qakbot | 59559e97962e40a15adb2237c4d01cfead03623aff1725616caeaa5a8d273a35

Analysis

max time kernel
1200s
max time network
1203s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
22-04-2024 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

userapi.dll
Size

167KB
MD5

ce75519a7d251a187dbd7e72b53b093a
SHA1

fa103591148ab8478a84ce25db28ece2e678bd02
SHA256

59559e97962e40a15adb2237c4d01cfead03623aff1725616caeaa5a8d273a35
SHA512

d40da7049f41ddb6b2e6bb751405385256fd9465101ebcf7af8441f8ffa4733df8528ea6312ca6c3d7e57b1365c4c472215865b978f17ccd11deb13b8bdbf5c8
SSDEEP

3072:GeWBsy+tW4we6Ygz5vEEFV6Q+S19N+sqoi7geA7y9utB5t:GeWBsRE/dYw5FMkj+sNiTA7ptB

Score

10^/10

qakbot tchk08 1710958492 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk08

Campaign

1710958492

77.105.162.176:995

31.210.173.10:443

5.252.177.195:443

Attributes

camp_date
2024-03-20 18:14:52 +0000 UTC

Signatures

Detect Qakbot Payload 41 IoCs

resource	yara_rule
behavioral1/memory/3636-1-0x0000014E40620000-0x0000014E4064F000-memory.dmp	family_qakbot_v5
behavioral1/memory/3636-7-0x0000014E40620000-0x0000014E4064F000-memory.dmp	family_qakbot_v5
behavioral1/memory/3636-8-0x0000014E40620000-0x0000014E4064F000-memory.dmp	family_qakbot_v5
behavioral1/memory/3636-10-0x0000014E40620000-0x0000014E4064F000-memory.dmp	family_qakbot_v5
behavioral1/memory/3836-9-0x0000000180000000-0x000000018002F000-memory.dmp	family_qakbot_v5
behavioral1/memory/3636-21-0x0000014E40620000-0x0000014E4064F000-memory.dmp	family_qakbot_v5
behavioral1/memory/3636-22-0x0000014E40620000-0x0000014E4064F000-memory.dmp	family_qakbot_v5
behavioral1/memory/3636-23-0x0000014E40620000-0x0000014E4064F000-memory.dmp	family_qakbot_v5
behavioral1/memory/3636-24-0x0000014E40620000-0x0000014E4064F000-memory.dmp	family_qakbot_v5
behavioral1/memory/3636-25-0x0000014E40620000-0x0000014E4064F000-memory.dmp	family_qakbot_v5
behavioral1/memory/3636-26-0x0000014E40620000-0x0000014E4064F000-memory.dmp	family_qakbot_v5
behavioral1/memory/3636-35-0x0000014E40620000-0x0000014E4064F000-memory.dmp	family_qakbot_v5
behavioral1/memory/3636-36-0x0000014E40620000-0x0000014E4064F000-memory.dmp	family_qakbot_v5
behavioral1/memory/3636-37-0x0000014E40620000-0x0000014E4064F000-memory.dmp	family_qakbot_v5
behavioral1/memory/3636-38-0x0000014E40620000-0x0000014E4064F000-memory.dmp	family_qakbot_v5
behavioral1/memory/3636-40-0x0000014E40620000-0x0000014E4064F000-memory.dmp	family_qakbot_v5
behavioral1/memory/3636-42-0x0000014E40620000-0x0000014E4064F000-memory.dmp	family_qakbot_v5
behavioral1/memory/3636-43-0x0000014E40620000-0x0000014E4064F000-memory.dmp	family_qakbot_v5
behavioral1/memory/3636-45-0x0000014E40620000-0x0000014E4064F000-memory.dmp	family_qakbot_v5
behavioral1/memory/3636-47-0x0000014E40620000-0x0000014E4064F000-memory.dmp	family_qakbot_v5
behavioral1/memory/3636-49-0x0000014E40620000-0x0000014E4064F000-memory.dmp	family_qakbot_v5
behavioral1/memory/3636-50-0x0000014E40620000-0x0000014E4064F000-memory.dmp	family_qakbot_v5
behavioral1/memory/3636-51-0x0000014E40620000-0x0000014E4064F000-memory.dmp	family_qakbot_v5
