qakbot | 7565197033c48948b916cfca13a09a414e3370482f208e86b00502a0a7f5a2c4

Analysis

max time kernel
370s
max time network
356s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2022 15:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Report Jul 14 34594.html
Size

1.1MB
MD5

5703b2785b9813aaa7d361c98ca4c0ac
SHA1

b8a2d58bbd98fea5fb6f601b421445032fbe4bb6
SHA256

7565197033c48948b916cfca13a09a414e3370482f208e86b00502a0a7f5a2c4
SHA512

3bd447adc5cd3be31b313d132aead913cc04cd9daa75255fb7b43ad825c25b17604f0fa8cdab2b410f1cd071c059e3e3a651298d77cae6212c5569f3671e3c96

Score

10^/10

qakbot obama201 1657815129 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.780

Botnet

obama201

Campaign

1657815129

70.46.220.114:443

179.111.8.52:32101

208.107.221.224:443

176.45.218.138:995

24.158.23.166:995

24.54.48.11:443

89.101.97.139:443

24.55.67.176:443

24.139.72.117:443

120.150.218.241:995

174.69.215.101:443

38.70.253.226:2222

41.228.22.180:443

217.165.157.202:995

172.115.177.204:2222

173.21.10.71:2222

69.14.172.24:443

47.23.89.60:993

104.34.212.7:32103

66.230.104.103:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Executes dropped EXE 1 IoCs

Processes:

calc.exe

pid process

4928 calc.exe
Loads dropped DLL 3 IoCs

Processes:

calc.exeregsvr32.exeregsvr32.exe

pid process

4928 calc.exe
2324 regsvr32.exe
224 regsvr32.exe

pid	process
4928	calc.exe

pid	process
4928	calc.exe
2324	regsvr32.exe
224	regsvr32.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3900 schtasks.exe

pid	process
3900	schtasks.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = ec5d73f82a9dd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 42 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Height = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30974225"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{3766474D-C774-4B27-8046-AEAA18C404DC}"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3897913771"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b05ee3f311a1d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000094c858eae3d57f4bbeeb69290716aab400000000020000000000106600000001000020000000c0300adcbf6b8c472e4a0af683e83451e9d2ed6fbf29cd43414fd712d18f1f09000000000e800000000200002000000026661c038b482088d0e70e705889024090edb6c67525992f299ffb734d53287e200000003e87e45976e876614f317d311351c833afe3bffe22a8fede3ba88dda53e95f7a400000008c9c3cc8c5628fe2ebcd02108c372f92097b3e546058baddd2fcb416ab92645697186b7bf8a3ab68cbcf637ccc16a445272cc7bd55c751409a9edff31aee574d	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0fbecf311a1d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Height = "21"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30974225"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000094c858eae3d57f4bbeeb69290716aab40000000002000000000010660000000100002000000065a52e86a8d5a616352b1be9d49db971ed551f40c9aa2b6433ee1c5aa7a33396000000000e80000000020000200000001d2f491b856f21435474450dccad6eaad618378afff1c8d4f1dc31f720d0a572200000006d4dc43ad9f1fa0a56f2ea580f470b719e96cdc1ffbd705d004abe760acbf78d40000000a17b59072fa853f9b298bca63186d33980dd43fac47133c7f10f29714a0dfd5a27efec2f831af3fb730c08e1515161a8842a24982a755f8db47a0e3dd5afc2bc	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3897757446"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "365620073"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{13DF4CA7-0D05-11ED-B78D-FA7EC45B5024} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Modifies data under HKEY_USERS 51 IoCs

Processes:

