Malware Analysis Report

2024-11-30 13:29

Sample ID 241120-zfj44ssejd
Target 0bc79d1993e95c1c112bde2e26ba54f2132e74c3e3b143ee2c7b101c57b6f5b2.exe
SHA256 0bc79d1993e95c1c112bde2e26ba54f2132e74c3e3b143ee2c7b101c57b6f5b2
Tags qakbot biden54 1634810637 banker discovery evasion stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

0bc79d1993e95c1c112bde2e26ba54f2132e74c3e3b143ee2c7b101c57b6f5b2

Threat Level: Known bad

The file 0bc79d1993e95c1c112bde2e26ba54f2132e74c3e3b143ee2c7b101c57b6f5b2.exe was found to be: Known bad.

Malicious Activity Summary

qakbot biden54 1634810637 banker discovery evasion stealer trojan

Windows security bypass

Qakbot family

Qakbot/Qbot

Loads dropped DLL

Unsigned PE

System Location Discovery: System Language Discovery

Modifies data under HKEY_USERS

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-20 20:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-20 20:39

Reported

2024-11-20 20:41

Platform

win7-20241023-en

Max time kernel

97s

Max time network

17s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0bc79d1993e95c1c112bde2e26ba54f2132e74c3e3b143ee2c7b101c57b6f5b2.dll,#1

Signatures

Qakbot family

qakbot

Qakbot/Qbot

trojan banker stealer qakbot

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Dfciko = "0" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Ulizmchuv = "0" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\system32\reg.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Awfcdaj\4d124ce4 = f8bb5699a2ba3730430141380e268b43fadfc1ad2d09e94e97dd1de22b6aef199d755b0545a9df647948f7329103beb0c2306f354ab494bf6bd7eb71bf557e20bef5d84036fb17c24008aa6731eac60067f29d0bc38cb19f73879dcedff59db154d2ea5f6c02fc471463e94d05fa44ec2f369e4cb1171ef4c1e5f1c0c983371142dd45a39d84314b12b047080db79415635e29 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Awfcdaj\4f536c98 = 7f56a4ab027e5de46beefc2bb986a83993d0834fc35b553f7812ad83219f5c201816ad426cdb6089ff57c0e5d997ee68fdc6b0e52a6460d8b527072e363ce1498838fc34b291c56cc7975f C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Awfcdaj\f7ef0bfd = 31bf1cc83ca67045fe5bc1b4e5bd6502 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Awfcdaj\8ae74477 = 8d42d6009e4744933518e52e13584171ed8df8441b741dbc7f43a26f169452b3b0310aa0 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Awfcdaj\f5ae2b81 = 7c61e02bd6028938047b6e0b7708bb2a671413f0eadc4863c1b45f86d7eaf129b01bdebb0be73a8a8ed064e1312d3500eed1ddaf1a53403b4b5e784474a6f12fd41cd4510361f9c686a36066dd628a5a7d60d5923b1ad103f4fb17b5c476508d0bb91f6752476e57822b361d3d38e318 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Awfcdaj\7c4f35c = 1c408ab892e301a13cafcf6d3aaa5e1506e0ae49fea4e492cdcd4afeceb5547f2ff34fecfd38ccef132f8368edebc9244e5d440f983e9968d1a8e3cce9e87db0d9e1299be78f353f1b094dc509b505460acee318be2e32112b8b748781d1 C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Awfcdaj C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Awfcdaj\788d9caa = abf811732701d0b679e91a682c78ed360cccc15f24cfac67bea3339ae7c35093ba0d652a3371e62e3d9a150c8de71d6b33217d686f6b9b73f58fbd88c6c728f02d18e166a496135cb98f58be32468a C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Awfcdaj\325b2312 = 1847229c778bb1723db3aef94c8112ac5edb4bd867e9bb1bbefb391131d6b9d37755f6f0b645a889e8611877a3b06cdc3b8488bfcdf9214d9d386cae45c83d9ed9e15b32f1e98b8303f114e4 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Awfcdaj\788d9caa = abf806732701e5db5cbaff96ab5b6d28fcab0a09c6ae685e8b7d4ad54f686d4a48b2501dbcde9a42253f9df53651f54f6961f7b4658692b60ec9d077062177f49589278a555156bee0a552dd62d19801d89ae160da63d89de8c72bafd80044a886382abe C:\Windows\SysWOW64\explorer.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1272 wrote to memory of 1788 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1272 wrote to memory of 1788 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1272 wrote to memory of 1788 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1272 wrote to memory of 1788 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1272 wrote to memory of 1788 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1272 wrote to memory of 1788 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1272 wrote to memory of 1788 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1788 wrote to memory of 2508 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\explorer.exe
PID 1788 wrote to memory of 2508 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\explorer.exe
PID 1788 wrote to memory of 2508 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\explorer.exe
PID 1788 wrote to memory of 2508 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\explorer.exe
PID 1788 wrote to memory of 2508 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\explorer.exe
PID 1788 wrote to memory of 2508 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\explorer.exe
PID 2508 wrote to memory of 2476 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\schtasks.exe
PID 2508 wrote to memory of 2476 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\schtasks.exe
PID 2508 wrote to memory of 2476 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\schtasks.exe
PID 2508 wrote to memory of 2476 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\schtasks.exe
PID 1144 wrote to memory of 2908 N/A C:\Windows\system32\taskeng.exe C:\Windows\system32\regsvr32.exe
PID 1144 wrote to memory of 2908 N/A C:\Windows\system32\taskeng.exe C:\Windows\system32\regsvr32.exe
PID 1144 wrote to memory of 2908 N/A C:\Windows\system32\taskeng.exe C:\Windows\system32\regsvr32.exe
PID 1144 wrote to memory of 2908 N/A C:\Windows\system32\taskeng.exe C:\Windows\system32\regsvr32.exe
PID 1144 wrote to memory of 2908 N/A C:\Windows\system32\taskeng.exe C:\Windows\system32\regsvr32.exe
PID 2908 wrote to memory of 1812 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2908 wrote to memory of 1812 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2908 wrote to memory of 1812 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2908 wrote to memory of 1812 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2908 wrote to memory of 1812 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2908 wrote to memory of 1812 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2908 wrote to memory of 1812 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1812 wrote to memory of 1828 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 1812 wrote to memory of 1828 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 1812 wrote to memory of 1828 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 1812 wrote to memory of 1828 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 1812 wrote to memory of 1828 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 1812 wrote to memory of 1828 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 1828 wrote to memory of 352 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe
PID 1828 wrote to memory of 352 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe
PID 1828 wrote to memory of 352 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe
PID 1828 wrote to memory of 352 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe
PID 1828 wrote to memory of 1644 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe
PID 1828 wrote to memory of 1644 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe
PID 1828 wrote to memory of 1644 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe
PID 1828 wrote to memory of 1644 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0bc79d1993e95c1c112bde2e26ba54f2132e74c3e3b143ee2c7b101c57b6f5b2.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0bc79d1993e95c1c112bde2e26ba54f2132e74c3e3b143ee2c7b101c57b6f5b2.dll,#1

