qakbot | 741ad4a402ca98e0c777ad3cfffa55cfbd75d7af2f23f9dad63d0ed236eeba44

General

Target

2a00d95b47cb04f233ce7351b842234410ec89c455f7515e8234b4d350b99406.html
Size

839KB
MD5

6742059d39462d81438ef4d97af53d43
SHA1

f6441fe1691cc77b400fadf210db421ada166b18
SHA256

2a00d95b47cb04f233ce7351b842234410ec89c455f7515e8234b4d350b99406
SHA512

ba92c3fbcb62c15008f146fde736fea857da02d776b13b8992ab8cbfce62d1ab1046e0cb0b1373d5092a4f9040853268df8bfda5e6faa14c970ce2e2a1a43ba5

Score

10^/10

qakbot obama199 1657265474 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.780

Botnet

obama199

Campaign

1657265474

C2

121.7.223.45:2222

67.209.195.198:443

148.64.96.100:443

92.132.132.81:2222

217.128.122.65:2222

47.180.172.159:443

173.174.216.62:443

70.46.220.114:443

32.221.224.140:995

69.14.172.24:443

117.248.109.38:21

94.59.15.180:2222

38.70.253.226:2222

217.165.157.202:995

41.228.22.180:443

67.165.206.193:993

172.115.177.204:2222

186.90.153.162:2222

47.23.89.60:993

120.150.218.241:995

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

468 regsvr32.exe
1548 regsvr32.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1956 schtasks.exe

pid	process
1956	schtasks.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = d0ab05d3a297d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f00b79e9a297d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "364582831"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0F5E7621-0396-11ED-BA7D-66DE0394A5F7} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e22113735f0a1f4cbb35e0cafcd63bd30000000002000000000010660000000100002000000034a69961a420f1c1f0dfcbe0ec34b9715f22920fb68311f5c9780c8e0769b76e000000000e80000000020000200000004f30361eb023d8a349ae224746967eeddbe85b87971c815a8a98b7e7d843bb7a200000001c7880420507406ab5bf2d397cad119b323af1e70fd0831c34eb8524eb1815724000000052d577e51044a1a86b06d8a55af7b16c2477d3d07e2a57088af53382f3acb8521ecfa7e0c5cf8c8858ef9545645710198080d45f888f4e9b5f516667bfcb3ccd	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e22113735f0a1f4cbb35e0cafcd63bd300000000020000000000106600000001000020000000754afb53de071b7e91cc68adaac2c049fe4a8be40910afdfcc15dc0741f76c49000000000e8000000002000020000000d523f3eb9c2afdf2b310402e6309ab08ec23af885ee2188153b3fb69c0373ee8900000004acf3efdcb5643df0704c0e71e36f5c4539a3fa300d641623d60d5f50b82666a3a56020dc6b892179b2e45e5688cc93b2f39eade8cd7cad9817babcee46c1f38bb0b8b321c2f6cd3e7cfcc13dbcc13c1e867f71b3891d46d158c41392e34408650ef32890d50822ae9d7bd870dca0ac2d50a7d2e837e67634c21e713775973ea1ffc7d276236662c21e8b5b92d567b6d400000001c32a8742a2008499918f7cd6d0609ea82d427d5a7cfbf58b5b373e7810623740eb45a9d61440fd5eb954f0ba58b0269d99550d8d76ac3c0a4968c83f749c184	iexplore.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = f042fd4ba397d801	powershell.exe

Modifies registry class 2 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exeexplorer.exeregsvr32.exepowershell.exe

pid	process
468	regsvr32.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1548	regsvr32.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1516	powershell.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

468 regsvr32.exe
1548 regsvr32.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

AUDIODG.EXE7zG.exepowershell.exe

description	pid	process
Token: 33	1224	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1224	AUDIODG.EXE
Token: 33	1224	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1224	AUDIODG.EXE
Token: SeRestorePrivilege	432	7zG.exe
Token: 35	432	7zG.exe
Token: SeSecurityPrivilege	432	7zG.exe
Token: SeSecurityPrivilege	432	7zG.exe
Token: SeDebugPrivilege	1516	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

iexplore.exe7zG.exe

pid process

1084 iexplore.exe
1084 iexplore.exe
432 7zG.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

iexplore.exeIEXPLORE.EXEAcroRd32.exe

pid process

1084 iexplore.exe
1084 iexplore.exe
1704 IEXPLORE.EXE
1704 IEXPLORE.EXE
528 AcroRd32.exe
528 AcroRd32.exe
1704 IEXPLORE.EXE
1704 IEXPLORE.EXE

