Analysis
- max time kernel: 538s
- max time network: 504s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-06-2023 22:24
- Static task: static1
General
- Target: ProjectFunding_268488_Jun01.js
- Size: 1KB
- MD5: 4d4c10bc91a9f0f55ae4e3f13028e21c
- SHA1: ca582c0d141a690f6bb59c25fb7cc521f80d09d7
- SHA256: c103447a81a20f57e6b80dd939b58e442398d97e5c96acba87482af4ae433848
- SHA512: 8dbbfc5e903ee05459899d14d95547dfaef78e42262f8c36bd94b27ab7a35cc7bbd2298ed9faded8eb6f2fda2d1d821192a13e4f030973d0270c76f9ca7137fe
Malware Config
Extracted
- Family: qakbot
- Version: 404.1346
- Botnet: obama266
- Campaign: 1685611378
Signatures
- Blocklisted process makes network request (3 IoCs)
  Processes (flow / pid / process):
  - 7 / 180 / msiexec.exe
  - 33 / 180 / msiexec.exe
  - 46 / 180 / msiexec.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
  - 1836 / rundll32.exe
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: msiexec.exe opened (read-only) \??\I:, \??\M:, \??\P:, \??\R:, \??\T:, \??\W:, \??\Z:, \??\F:, \??\G:, \??\H:, \??\J:, \??\N:, \??\O:, \??\Q:, \??\S:, \??\A:, \??\K:, \??\X:, \??\B:, \??\L:, \??\U:, \??\V:, \??\Y:, \??\E:
- Drops file in Windows directory (6 IoCs)
  Processes (msiexec.exe):
  - File opened for modification: C:\Windows\Installer\MSI2DD6.tmp
  - File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
  - File opened for modification: C:\Windows\Installer\
  - File created: C:\Windows\Installer\inprogressinstallinfo.ipi
  - File opened for modification: C:\Windows\Installer\MSIAA5A.tmp
  - File created: C:\Windows\Installer\e57aa1d.msi
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (vssvc.exe):
  - Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr
  - Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value not preserved in this copy of the report)
  - Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters
- Gathers network information (2 TTPs, 1 IoC)
  Uses commandline utility to view network configuration.
  Processes (pid / process):
  - 1984 / ipconfig.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid / process, with the number of identical entries):
  - 180 / msiexec.exe (2 entries)
  - 1836 / rundll32.exe (2 entries)
  - 964 / wermgr.exe (60 entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (pid / process: token privileges adjusted, in the order recorded):
  - 180 / msiexec.exe: SeSecurityPrivilege
  - 2492 / wscript.exe: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (this sequence is recorded twice, followed by a final SeShutdownPrivilege)
- Suspicious use of FindShellTrayWindow (6 IoCs)
  Processes (pid / process):
  - 2492 / wscript.exe (6 entries)
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (source pid / process -> target pid / process, with the number of identical entries):
  - 180 msiexec.exe -> 4796 srtasks.exe (2 entries)
  - 180 msiexec.exe -> 1900 rundll32.exe (2 entries)
  - 180 msiexec.exe -> 3792 wscript.exe (2 entries)
  - 1900 rundll32.exe -> 1836 rundll32.exe (3 entries)
  - 1836 rundll32.exe -> 964 wermgr.exe (6 entries)
  - 964 wermgr.exe -> 1984 ipconfig.exe (3 entries)
  - 964 wermgr.exe -> 216 whoami.exe (3 entries)
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\wscript.exe (PID 2492)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\ProjectFunding_268488_Jun01.js
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 180)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe (PID 4796)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - C:\Windows\system32\rundll32.exe (PID 1900)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 1836)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\wermgr.exe (PID 964)
        Command line: C:\Windows\SysWOW64\wermgr.exe
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\ipconfig.exe (PID 1984)
          Command line: ipconfig /all
          - Gathers network information
        - C:\Windows\SysWOW64\whoami.exe (PID 216)
          Command line: whoami /all
  - C:\Windows\system32\wscript.exe (PID 3792)
    Command line: wscript.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs
- C:\Windows\system32\vssvc.exe (PID 4372)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
- C:\Windows\system32\msiexec.exe (PID 184)
  Command line: C:\Windows\system32\msiexec.exe /V
Network
MITRE ATT&CK Enterprise v6
Downloads