powershell.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wialdpgojoxdwo\d5acdba2 = 95a0ffb3a6ae45baed9527c83c0124240a5f8fd36d45a01a5cc4d6f7c136ccbf6c07	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wialdpgojoxdwo\aae5b454 = 29e89c1266591a7fe618a73d215979bc10c259f1f3e010369335d2ff7aab3a5c05d086f1d40229c4866abccf68cb7b96bd06b542127c4b82dfdf1af891c719e1727ac1fc520b95a14912ea10	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wialdpgojoxdwo\e2722b90 = 8aee0091c1770fb7531f1691dff285504f83ea6945d81b3d04137212d5aebf5dbbe5eee79937e57bb80b313b62c04f2428e2faff96a8957205756708f3b05bf3df581e67315f1d289a018cae4f09a9197ce4c078a1fce96228726315c4ffd07588e8	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wialdpgojoxdwo\9f7a641a = d7ddaa6c794bab96cb26af23de0855aeb71799b2426c3a38c82ea4aa954a4456477a9a38b704a77013753f	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wialdpgojoxdwo\e0330bec = fb90815d9572624d94d7ef26912553386b5dbbb2a943e55c0ad6ce57f0fc685dd9d9100faa4331ffe7c0474d92de1a16ca02b5128676a0456441db14965359bff5eb933b85ec9d8e7d67713800a463b274d6a2c85f364110791a33a7f01dd7f2b934a6d8f77f37e764103d94083258b47c7a7d7b3a7960b2dd1e316048ccb2c3403c29976d118ecb257d1cab8b12eb08cb615a69ad48	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wialdpgojoxdwo\588f6c89 = 581d129eadf4f6de64762a03ecfa327c1e28bcf8c2aef71cfcb05fa271b042aca2fee0f205e8d7e9873b9d058f2e068c58f2f9ada0befc13f2c11ef3d2ffdaa72a0d71bc5874f2cdf195956ddae9bc17b268af9eadc638604c48a5fd00858030153f6d2cd7843847	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wialdpgojoxdwo\d5acdba2 = 95a0e8b3a6ae7679162230296006d5a13a2f2e15a107592df3015a8facba3906d5697cb1c2cfee4aa01c2538e53123b6572affbb733045	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wialdpgojoxdwo\27c6037f = c64d9b2b5f1ce3acb5ad819e480bbf1c2d68a5d5	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wialdpgojoxdwo	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wialdpgojoxdwo\5ace4cf5 = 0b390bf68b3b959a2acd40966d04ea5cdb01e8eb8059faaa3e41d3c93854a5903c98a1f8c013df3e8ba4	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe

Modifies registry class 3 IoCs

Processes:

OpenWith.exeiexplore.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exeexplorer.exe

pid	process
2324	regsvr32.exe
2324	regsvr32.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

3924 OpenWith.exe
Suspicious behavior: LoadsDriver 4 IoCs

Processes:

pid process

1324
1324
1324
1324
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

2324 regsvr32.exe
224 regsvr32.exe

pid	process
3924	OpenWith.exe

pid	process
1324
1324
1324
1324

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

AUDIODG.EXE7zG.exepowershell.exe

description	pid	process
Token: 33	1568	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1568	AUDIODG.EXE
Token: SeRestorePrivilege	100	7zG.exe
Token: 35	100	7zG.exe
Token: SeSecurityPrivilege	100	7zG.exe
Token: SeSecurityPrivilege	100	7zG.exe
Token: SeDebugPrivilege	4796	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

iexplore.exeosk.exe7zG.exe

pid process

3980 iexplore.exe
3980 iexplore.exe
4368 osk.exe
100 7zG.exe

Suspicious use of SetWindowsHookEx 59 IoCs

Processes:

iexplore.exeIEXPLORE.EXEosk.exeOpenWith.exeOpenWith.exe

pid	process
3980	iexplore.exe
3980	iexplore.exe
3452	IEXPLORE.EXE
3452	IEXPLORE.EXE
3452	IEXPLORE.EXE
3452	IEXPLORE.EXE
3452	IEXPLORE.EXE
4368	osk.exe
4368	osk.exe
4368	osk.exe
4368	osk.exe
4368	osk.exe
4368	osk.exe
4368	osk.exe
4368	osk.exe
4368	osk.exe
4368	osk.exe
4368	osk.exe
4368	osk.exe
4368	osk.exe
4368	osk.exe
4368	osk.exe
4368	osk.exe
4368	osk.exe
4368	osk.exe
3424	OpenWith.exe
3424	OpenWith.exe
3424	OpenWith.exe
3424	OpenWith.exe
3424	OpenWith.exe
3424	OpenWith.exe
3424	OpenWith.exe
3424	OpenWith.exe
3424	OpenWith.exe
3424	OpenWith.exe
3424	OpenWith.exe
3924	OpenWith.exe
3924	OpenWith.exe
3924	OpenWith.exe
3924	OpenWith.exe
3924	OpenWith.exe
3924	OpenWith.exe
3924	OpenWith.exe
3924	OpenWith.exe
3924	OpenWith.exe
3924	OpenWith.exe
3924	OpenWith.exe
3924	OpenWith.exe
3924	OpenWith.exe
3924	OpenWith.exe
3924	OpenWith.exe
3924	OpenWith.exe
3924	OpenWith.exe
3924	OpenWith.exe
3924	OpenWith.exe
3924	OpenWith.exe
3924	OpenWith.exe
3924	OpenWith.exe
3924	OpenWith.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

