Analysis
max time kernel: 149s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-06-2023 17:35
Static task: static1
Behavioral task: behavioral1
Sample: ProjectFunding_843489_Jun01.js
Resource: win7-20230220-en
General
Target: ProjectFunding_843489_Jun01.js
Size: 1KB
MD5: c7dfc0995de1e2d0c9fdd7737593b576
SHA1: 6d97a88690d6e5db8039f9dc6fbf316ca543d4a5
SHA256: aaee1c741d06959cdf618c51a4b5370d89b1e8d2b9dff607c8a8b06ee640d347
SHA512: 224b865190b4199dba7cc7dfc0202db77de6bec63ee706268e8dfb60182bd8c48fcaecdc1a2e4544a623f2949ccd16ee900fbf6633269b7f39f5f2a041c8a268
Malware Config
Extracted
qakbot
404.1346
obama266
1685611378
24.234.220.88:990
70.28.50.223:2078
96.56.197.26:2083
103.123.223.133:443
83.249.198.100:2222
199.27.66.213:443
90.104.151.37:2222
94.204.202.106:443
72.205.104.134:443
65.95.141.84:2222
82.131.141.209:443
77.126.99.230:443
71.38.155.217:443
205.237.67.69:995
84.215.202.8:443
24.234.220.88:465
76.178.148.107:2222
116.74.163.130:443
70.28.50.223:2087
147.147.30.126:2222
173.88.135.179:443
103.140.174.20:2222
77.86.98.236:443
92.149.250.113:2222
96.87.28.170:2222
86.168.210.41:443
176.142.207.63:443
12.172.173.82:32101
86.132.236.117:443
70.50.83.216:2222
161.142.103.187:995
45.62.70.33:443
12.172.173.82:465
178.175.187.254:443
83.110.223.61:443
105.184.209.194:995
41.186.88.38:443
102.156.10.183:443
27.109.19.90:2078
47.205.25.170:443
12.172.173.82:993
76.170.252.153:995
69.242.31.249:443
24.234.220.88:995
125.99.69.178:443
79.168.224.165:2222
75.143.236.149:443
14.192.241.76:995
124.122.47.148:443
81.229.117.95:2222
98.145.23.67:443
114.143.176.236:443
103.144.201.48:2078
122.186.210.254:443
69.160.121.6:61201
12.172.173.82:21
72.253.126.216:443
75.109.111.89:443
76.86.31.59:443
116.120.145.170:995
12.172.173.82:50001
81.101.185.146:443
201.244.108.183:995
68.203.69.96:443
103.139.242.6:443
103.42.86.42:995
85.61.165.153:2222
76.16.49.134:443
125.99.76.102:443
184.182.66.109:443
70.28.50.223:32100
50.68.204.71:993
85.57.212.13:3389
41.227.190.59:443
70.28.50.223:3389
31.53.29.235:2222
89.79.229.50:443
50.68.186.195:443
47.199.241.39:443
93.147.235.8:443
75.141.227.169:443
45.243.142.31:995
79.92.15.6:443
85.104.105.67:443
89.129.109.27:2222
86.176.83.44:2222
24.234.220.88:993
89.32.156.5:995
12.172.173.82:22
103.101.203.177:443
70.28.50.223:2083
98.187.21.2:443
70.49.205.198:2222
96.56.197.26:2222
92.9.45.20:2222
86.195.14.72:2222
172.115.17.50:443
100.4.163.158:2222
80.12.88.148:2222
213.64.33.92:2222
113.11.92.30:443
78.192.109.105:2222
47.34.30.133:443
122.184.143.86:443
198.2.51.242:993
165.120.169.171:2222
88.126.94.4:50000
82.125.44.236:2222
117.195.17.148:993
147.219.4.194:443
80.167.196.79:443
92.154.17.149:2222
184.181.75.148:443
95.45.50.93:2222
84.35.26.14:995
201.143.215.69:443
12.172.173.82:2087
50.68.204.71:443
64.121.161.102:443
Signatures
Blocklisted process makes network request 1 IoCs
Processes:
  flow  pid   process
  4     4292  msiexec.exe
Loads dropped DLL 1 IoCs
Processes:
  pid   process
  4888  rundll32.exe
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description              ioc     process
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\F:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
Drops file in Windows directory 6 IoCs
Processes:
  description                   ioc                                                       process
  File created                  C:\Windows\Installer\e56e9ea.msi                          msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI7A65.tmp                          msiexec.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log  msiexec.exe
  File opened for modification  C:\Windows\Installer\                                     msiexec.exe
  File created                  C:\Windows\Installer\inprogressinstallinfo.ipi            msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIEA56.tmp                          msiexec.exe
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description       ioc                                                                                                                                  process
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value elided]  vssvc.exe
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  vssvc.exe
  Key opened        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters  vssvc.exe
  Key queried       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters  vssvc.exe
  Key created       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr  vssvc.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process
  4292  msiexec.exe
  4292  msiexec.exe
  4888  rundll32.exe
  4888  rundll32.exe
  4812  wermgr.exe (the remaining 60 entries are all 4812 wermgr.exe)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  description                            pid   process
  Token: SeShutdownPrivilege             5096  wscript.exe
  Token: SeIncreaseQuotaPrivilege        5096  wscript.exe
  Token: SeSecurityPrivilege             4292  msiexec.exe
  Token: SeCreateTokenPrivilege          5096  wscript.exe
  Token: SeAssignPrimaryTokenPrivilege   5096  wscript.exe
  Token: SeLockMemoryPrivilege           5096  wscript.exe
  Token: SeIncreaseQuotaPrivilege        5096  wscript.exe
  Token: SeMachineAccountPrivilege       5096  wscript.exe
  Token: SeTcbPrivilege                  5096  wscript.exe
  Token: SeSecurityPrivilege             5096  wscript.exe
  Token: SeTakeOwnershipPrivilege        5096  wscript.exe
  Token: SeLoadDriverPrivilege           5096  wscript.exe
  Token: SeSystemProfilePrivilege        5096  wscript.exe
  Token: SeSystemtimePrivilege           5096  wscript.exe
  Token: SeProfSingleProcessPrivilege    5096  wscript.exe
  Token: SeIncBasePriorityPrivilege      5096  wscript.exe
  Token: SeCreatePagefilePrivilege       5096  wscript.exe
  Token: SeCreatePermanentPrivilege      5096  wscript.exe
  Token: SeBackupPrivilege               5096  wscript.exe
  Token: SeRestorePrivilege              5096  wscript.exe
  Token: SeShutdownPrivilege             5096  wscript.exe
  Token: SeDebugPrivilege                5096  wscript.exe
  Token: SeAuditPrivilege                5096  wscript.exe
  Token: SeSystemEnvironmentPrivilege    5096  wscript.exe
  Token: SeChangeNotifyPrivilege         5096  wscript.exe
  Token: SeRemoteShutdownPrivilege       5096  wscript.exe
  Token: SeUndockPrivilege               5096  wscript.exe
  Token: SeSyncAgentPrivilege            5096  wscript.exe
  Token: SeEnableDelegationPrivilege     5096  wscript.exe
  Token: SeManageVolumePrivilege         5096  wscript.exe
  Token: SeImpersonatePrivilege          5096  wscript.exe
  Token: SeCreateGlobalPrivilege         5096  wscript.exe
  Token: SeRestorePrivilege              4292  msiexec.exe
  Token: SeTakeOwnershipPrivilege        4292  msiexec.exe
  Token: SeBackupPrivilege               3860  vssvc.exe
  Token: SeRestorePrivilege              3860  vssvc.exe
  Token: SeAuditPrivilege                3860  vssvc.exe
  Token: SeBackupPrivilege               4292  msiexec.exe
  Token: SeRestorePrivilege              4292  msiexec.exe
  Token: SeRestorePrivilege              4292  msiexec.exe
  Token: SeTakeOwnershipPrivilege        4292  msiexec.exe
  Token: SeRestorePrivilege              4292  msiexec.exe
  Token: SeTakeOwnershipPrivilege        4292  msiexec.exe
  Token: SeRestorePrivilege              4292  msiexec.exe
  Token: SeTakeOwnershipPrivilege        4292  msiexec.exe
  Token: SeRestorePrivilege              4292  msiexec.exe
  Token: SeTakeOwnershipPrivilege        4292  msiexec.exe
  Token: SeRestorePrivilege              4292  msiexec.exe
  Token: SeTakeOwnershipPrivilege        4292  msiexec.exe
  Token: SeRestorePrivilege              4292  msiexec.exe
  Token: SeTakeOwnershipPrivilege        4292  msiexec.exe
  Token: SeRestorePrivilege              4292  msiexec.exe
  Token: SeTakeOwnershipPrivilege        4292  msiexec.exe
  Token: SeRestorePrivilege              4292  msiexec.exe
  Token: SeTakeOwnershipPrivilege        4292  msiexec.exe
  Token: SeRestorePrivilege              4292  msiexec.exe
  Token: SeTakeOwnershipPrivilege        4292  msiexec.exe
  Token: SeRestorePrivilege              4292  msiexec.exe
  Token: SeTakeOwnershipPrivilege        4292  msiexec.exe
  Token: SeRestorePrivilege              4292  msiexec.exe
  Token: SeTakeOwnershipPrivilege        4292  msiexec.exe
  Token: SeRestorePrivilege              4292  msiexec.exe
  Token: SeTakeOwnershipPrivilege        4292  msiexec.exe
  Token: SeRestorePrivilege              4292  msiexec.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
  pid   process
  5096  wscript.exe
  5096  wscript.exe
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
  description                        pid   process       target process
  PID 4292 wrote to memory of 4428   4292  msiexec.exe   srtasks.exe
  PID 4292 wrote to memory of 4428   4292  msiexec.exe   srtasks.exe
  PID 4292 wrote to memory of 924    4292  msiexec.exe   rundll32.exe
  PID 4292 wrote to memory of 924    4292  msiexec.exe   rundll32.exe
  PID 4292 wrote to memory of 2736   4292  msiexec.exe   wscript.exe
  PID 4292 wrote to memory of 2736   4292  msiexec.exe   wscript.exe
  PID 924 wrote to memory of 4888    924   rundll32.exe  rundll32.exe
  PID 924 wrote to memory of 4888    924   rundll32.exe  rundll32.exe
  PID 924 wrote to memory of 4888    924   rundll32.exe  rundll32.exe
  PID 4888 wrote to memory of 4812   4888  rundll32.exe  wermgr.exe
  PID 4888 wrote to memory of 4812   4888  rundll32.exe  wermgr.exe
  PID 4888 wrote to memory of 4812   4888  rundll32.exe  wermgr.exe
  PID 4888 wrote to memory of 4812   4888  rundll32.exe  wermgr.exe
  PID 4888 wrote to memory of 4812   4888  rundll32.exe  wermgr.exe
  PID 4888 wrote to memory of 4812   4888  rundll32.exe  wermgr.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\wscript.exe (PID 5096)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\ProjectFunding_843489_Jun01.js
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 4292)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Blocklisted process makes network request; Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe (PID 4428)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - C:\Windows\system32\wscript.exe (PID 2736)
    Command line: wscript.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs
  - C:\Windows\system32\rundll32.exe (PID 924)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 4888)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
      Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\wermgr.exe (PID 4812)
        Command line: C:\Windows\SysWOW64\wermgr.exe
        Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\vssvc.exe (PID 3860)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 9KB
MD5: 314eaf836177274895dd2432bd2959dd
SHA1: cd0662d3db4a4396223571ec20d0d7a4aa5a6140
SHA256: f9f0af0a943f050bc37ff79b863ef68c86d2a169ffdf2c899e758b87d48b0569
SHA512: f430057bbec57f99d621d8696ede99cd27d6589088453d1d50354ac4d52a6d47abaa71f466dbdd4d667f1d9c6bf586beae9852965304a296cb235c55b2abc74e

Filesize: 752KB
MD5: 66405338f124e7e85e95b35431ac9a33
SHA1: 8aec6858ff913428ffbdb7bc5ab4dbf36cda8d3a
SHA256: 7c6b62108f5fb30a499b5ea2d841014d56f0db9be319455eea2e8843c66e44ff
SHA512: e0ae8833a782ea698446bdcef8ef7b76530a475491a86c057dd5289cb653e48c12af1aba70dc3dfcca22e4dbc9593a8767452492f9301d7d3248c6428ee97d14

Filesize: 752KB
MD5: 66405338f124e7e85e95b35431ac9a33
SHA1: 8aec6858ff913428ffbdb7bc5ab4dbf36cda8d3a
SHA256: 7c6b62108f5fb30a499b5ea2d841014d56f0db9be319455eea2e8843c66e44ff
SHA512: e0ae8833a782ea698446bdcef8ef7b76530a475491a86c057dd5289cb653e48c12af1aba70dc3dfcca22e4dbc9593a8767452492f9301d7d3248c6428ee97d14

Filesize: 132B
MD5: 0d4c9f15ce74465c59ae36a27f98c817
SHA1: 9cce8eefa4d3d9c5e161c5dbb860cfe1489c6b1a
SHA256: d24e3399060b51f3a1c9d41a67de2601888a35c99da8db70070d757bb3f1913a
SHA512: 9bed0eafc2cf2a2360850ca1070ffb04ac14f04c78379485998a93f45012b5c11cc7f6f68129f65b8b5f90437cb965908c6a1bb9d83a56b068d6bde1d5fdad1f

Filesize: 404KB
MD5: f0db47ab7156e4a747acb8601a3e37bf
SHA1: 822f93d63473e3f7a1c7b9ce50b31d76a9a6b438
SHA256: cb33ddf504dbcc23021e1fba3419faeb31fd921f11ee08c4f923b87ec0e6ceed
SHA512: 3184b589f350cc92c49a3a76aa7ba51a10d51cee9bf573ce54addd1cc912ba524229f6573e7aaf2620ce1dadd7f5684519ca8ff5ddfa729e0f90a8cecd357594

Filesize: 23.0MB
MD5: b82ffb3bc4d8d486274dd6bda7d55c9f
SHA1: dd828994c15caa8b1a3523248864ffab1e3068c1
SHA256: d8047e0802350fc06c31bfa65ccd3a52186ea62d083c6e8d5ded42e72b392ef2
SHA512: 916b7dce70979ba7387ae6be172e1bbef741e6fe07b08ad40f83d05122f583c2a86b64e85a58221ee47b1638e48a78948bfa9b0f9155fed375c6a82af87443de

Path: \??\Volume{c9ab6598-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{659663e9-0767-44ec-8462-5b6fa7bf4374}_OnDiskSnapshotProp
Filesize: 5KB
MD5: b06c6406c8c6e85cad42462c49708204
SHA1: ec3e362352280a6790423654c246222c142f66e3
SHA256: f5a61959a9d66d6c0c5fdd7f498fe216e4e3e28921c7339d51abd0119817bb19
SHA512: 2cc6e3f3766c00b25626dfc1e195a0a17a9f5a052d096392532124eebaafd93d35ff968652b064b4d8cf3bd548b0164997e86ae7b4aed45222aa962e69813a15