Malware Analysis Report

2024-11-30 13:29

Sample ID 241121-a7a8vaxkd1
Target a8a24ff6f2021b620eeb073eef6549a4408014835883bebfadfad28887067aa2.exe
SHA256 a8a24ff6f2021b620eeb073eef6549a4408014835883bebfadfad28887067aa2
Tags
qakbot tr 1634541613 banker discovery evasion stealer trojan
Score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score
10/10

SHA256

a8a24ff6f2021b620eeb073eef6549a4408014835883bebfadfad28887067aa2

Threat Level: Known bad

The file a8a24ff6f2021b620eeb073eef6549a4408014835883bebfadfad28887067aa2.exe was found to be: Known bad.

Malicious Activity Summary

qakbot tr 1634541613 banker discovery evasion stealer trojan

Qakbot family

Qakbot/Qbot

Windows security bypass

Loads dropped DLL

System Location Discovery: System Language Discovery

Unsigned PE

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-21 00:50

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-21 00:50

Reported

2024-11-21 00:52

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\a8a24ff6f2021b620eeb073eef6549a4408014835883bebfadfad28887067aa2.dll,#1

Signatures

Qakbot family

qakbot

Qakbot/Qbot

trojan banker stealer qakbot

Windows security bypass

evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Umkgzcrot = "0" | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Eroluhwur = "0" | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Imjvqptucuqdpg\2662b186 = ccb72fd1acb608f277ad6ef3080c5de876d04bc7a8251299b7c886834e468cc71cb1c770d2a9a35b83 | C:\Windows\SysWOW64\explorer.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Imjvqptucuqdpg | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Imjvqptucuqdpg\6cb40e3e = 1f1457c5b55977464faa0a273675498778643dedcf099d283920c1b98bc191da24ab8c43c860989735d32bd1539c9b915605b9c2dfd14175afbdff66e9b36d7aa0fa5e3d9e0fd96d22f4bc22d97b4a43cc3d80bf1d9ed71ad93efebda181e42e22a458931216e540a201d1a686746304066d1fea6525a49391608827bcd767ad33ecad5d9f7ff38f86161186b8539b6318e54735c6a3b3742b30f0fe9aac920fc52be0 | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Imjvqptucuqdpg\d6494927 = eb1043d9deed0b131c2965f72178faa627a8430b916f016c29c2d51d445e11df749f6f680658e9ed424b606aa3ef0b | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Imjvqptucuqdpg\ab4106ad = 8bbff41bf833cbfba0405f907d89ab9f3e1bccf25d3b18e233e3d61b1dba315444771b3e3652c694ea8fe770addf1fcf1c0111b7204bdacb986c487e17f47e2cf969de0c55b0e80a565e317e2725484bb9b69216d0532542aeea04ac436958 | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Imjvqptucuqdpg\592bde70 = 2ff80728a5baad57f83be029587ca1514e0516cfeaa4c909ebdcb6f78a841a19e0b70f9b48f2da7dde246228662d2c2e17ff6b58c1d84b3281c8fb94768bace0df416b16963835b30a11f9ba638488b68f447887bb986382f3eff948087f5c5f409b622b | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Imjvqptucuqdpg\592bde70 = 2ff81028a5ba9876ceb945548e3d791bf5d4fba9298ed1fc5a529c713ef26f5a853cad7a99d540eaf0c69f21eca2dd380b0213d921af6e39f155e630377b58d95ef256599cc378da848592f7105ecc | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Imjvqptucuqdpg\6ef52e42 = 9ceeb79bfb8297b647b751671012d8fd41edd455049020827502b7d182aff720fecd55 | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Imjvqptucuqdpg\13fd61c8 = 67307f7dfa2bc2a1f360486645c01dd0d844e23eea4eddbe0d3224b4ec7aae961ddd59c409fbb4dbb0021c5c6c0c930251b31371161c4e804f1cc1e07697d67b0f161281 | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Imjvqptucuqdpg\d408695b = b09f2fdcd055791beb47a84fab9a1c3d2da014b28b5d1080af3b067d66fec25ec9202eb1d693b2d71f83228ab44439d3c116d3feb49d3b4b00f5b7e168f2c5ae02ca448de2311d4f402391803fa277b0ecfabef8aaa597fc78fde38bf69b17f2e8d36481f7552f | C:\Windows\SysWOW64\explorer.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 2960 wrote to memory of 2508 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe | 7
PID 2508 wrote to memory of 2576 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\explorer.exe | 6
PID 2576 wrote to memory of 2572 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\schtasks.exe | 4
PID 2596 wrote to memory of 2832 | N/A | C:\Windows\system32\taskeng.exe | C:\Windows\system32\regsvr32.exe | 5
PID 2832 wrote to memory of 2856 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe | 7
PID 2856 wrote to memory of 2864 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\explorer.exe | 6
PID 2864 wrote to memory of 1956 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\reg.exe | 4
PID 2864 wrote to memory of 1944 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\reg.exe | 4

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\a8a24ff6f2021b620eeb073eef6549a4408014835883bebfadfad28887067aa2.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\a8a24ff6f2021b620eeb073eef6549a4408014835883bebfadfad28887067aa2.dll,#1

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn lhtykwp /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\a8a24ff6f2021b620eeb073eef6549a4408014835883bebfadfad28887067aa2.dll\"" /SC ONCE /Z /ST 00:52 /ET 01:04

C:\Windows\system32\taskeng.exe

taskeng.exe {0BE45D7F-1C7D-4959-8945-8A678111ED1E} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\system32\regsvr32.exe

regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\a8a24ff6f2021b620eeb073eef6549a4408014835883bebfadfad28887067aa2.dll"

C:\Windows\SysWOW64\regsvr32.exe

-s "C:\Users\Admin\AppData\Local\Temp\a8a24ff6f2021b620eeb073eef6549a4408014835883bebfadfad28887067aa2.dll"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Umkgzcrot" /d "0"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Eroluhwur" /d "0"

Network

N/A

Files

memory/2508-0-0x00000000744C0000-0x000000007466B000-memory.dmp

memory/2508-1-0x00000000744C0000-0x000000007466B000-memory.dmp

memory/2508-4-0x00000000744C0000-0x000000007466B000-memory.dmp

memory/2508-3-0x0000000074650000-0x0000000074656000-memory.dmp

memory/2576-5-0x00000000000B0000-0x00000000000B2000-memory.dmp

memory/2576-7-0x0000000000080000-0x00000000000A1000-memory.dmp

memory/2508-8-0x00000000744C0000-0x000000007466B000-memory.dmp

memory/2576-11-0x0000000000080000-0x00000000000A1000-memory.dmp

memory/2576-13-0x0000000000080000-0x00000000000A1000-memory.dmp

memory/2576-12-0x0000000000080000-0x00000000000A1000-memory.dmp

memory/2576-15-0x0000000000080000-0x00000000000A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a8a24ff6f2021b620eeb073eef6549a4408014835883bebfadfad28887067aa2.dll

MD5 2f24812ec4d8c7a26a71f58b922db523
SHA1 4c44eb5006e99bc72d728a31929461a3a500b2a7
SHA256 a8a24ff6f2021b620eeb073eef6549a4408014835883bebfadfad28887067aa2
SHA512 35dac3271667b2087ae9724d018dff96ba4eba8229e12e61f952d8434cc06e67830bb6dd4b76e2976394d228ec858b15cfb58d9dd1aa20500a9f26ac78df1206

memory/2856-20-0x0000000073BF0000-0x0000000073D9B000-memory.dmp

memory/2856-21-0x0000000073BF0000-0x0000000073D9B000-memory.dmp

memory/2856-24-0x0000000073BF0000-0x0000000073D9B000-memory.dmp

memory/2864-27-0x0000000000080000-0x00000000000A1000-memory.dmp

memory/2864-28-0x0000000000080000-0x00000000000A1000-memory.dmp

memory/2864-26-0x0000000000080000-0x00000000000A1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-21 00:50

Reported

2024-11-21 00:52

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

95s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\a8a24ff6f2021b620eeb073eef6549a4408014835883bebfadfad28887067aa2.dll,#1

