Analysis
max time kernel: 150s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-06-2023 16:38
Tasks: static1 (static task); behavioral1 (behavioral task, sample ProjectFunding_477443_Jun01.js, resource win7-20230220-en)
General
Target: ProjectFunding_477443_Jun01.js
Size: 1KB
MD5: 6eec3609ad79c0b5efd01946dbf1f90d
SHA1: f59d16c3aaf41e61fc39fad32d315eaf438df6d3
SHA256: d2e421d6f0d2b40181cd19075284df13bbdbab7db7c79cbec45cd5ae3304bb4f
SHA512: 7b8f9861ba7baa173fbacd222b95938490cefd19aee7553629133483adcb12764e0a8c233e06e9bf55c754bc12b017ed5f904ccbf6d0bf290e68dc00b46fb0d5
Malware Config
Extracted
Family: qakbot
Version: 404.1346
Botnet: obama266
Campaign: 1685611378 (UNIX timestamp, 2023-06-01 09:22:58 UTC, the same day the sample was submitted)
C2 list (ip:port; several addresses appear on more than one port):
24.234.220.88:990
70.28.50.223:2078
96.56.197.26:2083
103.123.223.133:443
83.249.198.100:2222
199.27.66.213:443
90.104.151.37:2222
94.204.202.106:443
72.205.104.134:443
65.95.141.84:2222
82.131.141.209:443
77.126.99.230:443
71.38.155.217:443
205.237.67.69:995
84.215.202.8:443
24.234.220.88:465
76.178.148.107:2222
116.74.163.130:443
70.28.50.223:2087
147.147.30.126:2222
173.88.135.179:443
103.140.174.20:2222
77.86.98.236:443
92.149.250.113:2222
96.87.28.170:2222
86.168.210.41:443
176.142.207.63:443
12.172.173.82:32101
86.132.236.117:443
70.50.83.216:2222
161.142.103.187:995
45.62.70.33:443
12.172.173.82:465
178.175.187.254:443
83.110.223.61:443
105.184.209.194:995
41.186.88.38:443
102.156.10.183:443
27.109.19.90:2078
47.205.25.170:443
12.172.173.82:993
76.170.252.153:995
69.242.31.249:443
24.234.220.88:995
125.99.69.178:443
79.168.224.165:2222
75.143.236.149:443
14.192.241.76:995
124.122.47.148:443
81.229.117.95:2222
98.145.23.67:443
114.143.176.236:443
103.144.201.48:2078
122.186.210.254:443
69.160.121.6:61201
12.172.173.82:21
72.253.126.216:443
75.109.111.89:443
76.86.31.59:443
116.120.145.170:995
12.172.173.82:50001
81.101.185.146:443
201.244.108.183:995
68.203.69.96:443
103.139.242.6:443
103.42.86.42:995
85.61.165.153:2222
76.16.49.134:443
125.99.76.102:443
184.182.66.109:443
70.28.50.223:32100
50.68.204.71:993
85.57.212.13:3389
41.227.190.59:443
70.28.50.223:3389
31.53.29.235:2222
89.79.229.50:443
50.68.186.195:443
47.199.241.39:443
93.147.235.8:443
75.141.227.169:443
45.243.142.31:995
79.92.15.6:443
85.104.105.67:443
89.129.109.27:2222
86.176.83.44:2222
24.234.220.88:993
89.32.156.5:995
12.172.173.82:22
103.101.203.177:443
70.28.50.223:2083
98.187.21.2:443
70.49.205.198:2222
96.56.197.26:2222
92.9.45.20:2222
86.195.14.72:2222
172.115.17.50:443
100.4.163.158:2222
80.12.88.148:2222
213.64.33.92:2222
113.11.92.30:443
78.192.109.105:2222
47.34.30.133:443
122.184.143.86:443
198.2.51.242:993
165.120.169.171:2222
88.126.94.4:50000
82.125.44.236:2222
117.195.17.148:993
147.219.4.194:443
80.167.196.79:443
92.154.17.149:2222
184.181.75.148:443
95.45.50.93:2222
84.35.26.14:995
201.143.215.69:443
12.172.173.82:2087
50.68.204.71:443
64.121.161.102:443
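The extracted configuration is only useful once it is turned into validated, deduplicated indicators. The following is an added example (not part of the sandbox report and not Triage's own extractor) that parses a config block in the shape printed above, decodes the campaign timestamp, and emits one Suricata rule per C2 pair. CONFIG_TEXT embeds the four header fields and seven of the 119 C2 entries copied from the report; the field order (family, version, botnet, campaign timestamp) is the order the report prints them in.

```python
"""Parse an extracted Qakbot config block into validated IOCs and Suricata rules."""
import ipaddress
from collections import Counter
from datetime import datetime, timezone

# Copied from the Malware Config block above: header plus a subset of the C2 list.
CONFIG_TEXT = """\
qakbot
404.1346
obama266
1685611378
24.234.220.88:990
70.28.50.223:2078
96.56.197.26:2083
103.123.223.133:443
83.249.198.100:2222
24.234.220.88:465
12.172.173.82:32101
"""


def parse_qakbot_config(text: str) -> dict:
    """Split the four header fields from the ip:port list and validate each entry."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 4:
        raise ValueError("config block too short: expected family/version/botnet/campaign")
    family, version, botnet, campaign = lines[:4]
    c2, seen = [], set()
    for entry in lines[4:]:
        host, sep, port_s = entry.rpartition(":")
        if not sep:
            raise ValueError(f"malformed C2 entry: {entry!r}")
        ip = str(ipaddress.ip_address(host))   # rejects hostnames and garbage
        port = int(port_s)
        if not 0 < port < 65536:
            raise ValueError(f"port out of range: {entry!r}")
        if (ip, port) not in seen:             # keep order, drop exact repeats
            seen.add((ip, port))
            c2.append((ip, port))
    return {
        "family": family,
        "version": version,
        "botnet": botnet,
        # Qakbot stores the campaign date as a UNIX timestamp.
        "campaign": datetime.fromtimestamp(int(campaign), tz=timezone.utc),
        "c2": c2,
    }


def unique_ips(config: dict) -> list[str]:
    """Distinct C2 addresses (for a host or firewall blocklist), numerically sorted."""
    return sorted({ip for ip, _ in config["c2"]}, key=ipaddress.ip_address)


def port_histogram(config: dict) -> Counter:
    """How many C2 entries use each port; 443/995/2222 dominate in this sample."""
    return Counter(port for _, port in config["c2"])


def suricata_rules(config: dict, sid_base: int = 9000000) -> list[str]:
    """One outbound TCP alert per C2 ip:port pair; sid_base is an arbitrary local range."""
    msg = f'{config["family"]} C2 {config["botnet"]} {config["version"]}'
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} (msg:"{msg}"; sid:{sid_base + i}; rev:1;)'
        for i, (ip, port) in enumerate(config["c2"])
    ]


if __name__ == "__main__":
    cfg = parse_qakbot_config(CONFIG_TEXT)
    print(cfg["botnet"], cfg["campaign"].isoformat(), port_histogram(cfg))
    print(*suricata_rules(cfg), sep="\n")
```

Feeding the full 119-line list from the report through `parse_qakbot_config` gives the complete rule set; the validation matters because C2 lists are frequently pasted with trailing notes or truncated lines, and one bad entry should fail loudly rather than silently produce a rule that never fires.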
Signatures

Blocklisted process makes network request (2 IoCs)
Processes:
  flow 9   pid 548  msiexec.exe
  flow 23  pid 548  msiexec.exe

Loads dropped DLL (1 IoC)
Processes:
  pid 1640  rundll32.exe

Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  msiexec.exe opened (read-only): \??\T:, \??\X:, \??\B:, \??\H:, \??\N:, \??\P:, \??\S:, \??\A:, \??\J:, \??\M:, \??\O:, \??\U:, \??\Y:, \??\Z:, \??\E:, \??\F:, \??\G:, \??\I:, \??\V:, \??\W:, \??\K:, \??\L:, \??\Q:, \??\R:

Drops file in Windows directory (6 IoCs)
Processes:
  msiexec.exe  File created                  C:\Windows\Installer\e572f6e.msi
  msiexec.exe  File opened for modification  C:\Windows\Installer\MSIC558.tmp
  msiexec.exe  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
  msiexec.exe  File opened for modification  C:\Windows\Installer\
  msiexec.exe  File created                  C:\Windows\Installer\inprogressinstallinfo.ipi
  msiexec.exe  File opened for modification  C:\Windows\Installer\MSI30F4.tmp

Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes (all vssvc.exe):
  Key opened        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters
  Key queried       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters
  Key created       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Note: the process touching these keys is vssvc.exe, Windows' own Volume Shadow Copy service, while the Windows Installer creates a restore point (srtasks.exe ExecuteScopeRestorePoint in the process tree). That is normal VSS activity triggered by the install, not the sample probing for a sandbox.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid 548   msiexec.exe   (2 hits)
  pid 1640  rundll32.exe  (2 hits)
  pid 4916  wermgr.exe    (60 hits)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  pid 4456 wscript.exe, the following sequence adjusted twice (62 IoCs): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  pid 548 msiexec.exe (2 IoCs): SeSecurityPrivilege, SeRestorePrivilege

Suspicious use of FindShellTrayWindow (4 IoCs)
Processes:
  pid 4456  wscript.exe  (4 hits)

Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
  PID 548   msiexec.exe   wrote to memory of  4236  srtasks.exe   (2 hits)
  PID 548   msiexec.exe   wrote to memory of  2008  rundll32.exe  (2 hits)
  PID 548   msiexec.exe   wrote to memory of  1156  wscript.exe   (2 hits)
  PID 2008  rundll32.exe  wrote to memory of  1640  rundll32.exe  (3 hits)
  PID 1640  rundll32.exe  wrote to memory of  4916  wermgr.exe    (6 hits)

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Windows\system32\wscript.exe  (PID 4456)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\ProjectFunding_477443_Jun01.js
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe  (PID 548)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\srtasks.exe  (PID 4236)
      Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    C:\Windows\system32\rundll32.exe  (PID 2008)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\rundll32.exe  (PID 1640)
          Command line: rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\wermgr.exe  (PID 4916)
              Command line: C:\Windows\SysWOW64\wermgr.exe
              - Suspicious behavior: EnumeratesProcesses
    C:\Windows\system32\wscript.exe  (PID 1156)
      Command line: wscript.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs

C:\Windows\system32\vssvc.exe  (PID 3004)
  - Checks SCSI registry key(s)

Reading the tree: msiexec.exe /V is the Windows Installer service process, and its children are the actions of the package that was installed (the cached C:\Windows\Installer\e572f6e.msi above): a restore-point request via srtasks.exe, rundll32 loading main.dll from the user's AppData, and a notify.vbs script. The 64-bit rundll32 re-launches itself as the 32-bit SysWOW64 copy, which starts wermgr.exe with no arguments and writes into its memory (six WriteProcessMemory hits), the point at which the loader hands off to the injected payload.
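The chain above is detectable from process-creation telemetry alone, without any hashes. The following is an added example for this report, not tooling from the sandbox: EVENTS is a constructed replay of the tree using Sysmon Event ID 1 field names, and two rules flag the two links that matter, the Windows Installer service running dropped code from AppData, and rundll32 spawning an argument-less wermgr.exe. The parents of the two root processes (explorer.exe for wscript.exe, services.exe for the msiexec.exe service) and their PIDs are assumed; they are not in the report.

```python
"""Flag the installer-to-injection chain from Sysmon-style process creation events."""
import re
from pathlib import PureWindowsPath

# Anything under a user's AppData, where the dropped main.dll and notify.vbs live.
APPDATA = re.compile(r"[A-Z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)

# Constructed from the process tree above; the two root parents are assumed.
EVENTS = [
    {"ProcessId": 4456, "ParentProcessId": 1234, "Image": r"C:\Windows\system32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\ProjectFunding_477443_Jun01.js",
     "ParentImage": r"C:\Windows\explorer.exe"},                      # parent assumed
    {"ProcessId": 548, "ParentProcessId": 700, "Image": r"C:\Windows\system32\msiexec.exe",
     "CommandLine": r"C:\Windows\system32\msiexec.exe /V",
     "ParentImage": r"C:\Windows\system32\services.exe"},             # parent assumed
    {"ProcessId": 4236, "ParentProcessId": 548, "Image": r"C:\Windows\system32\srtasks.exe",
     "CommandLine": r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2",
     "ParentImage": r"C:\Windows\system32\msiexec.exe"},
    {"ProcessId": 2008, "ParentProcessId": 548, "Image": r"C:\Windows\system32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next",
     "ParentImage": r"C:\Windows\system32\msiexec.exe"},
    {"ProcessId": 1640, "ParentProcessId": 2008, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next",
     "ParentImage": r"C:\Windows\system32\rundll32.exe"},
    {"ProcessId": 4916, "ParentProcessId": 1640, "Image": r"C:\Windows\SysWOW64\wermgr.exe",
     "CommandLine": r"C:\Windows\SysWOW64\wermgr.exe",
     "ParentImage": r"C:\Windows\SysWOW64\rundll32.exe"},
    {"ProcessId": 1156, "ParentProcessId": 548, "Image": r"C:\Windows\system32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs",
     "ParentImage": r"C:\Windows\system32\msiexec.exe"},
]


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def installer_custom_action(ev: dict) -> bool:
    """Windows Installer service launching rundll32 or a script host whose
    argument lives under a user's AppData: a custom action running dropped code."""
    return (_name(ev["ParentImage"]) == "msiexec.exe"
            and _name(ev["Image"]) in {"rundll32.exe", "wscript.exe", "cscript.exe"}
            and APPDATA.search(ev["CommandLine"]) is not None)


def rundll32_to_wermgr(ev: dict) -> bool:
    """rundll32.exe starting wermgr.exe with no arguments. wermgr has no reason
    to be a rundll32 child, and the report shows rundll32 then writing into it."""
    args = ev["CommandLine"].split()   # quoted paths with spaces would need shlex-style splitting
    return (_name(ev["ParentImage"]) == "rundll32.exe"
            and _name(ev["Image"]) == "wermgr.exe"
            and len(args) == 1)


RULES = {
    "installer_custom_action": installer_custom_action,
    "rundll32_to_wermgr": rundll32_to_wermgr,
}


def ancestry(events: list[dict], pid: int) -> list[str]:
    """Image names from pid up to the oldest ancestor present in the events."""
    by_pid = {ev["ProcessId"]: ev for ev in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # seen guards against PID reuse loops
        seen.add(pid)
        chain.append(_name(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ParentProcessId"]
    return chain


def detect(events: list[dict]) -> list[tuple[int, str]]:
    """(pid, rule name) for every event a rule matches, sorted for stable output."""
    return sorted((ev["ProcessId"], rule)
                  for ev in events for rule, fn in RULES.items() if fn(ev))


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"{rule:24} pid {pid:<5} chain: {' <- '.join(ancestry(EVENTS, pid))}")
```

Neither rule fires on srtasks.exe (a legitimate installer child) or on the 64-bit to 32-bit rundll32 hop, so the output is exactly the two actions of interest plus the injection host. In production the second rule is best paired with Sysmon Event ID 8 or 10 (CreateRemoteThread, ProcessAccess) against the wermgr.exe PID, which is the telemetry equivalent of the WriteProcessMemory signature in the report.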
Downloads

Filesize: 9KB
MD5: ccc2ebd2d67f46afc42222a4301bb28c
SHA1: a2057d06e4f76d719669d257b3dd79ef2bf9661e
SHA256: 1877d84463b8dd44e13e187f7286b5a44f0aee328cb354c02a76330404b53a74
SHA512: d46a3b70f8542b54a903a31bb3e9167770a20c16952b8e8c26e4b98a90f8d0441d6841f8fd49d05f9f818cf8ecee8244b42c1d36b997cb4240fe1804141c0f61

Filesize: 752KB (listed twice in the report with identical hashes)
MD5: a3c115c9412963557aac45deaf2ca848
SHA1: ef7c3118336d46746fdbd3bba91901c699832655
SHA256: 75010ec11a83b127edfeab14ac50dd54167d645c5bca677ae95dfbdcbebeba40
SHA512: 888eb3186ada8d3a95624271f69526129d33640b40014d87e3c363ffdfd2a7f919b9fb7624667400b16d63a592f002a54f4bad30b242f59822312c3cea488ffa

Filesize: 132B
MD5: 0d4c9f15ce74465c59ae36a27f98c817
SHA1: 9cce8eefa4d3d9c5e161c5dbb860cfe1489c6b1a
SHA256: d24e3399060b51f3a1c9d41a67de2601888a35c99da8db70070d757bb3f1913a
SHA512: 9bed0eafc2cf2a2360850ca1070ffb04ac14f04c78379485998a93f45012b5c11cc7f6f68129f65b8b5f90437cb965908c6a1bb9d83a56b068d6bde1d5fdad1f

Filesize: 404KB
MD5: e2d36f984d12b8f25ec701033cae6c86
SHA1: 3c4266299b2aadb41cb4d989ed9cc0b08b9bd167
SHA256: 715e78c2a3da2acd6db40e94c65d80e3de11fa30e5908fbf2cb74bbeeeb07a33
SHA512: d4cee60a1c62b50750659b5cd01a789baaca0b8288afd0b10ff7608004a8393b95ebd25199b85f652e30d533779cd2c5fe931f6c302a82b6d9679a1b46b47ba5

Filesize: 23.0MB
MD5: 2a0f0a6084a3810166021e58a97c6158
SHA1: 0f23167b6885cef12cbe17555dc9979d709ab390
SHA256: f3bbb2e77cb909a48a98c4ca4cb69d8d8ae10fde4973899b4f195005be484f0a
SHA512: 3173cad2a37975a5c2b7ecdb78d65680007cf0d63475fd6aacea2859b64516530c1b0d1a438c20027b80b148a5a2e593343e3a548c4f78daf4b517cdb3407bb6

\??\Volume{af0fc727-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{29e3e0a2-f512-4656-bb66-7b5e6eafac4f}_OnDiskSnapshotProp
Filesize: 5KB
MD5: 41751f7bb7017357c88d5ee81ff93b74
SHA1: aabc5afe2c039a64f070b35d7e422eca74801917
SHA256: 9eb929713cd33a17d04497c02982279e994b128744f11c5d5d285ee99888251c
SHA512: 1e004364554cac376aba8b03ac9fa3f848cc1a09dd9492ff3ca29ab3bf0a6211cc47f7b18853c3da34f917842472056fc2ddf2c5b1089ec89b116f3099df691f