Malware Analysis Report

2024-11-30 22:54

Sample ID: 230517-qev1jsfb43
Target: CryptOne_Exec_4cc2eae115f8aec53f845b05951e3006da0412d024649910e26094cc673b7928.bin
SHA256: d3095f08ae2d3f9b31dd5696bd593e5de14b4ca665389f0d480ad12318af2682
Tags: aa 1651732978 qakbot banker evasion stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: d3095f08ae2d3f9b31dd5696bd593e5de14b4ca665389f0d480ad12318af2682

Threat Level: Known bad

The file CryptOne_Exec_4cc2eae115f8aec53f845b05951e3006da0412d024649910e26094cc673b7928.bin was found to be: Known bad.

Malicious Activity Summary

aa 1651732978 qakbot banker evasion stealer trojan

Windows security bypass

Qakbot family

Qakbot/Qbot

Loads dropped DLL

Unsigned PE

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-05-17 13:10

Signatures

Qakbot family

qakbot

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-05-17 13:10
Reported: 2023-05-17 13:13
Platform: win7-20230220-en
Max time kernel: 150s
Max time network: 34s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\CryptOne_Exec_4cc2eae115f8aec53f845b05951e3006da0412d024649910e26094cc673b7928.dll

Signatures

Qakbot/Qbot

trojan banker stealer qakbot

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Pxwkrnfcveqz = "0" | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Edyakiiulkfy = "0" | C:\Windows\system32\reg.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Mtuuyoi | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Mtuuyoi\586bcdad = a45d6ceac7491407678cf317bac27bd3768967edcdc0a2d8c4 | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Mtuuyoi\6df41de3 = bf5babcb35d071497216cc7b1ba13e083a7cb35fecc0a0cf93a5e6e76b513a472f0a029959a7243eaa23a3de41ca34a51b71b1f1 | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Mtuuyoi\e0d7aac8 = 0a519c43768f47835576406e8e28296d6a06519fc9cfdda76fbd0b5fd885d37b18267d2e04d43a90151ee2817b4e2600e9d8eddd2b574f50b72a7a67d4c366062b1115 | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Mtuuyoi\9f9ec53e = f6fb07a18fccdaa3082a9625784e3a7c4172c244cb | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Mtuuyoi\12bd7215 = bb3ff7ea7eb04c039067ceb4face96d50d6579a72b55fbb0728352d7facbfb520ba78c011b96504ff22628288f26bbc21d24fec006a964f2d6577c8e828e238dcda8c5c7731384 | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Mtuuyoi\12bd7215 = bb3fe0ea7eb079d3d57dec1b4dfc2c9ee72026f11704dc42f2674fef3421bdfa12e73a03f6648aff58dd69e94ca10cbb8197 | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Mtuuyoi\2722a25b = 83e1acfa49a11643641f09d74fc553fc6cc08ed98282a6d49648a72ff2e135a462cb4a820ddafb19000a5448ad3fe86c44586ba30f91e3777fd5069f7ed8d5569cede75deb37332128db504cda0d24bfc6c2dd74dd2a6b4c28e6a0b7db280e6a15fbcccdbc82949947917b144a2f09c057b92aed252594214278327fafbc27ef58292dc0f3f37a8c3e51446432f271a64ff2408163bdea228cf325da51e7dadcf9439f8ee770a07c8e37 | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Mtuuyoi\25638227 = 4ab07de840b2313e620f29316382f44daf7d6b7d606ff943c17bcb | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Mtuuyoi\9ddfe542 = 6e54513faa20d9ea1594b2564fdc2d835325897e14b291923bea1aba8f8d3850507360cea1ea62ef42676748717700f736cdcf0f8b409e0b645e6a6089442edbbf927eedbb09242fe51aff4ab5ae0c7a2ea025b7de1b6ac4381e86f8a1af2513da49009d18c4d3 | C:\Windows\SysWOW64\explorer.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 836 wrote to memory of 1176 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 836 wrote to memory of 1176 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 836 wrote to memory of 1176 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 836 wrote to memory of 1176 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 836 wrote to memory of 1176 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 836 wrote to memory of 1176 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 836 wrote to memory of 1176 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1176 wrote to memory of 912 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\explorer.exe
PID 1176 wrote to memory of 912 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\explorer.exe
PID 1176 wrote to memory of 912 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\explorer.exe
PID 1176 wrote to memory of 912 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\explorer.exe
PID 1176 wrote to memory of 912 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\explorer.exe
PID 1176 wrote to memory of 912 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\explorer.exe
PID 912 wrote to memory of 732 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\schtasks.exe
PID 912 wrote to memory of 732 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\schtasks.exe
PID 912 wrote to memory of 732 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\schtasks.exe
PID 912 wrote to memory of 732 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\schtasks.exe
PID 848 wrote to memory of 852 | N/A | C:\Windows\system32\taskeng.exe | C:\Windows\system32\regsvr32.exe
PID 848 wrote to memory of 852 | N/A | C:\Windows\system32\taskeng.exe | C:\Windows\system32\regsvr32.exe
PID 848 wrote to memory of 852 | N/A | C:\Windows\system32\taskeng.exe | C:\Windows\system32\regsvr32.exe
PID 848 wrote to memory of 852 | N/A | C:\Windows\system32\taskeng.exe | C:\Windows\system32\regsvr32.exe
PID 848 wrote to memory of 852 | N/A | C:\Windows\system32\taskeng.exe | C:\Windows\system32\regsvr32.exe
PID 852 wrote to memory of 804 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 852 wrote to memory of 804 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 852 wrote to memory of 804 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 852 wrote to memory of 804 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 852 wrote to memory of 804 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 852 wrote to memory of 804 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 852 wrote to memory of 804 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 804 wrote to memory of 540 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\explorer.exe
PID 804 wrote to memory of 540 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\explorer.exe
PID 804 wrote to memory of 540 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\explorer.exe
PID 804 wrote to memory of 540 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\explorer.exe
PID 804 wrote to memory of 540 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\explorer.exe
PID 804 wrote to memory of 540 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\explorer.exe
PID 540 wrote to memory of 1588 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\reg.exe
PID 540 wrote to memory of 1588 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\reg.exe
PID 540 wrote to memory of 1588 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\reg.exe
PID 540 wrote to memory of 1588 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\reg.exe
PID 540 wrote to memory of 1768 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\reg.exe
PID 540 wrote to memory of 1768 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\reg.exe
PID 540 wrote to memory of 1768 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\reg.exe
PID 540 wrote to memory of 1768 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\reg.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\CryptOne_Exec_4cc2eae115f8aec53f845b05951e3006da0412d024649910e26094cc673b7928.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\CryptOne_Exec_4cc2eae115f8aec53f845b05951e3006da0412d024649910e26094cc673b7928.dll

