qakbot | 184f9484299a3227430041acb86c82af3a89f78633599ed6c3afe66e61900ed7

General

Target

0b2de008-e828-4d57-921b-3b939ee621de.zip
Size

433KB
MD5

10fe31576a786ad193ece260351ab4db
SHA1

cac60c023a04a913a9131bd65ded26f0c1a46dbc
SHA256

184f9484299a3227430041acb86c82af3a89f78633599ed6c3afe66e61900ed7
SHA512

ed8773ac03d26f1a8e3eb69de795edba373ad4d1c3547919ee91508ef23da260e33c9195ec763578b4fc992739e73f4fd45f9d105294945f343cb0db40576ab6
SSDEEP

6144:6kzidwF+C9ClTzYqtmZkKPr3MXb27e7NfZ3997Fom4941K024aeyjGLlV1nl++3r:vzi/C9INtmZN7Ea7INZNgm6CNyjsL+qr

Score

10^/10

qakbot obama221 1667915095 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.27

Botnet

obama221

Campaign

1667915095

C2

199.83.165.233:443

24.142.218.202:443

79.166.120.168:995

92.24.200.226:995

151.32.168.124:443

72.88.245.71:443

46.229.194.17:443

142.119.40.220:2222

177.205.114.49:2222

174.104.184.149:443

86.167.26.227:2222

94.15.58.251:443

82.155.111.187:443

2.84.98.228:2222

69.133.162.35:443

92.189.214.236:2222

190.74.23.139:443

47.34.30.133:443

80.103.77.44:2222

82.34.170.37:443

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 64 IoCs

Processes:

explorer.execontrol.execontrol.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\timedate.cpl,-52#immutable1 = "Set the date, time, and time zone for your computer."	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3 = 14001f706806ee260aa0d7449371beb064c986830000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	control.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\Vault.dll,-1#immutable1 = "Credential Manager"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3001#immutable1 = "Sync files between your computer and network folders"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\DeviceCenter.dll,-2000#immutable1 = "View and manage devices, printers, and print jobs"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\DiagCpl.dll,-15#immutable1 = "Troubleshoot and fix common computer problems."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\accessibilitycpl.dll,-10#immutable1 = "Ease of Access Center"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\GroupByDirection = "1"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\Speech\SpeechUX\speechuxcpl.dll,-2#immutable1 = "Configure how speech recognition works on your computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fvecpl.dll,-1#immutable1 = "BitLocker Drive Encryption"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\powercpl.dll,-2#immutable1 = "Conserve energy or maximize performance by choosing how your computer manages power."	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\GroupView = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\intl.cpl,-3#immutable1 = "Region"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\inetcpl.cpl,-4312#immutable1 = "Internet Options"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\systemcpl.dll,-2#immutable1 = "View information about your computer, and change settings for hardware, performance, and remote connections."	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WFlags = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\Vault.dll,-2#immutable1 = "Manage your Windows credentials."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12122#immutable1 = "Windows Defender Firewall"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\devmgr.dll,-4#immutable1 = "Device Manager"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\appwiz.cpl,-159#immutable1 = "Programs and Features"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\colorcpl.exe,-6#immutable1 = "Color Management"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\DiagCpl.dll,-1#immutable1 = "Troubleshooting"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	control.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sud.dll,-10#immutable1 = "Choose which programs you want Windows to use for activities like web browsing, editing photos, sending e-mail, and playing music."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12123#immutable1 = "Set firewall security options to help protect your computer from hackers and malicious software."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\DeviceCenter.dll,-1000#immutable1 = "Devices and Printers"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\colorcpl.exe,-7#immutable1 = "Change advanced color management settings for displays, scanners, and printers."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sdcpl.dll,-101#immutable1 = "Backup and Restore (Windows 7)"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\systemcpl.dll,-1#immutable1 = "System"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\RADCUI.dll,-15300#immutable1 = "RemoteApp and Desktop Connections"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\recovery.dll,-101#immutable1 = "Recovery"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\accessibilitycpl.dll,-45#immutable1 = "Make your computer easier to use."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\usercpl.dll,-1#immutable1 = "User Accounts"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\timedate.cpl,-51#immutable1 = "Date and Time"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\telephon.cpl,-2#immutable1 = "Configure your telephone dialing rules and modem settings."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fvecpl.dll,-2#immutable1 = "Protect your PC using BitLocker Drive Encryption."	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\FFlags = "18874369"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\Speech\SpeechUX\speechuxcpl.dll,-1#immutable1 = "Speech Recognition"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-100#immutable1 = "Mouse"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\HotKey = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\FFlags = "18874385"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 03000000010000000200000000000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\LogicalViewMode = "2"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sud.dll,-1#immutable1 = "Default Programs"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\RADCUI.dll,-15301#immutable1 = "Manage your RemoteApp and Desktop Connections"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\inetcpl.cpl,-4313#immutable1 = "Configure your Internet display and connection settings."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\mmsys.cpl,-300#immutable1 = "Sound"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\mmsys.cpl,-301#immutable1 = "Configure your audio devices or change the sound scheme for your computer."	explorer.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

explorer.exe

pid process

1112 explorer.exe
1112 explorer.exe

pid	process
1112	explorer.exe
1112	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exewermgr.exe

pid	process
3144	regsvr32.exe
3144	regsvr32.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe
2096	wermgr.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

3144 regsvr32.exe
2232 regsvr32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

explorer.exe

description pid process

Token: SeShutdownPrivilege 1112 explorer.exe
Token: SeCreatePagefilePrivilege 1112 explorer.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

explorer.exe

pid process

1112 explorer.exe
1112 explorer.exe

description	pid	process
Token: SeShutdownPrivilege	1112	explorer.exe
Token: SeCreatePagefilePrivilege	1112	explorer.exe

pid	process
1112	explorer.exe
1112	explorer.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

cmd.execontrol.exeregsvr32.execmd.execontrol.exeregsvr32.exe

description	pid	process	target process
PID 2196 wrote to memory of 940	2196	cmd.exe	control.exe
PID 2196 wrote to memory of 940	2196	cmd.exe	control.exe
PID 2196 wrote to memory of 940	2196	cmd.exe	control.exe
PID 940 wrote to memory of 3144	940	control.exe	regsvr32.exe
PID 940 wrote to memory of 3144	940	control.exe	regsvr32.exe
PID 940 wrote to memory of 3144	940	control.exe	regsvr32.exe
PID 3144 wrote to memory of 2096	3144	regsvr32.exe	wermgr.exe
PID 3144 wrote to memory of 2096	3144	regsvr32.exe	wermgr.exe
PID 3144 wrote to memory of 2096	3144	regsvr32.exe	wermgr.exe
PID 3144 wrote to memory of 2096	3144	regsvr32.exe	wermgr.exe
PID 3144 wrote to memory of 2096	3144	regsvr32.exe	wermgr.exe
PID 1536 wrote to memory of 3916	1536	cmd.exe	control.exe
PID 1536 wrote to memory of 3916	1536	cmd.exe	control.exe
PID 1536 wrote to memory of 3916	1536	cmd.exe	control.exe
PID 3916 wrote to memory of 2232	3916	control.exe	regsvr32.exe
PID 3916 wrote to memory of 2232	3916	control.exe	regsvr32.exe
PID 3916 wrote to memory of 2232	3916	control.exe	regsvr32.exe
PID 2232 wrote to memory of 5008	2232	regsvr32.exe	wermgr.exe
PID 2232 wrote to memory of 5008	2232	regsvr32.exe	wermgr.exe
PID 2232 wrote to memory of 5008	2232	regsvr32.exe	wermgr.exe
PID 2232 wrote to memory of 5008	2232	regsvr32.exe	wermgr.exe
PID 2232 wrote to memory of 5008	2232	regsvr32.exe	wermgr.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\0b2de008-e828-4d57-921b-3b939ee621de.zip
1⤵
PID:2096

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1940

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c control.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2196
- \??\E:\control.exe
  control.exe
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\SysWOW64\regsvr32.exe msoffice32.dll
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3144
  - - C:\Windows\SysWOW64\wermgr.exe
      C:\Windows\SysWOW64\wermgr.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2096

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1112

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:3892

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c control.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1536
- \??\E:\control.exe
  control.exe
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3916
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\SysWOW64\regsvr32.exe msoffice32.dll
    3⤵
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Windows\SysWOW64\wermgr.exe
      C:\Windows\SysWOW64\wermgr.exe
      4⤵
      PID:5008

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:3484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/940-132-0x0000000000000000-mapping.dmp

Download
memory/2096-136-0x0000000000000000-mapping.dmp

Download
memory/2096-139-0x0000000000BC0000-0x0000000000BEA000-memory.dmp

Filesize
168KB

Download
memory/2096-138-0x0000000000BC0000-0x0000000000BEA000-memory.dmp

Filesize
168KB

Download
memory/2232-141-0x0000000000000000-mapping.dmp

Download
memory/2232-142-0x0000000002BD0000-0x0000000002BFA000-memory.dmp

Filesize
168KB

Download
memory/2232-145-0x0000000002BD0000-0x0000000002BFA000-memory.dmp

Filesize
168KB

Download
memory/3144-137-0x0000000001330000-0x000000000135A000-memory.dmp

Filesize
168KB

Download
memory/3144-135-0x0000000001330000-0x000000000135A000-memory.dmp

Filesize
168KB

Download
memory/3144-134-0x0000000001300000-0x000000000132E000-memory.dmp

Filesize
184KB

Download
memory/3144-133-0x0000000000000000-mapping.dmp

Download
memory/3916-140-0x0000000000000000-mapping.dmp

Download
memory/5008-143-0x0000000000000000-mapping.dmp

Download
memory/5008-144-0x0000000000460000-0x000000000048A000-memory.dmp

Filesize
168KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads