qakbot | b293691f6cf941d9841b65a58f8b75b97e37da6752531bdcfba449ec7fe3128b

Analysis

max time kernel
143s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-08-2024 01:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c42e511e79fa6c3b2931080364522dfc_JaffaCakes118.vbs
Size

1.8MB
MD5

c42e511e79fa6c3b2931080364522dfc
SHA1

413fa44b48570a07420aa1511276bb4c72374cd7
SHA256

b293691f6cf941d9841b65a58f8b75b97e37da6752531bdcfba449ec7fe3128b
SHA512

d114ffc76a5c9de6bb02228fe84f76e78ebcfcbf28be9f3dd02cfb2f00dfbc38579cee379cfb7adb580b6a5eb54c7d6e37b4fa346fcfea3ab9dd9abecf2b0295
SSDEEP

49152:lP3fgyBTbzDjvjwSBLoZFVf4d6enfWoKFxCZqOoFBvQC6bztk2KSZxE2i:s

Score

10^/10

qakbot spx01 1567608215 banker discovery evasion persistence stealer trojan

Malware Config

Extracted

Family

qakbot

Version

323.79

Botnet

spx01

Campaign

1567608215

72.16.212.107:995

107.12.140.181:443

69.70.37.246:465

66.51.231.183:443

108.160.123.244:443

65.30.12.240:443

47.49.7.42:443

73.202.121.222:443

47.153.115.154:995

47.153.115.154:443

72.29.181.77:2083

104.3.91.20:995

190.144.81.158:995

186.7.117.189:443

50.247.230.33:443

216.221.88.160:443

67.246.16.250:995

107.180.70.163:443

70.169.2.228:21

72.36.14.160:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Qcyggyscuud = "0"	reg.exe

Executes dropped EXE 7 IoCs

Processes:

itUsiSHOi.exeitUsiSHOi.exeayoeiizp.exeayoeiizp.exeitUsiSHOi.exeayoeiizp.exeayoeiizp.exe

pid process

1748 itUsiSHOi.exe
3628 itUsiSHOi.exe
4236 ayoeiizp.exe
4436 ayoeiizp.exe
1712 itUsiSHOi.exe
2388 ayoeiizp.exe
4696 ayoeiizp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ljbwtveh = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Qcyggyscuud\\ayoeiizp.exe\""	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

itUsiSHOi.exeschtasks.exeayoeiizp.exeexplorer.exeitUsiSHOi.exeayoeiizp.exeayoeiizp.exeitUsiSHOi.exeayoeiizp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	itUsiSHOi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ayoeiizp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	itUsiSHOi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ayoeiizp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ayoeiizp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	itUsiSHOi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ayoeiizp.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exePING.EXE

pid process

4884 cmd.exe
2204 PING.EXE

pid	process
4884	cmd.exe
2204	PING.EXE

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

itUsiSHOi.exeayoeiizp.exeayoeiizp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	itUsiSHOi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	ayoeiizp.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	ayoeiizp.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	itUsiSHOi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	itUsiSHOi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	ayoeiizp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	ayoeiizp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	ayoeiizp.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	ayoeiizp.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	itUsiSHOi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	ayoeiizp.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	ayoeiizp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	ayoeiizp.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	ayoeiizp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	itUsiSHOi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	itUsiSHOi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	ayoeiizp.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	ayoeiizp.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

itUsiSHOi.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	itUsiSHOi.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	itUsiSHOi.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	itUsiSHOi.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	itUsiSHOi.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	itUsiSHOi.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2204 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

3772 schtasks.exe

pid	process
2204	PING.EXE

pid	process
3772	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

itUsiSHOi.exeitUsiSHOi.exeayoeiizp.exeayoeiizp.exeexplorer.exeitUsiSHOi.exeayoeiizp.exeayoeiizp.exe

pid	process
1748	itUsiSHOi.exe
1748	itUsiSHOi.exe
3628	itUsiSHOi.exe
3628	itUsiSHOi.exe
3628	itUsiSHOi.exe
3628	itUsiSHOi.exe
4236	ayoeiizp.exe
4236	ayoeiizp.exe
4436	ayoeiizp.exe
4436	ayoeiizp.exe
4436	ayoeiizp.exe
4436	ayoeiizp.exe
3620	explorer.exe
3620	explorer.exe
3620	explorer.exe
3620	explorer.exe
1712	itUsiSHOi.exe
1712	itUsiSHOi.exe
2388	ayoeiizp.exe
2388	ayoeiizp.exe
4696	ayoeiizp.exe
4696	ayoeiizp.exe
4696	ayoeiizp.exe
4696	ayoeiizp.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ayoeiizp.exe

pid process

4236 ayoeiizp.exe

pid	process
4236	ayoeiizp.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

itUsiSHOi.exeayoeiizp.exeitUsiSHOi.execmd.exeayoeiizp.exe

description	pid	process	target process
PID 1748 wrote to memory of 3628	1748	itUsiSHOi.exe	itUsiSHOi.exe
PID 1748 wrote to memory of 3628	1748	itUsiSHOi.exe	itUsiSHOi.exe
PID 1748 wrote to memory of 3628	1748	itUsiSHOi.exe	itUsiSHOi.exe
PID 1748 wrote to memory of 4236	1748	itUsiSHOi.exe	ayoeiizp.exe
PID 1748 wrote to memory of 4236	1748	itUsiSHOi.exe	ayoeiizp.exe
PID 1748 wrote to memory of 4236	1748	itUsiSHOi.exe	ayoeiizp.exe
PID 1748 wrote to memory of 3772	1748	itUsiSHOi.exe	schtasks.exe
PID 1748 wrote to memory of 3772	1748	itUsiSHOi.exe	schtasks.exe
PID 1748 wrote to memory of 3772	1748	itUsiSHOi.exe	schtasks.exe
PID 4236 wrote to memory of 4436	4236	ayoeiizp.exe	ayoeiizp.exe
PID 4236 wrote to memory of 4436	4236	ayoeiizp.exe	ayoeiizp.exe
PID 4236 wrote to memory of 4436	4236	ayoeiizp.exe	ayoeiizp.exe
PID 4236 wrote to memory of 3620	4236	ayoeiizp.exe	explorer.exe
PID 4236 wrote to memory of 3620	4236	ayoeiizp.exe	explorer.exe
PID 4236 wrote to memory of 3620	4236	ayoeiizp.exe	explorer.exe
PID 4236 wrote to memory of 3620	4236	ayoeiizp.exe	explorer.exe
PID 1712 wrote to memory of 3784	1712	itUsiSHOi.exe	reg.exe
PID 1712 wrote to memory of 3784	1712	itUsiSHOi.exe	reg.exe
PID 1712 wrote to memory of 760	1712	itUsiSHOi.exe	reg.exe
PID 1712 wrote to memory of 760	1712	itUsiSHOi.exe	reg.exe
PID 1712 wrote to memory of 4956	1712	itUsiSHOi.exe	reg.exe
PID 1712 wrote to memory of 4956	1712	itUsiSHOi.exe	reg.exe
PID 1712 wrote to memory of 1720	1712	itUsiSHOi.exe	reg.exe
PID 1712 wrote to memory of 1720	1712	itUsiSHOi.exe	reg.exe
PID 1712 wrote to memory of 4152	1712	itUsiSHOi.exe	reg.exe
PID 1712 wrote to memory of 4152	1712	itUsiSHOi.exe	reg.exe
PID 1712 wrote to memory of 748	1712	itUsiSHOi.exe	reg.exe
PID 1712 wrote to memory of 748	1712	itUsiSHOi.exe	reg.exe
PID 1712 wrote to memory of 4424	1712	itUsiSHOi.exe	reg.exe
PID 1712 wrote to memory of 4424	1712	itUsiSHOi.exe	reg.exe
PID 1712 wrote to memory of 3408	1712	itUsiSHOi.exe	reg.exe
PID 1712 wrote to memory of 3408	1712	itUsiSHOi.exe	reg.exe
PID 1712 wrote to memory of 3108	1712	itUsiSHOi.exe	reg.exe
PID 1712 wrote to memory of 3108	1712	itUsiSHOi.exe	reg.exe
PID 1712 wrote to memory of 2388	1712	itUsiSHOi.exe	ayoeiizp.exe
PID 1712 wrote to memory of 2388	1712	itUsiSHOi.exe	ayoeiizp.exe
PID 1712 wrote to memory of 2388	1712	itUsiSHOi.exe	ayoeiizp.exe
PID 1712 wrote to memory of 4884	1712	itUsiSHOi.exe	cmd.exe
PID 1712 wrote to memory of 4884	1712	itUsiSHOi.exe	cmd.exe
PID 1712 wrote to memory of 708	1712	itUsiSHOi.exe	schtasks.exe
PID 1712 wrote to memory of 708	1712	itUsiSHOi.exe	schtasks.exe
PID 4884 wrote to memory of 2204	4884	cmd.exe	PING.EXE
PID 4884 wrote to memory of 2204	4884	cmd.exe	PING.EXE
PID 2388 wrote to memory of 4696	2388	ayoeiizp.exe	ayoeiizp.exe
PID 2388 wrote to memory of 4696	2388	ayoeiizp.exe	ayoeiizp.exe
PID 2388 wrote to memory of 4696	2388	ayoeiizp.exe	ayoeiizp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c42e511e79fa6c3b2931080364522dfc_JaffaCakes118.vbs"
1⤵
PID:4360

C:\Users\Admin\AppData\Local\Temp\itUsiSHOi.exe
C:\Users\Admin\AppData\Local\Temp\itUsiSHOi.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Users\Admin\AppData\Local\Temp\itUsiSHOi.exe
  C:\Users\Admin\AppData\Local\Temp\itUsiSHOi.exe /C
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  PID:3628
- C:\Users\Admin\AppData\Roaming\Microsoft\Qcyggyscuud\ayoeiizp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Qcyggyscuud\ayoeiizp.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4236
- - C:\Users\Admin\AppData\Roaming\Microsoft\Qcyggyscuud\ayoeiizp.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Qcyggyscuud\ayoeiizp.exe /C
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    PID:4436
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3620
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn xswbenfjc /tr "\"C:\Users\Admin\AppData\Local\Temp\itUsiSHOi.exe\" /I xswbenfjc" /SC ONCE /Z /ST 02:01 /ET 02:13
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3772

C:\Users\Admin\AppData\Local\Temp\itUsiSHOi.exe
C:\Users\Admin\AppData\Local\Temp\itUsiSHOi.exe /I xswbenfjc
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\system32\reg.exe
  C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
  2⤵
  PID:3784
- C:\Windows\system32\reg.exe
  C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
  2⤵
  PID:760
- C:\Windows\system32\reg.exe
  C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
  2⤵
  PID:4956
- C:\Windows\system32\reg.exe
  C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
  2⤵
  PID:1720
- C:\Windows\system32\reg.exe
  C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
  2⤵
  PID:4152
- C:\Windows\system32\reg.exe
  C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
  2⤵
  PID:748
- C:\Windows\system32\reg.exe
  C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
  2⤵
  PID:4424
- C:\Windows\system32\reg.exe
  C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
  2⤵
  PID:3408
- C:\Windows\system32\reg.exe
  C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Qcyggyscuud" /d "0"
  2⤵
  - Windows security bypass
  PID:3108
- C:\Users\Admin\AppData\Roaming\Microsoft\Qcyggyscuud\ayoeiizp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Qcyggyscuud\ayoeiizp.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Users\Admin\AppData\Roaming\Microsoft\Qcyggyscuud\ayoeiizp.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Qcyggyscuud\ayoeiizp.exe /C
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    PID:4696
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\itUsiSHOi.exe"
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Windows\system32\PING.EXE
    ping.exe -n 6 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2204
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /DELETE /F /TN xswbenfjc
  2⤵
  PID:708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\itUsiSHOi.exe

Filesize
644KB

MD5
e372d668d9e1d734b76655f5b0ebd0e6

SHA1
b6fc1da195130a16f15e471835041ed05473c795

SHA256
07ee7be992525cfa1a66ca03ee127f2df8041e88bf6c12a1fffcb206660606e7

SHA512
06b4be1d2ebb82860e6d8396ab963707840dcd35678c512cf18f085ba2c0d75c4f5341f2189685e65a8dc611317c93012bb8b3944758172377aa23bae1469496

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Qcyggyscuud\ayoeiizp.dat

Filesize
63B

MD5
3293bed115d40541731b160527d6ff11

SHA1
c4aae3b347d81be32acb12f6d6b2785f00379ab8

SHA256
d9ce80e3d62e331b532a941289aa21f128eeb28980cd14d1dc65de1db8992774

SHA512
bc029a7e0ef0a5e4193ebdd67836a3d78ade05cbed80802ea8f02d9a44dab68aa1b8f5264ed46fa9ddc7661be3d04b19b889d6d654f86f5fcc9e48999973ec27

Download Submit
memory/1712-50-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1712-43-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1748-20-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1748-6-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1748-24-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1748-4-0x00000000021C0000-0x0000000002251000-memory.dmp

Filesize
580KB

Download
memory/2388-56-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/3620-32-0x0000000001400000-0x0000000001491000-memory.dmp

Filesize
580KB

Download
memory/3620-34-0x0000000001400000-0x0000000001491000-memory.dmp

Filesize
580KB

Download
memory/3620-33-0x0000000003290000-0x00000000032D0000-memory.dmp

Filesize
256KB

Download
memory/3620-37-0x0000000003290000-0x00000000032D0000-memory.dmp

Filesize
256KB

Download
memory/3620-39-0x0000000003290000-0x00000000032D0000-memory.dmp

Filesize
256KB

Download
memory/3620-36-0x0000000003290000-0x00000000032D0000-memory.dmp

Filesize
256KB

Download
memory/3620-30-0x0000000001400000-0x0000000001491000-memory.dmp

Filesize
580KB

Download
memory/3628-9-0x0000000002190000-0x0000000002221000-memory.dmp

Filesize
580KB

Download
memory/3628-13-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4236-35-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4436-29-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4696-55-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download