Analysis Overview
SHA256
d3095f08ae2d3f9b31dd5696bd593e5de14b4ca665389f0d480ad12318af2682
Threat Level: Known bad
The file CryptOne_Exec_4cc2eae115f8aec53f845b05951e3006da0412d024649910e26094cc673b7928.bin was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
Qakbot family
Qakbot/Qbot
Loads dropped DLL
Unsigned PE
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-05-17 13:10
Signatures
Qakbot family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-05-17 13:10
Reported
2023-05-17 13:13
Platform
win7-20230220-en
Max time kernel
150s
Max time network
34s
Command Line
Signatures
Qakbot/Qbot
Windows security bypass
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Pxwkrnfcveqz = "0" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Edyakiiulkfy = "0" | C:\Windows\system32\reg.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Mtuuyoi | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Mtuuyoi\586bcdad = a45d6ceac7491407678cf317bac27bd3768967edcdc0a2d8c4 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Mtuuyoi\6df41de3 = bf5babcb35d071497216cc7b1ba13e083a7cb35fecc0a0cf93a5e6e76b513a472f0a029959a7243eaa23a3de41ca34a51b71b1f1 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Mtuuyoi\e0d7aac8 = 0a519c43768f47835576406e8e28296d6a06519fc9cfdda76fbd0b5fd885d37b18267d2e04d43a90151ee2817b4e2600e9d8eddd2b574f50b72a7a67d4c366062b1115 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Mtuuyoi\9f9ec53e = f6fb07a18fccdaa3082a9625784e3a7c4172c244cb | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Mtuuyoi\12bd7215 = bb3ff7ea7eb04c039067ceb4face96d50d6579a72b55fbb0728352d7facbfb520ba78c011b96504ff22628288f26bbc21d24fec006a964f2d6577c8e828e238dcda8c5c7731384 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Mtuuyoi\12bd7215 = bb3fe0ea7eb079d3d57dec1b4dfc2c9ee72026f11704dc42f2674fef3421bdfa12e73a03f6648aff58dd69e94ca10cbb8197 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Mtuuyoi\2722a25b = 83e1acfa49a11643641f09d74fc553fc6cc08ed98282a6d49648a72ff2e135a462cb4a820ddafb19000a5448ad3fe86c44586ba30f91e3777fd5069f7ed8d5569cede75deb37332128db504cda0d24bfc6c2dd74dd2a6b4c28e6a0b7db280e6a15fbcccdbc82949947917b144a2f09c057b92aed252594214278327fafbc27ef58292dc0f3f37a8c3e51446432f271a64ff2408163bdea228cf325da51e7dadcf9439f8ee770a07c8e37 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Mtuuyoi\25638227 = 4ab07de840b2313e620f29316382f44daf7d6b7d606ff943c17bcb | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Mtuuyoi\9ddfe542 = 6e54513faa20d9ea1594b2564fdc2d835325897e14b291923bea1aba8f8d3850507360cea1ea62ef42676748717700f736cdcf0f8b409e0b645e6a6089442edbbf927eedbb09242fe51aff4ab5ae0c7a2ea025b7de1b6ac4381e86f8a1af2513da49009d18c4d3 | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\CryptOne_Exec_4cc2eae115f8aec53f845b05951e3006da0412d024649910e26094cc673b7928.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\CryptOne_Exec_4cc2eae115f8aec53f845b05951e3006da0412d024649910e26094cc673b7928.dll
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn msrdcwpbi /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\CryptOne_Exec_4cc2eae115f8aec53f845b05951e3006da0412d024649910e26094cc673b7928.dll\"" /SC ONCE /Z /ST 15:13 /ET 15:25
C:\Windows\system32\taskeng.exe
taskeng.exe {DB888EC7-3A83-4805-97B7-DAA87AE0D3FE} S-1-5-18:NT AUTHORITY\System:Service:
C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\CryptOne_Exec_4cc2eae115f8aec53f845b05951e3006da0412d024649910e26094cc673b7928.dll"
C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\CryptOne_Exec_4cc2eae115f8aec53f845b05951e3006da0412d024649910e26094cc673b7928.dll"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Edyakiiulkfy" /d "0"
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Pxwkrnfcveqz" /d "0"
Network
Files
memory/912-54-0x00000000000B0000-0x00000000000B2000-memory.dmp
memory/912-55-0x0000000000080000-0x00000000000A2000-memory.dmp
memory/912-58-0x0000000000080000-0x00000000000A2000-memory.dmp
memory/912-59-0x0000000000080000-0x00000000000A2000-memory.dmp
memory/912-60-0x0000000000080000-0x00000000000A2000-memory.dmp
memory/912-61-0x0000000000080000-0x00000000000A2000-memory.dmp
memory/912-63-0x0000000000080000-0x00000000000A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CryptOne_Exec_4cc2eae115f8aec53f845b05951e3006da0412d024649910e26094cc673b7928.dll
| MD5 | e110303afe7c390d9130805818e3bf76 |
| SHA1 | 83cd9be98486c753da2dfe8972123caf4b655785 |
| SHA256 | d3095f08ae2d3f9b31dd5696bd593e5de14b4ca665389f0d480ad12318af2682 |
| SHA512 | 77216d21e364ce266f2e652fa02389281830a577b0234fca4f17024ce90e3ac69a1a7d5ec44422045884251b8b433a01bc937480f71ea501519ed0a973471db5 |
\Users\Admin\AppData\Local\Temp\CryptOne_Exec_4cc2eae115f8aec53f845b05951e3006da0412d024649910e26094cc673b7928.dll
| MD5 | e110303afe7c390d9130805818e3bf76 |
| SHA1 | 83cd9be98486c753da2dfe8972123caf4b655785 |
| SHA256 | d3095f08ae2d3f9b31dd5696bd593e5de14b4ca665389f0d480ad12318af2682 |
| SHA512 | 77216d21e364ce266f2e652fa02389281830a577b0234fca4f17024ce90e3ac69a1a7d5ec44422045884251b8b433a01bc937480f71ea501519ed0a973471db5 |
memory/540-69-0x00000000000C0000-0x00000000000E2000-memory.dmp
memory/540-71-0x00000000000C0000-0x00000000000E2000-memory.dmp
memory/540-72-0x00000000000C0000-0x00000000000E2000-memory.dmp
memory/540-73-0x00000000000C0000-0x00000000000E2000-memory.dmp
memory/540-74-0x00000000000C0000-0x00000000000E2000-memory.dmp
memory/540-76-0x00000000000C0000-0x00000000000E2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-05-17 13:10
Reported
2023-05-17 13:13
Platform
win10v2004-20230220-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Qakbot/Qbot
Windows security bypass
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Lbshbasioz = "0" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Znxvdra = "0" | C:\Windows\system32\reg.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Aceakamlowzhic\e2423c9d = 5ba7bb20f2772cd3821d324e84d66f950b147106f02bfa3accff9320090deee22907ce8c96cf1d23afac84d84d0535071a814f | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Aceakamlowzhic\1028e440 = 00bbc57093762643c3353ca4ada57841a14b5d5b610351850b8072435ac3168f0d3d9e71fad03f6e2c46563ee4c3737b | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Aceakamlowzhic\6f618bb6 = 95bf462cb752379dff22492e310808205eb234fa9ec978a158f1d9cd8252e2ed90729dde162bfe0ede5630900821996eeee47bc2e763f2e9fbe59027e0977809309363a5be71f6c77812c5bf58d98af1edbbbb3ce0ec3107b17e196089954032 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Aceakamlowzhic | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Aceakamlowzhic\5afe5bf8 = 086733166343bb4ed387291b2928f8b6f263ad729bd9e31fcbe1852abd34cb3e49203a332c03935b31aeaa0a44b31df525b290d45f372cd26c37ba32eda0ffc96de202c24dde5589fd6e18b41792b83f7cca5cdc6c4fd486d8f2307b6f50070b513ee5b7c85e173031432ae6d83bcd03bd8a72ff1bd97323322b056c546749b931e56d408828e1f7e89ad8b6d3 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Aceakamlowzhic\e0031ce1 = a216edf96f6a5b91a43942979a0a77eabc811265be4769301a5d4b387182b915386752a23e671c882fb0d654b7478184ada97a789a16573e387931287a | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Aceakamlowzhic\9d0b536b = 051aa16f81826f1ca98af0a0126770bac1853fb54230caab957d6e1fe535108032 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Aceakamlowzhic\25b7340e = 7cb695101260c93b197e4e9b802868f8430b32b0338d6095b853f26b35eb276e57f9ef3f5f784633b2355629 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Aceakamlowzhic\6f618bb6 = 95bf512cb7520247cc0c99353b540e0724e3022699fe3c3d806583869cfb645fe259bf54d88ff4f702c91024f8150632d61e84d91c6edb1bed7e25be3ba9f3478671ed94c042ade841d81d | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Aceakamlowzhic\58bf7b84 = 8ab5aa95619c4a1130be37a29f6c5fc60c314c2733c02ef7b0f9b03dda7277fd8c4f00005311d6149b1b3a44a414d287273db52b8ded95bd736c4e20ab31fe711ca43636510825ff3e7b806fd01e6968f416097193104640f5818931e290a6d145d9 | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\CryptOne_Exec_4cc2eae115f8aec53f845b05951e3006da0412d024649910e26094cc673b7928.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\CryptOne_Exec_4cc2eae115f8aec53f845b05951e3006da0412d024649910e26094cc673b7928.dll
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn adbqawhw /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\CryptOne_Exec_4cc2eae115f8aec53f845b05951e3006da0412d024649910e26094cc673b7928.dll\"" /SC ONCE /Z /ST 15:13 /ET 15:25
C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\CryptOne_Exec_4cc2eae115f8aec53f845b05951e3006da0412d024649910e26094cc673b7928.dll"
C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\CryptOne_Exec_4cc2eae115f8aec53f845b05951e3006da0412d024649910e26094cc673b7928.dll"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Lbshbasioz" /d "0"
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Znxvdra" /d "0"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.108.74.40.in-addr.arpa | udp |
| US | 52.242.101.226:443 | N/A | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 52.242.101.226:443 | N/A | tcp |
| US | 52.242.101.226:443 | N/A | tcp |
| US | 52.242.101.226:443 | N/A | tcp |
| US | 8.8.8.8:53 | 45.8.109.52.in-addr.arpa | udp |
| US | 52.242.101.226:443 | N/A | tcp |
| US | 52.242.101.226:443 | N/A | tcp |
| US | 67.24.35.254:80 | N/A | tcp |
| US | 52.242.101.226:443 | N/A | tcp |
| US | 52.242.101.226:443 | N/A | tcp |
| NL | 173.223.113.164:443 | N/A | tcp |
| NL | 173.223.113.131:80 | N/A | tcp |
| US | 204.79.197.203:80 | N/A | tcp |
| US | 52.242.101.226:443 | N/A | tcp |
| US | 52.242.101.226:443 | N/A | tcp |
| US | 52.242.101.226:443 | N/A | tcp |
| US | 52.242.101.226:443 | N/A | tcp |
| US | 52.242.101.226:443 | N/A | tcp |
Files
memory/3208-133-0x0000000000990000-0x00000000009B2000-memory.dmp
memory/3208-136-0x0000000000990000-0x00000000009B2000-memory.dmp
memory/3208-137-0x0000000000990000-0x00000000009B2000-memory.dmp
memory/3208-138-0x0000000000990000-0x00000000009B2000-memory.dmp
memory/3208-139-0x0000000000990000-0x00000000009B2000-memory.dmp
memory/3208-141-0x0000000000990000-0x00000000009B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CryptOne_Exec_4cc2eae115f8aec53f845b05951e3006da0412d024649910e26094cc673b7928.dll
| MD5 | e110303afe7c390d9130805818e3bf76 |
| SHA1 | 83cd9be98486c753da2dfe8972123caf4b655785 |
| SHA256 | d3095f08ae2d3f9b31dd5696bd593e5de14b4ca665389f0d480ad12318af2682 |
| SHA512 | 77216d21e364ce266f2e652fa02389281830a577b0234fca4f17024ce90e3ac69a1a7d5ec44422045884251b8b433a01bc937480f71ea501519ed0a973471db5 |
C:\Users\Admin\AppData\Local\Temp\CryptOne_Exec_4cc2eae115f8aec53f845b05951e3006da0412d024649910e26094cc673b7928.dll
| MD5 | e110303afe7c390d9130805818e3bf76 |
| SHA1 | 83cd9be98486c753da2dfe8972123caf4b655785 |
| SHA256 | d3095f08ae2d3f9b31dd5696bd593e5de14b4ca665389f0d480ad12318af2682 |
| SHA512 | 77216d21e364ce266f2e652fa02389281830a577b0234fca4f17024ce90e3ac69a1a7d5ec44422045884251b8b433a01bc937480f71ea501519ed0a973471db5 |
\??\PIPE\wkssvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/972-147-0x0000000000A00000-0x0000000000A22000-memory.dmp
memory/972-148-0x0000000000A00000-0x0000000000A22000-memory.dmp
memory/972-149-0x0000000000A00000-0x0000000000A22000-memory.dmp
memory/972-150-0x0000000000A00000-0x0000000000A22000-memory.dmp
memory/972-151-0x0000000000A00000-0x0000000000A22000-memory.dmp
memory/972-153-0x0000000000A00000-0x0000000000A22000-memory.dmp