iexplore.execmd.execalc.exeregsvr32.exeexplorer.exeOpenWith.exepowershell.exeregsvr32.exeregsvr32.exeOpenWith.exe

description	pid	process	target process
PID 3980 wrote to memory of 3452	3980	iexplore.exe	IEXPLORE.EXE
PID 3980 wrote to memory of 3452	3980	iexplore.exe	IEXPLORE.EXE
PID 3980 wrote to memory of 3452	3980	iexplore.exe	IEXPLORE.EXE
PID 3824 wrote to memory of 4928	3824	cmd.exe	calc.exe
PID 3824 wrote to memory of 4928	3824	cmd.exe	calc.exe
PID 3824 wrote to memory of 4928	3824	cmd.exe	calc.exe
PID 4928 wrote to memory of 2324	4928	calc.exe	regsvr32.exe
PID 4928 wrote to memory of 2324	4928	calc.exe	regsvr32.exe
PID 4928 wrote to memory of 2324	4928	calc.exe	regsvr32.exe
PID 2324 wrote to memory of 2288	2324	regsvr32.exe	explorer.exe
PID 2324 wrote to memory of 2288	2324	regsvr32.exe	explorer.exe
PID 2324 wrote to memory of 2288	2324	regsvr32.exe	explorer.exe
PID 2324 wrote to memory of 2288	2324	regsvr32.exe	explorer.exe
PID 2324 wrote to memory of 2288	2324	regsvr32.exe	explorer.exe
PID 2288 wrote to memory of 3900	2288	explorer.exe	schtasks.exe
PID 2288 wrote to memory of 3900	2288	explorer.exe	schtasks.exe
PID 2288 wrote to memory of 3900	2288	explorer.exe	schtasks.exe
PID 3424 wrote to memory of 4696	3424	OpenWith.exe	NOTEPAD.EXE
PID 3424 wrote to memory of 4696	3424	OpenWith.exe	NOTEPAD.EXE
PID 4796 wrote to memory of 3236	4796	powershell.exe	regsvr32.exe
PID 4796 wrote to memory of 3236	4796	powershell.exe	regsvr32.exe
PID 3236 wrote to memory of 224	3236	regsvr32.exe	regsvr32.exe
PID 3236 wrote to memory of 224	3236	regsvr32.exe	regsvr32.exe
PID 3236 wrote to memory of 224	3236	regsvr32.exe	regsvr32.exe
PID 224 wrote to memory of 3932	224	regsvr32.exe	explorer.exe
PID 224 wrote to memory of 3932	224	regsvr32.exe	explorer.exe
PID 224 wrote to memory of 3932	224	regsvr32.exe	explorer.exe
PID 224 wrote to memory of 3932	224	regsvr32.exe	explorer.exe
PID 224 wrote to memory of 3932	224	regsvr32.exe	explorer.exe
PID 3924 wrote to memory of 664	3924	OpenWith.exe	NOTEPAD.EXE
PID 3924 wrote to memory of 664	3924	OpenWith.exe	NOTEPAD.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\Report Jul 14 34594.html"
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3980

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3980 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3452

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4836

C:\Windows\system32\osk.exe
"C:\Windows\system32\osk.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4368

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x498 0x3d8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Documents\Report Jul 14 34594\3590\" -an -ai#7zMap31012:150:7zEvent27747
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:100

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /q /c calc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3824

C:\Users\Admin\Documents\Report Jul 14 34594\3590\calc.exe
calc.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4928

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\SysWOW64\regsvr32.exe 7533.dll
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /Z /ST 17:10 /tn ftdggmxsw /ET 17:21 /tr "powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEQAbwBjAHUAbQBlAG4AdABzAFwAUgBlAHAAbwByAHQAIABKAHUAbAAgADEANAAgADMANAA1ADkANABcADMANQA5ADAAXAA3ADUAMwAzAC4AZABsAGwAIgA=" /SC ONCE
5⤵
- Creates scheduled task(s)
PID:3900

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3424

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\Report Jul 14 34594\3590\WindowsCodecs.dll
2⤵
PID:4696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEQAbwBjAHUAbQBlAG4AdABzAFwAUgBlAHAAbwByAHQAIABKAHUAbAAgADEANAAgADMANAA1ADkANABcADMANQA5ADAAXAA3ADUAMwAzAC4AZABsAGwAIgA=
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4796

