qakbot | 4a59695c3c4af42c92808e4caf4160b9aa76ba84d8a917d05e9d4a06b0fc4f3f

General

Target

111.dll
Size

1.8MB
MD5

d12984d1fd1dcf63026ed1e6ebfe528a
SHA1

853a8d074df6e31219a8aff36843b9c4c06fce85
SHA256

4a59695c3c4af42c92808e4caf4160b9aa76ba84d8a917d05e9d4a06b0fc4f3f
SHA512

370a0530c2553046a5664152e939ff6a55e77e2b6646d29edde4e44072da271cdc4b13ec8066cb6af2d8b2ad0c737adb36c817d969038716b0adfb5620e44f46

Score

10^/10

qakbot bhs02 1643626574 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.10

Botnet

bhs02

Campaign

1643626574

C2

37.186.54.18:995

182.191.92.203:995

67.209.195.198:443

186.64.87.224:443

31.167.160.170:443

96.246.158.154:995

86.98.47.119:61200

75.156.151.34:443

45.9.20.200:443

76.23.237.163:995

78.96.235.245:443

102.65.38.67:443

89.211.184.52:2222

193.251.59.245:2222

94.60.254.81:443

24.222.20.254:443

114.79.148.170:443

94.59.253.222:2222

129.208.150.26:995

103.139.242.30:990

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1540 regsvr32.exe

pid	process
1540	regsvr32.exe

Drops file in System32 directory 6 IoCs

Processes:

explorer.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	explorer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	explorer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	explorer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	explorer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	explorer.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\t4[1]	explorer.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1996 schtasks.exe

pid	process
1996	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Cugakfeqioy\848bab19 = ced1cf5c96d3e424237845826706ccc5cbf4f08677f1f52f3a38ecf02480b137e8ce5cc6f1cf0e76962ff9f4b65b7bbc2b063f9c99a520ca8dee2d4bc1c46fd52e8b69756f5981edb6ae849e608b1a9055d6e66b23e0e2b0bdc710f6b1826e2a68f9bf147c407d58a4256417d585d637dafbadc7d5288361506f4259d69932b248fbbd55b930be6abe3e49decbf5a2f5d79f7c3fe88b564941791f7453398f25547d8b0a9ddd7c8c071c8038efec3e20ca30d6ca5f579d76a2a577e934373cbaf5e3af677722708042de	explorer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-a4-fd-41-45-2b\WpadDecisionTime = 90d49fdfe416d801	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	explorer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-a4-fd-41-45-2b\WpadDetectedUrl	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9D88A58B-1C38-472B-A2BB-31DAF66B98F9}\WpadDecisionTime = 90ae3f74e516d801	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Cugakfeqioy\437ea38a = d215c9c8f1b4a02bf4ad82f114a025997403d61e04079832e1f2872c06dc6a2817aa10b08474	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Cugakfeqioy\fbc2c4ef = 707becb699a60e54ed1fb7209ab5c0ec7c7bc7a84fbcf56ebefb68f9555c12aff3ed49ddd0d1	explorer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-a4-fd-41-45-2b\WpadDecisionReason = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f000b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Cugakfeqioy\ce5d14a1 = 68d6e9aee09c77812500abb10870d780b95de3228c8bce0bb746c4da0d69aac43db98e913e351fe156	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000009000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f000b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Cugakfeqioy\b1147b57 = 306b2779c485dd51a5d4d6cc8fa84aee7e1434dcfd1ff151c39306045bb79156b109c4439de916423a9e80614470d66025316cb2dc06d25d20238d4061f223485840f031bb19c9f586aac86c96e6606859c25cbbd385dab5f42a9e9184bee9bffb010d9d0e9e87d315a97070a80316ac3ae62acf9f2c93a16dc35c0ce49a81222497b549e16b7c0b59	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-a4-fd-41-45-2b	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-a4-fd-41-45-2b\WpadDecisionTime = f064fe34e616d801	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Cugakfeqioy\b1147b57 = 306b2779c485dd51a5d4d6cc8fa84aee791132d1fd1ff151c39306045bb79156b60dc7409de916423a9e80614470d66025316cb2dc06d25d20238d4061f223485840f031bb19c9f586aac86c96e6606859c25cbbd385dab5f42a9e9184bee9bffb010d9d0e9e87d315a97070a80316ac3ae62acf9f2c93a16dc35c0ce49a81222497b549e16b7c0b59	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Cugakfeqioy\b1147b57 = 306b2779c485dd51a5d4d6cc8fa84aee781d31ddfd1ff151c39306045bb79156b60bc9479de916423a9e80614470d66025316cb2dc06d25d20238d4061f223485840f031bb19c9f586aac86c96e6606859c25cbbd385dab5f42a9e9184bee9bffb010d9d0e9e87d315a97070a80316ac3ae62acf9f2c93a16dc35c0ce49a81222497b549e16b7c0b59	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Cugakfeqioy\b1147b57 = 306b2779c485dd51a5d4d6cc8fa84aee79123cd1fd1ff151c39306045bb79156b10bc5419de916423a9e80614470d66025316cb2dc06d25d20238d4061f223485840f031bb19c9f586aac86c96e6606859c25cbbd385dab5f42a9e9184bee9bffb010d9d0e9e87d315a97070a80316ac3ae62acf9f2c93a16dc35c0ce49a81222497b549e16b7c0b59	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Cugakfeqioy\b1147b57 = 306b2779c485dd51a5d4d6cc8fa84aee781d31ddfd1ff151c39306045bb79156b702c0489de916423a9e80614470d66025316cb2dc06d25d20238d4061f223485840f031bb19c9f586aac86c96e6606859c25cbbd385dab5f42a9e9184bee9bffb010d9d0e9e87d315a97070a80316ac3ae62acf9f2c93a16dc35c0ce49a81222497b549e16b7c0b59	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9D88A58B-1C38-472B-A2BB-31DAF66B98F9}\WpadDecisionTime = 10d47669e616d801	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-a4-fd-41-45-2b\WpadDecisionTime = 1093530be516d801	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-a4-fd-41-45-2b\WpadDecisionTime = 50ce3a3fe516d801	