Analysis
max time kernel: 149s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-06-2023 16:49
Static task: static1
Behavioral task: behavioral1
Sample: 09345699.js
Resource: win7-20230220-en
General
Target: 09345699.js
Size: 1KB
MD5: a657553449746c482dacfe3b19119b7a
SHA1: 630b815d443f8f7ef7e4c4c7c100de1cd8a7ed53
SHA256: 44e029dd6210c4906a82e1f16dd5ebed434efd225dafb92fc560e6ff6d1ee948
SHA512: dea33536a5c5fe279ca1a8a3d4639be0f49d5ca3c21f4cbbda10c5d059837c2bc4c3917cdbddd0fc9f4a0773f325369b200f0df8e0035da6afab26f09502c321
Malware Config
Extracted
qakbot
404.1346
obama266
1685611378
24.234.220.88:990
70.28.50.223:2078
96.56.197.26:2083
103.123.223.133:443
83.249.198.100:2222
199.27.66.213:443
90.104.151.37:2222
94.204.202.106:443
72.205.104.134:443
65.95.141.84:2222
82.131.141.209:443
77.126.99.230:443
71.38.155.217:443
205.237.67.69:995
84.215.202.8:443
24.234.220.88:465
76.178.148.107:2222
116.74.163.130:443
70.28.50.223:2087
147.147.30.126:2222
173.88.135.179:443
103.140.174.20:2222
77.86.98.236:443
92.149.250.113:2222
96.87.28.170:2222
86.168.210.41:443
176.142.207.63:443
12.172.173.82:32101
86.132.236.117:443
70.50.83.216:2222
161.142.103.187:995
45.62.70.33:443
12.172.173.82:465
178.175.187.254:443
83.110.223.61:443
105.184.209.194:995
41.186.88.38:443
102.156.10.183:443
27.109.19.90:2078
47.205.25.170:443
12.172.173.82:993
76.170.252.153:995
69.242.31.249:443
24.234.220.88:995
125.99.69.178:443
79.168.224.165:2222
75.143.236.149:443
14.192.241.76:995
124.122.47.148:443
81.229.117.95:2222
98.145.23.67:443
114.143.176.236:443
103.144.201.48:2078
122.186.210.254:443
69.160.121.6:61201
12.172.173.82:21
72.253.126.216:443
75.109.111.89:443
76.86.31.59:443
116.120.145.170:995
12.172.173.82:50001
81.101.185.146:443
201.244.108.183:995
68.203.69.96:443
103.139.242.6:443
103.42.86.42:995
85.61.165.153:2222
76.16.49.134:443
125.99.76.102:443
184.182.66.109:443
70.28.50.223:32100
50.68.204.71:993
85.57.212.13:3389
41.227.190.59:443
70.28.50.223:3389
31.53.29.235:2222
89.79.229.50:443
50.68.186.195:443
47.199.241.39:443
93.147.235.8:443
75.141.227.169:443
45.243.142.31:995
79.92.15.6:443
85.104.105.67:443
89.129.109.27:2222
86.176.83.44:2222
24.234.220.88:993
89.32.156.5:995
12.172.173.82:22
103.101.203.177:443
70.28.50.223:2083
98.187.21.2:443
70.49.205.198:2222
96.56.197.26:2222
92.9.45.20:2222
86.195.14.72:2222
172.115.17.50:443
100.4.163.158:2222
80.12.88.148:2222
213.64.33.92:2222
113.11.92.30:443
78.192.109.105:2222
47.34.30.133:443
122.184.143.86:443
198.2.51.242:993
165.120.169.171:2222
88.126.94.4:50000
82.125.44.236:2222
117.195.17.148:993
147.219.4.194:443
80.167.196.79:443
92.154.17.149:2222
184.181.75.148:443
95.45.50.93:2222
84.35.26.14:995
201.143.215.69:443
12.172.173.82:2087
50.68.204.71:443
64.121.161.102:443
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
- flow 4, PID 4844, msiexec.exe
Loads dropped DLL 1 IoCs
Processes:
- PID 1532, rundll32.exe
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exe (PID 4844), one entry per drive letter probed:
- File opened (read-only) \??\G:
- File opened (read-only) \??\K:
- File opened (read-only) \??\M:
- File opened (read-only) \??\T:
- File opened (read-only) \??\U:
- File opened (read-only) \??\L:
- File opened (read-only) \??\N:
- File opened (read-only) \??\A:
- File opened (read-only) \??\E:
- File opened (read-only) \??\F:
- File opened (read-only) \??\H:
- File opened (read-only) \??\I:
- File opened (read-only) \??\J:
- File opened (read-only) \??\Q:
- File opened (read-only) \??\R:
- File opened (read-only) \??\W:
- File opened (read-only) \??\B:
- File opened (read-only) \??\O:
- File opened (read-only) \??\V:
- File opened (read-only) \??\X:
- File opened (read-only) \??\Y:
- File opened (read-only) \??\P:
- File opened (read-only) \??\S:
- File opened (read-only) \??\Z:
Drops file in Windows directory 6 IoCs
Processes:
msiexec.exe (PID 4844):
- File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
- File opened for modification C:\Windows\Installer\
- File created C:\Windows\Installer\inprogressinstallinfo.ipi
- File opened for modification C:\Windows\Installer\MSIE7C6.tmp
- File created C:\Windows\Installer\e56e769.msi
- File opened for modification C:\Windows\Installer\MSI740C.tmp
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
vssvc.exe (PID 1896), all under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters:
- Key queried: Device Parameters
- Key created: Device Parameters\Partmgr
- Set value (data): Device Parameters\Partmgr\PartitionTableCache = [value not present in this copy of the report]
- Set value (data): Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Key opened: Device Parameters
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- PID 4844, msiexec.exe (2 entries)
- PID 1532, rundll32.exe (2 entries)
- PID 2384, wermgr.exe (remaining 60 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
wscript.exe (PID 1452), in the order recorded:
- Token: SeShutdownPrivilege
- Token: SeIncreaseQuotaPrivilege
- Token: SeCreateTokenPrivilege
- Token: SeAssignPrimaryTokenPrivilege
- Token: SeLockMemoryPrivilege
- Token: SeIncreaseQuotaPrivilege
- Token: SeMachineAccountPrivilege
- Token: SeTcbPrivilege
- Token: SeSecurityPrivilege
- Token: SeTakeOwnershipPrivilege
- Token: SeLoadDriverPrivilege
- Token: SeSystemProfilePrivilege
- Token: SeSystemtimePrivilege
- Token: SeProfSingleProcessPrivilege
- Token: SeIncBasePriorityPrivilege
- Token: SeCreatePagefilePrivilege
- Token: SeCreatePermanentPrivilege
- Token: SeBackupPrivilege
- Token: SeRestorePrivilege
- Token: SeShutdownPrivilege
- Token: SeDebugPrivilege
- Token: SeAuditPrivilege
- Token: SeSystemEnvironmentPrivilege
- Token: SeChangeNotifyPrivilege
- Token: SeRemoteShutdownPrivilege
- Token: SeUndockPrivilege
- Token: SeSyncAgentPrivilege
- Token: SeEnableDelegationPrivilege
- Token: SeManageVolumePrivilege
- Token: SeImpersonatePrivilege
- Token: SeCreateGlobalPrivilege
msiexec.exe (PID 4844):
- Token: SeSecurityPrivilege (recorded between the first two wscript.exe entries)
- Token: SeRestorePrivilege
- Token: SeTakeOwnershipPrivilege
- Token: SeBackupPrivilege
- Token: SeRestorePrivilege
- Token: SeRestorePrivilege
- Token: SeTakeOwnershipPrivilege / Token: SeRestorePrivilege (this pair repeated 12 times, the last 24 entries of the 64)
vssvc.exe (PID 1896), recorded between the msiexec.exe SeTakeOwnershipPrivilege and SeBackupPrivilege entries:
- Token: SeBackupPrivilege
- Token: SeRestorePrivilege
- Token: SeAuditPrivilege
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
- PID 1452, wscript.exe (2 entries)
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
source PID / process wrote to memory of target PID / process:
- 4844 msiexec.exe -> 4084 srtasks.exe (2 entries)
- 4844 msiexec.exe -> 4460 rundll32.exe (2 entries)
- 4844 msiexec.exe -> 4404 wscript.exe (2 entries)
- 4460 rundll32.exe -> 1532 rundll32.exe (3 entries)
- 1532 rundll32.exe -> 2384 wermgr.exe (6 entries)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\wscript.exe
Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\09345699.js
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1452
-
C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4844
  -
  C:\Windows\system32\srtasks.exe (child of PID 4844)
  Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  PID:4084
  -
  C:\Windows\system32\wscript.exe (child of PID 4844)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs
  PID:4404
  -
  C:\Windows\system32\rundll32.exe (child of PID 4844)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
  - Suspicious use of WriteProcessMemory
  PID:4460
    -
    C:\Windows\SysWOW64\rundll32.exe (child of PID 4460)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1532
      -
      C:\Windows\SysWOW64\wermgr.exe (child of PID 1532)
      Command line: C:\Windows\SysWOW64\wermgr.exe
      - Suspicious behavior: EnumeratesProcesses
      PID:2384
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1896
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 9KB
MD5: 379d34377a77bc33f20a6f5ccb7e6f82
SHA1: 43b5dc4ccb006bf632d3a6be1ee6437ca4d8a7bc
SHA256: 4adefbf654ed39c6ce87251ab5f7e3168ec45ef82259a4f6f814dd4f77cf1215
SHA512: 979fdc69c0a1742181213ee75131c5a0652a0fe56c62cb1d4626dac36b60743ab42e7c4d7d2d5342b9d148b830cfa972a73076387a0151a5149dddb6e60e33be
-
Filesize: 752KB
MD5: f8090ce52ba92370700730571eae8324
SHA1: a23475ba810e5aa65de0b3b6b566a3407015e4a1
SHA256: 34185364f0df3da1b86d02067a7e6641ac0e89cb8f03da38186c3bb2413c9dfb
SHA512: d0659e9b21dc8a8ef14543ff480133ef4c220e737dc91b13df6564c4f505ded6f51b7d6822cc7e08f00d711b2afce8042bba3148d70bbcc7cc4f65d74a6b967d
-
Filesize: 752KB
MD5: f8090ce52ba92370700730571eae8324
SHA1: a23475ba810e5aa65de0b3b6b566a3407015e4a1
SHA256: 34185364f0df3da1b86d02067a7e6641ac0e89cb8f03da38186c3bb2413c9dfb
SHA512: d0659e9b21dc8a8ef14543ff480133ef4c220e737dc91b13df6564c4f505ded6f51b7d6822cc7e08f00d711b2afce8042bba3148d70bbcc7cc4f65d74a6b967d
-
Filesize: 132B
MD5: 0d4c9f15ce74465c59ae36a27f98c817
SHA1: 9cce8eefa4d3d9c5e161c5dbb860cfe1489c6b1a
SHA256: d24e3399060b51f3a1c9d41a67de2601888a35c99da8db70070d757bb3f1913a
SHA512: 9bed0eafc2cf2a2360850ca1070ffb04ac14f04c78379485998a93f45012b5c11cc7f6f68129f65b8b5f90437cb965908c6a1bb9d83a56b068d6bde1d5fdad1f
-
Filesize: 404KB
MD5: 6ae8d648f8a9146b7f95b3a7073575d0
SHA1: f980c6e727aeb59bf3e6e77d3169448989995ad0
SHA256: e4740d41deca81aedd912cc1f1cb5a52dbf9a8d7dfdaa8adbcb6da119379fe3d
SHA512: 50b30cee011918cd584c08b64871373edd5284af3cbaef04174ec48c63ab35ae8de8e85d35d1c2e9bfb389fcf1d9a7dcf0f246c958191beacd0e14557a65e054
-
Filesize: 23.0MB
MD5: b9d924a15f53d4fa564bd4d403d71d9a
SHA1: 4b42857c08be8b39bb6840cec2bd56253a2f05ce
SHA256: 9d4432c8ce4eef54dbf3c5fd45503c77941235465aea7e5230e26c58abc104ef
SHA512: 75cb67a44baefa3dfc68dd83f88b1ff9d45d9447e76565a14a0c8a211b7e5bd28587a9468d1f5da0caae134448c8149bdf3570120dfe178e91818526f406e6bb
-
Path: \??\Volume{4cc777a5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{3465b196-19a7-4dc8-9a83-b28a3081ed43}_OnDiskSnapshotProp
Filesize: 5KB
MD5: a2e5fa84771bd7d437ce2e143fef16d3
SHA1: e67f90bb92fd5902bc0a073c630d1fdbc9667423
SHA256: 0082d4cbaad0c100cf30acef0e7e896bddabaa55a89c102f7f3c95cc53b9d09d
SHA512: 69795c027e619cdf7d9507786bf0349316286f17d942f615bba850b434a427dbc946f0cdc64e89f56d84288e40bd7eb6fee0e02a5140f9812f8ea69d95f8beba