qakbot | 0ecca425b25eff81bf6493c1963719814b45025c059320d3474dda2ec3b1c76c

Analysis

max time kernel
153s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
08/01/2023, 20:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ea5c4107afa695a55a489d4c6ffc6edaa06690a6d196a62c0ae8388f0cdd87b9.html
Size

951KB
MD5

b8e99f04e5a459e6f4963811d66b56ca
SHA1

a2c79f4e15732406addeb9c1965d7d8c000b49db
SHA256

ea5c4107afa695a55a489d4c6ffc6edaa06690a6d196a62c0ae8388f0cdd87b9
SHA512

c44cd7c72e49b1578040e0c903e24052d06061c5b63511b92a392ddff18840258928e692b3246c0c3b93c8f664c5c8a85484915336a7d7c077251fb1657a59e5
SSDEEP

24576:x4loHd6SM5sH0ZnieQYDVD2aYRsTITFMf:fH8TZNQe

Score

10^/10

qakbot obama212 1665497532 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.973

Botnet

obama212

Campaign

1665497532

190.11.198.76:443

41.111.85.167:443

134.35.2.138:443

105.108.80.229:443

179.113.97.4:32101

197.158.89.85:443

197.204.101.178:443

105.69.147.88:995

41.103.252.215:443

41.104.109.190:443

41.107.209.163:443

14.227.159.241:443

82.12.196.197:443

103.156.237.139:443

196.235.137.166:443

181.141.3.126:443

102.157.22.8:443

41.111.52.120:443

197.92.143.218:443

181.44.34.172:443

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Executes dropped EXE 1 IoCs

pid	Process
4488	win.com

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	cmd.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\HardwareID	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Service	chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000003	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4496	chrome.exe
4496	chrome.exe
3480	chrome.exe
3480	chrome.exe
2460	chrome.exe
2460	chrome.exe
2348	chrome.exe
2348	chrome.exe
4852	chrome.exe
4852	chrome.exe
5016	chrome.exe
5016	chrome.exe
760	chrome.exe
760	chrome.exe
4464	regsvr32.exe
4464	regsvr32.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe
4292	chrome.exe
4292	chrome.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe
1720	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4464	regsvr32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3480 wrote to memory of 4212	3480	chrome.exe	82
PID 3480 wrote to memory of 4212	3480	chrome.exe	82
PID 3480 wrote to memory of 2044	3480	chrome.exe	85
PID 3480 wrote to memory of 2044	3480	chrome.exe	85
PID 3480 wrote to memory of 2044	3480	chrome.exe	85
PID 3480 wrote to memory of 2044	3480	chrome.exe	85
PID 3480 wrote to memory of 2044	3480	chrome.exe	85
PID 3480 wrote to memory of 2044	3480	chrome.exe	85
PID 3480 wrote to memory of 2044	3480	chrome.exe	85
PID 3480 wrote to memory of 2044	3480	chrome.exe	85
PID 3480 wrote to memory of 2044	3480	chrome.exe	85
PID 3480 wrote to memory of 2044	3480	chrome.exe	85
PID 3480 wrote to memory of 2044	3480	chrome.exe	85
PID 3480 wrote to memory of 2044	3480	chrome.exe	85
PID 3480 wrote to memory of 2044	3480	chrome.exe	85
PID 3480 wrote to memory of 2044	3480	chrome.exe	85
PID 3480 wrote to memory of 2044	3480	chrome.exe	85
PID 3480 wrote to memory of 2044	3480	chrome.exe	85
PID 3480 wrote to memory of 2044	3480	chrome.exe	85
PID 3480 wrote to memory of 2044	3480	chrome.exe	85
PID 3480 wrote to memory of 2044	3480	chrome.exe	85
PID 3480 wrote to memory of 2044	3480	chrome.exe	85
PID 3480 wrote to memory of 2044	3480	chrome.exe	85
PID 3480 wrote to memory of 2044	3480	chrome.exe	85
PID 3480 wrote to memory of 2044	3480	chrome.exe	85
PID 3480 wrote to memory of 2044	3480	chrome.exe	85
PID 3480 wrote to memory of 2044	3480	chrome.exe	85
PID 3480 wrote to memory of 2044	3480	chrome.exe	85
PID 3480 wrote to memory of 2044	3480	chrome.exe	85
PID 3480 wrote to memory of 2044	3480	chrome.exe	85
PID 3480 wrote to memory of 2044	3480	chrome.exe	85
PID 3480 wrote to memory of 2044	3480	chrome.exe	85
PID 3480 wrote to memory of 2044	3480	chrome.exe	85
PID 3480 wrote to memory of 2044	3480	chrome.exe	85
PID 3480 wrote to memory of 2044	3480	chrome.exe	85
PID 3480 wrote to memory of 2044	3480	chrome.exe	85
PID 3480 wrote to memory of 2044	3480	chrome.exe	85
PID 3480 wrote to memory of 2044	3480	chrome.exe	85
PID 3480 wrote to memory of 2044	3480	chrome.exe	85
PID 3480 wrote to memory of 2044	3480	chrome.exe	85
PID 3480 wrote to memory of 2044	3480	chrome.exe	85
PID 3480 wrote to memory of 2044	3480	chrome.exe	85
PID 3480 wrote to memory of 4496	3480	chrome.exe	86
PID 3480 wrote to memory of 4496	3480	chrome.exe	86
PID 3480 wrote to memory of 1244	3480	chrome.exe	87
PID 3480 wrote to memory of 1244	3480	chrome.exe	87
PID 3480 wrote to memory of 1244	3480	chrome.exe	87
PID 3480 wrote to memory of 1244	3480	chrome.exe	87
PID 3480 wrote to memory of 1244	3480	chrome.exe	87
PID 3480 wrote to memory of 1244	3480	chrome.exe	87
PID 3480 wrote to memory of 1244	3480	chrome.exe	87
PID 3480 wrote to memory of 1244	3480	chrome.exe	87
PID 3480 wrote to memory of 1244	3480	chrome.exe	87
PID 3480 wrote to memory of 1244	3480	chrome.exe	87
PID 3480 wrote to memory of 1244	3480	chrome.exe	87
PID 3480 wrote to memory of 1244	3480	chrome.exe	87
PID 3480 wrote to memory of 1244	3480	chrome.exe	87
PID 3480 wrote to memory of 1244	3480	chrome.exe	87
PID 3480 wrote to memory of 1244	3480	chrome.exe	87
PID 3480 wrote to memory of 1244	3480	chrome.exe	87
PID 3480 wrote to memory of 1244	3480	chrome.exe	87
PID 3480 wrote to memory of 1244	3480	chrome.exe	87
PID 3480 wrote to memory of 1244	3480	chrome.exe	87
PID 3480 wrote to memory of 1244	3480	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" C:\Users\Admin\AppData\Local\Temp\ea5c4107afa695a55a489d4c6ffc6edaa06690a6d196a62c0ae8388f0cdd87b9.html
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff858d74f50,0x7ff858d74f60,0x7ff858d74f70
  2⤵
  PID:4212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1632,15304968159698620937,13916036340772918424,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1700 /prefetch:2
  2⤵
  PID:2044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1632,15304968159698620937,13916036340772918424,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2016 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1632,15304968159698620937,13916036340772918424,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1624 /prefetch:8
  2⤵
  PID:1244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,15304968159698620937,13916036340772918424,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2948 /prefetch:1
  2⤵
  PID:784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,15304968159698620937,13916036340772918424,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2956 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,15304968159698620937,13916036340772918424,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4312 /prefetch:1
  2⤵
  PID:4136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,15304968159698620937,13916036340772918424,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3380 /prefetch:8
  2⤵
  PID:3464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1632,15304968159698620937,13916036340772918424,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3372 /prefetch:8
  2⤵
  PID:1496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,15304968159698620937,13916036340772918424,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  PID:3792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,15304968159698620937,13916036340772918424,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,15304968159698620937,13916036340772918424,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  PID:3412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,15304968159698620937,13916036340772918424,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,15304968159698620937,13916036340772918424,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  PID:4280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,15304968159698620937,13916036340772918424,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1632,15304968159698620937,13916036340772918424,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,15304968159698620937,13916036340772918424,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,15304968159698620937,13916036340772918424,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,15304968159698620937,13916036340772918424,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3384 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,15304968159698620937,13916036340772918424,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3368 /prefetch:8
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,15304968159698620937,13916036340772918424,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2620 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,15304968159698620937,13916036340772918424,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3380 /prefetch:8
  2⤵
  PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,15304968159698620937,13916036340772918424,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
  2⤵
  PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1632,15304968159698620937,13916036340772918424,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5388 /prefetch:2
  2⤵
  PID:1260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,15304968159698620937,13916036340772918424,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4904 /prefetch:8
  2⤵
  PID:756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4364