behavioral1/memory/3636-53-0x0000014E40620000-0x0000014E4064F000-memory.dmp	family_qakbot_v5
behavioral1/memory/3636-55-0x0000014E40620000-0x0000014E4064F000-memory.dmp	family_qakbot_v5
behavioral1/memory/3636-56-0x0000014E40620000-0x0000014E4064F000-memory.dmp	family_qakbot_v5
behavioral1/memory/3636-57-0x0000014E40620000-0x0000014E4064F000-memory.dmp	family_qakbot_v5
behavioral1/memory/3636-59-0x0000014E40620000-0x0000014E4064F000-memory.dmp	family_qakbot_v5
behavioral1/memory/3636-61-0x0000014E40620000-0x0000014E4064F000-memory.dmp	family_qakbot_v5
behavioral1/memory/3636-63-0x0000014E40620000-0x0000014E4064F000-memory.dmp	family_qakbot_v5
behavioral1/memory/3636-65-0x0000014E40620000-0x0000014E4064F000-memory.dmp	family_qakbot_v5
behavioral1/memory/3636-66-0x0000014E40620000-0x0000014E4064F000-memory.dmp	family_qakbot_v5
behavioral1/memory/3636-68-0x0000014E40620000-0x0000014E4064F000-memory.dmp	family_qakbot_v5
behavioral1/memory/3636-70-0x0000014E40620000-0x0000014E4064F000-memory.dmp	family_qakbot_v5
behavioral1/memory/3636-72-0x0000014E40620000-0x0000014E4064F000-memory.dmp	family_qakbot_v5
behavioral1/memory/3636-73-0x0000014E40620000-0x0000014E4064F000-memory.dmp	family_qakbot_v5
behavioral1/memory/3636-74-0x0000014E40620000-0x0000014E4064F000-memory.dmp	family_qakbot_v5
behavioral1/memory/3636-77-0x0000014E40620000-0x0000014E4064F000-memory.dmp	family_qakbot_v5
behavioral1/memory/3636-76-0x0000014E40620000-0x0000014E4064F000-memory.dmp	family_qakbot_v5
behavioral1/memory/3636-80-0x0000014E40620000-0x0000014E4064F000-memory.dmp	family_qakbot_v5
behavioral1/memory/3636-82-0x0000014E40620000-0x0000014E4064F000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3736	ipconfig.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\5db1c42a = 65717bf603653447079f593b900623472aa3f4c4f5fa1dc25156467ed986efbcbfab67b6e0938f80b9bdb658922c9a2db5333a28f27a9e09361aab1ab1693d49647fcecbf41c94cc3528b99ee4da4febd2aeb27f442fc540308f0cb4c8b5b06265	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\bb88bd57 = e7c37bce68ee679ac7663e71179c56b354f1dee526525726dd19a58276289d6fe931ebdf1d8d606007aaddc57abd91a51b0f7d7918aba67eecf13f01e403a983ea212452a27954a4c2578a59b8d82588bc	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\5db1c42a = 8716e3f16b96a51045dbd2a26d7af893812edd615bda81e409a81fe81cc6d8371a56b9d978c621cc205c8ea8b49c0215958d96fb24aa98bf93dc8563845913df1784eea1b5273b02d57348e941745216e7e8c5f88dee7f88ddb767c84a5cfc3e17	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\2a48a19f = 66af803e7e17e6f39fc6f9f6b8ec83e594a4ee17a5656650abacaa6befe2ccc2d92e4298dfa73da82937ee23580f75a80837ebd0077c8dc2b7721d298d8c3336d4b4907a376d0f4facc9aacf41dfb5ad39	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\a4c7a67c = e77022c9f6f1b3b0bab4220b51b75be1e2f14d25abeefe12157ca8a6893854de07bd94ac88c30a016ca6ca8279c9ee8a7081182ef96b7ef69a927ffce04bbcb9ca	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\a4c7a67c = 07ef1a8e1d6263613f98adf2b259919c1cece86f704f06249e4152f82a10580b2682e62e0f7de93c1ab18ae6ee2a9fe96b4dd4fbdcd2170b4dd6d8843cc8b4fea9	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\42fedf01 = 85a2209428af0a8fa4bf1faf64d7bf21c96a79ff6b1aa978a2b99a46d4c648971db0dba8e18ac6257f2fd48bd6c303fa48c0811b711d9191b4574ac06f7df489454a36eb218e2c4ee2d6141d5dee920a93	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\bb88bd57 = c745e0a860777ae9b588a918c7c7068371e54401802d074f53fdbb257f9435fb3223b49edd33544eeaee128085cacc649930f847461093c4a7ca2c77a544d796ddb273a31f4ec86645620d3747a61d9ec1	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\bb88bd57 = 258efc331856ea99172fa890c4d905db32dec69ec9bb5799c3ca0d365e27d8d0c137f903b985e0b99dd78cf71378dce25f6625a5f62ee10777f448069085be57c2e56ce2f012ec554298c51c7f482af7d4	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\a4c7a67c = e46dc78db89e76db02d8820befa592ce555ab96a554e63e9cb57dcffde86ead0d2afab55497db20cb71c02ad325a56b801a9fba235a56ba0886f3947a142eb4884	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\2a48a19f = a43bce5d4ad5fd608fa34f5267ce50f1c9f35cd9513ed94442708d8a306e9d9fb54a6bc853b10a4d51e32be0582ad6c203c00b37c7be496eaefd5612314de1a04d6e96b6cc7527b42a6cc93e138a5876eb	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\a4c7a67c = 46da6f7bf058d448e62ba014e7b75eb5ca3f2571c86a0a5cda9b9b6b0701db3d34f1cdedc9a45886efedcee20894fdba0634767c9579896e6e38dbd0e6dfe3e5c7	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\bb88bd57 = a5a741ae2512d26384cf55688c29962a2e8ea955c55f73c2cce9c915502ad54faf254773b73e73557aa79b72686f6a98c3a3631eb7e90e4f94b63170a36459a86826f5b5931f2e5a89cf81b610769373d8	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\2a48a19f = 87dc8d544a207c55497c9819d9c85aa7e47d946f8de3877194b75d9b61f2eb6f0a7a34e03de374918169b77b0812c2eeeceaef4e0a7e7ad05e29a7de1b89c4fcb13d8f51598b652257bb0874f158ffe420	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\42fedf01 = 4514fde8e3c69db1c4afb7782b431895dd2c1c4407c06ebdbc97cc800a3e259a040fe5cc108a284be236d91c3e7f1a6c989ae9a08474ccca08c96a8e65347f45ab69ec6de84f987b1acfa712644e599572	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\5db1c42a = 662931e1901008d2d20db7426ee3a02ef42e4a090f908581d0b9a7f486952f4b0867ef277c3a678e31763c26c8b3e18cc8e2ebd4dfbd64c646b76b561fb9ff19ba32f95a66568bd054179f95ce503d8d6eec84016885639bbfbcdf13f655d9ae17	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\bb88bd57 = 844778d7bf10478c5674bcbf8c556826bbdacaf369c8804e165af925d2318279f6e465754d5f6392997226d3b0ef8ac5c379baceb51e5c6829671c774b8a7889aab668ac0e4883c137b9f09165b8f618f4	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\bb88bd57 = a60cbb347e7bf6803cecfaf93fdcce13f8d22e081a66038aa64d21c0a734fa56c6be7210f682485ec2b1ad88cac18ae071487a28a06333acc62d2a0d44a3e46bf1f092069c82b3e0b0fdba42eb5906d963	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\42fedf01 = 44ce0613e25e3fe17437eddc91ec56bd5134ead6515896d10acddee75b16f2985e501fbf15c9b5d0a11fce94debe5add250fc844375686bd17d688bd496b6acc33959d9681bd1900c0f679eeb402a49261	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\42fedf01 = 07fb2aa36c49985afb0988db7aa48d1e92fa1ff49e1989f7dbfb8f19ffb81b67922ded5dcac2d2a2f199a78c13a7dd5debdf10fe99757a3c5c263c45d88cf3b57b99d872740b735309d850c792bc559f08	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\a4c7a67c = e7d011b7504f761a0daf5b35b406c3735c369af091da2fb15bb72d14ae6f03229be69d43fd86d398395c49f4a9f67bc26c9da430cc4a80e731c63720654a4b9413	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\2a48a19f = a7d60dd45f629ede2eac876303c2b36e2664b27adf5ae00598743d3e886b735764ffe5ae83f07706cb8c40e313aa53b50868d95406f71a24ae417b171c13a7d849fa32d02ded2c1ffbdc76878fa4c19b94	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\2a48a19f = a723469a13e437368f3ef54e15313db3b930f198ded61982e9eaaff75f1629d3c947e40aba4b6f68c5733e26bb2c10236ab5cd158803d8c131f943ce5fc8911a221490a76c33a494d84ea9625b82819d17	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\5db1c42a = 0771a624b94530379da213c002bbfde5f03f26cc79fd334f4e73adb859911e4d32960934501294c0d41510dadb984c91af77c20a36cf08411764901596e0bd8a1c79c1f754d4a6c6ce2124554fe58cb8379b8ec8c6b7d94fdb74f3ed28ae94cbaa	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\5db1c42a = c5fc341c34e516d39ba30b4525ded690fba584d0e0817355319a5200cb8e7d23cc02e02fc9b23fa5120ca55912a967545ec7c91de2afcd91c360820bebce7444c0fdea91380a69138444770de0242b744011b8051703d7b8a173160eb69f0bf395	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\2a48a19f = 454d943b8da1cacff58317de8435f4201b3c6b4e960c1dcffd9d66b6070c726ba7f50cdb45e20046b33a2ec43377d022ba7912b41464315962c20c3bdb8463ee395d12b6e81356742bf8d5a26545ec165e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\5db1c42a = 065d66ba13799b59698c0c9a5fc8730ce21f69792d96cfd019904cba5b81fcf87b5d2d6fd059a24b096929b9268c0d29df97cc521ea293d8477838aefec227c20b8a0251003ca170a11333f68ad7f8b53f9764fbf8d3870ed78201c67d60284305	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\42fedf01 = 0736913c506a41ba2118d823079d0d6027ae3369f49d43e003714fca6d7e4a32d3366ca3b8bfcc28cfd281669f40474842c3d16ab6c89fc1680fe55fc1208dced74cf8df36e32ca18e73aed78d743f5e1b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\a4c7a67c = 8548c8da7c30f494592cc3d57ea568ee09507289aa99ac97ff9502c47b5b081477c3ca0d2ef4b2c26ca841f1637590b703ef868af0f01c43f0caab4dbed014097f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\a4c7a67c = 67d3a416844a3fe85f2c7bce67b73d123176245690cd22f1a61bf8b3f783579aab0ec5c1c84c8c6d793a26a1f0b06a972273d95fae4391ee8f50ba0f3c06ca59f1	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\5db1c42a = a7435870321daceaa9d29a080e33f1ac643854e1ae6a8a8232ab53a67c0b51b2c3ada2475a9f011be1eace20e2a1ff6d82ddef28f10c1f4c655f7a373a553cfdbcaf0be405cfdb73cd9c1de1346d9b4eb8f0d2a8d9dbbc5c678df88b4023d80f91	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\2a48a19f = 2575b89b9d4b1ad986ae873850eb44bb82433ae050c9a68b6fda0de912b7ae081a93da007d189c3c5ca15bc8d149f1ecd5b7421beaa724aeb218fc308eb08a6a20b85771865bbe8c02ae14e38104041153	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\5db1c42a = a7605f5c93d8b6947141192e20d8964ef0a2ba804fac4069427e8c39cda00fff2becdf2a2e7a004679f9b836a4e8e623554d1ab5ce7cdb1ed4f605576c50c8dc82813d60fad838e195103f187b781c3a2a9b75b29e5e1163d586147bd3959ed1fd	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\a4c7a67c = 8450bd7b6ed068a4f5d373f79ced3c37fd6c6887b40a4cdec358100544a0e0b427064bde15e8c5841e7002be073d6ed6c7067892a45649f14ae808fefc9b06c8d5	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\2a48a19f = a6c11354da6643527705bc14b8264fd27dc6c684563f105c4d321064e63bb45f7b3fa89bbd4488d01d74eb1c4cfd307327629fa5c2a6f5f7f7c227b047daf290e834d40e1f45ce40af6d2f8653edadb8d3	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\5db1c42a = 85ad282083d353241b6bde61268796f2366a800cab431acbba4c31a256e44e98d75b15907e35f36519051fa9ab038524341755679a46fce395b53d6278e60c91188cc50055d9cee64a7afa4717920469ff68121c99282e004edeae18ad4b32c9e8	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\bb88bd57 = e76b525fe3794fe6df9287e531c79b5915a21fc0604cc8a9357d434a8df40c4c407e112797a3a408d5f34515a95f54a560d9396c000cd8e5c24f799ee292be736d75d3d4a98446b8f3ab2c3bf851ff0d30	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\42fedf01 = a69bbf6716356686012a32a46cf269acbfaa70ecd5281acad834bf5510ea9eadc551f9f97a0dbb69db708d02d50345ec750f159e1b2428224854d8dcd9ca5428427ec07f8a0ce641a5828843745b770f2f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\bb88bd57 = 64a4fa5f3449ac8dfe1d6982d3d80556f0ce7c451d838a56177076cc1234dc9de759b77719fc5cb6d3e9f93ca9e085b2fedca9ddedeb8b0640657302b4becd2224b1d9810ebe1c6f5370a195eb3d031d17	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\5db1c42a = c43f7f3477e7fe85b8f005d77b48ed565e558ee509c7a0f5be61b20a7367e5158c3a4d19c0cc1f0d56ca0067b84621c59a6e3a2e25316c5dd96bb272e5b89792e0d599eac18e658c326e0791dcc55b35a78cc943eb9fd447994261d73a7c328b4a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\5db1c42a = 854d74568ae4ad903d807b6fd7e5768d492cd80bda7e1ff163a73c3c5cf7116e1a2074e9d882ab296e996d2aedf1693d77b04c85b608f836ebb1ba2f44d213daba714ac2e9789b1164089bb824e30d7ade568f1c3b9542c5a25e9c0bd48221640f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\5db1c42a = 24507a6a8fede8d23780bb627525a8ab9d6903290d14644fc7fbb7a0fe7d81bf058e8696a93d95a34a64062d13da35a2e26cf9cbf24eeffc6cfb7d304841f2b0fd88f02b6d51af80bd13f0f7b72271ea48d4e8db33912cfcf08943ad7b5cc1e96b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\bb88bd57 = 2460f5d38c797e213de07ff805a30c40dbb6cbe4fc6b6c6f3b5dd63170c20ae58eb26c694b90c119484d9cdff0b58e23b06ff811349b80e9e8a1ffa28d4bca7c4fd13398430c76e1b0f910d2ef5cda82d6	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\42fedf01 = e6467e9000dffe69da5d4fc2d2365621d002d962c1911da44aab9e09a291db4bba14a368cd49ca5a2a785e2dceac5ab9af6ddcdf3bbf508921ddc0414999e02027b34de84d6e6b1eaf48307f4047da4881	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\a4c7a67c = 25d0e060c05e509038e42cdca9305f5217422eb752e4f66f6b909597a741a19893c43de7798713e16a734cfbe41d0c1bd1e05a1b0897d3defa228be29b7dfcae38	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\2a48a19f = 64d62f7586976109e5602e3a036dcc56929619b978209a008de884d0b7951898f7e5f6620f2f98b7dae5eaa577d60b2e76a05a0ca0fdb09b34f6309f0958d37caffef010aaaf4ce3578cf33ff273383b63	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\5db1c42a = 041d2565f1f8f0a3496367409b2e002ea09339db9963a4ba90732719bc66fa10f51611a26469cd61338a8908693a15819aaec2c853dc763f9be5a0bcd4ea8439c06a1bc2e19e4cc4a5a6d4e3df8f3bb060fdd9ad451223ca8821d9800ffe76f161	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\5db1c42a = e5b51fa234881287a08522df7ea4818472bb74beea8626fbc8a8ee1876f4d3ea86a5e9e679e2f620913450e45583b39b926e4ca6ee66ecf37fa27d2875d3e7d7658cdfe2c029f8615e26c243a26844e2c7782ae492016e860a5f2f96709a665344	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\2a48a19f = 66e12627cdb53b2443db779704aa2f59a8f0f4c5b7b769ea6555a263e81e4535974f839aa800278314f13025801ca4d827062abe0b3de91f3f0cf7e406298c89754720236e0f4802355612cbafe31cd950	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\5db1c42a = 070c6eee9d6c151a25e3b04d8569d3c515a258e89e782054d31b938d8d8e891e50765c864686ee57fd938e7c6a8ef93c75f124524cfc2eb546734d2c193e783b9e67857b057d516b3b0536478087b0773858eb9ce0cfe7c6c2ad559f57a9c2fc79	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\5db1c42a = 87fff22736c96186de0215da140923f6a5febcf8f2bdc2f428ecaec861346bcbcec22ee7f632f75fbe4936ddc941aaa60de087a2056528ab03b1c839ff38b626e97458f62a06f02fa43ed311d50ba467adebc6893a7ca3f0fe5ed8ba02f38ad885	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\2a48a19f = 649384ac0a255e5bed878cceb2837bab797a632dacc69aa57ee14bf438fae67b3b1ca5b4de4e67dd77066ca46133accbb395dadd1003c2a99af5c0e9400a8f9e2127a093de437dfc24502eee993592a51d	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\5db1c42a = 45e09a80dd3e9daa60b170d79c9eed274cb2776637ea5ba7e19b45e760457ac94bc67a2474ef86119d9d53b698855b1c3c5618929732508565e9bf672f029e88dac78f635ddc58f6ab4b74ef7c0af673859ff4f6ddde2d3fcce94a933a0c9ee619	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\5db1c42a = 0468490a7da8dc3f080328f844a166a0fc41f4060be96c2250966e330a5550d2d4fae0320ac551eb360ab52bdf4dcd493289937f858d566dc993162a4f80c668689bfcdd4a1a90663f892aa83627fc83df4f566c7f37b0c9a8af0823b53a0d500c	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\bb88bd57 = c51f36cc136bf73199612c87989e8b7b689b88435563c0c93beaefda93d5198ea5b128ebd17a1a1af7df28401a3c0aa98a7a198cdc7ab2df6c82d570856f90e8b1ee763759523408b86a47c87f5022e657	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\2a48a19f = 467d2d78ab4ef895345da1e533fc75d0badf030538ba7c3efe105c8063bbb047c4a5d48146f8a788b44079e436f01aa25be89a2d5f7c6a83643412cda61776c56a75d37f374d1538e28888e0aa49379d2e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\bb88bd57 = 4699b1b887e40e70e659af7401b7df3990f55e53cd73a85b0cfffa94a135ce7f369ac866366e637b111b28696e56a9d6dc3cfbf30346e248b40ee624ee6e3c9ed7be8a3ca4b1f41b4c91b5d925434c1fe2	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\5db1c42a = a784bf9630982beddcd6895a121cf6c3b07b6ee66fa814d84510ea5bf613e2d6b5ce1aba4dd75d19f7de8ea48bcd116f3177c8a80d14b3a22031b20b8ef560bb16defeb37a21a0b9282e0626a85c7fb0d4c75be694a67de94002563cf2a81310ee	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\5db1c42a = 844278c8c643c11813b4a9c1f645b900fea64d63839082592cdaea9aec5cdeea987b88c5fd4cfeea731675e04696b96a71081007e109281a26f90f0d75ec7af65b82ce6d8e114859c4faba095a6f67fcc7c523d7b3619e5d14d7af4a59a3166de5	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\2a48a19f = 66abf45a1ab749ab5a572a7305792e2cb14cc625f1b2f63d73370fc01624d042c49036a350c5b7882446e42781218fe1df6f6f1b6ec6b539b5011848ac22fceed52a883ccd65ece20a55cad83ad5de630d	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\2a48a19f = 454c7b41c979361e301ae7ecb62796fce7b35966c13446103cfbc198f3b1ad5a4e8b04ee0847c88f33b969e60eacc3084287f88d21ce1d32cc3e9e2874e7e709d4986fd505ac52abd02ff76abe1399f497	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\5db1c42a = c5b408808edaf4520701d2bc0050331e77442fc26a419d442c705172304bc63046423da20e969a24543595b4f27c31e5f0cf4bed9061287a4045c12381e02a5477f7cab8c1c334512928f4c47376d174b98d9eb077028913cad44c2bc13a9d7f23	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\2a48a19f = 471f5fe7762b3d6991f5e9f985bf202f3b44de01c6c7c2eca585e5a0055ff67afef94cef25b047f0fe933cc7541eeb57ee78b0401c2b47457148b300d734cb57a9871f75d46f2bce631f82750570407ca8	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\zvqoaguobbo\2a48a19f = 0450e772add578ed0f98e3b9491c598018d82ec05c0355900c364047abc1fa92e324bcec967ef4cfe1cf2d4e119b584dade073c28fefdf2063c2e9bbaccd0a00c2eabca5ec9fbee8eafe512939f218b1c3	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3836	rundll32.exe
3836	rundll32.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe
3636	wermgr.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	3188	whoami.exe
Token: SeDebugPrivilege	3188	whoami.exe
Token: SeDebugPrivilege	3188	whoami.exe
Token: SeDebugPrivilege	3188	whoami.exe
Token: SeDebugPrivilege	3188	whoami.exe
Token: SeDebugPrivilege	3188	whoami.exe
Token: SeDebugPrivilege	3188	whoami.exe
Token: SeDebugPrivilege	3188	whoami.exe
Token: SeDebugPrivilege	3188	whoami.exe
Token: SeDebugPrivilege	3188	whoami.exe
Token: SeDebugPrivilege	3188	whoami.exe
Token: SeDebugPrivilege	3188	whoami.exe
Token: SeDebugPrivilege	3188	whoami.exe
Token: SeDebugPrivilege	3188	whoami.exe
Token: SeDebugPrivilege	3188	whoami.exe
Token: SeDebugPrivilege	3188	whoami.exe
Token: SeDebugPrivilege	3188	whoami.exe
Token: SeDebugPrivilege	3188	whoami.exe
Token: SeDebugPrivilege	3188	whoami.exe
Token: SeDebugPrivilege	3188	whoami.exe
Token: SeDebugPrivilege	3188	whoami.exe
Token: SeDebugPrivilege	3188	whoami.exe
Token: SeDebugPrivilege	3188	whoami.exe
Token: SeDebugPrivilege	3188	whoami.exe
Token: SeDebugPrivilege	3188	whoami.exe
Token: SeDebugPrivilege	3188	whoami.exe
Token: SeDebugPrivilege	3188	whoami.exe
Token: SeSecurityPrivilege	4152	msiexec.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3836 wrote to memory of 3636	3836	rundll32.exe	73
PID 3836 wrote to memory of 3636	3836	rundll32.exe	73
PID 3836 wrote to memory of 3636	3836	rundll32.exe	73
PID 3836 wrote to memory of 3636	3836	rundll32.exe	73
PID 3836 wrote to memory of 3636	3836	rundll32.exe	73
PID 3636 wrote to memory of 3736	3636	wermgr.exe	75
PID 3636 wrote to memory of 3736	3636	wermgr.exe	75
PID 3636 wrote to memory of 3188	3636	wermgr.exe	77
PID 3636 wrote to memory of 3188	3636	wermgr.exe	77
PID 3636 wrote to memory of 4204	3636	wermgr.exe	79
PID 3636 wrote to memory of 4204	3636	wermgr.exe	79
PID 3636 wrote to memory of 5072	3636	wermgr.exe	81
PID 3636 wrote to memory of 5072	3636	wermgr.exe	81

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\userapi.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3836
- C:\Windows\System32\wermgr.exe
  C:\Windows\System32\wermgr.exe
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3636
- - C:\Windows\System32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:3736
- - C:\Windows\System32\whoami.exe
    whoami /all
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3188
- - C:\Windows\System32\nltest.exe
    nltest /domain_trusts /all_trusts
    3⤵
    PID:4204
- - C:\Windows\System32\qwinsta.exe
    qwinsta
    3⤵
    PID:5072

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3636-47-0x0000014E40620000-0x0000014E4064F000-memory.dmp

Filesize
188KB

Download
memory/3636-23-0x0000014E40620000-0x0000014E4064F000-memory.dmp

Filesize
188KB

Download
memory/3636-51-0x0000014E40620000-0x0000014E4064F000-memory.dmp

Filesize
188KB

Download
memory/3636-10-0x0000014E40620000-0x0000014E4064F000-memory.dmp

Filesize
188KB

Download
memory/3636-1-0x0000014E40620000-0x0000014E4064F000-memory.dmp

Filesize
188KB

Download
memory/3636-21-0x0000014E40620000-0x0000014E4064F000-memory.dmp

Filesize
188KB

Download
memory/3636-22-0x0000014E40620000-0x0000014E4064F000-memory.dmp

Filesize
188KB

Download
memory/3636-50-0x0000014E40620000-0x0000014E4064F000-memory.dmp

Filesize
188KB

Download
memory/3636-24-0x0000014E40620000-0x0000014E4064F000-memory.dmp

Filesize
188KB

Download
memory/3636-25-0x0000014E40620000-0x0000014E4064F000-memory.dmp

Filesize
188KB

Download
memory/3636-26-0x0000014E40620000-0x0000014E4064F000-memory.dmp

Filesize
188KB

Download
memory/3636-35-0x0000014E40620000-0x0000014E4064F000-memory.dmp

Filesize
188KB

Download
memory/3636-49-0x0000014E40620000-0x0000014E4064F000-memory.dmp

Filesize
188KB

Download
memory/3636-37-0x0000014E40620000-0x0000014E4064F000-memory.dmp

Filesize
188KB

Download
memory/3636-38-0x0000014E40620000-0x0000014E4064F000-memory.dmp

Filesize
188KB

Download
memory/3636-40-0x0000014E40620000-0x0000014E4064F000-memory.dmp

Filesize
188KB

Download
memory/3636-42-0x0000014E40620000-0x0000014E4064F000-memory.dmp

Filesize
188KB

Download
memory/3636-43-0x0000014E40620000-0x0000014E4064F000-memory.dmp

Filesize
188KB

Download
memory/3636-45-0x0000014E40620000-0x0000014E4064F000-memory.dmp

Filesize
188KB

Download
memory/3636-0-0x0000014E40650000-0x0000014E40652000-memory.dmp

Filesize
8KB

Download
memory/3636-36-0x0000014E40620000-0x0000014E4064F000-memory.dmp

Filesize
188KB

Download
memory/3636-7-0x0000014E40620000-0x0000014E4064F000-memory.dmp

Filesize
188KB

Download
memory/3636-8-0x0000014E40620000-0x0000014E4064F000-memory.dmp

Filesize
188KB

Download
memory/3636-53-0x0000014E40620000-0x0000014E4064F000-memory.dmp

Filesize
188KB

Download
memory/3636-55-0x0000014E40620000-0x0000014E4064F000-memory.dmp

Filesize
188KB

Download
memory/3636-56-0x0000014E40620000-0x0000014E4064F000-memory.dmp

Filesize
188KB

Download
memory/3636-57-0x0000014E40620000-0x0000014E4064F000-memory.dmp

Filesize
188KB

Download
memory/3636-59-0x0000014E40620000-0x0000014E4064F000-memory.dmp

Filesize
188KB

Download
memory/3636-61-0x0000014E40620000-0x0000014E4064F000-memory.dmp

Filesize
188KB

Download
memory/3636-63-0x0000014E40620000-0x0000014E4064F000-memory.dmp

Filesize
188KB

Download
memory/3636-65-0x0000014E40620000-0x0000014E4064F000-memory.dmp

Filesize
188KB

Download
memory/3636-66-0x0000014E40620000-0x0000014E4064F000-memory.dmp

Filesize
188KB

Download
memory/3636-68-0x0000014E40620000-0x0000014E4064F000-memory.dmp

Filesize
188KB

Download
memory/3636-70-0x0000014E40620000-0x0000014E4064F000-memory.dmp

Filesize
188KB

Download
memory/3636-72-0x0000014E40620000-0x0000014E4064F000-memory.dmp

Filesize
188KB

Download
memory/3636-73-0x0000014E40620000-0x0000014E4064F000-memory.dmp

Filesize
188KB

Download
memory/3636-74-0x0000014E40620000-0x0000014E4064F000-memory.dmp

Filesize
188KB

Download
memory/3636-77-0x0000014E40620000-0x0000014E4064F000-memory.dmp

Filesize
188KB

Download
memory/3636-76-0x0000014E40620000-0x0000014E4064F000-memory.dmp

Filesize
188KB

Download
memory/3636-80-0x0000014E40620000-0x0000014E4064F000-memory.dmp

Filesize
188KB

Download
memory/3636-82-0x0000014E40620000-0x0000014E4064F000-memory.dmp

Filesize
188KB

Download
memory/3836-9-0x0000000180000000-0x000000018002F000-memory.dmp

Filesize
188KB

Download