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000005000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f000b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Cugakfeqioy\b1147b57 = 306b2779c485dd51a5d4d6cc8fa84aee79123cd1fd1ff151c39306045bb79156b60dc7409de916423a9e80614470d66025316cb2dc06d25d20238d4061f223485840f031bb19c9f586aac86c96e6606859c25cbbd385dab5f42a9e9184bee9bffb010d9d0e9e87d315a97070a80316ac3ae62acf9f2c93a16dc35c0ce49a81222497b549e16b7c0b59	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f000b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Cugakfeqioy\b1147b57 = 306b2779c485dd51a5d4d6cc8fa84aee791433d8fd1ff151c39306045bb79156b609c8499de916423a9e80614470d66025316cb2dc06d25d20238d4061f223485840f031bb19c9f586aac86c96e6606859c25cbbd385dab5f42a9e9184bee9bffb010d9d0e9e87d315a97070a80316ac3ae62acf9f2c93a16dc35c0ce49a81222497b549e16b7c0b59	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Cugakfeqioy\b1147b57 = 306b2779c485dd51a5d4d6cc8fa84aee7e1136dbfd1ff151c39306045bb79156b10fc3429de916423a9e80614470d66025316cb2dc06d25d20238d4061f223485840f031bb19c9f586aac86c96e6606859c25cbbd385dab5f42a9e9184bee9bffb010d9d0e9e87d315a97070a80316ac3ae62acf9f2c93a16dc35c0ce49a81222497b549e16b7c0b59	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-a4-fd-41-45-2b\WpadDecision = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9D88A58B-1C38-472B-A2BB-31DAF66B98F9}\WpadDecisionTime = 1093530be516d801	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Cugakfeqioy\b1147b57 = 306b2779c485dd51a5d4d6cc8fa84aee781037dafd1ff151c39306045bb79156b70cc1469de916423a9e80614470d66025316cb2dc06d25d20238d4061f223485840f031bb19c9f586aac86c96e6606859c25cbbd385dab5f42a9e9184bee9bffb010d9d0e9e87d315a97070a80316ac3ae62acf9f2c93a16dc35c0ce49a81222497b549e16b7c0b59	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Cugakfeqioy\86ca8b65 = 50762995f0fffdf2caa56a09d9df04332946983fc27e4def1932af532c7a877e4a15f7f4bf75679b42b905f201eee019fefa3b65df8ae2809f65b99f0fa17fd125dc29c37c61039e06f5a99247a9adc29a028122fee47b1e519c1a839107b13f3897bbc24ebc8bf2a2fba65a52	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Cugakfeqioy\b1147b57 = 306b2e79c485dd51a5d4d78688a04ee9711433ddb21afc51c39c053234b62f1dc453f283838bdf370a4b03cfbb23b877bc2bb816c903c25feff44135a0b196d9bb73aca8e024098eeb952d9ddbb53695ede755231080306a9a1b375dad3e1e23d4a1912f2195acb7ad2cc1c14783b956398563f1fe2206dc55a310c3919068e9	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9D88A58B-1C38-472B-A2BB-31DAF66B98F9}	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-a4-fd-41-45-2b\WpadDecisionTime = 307704a0e616d801	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Cugakfeqioy\b1147b57 = 306b2779c485dd51a5d4d6cc8fa84aee781d31ddfd1ff151c39306045bb79156b70cc1469de916423a9e80614470d66025316cb2dc06d25d20238d4061f223485840f031bb19c9f586aac86c96e6606859c25cbbd385dab5f42a9e9184bee9bffb010d9d0e9e87d315a97070a80316ac3ae62acf9f2c93a16dc35c0ce49a81222497b549e16b7c0b59	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Cugakfeqioy\3e76ec00 = 3529aadc2df39cf06afb82932ea3318e6ea27b9909a6171114a4ac61110ea4ea52e0d0e980	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9D88A58B-1C38-472B-A2BB-31DAF66B98F9}\WpadDecisionTime = 90d49fdfe416d801	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9D88A58B-1C38-472B-A2BB-31DAF66B98F9}\42-a4-fd-41-45-2b	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000006000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f000b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Cugakfeqioy\b1147b57 = 306b2779c485dd51a5d4d6cc8fa84aee79123cd1fd1ff151c39306045bb79156b603c6429de916423a9e80614470d66025316cb2dc06d25d20238d4061f223485840f031bb19c9f586aac86c96e6606859c25cbbd385dab5f42a9e9184bee9bffb010d9d0e9e87d315a97070a80316ac3ae62acf9f2c93a16dc35c0ce49a81222497b549e16b7c0b59	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9D88A58B-1C38-472B-A2BB-31DAF66B98F9}\WpadDecisionTime = 50ce3a3fe516d801	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

580 rundll32.exe
1540 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

580 rundll32.exe
1540 regsvr32.exe

pid	process
580	rundll32.exe
1540	regsvr32.exe

pid	process
580	rundll32.exe
1540	regsvr32.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exetaskeng.exetaskeng.exeregsvr32.exe

description	pid	process	target process
PID 876 wrote to memory of 580	876	rundll32.exe	rundll32.exe
PID 876 wrote to memory of 580	876	rundll32.exe	rundll32.exe
PID 876 wrote to memory of 580	876	rundll32.exe	rundll32.exe
PID 876 wrote to memory of 580	876	rundll32.exe	rundll32.exe
PID 876 wrote to memory of 580	876	rundll32.exe	rundll32.exe
PID 876 wrote to memory of 580	876	rundll32.exe	rundll32.exe
PID 876 wrote to memory of 580	876	rundll32.exe	rundll32.exe
PID 580 wrote to memory of 836	580	rundll32.exe	explorer.exe
PID 580 wrote to memory of 836	580	rundll32.exe	explorer.exe
PID 580 wrote to memory of 836	580	rundll32.exe	explorer.exe
PID 580 wrote to memory of 836	580	rundll32.exe	explorer.exe
PID 580 wrote to memory of 836	580	rundll32.exe	explorer.exe
PID 580 wrote to memory of 836	580	rundll32.exe	explorer.exe
PID 836 wrote to memory of 1996	836	explorer.exe	schtasks.exe
PID 836 wrote to memory of 1996	836	explorer.exe	schtasks.exe
PID 836 wrote to memory of 1996	836	explorer.exe	schtasks.exe
PID 836 wrote to memory of 1996	836	explorer.exe	schtasks.exe
PID 1568 wrote to memory of 1796	1568	taskeng.exe	regsvr32.exe
PID 1568 wrote to memory of 1796	1568	taskeng.exe	regsvr32.exe
PID 1568 wrote to memory of 1796	1568	taskeng.exe	regsvr32.exe
PID 1568 wrote to memory of 1796	1568	taskeng.exe	regsvr32.exe
PID 1568 wrote to memory of 1796	1568	taskeng.exe	regsvr32.exe
PID 1796 wrote to memory of 1540	1796	regsvr32.exe	regsvr32.exe
PID 1796 wrote to memory of 1540	1796	regsvr32.exe	regsvr32.exe
PID 1796 wrote to memory of 1540	1796	regsvr32.exe	regsvr32.exe
PID 1796 wrote to memory of 1540	1796	regsvr32.exe	regsvr32.exe
PID 1796 wrote to memory of 1540	1796	regsvr32.exe	regsvr32.exe
PID 1796 wrote to memory of 1540	1796	regsvr32.exe	regsvr32.exe
PID 1796 wrote to memory of 1540	1796	regsvr32.exe	regsvr32.exe
PID 1540 wrote to memory of 1272	1540	regsvr32.exe	explorer.exe
PID 1540 wrote to memory of 1272	1540	regsvr32.exe	explorer.exe
PID 1540 wrote to memory of 1272	1540	regsvr32.exe	explorer.exe
PID 1540 wrote to memory of 1272	1540	regsvr32.exe	explorer.exe
PID 1540 wrote to memory of 1272	1540	regsvr32.exe	explorer.exe
PID 1540 wrote to memory of 1272	1540	regsvr32.exe	explorer.exe
PID 1272 wrote to memory of 1816	1272	explorer.exe	reg.exe
PID 1272 wrote to memory of 1816	1272	explorer.exe	reg.exe
PID 1272 wrote to memory of 1816	1272	explorer.exe	reg.exe
PID 1272 wrote to memory of 1816	1272	explorer.exe	reg.exe
PID 1272 wrote to memory of 1456	1272	explorer.exe	reg.exe
PID 1272 wrote to memory of 1456	1272	explorer.exe	reg.exe
PID 1272 wrote to memory of 1456	1272	explorer.exe	reg.exe
PID 1272 wrote to memory of 1456	1272	explorer.exe	reg.exe
PID 1156 wrote to memory of 1648	1156	taskeng.exe	default-browser-agent.exe
PID 1156 wrote to memory of 1648	1156	taskeng.exe	default-browser-agent.exe
PID 1156 wrote to memory of 1648	1156	taskeng.exe	default-browser-agent.exe
PID 1144 wrote to memory of 944	1144	taskeng.exe	regsvr32.exe
PID 1144 wrote to memory of 944	1144	taskeng.exe	regsvr32.exe
PID 1144 wrote to memory of 944	1144	taskeng.exe	regsvr32.exe
PID 1144 wrote to memory of 944	1144	taskeng.exe	regsvr32.exe
PID 1144 wrote to memory of 944	1144	taskeng.exe	regsvr32.exe
PID 944 wrote to memory of 1748	944	regsvr32.exe	regsvr32.exe
PID 944 wrote to memory of 1748	944	regsvr32.exe	regsvr32.exe
PID 944 wrote to memory of 1748	944	regsvr32.exe	regsvr32.exe
PID 944 wrote to memory of 1748	944	regsvr32.exe	regsvr32.exe
PID 944 wrote to memory of 1748	944	regsvr32.exe	regsvr32.exe
PID 944 wrote to memory of 1748	944	regsvr32.exe	regsvr32.exe
PID 944 wrote to memory of 1748	944	regsvr32.exe	regsvr32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\111.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\111.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn snzuglu /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\111.dll\"" /SC ONCE /Z /ST 20:49 /ET 21:01
4⤵
- Creates scheduled task(s)
PID:1996

