Resubmissions
16-05-2024 06:08
240516-gv9n7sff28 (score 10)
Analysis
max time kernel: 150s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 16-05-2024 06:08
General
Target: a40000.dll
Size: 408KB
MD5: 45234504c9fc489cb71be23f1ffeed73
SHA1: e51e28ac648917523c51d9b5a4a1641a3b1202c6
SHA256: b991ef2d58b3246bf5f313e2be71ea961fae1376ec88435173f7fb15a48b6fe2
SHA512: 868458dee62fdb69bb5e396251a26091b71490ee7ca04b3d0342a18455f7a7e29d9981b024ce48fedbe85494374a40ed601e53bef9a615e4c8f3304c56655297
SSDEEP: 12288:SWutt3oBwRkzp8e2gTQTLZMJpkrLThkr6S:SjtfuzQkCThkr6
Malware Config
Extracted
Family: qakbot
Version: 403.532
Botnet: tr
Campaign: 1645451836
C2:
190.206.211.182:443
31.35.28.29:443
105.186.167.230:995
72.252.201.34:990
40.134.247.125:995
186.64.87.194:443
2.50.41.69:61200
217.164.119.29:2222
161.142.53.137:443
74.15.2.252:2222
149.135.101.20:443
92.177.45.46:2078
190.73.3.148:2222
81.213.206.182:443
180.233.150.134:995
217.164.115.166:2222
144.202.2.175:443
105.184.116.32:995
47.180.172.159:50010
96.21.251.127:2222
140.82.49.12:443
176.67.56.94:443
66.230.104.103:443
206.217.0.154:995
47.180.172.159:443
75.99.168.194:443
24.178.196.158:2222
173.220.98.101:443
71.74.12.34:443
116.74.71.73:443
89.86.33.217:443
78.96.235.245:443
103.139.242.30:990
188.50.250.205:995
217.165.146.122:32101
173.174.216.62:443
78.101.202.183:6883
190.189.33.6:32101
47.23.89.60:993
70.45.27.254:443
102.65.38.67:443
89.101.97.139:443
69.14.172.24:443
136.143.11.232:443
103.142.10.177:443
38.70.253.226:2222
217.128.171.34:2222
197.165.161.159:995
82.152.39.39:443
111.125.245.116:995
130.164.206.70:443
39.44.136.96:995
144.202.2.175:995
75.99.168.194:61201
105.155.218.181:443
75.156.151.34:443
197.167.10.103:995
217.128.122.65:2222
102.47.31.216:995
124.41.193.166:443
67.209.195.198:443
32.221.231.1:443
182.191.92.203:995
78.101.82.120:2222
120.150.218.241:995
84.241.8.23:32103
103.87.95.131:2222
197.167.10.103:993
180.183.99.37:2222
39.52.203.68:995
190.189.33.6:443
39.52.121.208:995
41.36.82.58:3389
118.161.10.126:995
70.57.207.83:443
120.61.3.58:443
128.106.123.43:443
136.232.34.70:443
118.161.10.126:443
217.164.119.29:1194
89.137.52.44:443
175.137.153.178:443
208.107.221.224:443
86.98.150.158:995
39.41.254.161:995
76.25.142.196:443
45.46.53.140:2222
173.21.10.71:2222
47.23.89.60:995
73.151.236.31:443
189.146.51.56:443
67.165.206.193:993
109.12.111.14:443
75.188.35.168:443
86.198.170.170:2222
41.84.229.145:995
31.215.206.13:443
80.6.192.58:443
80.191.52.137:61202
103.230.180.119:443
197.92.132.79:443
86.98.55.231:995
5.237.251.118:995
41.230.62.211:993
5.89.175.136:443
86.98.11.110:443
84.241.8.23:2083
139.64.34.193:995
41.232.210.78:443
209.210.95.228:32100
70.51.137.204:2222
100.1.108.246:443
46.176.197.48:995
39.49.80.188:995
73.30.132.246:443
72.252.201.34:995
196.203.37.215:80
114.79.148.170:443
103.17.101.139:995
78.180.172.122:995
41.84.234.250:443
203.99.177.128:443
37.211.189.48:61202
108.4.67.252:443
201.40.225.216:443
200.104.16.99:993
181.98.246.214:443
217.165.109.191:993
197.89.21.163:443
188.210.148.245:443
185.113.58.135:443
39.53.116.250:995
39.52.21.207:993
72.66.116.235:995
184.149.30.83:2222
41.228.22.180:443
45.9.20.200:443
24.231.158.110:995
24.152.219.253:995
96.246.158.154:995
86.108.123.52:443
107.171.241.236:2222
5.48.205.15:443
103.116.178.85:443
182.176.180.73:443
102.132.145.147:443
47.180.172.159:993
177.205.182.145:443
24.53.49.240:443
Attributes
salt: jHxastDcds)oMc=jvh7wdUhxcsdt2
Signatures
Windows security bypass 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Vujuzoecgo = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Ejyjl = "0" | reg.exe
Loads dropped DLL 1 IoCs
pid | Process
604 | regsvr32.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | UserOOBEBroker.exe
File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | UserOOBEBroker.exe
File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | UserOOBEBroker.exe
File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | UserOOBEBroker.exe
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4288 | schtasks.exe
Modifies Internet Explorer settings 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\Toolbar | explorer.exe
Modifies data under HKEY_USERS 10 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Ooapksyuucosox | explorer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Ooapksyuucosox\41ea1dc = ac4cfc5af78bdccb036b1a72307aef29d1fbe8ad4ca68192fde8de2ce0c17043bda033212e46d94dca561999c88c4a15c9ec11bd80a83f6c11c654d10494551fdeaf723a29854bffdbf9d067fa4de59fadc8523082d8957ec29f3007aba07a246a387bb705c589f816450fccaaf4609c7a59759baee01d532e16217482dded9669ff3945744be7 | explorer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Ooapksyuucosox\bee3e6c5 = ff5f452f4caf5b090a3321efa7c8a704dfdc6be9427d75a7c0c5aed5a79fd12fbcb718181a1f5fdaca2807a5e6c0d5ff5ad5a7d7079edcb446a9fc348cc5e4924a8d9903a74c7e47 | explorer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Ooapksyuucosox\c3eba94f = 71757a81aa2fc23207a23d6059f7bb735e035abaffb3c406d0efcd68497fbd5d1a4360624ffdd1842206c401ad1c450096 | explorer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Ooapksyuucosox\31817192 = b249ebd6174a975ea49396a63577a223a3d2d470508f9192ea089679523cf4407b38a991d2a553ec1f67f9a2973ee0fbb4963defa645e9e5e5cb31196d | explorer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Ooapksyuucosox\65f81a0 = 6ffea6e4a954f15313b3460874a0c0bf552453fa7ebd622a90a738741b0bce6b9fc61bf49d7dedc8b2cf57fe93db7ec976507bfb9d7f487c792fb629a2568c65b0bb7aa2752fdefc28404d6dfa | explorer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Ooapksyuucosox\7b57ce2a = 2ba12af477e7ebf0cb12824c377639116d47c0f563edb0cb07a03b14e4f79f0131335ac4ddb70705f434458677167e7ceaf1cd983646750a2339a60449fda5e8cf62ca75cfdfe295 | explorer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Ooapksyuucosox\bca2c6b9 = 71d79dd4a23e23be1cb5488264999132984509287e3e7b78d347035d0d3cbf08397e00adf88a73ecf59f946c7afc4b063ba854e28256488e052d1b7afaffa4c74b346229eab115107c25f6b0916cb793bc65e76f44e4e5db7aba47c6 | explorer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Ooapksyuucosox\4ec81e64 = 2add777123cd660d9454c88eaec6f332deabf04c9caec46d4fa50e84866948ec286add44906e9f8aea783a8963453d61ac5611 | explorer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Ooapksyuucosox\31817192 = b249fcd6174aa21e4f304fb95182dd92567dc71e447d45c67d1377e3c6de8c58fa6c1f29431b29584dfb30b91ad79d5cecb923b88f6c652a8e897ccdb1c207ba9b58c0fbee8506b36b30394fa2606361b2b5 | explorer.exe
Modifies registry class 6 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings | control.exe
Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1096 | regsvr32.exe (2 entries)
2772 | explorer.exe (remaining 62 entries)
Suspicious behavior: MapViewOfSection 2 IoCs
pid | Process
1096 | regsvr32.exe
604 | regsvr32.exe
Suspicious use of AdjustPrivilegeToken 5 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 3996 | control.exe
Token: SeCreatePagefilePrivilege | 3996 | control.exe
Token: SeDebugPrivilege | 3996 | taskmgr.exe
Token: SeSystemProfilePrivilege | 3996 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 3996 | taskmgr.exe
Suspicious use of FindShellTrayWindow 23 IoCs
pid | Process
3996 | taskmgr.exe (23 entries)
Suspicious use of SendNotifyMessage 23 IoCs
pid | Process
3996 | taskmgr.exe (23 entries)
Suspicious use of WriteProcessMemory 23 IoCs
description | pid | Process | procid_target
PID 1456 wrote to memory of 1096 | 1456 | regsvr32.exe | 80 (3 entries)
PID 1096 wrote to memory of 2772 | 1096 | regsvr32.exe | 82 (5 entries)
PID 2772 wrote to memory of 4288 | 2772 | explorer.exe | 85 (3 entries)
PID 2208 wrote to memory of 604 | 2208 | regsvr32.exe | 108 (3 entries)
PID 604 wrote to memory of 3600 | 604 | regsvr32.exe | 109 (5 entries)
PID 3600 wrote to memory of 4632 | 3600 | explorer.exe | 110 (2 entries)
PID 3600 wrote to memory of 2288 | 3600 | explorer.exe | 112 (2 entries)
Processes
[1] C:\Windows\system32\regsvr32.exe
    cmdline: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\a40000.dll
    PID: 1456
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\regsvr32.exe
        cmdline: /s C:\Users\Admin\AppData\Local\Temp\a40000.dll
        PID: 1096
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\explorer.exe
            cmdline: C:\Windows\SysWOW64\explorer.exe
            PID: 2772
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\schtasks.exe
                cmdline: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn rfjjabylaq /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\a40000.dll\"" /SC ONCE /Z /ST 06:11 /ET 06:23
                PID: 4288
                - Creates scheduled task(s)

[1] C:\Windows\system32\control.exe
    cmdline: "C:\Windows\system32\control.exe" SYSTEM
    PID: 3996
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\SysWOW64\DllHost.exe
    cmdline: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
    PID: 4536

[1] C:\Windows\explorer.exe
    cmdline: C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
    PID: 3308
    - Modifies Internet Explorer settings
    - Modifies registry class

[1] C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
    PID: 3324

[1] C:\Windows\System32\oobe\UserOOBEBroker.exe
    cmdline: C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
    PID: 712
    - Drops file in Windows directory

[1] C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
    cmdline: C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
    PID: 484

[1] C:\Windows\system32\regsvr32.exe
    cmdline: regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\a40000.dll"
    PID: 2208
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\regsvr32.exe
        cmdline: -s "C:\Users\Admin\AppData\Local\Temp\a40000.dll"
        PID: 604
        - Loads dropped DLL
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\explorer.exe
            cmdline: C:\Windows\SysWOW64\explorer.exe
            PID: 3600
            - Modifies data under HKEY_USERS
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\reg.exe
                cmdline: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Vujuzoecgo" /d "0"
                PID: 4632
                - Windows security bypass
            [4] C:\Windows\system32\reg.exe
                cmdline: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Ejyjl" /d "0"
                PID: 2288
                - Windows security bypass

[1] C:\Windows\system32\taskmgr.exe
    cmdline: "C:\Windows\system32\taskmgr.exe" /0
    PID: 3996
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15