Analysis Overview
SHA256
929266c5f7930996ec26e09f1d163ea356946cd4eed12523e2606b33448b8fbf
Threat Level: Known bad
The file 929266c5f7930996ec26e09f1d163ea356946cd4eed12523e2606b33448b8fbf.exe was found to be: Known bad.
Malicious Activity Summary
Qakbot family
Qakbot/Qbot
Loads dropped DLL
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-20 23:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-20 23:42
Reported
2024-11-20 23:44
Platform
win7-20240903-en
Max time kernel
119s
Max time network
125s
Command Line
Signatures
Qakbot family
Qakbot/Qbot
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\929266c5f7930996ec26e09f1d163ea356946cd4eed12523e2606b33448b8fbf.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\929266c5f7930996ec26e09f1d163ea356946cd4eed12523e2606b33448b8fbf.dll,#1
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn hojjksaila /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\929266c5f7930996ec26e09f1d163ea356946cd4eed12523e2606b33448b8fbf.dll\"" /SC ONCE /Z /ST 23:44 /ET 23:56
C:\Windows\system32\taskeng.exe
taskeng.exe {53FEE0B6-EF00-43FE-B657-2402B8FB0EB5} S-1-5-18:NT AUTHORITY\System:Service:
C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\929266c5f7930996ec26e09f1d163ea356946cd4eed12523e2606b33448b8fbf.dll"
C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\929266c5f7930996ec26e09f1d163ea356946cd4eed12523e2606b33448b8fbf.dll"
Network
Files
C:\Users\Admin\AppData\Local\Temp\929266c5f7930996ec26e09f1d163ea356946cd4eed12523e2606b33448b8fbf.dll
| Algorithm | Digest |
|---|---|
| MD5 | 1c399b307dc2464ace2fe06e227171c9 |
| SHA1 | 073d37ed9ee2a7f2090118925785636dbaf1cb6c |
| SHA256 | 929266c5f7930996ec26e09f1d163ea356946cd4eed12523e2606b33448b8fbf |
| SHA512 | 64fa64b1e9fbaf67e0f54375bd0236b5338ed5fe4bea7a89123fdfe452084bd663f4085ad3e01d3c982ad20b6cf6cd08212f4adfc4a8a5be65784bab10f3250a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-20 23:42
Reported
2024-11-20 23:44
Platform
win10v2004-20241007-en
Max time kernel
116s
Max time network
97s
Command Line
Signatures
Qakbot family
Qakbot/Qbot
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\929266c5f7930996ec26e09f1d163ea356946cd4eed12523e2606b33448b8fbf.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\929266c5f7930996ec26e09f1d163ea356946cd4eed12523e2606b33448b8fbf.dll,#1
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn qxwiirv /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\929266c5f7930996ec26e09f1d163ea356946cd4eed12523e2606b33448b8fbf.dll\"" /SC ONCE /Z /ST 23:44 /ET 23:56
C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\929266c5f7930996ec26e09f1d163ea356946cd4eed12523e2606b33448b8fbf.dll"
C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\929266c5f7930996ec26e09f1d163ea356946cd4eed12523e2606b33448b8fbf.dll"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\929266c5f7930996ec26e09f1d163ea356946cd4eed12523e2606b33448b8fbf.dll
| Algorithm | Digest |
|---|---|
| MD5 | 1c399b307dc2464ace2fe06e227171c9 |
| SHA1 | 073d37ed9ee2a7f2090118925785636dbaf1cb6c |
| SHA256 | 929266c5f7930996ec26e09f1d163ea356946cd4eed12523e2606b33448b8fbf |
| SHA512 | 64fa64b1e9fbaf67e0f54375bd0236b5338ed5fe4bea7a89123fdfe452084bd663f4085ad3e01d3c982ad20b6cf6cd08212f4adfc4a8a5be65784bab10f3250a |