Malware Analysis Report

2024-11-30 13:29

Sample ID 241122-l72xcaymgx
Target ba6275b5a96e023334f2e5e3a02b1afea4543071eb867bbc170782926f7ed6c6.exe
SHA256 ba6275b5a96e023334f2e5e3a02b1afea4543071eb867bbc170782926f7ed6c6
Tags
qakbot tr 1634541613 banker discovery evasion stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

ba6275b5a96e023334f2e5e3a02b1afea4543071eb867bbc170782926f7ed6c6

Threat Level: Known bad

The file ba6275b5a96e023334f2e5e3a02b1afea4543071eb867bbc170782926f7ed6c6.exe was found to be: Known bad.

Malicious Activity Summary

Qakbot family

Qakbot/Qbot

Windows security bypass

Loads dropped DLL

System Location Discovery: System Language Discovery

Unsigned PE

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-22 10:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-22 10:11

Reported

2024-11-22 10:13

Platform

win7-20240708-en

Max time kernel

137s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ba6275b5a96e023334f2e5e3a02b1afea4543071eb867bbc170782926f7ed6c6.dll,#1

Signatures

Qakbot family

qakbot

Qakbot/Qbot

trojan banker stealer qakbot

Windows security bypass

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Srdjj = "0" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Pksyuyupoal = "0" C:\Windows\system32\reg.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Wnyedyoso\50b456b3 = 3578df6724b11a3b546d52cb3e340e1fe774bc50c149d47f8dc329dd5ff8745c59dac18a8944c87075938f851419f6f06cffba67ec56be947780d85de2945a5dd5468c24522dfac7751300d7c85cc63a84e94db4ab43f4702c7da2d17464b4f588251ab741cfc714766025 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Wnyedyoso\676aa681 = bef18c2f3747e01c731903554802527eec0493d989b15131ee8fce69a4cafa0436684d6810738ce58b4201ab1fda9bd7bfebc2d28d15cb5b985cdae69c7b0221127157d8ab6b574844d6564e03d47603cdd3e7cdfa8b934bc497437edca794b3061f84b405 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Wnyedyoso\a2de8e6e = 7ee2f1583518821e4925bdeeacda900fa8207d3f80c01a69956414d117e97eb54043674e95 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Wnyedyoso\1a62e90b = 949c302cddb2ea6c7498dca2b920c79117fab19f629932210090ea5f965de33c73177219634f083d67ad36cc C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Wnyedyoso\2ffd3945 = 4fbeb4792d5d0d040c97c49c0e7e977a3cf8cd6615589f8e3cfc07a2 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Wnyedyoso\50b456b3 = 3578c86724b12fdb37f60034c6fcd8953fc5c31344f2b114de419bcf48e28669eb237defb1eaf3f1bf864ee16bc7fa1db78ab5d27706f418f650d8b83b868bacfcad7df407c2d342937ea6abf6dda82f9cce82a77028834db4ddaf45946c5482d641747726b72790c6c2acc208f9e93bdc20964554d43fb2c7edc3bef57e34e2 C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Wnyedyoso C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Wnyedyoso\652b86fd = bb72bbda5c1240e5e66a2268bb1a193b281f0667a1e5ca9dc6e3b61942f876325b9576e12572261090e0e6c88c985ee18a576601a037f3e5b1bb185a5ab2db0ab40a257bbdf412f386cedcbc5f42a5c857c5d83478165a32a1b6f694d7dde01990dd4f68f3dd47c045cbf093188a90985e13c1e5575e28cb163f1f C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Wnyedyoso\dfd6c1e4 = a940426f3467a94b8a2dfef80cce45d8177161b3ed8a9a96874a111a7902c6217e91e4f7e4a054a11c581453bf898c6c9c22 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Wnyedyoso\dd97e198 = dfe36db155b6c109f64fb478ce91246da4764e60347537d0be31126c66f32c4eabc3e6b7c72fd207533f54937187de213bc95276cadcdfc9c55263451d86cf59fd952aeca70570ef731aaf3f596d13fdb823f7 C:\Windows\SysWOW64\explorer.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1900 wrote to memory of 2280 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1900 wrote to memory of 2280 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1900 wrote to memory of 2280 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1900 wrote to memory of 2280 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1900 wrote to memory of 2280 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1900 wrote to memory of 2280 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1900 wrote to memory of 2280 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2280 wrote to memory of 2764 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\explorer.exe
