c373639f248a4ab9e180efba40efd66249785657542cef5f7755c2432e98fb17

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 19:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

qbot_v5.dll
Size

184KB
MD5

ad21bf01af70637e231a2882c03e7069
SHA1

5ed92e7e80dcac57771ec421692b5e82f65ca65d
SHA256

c373639f248a4ab9e180efba40efd66249785657542cef5f7755c2432e98fb17
SHA512

421a0600a1e18354839167c0daa7b2a9e7ce83fc146fc7dd61e000c6e2b96253fccf13dd21384e843d17f6e0f31bc8452fea653ac3c578ccb27c31aee8d2483e
SSDEEP

3072:AixYRIgVFK9cJx2I87ZMGCDaZqZu9E/gLAE/OwtJBdw:AixYVVQ9G2I8ZMGjZqY9EiAcB6

Score

1^/10

Malware Config

Signatures

Modifies registry class 12 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\filxtgatuguoyq\a81662dc = 84f8a3eb359b94535c9f8413e94e7542dc51276103d4b761d4613c17bcec59f8a076eb0a1a562e62bdbe3631fca1984a9abc2ed85543f5321c0a3bd50ae241294e702082442195fb18555fd6278ea11ab0f7ca12470b5e94b6a9263cc9534cf862	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\filxtgatuguoyq\b75979f7 = a6b69987ad84502e5aa4595a363073eaff725156fd3a556d5e1ec9f5ed2b3ce7d5f8fe9620a7a28dd8333158ab2f75c126c97f5d60aa8a04e4b100d878dbf6cd09	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\filxtgatuguoyq\7bf37969 = c70f0a6249db3c82ed912316532b6448d7b7111370d5c50dbe5123b32cbd31d5cbbf965695fe26040ecf9c08ce2cce0a96	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\filxtgatuguoyq\2ddb31a1 = 875b0e3f260a388094ea1655052ef15750e72535fc5994578831716bf2c1a452951003840d6e7ca55acf9cc0fcd679b0e6e30af24fe3d4883386029eb64233d3b65b3ae14c0fee39f1961e3839acd25091fb6e09ca1ac0b29aa784e431c5e431ba	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\filxtgatuguoyq\2c5c6c26 = e548b165ce7a49328c3a7a165e6a0531db50b75659df5209c4c27b67c5fa90fcb59a78c6321b073d9eb606c605e6010a289be6447f0543f41fa2bbd0c9da0d1d0b23dc4a1f38fa8c9cf35cde045e153939515c52fca833ad45b4c09bedb0dfee1c2c1dd8da24246c6bda8c03f77a3d6638	wermgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\filxtgatuguoyq	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\filxtgatuguoyq\2c5c6c26 = 67505bc0c0919da33bbbfead96d97f56c07f6a68a69a1b6953215bbf930677301637fb70cd47db118a142443ed8b058ef5b4ac06941bea479baf363c6c78a844cf0bfaaacc9c14d18268566d8c5914c15f52439e7e7d3d93b02eaeb3f4ed912f14	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\filxtgatuguoyq\7a7424ee = a68fd8d330763de58b497543314930bd82f80b9db4b9272f3227f78929c659bc2259dd4d8389ebb5758d2160a55e9b51435ae22226724252f66c7721382e22669886fe9a38faf28d75115070b615c6778fdef6068d2f4fcefc9089274de5141c9ca70c8efa4a48fca6c91033fd471e11cbcfad4210188c5f8fe87dc3687e810ef23b099c9c0f96e2660c0dac346ca02bb57369c68f3effcbf1d990f607952a2647	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\filxtgatuguoyq\64bc6242 = 876174445d5efe4fb4af95d11b0b9356a942aa071eb6714e1b345caa264f1dfd1b80114718e98fcbff4faabdeb4755a5cb744cc96f4db547c48c5cedcde7d29592daf38077d26cef4c9603bc0816e08306d5d15ab0c374d027f2fbfd13c7be54afbbe0cd3bcb05141dd3a68c0b6d9ada9befee04f6b4c316dbe05dd61eeca27610	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\filxtgatuguoyq\bc1b2d69 = e4371c608ed7b7756f0bac637049c866ff53458d9796c18ba0db9e3713909380fca54620d86c162e6fa6e2165853879593fa25e63105fc16868f3d98e625113781	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\filxtgatuguoyq\134507f7 = c69aadb486943958748debccea8f8592e7d2ff2b5c54a112ee43c9ce10214ce6cf2c291bd5222cb9f84c766008101d37b5d44f75ffa2336627e40694481caaa8a5d25eda7f585d32dc1a31be881b7c81c9392c2c010fa65cbcd1961c84f2c2e368cb249551cb60f1b791263798463723ab	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\filxtgatuguoyq\b6de2470 = a6032c1d8d59d28c1e07c8e5a3b4c073a2971fd3750127ec6224a18d7ae93696dfcff7f6ebce708533c64578c77384ed314d7d51a020038babeca1c0379d3a593d957a444d63bea8263e4510d1985a3e8c47a20793c9f96ec664985ce500e7069412fb6531cee9e3500fe8933516abcc49	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2400	rundll32.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe
2224	wermgr.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2224	2400	rundll32.exe	28
PID 2400 wrote to memory of 2224	2400	rundll32.exe	28
PID 2400 wrote to memory of 2224	2400	rundll32.exe	28
PID 2400 wrote to memory of 2224	2400	rundll32.exe	28
PID 2400 wrote to memory of 2224	2400	rundll32.exe	28
PID 2400 wrote to memory of 2224	2400	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\qbot_v5.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\System32\wermgr.exe
  C:\Windows\System32\wermgr.exe
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2224

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2224-0-0x0000000000090000-0x0000000000092000-memory.dmp

Filesize
8KB

Download
memory/2224-1-0x0000000000060000-0x000000000008E000-memory.dmp

Filesize
184KB

Download
memory/2224-7-0x0000000000060000-0x000000000008E000-memory.dmp

Filesize
184KB

Download
memory/2224-20-0x0000000000060000-0x000000000008E000-memory.dmp

Filesize
184KB

Download
memory/2224-21-0x0000000000060000-0x000000000008E000-memory.dmp

Filesize
184KB

Download
memory/2224-22-0x0000000000060000-0x000000000008E000-memory.dmp

Filesize
184KB

Download
memory/2224-23-0x0000000000060000-0x000000000008E000-memory.dmp

Filesize
184KB

Download
memory/2224-24-0x0000000000060000-0x000000000008E000-memory.dmp

Filesize
184KB

Download
memory/2224-27-0x0000000000060000-0x000000000008E000-memory.dmp

Filesize
184KB

Download