qakbot | 2827772c694257f02892bfc37635cb4f7e873e598bdca9a3e43bc5dd92709543

Resubmissions

26/09/2022, 22:23

220926-2at38sdbhl 10

26/09/2022, 19:56

220926-ynv1xabhd5 10

26/09/2022, 18:58

220926-xmwqdabgd6 10

26/09/2022, 12:36

220926-ps571abhhq 10

Analysis

max time kernel
1800s
max time network
1799s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26/09/2022, 19:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Art#4376.zip
Size

605KB
MD5

6a793a5e8c1ab979df01b4dccde9ca32
SHA1

17deb587031196f62b8d3a53c60541fd0959457d
SHA256

2827772c694257f02892bfc37635cb4f7e873e598bdca9a3e43bc5dd92709543
SHA512

9fe9b6a57667a2c414b32efd91e764e2ce001fb851b44bb467bd113f0a1e518f448e94d1d3fa7ad10db247cf1d065d4efabed8964bab7631a4223b3afd0fb989
SSDEEP

12288:R5WRiTvdfmH2KzulB3vzZDGUIex97hr7fcrPdmgTL5qnQWW3BEKzqzccp/8H:R5L1T3vzZaCPJErPk0wn1wEIqzU

Score

10^/10

qakbot bb 1664184863 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.895

Botnet

Campaign

1664184863

197.204.227.155:443

123.23.64.230:443

173.218.180.91:443

111.125.157.230:443

70.49.33.200:2222

149.28.38.16:995

86.132.13.105:2078

149.28.38.16:443

45.77.159.252:995

45.77.159.252:443

149.28.63.197:995

144.202.15.58:443

45.63.10.144:443

45.63.10.144:995

149.28.63.197:443

144.202.15.58:995

39.121.226.109:443

177.255.14.99:995

134.35.10.30:443

99.232.140.205:2222

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Executes dropped EXE 1 IoCs

pid	Process
4732	ChromeRecovery.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe

Loads dropped DLL 1 IoCs

pid	Process
4372	regsvr32.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3660_1747968679\manifest.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3660_1747968679\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3660_1747968679\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3660_1747968679\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3660_1747968679\ChromeRecovery.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3660_1747968679\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3660_1747968679\manifest.json	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Discovers systems in the same network 1 TTPs 1 IoCs

discovery

Remote System Discovery

T1018

pid	Process
4288	net.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
520	ipconfig.exe
1708	netstat.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	OpenWith.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3324	chrome.exe
3324	chrome.exe
1824	chrome.exe
1824	chrome.exe
1968	chrome.exe
1968	chrome.exe
2336	chrome.exe
2336	chrome.exe
1132	chrome.exe
1132	chrome.exe
4584	chrome.exe
4584	chrome.exe
2344	chrome.exe
2344	chrome.exe
3748	chrome.exe
3748	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
4372	regsvr32.exe
4372	regsvr32.exe
1756	wermgr.exe
1756	wermgr.exe
1756	wermgr.exe
1756	wermgr.exe
1756	wermgr.exe
1756	wermgr.exe
1756	wermgr.exe
1756	wermgr.exe
1756	wermgr.exe
1756	wermgr.exe
1756	wermgr.exe
1756	wermgr.exe
1756	wermgr.exe
1756	wermgr.exe
1756	wermgr.exe
1756	wermgr.exe
1756	wermgr.exe
1756	wermgr.exe
1756	wermgr.exe
1756	wermgr.exe
1756	wermgr.exe
1756	wermgr.exe
1756	wermgr.exe
1756	wermgr.exe
1756	wermgr.exe
1756	wermgr.exe
1756	wermgr.exe
1756	wermgr.exe
1756	wermgr.exe
1756	wermgr.exe
1756	wermgr.exe
1756	wermgr.exe
1756	wermgr.exe
1756	wermgr.exe
1756	wermgr.exe
1756	wermgr.exe
1756	wermgr.exe
1756	wermgr.exe
1756	wermgr.exe
1756	wermgr.exe
1756	wermgr.exe
1756	wermgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4784	OpenWith.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4372	regsvr32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeRestorePrivilege	3952	7zG.exe
Token: 35	3952	7zG.exe
Token: SeSecurityPrivilege	3952	7zG.exe
Token: SeSecurityPrivilege	3952	7zG.exe
Token: SeDebugPrivilege	1708	netstat.exe
Token: SeDebugPrivilege	1316	whoami.exe
Token: SeDebugPrivilege	1316	whoami.exe
Token: SeDebugPrivilege	1316	whoami.exe
Token: SeDebugPrivilege	1316	whoami.exe
Token: SeDebugPrivilege	1316	whoami.exe
Token: SeDebugPrivilege	1316	whoami.exe
Token: SeDebugPrivilege	1316	whoami.exe
Token: SeDebugPrivilege	1316	whoami.exe
Token: SeDebugPrivilege	1316	whoami.exe
Token: SeDebugPrivilege	1316	whoami.exe
Token: SeDebugPrivilege	1316	whoami.exe
Token: SeDebugPrivilege	1316	whoami.exe
Token: SeDebugPrivilege	1316	whoami.exe
Token: SeDebugPrivilege	1316	whoami.exe
Token: SeDebugPrivilege	1316	whoami.exe
Token: SeDebugPrivilege	1316	whoami.exe
Token: SeDebugPrivilege	1316	whoami.exe
Token: SeDebugPrivilege	1316	whoami.exe
Token: SeDebugPrivilege	1316	whoami.exe
Token: SeDebugPrivilege	1316	whoami.exe
Token: SeDebugPrivilege	1316	whoami.exe
Token: SeDebugPrivilege	1316	whoami.exe
Token: SeDebugPrivilege	1316	whoami.exe
Token: SeDebugPrivilege	1316	whoami.exe
Token: SeDebugPrivilege	1316	whoami.exe
Token: SeDebugPrivilege	1316	whoami.exe
Token: SeDebugPrivilege	1316	whoami.exe
Token: SeSecurityPrivilege	1556	msiexec.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
3952	7zG.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
4784	OpenWith.exe
4784	OpenWith.exe
4784	OpenWith.exe
4784	OpenWith.exe
4784	OpenWith.exe
4784	OpenWith.exe
4784	OpenWith.exe
4784	OpenWith.exe
4784	OpenWith.exe
4784	OpenWith.exe
4784	OpenWith.exe
4784	OpenWith.exe
4784	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4784 wrote to memory of 4464	4784	OpenWith.exe	102
PID 4784 wrote to memory of 4464	4784	OpenWith.exe	102
PID 1824 wrote to memory of 4680	1824	chrome.exe	105
PID 1824 wrote to memory of 4680	1824	chrome.exe	105
PID 1824 wrote to memory of 1608	1824	chrome.exe	106
PID 1824 wrote to memory of 1608	1824	chrome.exe	106
PID 1824 wrote to memory of 1608	1824	chrome.exe	106
PID 1824 wrote to memory of 1608	1824	chrome.exe	106
PID 1824 wrote to memory of 1608	1824	chrome.exe	106
PID 1824 wrote to memory of 1608	1824	chrome.exe	106
PID 1824 wrote to memory of 1608	1824	chrome.exe	106
PID 1824 wrote to memory of 1608	1824	chrome.exe	106
PID 1824 wrote to memory of 1608	1824	chrome.exe	106
PID 1824 wrote to memory of 1608	1824	chrome.exe	106
PID 1824 wrote to memory of 1608	1824	chrome.exe	106
PID 1824 wrote to memory of 1608	1824	chrome.exe	106
PID 1824 wrote to memory of 1608	1824	chrome.exe	106
PID 1824 wrote to memory of 1608	1824	chrome.exe	106
PID 1824 wrote to memory of 1608	1824	chrome.exe	106
PID 1824 wrote to memory of 1608	1824	chrome.exe	106
PID 1824 wrote to memory of 1608	1824	chrome.exe	106
PID 1824 wrote to memory of 1608	1824	chrome.exe	106
PID 1824 wrote to memory of 1608	1824	chrome.exe	106
PID 1824 wrote to memory of 1608	1824	chrome.exe	106
PID 1824 wrote to memory of 1608	1824	chrome.exe	106
PID 1824 wrote to memory of 1608	1824	chrome.exe	106
PID 1824 wrote to memory of 1608	1824	chrome.exe	106
PID 1824 wrote to memory of 1608	1824	chrome.exe	106
PID 1824 wrote to memory of 1608	1824	chrome.exe	106
PID 1824 wrote to memory of 1608	1824	chrome.exe	106
PID 1824 wrote to memory of 1608	1824	chrome.exe	106
PID 1824 wrote to memory of 1608	1824	chrome.exe	106
PID 1824 wrote to memory of 1608	1824	chrome.exe	106
PID 1824 wrote to memory of 1608	1824	chrome.exe	106
PID 1824 wrote to memory of 1608	1824	chrome.exe	106
PID 1824 wrote to memory of 1608	1824	chrome.exe	106
PID 1824 wrote to memory of 1608	1824	chrome.exe	106
PID 1824 wrote to memory of 1608	1824	chrome.exe	106
PID 1824 wrote to memory of 1608	1824	chrome.exe	106
PID 1824 wrote to memory of 1608	1824	chrome.exe	106
PID 1824 wrote to memory of 1608	1824	chrome.exe	106
PID 1824 wrote to memory of 1608	1824	chrome.exe	106
PID 1824 wrote to memory of 1608	1824	chrome.exe	106
PID 1824 wrote to memory of 1608	1824	chrome.exe	106
PID 1824 wrote to memory of 3324	1824	chrome.exe	107
PID 1824 wrote to memory of 3324	1824	chrome.exe	107
PID 1824 wrote to memory of 3128	1824	chrome.exe	108
PID 1824 wrote to memory of 3128	1824	chrome.exe	108
PID 1824 wrote to memory of 3128	1824	chrome.exe	108
PID 1824 wrote to memory of 3128	1824	chrome.exe	108
PID 1824 wrote to memory of 3128	1824	chrome.exe	108
PID 1824 wrote to memory of 3128	1824	chrome.exe	108
PID 1824 wrote to memory of 3128	1824	chrome.exe	108
PID 1824 wrote to memory of 3128	1824	chrome.exe	108
PID 1824 wrote to memory of 3128	1824	chrome.exe	108
PID 1824 wrote to memory of 3128	1824	chrome.exe	108
PID 1824 wrote to memory of 3128	1824	chrome.exe	108
PID 1824 wrote to memory of 3128	1824	chrome.exe	108
PID 1824 wrote to memory of 3128	1824	chrome.exe	108
PID 1824 wrote to memory of 3128	1824	chrome.exe	108
PID 1824 wrote to memory of 3128	1824	chrome.exe	108
PID 1824 wrote to memory of 3128	1824	chrome.exe	108
PID 1824 wrote to memory of 3128	1824	chrome.exe	108
PID 1824 wrote to memory of 3128	1824	chrome.exe	108

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Art#4376.zip
1⤵
PID:4984

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4416

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Art#4376\" -spe -an -ai#7zMap3470:96:7zEvent22583
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Art#4376\banners\mongoosesFavors.cmd" "
1⤵
PID:956

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Art#4376\banners\mongoosesFavors.cmd
1⤵
PID:3492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Art#4376\banners\mongoosesFavors.cmd" "
1⤵
PID:2932

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Art#4376\banners\retsina.db
  2⤵
  PID:4464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffe4ddb4f50,0x7ffe4ddb4f60,0x7ffe4ddb4f70
  2⤵
  PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1640,3632083913833268235,4112613734202947965,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1628 /prefetch:2
  2⤵
  PID:1608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1640,3632083913833268235,4112613734202947965,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2032 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1640,3632083913833268235,4112613734202947965,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2284 /prefetch:8
  2⤵
  PID:3128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,3632083913833268235,4112613734202947965,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2928 /prefetch:1
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,3632083913833268235,4112613734202947965,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3108 /prefetch:1
  2⤵
  PID:2652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,3632083913833268235,4112613734202947965,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1
  2⤵
  PID:1088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,3632083913833268235,4112613734202947965,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4460 /prefetch:8
  2⤵
  PID:956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,3632083913833268235,4112613734202947965,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4584 /prefetch:8
  2⤵
  PID:1568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,3632083913833268235,4112613734202947965,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4712 /prefetch:8
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,3632083913833268235,4112613734202947965,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4460 /prefetch:1
  2⤵
  PID:3156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,3632083913833268235,4112613734202947965,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4688 /prefetch:8
  2⤵
  PID:1588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,3632083913833268235,4112613734202947965,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,3632083913833268235,4112613734202947965,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  PID:1524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,3632083913833268235,4112613734202947965,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4652 /prefetch:8
  2⤵
  PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,3632083913833268235,4112613734202947965,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5156 /prefetch:8
  2⤵
  PID:4676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,3632083913833268235,4112613734202947965,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,3632083913833268235,4112613734202947965,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,3632083913833268235,4112613734202947965,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  PID:2348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,3632083913833268235,4112613734202947965,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6008 /prefetch:8
  2⤵
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,3632083913833268235,4112613734202947965,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5856 /prefetch:8
  2⤵
  PID:4616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,3632083913833268235,4112613734202947965,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5728 /prefetch:8
  2⤵
  PID:3608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,3632083913833268235,4112613734202947965,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5024 /prefetch:8
  2⤵
  PID:872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,3632083913833268235,4112613734202947965,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4976 /prefetch:8
  2⤵
  PID:4976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,3632083913833268235,4112613734202947965,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5724 /prefetch:8
  2⤵
  PID:4100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,3632083913833268235,4112613734202947965,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5884 /prefetch:8
  2⤵
  PID:2112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,3632083913833268235,4112613734202947965,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5952 /prefetch:8
  2⤵
  PID:180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,3632083913833268235,4112613734202947965,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5880 /prefetch:8
  2⤵
  PID:604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,3632083913833268235,4112613734202947965,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,3632083913833268235,4112613734202947965,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4504 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,3632083913833268235,4112613734202947965,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
  2⤵
  PID:4280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,3632083913833268235,4112613734202947965,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,3632083913833268235,4112613734202947965,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,3632083913833268235,4112613734202947965,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1128 /prefetch:8
  2⤵
  PID:1540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,3632083913833268235,4112613734202947965,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,3632083913833268235,4112613734202947965,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2328 /prefetch:8
  2⤵
  PID:2612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,3632083913833268235,4112613734202947965,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,3632083913833268235,4112613734202947965,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
  2⤵
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1640,3632083913833268235,4112613734202947965,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3472 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,3632083913833268235,4112613734202947965,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1560 /prefetch:8
  2⤵
  PID:4456

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2328

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:3660
- C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3660_1747968679\ChromeRecovery.exe
  "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3660_1747968679\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={2028d348-71f7-43aa-8f70-fef5500e55e9} --system
  2⤵
  - Executes dropped EXE
  PID:4732

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\AppData\Local\Temp\Art#4376\banners\impalpablePopularization.js
1⤵
PID:1084

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Art#4376\banners\mongoosesFavors.cmd
1⤵
PID:1532

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\banners\impalpablePopularization.js"
1⤵
- Checks computer location settings
PID:5040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Art#4376\banners\mongoosesFavors.cmd" svr"
  2⤵
  PID:3776
- - C:\Windows\system32\regsvr32.exe
    regsvr32 banners\retsina.db
    3⤵
    PID:2568
  - - C:\Windows\SysWOW64\regsvr32.exe
      banners\retsina.db
      4⤵
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:4372
    - - C:\Windows\SysWOW64\wermgr.exe
        
        C:\Windows\SysWOW64\wermgr.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1756
      - C:\Windows\SysWOW64\net.exe
        
        net view
        6⤵
        Discovers systems in the same network
        
        PID:4288
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c set
        6⤵
        
        PID:4760
      - C:\Windows\SysWOW64\arp.exe
        
        arp -a
        6⤵
        
        PID:3724
      - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        6⤵
        Gathers network information
        
        PID:520
      - C:\Windows\SysWOW64\nslookup.exe
        
        nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP
        6⤵
        
        PID:4704
      - C:\Windows\SysWOW64\net.exe
        
        net share
        6⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 share
        7⤵
        
