Malware Analysis Report

2024-11-30 13:29

Sample ID 241121-agw3mawdrf
Target cffd139605da08354ec82ae6acc030bef2ccef95879d98e71f3b9366cd65e6a9.exe
SHA256 cffd139605da08354ec82ae6acc030bef2ccef95879d98e71f3b9366cd65e6a9
Tags
qakbot biden53 1634717752 banker discovery evasion stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cffd139605da08354ec82ae6acc030bef2ccef95879d98e71f3b9366cd65e6a9

Threat Level: Known bad

The file cffd139605da08354ec82ae6acc030bef2ccef95879d98e71f3b9366cd65e6a9.exe was found to be: Known bad.

Malicious Activity Summary

qakbot biden53 1634717752 banker discovery evasion stealer trojan

Qakbot family

Windows security bypass

Qakbot/Qbot

Loads dropped DLL

System Location Discovery: System Language Discovery

Unsigned PE

Modifies data under HKEY_USERS

Scheduled Task/Job: Scheduled Task

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-21 00:11

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-21 00:11

Reported

2024-11-21 00:13

Platform

win7-20240903-en

Max time kernel

120s

Max time network

16s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cffd139605da08354ec82ae6acc030bef2ccef95879d98e71f3b9366cd65e6a9.dll,#1

Signatures

Qakbot family

qakbot

Qakbot/Qbot

trojan banker stealer qakbot

Windows security bypass

evasion trojan

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Cmanvugjhcux = "0" | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Ryrtkozswev = "0" | C:\Windows\system32\reg.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Zvjaxhdnnbomko\bef74679 = 204d99132bd762cbe24acd05c0ef1497f6e784c82317944693f1e41761bbbaf3d9f37fce730aa2aabe C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Zvjaxhdnnbomko\4c9d9ea4 = f96683f85c9f0aff7c6de1b37c29a99d52b6241dd51af256a72dc5b7e4db30 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Zvjaxhdnnbomko\c1be298f = 68b1ed89c10f3538361498709cb4811bb040283a7913603ada03604b5a53d3bc1da5499aa222141234421095fdeb7540a898d2a2d36182bc713cfb785bc394cfe80fe3945fea9e81a7cdcfc7f057127052de8d134675715e C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Zvjaxhdnnbomko C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Zvjaxhdnnbomko\8b689637 = dd9fe7c7ab575bb390e65d53408c7df3d0f617c7c8812d9d4b5243a5bfec8256a12bef7be0dcf0f9e67b7d974d2aa3a19dba595de5096a51272ca413397af2578a5f8d48541b0a4518f232ed4684b2e35f7549ac4226cdb9416a243e0e814f5694b60927e918e199c9768fd26e03d590f790287a1d02ea26dda578e20d35979ddcbf56b451d7c0a81dd8a2be049165ebbfa82eaab4dcbb0c2dbf9bbc1b393ac7640faa02ae59a200cd189b9e725b7a3ad1ae4e41dd13102479fd276f06f1e88baf897a9c2fae38b496eb7f31 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Zvjaxhdnnbomko\8929b64b = a0f59e4acec5a22b531830b9c977459680e60db0ee8ddca9c04aa3d0c30129b868f29fd267cdf419188765474b1babd76700d9361ff64214b9e405f3108986893930175feeb83e6ff68c64800ce6a3fd55905639ecda3bd9d80309c644d58f33fbfa02780992437a28ed01f6 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Zvjaxhdnnbomko\3195d12e = 30633b5932c9cfc9d201101822ad607b9d3309202c675d9f7fd82f1574433574ddb693f1b13f7b700d321e399c21139b9fbd73b1a724ee1e54df826a0b51f28dc753fa5aabf3408d62887b3a1a8efe1ac53f4a61a773ab61 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Zvjaxhdnnbomko\f421f9c1 = 666a86fa9e78cbdfa7609f889539ef8ab2464861ba5c534299f5ede432d095f3990e76e2db50860a8ccf621746571711c287b9d00d25dc3d76d8adc7075d568c4aa5e0168d3c421e17a98059971f8fa61211b57d32a0da2a069298facccdd0e1311f946b C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Zvjaxhdnnbomko\33d4f152 = 4e84f1843e66ad1ec6f7c2e77238b34b360a81522c9e8e9eb8598e218a91393ce29870344380c3c604c7b40d8506b04a9b41c54385faf5e4a35571fb4e0267b42a6fd6dacb520a22cc353055 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Zvjaxhdnnbomko\bef74679 = 204d8e132bd7576d45d45aaae7fb9e82cff706407628f709212cc3d249b819f6c8f3cc584801d179eae0e92cb96a1a1d5741f870a5526b53e222dd833ed2 C:\Windows\SysWOW64\explorer.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1744 wrote to memory of 1936 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1744 wrote to memory of 1936 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1744 wrote to memory of 1936 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1744 wrote to memory of 1936 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1744 wrote to memory of 1936 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1744 wrote to memory of 1936 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1744 wrote to memory of 1936 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1936 wrote to memory of 1168 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\explorer.exe
PID 1936 wrote to memory of 1168 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\explorer.exe
PID 1936 wrote to memory of 1168 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\explorer.exe
PID 1936 wrote to memory of 1168 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\explorer.exe
PID 1936 wrote to memory of 1168 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\explorer.exe
PID 1936 wrote to memory of 1168 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\explorer.exe
PID 1168 wrote to memory of 2924 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1168 wrote to memory of 2924 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1168 wrote to memory of 2924 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1168 wrote to memory of 2924 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1464 wrote to memory of 2932 | N/A | C:\Windows\system32\taskeng.exe | C:\Windows\system32\regsvr32.exe
PID 1464 wrote to memory of 2932 | N/A | C:\Windows\system32\taskeng.exe | C:\Windows\system32\regsvr32.exe
PID 1464 wrote to memory of 2932 | N/A | C:\Windows\system32\taskeng.exe | C:\Windows\system32\regsvr32.exe
PID 1464 wrote to memory of 2932 | N/A | C:\Windows\system32\taskeng.exe | C:\Windows\system32\regsvr32.exe
PID 1464 wrote to memory of 2932 | N/A | C:\Windows\system32\taskeng.exe | C:\Windows\system32\regsvr32.exe
PID 2932 wrote to memory of 1816 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2932 wrote to memory of 1816 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2932 wrote to memory of 1816 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2932 wrote to memory of 1816 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2932 wrote to memory of 1816 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2932 wrote to memory of 1816 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2932 wrote to memory of 1816 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1816 wrote to memory of 2956 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\explorer.exe
PID 1816 wrote to memory of 2956 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\explorer.exe
PID 1816 wrote to memory of 2956 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\explorer.exe
PID 1816 wrote to memory of 2956 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\explorer.exe
PID 1816 wrote to memory of 2956 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\explorer.exe
PID 1816 wrote to memory of 2956 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\explorer.exe
PID 2956 wrote to memory of 3028 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\reg.exe
PID 2956 wrote to memory of 3028 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\reg.exe
PID 2956 wrote to memory of 3028 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\reg.exe
PID 2956 wrote to memory of 3028 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\reg.exe
PID 2956 wrote to memory of 1100 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\reg.exe
PID 2956 wrote to memory of 1100 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\reg.exe
PID 2956 wrote to memory of 1100 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\reg.exe
PID 2956 wrote to memory of 1100 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\reg.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cffd139605da08354ec82ae6acc030bef2ccef95879d98e71f3b9366cd65e6a9.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cffd139605da08354ec82ae6acc030bef2ccef95879d98e71f3b9366cd65e6a9.dll,#1

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn tmrdbvir /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\cffd139605da08354ec82ae6acc030bef2ccef95879d98e71f3b9366cd65e6a9.dll\"" /SC ONCE /Z /ST 00:13 /ET 00:25

C:\Windows\system32\taskeng.exe

taskeng.exe {64AA58DE-7159-46C1-A409-270AF0D43FDD} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\system32\regsvr32.exe

regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\cffd139605da08354ec82ae6acc030bef2ccef95879d98e71f3b9366cd65e6a9.dll"

C:\Windows\SysWOW64\regsvr32.exe

-s "C:\Users\Admin\AppData\Local\Temp\cffd139605da08354ec82ae6acc030bef2ccef95879d98e71f3b9366cd65e6a9.dll"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Cmanvugjhcux" /d "0"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Ryrtkozswev" /d "0"

Network

N/A

Files

memory/1936-0-0x0000000074D60000-0x0000000074E9E000-memory.dmp

memory/1936-1-0x0000000074D60000-0x0000000074E9E000-memory.dmp

memory/1936-4-0x0000000074D60000-0x0000000074E9E000-memory.dmp

memory/1936-3-0x0000000074E8D000-0x0000000074E93000-memory.dmp

memory/1168-5-0x00000000000F0000-0x00000000000F2000-memory.dmp

memory/1168-7-0x00000000000C0000-0x00000000000E1000-memory.dmp

memory/1936-8-0x0000000074D60000-0x0000000074E9E000-memory.dmp

memory/1168-11-0x00000000000C0000-0x00000000000E1000-memory.dmp

memory/1168-12-0x00000000000C0000-0x00000000000E1000-memory.dmp

memory/1168-14-0x00000000000C0000-0x00000000000E1000-memory.dmp

memory/1168-13-0x00000000000C0000-0x00000000000E1000-memory.dmp

memory/1168-15-0x00000000000C0000-0x00000000000E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cffd139605da08354ec82ae6acc030bef2ccef95879d98e71f3b9366cd65e6a9.dll

MD5 d8750f0357dffef6b450fc4068c715f8
SHA1 1ea42bb636b9f63cc50d7b90970fed7c832937fa
SHA256 cffd139605da08354ec82ae6acc030bef2ccef95879d98e71f3b9366cd65e6a9
SHA512 2c0f4816260df2f6e2c0cdd9c271cb1854c79162bbd116e62c3cf141d57fa540b6456171ad48017c32c48059fc5f53be15980afca366dfe55da851bd09330933

memory/1816-21-0x0000000074310000-0x000000007444E000-memory.dmp

memory/1816-20-0x0000000074310000-0x000000007444E000-memory.dmp

memory/1816-24-0x0000000074310000-0x000000007444E000-memory.dmp

memory/2956-26-0x0000000000080000-0x00000000000A1000-memory.dmp

memory/2956-27-0x0000000000080000-0x00000000000A1000-memory.dmp

memory/2956-28-0x0000000000080000-0x00000000000A1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-21 00:11

Reported

2024-11-21 00:13

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

96s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cffd139605da08354ec82ae6acc030bef2ccef95879d98e71f3b9366cd65e6a9.dll,#1

Signatures

Qakbot family

qakbot

Qakbot/Qbot

trojan banker stealer qakbot

Windows security bypass

evasion trojan

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Bmslmawbsh = "0" | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Laaehf = "0" | C:\Windows\system32\reg.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Xxvgcpbeybrdfa\86be0683 = abbabd0f8b6706c73f927ae60232 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Xxvgcpbeybrdfa\b321d6cd = 4a7c9dba88e0593dceb8def878c4a38187326cf1725b11f9c66c0629e66536e3099a1a4851d93888699c2db3b9521d99591c659a50503b8f36358073adf36330a02bd475d7110378d1306d2b67d4585b082c33b6555759eb1f9726504a07e52d680a049e9905430c4a1cea8415d9f587 C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Xxvgcpbeybrdfa C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Xxvgcpbeybrdfa\b160f6b1 = c618de3410d953317c9411648861fd62f7421854c4c2d22f1638f392da40ebc491cc10bd7988e2782ffe25344b30536d618175bb09d6bca92a35c4f5135f876e090a98da0c390b21 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Xxvgcpbeybrdfa\9dc91d4 = 375c81286f2565b6caefb773cd7b2460a24b11579863971fc6d391820a64a786399848adbec705e977b8 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Xxvgcpbeybrdfa\74d4de5e = 7311b2ab20cb4e58b3146a9e560e84760b1504191a67b0cf5a7dfadd6846331b3c8f4ad61520ae90cf732029fc9530a9ab195bf26c819d2eddd393a6f7dc60991da5cbe27ec8635357a46eab9a076d56cac9bac24a6d9886591442b849792b02 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Xxvgcpbeybrdfa\cc68b93b = 71f8d58309558a04e6c06cb8b3df058f6661c1c01b3c698b3f7126f61d8034895a20f81d8999da7936b36bc2a4c26842596a7a27015a5abc542673fac1041f310772ec47c74fc64315b5ffc1d1dce56bf50aed5b4842f4a82ca56f105c96 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Xxvgcpbeybrdfa\b9db1a8 = ce80af1020d9066ff4235b2950094931011783db7b6673545df3cff1b4cbf517c39cfce5c4e56f1199e70ecdc7195dbf5cfd0981bea456ecfb7b26508ccbb241f06d4418e29ce0d7e6624489ed4fb57d168af7ab76dfed9eb1b95d07c1f5392417d80b29e63c279b0f5edf45115cda1ac53d C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Xxvgcpbeybrdfa\f9f76975 = 8f1ce8b454351f7645b3d48faf123145d4eb0cf1cccee4fd4a6c70116943b02dbf575be2f1439fef4904bdc5dd319d79b3ddc2901dd6cc8fa0cad9ac33fe0a64dbf334effeb25de959a340bc82099523006a0f1df41da24357cf32e7e767dc C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Xxvgcpbeybrdfa\86be0683 = abbaaa0f8b6733b0e908856a88e8e47aec9bc765c4ffcccde1a8c1e2eed7890b648220 C:\Windows\SysWOW64\explorer.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3180 wrote to memory of 116 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3180 wrote to memory of 116 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3180 wrote to memory of 116 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 116 wrote to memory of 2932 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\explorer.exe
PID 116 wrote to memory of 2932 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\explorer.exe
PID 116 wrote to memory of 2932 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\explorer.exe
PID 116 wrote to memory of 2932 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\explorer.exe
PID 116 wrote to memory of 2932 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\explorer.exe
PID 2932 wrote to memory of 436 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2932 wrote to memory of 436 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2932 wrote to memory of 436 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1820 wrote to memory of 3532 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1820 wrote to memory of 3532 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1820 wrote to memory of 3532 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 3532 wrote to memory of 3776 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\explorer.exe
PID 3532 wrote to memory of 3776 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\explorer.exe
PID 3532 wrote to memory of 3776 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\explorer.exe
PID 3532 wrote to memory of 3776 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\explorer.exe
PID 3532 wrote to memory of 3776 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\explorer.exe
PID 3776 wrote to memory of 996 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\reg.exe
PID 3776 wrote to memory of 996 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\reg.exe
PID 3776 wrote to memory of 4384 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\reg.exe
PID 3776 wrote to memory of 4384 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\reg.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cffd139605da08354ec82ae6acc030bef2ccef95879d98e71f3b9366cd65e6a9.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cffd139605da08354ec82ae6acc030bef2ccef95879d98e71f3b9366cd65e6a9.dll,#1