pid	process
1084	iexplore.exe
1084	iexplore.exe
432	7zG.exe

pid	process
1084	iexplore.exe
1084	iexplore.exe
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE
528	AcroRd32.exe
528	AcroRd32.exe
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

iexplore.exerundll32.exeregsvr32.exeregsvr32.exeexplorer.exeregsvr32.exeregsvr32.exetaskeng.exe

description	pid	process	target process
PID 1084 wrote to memory of 1704	1084	iexplore.exe	IEXPLORE.EXE
PID 1084 wrote to memory of 1704	1084	iexplore.exe	IEXPLORE.EXE
PID 1084 wrote to memory of 1704	1084	iexplore.exe	IEXPLORE.EXE
PID 1084 wrote to memory of 1704	1084	iexplore.exe	IEXPLORE.EXE
PID 1084 wrote to memory of 1064	1084	iexplore.exe	rundll32.exe
PID 1084 wrote to memory of 1064	1084	iexplore.exe	rundll32.exe
PID 1084 wrote to memory of 1064	1084	iexplore.exe	rundll32.exe
PID 1064 wrote to memory of 528	1064	rundll32.exe	AcroRd32.exe
PID 1064 wrote to memory of 528	1064	rundll32.exe	AcroRd32.exe
PID 1064 wrote to memory of 528	1064	rundll32.exe	AcroRd32.exe
PID 1064 wrote to memory of 528	1064	rundll32.exe	AcroRd32.exe
PID 1292 wrote to memory of 468	1292	regsvr32.exe	regsvr32.exe
PID 1292 wrote to memory of 468	1292	regsvr32.exe	regsvr32.exe
PID 1292 wrote to memory of 468	1292	regsvr32.exe	regsvr32.exe
PID 1292 wrote to memory of 468	1292	regsvr32.exe	regsvr32.exe
PID 1292 wrote to memory of 468	1292	regsvr32.exe	regsvr32.exe
PID 1292 wrote to memory of 468	1292	regsvr32.exe	regsvr32.exe
PID 1292 wrote to memory of 468	1292	regsvr32.exe	regsvr32.exe
PID 468 wrote to memory of 1876	468	regsvr32.exe	explorer.exe
PID 468 wrote to memory of 1876	468	regsvr32.exe	explorer.exe
PID 468 wrote to memory of 1876	468	regsvr32.exe	explorer.exe
PID 468 wrote to memory of 1876	468	regsvr32.exe	explorer.exe
PID 468 wrote to memory of 1876	468	regsvr32.exe	explorer.exe
PID 468 wrote to memory of 1876	468	regsvr32.exe	explorer.exe
PID 1876 wrote to memory of 1956	1876	explorer.exe	schtasks.exe
PID 1876 wrote to memory of 1956	1876	explorer.exe	schtasks.exe
PID 1876 wrote to memory of 1956	1876	explorer.exe	schtasks.exe
PID 1876 wrote to memory of 1956	1876	explorer.exe	schtasks.exe
PID 1824 wrote to memory of 1548	1824	regsvr32.exe	regsvr32.exe
PID 1824 wrote to memory of 1548	1824	regsvr32.exe	regsvr32.exe
PID 1824 wrote to memory of 1548	1824	regsvr32.exe	regsvr32.exe
PID 1824 wrote to memory of 1548	1824	regsvr32.exe	regsvr32.exe
PID 1824 wrote to memory of 1548	1824	regsvr32.exe	regsvr32.exe
PID 1824 wrote to memory of 1548	1824	regsvr32.exe	regsvr32.exe
PID 1824 wrote to memory of 1548	1824	regsvr32.exe	regsvr32.exe
PID 1548 wrote to memory of 1488	1548	regsvr32.exe	explorer.exe
PID 1548 wrote to memory of 1488	1548	regsvr32.exe	explorer.exe
PID 1548 wrote to memory of 1488	1548	regsvr32.exe	explorer.exe
PID 1548 wrote to memory of 1488	1548	regsvr32.exe	explorer.exe
PID 1548 wrote to memory of 1488	1548	regsvr32.exe	explorer.exe
PID 1548 wrote to memory of 1488	1548	regsvr32.exe	explorer.exe
PID 884 wrote to memory of 1516	884	taskeng.exe	powershell.exe
PID 884 wrote to memory of 1516	884	taskeng.exe	powershell.exe
PID 884 wrote to memory of 1516	884	taskeng.exe	powershell.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\2a00d95b47cb04f233ce7351b842234410ec89c455f7515e8234b4d350b99406.html
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1084

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1084 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1704

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Downloads\FXS_5979900
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1064

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\FXS_5979900"
3⤵
- Suspicious use of SetWindowsHookEx
PID:528