        PID:4240
      - C:\Windows\SysWOW64\route.exe
        
        route print
        6⤵
        
        PID:3952
      - C:\Windows\SysWOW64\netstat.exe
        
        netstat -nao
        6⤵
        Gathers network information
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
      - C:\Windows\SysWOW64\net.exe
        
        net localgroup
        6⤵
        
        PID:800
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup
        7⤵
        
        PID:3324
      - C:\Windows\SysWOW64\whoami.exe
        
        whoami /all
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1316

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3660_1747968679\ChromeRecovery.exe

Filesize
253KB

MD5
49ac3c96d270702a27b4895e4ce1f42a

SHA1
55b90405f1e1b72143c64113e8bc65608dd3fd76

SHA256
82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f

SHA512
b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3

Filesize
141KB

MD5
ea1c1ffd3ea54d1fb117bfdbb3569c60

SHA1
10958b0f690ae8f5240e1528b1ccffff28a33272

SHA256
7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d

SHA512
6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Art#4376\banners\impalpablePopularization.js

Filesize
221B

MD5
3fcfe2d081b471c6caaaf0d898c4868c

SHA1
e674d8c8b422c616fb9680a2b8605b0a062171e6

SHA256
31c56f4aa09b731e42f72f8346121922121e9b22c8de36a2a217e74a11fa43d7

SHA512
82c2817684289d1202f7f88cb7f139bdf5ae9b83616388095cc04f9d878590f6bf96bb84747eba45c6c12316cbdffa99674d783ec035b34b267bbc59784586c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Art#4376\banners\mongoosesFavors.cmd

Filesize
43B

MD5
18ed16c7c98444c28129ba2249c2419b

SHA1
3f0128c2efdb1f8803dfb0aa373aac7995eb7d8f

SHA256
23c8468d2ada0f33f983ab49d0bd953a09b6deae99fec3631d1305aebf2f0f11

SHA512
f6264f6538d668aa851c45b8ce9e51e3161309bdabb7553b59599c546fc942773e58f27a2854790a8128ebc27c5753f96a10a7804ba60f7901078bed59553321

Download Submit
C:\Users\Admin\AppData\Local\Temp\Art#4376\banners\retsina.db

Filesize
1.1MB

MD5
e17ff4c8e0da566b6fbe6ce54101eee7

SHA1
ed92354f1a9500c9dc07dfe77e23d3193e905559

SHA256
0b353412e79686c5185dfdf185747e856f379c863ff41d82ce0ef4b69b31b747

SHA512
70b9b4f07b35cf617da318e79999d3593355c126d10ab01a30827cd0daaa0d0fe54bbc9ed8fce80372803573ad2f30ea30e177dbf9ca0eddcf4cafb87e081f30

Download Submit
C:\Users\Admin\AppData\Local\Temp\Art#4376\banners\retsina.db

Filesize
1.1MB

MD5
e17ff4c8e0da566b6fbe6ce54101eee7

SHA1
ed92354f1a9500c9dc07dfe77e23d3193e905559

SHA256
0b353412e79686c5185dfdf185747e856f379c863ff41d82ce0ef4b69b31b747

SHA512
70b9b4f07b35cf617da318e79999d3593355c126d10ab01a30827cd0daaa0d0fe54bbc9ed8fce80372803573ad2f30ea30e177dbf9ca0eddcf4cafb87e081f30

Download Submit
memory/1756-150-0x00000000005B0000-0x00000000005D2000-memory.dmp

Filesize
136KB

Download
memory/1756-151-0x00000000005B0000-0x00000000005D2000-memory.dmp

Filesize
136KB

Download
memory/4372-146-0x0000000002C10000-0x0000000002C51000-memory.dmp

Filesize
260KB

Download
memory/4372-145-0x0000000002C80000-0x0000000002CA2000-memory.dmp

Filesize
136KB

Download
memory/4372-149-0x0000000002C80000-0x0000000002CA2000-memory.dmp

Filesize
136KB

Download
memory/4372-147-0x0000000002C80000-0x0000000002CA2000-memory.dmp

Filesize
136KB

Download