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" "C:\Users\Admin\Documents\Report Jul 14 34594\3590\7533.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:3236

C:\Windows\SysWOW64\regsvr32.exe
"C:\Users\Admin\Documents\Report Jul 14 34594\3590\7533.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:224

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies data under HKEY_USERS
PID:3932

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3924

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\Report Jul 14 34594\3590\7533.dll
2⤵
PID:664

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0S6OBVY5\Report Jul 14 34594.zip.hwacl6i.partial
Filesize
696KB

MD5
e450d4fa37ecd8b85d5c56fc7b11a7d8

SHA1
806b7bd657fc12685fe56e13b6740e6179e9c083

SHA256
5369c33d8843673162fc3a76287163d51cc2aca308ec690f85479caaef4eb0cf

SHA512
3dbb800f708b4e69187432a090ea617326862e986c9f8b447862073628736fa8c0cc82bcd9b85dff9ca3b93487640a53761e0431de35ca51b1a2b44a34c95f84

Download Submit
C:\Users\Admin\Documents\Report Jul 14 34594\3590\7533.dll
Filesize
663KB

MD5
ea078c250be209724d951e13b9f10918

SHA1
b4de93a381008505dd145b5c22668b256279f0f4

SHA256
3e8d61ca0c9ff25fd8cc603a90b639e7ee58502eda75fd54da7accdd9f83a125

SHA512
c1aafffa026ee411fb7c54dd52d8a0b88ca850810d70ee7b0e77f89e6e2e266b2e59a0d14318cf6afb9b5375196473d8e4e830136240a8d0a5015592208c21ea

Download Submit
C:\Users\Admin\Documents\Report Jul 14 34594\3590\7533.dll
Filesize
663KB

MD5
ea078c250be209724d951e13b9f10918

SHA1
b4de93a381008505dd145b5c22668b256279f0f4

SHA256
3e8d61ca0c9ff25fd8cc603a90b639e7ee58502eda75fd54da7accdd9f83a125

SHA512
c1aafffa026ee411fb7c54dd52d8a0b88ca850810d70ee7b0e77f89e6e2e266b2e59a0d14318cf6afb9b5375196473d8e4e830136240a8d0a5015592208c21ea

Download Submit
C:\Users\Admin\Documents\Report Jul 14 34594\3590\7533.dll
Filesize
663KB

MD5
ea078c250be209724d951e13b9f10918

SHA1
b4de93a381008505dd145b5c22668b256279f0f4

SHA256
3e8d61ca0c9ff25fd8cc603a90b639e7ee58502eda75fd54da7accdd9f83a125

SHA512
c1aafffa026ee411fb7c54dd52d8a0b88ca850810d70ee7b0e77f89e6e2e266b2e59a0d14318cf6afb9b5375196473d8e4e830136240a8d0a5015592208c21ea

Download Submit
C:\Users\Admin\Documents\Report Jul 14 34594\3590\7533.dll
Filesize
663KB

MD5
ea078c250be209724d951e13b9f10918

SHA1
b4de93a381008505dd145b5c22668b256279f0f4

SHA256
3e8d61ca0c9ff25fd8cc603a90b639e7ee58502eda75fd54da7accdd9f83a125

SHA512
c1aafffa026ee411fb7c54dd52d8a0b88ca850810d70ee7b0e77f89e6e2e266b2e59a0d14318cf6afb9b5375196473d8e4e830136240a8d0a5015592208c21ea

Download Submit
C:\Users\Admin\Documents\Report Jul 14 34594\3590\7533.dll
Filesize
4KB

MD5
76a2decc68aff93f026b420515cc3ff4

SHA1
6fd671ee5b904e9f32cfaf3efe156aa67d29a6cf

SHA256
116fa41add376639d7490471eb01703a49a257e5ed61dad106abb8165355ad7d

SHA512
5fc39f653a318e765f54c03c2d6dcceab3a4ec904950e6bca8e6b5a1cabf3c2fe577ff7022bb63df7edfa1c342b6a0a2d68f3a3d7f4ef4c1801e6f6d644778c9

Download Submit
C:\Users\Admin\Documents\Report Jul 14 34594\3590\WindowsCodecs.dll
Filesize
4KB

MD5
21930abbbb06588edf0240cc60302143

SHA1
48bf9b838ecb90b8389a0c50b301acc32b44b53e

SHA256
8760c4b4cc8fdcd144651d5ba02195d238950d3b70abd7d7e1e2d42b6bda9751

SHA512
36b092e22b953a4c984530ee1f3d01aae88084ed8146918316438ee37daefe76ed3cb6dfa39c7a020871a92fc2df0a22b5f4146cdd6437339fe3cff4792db4f6

Download Submit
C:\Users\Admin\Documents\Report Jul 14 34594\3590\WindowsCodecs.dll
Filesize
4KB

MD5
21930abbbb06588edf0240cc60302143

SHA1
48bf9b838ecb90b8389a0c50b301acc32b44b53e

SHA256
8760c4b4cc8fdcd144651d5ba02195d238950d3b70abd7d7e1e2d42b6bda9751

SHA512
36b092e22b953a4c984530ee1f3d01aae88084ed8146918316438ee37daefe76ed3cb6dfa39c7a020871a92fc2df0a22b5f4146cdd6437339fe3cff4792db4f6

Download Submit
C:\Users\Admin\Documents\Report Jul 14 34594\3590\calc.exe
Filesize
758KB

MD5
60b7c0fead45f2066e5b805a91f4f0fc

SHA1
9018a7d6cdbe859a430e8794e73381f77c840be0

SHA256
80c10ee5f21f92f89cbc293a59d2fd4c01c7958aacad15642558db700943fa22

SHA512
68b9f9c00fc64df946684ce81a72a2624f0fc07e07c0c8b3db2fae8c9c0415bd1b4a03ad7ffa96985af0cc5e0410f6c5e29a30200efff21ab4b01369a3c59b58

Download Submit
C:\Users\Admin\Documents\Report Jul 14 34594\3590\calc.exe
Filesize
758KB

MD5
60b7c0fead45f2066e5b805a91f4f0fc

SHA1
9018a7d6cdbe859a430e8794e73381f77c840be0

SHA256
80c10ee5f21f92f89cbc293a59d2fd4c01c7958aacad15642558db700943fa22

SHA512
68b9f9c00fc64df946684ce81a72a2624f0fc07e07c0c8b3db2fae8c9c0415bd1b4a03ad7ffa96985af0cc5e0410f6c5e29a30200efff21ab4b01369a3c59b58

Download Submit
memory/224-154-0x0000000001540000-0x0000000001562000-memory.dmp

Filesize
136KB

Download
memory/224-156-0x0000000001540000-0x0000000001562000-memory.dmp

Filesize
136KB

Download
memory/224-158-0x0000000001540000-0x0000000001562000-memory.dmp

Filesize
136KB

Download
memory/224-155-0x00000000014F0000-0x0000000001519000-memory.dmp

Filesize
164KB

Download
memory/224-151-0x0000000000000000-mapping.dmp

Download
memory/664-162-0x0000000000000000-mapping.dmp

Download
memory/2288-147-0x0000000000880000-0x00000000008A2000-memory.dmp

Filesize
136KB

Download
memory/2288-142-0x0000000000000000-mapping.dmp

Download
memory/2288-145-0x0000000000880000-0x00000000008A2000-memory.dmp

Filesize
136KB

Download
memory/2324-141-0x0000000002E30000-0x0000000002E52000-memory.dmp

Filesize
136KB

Download
memory/2324-140-0x00000000010F0000-0x0000000001119000-memory.dmp

Filesize
164KB

Download
memory/2324-139-0x0000000002E30000-0x0000000002E52000-memory.dmp

Filesize
136KB

Download
memory/2324-136-0x0000000000000000-mapping.dmp

Download
memory/2324-143-0x0000000002E30000-0x0000000002E52000-memory.dmp

Filesize
136KB

Download
memory/3236-149-0x0000000000000000-mapping.dmp

Download
memory/3900-144-0x0000000000000000-mapping.dmp

Download
memory/3932-157-0x0000000000000000-mapping.dmp

Download
memory/3932-159-0x0000000000AB0000-0x0000000000AD2000-memory.dmp

Filesize
136KB

Download
memory/3932-160-0x0000000000AB0000-0x0000000000AD2000-memory.dmp

Filesize
136KB

Download
memory/4696-146-0x0000000000000000-mapping.dmp

Download
memory/4796-153-0x00007FFE149E0000-0x00007FFE154A1000-memory.dmp

Filesize
10.8MB

Download
memory/4796-148-0x000002BEF0F70000-0x000002BEF0F92000-memory.dmp

Filesize
136KB

Download
memory/4928-131-0x0000000000000000-mapping.dmp

Download