PID 2280 wrote to memory of 2764 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\explorer.exe
PID 2280 wrote to memory of 2764 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\explorer.exe
PID 2280 wrote to memory of 2764 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\explorer.exe
PID 2280 wrote to memory of 2764 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\explorer.exe
PID 2280 wrote to memory of 2764 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\explorer.exe
PID 2764 wrote to memory of 2772 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\schtasks.exe
PID 2764 wrote to memory of 2772 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\schtasks.exe
PID 2764 wrote to memory of 2772 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\schtasks.exe
PID 2764 wrote to memory of 2772 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\schtasks.exe
PID 2912 wrote to memory of 700 N/A C:\Windows\system32\taskeng.exe C:\Windows\system32\regsvr32.exe
PID 2912 wrote to memory of 700 N/A C:\Windows\system32\taskeng.exe C:\Windows\system32\regsvr32.exe
PID 2912 wrote to memory of 700 N/A C:\Windows\system32\taskeng.exe C:\Windows\system32\regsvr32.exe
PID 2912 wrote to memory of 700 N/A C:\Windows\system32\taskeng.exe C:\Windows\system32\regsvr32.exe
PID 2912 wrote to memory of 700 N/A C:\Windows\system32\taskeng.exe C:\Windows\system32\regsvr32.exe
PID 700 wrote to memory of 2804 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 700 wrote to memory of 2804 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 700 wrote to memory of 2804 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 700 wrote to memory of 2804 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 700 wrote to memory of 2804 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 700 wrote to memory of 2804 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 700 wrote to memory of 2804 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2804 wrote to memory of 2420 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 2804 wrote to memory of 2420 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 2804 wrote to memory of 2420 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 2804 wrote to memory of 2420 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 2804 wrote to memory of 2420 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 2804 wrote to memory of 2420 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 2420 wrote to memory of 2316 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe
PID 2420 wrote to memory of 2316 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe
PID 2420 wrote to memory of 2316 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe
PID 2420 wrote to memory of 2316 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe
PID 2420 wrote to memory of 1688 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe
PID 2420 wrote to memory of 1688 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe
PID 2420 wrote to memory of 1688 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe
PID 2420 wrote to memory of 1688 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ba6275b5a96e023334f2e5e3a02b1afea4543071eb867bbc170782926f7ed6c6.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ba6275b5a96e023334f2e5e3a02b1afea4543071eb867bbc170782926f7ed6c6.dll,#1

