Analysis

max time kernel: 151s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-06-2023 11:58

Static task: static1
Behavioral task: behavioral1
Sample: 06343599.js
Resource: win7-20230220-en
General

Target: 06343599.js
Size: 1KB
MD5: d958dec890f5a49330457862991ebee0
SHA1: 46fae61a6d8ccaa4cd07f0e25fb7285024f8e36c
SHA256: 3290ebf23a0f763607fa8c7a64b84da516d015adf663380dea9bf5ac19929543
SHA512: d6d64699bd29586111573bb7e32bded0dfd48bca63ea9c87517f53f9eab22e3744e81f433f38ffc15dfe388564993bf4069a82e53fa04e748996a4cbfeab4d67
Malware Config

Extracted
Family: qakbot
Version: 404.1346
Botnet: obama266
Campaign: 1685611378
Signatures

Blocklisted process makes network request (3 IoCs)
Processes (flow / pid / process):
- flow 4: 464 msiexec.exe
- flow 25: 464 msiexec.exe
- flow 38: 464 msiexec.exe

Loads dropped DLL (1 IoC)
Processes (pid / process):
- 932 rundll32.exe

Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description / ioc / process):
- File opened (read-only) by msiexec.exe, in this order: \??\Y:, \??\Z:, \??\E:, \??\F:, \??\M:, \??\V:, \??\W:, \??\G:, \??\K:, \??\P:, \??\Q:, \??\T:, \??\U:, \??\X:, \??\B:, \??\L:, \??\N:, \??\R:, \??\S:, \??\A:, \??\H:, \??\I:, \??\J:, \??\O:

Drops file in Windows directory (6 IoCs)
Processes (description / ioc / process):
- File created C:\Windows\Installer\e5797dd.msi (msiexec.exe)
- File opened for modification C:\Windows\Installer\MSI2CCD.tmp (msiexec.exe)
- File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
- File opened for modification C:\Windows\Installer\ (msiexec.exe)
- File created C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
- File opened for modification C:\Windows\Installer\MSI9878.tmp (msiexec.exe)

Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes (description / ioc / process), all by vssvc.exe under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters:
- Key opened: Device Parameters
- Key queried: Device Parameters
- Key created: Device Parameters\Partmgr
- Set value (data): Device Parameters\Partmgr\PartitionTableCache (data not shown)
- Set value (data): Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid / process):
- 464 msiexec.exe (2 entries)
- 932 rundll32.exe (2 entries)
- 2340 wermgr.exe (60 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (description / pid / process):
- msiexec.exe (PID 464): Token: SeSecurityPrivilege
- wscript.exe (PID 2724), 63 entries; the following sequence of tokens is enumerated twice: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege; followed by a final SeShutdownPrivilege.

Suspicious use of FindShellTrayWindow (6 IoCs)
Processes (pid / process):
- 2724 wscript.exe (6 entries)

Suspicious use of WriteProcessMemory (15 IoCs)
Processes (description / pid / process / target process):
- PID 464 msiexec.exe wrote to memory of 1524 srtasks.exe (2 entries)
- PID 464 msiexec.exe wrote to memory of 2708 rundll32.exe (2 entries)
- PID 464 msiexec.exe wrote to memory of 4952 wscript.exe (2 entries)
- PID 2708 rundll32.exe wrote to memory of 932 rundll32.exe (3 entries)
- PID 932 rundll32.exe wrote to memory of 2340 wermgr.exe (6 entries)

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

- C:\Windows\system32\wscript.exe (PID 2724)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\06343599.js
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

- C:\Windows\system32\msiexec.exe (PID 464)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\system32\srtasks.exe (PID 1524)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

  - C:\Windows\system32\wscript.exe (PID 4952)
    Command line: wscript.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs

  - C:\Windows\system32\rundll32.exe (PID 2708)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\rundll32.exe (PID 932)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\wermgr.exe (PID 2340)
        Command line: C:\Windows\SysWOW64\wermgr.exe
        - Suspicious behavior: EnumeratesProcesses

- C:\Windows\system32\vssvc.exe (PID 4756)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
Network
MITRE ATT&CK Enterprise v6
Downloads