Malware Analysis Report

2024-11-30 13:29

Sample ID 241122-smzptayrar
Target 3c7b19ab8e40e2ed803d0d3adada6eebc5f18a970c8093f8f8e8ca1a552a2573.exe
SHA256 3c7b19ab8e40e2ed803d0d3adada6eebc5f18a970c8093f8f8e8ca1a552a2573
Tags
qakbot tr 1634541613 banker discovery evasion stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3c7b19ab8e40e2ed803d0d3adada6eebc5f18a970c8093f8f8e8ca1a552a2573

Threat Level: Known bad

The file 3c7b19ab8e40e2ed803d0d3adada6eebc5f18a970c8093f8f8e8ca1a552a2573.exe was found to be: Known bad.

Malicious Activity Summary

qakbot tr 1634541613 banker discovery evasion stealer trojan

Qakbot family

Qakbot/Qbot

Windows security bypass

Loads dropped DLL

System Location Discovery: System Language Discovery

Unsigned PE

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-22 15:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-22 15:15

Reported

2024-11-22 15:17

Platform

win7-20241010-en

Max time kernel

118s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c7b19ab8e40e2ed803d0d3adada6eebc5f18a970c8093f8f8e8ca1a552a2573.dll,#1

Signatures

Qakbot family

qakbot

Qakbot/Qbot

trojan banker stealer qakbot

Windows security bypass

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Wqldtngyl = "0" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Ewvyhzyttu = "0" C:\Windows\system32\reg.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Wggpcufbixboze\6e1a7108 = a07f31da8df5c2767fc9a4dbed859567a1e90d73574c12a94174fd60f38cea948653cdc261fc82e86ad69bc7fd678246 C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Wggpcufbixboze C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Wggpcufbixboze\6e1a7108 = a07f26da8df5f7ffa4c8e609566451ec223a9e7caeb6bc21f4cf73 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Wggpcufbixboze\5b85a146 = 1c9e690d45fd1b8bf425811384adc70f90ac8e69badd57d3c0c6227b5148c9986c9d93fc72786307445c5f38383994ebda36e01832e436dba498c70dec0f75464bd8a4c6ae06ce1d2e6c7db9b94eefd1d6571a68377bd958c547b1d892daec421fba483dabf19d5f80d8166bef C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Wggpcufbixboze\59c4813a = 1b5856ac4a1e4030dae5a493a4ec9ee7f509a66d377d4607ab7a9c6d79898a4e292b614d7f1c769ba638d191da1d3b3ce772da3d6e25bcbe46dceed6ed6432b65b456361b8c8ed10b2f4611ec4ad4a82cc055fd7e5fbf6ebb8e204c151c1c03554e9a743efb864ac5d0f80893707cb9d89 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Wggpcufbixboze\e178e65f = 1a03a9a7f76e71e91229d66bc7c24e9d1807b708ade0ecb4d41cb982d6b1267355af99355ca1bb8bd40ffbb720ea4ec59fd9e285ab34529b20a0b9392afe985a69be1a16a9f7f9baccb83263632a9073c517f62a070743669b929a0ab440c0d35544c8ea308c C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Wggpcufbixboze\9c70a9d5 = 4faac72279cc4bcc8104b0850ab4661f9478eb8983942a51705b123f1f9f3d8bbd508077b251998a2a C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Wggpcufbixboze\24ccceb0 = 1ad12ac07f111596990071b8bc2044d3495e439fa52ee9a11ee7ee5c6e853d86dd20707bf1263b5c7fcd17e8e6201d56a4222fc0 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Wggpcufbixboze\e339c623 = 69579a864f8c482b09bb11d9ca11f445 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Wggpcufbixboze\11531efe = 35baae786fc3f9b929827e88c9dc0a1c527f6a4e06ff56a7a02fe05abb759626a404c183bf0b8597b2eafbe8a2e8cd7f3cb4273bb14a44dac8a558a96ead40a3cf6915e2b81b567c51935cdf846ed0154f746f933a9fd12f8f C:\Windows\SysWOW64\explorer.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2500 wrote to memory of 2776 (7 events) N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2776 wrote to memory of 2784 (6 events) N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\explorer.exe
PID 2784 wrote to memory of 3012 (4 events) N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\schtasks.exe
PID 3036 wrote to memory of 2628 (5 events) N/A C:\Windows\system32\taskeng.exe C:\Windows\system32\regsvr32.exe
PID 2628 wrote to memory of 1484 (7 events) N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1484 wrote to memory of 1188 (6 events) N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 1188 wrote to memory of 2168 (4 events) N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe
PID 1188 wrote to memory of 2156 (4 events) N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c7b19ab8e40e2ed803d0d3adada6eebc5f18a970c8093f8f8e8ca1a552a2573.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c7b19ab8e40e2ed803d0d3adada6eebc5f18a970c8093f8f8e8ca1a552a2573.dll,#1