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""E:\japonica\mastiff.cmd" "
1⤵
- Enumerates connected drives
PID:4876
- C:\Users\Admin\AppData\Local\Temp\win.com
  C:\Users\Admin\AppData\Local\Temp\win.com japonica\mobsters.dat
  2⤵
  - Executes dropped EXE
  PID:4488
- - C:\Windows\SysWOW64\regsvr32.exe
    japonica\mobsters.dat
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:4464
  - - C:\Windows\SysWOW64\wermgr.exe
      C:\Windows\SysWOW64\wermgr.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\win.com

Filesize
24KB

MD5
b0c2fa35d14a9fad919e99d9d75e1b9e

SHA1
8d7c2fd354363daee63e8f591ec52fa5d0e23f6f

SHA256
022cb167a29a32dae848be91aef721c74f1975af151807dafcc5ed832db246b7

SHA512
a6155e42b605425914d1bf745d9b2b5ed57976e161384731c6821a1f8fa2bc3207a863ae45d6ad371ac82733b72bb024204498baa4fb38ad46c6d7bc52e5a022

Download Submit
memory/1720-142-0x0000000000760000-0x0000000000789000-memory.dmp

Filesize
164KB

Download
memory/1720-143-0x0000000000760000-0x0000000000789000-memory.dmp

Filesize
164KB

Download
memory/4464-137-0x0000000002980000-0x00000000029A9000-memory.dmp

Filesize
164KB

Download
memory/4464-138-0x00000000024D0000-0x00000000024F9000-memory.dmp

Filesize
164KB

Download
memory/4464-139-0x0000000002980000-0x00000000029A9000-memory.dmp

Filesize
164KB

Download
memory/4464-141-0x0000000002980000-0x00000000029A9000-memory.dmp

Filesize
164KB

Download