Analysis Overview
SHA256
39428e08fb14d18878d147f91f9cfbd32436a2c07e695e4330e39468b08cd1c6
Threat Level: Known bad
The file 39428e08fb14d18878d147f91f9cfbd32436a2c07e695e4330e39468b08cd1c6.dll was found to be: Known bad.
Malicious Activity Summary
Qakbot/Qbot
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-09 07:32
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-09 07:32
Reported
2023-01-09 07:33
Platform
win7-20220812-en
Max time kernel
10s
Signatures
Qakbot/Qbot
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1392 wrote to memory of 1968 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1392 wrote to memory of 1968 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1392 wrote to memory of 1968 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1392 wrote to memory of 1968 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1392 wrote to memory of 1968 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1392 wrote to memory of 1968 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1392 wrote to memory of 1968 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\39428e08fb14d18878d147f91f9cfbd32436a2c07e695e4330e39468b08cd1c6.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\39428e08fb14d18878d147f91f9cfbd32436a2c07e695e4330e39468b08cd1c6.dll
Files
memory/1392-54-0x000007FEFBA81000-0x000007FEFBA83000-memory.dmp
memory/1968-55-0x0000000000000000-mapping.dmp
memory/1968-56-0x0000000075521000-0x0000000075523000-memory.dmp
memory/1968-57-0x0000000000140000-0x0000000000162000-memory.dmp
memory/1968-59-0x0000000000140000-0x0000000000162000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-09 07:32
Reported
2023-01-09 07:35
Platform
win10v2004-20220812-en
Max time kernel
150s
Max time network
148s
Signatures
Qakbot/Qbot
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\39428e08fb14d18878d147f91f9cfbd32436a2c07e695e4330e39468b08cd1c6.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\39428e08fb14d18878d147f91f9cfbd32436a2c07e695e4330e39468b08cd1c6.dll
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /Z /ST 08:35 /tn rtoetgatg /ET 08:46 /tr "powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAMwA5ADQAMgA4AGUAMAA4AGYAYgAxADQAZAAxADgAOAA3ADgAZAAxADQANwBmADkAMQBmADkAYwBmAGIAZAAzADIANAAzADYAYQAyAGMAMAA3AGUANgA5ADUAZQA0ADMAMwAwAGUAMwA5ADQANgA4AGIAMAA4AGMAZAAxAGMANgAuAGQAbABsACIA" /SC ONCE
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 8.8.8.8:53 | f.7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
| N/A | 51.132.193.104:443 | N/A | tcp |
| N/A | 87.248.202.1:80 | N/A | tcp |
| N/A | 87.248.202.1:80 | N/A | tcp |
Files
memory/1756-132-0x0000000000000000-mapping.dmp
memory/1756-133-0x0000000000D40000-0x0000000000D62000-memory.dmp
memory/2380-134-0x0000000000000000-mapping.dmp
memory/1756-135-0x0000000000D40000-0x0000000000D62000-memory.dmp
memory/2380-136-0x0000000000FD0000-0x0000000000FF2000-memory.dmp
memory/3952-137-0x0000000000000000-mapping.dmp
memory/2380-138-0x0000000000FD0000-0x0000000000FF2000-memory.dmp