Analysis Overview
SHA256
987ac6627a2e59290a15e91ec91b9028106e7f9ebce059a2b54cbbb4b30c3d48
Threat Level: Known bad
The file 987ac6627a2e59290a15e91ec91b9028106e7f9ebce059a2b54cbbb4b30c3d48 was found to be: Known bad.
Malicious Activity Summary
Qakbot/Qbot
Program crash
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-03-03 15:34
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-03 15:34
Reported
2023-03-03 15:36
Platform
win7-20230220-en
Max time kernel
149s
Max time network
32s
Command Line
Signatures
Qakbot/Qbot
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\987ac6627a2e59290a15e91ec91b9028106e7f9ebce059a2b54cbbb4b30c3d48.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\987ac6627a2e59290a15e91ec91b9028106e7f9ebce059a2b54cbbb4b30c3d48.dll,#1
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
\??\c:\Windows\System32\rundll32.exe
rundll32.exe c:\Users\Admin\AppData\Local\Temp\987ac6627a2e59290a15e91ec91b9028106e7f9ebce059a2b54cbbb4b30c3d48.dll,RS32
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe c:\Users\Admin\AppData\Local\Temp\987ac6627a2e59290a15e91ec91b9028106e7f9ebce059a2b54cbbb4b30c3d48.dll,RS32
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
Network
Files
memory/548-54-0x0000000000210000-0x0000000000233000-memory.dmp
memory/548-59-0x0000000000210000-0x0000000000233000-memory.dmp
memory/548-60-0x0000000000170000-0x0000000000173000-memory.dmp
memory/548-61-0x0000000000170000-0x0000000000173000-memory.dmp
memory/1792-62-0x00000000000F0000-0x00000000000F2000-memory.dmp
memory/548-63-0x0000000000210000-0x0000000000233000-memory.dmp
memory/1792-64-0x00000000000C0000-0x00000000000E3000-memory.dmp
memory/1792-67-0x00000000000C0000-0x00000000000E3000-memory.dmp
memory/1792-68-0x00000000000C0000-0x00000000000E3000-memory.dmp
memory/1792-69-0x00000000000C0000-0x00000000000E3000-memory.dmp
memory/1792-70-0x00000000000C0000-0x00000000000E3000-memory.dmp
memory/1792-72-0x00000000000C0000-0x00000000000E3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-03-03 15:34
Reported
2023-03-03 15:36
Platform
win10v2004-20230220-en
Max time kernel
143s
Max time network
132s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3752 wrote to memory of 3048 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3752 wrote to memory of 3048 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3752 wrote to memory of 3048 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4080 wrote to memory of 4664 | N/A | C:\Windows\system32\cmd.exe | \??\c:\Windows\System32\rundll32.exe |
| PID 4080 wrote to memory of 4664 | N/A | C:\Windows\system32\cmd.exe | \??\c:\Windows\System32\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\987ac6627a2e59290a15e91ec91b9028106e7f9ebce059a2b54cbbb4b30c3d48.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\987ac6627a2e59290a15e91ec91b9028106e7f9ebce059a2b54cbbb4b30c3d48.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 416 -p 3864 -ip 3864
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3864 -s 4240
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
\??\c:\Windows\System32\rundll32.exe
rundll32.exe c:\Users\Admin\AppData\Local\Temp\987ac6627a2e59290a15e91ec91b9028106e7f9ebce059a2b54cbbb4b30c3d48.dll,RS32
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | tcp | |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp |
| NL | 20.50.201.195:443 | tcp | |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 209.197.3.8:80 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 131.253.33.203:80 | tcp | |
| US | 8.8.8.8:53 | 58.104.205.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.74.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp |
| US | 209.197.3.8:80 | tcp |
Files
memory/4652-139-0x0000028EABCA0000-0x0000028EABCC0000-memory.dmp
memory/4652-144-0x0000028EAC070000-0x0000028EAC090000-memory.dmp
memory/4652-142-0x0000028EABC60000-0x0000028EABC80000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_charmap_exe
| MD5 | 406347732c383e23c3b1af590a47bccd |
| SHA1 | fae764f62a396f2503dd81eefd3c7f06a5fb8e5f |
| SHA256 | e0a9f5c75706dc79a44d0c890c841b2b0b25af4ee60d0a16a7356b067210038e |
| SHA512 | 18905eaad8184bb3a7b0fe21ff37ed2ee72a3bd24bb90cbfcad222cf09e2fa74e886d5c687b21d81cd3aec1e6c05891c24f67a8f82bafd2aceb0e0dcb7672ce7 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{0A6AC72E-ED8C-C16F-38B6-05831557CF24}
| MD5 | 8aaad0f4eb7d3c65f81c6e6b496ba889 |
| SHA1 | 231237a501b9433c292991e4ec200b25c1589050 |
| SHA256 | 813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1 |
| SHA512 | 1a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62 |
memory/4652-326-0x00000286A9000000-0x00000286AA92F000-memory.dmp
memory/4652-710-0x00000286A9000000-0x00000286AA92F000-memory.dmp