C:\Windows\system32\taskeng.exe
taskeng.exe {0AEC113D-D115-44F7-8D71-15A44A2876FA} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\111.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\111.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Ccxmnaoeyn" /d "0"
5⤵
PID:1816

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Bdsnt" /d "0"
5⤵
PID:1456

C:\Windows\system32\taskeng.exe
taskeng.exe {253422E2-0709-490A-A6C8-5262049F2D19} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\111.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\111.dll"
3⤵
PID:1748

C:\Windows\system32\taskeng.exe
taskeng.exe {22A11272-B5AB-495F-A6ED-5CEB79D10EDE} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1156

C:\Program Files\Mozilla Firefox\default-browser-agent.exe
"C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task
2⤵
PID:1648

C:\Windows\system32\taskeng.exe
taskeng.exe {FE10F003-98EC-447C-8293-2C6CB47BB12C} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:580

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\111.dll
MD5
d12984d1fd1dcf63026ed1e6ebfe528a

SHA1
853a8d074df6e31219a8aff36843b9c4c06fce85

SHA256
4a59695c3c4af42c92808e4caf4160b9aa76ba84d8a917d05e9d4a06b0fc4f3f

SHA512
370a0530c2553046a5664152e939ff6a55e77e2b6646d29edde4e44072da271cdc4b13ec8066cb6af2d8b2ad0c737adb36c817d969038716b0adfb5620e44f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\111.dll
MD5
175a73b3d5a52f5ce8a5f92b19b1b846

SHA1
4566215ba043478ded5e48dd333c4d7e16ab65c0

SHA256
670cee9a9cbaec864f8e483b7f9e50082bfcf911e642068e7d9ef36f8bb68b7f

SHA512
e7113dc527cf295b5ede8a1a54c0141e164bebb30b1cad29afe90eeadceed67fd8e15c5839d9b87f610bd684db05ddf191ddda2146eee6d296848ab16287d089

Download Submit
\Users\Admin\AppData\Local\Temp\111.dll
MD5
d12984d1fd1dcf63026ed1e6ebfe528a

SHA1
853a8d074df6e31219a8aff36843b9c4c06fce85

SHA256
4a59695c3c4af42c92808e4caf4160b9aa76ba84d8a917d05e9d4a06b0fc4f3f

SHA512
370a0530c2553046a5664152e939ff6a55e77e2b6646d29edde4e44072da271cdc4b13ec8066cb6af2d8b2ad0c737adb36c817d969038716b0adfb5620e44f46

Download Submit
memory/580-56-0x0000000001D20000-0x0000000001EF5000-memory.dmp

Filesize
1.8MB

Download
memory/580-61-0x0000000000220000-0x0000000000490000-memory.dmp

Filesize
2.4MB

Download
memory/580-62-0x0000000000220000-0x0000000000490000-memory.dmp

Filesize
2.4MB

Download
memory/580-55-0x0000000075951000-0x0000000075953000-memory.dmp

Filesize
8KB

Download
memory/836-63-0x0000000000080000-0x0000000000082000-memory.dmp

Filesize
8KB

Download
memory/836-66-0x00000000000E0000-0x0000000000101000-memory.dmp

Filesize
132KB

Download
memory/836-65-0x0000000074EA1000-0x0000000074EA3000-memory.dmp

Filesize
8KB

Download
memory/1272-81-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1540-71-0x0000000000A40000-0x0000000000C15000-memory.dmp

Filesize
1.8MB

Download
memory/1540-73-0x00000000006E0000-0x0000000000701000-memory.dmp

Filesize
132KB

Download
memory/1540-72-0x00000000006E0000-0x0000000000701000-memory.dmp

Filesize
132KB

Download
memory/1540-75-0x00000000006E0000-0x0000000000701000-memory.dmp

Filesize
132KB

Download
memory/1540-74-0x00000000006E0000-0x0000000000701000-memory.dmp

Filesize
132KB

Download
memory/1540-80-0x00000000006E0000-0x0000000000701000-memory.dmp

Filesize
132KB

Download
memory/1540-79-0x0000000000470000-0x00000000004A1000-memory.dmp

Filesize
196KB

Download
memory/1796-67-0x000007FEFC221000-0x000007FEFC223000-memory.dmp

Filesize
8KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads