qakbot | 75b86b1c8506479e325adef0d1709fe1085d18412735801382794bfaa11d673b

General

Target

b5ac0c29-5792-4494-b1da-39e24a1305f2.html
Size

635KB
MD5

ed71cd00d8d5828af0f009cb416b5f29
SHA1

a0a4dfee1827ebc7cbd9cd4b3d65b4af4523bb85
SHA256

75b86b1c8506479e325adef0d1709fe1085d18412735801382794bfaa11d673b
SHA512

06f0060c25653c84a2f7b8bf09a5c1ebe2de1dc6bd4fed9ff42892a950e972e7cff39a9c9fd638d7ce7acc975ca7c9b12674a57ff49b10ef71fbc8f2c9dfc282
SSDEEP

12288:4K6CzXEideCJbodCmGqbBtfWr13NCpEK3XoXtYStXtb:+Cz0ikqEdCWtfNpX4XuGXl

Score

10^/10

qakbot obama223 1668757345 banker persistence stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.30

Botnet

obama223

Campaign

1668757345

C2

68.47.128.161:443

87.65.160.87:995

172.90.139.138:2222

86.175.128.143:443

12.172.173.82:465

71.247.10.63:2083

47.41.154.250:443

91.254.215.167:443

71.31.101.183:443

81.229.117.95:2222

24.4.239.157:443

41.99.177.175:443

92.149.205.238:2222

73.230.28.7:443

47.229.96.60:443

186.188.2.193:443

174.112.25.29:2078

84.35.26.14:995

86.130.9.167:2222

116.74.163.221:443

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation WScript.exe
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

WScript.exeNotepad.exe

description ioc process

File opened (read-only) \??\E: WScript.exe
File opened (read-only) \??\E: Notepad.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

description	ioc	process
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\E:	Notepad.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221130015517.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\3d2e8fcc-03e6-4e01-97fc-3d7c33a7d87a.tmp	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000003	msedge.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\HardwareID	msedge.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Service	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

Processes:

powershell.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exemsedge.exemsedge.exemsedge.exeidentity_helper.exeregsvr32.exewermgr.exe

pid	process
3952	powershell.exe
3952	powershell.exe
2372	msedge.exe
2372	msedge.exe
4992	msedge.exe
4992	msedge.exe
3188	msedge.exe
3188	msedge.exe
548	identity_helper.exe
548	identity_helper.exe
5540	regsvr32.exe
5540	regsvr32.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe
5620	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

regsvr32.exe

pid process

5540 regsvr32.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

4992 msedge.exe
4992 msedge.exe
4992 msedge.exe
4992 msedge.exe
4992 msedge.exe
4992 msedge.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3952 powershell.exe

pid	process
5540	regsvr32.exe

description	pid	process
Token: SeDebugPrivilege	3952	powershell.exe

Suspicious use of FindShellTrayWindow 11 IoCs

Processes:

msedge.exe

pid	process
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4992 wrote to memory of 1164	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 1164	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4392	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4392	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4392	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4392	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4392	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4392	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4392	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4392	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4392	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4392	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4392	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4392	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4392	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4392	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4392	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4392	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4392	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4392	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4392	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4392	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4392	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4392	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4392	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4392	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4392	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4392	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4392	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4392	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4392	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4392	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4392	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4392	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4392	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4392	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4392	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4392	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4392	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4392	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4392	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4392	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 2372	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 2372	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 3504	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 3504	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 3504	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 3504	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 3504	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 3504	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 3504	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 3504	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 3504	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 3504	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 3504	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 3504	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 3504	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 3504	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 3504	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 3504	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 3504	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 3504	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 3504	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 3504	4992	msedge.exe	msedge.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start shell:Appsfolder\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge C:\Users\Admin\AppData\Local\Temp\b5ac0c29-5792-4494-b1da-39e24a1305f2.html
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-redirect=Windows.Launch C:\Users\Admin\AppData\Local\Temp\b5ac0c29-5792-4494-b1da-39e24a1305f2.html
1⤵
- Adds Run key to start application
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff985c046f8,0x7ff985c04708,0x7ff985c04718
2⤵
PID:1164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,1447952634884858584,7262081123825966660,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
2⤵
PID:4392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,1447952634884858584,7262081123825966660,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,1447952634884858584,7262081123825966660,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
2⤵
PID:3504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1447952634884858584,7262081123825966660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
2⤵
PID:1512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1447952634884858584,7262081123825966660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
2⤵
PID:1396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2100,1447952634884858584,7262081123825966660,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4844 /prefetch:8
2⤵
PID:740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1447952634884858584,7262081123825966660,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
2⤵
PID:2312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,1447952634884858584,7262081123825966660,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5284 /prefetch:8
2⤵
PID:3368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1447952634884858584,7262081123825966660,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
2⤵
PID:1644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,1447952634884858584,7262081123825966660,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2100,1447952634884858584,7262081123825966660,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5600 /prefetch:8
2⤵
PID:3176

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,1447952634884858584,7262081123825966660,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6160 /prefetch:8
2⤵
PID:3492

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
2⤵
- Drops file in Program Files directory
PID:1476

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x10c,0x104,0x108,0xd8,0xfc,0x7ff696df5460,0x7ff696df5470,0x7ff696df5480
3⤵
PID:4568

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,1447952634884858584,7262081123825966660,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6160 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1447952634884858584,7262081123825966660,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
2⤵
PID:3776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1447952634884858584,7262081123825966660,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1
2⤵
PID:2456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2100,1447952634884858584,7262081123825966660,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5124 /prefetch:8
2⤵
PID:5812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2100,1447952634884858584,7262081123825966660,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5132 /prefetch:8
2⤵
PID:5884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,1447952634884858584,7262081123825966660,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1848 /prefetch:2
2⤵
PID:5968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2100,1447952634884858584,7262081123825966660,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2096 /prefetch:8
2⤵
PID:6032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2100,1447952634884858584,7262081123825966660,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5224 /prefetch:8
2⤵
PID:5192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2100,1447952634884858584,7262081123825966660,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5380 /prefetch:8
2⤵
PID:5568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2100,1447952634884858584,7262081123825966660,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5920 /prefetch:8
2⤵
PID:5316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5088

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3176

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "E:\Agreement.js"
1⤵
- Checks computer location settings
- Enumerates connected drives
PID:5472

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" debunked\irately.temp
2⤵
PID:5520

C:\Windows\SysWOW64\regsvr32.exe
debunked\irately.temp
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:5540

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:5620

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" E:\Agreement.js
1⤵
- Enumerates connected drives
PID:5692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

5

T1082

Peripheral Device Discovery

2

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\pipe\LOCAL\crashpad_4992_HJVGIIYRCXJCDZOC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/548-159-0x0000000000000000-mapping.dmp

Download
memory/740-146-0x0000000000000000-mapping.dmp

Download
memory/1164-133-0x0000000000000000-mapping.dmp

Download
memory/1396-144-0x0000000000000000-mapping.dmp

Download
memory/1476-157-0x0000000000000000-mapping.dmp

Download
memory/1512-142-0x0000000000000000-mapping.dmp

Download
memory/1644-152-0x0000000000000000-mapping.dmp

Download
memory/2312-148-0x0000000000000000-mapping.dmp

Download
memory/2372-137-0x0000000000000000-mapping.dmp

Download
memory/2456-163-0x0000000000000000-mapping.dmp

Download
memory/3176-155-0x0000000000000000-mapping.dmp

Download
memory/3188-153-0x0000000000000000-mapping.dmp

Download
memory/3368-150-0x0000000000000000-mapping.dmp

Download
memory/3504-140-0x0000000000000000-mapping.dmp

Download
memory/3776-161-0x0000000000000000-mapping.dmp

Download
memory/3952-132-0x0000025AB8A20000-0x0000025AB8A42000-memory.dmp

Filesize
136KB

Download
memory/3952-156-0x00007FF984A20000-0x00007FF9854E1000-memory.dmp

Filesize
10.8MB

Download
memory/3952-134-0x00007FF984A20000-0x00007FF9854E1000-memory.dmp

Filesize
10.8MB

Download
memory/4392-136-0x0000000000000000-mapping.dmp

Download
memory/4568-158-0x0000000000000000-mapping.dmp

Download
memory/5192-180-0x0000000000000000-mapping.dmp

Download
memory/5316-184-0x0000000000000000-mapping.dmp

Download
memory/5520-164-0x0000000000000000-mapping.dmp

Download
memory/5540-165-0x0000000000000000-mapping.dmp

Download
memory/5540-166-0x0000000000730000-0x000000000075E000-memory.dmp

Filesize
184KB

Download
memory/5540-167-0x0000000000760000-0x000000000078A000-memory.dmp

Filesize
168KB

Download
memory/5540-169-0x0000000000760000-0x000000000078A000-memory.dmp

Filesize
168KB

Download
memory/5568-182-0x0000000000000000-mapping.dmp

Download
memory/5620-168-0x0000000000000000-mapping.dmp

Download
memory/5620-171-0x0000000000CC0000-0x0000000000CEA000-memory.dmp

Filesize
168KB

Download
memory/5620-170-0x0000000000CC0000-0x0000000000CEA000-memory.dmp

Filesize
168KB

Download
memory/5812-173-0x0000000000000000-mapping.dmp

Download
memory/5884-175-0x0000000000000000-mapping.dmp

Download
memory/5968-176-0x0000000000000000-mapping.dmp

Download
memory/6032-178-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads