Analysis
max time kernel: 1199s
max time network: 1195s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 26-04-2024 01:39
Static task: static1 (1 signatures)
Behavioral task: behavioral1; sample Run-Malware-1.bat; resource win10-20240404-en; 8 signatures; 1200 seconds
Behavioral task: behavioral2; sample Run-Malware-1.bat; resource win10v2004-20240412-en; 8 signatures; 1200 seconds
General
Target: Run-Malware-1.bat
Size: 64B
MD5: 4a5c0851841d5f1927ba79b7307a77f8
SHA1: 624765f7ddb16d57ba10b053d06c720d304c484a
SHA256: 0e4e4ad7098ea7deb02d5ffaa3e08c89e44fa7083caef8e7ddcf13fada1e2f9d
SHA512: 64773939e5545c896a82fbe1629e7eaa5592b1b99e28aacc28666f073b48c743376dd3a1be6d9cba70f9bf19cff72e5c77869def524bde4bf050c593d9ef3016
Malware Config
Extracted
Family: qakbot
Botnet: tchk08
Campaign: 1710958492
C2: 77.105.162.176:995, 31.210.173.10:443, 5.252.177.195:443
Attributes: camp_date 2024-03-20 18:14:52 +0000 UTC
Signatures
Detect Qakbot Payload: 56 IoCs (yara_rule family_qakbot_v5 matches on process memory dumps)
Delays execution with timeout.exe: 1 IoC (pid 4788, timeout.exe)
Gathers network information: 2 TTPs, 1 IoC
Uses command-line utility to view network configuration (pid 3712, ipconfig.exe).
Modifies registry class: 64 IoCs (wermgr.exe sets values under \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\vpieaknxxq)
Suspicious behavior: EnumeratesProcesses: 64 IoCs (pid 4564 rundll32.exe; pid 1904 wermgr.exe)
Suspicious use of AdjustPrivilegeToken: 28 IoCs (Token: SeDebugPrivilege, pid 4396 whoami.exe; Token: SeSecurityPrivilege, pid 4372 msiexec.exe)
Suspicious use of WriteProcessMemory: 20 IoCs
PID 1540 cmd.exe wrote to memory of 4564 (procid_target 73)
PID 4564 rundll32.exe wrote to memory of 1904 (procid_target 74)
PID 1540 cmd.exe wrote to memory of 4788 (procid_target 75)
PID 1540 cmd.exe wrote to memory of 3616 (procid_target 76)
PID 1904 wermgr.exe wrote to memory of 3712 (procid_target 78)
PID 1904 wermgr.exe wrote to memory of 4396 (procid_target 80)
PID 1904 wermgr.exe wrote to memory of 1824 (procid_target 82)
PID 1904 wermgr.exe wrote to memory of 1516 (procid_target 84)
Processes
C:\Windows\system32\cmd.exe (PID:1540), command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Run-Malware-1.bat"
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\rundll32.exe (PID:4564), command line: rundll32.exe 02.dll,checkit
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\wermgr.exe (PID:1904), command line: C:\Windows\System32\wermgr.exe
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\ipconfig.exe (PID:3712), command line: ipconfig /all
        - Gathers network information
      C:\Windows\System32\whoami.exe (PID:4396), command line: whoami /all
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\System32\nltest.exe (PID:1824), command line: nltest /domain_trusts /all_trusts
      C:\Windows\System32\qwinsta.exe (PID:1516), command line: qwinsta
  C:\Windows\system32\timeout.exe (PID:4788), command line: timeout /t 10
    - Delays execution with timeout.exe
  C:\Users\Admin\AppData\Local\Temp\qd_x86.exe (PID:3616), command line: qd_x86.exe -i
C:\Windows\system32\msiexec.exe (PID:4372), command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken