Analysis
max time kernel: 150s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-06-2023 10:01
Static task: static1
Behavioral task: behavioral1
Sample: ProjectFunding_406103_Jun01.js
Resource: win7-20230220-en
General
Target: ProjectFunding_406103_Jun01.js
Size: 1KB
MD5: 466f176d7c53eb5d67bbd974bedc4acf
SHA1: b4ac021b9170a2a63d0e392bc9d25849195f5848
SHA256: 12035df7d8c57f2cf204d6c0748dfee8d4a5c82c621c384e72df73bf822e3e11
SHA512: ff4ca4579dd6acc93676022bfdcc5edd4fa360bd3fd62f78fc3897d8a1ea0d951e3bd3e9d77e092b84b78d338b9a61c73cf2e1146fd2428b57829926d31424df
Malware Config
Extracted
qakbot
404.1346
obama266
1685611378
Signatures

Blocklisted process makes network request (3 IoCs)
Processes:
flow  pid   process
12    2488  msiexec.exe
63    2488  msiexec.exe
71    2488  msiexec.exe
Loads dropped DLL (1 IoC)
Processes:
pid   process
3832  rundll32.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description              ioc     process
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\F:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
Drops file in Windows directory (6 IoCs)
Processes:
description                   ioc                                                            process
File created                  C:\Windows\Installer\e578d1f.msi                               msiexec.exe
File opened for modification  C:\Windows\Installer\MSI13A7.tmp                               msiexec.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log       msiexec.exe
File opened for modification  C:\Windows\Installer\                                          msiexec.exe
File created                  C:\Windows\Installer\inprogressinstallinfo.ipi                 msiexec.exe
File opened for modification  C:\Windows\Installer\MSI8D5C.tmp                               msiexec.exe
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
description       ioc                                                                                                                                                              process
Key opened        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters                                                vssvc.exe
Key queried       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters                                                vssvc.exe
Key created       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr                                        vssvc.exe
Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value removed)  vssvc.exe
Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  vssvc.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid   process
2488  msiexec.exe
2488  msiexec.exe
3832  rundll32.exe
3832  rundll32.exe
2940  wermgr.exe (all remaining entries, 60 of the 64 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
token                          pid   process
SeShutdownPrivilege            5072  wscript.exe
SeIncreaseQuotaPrivilege       5072  wscript.exe
SeSecurityPrivilege            2488  msiexec.exe
SeCreateTokenPrivilege         5072  wscript.exe
SeAssignPrimaryTokenPrivilege  5072  wscript.exe
SeLockMemoryPrivilege          5072  wscript.exe
SeIncreaseQuotaPrivilege       5072  wscript.exe
SeMachineAccountPrivilege      5072  wscript.exe
SeTcbPrivilege                 5072  wscript.exe
SeSecurityPrivilege            5072  wscript.exe
SeTakeOwnershipPrivilege       5072  wscript.exe
SeLoadDriverPrivilege          5072  wscript.exe
SeSystemProfilePrivilege       5072  wscript.exe
SeSystemtimePrivilege          5072  wscript.exe
SeProfSingleProcessPrivilege   5072  wscript.exe
SeIncBasePriorityPrivilege     5072  wscript.exe
SeCreatePagefilePrivilege      5072  wscript.exe
SeCreatePermanentPrivilege     5072  wscript.exe
SeBackupPrivilege              5072  wscript.exe
SeRestorePrivilege             5072  wscript.exe
SeShutdownPrivilege            5072  wscript.exe
SeDebugPrivilege               5072  wscript.exe
SeAuditPrivilege               5072  wscript.exe
SeSystemEnvironmentPrivilege   5072  wscript.exe
SeChangeNotifyPrivilege        5072  wscript.exe
SeRemoteShutdownPrivilege      5072  wscript.exe
SeUndockPrivilege              5072  wscript.exe
SeSyncAgentPrivilege           5072  wscript.exe
SeEnableDelegationPrivilege    5072  wscript.exe
SeManageVolumePrivilege        5072  wscript.exe
SeImpersonatePrivilege         5072  wscript.exe
SeCreateGlobalPrivilege        5072  wscript.exe
SeShutdownPrivilege            5072  wscript.exe
SeIncreaseQuotaPrivilege       5072  wscript.exe
SeCreateTokenPrivilege         5072  wscript.exe
SeAssignPrimaryTokenPrivilege  5072  wscript.exe
SeLockMemoryPrivilege          5072  wscript.exe
SeIncreaseQuotaPrivilege       5072  wscript.exe
SeMachineAccountPrivilege      5072  wscript.exe
SeTcbPrivilege                 5072  wscript.exe
SeSecurityPrivilege            5072  wscript.exe
SeTakeOwnershipPrivilege       5072  wscript.exe
SeLoadDriverPrivilege          5072  wscript.exe
SeSystemProfilePrivilege       5072  wscript.exe
SeSystemtimePrivilege          5072  wscript.exe
SeProfSingleProcessPrivilege   5072  wscript.exe
SeIncBasePriorityPrivilege     5072  wscript.exe
SeCreatePagefilePrivilege      5072  wscript.exe
SeCreatePermanentPrivilege     5072  wscript.exe
SeBackupPrivilege              5072  wscript.exe
SeRestorePrivilege             5072  wscript.exe
SeShutdownPrivilege            5072  wscript.exe
SeDebugPrivilege               5072  wscript.exe
SeAuditPrivilege               5072  wscript.exe
SeSystemEnvironmentPrivilege   5072  wscript.exe
SeChangeNotifyPrivilege        5072  wscript.exe
SeRemoteShutdownPrivilege      5072  wscript.exe
SeUndockPrivilege              5072  wscript.exe
SeSyncAgentPrivilege           5072  wscript.exe
SeEnableDelegationPrivilege    5072  wscript.exe
SeManageVolumePrivilege        5072  wscript.exe
SeImpersonatePrivilege         5072  wscript.exe
SeCreateGlobalPrivilege        5072  wscript.exe
SeShutdownPrivilege            5072  wscript.exe
Suspicious use of FindShellTrayWindow (6 IoCs)
Processes:
pid   process
5072  wscript.exe
5072  wscript.exe
5072  wscript.exe
5072  wscript.exe
5072  wscript.exe
5072  wscript.exe
Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
description                       pid   process       target process
PID 2488 wrote to memory of 2168  2488  msiexec.exe   srtasks.exe
PID 2488 wrote to memory of 2168  2488  msiexec.exe   srtasks.exe
PID 2488 wrote to memory of 2512  2488  msiexec.exe   rundll32.exe
PID 2488 wrote to memory of 2512  2488  msiexec.exe   rundll32.exe
PID 2488 wrote to memory of 2884  2488  msiexec.exe   wscript.exe
PID 2488 wrote to memory of 2884  2488  msiexec.exe   wscript.exe
PID 2512 wrote to memory of 3832  2512  rundll32.exe  rundll32.exe
PID 2512 wrote to memory of 3832  2512  rundll32.exe  rundll32.exe
PID 2512 wrote to memory of 3832  2512  rundll32.exe  rundll32.exe
PID 3832 wrote to memory of 2940  3832  rundll32.exe  wermgr.exe
PID 3832 wrote to memory of 2940  3832  rundll32.exe  wermgr.exe
PID 3832 wrote to memory of 2940  3832  rundll32.exe  wermgr.exe
PID 3832 wrote to memory of 2940  3832  rundll32.exe  wermgr.exe
PID 3832 wrote to memory of 2940  3832  rundll32.exe  wermgr.exe
PID 3832 wrote to memory of 2940  3832  rundll32.exe  wermgr.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Windows\system32\wscript.exe (PID 5072)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\ProjectFunding_406103_Jun01.js
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 2488)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\srtasks.exe (PID 2168)
      Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

    C:\Windows\system32\rundll32.exe (PID 2512)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\rundll32.exe (PID 3832)
          Command line: rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\wermgr.exe (PID 2940)
              Command line: C:\Windows\SysWOW64\wermgr.exe
              - Suspicious behavior: EnumeratesProcesses

    C:\Windows\system32\wscript.exe (PID 2884)
      Command line: wscript.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs

C:\Windows\system32\vssvc.exe (PID 4000)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)