525c47a20e285efd7491185c1623d18e375f26f62864e73576608fd5c541053f | Triage

Analysis

max time kernel
91s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2022 00:54

Sharing

Report Analysis Logs

General

Target

newst_qbot_obama.dll
Size

168KB
MD5

6ee20df54a3fe0779b34587482489032
SHA1

6e8ca2cd0112f04589151620760290409ec58eb6
SHA256

525c47a20e285efd7491185c1623d18e375f26f62864e73576608fd5c541053f
SHA512

1166aeedd08a447d89c29c71ec4c9322218ec17c201c86dbf564f13e40ac00d3410a81ea1cbec2dbd15082bf9f046edba443339a0ed1a1b4dd7468383ad54812
SSDEEP

3072:9wKKmgbQWxRJ9B0/ITuWA9YNJMAnUFzTBfF5gj/O/yafaY:iZTK/ITuT9YNJHn0zTB95QG/

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 4884 wrote to memory of 800	4884	regsvr32.exe	regsvr32.exe
PID 4884 wrote to memory of 800	4884	regsvr32.exe	regsvr32.exe
PID 4884 wrote to memory of 800	4884	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\newst_qbot_obama.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\newst_qbot_obama.dll
  2⤵
  PID:800

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/800-132-0x0000000000000000-mapping.dmp

Download