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn micrvxligw /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\0bc79d1993e95c1c112bde2e26ba54f2132e74c3e3b143ee2c7b101c57b6f5b2.dll\"" /SC ONCE /Z /ST 20:41 /ET 20:53

C:\Windows\system32\taskeng.exe

taskeng.exe {9BCA5A4F-365B-4188-B185-ACD2CBF55478} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\system32\regsvr32.exe

regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\0bc79d1993e95c1c112bde2e26ba54f2132e74c3e3b143ee2c7b101c57b6f5b2.dll"

C:\Windows\SysWOW64\regsvr32.exe

-s "C:\Users\Admin\AppData\Local\Temp\0bc79d1993e95c1c112bde2e26ba54f2132e74c3e3b143ee2c7b101c57b6f5b2.dll"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Dfciko" /d "0"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Ulizmchuv" /d "0"

Network

N/A

Files

memory/1788-1-0x0000000074FB0000-0x00000000750A3000-memory.dmp

memory/1788-4-0x0000000074FB0000-0x00000000750A3000-memory.dmp

memory/1788-3-0x000000007508F000-0x0000000075095000-memory.dmp

memory/1788-0-0x0000000074FB0000-0x00000000750A3000-memory.dmp

memory/2508-5-0x00000000000B0000-0x00000000000B2000-memory.dmp

memory/2508-7-0x0000000000080000-0x00000000000A1000-memory.dmp

memory/1788-8-0x0000000074FB0000-0x00000000750A3000-memory.dmp

memory/2508-11-0x0000000000080000-0x00000000000A1000-memory.dmp

memory/2508-13-0x0000000000080000-0x00000000000A1000-memory.dmp

memory/2508-14-0x0000000000080000-0x00000000000A1000-memory.dmp

memory/2508-12-0x0000000000080000-0x00000000000A1000-memory.dmp

memory/2508-15-0x0000000000080000-0x00000000000A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0bc79d1993e95c1c112bde2e26ba54f2132e74c3e3b143ee2c7b101c57b6f5b2.dll

MD5 44e60ee86b4cb4188bdd08e3b49c0bf5
SHA1 c271311550ce154650896787afef4a3f8ae86620
SHA256 0bc79d1993e95c1c112bde2e26ba54f2132e74c3e3b143ee2c7b101c57b6f5b2
SHA512 193619bda32192c7ac61a8ed427cde79ca8aa2d77775bc714cfcb564915b3d7967cfc338877a27e633030aff30f1ce35c3056979e56941dafb9dc85e015e1e03

memory/1812-20-0x0000000074670000-0x0000000074763000-memory.dmp

memory/1812-21-0x0000000074670000-0x0000000074763000-memory.dmp

memory/1812-24-0x0000000074670000-0x0000000074763000-memory.dmp

memory/1828-26-0x0000000000080000-0x00000000000A1000-memory.dmp

memory/1828-28-0x0000000000080000-0x00000000000A1000-memory.dmp

memory/1828-27-0x0000000000080000-0x00000000000A1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-20 20:39

Reported

2024-11-20 20:41

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

97s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0bc79d1993e95c1c112bde2e26ba54f2132e74c3e3b143ee2c7b101c57b6f5b2.dll,#1

Signatures

Qakbot family

qakbot

Qakbot/Qbot

trojan banker stealer qakbot

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Ydgdxc = "0" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Oexepotiakf = "0" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\system32\reg.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Owzaxqszeuoaub\8f82410 = 468368145399893f67b8c181e099d97d4cae5ff90919a6ffe684444b5b11f1d585934bbc49e0ac1f167942118fc59baceaac7bfd83a201b5cef22e850cd7cd0788ad0f0af9ef8d146fc85b4a4805e4868b94477617f2e6d88f7895788fd04d5a569284b95039209249eb C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Owzaxqszeuoaub\77b14be6 = c6e2f182e0f4a928585b22423ec08a9fb89afa9e35d6d537a0aec0f08c6bfe01f5908b4c2e24b30468dc63b58bfeed64d97b2025b304b90d5079a7e7f785a8dfa5e9e39f04dee7d5ff7c38b2c0308b0abc20a3ea129a77ef2db39b234f6e92facc5bd44972c1d5d1 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Owzaxqszeuoaub\fa92fccd = fb8e264a2365a2dd364f2ae2820fb1ddc20b8277c8ffb65df35351f7d8e7a33205a007736cb7afa9777d6d3e7513b7b13c8b1d648491bd93876c6e47c1c090f4f86c4a6394caa30fb5d670b7b81779e473f61bab42acf17ee85ad8411763 C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Owzaxqszeuoaub C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Owzaxqszeuoaub\cf0d2c83 = f26326f132a63a3940c004422dfddec2685a32e819dbb9b4cd3436b7abbca591237262be4c296814a7f96d4b6797b84755f61254f78ff1c413eae2b102e8f8ba9c8a4bc4678a7e5ba524dbba69ef5120cd1226e9f025fbc256b9d13636d3ded94269469840476110bbd789e31b20637dd945929817f79f1b6591aa8dcf14c5227368fed42a2a6a096cf7b3ca9376972d740a90b1f57e3d57095e3d952b615a097cd58b5b920c25c019a89fd427e3b7ef515447244746a1efb34b702375b30def4aa7d84f778a C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Owzaxqszeuoaub\cd4c0cff = 722b23307bc44c2aa02208c748f8ebf3f81d4f94e8335bd869f4c5b5f09f3e89fa941e87879a9c0cd2e7353be0c982aa747b3caecc72d7206c7ead1237ad146a C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Owzaxqszeuoaub\75f06b9a = c68fb9c245ff8b68d672b7f2d900bf36372dc36e5cb40904ca76e346b8eb30816616d0d8dcdca4dfca29a06457e96ec554c0c4a23de7cccaaa63239170972d05c6b6f60d530acfb4ef6201f46aa1694e36900651d61b4297a804e556fb2beba54b6eca1176d254735c9e69ff9aec0936d678 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Owzaxqszeuoaub\fa92fccd = fb8e314a236597ede2e365ff6411599f21e848f630a71d15030c0436ad09ee3b981e2fd3a928b9a3c2b74b8b8ca8738e4760556e8660f3ffac3584c91c810677404b8b86efd95c5d60 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Owzaxqszeuoaub\b0444375 = 112b97bcdcfae281b7013c2956e27dbab5d81080acb2bc9e6717c59ad7f0a6cfde89dacb62dccf55a61f28c26e58ff282898335bef434f0f4ac3a833f566cfda1bff5df7d42773fd9f28b714518b5b32c27f614e2902b5d08b9695eeefb5ca071948c8de0bcc0f1803 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Owzaxqszeuoaub\85db933b = 875741f27f3e40e61ba8cc64a4f7672a56661e510e77479b403f2596c4e0316abacb478b2a93dd135dd01e2a232824a358ccfc91c7af18e9e3fdc341b89f93b69ddeb4b5695e7fb64ab8f5cf6dee930d10612e1f5b6639f22d145d2b5a384a4c0023271c5507dbc9d6ece8 C:\Windows\SysWOW64\explorer.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4596 wrote to memory of 1152 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4596 wrote to memory of 1152 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4596 wrote to memory of 1152 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1152 wrote to memory of 2312 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\explorer.exe
PID 1152 wrote to memory of 2312 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\explorer.exe
PID 1152 wrote to memory of 2312 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\explorer.exe
PID 1152 wrote to memory of 2312 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\explorer.exe
PID 1152 wrote to memory of 2312 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\explorer.exe
PID 2312 wrote to memory of 3496 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\schtasks.exe
PID 2312 wrote to memory of 3496 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\schtasks.exe
PID 2312 wrote to memory of 3496 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\schtasks.exe
PID 4536 wrote to memory of 2488 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4536 wrote to memory of 2488 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4536 wrote to memory of 2488 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2488 wrote to memory of 4184 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 2488 wrote to memory of 4184 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 2488 wrote to memory of 4184 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 2488 wrote to memory of 4184 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 2488 wrote to memory of 4184 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 4184 wrote to memory of 2052 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe
PID 4184 wrote to memory of 2052 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe
PID 4184 wrote to memory of 4476 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe
PID 4184 wrote to memory of 4476 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0bc79d1993e95c1c112bde2e26ba54f2132e74c3e3b143ee2c7b101c57b6f5b2.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0bc79d1993e95c1c112bde2e26ba54f2132e74c3e3b143ee2c7b101c57b6f5b2.dll,#1

