	1188	taskeng.exe	regsvr32.exe
PID 1188 wrote to memory of 932	1188	taskeng.exe	regsvr32.exe
PID 1188 wrote to memory of 932	1188	taskeng.exe	regsvr32.exe
PID 1188 wrote to memory of 932	1188	taskeng.exe	regsvr32.exe
PID 1188 wrote to memory of 932	1188	taskeng.exe	regsvr32.exe
PID 932 wrote to memory of 1752	932	regsvr32.exe	regsvr32.exe
PID 932 wrote to memory of 1752	932	regsvr32.exe	regsvr32.exe
PID 932 wrote to memory of 1752	932	regsvr32.exe	regsvr32.exe
PID 932 wrote to memory of 1752	932	regsvr32.exe	regsvr32.exe
PID 932 wrote to memory of 1752	932	regsvr32.exe	regsvr32.exe
PID 932 wrote to memory of 1752	932	regsvr32.exe	regsvr32.exe
PID 932 wrote to memory of 1752	932	regsvr32.exe	regsvr32.exe
PID 1108 wrote to memory of 1036	1108	explorer.exe	whoami.exe
PID 1108 wrote to memory of 1036	1108	explorer.exe	whoami.exe
PID 1108 wrote to memory of 1036	1108	explorer.exe	whoami.exe
PID 1108 wrote to memory of 1036	1108	explorer.exe	whoami.exe
PID 1108 wrote to memory of 1128	1108	explorer.exe	cmd.exe
PID 1108 wrote to memory of 1128	1108	explorer.exe	cmd.exe
PID 1108 wrote to memory of 1128	1108	explorer.exe	cmd.exe
PID 1108 wrote to memory of 1128	1108	explorer.exe	cmd.exe
PID 1108 wrote to memory of 836	1108	explorer.exe	arp.exe
PID 1108 wrote to memory of 836	1108	explorer.exe	arp.exe
PID 1108 wrote to memory of 836	1108	explorer.exe	arp.exe
PID 1108 wrote to memory of 836	1108	explorer.exe	arp.exe
PID 1108 wrote to memory of 1692	1108	explorer.exe	ipconfig.exe
PID 1108 wrote to memory of 1692	1108	explorer.exe	ipconfig.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dexc.ocx.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dexc.ocx.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn yksbgla /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\dexc.ocx.dll\"" /SC ONCE /Z /ST 09:54 /ET 10:06
4⤵
- Creates scheduled task(s)
PID:1848

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\dexc.ocx.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\dexc.ocx.dll"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Umfyfrttsgcn" /d "0"
4⤵
PID:1036

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Uwfuiorllue" /d "0"
4⤵
PID:1368

C:\Windows\SysWOW64\whoami.exe
whoami /all
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Windows\SysWOW64\cmd.exe
cmd /c set
4⤵
PID:1128

C:\Windows\SysWOW64\arp.exe
arp -a
4⤵
PID:836

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
4⤵
- Gathers network information
PID:1692

C:\Windows\SysWOW64\net.exe
net view /all
4⤵
- Discovers systems in the same network
PID:1752

C:\Windows\SysWOW64\nslookup.exe
nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.WORKGROUP
4⤵
PID:1896

C:\Windows\SysWOW64\net.exe
net share
4⤵
PID:1172

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share
5⤵
PID:872

C:\Windows\SysWOW64\route.exe
route print
4⤵
PID:1808

C:\Windows\SysWOW64\netstat.exe
netstat -nao
4⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\SysWOW64\net.exe
net localgroup
4⤵
PID:1620

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup
5⤵
PID:1676

C:\Windows\system32\taskeng.exe
taskeng.exe {A77D333D-1B14-4407-AE02-C3B9178F9945} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\dexc.ocx.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:932

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\dexc.ocx.dll"
3⤵
PID:1752

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Command-Line Interface

1

T1059

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dexc.ocx.dll
MD5
74335b83254eeff621dd7bea844eb859

SHA1
b004da994afd349eec84ef0a579ca9785f6f496d

SHA256
5f04c44de516e644115ad8094afbdab4b52ce6e46a848aeb7cf634ad471e4ac0

SHA512
edece82d4cb1a8c8d7f5d43ffa7920ff0cb8c61154c5b06d9b3d48a52b0a08a4ce0c0610957d1ca4d5ae6d99e4a4f441da3a2a56eec3e123666742c59905c44e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dexc.ocx.dll
MD5
01b8a974f93befd9725b5f7f5b27e029

SHA1
91eca55d0a72e1fa3e4d28df748f029da44dc03c

SHA256
90a59ab0372737c3d1536ed00213d96cd23f1fd5209843f1d2539fb493da588c

SHA512
2d2a1a254e4628fe1ddd15b63f16896033430f6fb9631dee1f76f51acfe00ae35e4c67f57af82770d33acf6454fe88ef58cad0c228f978b4f3791f6a2fa10d30

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\dexc.ocx.dll
MD5
74335b83254eeff621dd7bea844eb859

SHA1
b004da994afd349eec84ef0a579ca9785f6f496d

SHA256
5f04c44de516e644115ad8094afbdab4b52ce6e46a848aeb7cf634ad471e4ac0

SHA512
edece82d4cb1a8c8d7f5d43ffa7920ff0cb8c61154c5b06d9b3d48a52b0a08a4ce0c0610957d1ca4d5ae6d99e4a4f441da3a2a56eec3e123666742c59905c44e

Download Submit
memory/1108-80-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/1116-75-0x00000000002E0000-0x0000000000301000-memory.dmp

Filesize
132KB

Download
memory/1116-73-0x00000000002E0000-0x0000000000301000-memory.dmp

Filesize
132KB

Download
memory/1116-74-0x00000000002E0000-0x0000000000301000-memory.dmp

Filesize
132KB

Download
memory/1116-72-0x00000000002E0000-0x0000000000301000-memory.dmp

Filesize
132KB

Download
memory/1116-71-0x00000000002E0000-0x0000000000301000-memory.dmp

Filesize
132KB

Download
memory/1116-70-0x00000000009B0000-0x0000000000A50000-memory.dmp

Filesize
640KB

Download
memory/1444-59-0x0000000000410000-0x0000000000431000-memory.dmp

Filesize
132KB

Download
memory/1444-61-0x0000000000410000-0x0000000000431000-memory.dmp

Filesize
132KB

Download
memory/1444-60-0x0000000000330000-0x0000000000373000-memory.dmp

Filesize
268KB

Download
memory/1444-54-0x0000000075E01000-0x0000000075E03000-memory.dmp

Filesize
8KB

Download
memory/1444-58-0x0000000000410000-0x0000000000431000-memory.dmp

Filesize
132KB

Download
memory/1444-57-0x0000000000410000-0x0000000000431000-memory.dmp

Filesize
132KB

Download
memory/1444-56-0x0000000000410000-0x0000000000431000-memory.dmp

Filesize
132KB

Download
memory/1444-55-0x0000000000280000-0x0000000000320000-memory.dmp

Filesize
640KB

Download
memory/1684-65-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1684-64-0x0000000074DD1000-0x0000000074DD3000-memory.dmp

Filesize
8KB

Download
memory/1684-62-0x0000000000130000-0x0000000000132000-memory.dmp

Filesize
8KB

Download
memory/1868-66-0x000007FEFC141000-0x000007FEFC143000-memory.dmp

Filesize
8KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads