Analysis Overview
SHA256
a8a24ff6f2021b620eeb073eef6549a4408014835883bebfadfad28887067aa2
Threat Level: Known bad
The file a8a24ff6f2021b620eeb073eef6549a4408014835883bebfadfad28887067aa2.exe was found to be: Known bad.
Malicious Activity Summary
Qakbot family
Qakbot/Qbot
Windows security bypass
Loads dropped DLL
System Location Discovery: System Language Discovery
Unsigned PE
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-21 00:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-21 00:50
Reported
2024-11-21 00:52
Platform
win7-20240903-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Qakbot family
Qakbot/Qbot
Windows security bypass
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Umkgzcrot = "0" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Eroluhwur = "0" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Imjvqptucuqdpg\2662b186 = ccb72fd1acb608f277ad6ef3080c5de876d04bc7a8251299b7c886834e468cc71cb1c770d2a9a35b83 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Imjvqptucuqdpg | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Imjvqptucuqdpg\6cb40e3e = 1f1457c5b55977464faa0a273675498778643dedcf099d283920c1b98bc191da24ab8c43c860989735d32bd1539c9b915605b9c2dfd14175afbdff66e9b36d7aa0fa5e3d9e0fd96d22f4bc22d97b4a43cc3d80bf1d9ed71ad93efebda181e42e22a458931216e540a201d1a686746304066d1fea6525a49391608827bcd767ad33ecad5d9f7ff38f86161186b8539b6318e54735c6a3b3742b30f0fe9aac920fc52be0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Imjvqptucuqdpg\d6494927 = eb1043d9deed0b131c2965f72178faa627a8430b916f016c29c2d51d445e11df749f6f680658e9ed424b606aa3ef0b | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Imjvqptucuqdpg\ab4106ad = 8bbff41bf833cbfba0405f907d89ab9f3e1bccf25d3b18e233e3d61b1dba315444771b3e3652c694ea8fe770addf1fcf1c0111b7204bdacb986c487e17f47e2cf969de0c55b0e80a565e317e2725484bb9b69216d0532542aeea04ac436958 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Imjvqptucuqdpg\592bde70 = 2ff80728a5baad57f83be029587ca1514e0516cfeaa4c909ebdcb6f78a841a19e0b70f9b48f2da7dde246228662d2c2e17ff6b58c1d84b3281c8fb94768bace0df416b16963835b30a11f9ba638488b68f447887bb986382f3eff948087f5c5f409b622b | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Imjvqptucuqdpg\592bde70 = 2ff81028a5ba9876ceb945548e3d791bf5d4fba9298ed1fc5a529c713ef26f5a853cad7a99d540eaf0c69f21eca2dd380b0213d921af6e39f155e630377b58d95ef256599cc378da848592f7105ecc | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Imjvqptucuqdpg\6ef52e42 = 9ceeb79bfb8297b647b751671012d8fd41edd455049020827502b7d182aff720fecd55 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Imjvqptucuqdpg\13fd61c8 = 67307f7dfa2bc2a1f360486645c01dd0d844e23eea4eddbe0d3224b4ec7aae961ddd59c409fbb4dbb0021c5c6c0c930251b31371161c4e804f1cc1e07697d67b0f161281 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Imjvqptucuqdpg\d408695b = b09f2fdcd055791beb47a84fab9a1c3d2da014b28b5d1080af3b067d66fec25ec9202eb1d693b2d71f83228ab44439d3c116d3feb49d3b4b00f5b7e168f2c5ae02ca448de2311d4f402391803fa277b0ecfabef8aaa597fc78fde38bf69b17f2e8d36481f7552f | C:\Windows\SysWOW64\explorer.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a8a24ff6f2021b620eeb073eef6549a4408014835883bebfadfad28887067aa2.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a8a24ff6f2021b620eeb073eef6549a4408014835883bebfadfad28887067aa2.dll,#1