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn hgneaeot /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\0bc79d1993e95c1c112bde2e26ba54f2132e74c3e3b143ee2c7b101c57b6f5b2.dll\"" /SC ONCE /Z /ST 20:41 /ET 20:53

C:\Windows\system32\regsvr32.exe

regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\0bc79d1993e95c1c112bde2e26ba54f2132e74c3e3b143ee2c7b101c57b6f5b2.dll"

C:\Windows\SysWOW64\regsvr32.exe

-s "C:\Users\Admin\AppData\Local\Temp\0bc79d1993e95c1c112bde2e26ba54f2132e74c3e3b143ee2c7b101c57b6f5b2.dll"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Oexepotiakf" /d "0"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Ydgdxc" /d "0"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 96.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 101.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 138.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/1152-0-0x0000000074AE0000-0x0000000074BD3000-memory.dmp

memory/1152-1-0x0000000074BBF000-0x0000000074BC5000-memory.dmp

memory/1152-2-0x0000000074AE0000-0x0000000074BD3000-memory.dmp

memory/1152-3-0x0000000074AE0000-0x0000000074BD3000-memory.dmp

memory/2312-5-0x0000000000D50000-0x0000000000D71000-memory.dmp

memory/1152-6-0x0000000074AE0000-0x0000000074BD3000-memory.dmp

memory/2312-9-0x0000000000D50000-0x0000000000D71000-memory.dmp

memory/2312-10-0x0000000000D50000-0x0000000000D71000-memory.dmp

memory/2312-11-0x0000000000D50000-0x0000000000D71000-memory.dmp

memory/2312-13-0x0000000000D50000-0x0000000000D71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0bc79d1993e95c1c112bde2e26ba54f2132e74c3e3b143ee2c7b101c57b6f5b2.dll

MD5 44e60ee86b4cb4188bdd08e3b49c0bf5
SHA1 c271311550ce154650896787afef4a3f8ae86620
SHA256 0bc79d1993e95c1c112bde2e26ba54f2132e74c3e3b143ee2c7b101c57b6f5b2
SHA512 193619bda32192c7ac61a8ed427cde79ca8aa2d77775bc714cfcb564915b3d7967cfc338877a27e633030aff30f1ce35c3056979e56941dafb9dc85e015e1e03

memory/2488-17-0x0000000074A50000-0x0000000074B43000-memory.dmp

memory/2488-18-0x0000000074A50000-0x0000000074B43000-memory.dmp

\??\PIPE\wkssvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2488-21-0x0000000074A50000-0x0000000074B43000-memory.dmp

memory/4184-23-0x0000000000940000-0x0000000000961000-memory.dmp

memory/4184-24-0x0000000000940000-0x0000000000961000-memory.dmp

memory/4184-25-0x0000000000940000-0x0000000000961000-memory.dmp