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn msrdcwpbi /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\CryptOne_Exec_4cc2eae115f8aec53f845b05951e3006da0412d024649910e26094cc673b7928.dll\"" /SC ONCE /Z /ST 15:13 /ET 15:25

C:\Windows\system32\taskeng.exe

taskeng.exe {DB888EC7-3A83-4805-97B7-DAA87AE0D3FE} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\system32\regsvr32.exe

regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\CryptOne_Exec_4cc2eae115f8aec53f845b05951e3006da0412d024649910e26094cc673b7928.dll"

C:\Windows\SysWOW64\regsvr32.exe

-s "C:\Users\Admin\AppData\Local\Temp\CryptOne_Exec_4cc2eae115f8aec53f845b05951e3006da0412d024649910e26094cc673b7928.dll"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Edyakiiulkfy" /d "0"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Pxwkrnfcveqz" /d "0"

Network

N/A

Files

memory/912-54-0x00000000000B0000-0x00000000000B2000-memory.dmp

memory/912-55-0x0000000000080000-0x00000000000A2000-memory.dmp

memory/912-58-0x0000000000080000-0x00000000000A2000-memory.dmp

memory/912-59-0x0000000000080000-0x00000000000A2000-memory.dmp

memory/912-60-0x0000000000080000-0x00000000000A2000-memory.dmp

memory/912-61-0x0000000000080000-0x00000000000A2000-memory.dmp

memory/912-63-0x0000000000080000-0x00000000000A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CryptOne_Exec_4cc2eae115f8aec53f845b05951e3006da0412d024649910e26094cc673b7928.dll

MD5 e110303afe7c390d9130805818e3bf76
SHA1 83cd9be98486c753da2dfe8972123caf4b655785
SHA256 d3095f08ae2d3f9b31dd5696bd593e5de14b4ca665389f0d480ad12318af2682
SHA512 77216d21e364ce266f2e652fa02389281830a577b0234fca4f17024ce90e3ac69a1a7d5ec44422045884251b8b433a01bc937480f71ea501519ed0a973471db5

\Users\Admin\AppData\Local\Temp\CryptOne_Exec_4cc2eae115f8aec53f845b05951e3006da0412d024649910e26094cc673b7928.dll

MD5 e110303afe7c390d9130805818e3bf76
SHA1 83cd9be98486c753da2dfe8972123caf4b655785
SHA256 d3095f08ae2d3f9b31dd5696bd593e5de14b4ca665389f0d480ad12318af2682
SHA512 77216d21e364ce266f2e652fa02389281830a577b0234fca4f17024ce90e3ac69a1a7d5ec44422045884251b8b433a01bc937480f71ea501519ed0a973471db5

memory/540-69-0x00000000000C0000-0x00000000000E2000-memory.dmp

memory/540-71-0x00000000000C0000-0x00000000000E2000-memory.dmp

memory/540-72-0x00000000000C0000-0x00000000000E2000-memory.dmp

memory/540-73-0x00000000000C0000-0x00000000000E2000-memory.dmp

memory/540-74-0x00000000000C0000-0x00000000000E2000-memory.dmp

memory/540-76-0x00000000000C0000-0x00000000000E2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-05-17 13:10
Reported: 2023-05-17 13:13
Platform: win10v2004-20230220-en
Max time kernel: 150s
Max time network: 153s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\CryptOne_Exec_4cc2eae115f8aec53f845b05951e3006da0412d024649910e26094cc673b7928.dll

Signatures

Qakbot/Qbot

trojan banker stealer qakbot

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Lbshbasioz = "0" | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Znxvdra = "0" | C:\Windows\system32\reg.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Aceakamlowzhic\e2423c9d = 5ba7bb20f2772cd3821d324e84d66f950b147106f02bfa3accff9320090deee22907ce8c96cf1d23afac84d84d0535071a814f | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Aceakamlowzhic\1028e440 = 00bbc57093762643c3353ca4ada57841a14b5d5b610351850b8072435ac3168f0d3d9e71fad03f6e2c46563ee4c3737b | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Aceakamlowzhic\6f618bb6 = 95bf462cb752379dff22492e310808205eb234fa9ec978a158f1d9cd8252e2ed90729dde162bfe0ede5630900821996eeee47bc2e763f2e9fbe59027e0977809309363a5be71f6c77812c5bf58d98af1edbbbb3ce0ec3107b17e196089954032 | C:\Windows\SysWOW64\explorer.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Aceakamlowzhic | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Aceakamlowzhic\5afe5bf8 = 086733166343bb4ed387291b2928f8b6f263ad729bd9e31fcbe1852abd34cb3e49203a332c03935b31aeaa0a44b31df525b290d45f372cd26c37ba32eda0ffc96de202c24dde5589fd6e18b41792b83f7cca5cdc6c4fd486d8f2307b6f50070b513ee5b7c85e173031432ae6d83bcd03bd8a72ff1bd97323322b056c546749b931e56d408828e1f7e89ad8b6d3 | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Aceakamlowzhic\e0031ce1 = a216edf96f6a5b91a43942979a0a77eabc811265be4769301a5d4b387182b915386752a23e671c882fb0d654b7478184ada97a789a16573e387931287a | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Aceakamlowzhic\9d0b536b = 051aa16f81826f1ca98af0a0126770bac1853fb54230caab957d6e1fe535108032 | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Aceakamlowzhic\25b7340e = 7cb695101260c93b197e4e9b802868f8430b32b0338d6095b853f26b35eb276e57f9ef3f5f784633b2355629 | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Aceakamlowzhic\6f618bb6 = 95bf512cb7520247cc0c99353b540e0724e3022699fe3c3d806583869cfb645fe259bf54d88ff4f702c91024f8150632d61e84d91c6edb1bed7e25be3ba9f3478671ed94c042ade841d81d | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Aceakamlowzhic\58bf7b84 = 8ab5aa95619c4a1130be37a29f6c5fc60c314c2733c02ef7b0f9b03dda7277fd8c4f00005311d6149b1b3a44a414d287273db52b8ded95bd736c4e20ab31fe711ca43636510825ff3e7b806fd01e6968f416097193104640f5818931e290a6d145d9 | C:\Windows\SysWOW64\explorer.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4116 wrote to memory of 4124 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 4116 wrote to memory of 4124 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 4116 wrote to memory of 4124 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 4124 wrote to memory of 3208 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\explorer.exe
PID 4124 wrote to memory of 3208 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\explorer.exe
PID 4124 wrote to memory of 3208 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\explorer.exe
PID 4124 wrote to memory of 3208 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\explorer.exe
PID 4124 wrote to memory of 3208 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\explorer.exe
PID 3208 wrote to memory of 1996 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3208 wrote to memory of 1996 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3208 wrote to memory of 1996 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4140 wrote to memory of 3008 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 4140 wrote to memory of 3008 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 4140 wrote to memory of 3008 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 3008 wrote to memory of 972 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\explorer.exe
PID 3008 wrote to memory of 972 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\explorer.exe
PID 3008 wrote to memory of 972 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\explorer.exe
PID 3008 wrote to memory of 972 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\explorer.exe
PID 3008 wrote to memory of 972 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\explorer.exe
PID 972 wrote to memory of 1124 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\reg.exe
PID 972 wrote to memory of 1124 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\reg.exe
PID 972 wrote to memory of 2664 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\reg.exe
PID 972 wrote to memory of 2664 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\reg.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\CryptOne_Exec_4cc2eae115f8aec53f845b05951e3006da0412d024649910e26094cc673b7928.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\CryptOne_Exec_4cc2eae115f8aec53f845b05951e3006da0412d024649910e26094cc673b7928.dll

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn adbqawhw /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\CryptOne_Exec_4cc2eae115f8aec53f845b05951e3006da0412d024649910e26094cc673b7928.dll\"" /SC ONCE /Z /ST 15:13 /ET 15:25

C:\Windows\system32\regsvr32.exe

regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\CryptOne_Exec_4cc2eae115f8aec53f845b05951e3006da0412d024649910e26094cc673b7928.dll"

C:\Windows\SysWOW64\regsvr32.exe

-s "C:\Users\Admin\AppData\Local\Temp\CryptOne_Exec_4cc2eae115f8aec53f845b05951e3006da0412d024649910e26094cc673b7928.dll"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Lbshbasioz" /d "0"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Znxvdra" /d "0"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 123.108.74.40.in-addr.arpa | udp
US | 52.242.101.226:443 | | tcp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 8.8.8.8:53 | 45.8.109.52.in-addr.arpa | udp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 67.24.35.254:80 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
NL | 173.223.113.164:443 | | tcp
NL | 173.223.113.131:80 | | tcp
US | 204.79.197.203:80 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp

Files

memory/3208-133-0x0000000000990000-0x00000000009B2000-memory.dmp

memory/3208-136-0x0000000000990000-0x00000000009B2000-memory.dmp

memory/3208-137-0x0000000000990000-0x00000000009B2000-memory.dmp

memory/3208-138-0x0000000000990000-0x00000000009B2000-memory.dmp

memory/3208-139-0x0000000000990000-0x00000000009B2000-memory.dmp

memory/3208-141-0x0000000000990000-0x00000000009B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CryptOne_Exec_4cc2eae115f8aec53f845b05951e3006da0412d024649910e26094cc673b7928.dll

MD5 e110303afe7c390d9130805818e3bf76
SHA1 83cd9be98486c753da2dfe8972123caf4b655785
SHA256 d3095f08ae2d3f9b31dd5696bd593e5de14b4ca665389f0d480ad12318af2682
SHA512 77216d21e364ce266f2e652fa02389281830a577b0234fca4f17024ce90e3ac69a1a7d5ec44422045884251b8b433a01bc937480f71ea501519ed0a973471db5

C:\Users\Admin\AppData\Local\Temp\CryptOne_Exec_4cc2eae115f8aec53f845b05951e3006da0412d024649910e26094cc673b7928.dll

MD5 e110303afe7c390d9130805818e3bf76
SHA1 83cd9be98486c753da2dfe8972123caf4b655785
SHA256 d3095f08ae2d3f9b31dd5696bd593e5de14b4ca665389f0d480ad12318af2682
SHA512 77216d21e364ce266f2e652fa02389281830a577b0234fca4f17024ce90e3ac69a1a7d5ec44422045884251b8b433a01bc937480f71ea501519ed0a973471db5

\??\PIPE\wkssvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/972-147-0x0000000000A00000-0x0000000000A22000-memory.dmp

memory/972-148-0x0000000000A00000-0x0000000000A22000-memory.dmp

memory/972-149-0x0000000000A00000-0x0000000000A22000-memory.dmp

memory/972-150-0x0000000000A00000-0x0000000000A22000-memory.dmp

memory/972-151-0x0000000000A00000-0x0000000000A22000-memory.dmp

memory/972-153-0x0000000000A00000-0x0000000000A22000-memory.dmp