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn lhtykwp /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\a8a24ff6f2021b620eeb073eef6549a4408014835883bebfadfad28887067aa2.dll\"" /SC ONCE /Z /ST 00:52 /ET 01:04
C:\Windows\system32\taskeng.exe
taskeng.exe {0BE45D7F-1C7D-4959-8945-8A678111ED1E} S-1-5-18:NT AUTHORITY\System:Service:
C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\a8a24ff6f2021b620eeb073eef6549a4408014835883bebfadfad28887067aa2.dll"
C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\a8a24ff6f2021b620eeb073eef6549a4408014835883bebfadfad28887067aa2.dll"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Umkgzcrot" /d "0"
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Eroluhwur" /d "0"
Network
Files
memory/2508-0-0x00000000744C0000-0x000000007466B000-memory.dmp
memory/2508-1-0x00000000744C0000-0x000000007466B000-memory.dmp
memory/2508-4-0x00000000744C0000-0x000000007466B000-memory.dmp
memory/2508-3-0x0000000074650000-0x0000000074656000-memory.dmp
memory/2576-5-0x00000000000B0000-0x00000000000B2000-memory.dmp
memory/2576-7-0x0000000000080000-0x00000000000A1000-memory.dmp
memory/2508-8-0x00000000744C0000-0x000000007466B000-memory.dmp
memory/2576-11-0x0000000000080000-0x00000000000A1000-memory.dmp
memory/2576-13-0x0000000000080000-0x00000000000A1000-memory.dmp
memory/2576-12-0x0000000000080000-0x00000000000A1000-memory.dmp
memory/2576-15-0x0000000000080000-0x00000000000A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a8a24ff6f2021b620eeb073eef6549a4408014835883bebfadfad28887067aa2.dll
| MD5 | 2f24812ec4d8c7a26a71f58b922db523 |
| SHA1 | 4c44eb5006e99bc72d728a31929461a3a500b2a7 |
| SHA256 | a8a24ff6f2021b620eeb073eef6549a4408014835883bebfadfad28887067aa2 |
| SHA512 | 35dac3271667b2087ae9724d018dff96ba4eba8229e12e61f952d8434cc06e67830bb6dd4b76e2976394d228ec858b15cfb58d9dd1aa20500a9f26ac78df1206 |
memory/2856-20-0x0000000073BF0000-0x0000000073D9B000-memory.dmp
memory/2856-21-0x0000000073BF0000-0x0000000073D9B000-memory.dmp
memory/2856-24-0x0000000073BF0000-0x0000000073D9B000-memory.dmp
memory/2864-27-0x0000000000080000-0x00000000000A1000-memory.dmp
memory/2864-28-0x0000000000080000-0x00000000000A1000-memory.dmp
memory/2864-26-0x0000000000080000-0x00000000000A1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-21 00:50
Reported
2024-11-21 00:52
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
95s
Command Line
Signatures
Qakbot family
Qakbot/Qbot
Windows security bypass
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Nwkavejjz = "0" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Ewhearvhuv = "0" | C:\Windows\system32\reg.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Wqoaaier\c324bef7 = e3f6bd942c2c76893cd74dbe8688d5b3794d45dd | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Wqoaaier\bc6dd101 = 124400cc24304a76b4ce6cd25aa7e34bb6ab4e3d170955f639136a56947522cf05b51c25dd | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Wqoaaier\8bb32133 = acb443c2ce960aa1cd033a410c851c8b19415af2c5377e151fc4d014ae7aea642529c96b1236e9fbd84df211f4785191a942ac7878bc3851b333bdca9def85fff147f4a5b612c30517f60e0236c8b94f69e0eb0395f6b530a15aa893 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Wqoaaier\4e0709dc = 3ef8290b6cb3943dfdc8077589e8f343293926eb3c11ab3e41b0603688fc86 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Wqoaaier\f6bb6eb9 = 45f12b7dd1e5e902ad7c6315e247fb5bb29ae2f4919aa46cb733bd4790c10f | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Wqoaaier\bc6dd101 = 124417cc24307fd997f68f112d3389bdf331b9d957b5d4d4fe4a6a260f672175065b76faf3c2235599a7d007de65c156a231119eb0b931627956 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Wqoaaier | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Wqoaaier\89f2014f = 3d37a092d5e66c84f7b07f4a8b2bdcc6dca20a3678c080f695e275a902146d67deb3794ec65f88174c5b4ce21932b53b082992a8e46d03439ac232cd4d87d4d32465732c0988feb60289b0f345a20588a0646d440b0d816aada2c5294f9398dcd89f368d43ada133a55abc82011ef055c408f3787705f5fd4344d04687 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Wqoaaier\330f4656 = 3eed7f29917338a4b8be79dc31cecd7fac07f7a85515fcc7bebc441a98d611 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Wqoaaier\314e662a = a7158b9aadbbbfe6f127755f5bad024b70ca95b09e358037b3da56ee4f | C:\Windows\SysWOW64\explorer.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a8a24ff6f2021b620eeb073eef6549a4408014835883bebfadfad28887067aa2.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a8a24ff6f2021b620eeb073eef6549a4408014835883bebfadfad28887067aa2.dll,#1
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn owbbhhgno /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\a8a24ff6f2021b620eeb073eef6549a4408014835883bebfadfad28887067aa2.dll\"" /SC ONCE /Z /ST 00:52 /ET 01:04
C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\a8a24ff6f2021b620eeb073eef6549a4408014835883bebfadfad28887067aa2.dll"
C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\a8a24ff6f2021b620eeb073eef6549a4408014835883bebfadfad28887067aa2.dll"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Nwkavejjz" /d "0"
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Ewhearvhuv" /d "0"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
Files
memory/3144-1-0x0000000075260000-0x0000000075266000-memory.dmp
memory/3144-4-0x00000000750D0000-0x000000007527B000-memory.dmp
memory/3144-2-0x00000000750D0000-0x000000007527B000-memory.dmp
memory/3144-0-0x00000000750D0000-0x000000007527B000-memory.dmp
memory/3144-5-0x00000000750D0000-0x000000007527B000-memory.dmp
memory/1388-6-0x00000000010E0000-0x0000000001101000-memory.dmp
memory/1388-10-0x00000000010E0000-0x0000000001101000-memory.dmp
memory/1388-12-0x00000000010E0000-0x0000000001101000-memory.dmp
memory/1388-11-0x00000000010E0000-0x0000000001101000-memory.dmp
memory/1388-14-0x00000000010E0000-0x0000000001101000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a8a24ff6f2021b620eeb073eef6549a4408014835883bebfadfad28887067aa2.dll
| MD5 | 2f24812ec4d8c7a26a71f58b922db523 |
| SHA1 | 4c44eb5006e99bc72d728a31929461a3a500b2a7 |
| SHA256 | a8a24ff6f2021b620eeb073eef6549a4408014835883bebfadfad28887067aa2 |
| SHA512 | 35dac3271667b2087ae9724d018dff96ba4eba8229e12e61f952d8434cc06e67830bb6dd4b76e2976394d228ec858b15cfb58d9dd1aa20500a9f26ac78df1206 |
memory/4912-19-0x0000000073930000-0x0000000073ADB000-memory.dmp
memory/4912-18-0x0000000073930000-0x0000000073ADB000-memory.dmp
\??\PIPE\wkssvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/4912-22-0x0000000073930000-0x0000000073ADB000-memory.dmp
memory/660-24-0x0000000000AA0000-0x0000000000AC1000-memory.dmp
memory/660-25-0x0000000000AA0000-0x0000000000AC1000-memory.dmp
memory/660-26-0x0000000000AA0000-0x0000000000AC1000-memory.dmp