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ddkldeyc /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\cffd139605da08354ec82ae6acc030bef2ccef95879d98e71f3b9366cd65e6a9.dll\"" /SC ONCE /Z /ST 00:13 /ET 00:25

C:\Windows\system32\regsvr32.exe

regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\cffd139605da08354ec82ae6acc030bef2ccef95879d98e71f3b9366cd65e6a9.dll"

C:\Windows\SysWOW64\regsvr32.exe

-s "C:\Users\Admin\AppData\Local\Temp\cffd139605da08354ec82ae6acc030bef2ccef95879d98e71f3b9366cd65e6a9.dll"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Bmslmawbsh" /d "0"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Laaehf" /d "0"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp

Files

memory/116-0-0x00000000752F0000-0x000000007542E000-memory.dmp

memory/116-2-0x00000000752F0000-0x000000007542E000-memory.dmp

memory/116-3-0x00000000752F0000-0x000000007542E000-memory.dmp

memory/116-1-0x000000007541D000-0x0000000075423000-memory.dmp

memory/2932-5-0x0000000000560000-0x0000000000581000-memory.dmp

memory/116-6-0x00000000752F0000-0x000000007542E000-memory.dmp

memory/2932-11-0x0000000000560000-0x0000000000581000-memory.dmp

memory/2932-10-0x0000000000560000-0x0000000000581000-memory.dmp

memory/2932-9-0x0000000000560000-0x0000000000581000-memory.dmp

memory/2932-13-0x0000000000560000-0x0000000000581000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cffd139605da08354ec82ae6acc030bef2ccef95879d98e71f3b9366cd65e6a9.dll

MD5 d8750f0357dffef6b450fc4068c715f8
SHA1 1ea42bb636b9f63cc50d7b90970fed7c832937fa
SHA256 cffd139605da08354ec82ae6acc030bef2ccef95879d98e71f3b9366cd65e6a9
SHA512 2c0f4816260df2f6e2c0cdd9c271cb1854c79162bbd116e62c3cf141d57fa540b6456171ad48017c32c48059fc5f53be15980afca366dfe55da851bd09330933

memory/3532-17-0x0000000073BC0000-0x0000000073CFE000-memory.dmp

memory/3532-18-0x0000000073BC0000-0x0000000073CFE000-memory.dmp

memory/3532-20-0x0000000073BC0000-0x0000000073CFE000-memory.dmp

memory/3776-22-0x0000000000C10000-0x0000000000C31000-memory.dmp

memory/3776-23-0x0000000000C10000-0x0000000000C31000-memory.dmp

memory/3776-24-0x0000000000C10000-0x0000000000C31000-memory.dmp