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1916

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x564
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Windows\System32\isoburn.exe
"C:\Windows\System32\isoburn.exe" "C:\Users\Admin\Downloads\FXS_5979900\1395\FXS_5979900.iso"
1⤵
PID:1464

C:\Windows\System32\isoburn.exe
"C:\Windows\System32\isoburn.exe" "C:\Users\Admin\Downloads\FXS_5979900\1395\FXS_5979900.iso"
1⤵
PID:1696

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\FXS_5979900\1395\" -an -ai#7zMap14821:118:7zEvent17145
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:432

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" data\assets\images\ilHD.dat
1⤵
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\SysWOW64\regsvr32.exe
data\assets\images\ilHD.dat
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:468

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /Z /ST 17:01 /tn jupgyfodj /ET 17:12 /tr "powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEQAbwB3AG4AbABvAGEAZABzAFwARgBYAFMAXwA1ADkANwA5ADkAMAAwAFwAMQAzADkANQBcAGQAYQB0AGEAXABhAHMAcwBlAHQAcwBcAGkAbQBhAGcAZQBzAFwAaQBsAEgARAAuAGQAYQB0ACIA" /SC ONCE
4⤵
- Creates scheduled task(s)
PID:1956

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" data\assets\images\ilHD.dat
1⤵
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\SysWOW64\regsvr32.exe
data\assets\images\ilHD.dat
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
PID:1488

C:\Windows\system32\taskeng.exe
taskeng.exe {55EBF041-58CB-40D0-87DC-CB4A1063B418} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEQAbwB3AG4AbABvAGEAZABzAFwARgBYAFMAXwA1ADkANwA5ADkAMAAwAFwAMQAzADkANQBcAGQAYQB0AGEAXABhAHMAcwBlAHQAcwBcAGkAbQBhAGcAZQBzAFwAaQBsAEgARAAuAGQAYQB0AC
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
941e4f10a7608ad6cda011f0c8ba7d1d

SHA1
b90a13c277e9578673fd2861b62539c38b7ffa2e

SHA256
606f5c5ec6f107925c8baeb6b411b4f6d7ff8e253aa9e9f09989387a8cc95c86

SHA512
d9e1e68bf4f769b5569296e52dc0e8f80b1967d9ce861906c1c04cee5b591106a0cab57689093ef86c526e0ac65453ad172217ecc3f2e3e79edd0564661430b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Z0IY7AWK.txt
Filesize
604B

MD5
617bee706999ddeb84ab8c419e570378

SHA1
2fce76c3673dfa160a71074f777417078c7b95b9

SHA256
fb0865873adcd514262aa9bda74a9b0b0a092d5756673cedf69631c1583662c0

SHA512
c9c45a00d228f068a06cf70b642258e1dc70c7dcdc29edbaadfe1b81e0b414427164348309ffb47c505f922f5f423c77fbf710d2d5d18c499de195598e6da144

Download Submit
C:\Users\Admin\Downloads\FXS_5979900.3n9i74q.partial
Filesize
457KB

MD5
f9df78130be1d212ded36a820be9d61b

SHA1
e0abc1483e65d83fe3414fc8ecc734473a0d9b78

SHA256
d3355c4e4f690977831dbdb223cfb0b861cc6f06cf359e2da88efa6e205d13d0

SHA512
0bad7d5ca6fcc6228efbe88eea952cf1cf763c459403f44fae9cc9e0fa3a6709ed1154ddf8183965c32202feb2142291e9f995be7ddcd10258bbcba63390a7ae

Download Submit
C:\Users\Admin\Downloads\FXS_5979900\1395\data\assets\images\ilHD.dat
Filesize
670KB

MD5
1f7dd197ecf193e23a0c329568c65696

SHA1
556615a28102c40f67c9d09c828675bdb950557a

SHA256
01090ff0d968128575357b9841a3a8d6837b6e13c7b309f656f4543a2181b551

SHA512
221c549f6e9e3f3e96957bcf84085a5882efc394e16a6d9a445c1a806f55f46cabd3ddaf2eafb6f9b6ef7821c0647ee345c27b3b000ec21abe91bf215e73fca8

Download Submit
C:\Users\Admin\Downloads\FXS_5979900\1395\data\assets\images\ilHD.dat
Filesize
670KB

MD5
1f7dd197ecf193e23a0c329568c65696

SHA1
556615a28102c40f67c9d09c828675bdb950557a

SHA256
01090ff0d968128575357b9841a3a8d6837b6e13c7b309f656f4543a2181b551

SHA512
221c549f6e9e3f3e96957bcf84085a5882efc394e16a6d9a445c1a806f55f46cabd3ddaf2eafb6f9b6ef7821c0647ee345c27b3b000ec21abe91bf215e73fca8