Signatures

Qakbot family

qakbot

Qakbot/Qbot

trojan banker stealer qakbot

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Nwkavejjz = "0" | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Ewhearvhuv = "0" | C:\Windows\system32\reg.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Wqoaaier\c324bef7 = e3f6bd942c2c76893cd74dbe8688d5b3794d45dd | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Wqoaaier\bc6dd101 = 124400cc24304a76b4ce6cd25aa7e34bb6ab4e3d170955f639136a56947522cf05b51c25dd | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Wqoaaier\8bb32133 = acb443c2ce960aa1cd033a410c851c8b19415af2c5377e151fc4d014ae7aea642529c96b1236e9fbd84df211f4785191a942ac7878bc3851b333bdca9def85fff147f4a5b612c30517f60e0236c8b94f69e0eb0395f6b530a15aa893 | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Wqoaaier\4e0709dc = 3ef8290b6cb3943dfdc8077589e8f343293926eb3c11ab3e41b0603688fc86 | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Wqoaaier\f6bb6eb9 = 45f12b7dd1e5e902ad7c6315e247fb5bb29ae2f4919aa46cb733bd4790c10f | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Wqoaaier\bc6dd101 = 124417cc24307fd997f68f112d3389bdf331b9d957b5d4d4fe4a6a260f672175065b76faf3c2235599a7d007de65c156a231119eb0b931627956 | C:\Windows\SysWOW64\explorer.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Wqoaaier | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Wqoaaier\89f2014f = 3d37a092d5e66c84f7b07f4a8b2bdcc6dca20a3678c080f695e275a902146d67deb3794ec65f88174c5b4ce21932b53b082992a8e46d03439ac232cd4d87d4d32465732c0988feb60289b0f345a20588a0646d440b0d816aada2c5294f9398dcd89f368d43ada133a55abc82011ef055c408f3787705f5fd4344d04687 | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Wqoaaier\330f4656 = 3eed7f29917338a4b8be79dc31cecd7fac07f7a85515fcc7bebc441a98d611 | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Wqoaaier\314e662a = a7158b9aadbbbfe6f127755f5bad024b70ca95b09e358037b3da56ee4f | C:\Windows\SysWOW64\explorer.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 1600 wrote to memory of 3144 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe | 3
PID 3144 wrote to memory of 1388 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\explorer.exe | 5
PID 1388 wrote to memory of 752 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\schtasks.exe | 3
PID 4472 wrote to memory of 4912 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe | 3
PID 4912 wrote to memory of 660 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\explorer.exe | 5
PID 660 wrote to memory of 632 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\reg.exe | 2
PID 660 wrote to memory of 4540 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\reg.exe | 2

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\a8a24ff6f2021b620eeb073eef6549a4408014835883bebfadfad28887067aa2.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\a8a24ff6f2021b620eeb073eef6549a4408014835883bebfadfad28887067aa2.dll,#1

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn owbbhhgno /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\a8a24ff6f2021b620eeb073eef6549a4408014835883bebfadfad28887067aa2.dll\"" /SC ONCE /Z /ST 00:52 /ET 01:04

C:\Windows\system32\regsvr32.exe

regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\a8a24ff6f2021b620eeb073eef6549a4408014835883bebfadfad28887067aa2.dll"

C:\Windows\SysWOW64\regsvr32.exe

-s "C:\Users\Admin\AppData\Local\Temp\a8a24ff6f2021b620eeb073eef6549a4408014835883bebfadfad28887067aa2.dll"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Nwkavejjz" /d "0"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Ewhearvhuv" /d "0"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp

Files

memory/3144-1-0x0000000075260000-0x0000000075266000-memory.dmp

memory/3144-4-0x00000000750D0000-0x000000007527B000-memory.dmp

memory/3144-2-0x00000000750D0000-0x000000007527B000-memory.dmp

memory/3144-0-0x00000000750D0000-0x000000007527B000-memory.dmp

memory/3144-5-0x00000000750D0000-0x000000007527B000-memory.dmp

memory/1388-6-0x00000000010E0000-0x0000000001101000-memory.dmp

memory/1388-10-0x00000000010E0000-0x0000000001101000-memory.dmp

memory/1388-12-0x00000000010E0000-0x0000000001101000-memory.dmp

memory/1388-11-0x00000000010E0000-0x0000000001101000-memory.dmp

memory/1388-14-0x00000000010E0000-0x0000000001101000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a8a24ff6f2021b620eeb073eef6549a4408014835883bebfadfad28887067aa2.dll

MD5 2f24812ec4d8c7a26a71f58b922db523
SHA1 4c44eb5006e99bc72d728a31929461a3a500b2a7
SHA256 a8a24ff6f2021b620eeb073eef6549a4408014835883bebfadfad28887067aa2
SHA512 35dac3271667b2087ae9724d018dff96ba4eba8229e12e61f952d8434cc06e67830bb6dd4b76e2976394d228ec858b15cfb58d9dd1aa20500a9f26ac78df1206

memory/4912-19-0x0000000073930000-0x0000000073ADB000-memory.dmp

memory/4912-18-0x0000000073930000-0x0000000073ADB000-memory.dmp

\??\PIPE\wkssvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4912-22-0x0000000073930000-0x0000000073ADB000-memory.dmp

memory/660-24-0x0000000000AA0000-0x0000000000AC1000-memory.dmp

memory/660-25-0x0000000000AA0000-0x0000000000AC1000-memory.dmp

memory/660-26-0x0000000000AA0000-0x0000000000AC1000-memory.dmp