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn tkxumndic /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\ba6275b5a96e023334f2e5e3a02b1afea4543071eb867bbc170782926f7ed6c6.dll\"" /SC ONCE /Z /ST 10:13 /ET 10:25

C:\Windows\system32\taskeng.exe

taskeng.exe {EB6DC9BC-0220-44E5-A01B-85F59EBBB6CC} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\system32\regsvr32.exe

regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\ba6275b5a96e023334f2e5e3a02b1afea4543071eb867bbc170782926f7ed6c6.dll"

C:\Windows\SysWOW64\regsvr32.exe

-s "C:\Users\Admin\AppData\Local\Temp\ba6275b5a96e023334f2e5e3a02b1afea4543071eb867bbc170782926f7ed6c6.dll"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Srdjj" /d "0"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Pksyuyupoal" /d "0"

Network

N/A

Files

memory/2280-1-0x0000000074A30000-0x0000000074BDB000-memory.dmp

memory/2280-0-0x0000000074A30000-0x0000000074BDB000-memory.dmp

memory/2280-4-0x0000000074A30000-0x0000000074BDB000-memory.dmp

memory/2280-3-0x0000000074BC0000-0x0000000074BC6000-memory.dmp

memory/2764-5-0x00000000000B0000-0x00000000000B2000-memory.dmp

memory/2764-7-0x0000000000080000-0x00000000000A1000-memory.dmp

memory/2280-9-0x0000000074A30000-0x0000000074BDB000-memory.dmp

memory/2764-14-0x0000000000080000-0x00000000000A1000-memory.dmp

memory/2764-13-0x0000000000080000-0x00000000000A1000-memory.dmp

memory/2764-12-0x0000000000080000-0x00000000000A1000-memory.dmp

memory/2764-15-0x0000000000080000-0x00000000000A1000-memory.dmp

memory/2764-16-0x0000000000080000-0x00000000000A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ba6275b5a96e023334f2e5e3a02b1afea4543071eb867bbc170782926f7ed6c6.dll

MD5 1a08c65ed3d2e8d3f85cd07b1c7d645d
SHA1 ef75bb2f2db20c678f9b4b2c8af75a7f645368c1
SHA256 ba6275b5a96e023334f2e5e3a02b1afea4543071eb867bbc170782926f7ed6c6
SHA512 06894f16a7a2691c6ef78c1c352441cdabbf791778bdb55a50e524a066374cffc2f55c02d0d4ce44aab5c673c8e4e3811d0c9794aa6e47e3e59c7b6e0fa0db63

memory/2804-21-0x0000000074180000-0x000000007432B000-memory.dmp

memory/2804-22-0x0000000074180000-0x000000007432B000-memory.dmp

\??\PIPE\wkssvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2804-26-0x0000000074180000-0x000000007432B000-memory.dmp

memory/2420-28-0x0000000000080000-0x00000000000A1000-memory.dmp

memory/2420-30-0x0000000000080000-0x00000000000A1000-memory.dmp

memory/2420-29-0x0000000000080000-0x00000000000A1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-22 10:11

Reported

2024-11-22 10:13

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ba6275b5a96e023334f2e5e3a02b1afea4543071eb867bbc170782926f7ed6c6.dll,#1

Signatures

Qakbot family

qakbot

Qakbot/Qbot

trojan banker stealer qakbot

Windows security bypass

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Uuwaaeeiv = "0" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Epqoiwngxc = "0" C:\Windows\system32\reg.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Pciigvmbl\a0b74842 = c78eb6c320e3556aec9fa88e9d5f8699f9be0e4ffc1db97f1527675056f480e8dfedfbdf0c6448496f89c508bc75d0419fe0846dfc06b557a93ee6fccf6013bb76b8d6463f8abb78079046e23d75b0a4b2bbcb31246257c0bf53c94dcf877945215b20de37ac C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Pciigvmbl\a2f6683e = 87be2349a8c5b1ad4673f18d417e C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Pciigvmbl\674240d1 = da112ca51fa533365b9a312099696eb36b1398903d5459e78c780d507776efdd7af5f941677fd5bc3d559402d7bce25491f6b14f7e1d8db31d83a076eea39144a2746152 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Pciigvmbl\dffe27b4 = d768776d20f414d5c359f04d29d2 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Pciigvmbl\ea61f7fa = e14b388fb1798b638ed44ebbe14c9238582c4306abe7e779071c86db9e C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Pciigvmbl\9528980c = e57135ac735cbd4dcb6c73142b07f314a2697f5a2c191f1ad96a05fe03f4e26030a6a21d9c8eca3f9cdb7d571095d8b0802eaeb983efe965378a70a528b405e7 C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Pciigvmbl C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Pciigvmbl\9528980c = e57122ac735c880b1534d7818ac5b3fbb5eeaae844efce467df33a0bbd01eff6593b6661ad687d491eea12 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Pciigvmbl\1a4a0f5b = 4cd4e89debd967c23c6c30a908a20b3f6abaf0ea64d4a512c2a30d3fac6cdd7c992cba9828e63d79a3ba5169c24c8bac30bb43743237783734d3802b9f20c91c224040981500bc3e23dd61a0d516958d0bff6bebfd0739502860577893a3 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Pciigvmbl\180b2f27 = 986270c64b08d1e14328164408953ab5c3ead5a30e C:\Windows\SysWOW64\explorer.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3988 wrote to memory of 4144 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3988 wrote to memory of 4144 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3988 wrote to memory of 4144 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4144 wrote to memory of 4544 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\explorer.exe
PID 4144 wrote to memory of 4544 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\explorer.exe
PID 4144 wrote to memory of 4544 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\explorer.exe
PID 4144 wrote to memory of 4544 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\explorer.exe
PID 4144 wrote to memory of 4544 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\explorer.exe
PID 4544 wrote to memory of 5108 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\schtasks.exe
PID 4544 wrote to memory of 5108 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\schtasks.exe
PID 4544 wrote to memory of 5108 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\schtasks.exe
PID 2428 wrote to memory of 3760 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2428 wrote to memory of 3760 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2428 wrote to memory of 3760 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3760 wrote to memory of 3080 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 3760 wrote to memory of 3080 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 3760 wrote to memory of 3080 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 3760 wrote to memory of 3080 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 3760 wrote to memory of 3080 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 3080 wrote to memory of 1264 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe
PID 3080 wrote to memory of 1264 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe
PID 3080 wrote to memory of 740 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe
PID 3080 wrote to memory of 740 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ba6275b5a96e023334f2e5e3a02b1afea4543071eb867bbc170782926f7ed6c6.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ba6275b5a96e023334f2e5e3a02b1afea4543071eb867bbc170782926f7ed6c6.dll,#1

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn nkboxckgl /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\ba6275b5a96e023334f2e5e3a02b1afea4543071eb867bbc170782926f7ed6c6.dll\"" /SC ONCE /Z /ST 10:13 /ET 10:25

C:\Windows\system32\regsvr32.exe

regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\ba6275b5a96e023334f2e5e3a02b1afea4543071eb867bbc170782926f7ed6c6.dll"

C:\Windows\SysWOW64\regsvr32.exe

-s "C:\Users\Admin\AppData\Local\Temp\ba6275b5a96e023334f2e5e3a02b1afea4543071eb867bbc170782926f7ed6c6.dll"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Uuwaaeeiv" /d "0"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Epqoiwngxc" /d "0"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 158.161.55.23.in-addr.arpa udp

Files

memory/4144-0-0x00000000756A0000-0x000000007584B000-memory.dmp

memory/4144-1-0x0000000075830000-0x0000000075836000-memory.dmp

memory/4144-2-0x00000000756A0000-0x000000007584B000-memory.dmp

memory/4144-3-0x00000000756A0000-0x000000007584B000-memory.dmp

memory/4144-5-0x00000000756A0000-0x000000007584B000-memory.dmp

memory/4544-6-0x00000000004B0000-0x00000000004D1000-memory.dmp

memory/4544-10-0x00000000004B0000-0x00000000004D1000-memory.dmp

memory/4544-12-0x00000000004B0000-0x00000000004D1000-memory.dmp

memory/4544-11-0x00000000004B0000-0x00000000004D1000-memory.dmp

memory/4544-14-0x00000000004B0000-0x00000000004D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ba6275b5a96e023334f2e5e3a02b1afea4543071eb867bbc170782926f7ed6c6.dll

MD5 1a08c65ed3d2e8d3f85cd07b1c7d645d
SHA1 ef75bb2f2db20c678f9b4b2c8af75a7f645368c1
SHA256 ba6275b5a96e023334f2e5e3a02b1afea4543071eb867bbc170782926f7ed6c6
SHA512 06894f16a7a2691c6ef78c1c352441cdabbf791778bdb55a50e524a066374cffc2f55c02d0d4ce44aab5c673c8e4e3811d0c9794aa6e47e3e59c7b6e0fa0db63

memory/3760-18-0x0000000073F00000-0x00000000740AB000-memory.dmp

memory/3760-19-0x0000000073F00000-0x00000000740AB000-memory.dmp

\??\PIPE\wkssvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3760-22-0x0000000073F00000-0x00000000740AB000-memory.dmp

memory/3080-24-0x0000000000840000-0x0000000000861000-memory.dmp

memory/3080-25-0x0000000000840000-0x0000000000861000-memory.dmp

memory/3080-26-0x0000000000840000-0x0000000000861000-memory.dmp