Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-08-2022 08:18
Static task: static1
Behavioral task: behavioral1
- Sample: 50600999_420925.img
- Resource: win7-20220812-en
General
- Target: 50600999_420925.img
- Size: 2.6MB
- MD5: 5531d308f169eb4387f80202b68333a0
- SHA1: bac447aa3281946bca9c501d8c18fcf2f5a1c0d1
- SHA256: 81343a9be0c301685f76fa2185dc8b28c0e8aebdca6f23ba12a4412685e286f6
- SHA512: 75ef718691db75eebc044590c499982acd1a83e9986eb0be15a951ed5ccc7401a58a5d7a146989977bb32180e4a2f0c44913b1adc54641e50a4bbb3d9b0e85ad
Malware Config
Extracted
- Family: qakbot
- Version: 403.694
- Botnet: obama186
- Campaign: 1654596660 (Unix epoch, 2022-06-07 10:11:00 UTC)
- C2 (ip:port):
67.165.206.193:993
63.143.92.99:995
74.14.5.179:2222
182.191.92.203:995
197.89.8.51:443
89.101.97.139:443
86.97.9.190:443
124.40.244.115:2222
80.11.74.81:2222
41.215.153.104:995
179.100.20.32:32101
31.35.28.29:443
202.134.152.2:2222
109.12.111.14:443
93.48.80.198:995
120.150.218.241:995
41.38.167.179:995
177.94.57.126:32101
173.174.216.62:443
1.161.101.20:443
88.224.254.172:443
82.41.63.217:443
67.209.195.198:443
70.46.220.114:443
24.178.196.158:2222
39.44.213.68:995
84.241.8.23:32103
210.246.4.69:995
92.132.172.197:2222
91.177.173.10:995
217.128.122.65:2222
149.28.238.199:995
45.76.167.26:995
45.63.1.12:443
144.202.2.175:443
45.63.1.12:995
144.202.3.39:995
144.202.2.175:995
45.76.167.26:443
149.28.238.199:443
144.202.3.39:443
140.82.63.183:995
140.82.63.183:443
175.145.235.37:443
85.246.82.244:443
47.23.89.60:993
187.207.131.50:61202
176.67.56.94:443
148.64.96.100:443
140.82.49.12:443
76.70.9.169:2222
217.164.121.161:2222
72.27.33.160:443
108.60.213.141:443
104.34.212.7:32103
39.44.158.215:995
31.48.174.63:2078
75.99.168.194:61201
117.248.109.38:21
83.110.218.147:993
82.152.39.39:443
180.129.108.214:995
5.32.41.45:443
83.110.92.106:443
197.164.182.46:993
196.203.37.215:80
186.90.153.162:2222
37.186.54.254:995
89.211.179.247:2222
24.139.72.117:443
201.142.177.168:443
37.34.253.233:443
69.14.172.24:443
125.24.187.183:443
208.107.221.224:443
174.69.215.101:443
76.25.142.196:443
96.37.113.36:993
173.21.10.71:2222
73.151.236.31:443
45.46.53.140:2222
189.146.90.232:443
70.51.135.90:2222
190.252.242.69:443
201.145.165.25:443
47.157.227.70:443
72.252.157.93:993
177.205.155.85:443
72.252.157.93:995
187.251.132.144:22
40.134.246.185:995
24.55.67.176:443
79.80.80.29:2222
179.158.105.44:443
72.252.157.93:990
89.86.33.217:443
201.172.23.68:2222
102.182.232.3:995
177.156.191.231:443
39.49.96.122:995
94.36.193.176:2222
120.61.1.114:443
217.164.121.161:1194
39.41.29.200:995
86.195.158.178:2222
86.98.149.168:2222
1.161.101.20:995
124.109.35.32:995
172.115.177.204:2222
105.27.172.6:443
32.221.224.140:995
208.101.82.0:443
71.24.118.253:443
143.0.219.6:995
217.165.176.49:2222
90.120.65.153:2078
5.203.199.157:995
39.52.41.80:995
148.0.56.63:443
191.112.25.187:443
121.7.223.45:2222
47.156.131.10:443
177.209.202.242:2222
41.86.42.158:995
106.51.48.170:50001
41.84.229.240:443
94.71.169.212:995
111.125.245.116:995
78.101.193.241:6883
201.242.175.29:2222
38.70.253.226:2222
187.149.236.5:443
217.165.79.88:443
85.255.232.18:443
103.246.242.202:443
41.230.62.211:995
67.69.166.79:2222
42.228.224.249:2222
172.114.160.81:995
94.26.122.9:995
75.99.168.194:443
189.253.206.105:443
81.215.196.174:443
46.107.48.202:443
-
- Salt: jHxastDcds)oMc=jvh7wdUhxcsdt2
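The extracted config above is a flat list: family, version, botnet, campaign epoch, one C2 per line, then the salt. The following Python is an added example for this page (not code from the sandbox vendor or from the malware) that parses that layout into validated IOCs, decodes the campaign timestamp, groups ports per host and defangs entries for sharing. SAMPLE_CONFIG is a constructed subset of the C2 list printed above; every function name is this example's own.

```python
"""Parse the extracted qakbot configuration shown above into structured IOCs."""
import ipaddress
from collections import Counter
from datetime import datetime, timezone

# Constructed sample input: the header fields, a subset of the C2 list and the
# salt, laid out exactly as the report prints them.
SAMPLE_CONFIG = """\
qakbot
403.694
obama186
1654596660
67.165.206.193:993
63.143.92.99:995
74.14.5.179:2222
182.191.92.203:995
197.89.8.51:443
179.100.20.32:32101
187.207.131.50:61202
117.248.109.38:21
196.203.37.215:80
187.251.132.144:22
72.252.157.93:993
72.252.157.93:995
72.252.157.93:990
salt
jHxastDcds)oMc=jvh7wdUhxcsdt2
"""


def campaign_to_utc(campaign: str) -> str:
    """The campaign ID is Unix epoch seconds; render it as a UTC date."""
    ts = datetime.fromtimestamp(int(campaign), tz=timezone.utc)
    return ts.strftime("%Y-%m-%d %H:%M:%S UTC")


def parse_config(text: str) -> dict:
    """Split the block into header fields, validated (ip, port) tuples and the salt."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    family, version, botnet, campaign = lines[:4]
    cfg = {
        "family": family,
        "version": version,
        "botnet": botnet,
        "campaign": int(campaign),
        "campaign_utc": campaign_to_utc(campaign),
        "c2": [],
        "salt": None,
    }
    rest = iter(lines[4:])
    for line in rest:
        if line == "salt":
            cfg["salt"] = next(rest, None)
            break
        host, sep, port = line.rpartition(":")
        if not sep:
            raise ValueError(f"not an ip:port entry: {line!r}")
        ip = ipaddress.ip_address(host)  # raises ValueError on garbage
        port_num = int(port)
        if not 0 < port_num < 65536:
            raise ValueError(f"port out of range: {line!r}")
        cfg["c2"].append((str(ip), port_num))
    return cfg


def port_histogram(c2: list) -> Counter:
    """How many C2 entries use each port."""
    return Counter(port for _, port in c2)


def host_ports(c2: list) -> dict:
    """Group ports per host; some hosts are listed on several ports."""
    grouped: dict = {}
    for ip, port in c2:
        grouped.setdefault(ip, set()).add(port)
    return {ip: sorted(ports) for ip, ports in grouped.items()}


def defang(ip: str, port: int) -> str:
    """Defanged form for pasting IOCs into reports or tickets."""
    return f"{ip.replace('.', '[.]')}:{port}"


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(cfg["family"], cfg["version"], cfg["botnet"], cfg["campaign_utc"])
    for ip, ports in host_ports(cfg["c2"]).items():
        print(ip.replace(".", "[.]"), ports)
    print(dict(port_histogram(cfg["c2"])))
```

Feeding the full list from the report into parse_config works unchanged; the ValueError checks matter because copy-pasted C2 lists from HTML reports routinely pick up stray characters.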
Signatures
-
Windows security bypass 4 IoCs
Processes: reg.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Rqbkqlurta = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Axwio = "0" (reg.exe)
Defender stores a path exclusion as a REG_DWORD whose name is the excluded path and whose data is 0, so both directories are excluded from scanning once these writes land.
Loads dropped DLL 2 IoCs
Processes:
- PID 2324 rundll32.exe
- PID 1172 regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is the sandbox's generic description for the TTP. In this run the sample is an .img disk image opened via cmd /c and unpacked with 7-Zip (see the process tree below), which accounts for the storage-device access; qakbot is a loader, not ransomware.
-
Program crash 1 IoCs
Processes:
- PID 5116 WerFault.exe (target PID 956)
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 10 IoCs
Processes: explorer.exe (all writes below). The target is \REGISTRY\USER\.DEFAULT, the hive used by the SYSTEM account; the value names look random and 35f671e7 is written twice with different data.
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Bughxibz
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Bughxibz\22881d5 = 183f10cce4bc34c5ca3a8dd1d922b7711d4c60ac79e9b6f4e42224a665737b205f2facd40639c2719b7c1392d23da45c684268511b40904ca179fad2de86edc56b695d8e022a035f4867cb57bc
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Bughxibz\b8d5c6cc = ebcaabc091de3fc8a414f9aef3645a1a9fa5145e6b0c6552908a3a3b144234eb98b1bcd4feaf4eac38eb253403552678d3b1bd90e1480105bc6587b9094db1f5d58213b82679a5a768c1655a4c26b33a67940ebce9e0c7f8
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Bughxibz\4abf1e11 = 925912cdece84806305f5c94d23d092d2000a2cf26c2183795e23fa45d434124b5ea868de21f1415e6e6200028e4cfa708f424ce51d7f09d1a44d1188b7a1e0d
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Bughxibz\35f671e7 = 2c63f2a8adfb70186d2f199e8ba94abf33efaed447fd0a2fbfa30ca3c576e6dc7014d1b3b70870628fb23f469e5809c6ee249750b5dcf13c0c5f709ccc3365c9e4a177
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Bughxibz\69a1a9 = 593196bee9d4c06443cd56589e64c02cfdfe17c79549b0e0796cbdc9063a30b6a7033a3b2ed7ff51ebbb718c6f2ad2d5e20bccb7d60002be942cb3cc58a1f3e64225925add47857f43be4ea18467f75bc0d3957ce5a3f0c4660df9ec8b791c0a639576c03a21f0727889cf50d40675
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Bughxibz\ba94e6b0 = 16f4acf33deec759bfec70b28a779e962042506e0ed37bf424e58f2b64de462aeeba402c79adee236b2d741060edc88296b58b68262e4043f9d46e41b4aa634a90f4185cf44dde54288efa25bf20
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Bughxibz\c79ca93a = 85039612eebf12dedff316fc0d4ef106cf8bc7ba07d734cad259cd13d1bdd9ac
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Bughxibz\7f20ce5f = 41cba79a86b833bd377a868188f2cb3360198774e26e7378853f0c5e66c42cfbbfb49f9a9226e2a40dc0097e6e7071387e9b0ba55823667ebef3f220fdcf16ad2603be1b8e7d7720f62ee3598af1ae36da38cda7ae6fcdfdb4c15d1b36a6a4235a58f6c437ed61ddb0222c59dbcf2f342e
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Bughxibz\35f671e7 = 2c63e5a8adfb45c99e49cedc6d728c82d8387931a9809a8a0b265247f23706ac89145ae6a5713627828b7da13121271e6f86a2c2ef023d530925507d15fd46e9dd75b3516745a78d2d96898878701a9548cfa5c6fefb8487
Modifies registry class 1 IoCs
Processes: cmd.exe
- Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings (cmd.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- PID 2324 rundll32.exe (2 events)
- PID 2464 explorer.exe (62 events)
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
- PID 2324 rundll32.exe
- PID 1172 regsvr32.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
- Token: SeManageVolumePrivilege, PID 4596 cmd.exe (2 events)
- Token: SeRestorePrivilege, PID 2532 7zG.exe
- Token: 35, PID 2532 7zG.exe
- Token: SeSecurityPrivilege, PID 2532 7zG.exe (2 events)
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
- PID 2532 7zG.exe
Suspicious use of WriteProcessMemory 23 IoCs
Processes (source PID wrote to memory of target PID):
- PID 2664 rundll32.exe wrote to PID 2324 rundll32.exe (3 writes)
- PID 2324 rundll32.exe wrote to PID 2464 explorer.exe (5 writes)
- PID 2464 explorer.exe wrote to PID 5048 schtasks.exe (3 writes)
- PID 2752 regsvr32.exe wrote to PID 1172 regsvr32.exe (3 writes)
- PID 1172 regsvr32.exe wrote to PID 712 explorer.exe (5 writes)
- PID 712 explorer.exe wrote to PID 408 reg.exe (2 writes)
- PID 712 explorer.exe wrote to PID 2620 reg.exe (2 writes)
Processes
Each "*" entry is a process (PIDs taken from the signature tables above where they can be matched unambiguously), followed by its command line and the signatures it triggered. Indentation shows parent/child depth.

* C:\Windows\system32\cmd.exe (PID 4596)
    cmd /c C:\Users\Admin\AppData\Local\Temp\50600999_420925.img
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
* C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
* C:\Program Files\7-Zip\7zG.exe (PID 2532)
    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\50600999_420925\" -spe -an -ai#7zMap12315:110:7zEvent11240
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
* C:\Windows\System32\rundll32.exe (PID 2664)
    "C:\Windows\System32\rundll32.exe" 019338921.dll,DllInstall
    - Suspicious use of WriteProcessMemory
    * C:\Windows\SysWOW64\rundll32.exe (PID 2324)
        "C:\Windows\System32\rundll32.exe" 019338921.dll,DllInstall
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
        * C:\Windows\SysWOW64\explorer.exe (PID 2464)
            C:\Windows\SysWOW64\explorer.exe
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            * C:\Windows\SysWOW64\schtasks.exe (PID 5048)
                "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn mpxtvtt /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\50600999_420925\019338921.dll\"" /SC ONCE /Z /ST 10:20 /ET 10:32
                - Creates scheduled task(s)
* C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 440 -p 956 -ip 956
* C:\Windows\system32\WerFault.exe (PID 5116)
    C:\Windows\system32\WerFault.exe -u -p 956 -s 1764
    - Program crash
* C:\Windows\system32\regsvr32.exe (PID 2752)
    regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\50600999_420925\019338921.dll"
    - Suspicious use of WriteProcessMemory
    * C:\Windows\SysWOW64\regsvr32.exe (PID 1172)
        -s "C:\Users\Admin\AppData\Local\Temp\50600999_420925\019338921.dll"
        - Loads dropped DLL
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
        * C:\Windows\SysWOW64\explorer.exe (PID 712)
            C:\Windows\SysWOW64\explorer.exe
            - Modifies data under HKEY_USERS
            - Suspicious use of WriteProcessMemory
            * C:\Windows\system32\reg.exe
                C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Rqbkqlurta" /d "0"
                - Windows security bypass
            * C:\Windows\system32\reg.exe
                C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Axwio" /d "0"
                - Windows security bypass

The second tree (regsvr32.exe -s with the full Temp path) is the command line registered in task mpxtvtt, i.e. the scheduled task firing as NT AUTHORITY\SYSTEM; that is consistent with its explorer.exe child writing under HKEY_USERS\.DEFAULT rather than the Admin user's hive. In both trees a 64-bit LOLBin spawns its SysWOW64 counterpart, which hollows a SysWOW64\explorer.exe that then launches the persistence and defense-evasion commands.
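The process tree above is the part of this report a detection engineer would turn into rules: a disk image opened from the user's Temp directory, rundll32/regsvr32 loading a DLL from a user-writable path, explorer.exe whose parent is a LOLBin, a scheduled task that runs regsvr32 as SYSTEM, and reg.exe adding Defender exclusions. The following Python is an added example for this page (not part of the sandbox report) that encodes those five checks and runs them over process records constructed from the tree and the WriteProcessMemory chain. PIDs and command lines are copied from the page; the parent of each top-level process is not on the page and is recorded as 0; rule names and helper names are this example's own.

```python
"""Detection rules over the qakbot process tree shown on this page."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the process tree and the WriteProcessMemory chain above.
TEMP = r"C:\Users\Admin\AppData\Local\Temp\50600999_420925"
EVENTS = [
    Proc(4596, 0, r"C:\Windows\system32\cmd.exe",
         r"cmd /c C:\Users\Admin\AppData\Local\Temp\50600999_420925.img"),
    Proc(2532, 0, r"C:\Program Files\7-Zip\7zG.exe",
         r'"C:\Program Files\7-Zip\7zG.exe" x -o"' + TEMP + r'\" -spe -an -ai#7zMap12315:110:7zEvent11240'),
    Proc(2664, 0, r"C:\Windows\System32\rundll32.exe",
         r'"C:\Windows\System32\rundll32.exe" 019338921.dll,DllInstall'),
    Proc(2324, 2664, r"C:\Windows\SysWOW64\rundll32.exe",
         r'"C:\Windows\System32\rundll32.exe" 019338921.dll,DllInstall'),
    Proc(2464, 2324, r"C:\Windows\SysWOW64\explorer.exe", r"C:\Windows\SysWOW64\explorer.exe"),
    Proc(5048, 2464, r"C:\Windows\SysWOW64\schtasks.exe",
         r'"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn mpxtvtt '
         r'/tr "regsvr32.exe -s \"' + TEMP + r'\019338921.dll\"" /SC ONCE /Z /ST 10:20 /ET 10:32'),
    Proc(2752, 0, r"C:\Windows\system32\regsvr32.exe", r'regsvr32.exe -s "' + TEMP + r'\019338921.dll"'),
    Proc(1172, 2752, r"C:\Windows\SysWOW64\regsvr32.exe", r'-s "' + TEMP + r'\019338921.dll"'),
    Proc(712, 1172, r"C:\Windows\SysWOW64\explorer.exe", r"C:\Windows\SysWOW64\explorer.exe"),
    Proc(408, 712, r"C:\Windows\system32\reg.exe",
         r'C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" '
         r'/f /t REG_DWORD /v "C:\ProgramData\Microsoft\Rqbkqlurta" /d "0"'),
    Proc(2620, 712, r"C:\Windows\system32\reg.exe",
         r'C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" '
         r'/f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Axwio" /d "0"'),
]

USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\programdata\\|\\temp\\", re.I)
LOLBIN = re.compile(r"\\(rundll32|regsvr32)\.exe$", re.I)


def rule_disk_image_opened(p: Proc) -> bool:
    """cmd/explorer opening an .img/.iso/.vhd container (a mark-of-the-web-evading lure)."""
    return (p.image.lower().endswith(("\\cmd.exe", "\\explorer.exe"))
            and re.search(r"\.(img|iso|vhdx?)\b", p.cmdline, re.I) is not None)


def rule_defender_exclusion(p: Proc) -> bool:
    """reg.exe touching the Defender exclusion keys."""
    return (p.image.lower().endswith("\\reg.exe")
            and re.search(r"windows defender\\exclusions", p.cmdline, re.I) is not None)


def rule_schtasks_system_lolbin(p: Proc) -> bool:
    """schtasks /Create running as SYSTEM whose action is a LOLBin on a user-writable DLL."""
    c = p.cmdline
    return (p.image.lower().endswith("\\schtasks.exe")
            and re.search(r"/create\b", c, re.I) is not None
            and re.search(r'/ru\s+"?nt authority\\system', c, re.I) is not None
            and re.search(r"\b(regsvr32|rundll32)", c, re.I) is not None
            and USER_WRITABLE.search(c) is not None)


def rule_lolbin_dll_from_user_writable(p: Proc) -> bool:
    """rundll32/regsvr32 given a DLL path under AppData, ProgramData or Temp."""
    return (LOLBIN.search(p.image) is not None
            and re.search(r"\.dll\b", p.cmdline, re.I) is not None
            and USER_WRITABLE.search(p.cmdline) is not None)


def rule_explorer_spawned_by_lolbin(p: Proc, by_pid: dict) -> bool:
    """explorer.exe should descend from winlogon/userinit, never from rundll32/regsvr32."""
    parent = by_pid.get(p.ppid)
    return (p.image.lower().endswith("\\explorer.exe")
            and parent is not None and LOLBIN.search(parent.image) is not None)


def ancestry(pid: int, by_pid: dict) -> list:
    """Walk ppid links from pid up to the first parent not in the event set."""
    chain: list = []
    while pid in by_pid and pid not in chain:
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain


def detect(events: list) -> dict:
    """Return {rule_name: sorted list of PIDs that matched}."""
    by_pid = {p.pid: p for p in events}
    rules = {
        "disk_image_opened": rule_disk_image_opened,
        "defender_exclusion_added": rule_defender_exclusion,
        "schtasks_system_lolbin": rule_schtasks_system_lolbin,
        "lolbin_dll_from_user_writable": rule_lolbin_dll_from_user_writable,
    }
    hits: dict = {}
    for p in events:
        for name, rule in rules.items():
            if rule(p):
                hits.setdefault(name, []).append(p.pid)
        if rule_explorer_spawned_by_lolbin(p, by_pid):
            hits.setdefault("explorer_spawned_by_lolbin", []).append(p.pid)
    return {name: sorted(pids) for name, pids in hits.items()}


if __name__ == "__main__":
    for name, pids in detect(EVENTS).items():
        print(f"{name}: {pids}")
    print("chain for reg.exe 2620:", ancestry(2620, {p.pid: p for p in EVENTS}))
```

Note that the first rundll32 pair (PIDs 2664/2324) is not caught by the DLL-path rule because the page shows a relative "019338921.dll"; in telemetry that has the process's current directory, the rule should be applied to the resolved path, which is why the scheduled-task and parent/child rules are needed alongside it.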
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\50600999_420925\019338921.dll
- Filesize: 1.4MB
- MD5: 889de0fcbdf800a0732d5909c5b16057
- SHA1: 925b2fa5fdd084651f84f3b3c4381b0a10ef3ad3
- SHA256: f9d073248e84c44c6130c379cf845290b701dd9312e4114caf4b3a99f70e3e8e
- SHA512: 303911ea66cca532b57b5acd3565f13d3500760eda42bf90653154f482e7d640d0cd318c1f9fd97570dbe7b18cd533deee34b3d2416d4c588a9cabfe47d99777
-
- memory/408-151-0x0000000000000000-mapping.dmp
- memory/712-154-0x0000000000C60000-0x0000000000C82000-memory.dmp (136KB)
- memory/712-153-0x0000000000C60000-0x0000000000C82000-memory.dmp (136KB)
- memory/712-149-0x0000000000000000-mapping.dmp
- memory/1172-150-0x0000000002B20000-0x0000000002B42000-memory.dmp (136KB)
- memory/1172-147-0x0000000001860000-0x000000000188D000-memory.dmp (180KB)
- memory/1172-146-0x0000000002B20000-0x0000000002B42000-memory.dmp (136KB)
- memory/1172-148-0x0000000002B20000-0x0000000002B42000-memory.dmp (136KB)
- memory/1172-144-0x0000000000000000-mapping.dmp
- memory/2324-137-0x0000000002AF0000-0x0000000002B12000-memory.dmp (136KB)
- memory/2324-139-0x0000000002AF0000-0x0000000002B12000-memory.dmp (136KB)
- memory/2324-136-0x0000000002AA0000-0x0000000002ACD000-memory.dmp (180KB)
- memory/2324-135-0x0000000002AF0000-0x0000000002B12000-memory.dmp (136KB)
- memory/2324-133-0x0000000000000000-mapping.dmp
- memory/2464-142-0x00000000012D0000-0x00000000012F2000-memory.dmp (136KB)
- memory/2464-141-0x00000000012D0000-0x00000000012F2000-memory.dmp (136KB)
- memory/2464-138-0x0000000000000000-mapping.dmp
- memory/2620-152-0x0000000000000000-mapping.dmp
- memory/5048-140-0x0000000000000000-mapping.dmp