Download Submit
\Users\Admin\Downloads\FXS_5979900\1395\DATA\ASSETS\IMAGES\ILHD.DAT
Filesize
670KB

MD5
1f7dd197ecf193e23a0c329568c65696

SHA1
556615a28102c40f67c9d09c828675bdb950557a

SHA256
01090ff0d968128575357b9841a3a8d6837b6e13c7b309f656f4543a2181b551

SHA512
221c549f6e9e3f3e96957bcf84085a5882efc394e16a6d9a445c1a806f55f46cabd3ddaf2eafb6f9b6ef7821c0647ee345c27b3b000ec21abe91bf215e73fca8

Download Submit
\Users\Admin\Downloads\FXS_5979900\1395\DATA\ASSETS\IMAGES\ILHD.DAT
Filesize
670KB

MD5
1f7dd197ecf193e23a0c329568c65696

SHA1
556615a28102c40f67c9d09c828675bdb950557a

SHA256
01090ff0d968128575357b9841a3a8d6837b6e13c7b309f656f4543a2181b551

SHA512
221c549f6e9e3f3e96957bcf84085a5882efc394e16a6d9a445c1a806f55f46cabd3ddaf2eafb6f9b6ef7821c0647ee345c27b3b000ec21abe91bf215e73fca8

Download Submit
memory/468-74-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/468-80-0x00000000002D0000-0x00000000002F2000-memory.dmp

Filesize
136KB

Download
memory/468-70-0x0000000001E70000-0x0000000001F1A000-memory.dmp

Filesize
680KB

Download
memory/468-71-0x00000000002D0000-0x00000000002F2000-memory.dmp

Filesize
136KB

Download
memory/468-73-0x00000000002D0000-0x00000000002F2000-memory.dmp

Filesize
136KB

Download
memory/468-72-0x00000000002D0000-0x00000000002F2000-memory.dmp

Filesize
136KB

Download
memory/468-75-0x00000000002D0000-0x00000000002F2000-memory.dmp

Filesize
136KB

Download
memory/468-76-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/468-67-0x0000000000000000-mapping.dmp

Download
memory/528-58-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/528-57-0x0000000000000000-mapping.dmp

Download
memory/1064-56-0x000007FEFB8E1000-0x000007FEFB8E3000-memory.dmp

Filesize
8KB

Download
memory/1064-55-0x0000000000000000-mapping.dmp

Download
memory/1488-101-0x00000000000E0000-0x0000000000102000-memory.dmp

Filesize
136KB

Download
memory/1488-100-0x00000000000E0000-0x0000000000102000-memory.dmp

Filesize
136KB

Download
memory/1488-96-0x0000000000000000-mapping.dmp

Download
memory/1516-105-0x000007FEF2B60000-0x000007FEF36BD000-memory.dmp

Filesize
11.4MB

Download
memory/1516-106-0x0000000001124000-0x0000000001127000-memory.dmp

Filesize
12KB

Download
memory/1516-104-0x000007FEF36C0000-0x000007FEF40E3000-memory.dmp

Filesize
10.1MB

Download
memory/1516-102-0x0000000000000000-mapping.dmp

Download
memory/1516-107-0x0000000001124000-0x0000000001127000-memory.dmp

Filesize
12KB

Download
memory/1548-93-0x00000000001F0000-0x0000000000270000-memory.dmp

Filesize
512KB

Download
memory/1548-89-0x00000000003A0000-0x000000000044A000-memory.dmp

Filesize
680KB

Download
memory/1548-92-0x00000000002A0000-0x00000000002C2000-memory.dmp

Filesize
136KB

Download
memory/1548-94-0x00000000002A0000-0x00000000002C2000-memory.dmp

Filesize
136KB

Download
memory/1548-95-0x00000000001F0000-0x0000000000270000-memory.dmp

Filesize
512KB

Download
memory/1548-90-0x00000000002A0000-0x00000000002C2000-memory.dmp

Filesize
136KB

Download
memory/1548-99-0x00000000002A0000-0x00000000002C2000-memory.dmp

Filesize
136KB

Download
memory/1548-91-0x00000000002A0000-0x00000000002C2000-memory.dmp

Filesize
136KB

Download
memory/1548-86-0x0000000000000000-mapping.dmp

Download
memory/1876-83-0x00000000000E0000-0x0000000000102000-memory.dmp

Filesize
136KB

Download
memory/1876-81-0x00000000000E0000-0x0000000000102000-memory.dmp

Filesize
136KB

Download
memory/1876-79-0x0000000070F61000-0x0000000070F63000-memory.dmp

Filesize
8KB

Download
memory/1876-77-0x0000000000000000-mapping.dmp

Download
memory/1956-82-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads