Analysis
-
max time kernel
156s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
01-06-2023 16:12
Static task
static1
Behavioral task
behavioral1
Sample
ProjectFunding_450726_Jun01.js
Resource
win7-20230220-en
General
-
Target
ProjectFunding_450726_Jun01.js
-
Size
1KB
-
MD5
a657553449746c482dacfe3b19119b7a
-
SHA1
630b815d443f8f7ef7e4c4c7c100de1cd8a7ed53
-
SHA256
44e029dd6210c4906a82e1f16dd5ebed434efd225dafb92fc560e6ff6d1ee948
-
SHA512
dea33536a5c5fe279ca1a8a3d4639be0f49d5ca3c21f4cbbda10c5d059837c2bc4c3917cdbddd0fc9f4a0773f325369b200f0df8e0035da6afab26f09502c321
Malware Config
Extracted
qakbot
404.1346
obama266
1685611378
24.234.220.88:990
70.28.50.223:2078
96.56.197.26:2083
103.123.223.133:443
83.249.198.100:2222
199.27.66.213:443
90.104.151.37:2222
94.204.202.106:443
72.205.104.134:443
65.95.141.84:2222
82.131.141.209:443
77.126.99.230:443
71.38.155.217:443
205.237.67.69:995
84.215.202.8:443
24.234.220.88:465
76.178.148.107:2222
116.74.163.130:443
70.28.50.223:2087
147.147.30.126:2222
173.88.135.179:443
103.140.174.20:2222
77.86.98.236:443
92.149.250.113:2222
96.87.28.170:2222
86.168.210.41:443
176.142.207.63:443
12.172.173.82:32101
86.132.236.117:443
70.50.83.216:2222
161.142.103.187:995
45.62.70.33:443
12.172.173.82:465
178.175.187.254:443
83.110.223.61:443
105.184.209.194:995
41.186.88.38:443
102.156.10.183:443
27.109.19.90:2078
47.205.25.170:443
12.172.173.82:993
76.170.252.153:995
69.242.31.249:443
24.234.220.88:995
125.99.69.178:443
79.168.224.165:2222
75.143.236.149:443
14.192.241.76:995
124.122.47.148:443
81.229.117.95:2222
98.145.23.67:443
114.143.176.236:443
103.144.201.48:2078
122.186.210.254:443
69.160.121.6:61201
12.172.173.82:21
72.253.126.216:443
75.109.111.89:443
76.86.31.59:443
116.120.145.170:995
12.172.173.82:50001
81.101.185.146:443
201.244.108.183:995
68.203.69.96:443
103.139.242.6:443
103.42.86.42:995
85.61.165.153:2222
76.16.49.134:443
125.99.76.102:443
184.182.66.109:443
70.28.50.223:32100
50.68.204.71:993
85.57.212.13:3389
41.227.190.59:443
70.28.50.223:3389
31.53.29.235:2222
89.79.229.50:443
50.68.186.195:443
47.199.241.39:443
93.147.235.8:443
75.141.227.169:443
45.243.142.31:995
79.92.15.6:443
85.104.105.67:443
89.129.109.27:2222
86.176.83.44:2222
24.234.220.88:993
89.32.156.5:995
12.172.173.82:22
103.101.203.177:443
70.28.50.223:2083
98.187.21.2:443
70.49.205.198:2222
96.56.197.26:2222
92.9.45.20:2222
86.195.14.72:2222
172.115.17.50:443
100.4.163.158:2222
80.12.88.148:2222
213.64.33.92:2222
113.11.92.30:443
78.192.109.105:2222
47.34.30.133:443
122.184.143.86:443
198.2.51.242:993
165.120.169.171:2222
88.126.94.4:50000
82.125.44.236:2222
117.195.17.148:993
147.219.4.194:443
80.167.196.79:443
92.154.17.149:2222
184.181.75.148:443
95.45.50.93:2222
84.35.26.14:995
201.143.215.69:443
12.172.173.82:2087
50.68.204.71:443
64.121.161.102:443
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
msiexec.exeflow pid process 4 3796 msiexec.exe -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 3208 rundll32.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exedescription ioc process File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\K: msiexec.exe -
Drops file in Windows directory 6 IoCs
Processes:
msiexec.exedescription ioc process File created C:\Windows\Installer\e572e26.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIB79D.tmp msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI2E93.tmp msiexec.exe -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
vssvc.exedescription ioc process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000009865abc95f2d4b980000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800009865abc90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809009865abc9000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000009865abc900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000009865abc900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
msiexec.exerundll32.exewermgr.exepid process 3796 msiexec.exe 3796 msiexec.exe 3208 rundll32.exe 3208 rundll32.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe 2016 wermgr.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
wscript.exemsiexec.exevssvc.exedescription pid process Token: SeShutdownPrivilege 3260 wscript.exe Token: SeIncreaseQuotaPrivilege 3260 wscript.exe Token: SeSecurityPrivilege 3796 msiexec.exe Token: SeCreateTokenPrivilege 3260 wscript.exe Token: SeAssignPrimaryTokenPrivilege 3260 wscript.exe Token: SeLockMemoryPrivilege 3260 wscript.exe Token: SeIncreaseQuotaPrivilege 3260 wscript.exe Token: SeMachineAccountPrivilege 3260 wscript.exe Token: SeTcbPrivilege 3260 wscript.exe Token: SeSecurityPrivilege 3260 wscript.exe Token: SeTakeOwnershipPrivilege 3260 wscript.exe Token: SeLoadDriverPrivilege 3260 wscript.exe Token: SeSystemProfilePrivilege 3260 wscript.exe Token: SeSystemtimePrivilege 3260 wscript.exe Token: SeProfSingleProcessPrivilege 3260 wscript.exe Token: SeIncBasePriorityPrivilege 3260 wscript.exe Token: SeCreatePagefilePrivilege 3260 wscript.exe Token: SeCreatePermanentPrivilege 3260 wscript.exe Token: SeBackupPrivilege 3260 wscript.exe Token: SeRestorePrivilege 3260 wscript.exe Token: SeShutdownPrivilege 3260 wscript.exe Token: SeDebugPrivilege 3260 wscript.exe Token: SeAuditPrivilege 3260 wscript.exe Token: SeSystemEnvironmentPrivilege 3260 wscript.exe Token: SeChangeNotifyPrivilege 3260 wscript.exe Token: SeRemoteShutdownPrivilege 3260 wscript.exe Token: SeUndockPrivilege 3260 wscript.exe Token: SeSyncAgentPrivilege 3260 wscript.exe Token: SeEnableDelegationPrivilege 3260 wscript.exe Token: SeManageVolumePrivilege 3260 wscript.exe Token: SeImpersonatePrivilege 3260 wscript.exe Token: SeCreateGlobalPrivilege 3260 wscript.exe Token: SeRestorePrivilege 3796 msiexec.exe Token: SeTakeOwnershipPrivilege 3796 msiexec.exe Token: SeBackupPrivilege 2668 vssvc.exe Token: SeRestorePrivilege 2668 vssvc.exe Token: SeAuditPrivilege 2668 vssvc.exe Token: SeBackupPrivilege 3796 msiexec.exe Token: SeRestorePrivilege 3796 msiexec.exe Token: SeRestorePrivilege 3796 msiexec.exe Token: SeTakeOwnershipPrivilege 3796 msiexec.exe Token: SeRestorePrivilege 3796 msiexec.exe Token: SeTakeOwnershipPrivilege 3796 msiexec.exe Token: SeRestorePrivilege 3796 msiexec.exe Token: SeTakeOwnershipPrivilege 3796 msiexec.exe Token: SeRestorePrivilege 3796 msiexec.exe Token: SeTakeOwnershipPrivilege 3796 msiexec.exe Token: SeRestorePrivilege 3796 msiexec.exe Token: SeTakeOwnershipPrivilege 3796 msiexec.exe Token: SeRestorePrivilege 3796 msiexec.exe Token: SeTakeOwnershipPrivilege 3796 msiexec.exe Token: SeRestorePrivilege 3796 msiexec.exe Token: SeTakeOwnershipPrivilege 3796 msiexec.exe Token: SeRestorePrivilege 3796 msiexec.exe Token: SeTakeOwnershipPrivilege 3796 msiexec.exe Token: SeRestorePrivilege 3796 msiexec.exe Token: SeTakeOwnershipPrivilege 3796 msiexec.exe Token: SeRestorePrivilege 3796 msiexec.exe Token: SeTakeOwnershipPrivilege 3796 msiexec.exe Token: SeRestorePrivilege 3796 msiexec.exe Token: SeTakeOwnershipPrivilege 3796 msiexec.exe Token: SeRestorePrivilege 3796 msiexec.exe Token: SeTakeOwnershipPrivilege 3796 msiexec.exe Token: SeRestorePrivilege 3796 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
wscript.exepid process 3260 wscript.exe 3260 wscript.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
msiexec.exerundll32.exerundll32.exedescription pid process target process PID 3796 wrote to memory of 1000 3796 msiexec.exe srtasks.exe PID 3796 wrote to memory of 1000 3796 msiexec.exe srtasks.exe PID 3796 wrote to memory of 1948 3796 msiexec.exe rundll32.exe PID 3796 wrote to memory of 1948 3796 msiexec.exe rundll32.exe PID 3796 wrote to memory of 824 3796 msiexec.exe wscript.exe PID 3796 wrote to memory of 824 3796 msiexec.exe wscript.exe PID 1948 wrote to memory of 3208 1948 rundll32.exe rundll32.exe PID 1948 wrote to memory of 3208 1948 rundll32.exe rundll32.exe PID 1948 wrote to memory of 3208 1948 rundll32.exe rundll32.exe PID 3208 wrote to memory of 2016 3208 rundll32.exe wermgr.exe PID 3208 wrote to memory of 2016 3208 rundll32.exe wermgr.exe PID 3208 wrote to memory of 2016 3208 rundll32.exe wermgr.exe PID 3208 wrote to memory of 2016 3208 rundll32.exe wermgr.exe PID 3208 wrote to memory of 2016 3208 rundll32.exe wermgr.exe PID 3208 wrote to memory of 2016 3208 rundll32.exe wermgr.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\ProjectFunding_450726_Jun01.js1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3260
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3796 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:1000
-
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs2⤵PID:824
-
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next2⤵
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3208 -
C:\Windows\SysWOW64\wermgr.exeC:\Windows\SysWOW64\wermgr.exe4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2016
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2668
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9KB
MD520c8748771234907f298ab6c19d0ef88
SHA1cddfcd5fee5cfee3b4324fb5a95f99744bb04f22
SHA256ef91a95e39707614436547ad2b8d9432adf3350ca801291e2abb42d5b3bc5da8
SHA5125e383d2eb0238d0b40552949e0ef2d3ec2dd6486905aa820f5d71d3faa6f378db155fe10f78ca0e680539c83e389ec9d13624223e30fe295868e08a25860a874
-
Filesize
752KB
MD5e363ab66e88773ccf7e3099c104f2e9e
SHA1d4f3c0fda1bfb983f49facbfdb73054b7cbe57f9
SHA256f4ebbb6df51313699d35d72a58030878d04bcc6f32ae4ef8c24e59c45e3b1b9f
SHA512be86609cd2f065716a342643c39a82d8a6f165233a60bb425202290269dc1dc110b844665b67c148489708e3c1f5a1add671ccdf6a0a9335928b5d9fd59b4d26
-
Filesize
752KB
MD5e363ab66e88773ccf7e3099c104f2e9e
SHA1d4f3c0fda1bfb983f49facbfdb73054b7cbe57f9
SHA256f4ebbb6df51313699d35d72a58030878d04bcc6f32ae4ef8c24e59c45e3b1b9f
SHA512be86609cd2f065716a342643c39a82d8a6f165233a60bb425202290269dc1dc110b844665b67c148489708e3c1f5a1add671ccdf6a0a9335928b5d9fd59b4d26
-
Filesize
132B
MD50d4c9f15ce74465c59ae36a27f98c817
SHA19cce8eefa4d3d9c5e161c5dbb860cfe1489c6b1a
SHA256d24e3399060b51f3a1c9d41a67de2601888a35c99da8db70070d757bb3f1913a
SHA5129bed0eafc2cf2a2360850ca1070ffb04ac14f04c78379485998a93f45012b5c11cc7f6f68129f65b8b5f90437cb965908c6a1bb9d83a56b068d6bde1d5fdad1f
-
Filesize
404KB
MD53f97af6fab9f837be11f50b7b49fa2ef
SHA115bbf6f3198cfe1dca7eb35c239c13488ea65b01
SHA2561430c435b3e786d45da166b8797960545d75bedda0880da91c866d8fd2bee0cf
SHA512e88970c73577dcda5fb20bb5f3935be4b5ad9c3173542153aecab7beed2b377788df304126d9d5c22cc22188081dd00659a4cd40d2a2a400ccd134ad27bf5f05
-
Filesize
23.0MB
MD5ab87c1f9e83ac135e8f8d1032b442795
SHA1fb6dfa7040deb72db3dcb93668f6c10def9ab02b
SHA256aee1ad2325094a899de2fd6a03a45e7fa8fe61654707005ae72858bd90b2f4c8
SHA5123dba6e07aac120ae0a37a497884969dd8f8e129323b6e031bb8c0edd4a1cc1d3589601cfd784de55ee39af582eebb7122cb0132f6981699b60e7457a5c9d850e
-
\??\Volume{c9ab6598-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{55e9168d-5946-48bf-849f-fb1b27d01aca}_OnDiskSnapshotProp
Filesize5KB
MD503785117e0a995597a8db6b88fdf3369
SHA13237a6a9df834bbd88e817fb8991f429fd598d70
SHA256aab745a8cd01c3a621177cb3f78e990b91340a3a51441ad6152301acf5294fc8
SHA51208de574520f6749486a5f9d0ef8dfff336951fe8125f798255d732514920dded74b0d080a8046f9285087961a578bb937c01a587406e30c02ba5f4a4cfa3b4a6