Analysis Overview
SHA256
7f891d031f9fb425425dead2afdb523cdd3979da1416ddcc66adf3147ef359d1
Threat Level: Known bad
The file qbot-7-pw-abc555.zip was found to be: Known bad.
Malicious Activity Summary
Qakbot/Qbot
Program crash
Enumerates physical storage devices
Checks SCSI registry key(s)
Modifies registry class
Opens file in notepad (likely ransom note)
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-07 19:31
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-07 19:31
Reported
2023-02-07 19:34
Platform
win10-20220812-en
Max time kernel
52s
Max time network
148s
Command Line
Signatures
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\DeviceDesc | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\HardwareID | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | C:\Windows\system32\svchost.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache | C:\Windows\system32\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\cmd.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\cmd.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\REJ_1766.iso
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
Network
| Country | Destination | Domain | Proto |
| US | 20.189.173.10:443 | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-07 19:31
Reported
2023-02-07 19:34
Platform
win10-20220901-en
Max time kernel
51s
Max time network
147s
Command Line
Signatures
Enumerates physical storage devices
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\REJ.lnk
Network
| Country | Destination | Domain | Proto |
| US | 20.42.65.89:443 | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2023-02-07 19:31
Reported
2023-02-07 19:34
Platform
win10-20220812-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\oslo\nicks.txt
Network
| Country | Destination | Domain | Proto |
| GB | 51.105.71.136:443 | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2023-02-07 19:31
Reported
2023-02-07 19:34
Platform
win10-20220812-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4436 wrote to memory of 4204 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\regsvr32.exe |
| PID 4436 wrote to memory of 4204 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\regsvr32.exe |
| PID 4436 wrote to memory of 428 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE |
| PID 4436 wrote to memory of 428 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\oslo\they.cmd"
C:\Windows\system32\regsvr32.exe
C:\Windows\\\\\\system32\\\\\\regsvr32.exe oslo\trudge.dat
C:\Windows\system32\PING.EXE
ping google.com
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | google.com | udp |
| US | 52.168.112.66:443 | tcp |
Files
memory/4204-115-0x0000000000000000-mapping.dmp
memory/428-116-0x0000000000000000-mapping.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2023-02-07 19:31
Reported
2023-02-07 19:34
Platform
win10-20220901-en
Max time kernel
50s
Max time network
147s
Command Line
Signatures
Enumerates physical storage devices
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\oslo\train.png
Network
| Country | Destination | Domain | Proto |
| US | 20.44.10.122:443 | tcp | |
| US | 93.184.221.240:80 | tcp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2023-02-07 19:31
Reported
2023-02-07 19:34
Platform
win10-20220812-en
Max time kernel
144s
Max time network
146s
Command Line
Signatures
Qakbot/Qbot
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4720 wrote to memory of 4492 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4720 wrote to memory of 4492 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4720 wrote to memory of 4492 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\oslo\trudge.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\oslo\trudge.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 712
Network
| Country | Destination | Domain | Proto |
| GB | 51.105.71.137:443 | tcp | |
| US | 93.184.221.240:80 | tcp |
Files
memory/4492-116-0x0000000000000000-mapping.dmp
memory/4492-117-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-118-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-119-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-120-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-121-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-122-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-123-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-124-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-126-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-127-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-128-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-129-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-130-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-131-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-132-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-133-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-125-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-134-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-135-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-136-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-137-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-138-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-139-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-141-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-142-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-144-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-146-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-147-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-148-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-150-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-152-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-153-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-154-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-151-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-149-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-145-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-143-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-140-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-155-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-157-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-156-0x0000000000A30000-0x0000000000BD8000-memory.dmp
memory/4492-158-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-159-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-160-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-161-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-162-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-163-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-164-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-165-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-166-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-167-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-168-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-169-0x00000000046A0000-0x00000000046C9000-memory.dmp
memory/4492-170-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-171-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-172-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-173-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-174-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-175-0x0000000000E20000-0x0000000000E4A000-memory.dmp
memory/4492-176-0x00000000046A0000-0x00000000046C9000-memory.dmp
memory/4492-177-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-179-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-178-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4492-180-0x00000000046A0000-0x00000000046C9000-memory.dmp