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn kugmijjurr /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\3c7b19ab8e40e2ed803d0d3adada6eebc5f18a970c8093f8f8e8ca1a552a2573.dll\"" /SC ONCE /Z /ST 15:17 /ET 15:29

C:\Windows\system32\taskeng.exe

taskeng.exe {F9596CF0-0551-41FF-8607-CD16D95F3A5E} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\system32\regsvr32.exe

regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\3c7b19ab8e40e2ed803d0d3adada6eebc5f18a970c8093f8f8e8ca1a552a2573.dll"

C:\Windows\SysWOW64\regsvr32.exe

-s "C:\Users\Admin\AppData\Local\Temp\3c7b19ab8e40e2ed803d0d3adada6eebc5f18a970c8093f8f8e8ca1a552a2573.dll"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Wqldtngyl" /d "0"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Ewvyhzyttu" /d "0"

Network

N/A

Files

memory/2776-0-0x0000000075000000-0x00000000751AB000-memory.dmp

memory/2776-3-0x0000000075000000-0x00000000751AB000-memory.dmp

memory/2776-2-0x0000000075000000-0x00000000751AB000-memory.dmp

memory/2776-1-0x0000000075190000-0x0000000075196000-memory.dmp

memory/2784-5-0x0000000000080000-0x0000000000082000-memory.dmp

memory/2784-7-0x00000000000D0000-0x00000000000F1000-memory.dmp

memory/2776-9-0x0000000075000000-0x00000000751AB000-memory.dmp

memory/2784-12-0x00000000000D0000-0x00000000000F1000-memory.dmp

memory/2784-13-0x00000000000D0000-0x00000000000F1000-memory.dmp

memory/2784-14-0x00000000000D0000-0x00000000000F1000-memory.dmp

memory/2784-16-0x00000000000D0000-0x00000000000F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3c7b19ab8e40e2ed803d0d3adada6eebc5f18a970c8093f8f8e8ca1a552a2573.dll

MD5 8823100dee1a4504843572e377a6ff7a
SHA1 5646e3ee6bf1fdf57abe2b5df51109888e54cd44
SHA256 3c7b19ab8e40e2ed803d0d3adada6eebc5f18a970c8093f8f8e8ca1a552a2573
SHA512 c7adfcff9ef8cccee3b7bafddb9573da6ac646b0dfec4bf4104fb7e46aeb21d5b6c4673a74c48b4354f0952afc44f29dd80f40033257cbd6e6b39bed44eac88d

memory/1484-22-0x00000000745D0000-0x000000007477B000-memory.dmp

memory/1484-21-0x00000000745D0000-0x000000007477B000-memory.dmp

\??\PIPE\wkssvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1484-26-0x00000000745D0000-0x000000007477B000-memory.dmp

memory/1188-28-0x00000000000D0000-0x00000000000F1000-memory.dmp

memory/1188-30-0x00000000000D0000-0x00000000000F1000-memory.dmp

memory/1188-29-0x00000000000D0000-0x00000000000F1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-22 15:15

Reported

2024-11-22 15:17

Platform

win10v2004-20241007-en

Max time kernel

113s

Max time network

95s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c7b19ab8e40e2ed803d0d3adada6eebc5f18a970c8093f8f8e8ca1a552a2573.dll,#1

Signatures

Qakbot family

qakbot

Qakbot/Qbot

trojan banker stealer qakbot

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Cwuthvih = "0" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Pktciyiuyoi = "0" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\system32\reg.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Eaxlmypejfsdl C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Eaxlmypejfsdl\c00d1d53 = 60d4e1a6b68c0a3f330cb53ce44e98ba C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Eaxlmypejfsdl\bd0552d9 = 17145c3b9347868c1f327a096d1d7f8ba1fb01314931af1650ded4 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Eaxlmypejfsdl\3026e5f2 = bd617516854512f3f0b109ff50c0dd66a6bc75ee5aa860ddd4e080453b51fafcbeaa26019dd96773e0f24d1301c3f044fb6f938cf5c341834517cd2570c99bd30e089bbc11721d3769045a0b23b9d73049b3eca9dffad6188dd33a802748018e2b7a450a85e57a9a1e2c7ba9f9a816 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Eaxlmypejfsdl\c24c3d2f = ef7d41d02c06d5f307cc314369132c63f56de1a70d859fb5ccade90220de44 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Eaxlmypejfsdl\4f6f8a04 = d7acf55554a4d4d1da9e17dbffcecd12d7be1f49a58777491d4350c53959adf759a2377f11de459cf1270381be39014d40596f276f7609fd73567bd283caa8bcf7269482e318725c2601066aff2b44b02d2bbfca7ec2 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Eaxlmypejfsdl\4f6f8a04 = d7ace25554a4e1d48b3d6bd24b32cd2b20359d01c5e9e97a010b40b29bec465013e1b28f006d3854465c5cef2629bedea72c949ad804613b7e3091ae74d0ccf9ef C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Eaxlmypejfsdl\7af05a4a = 85b3dc53aa74caee6f8626ad69768228f95bf34715318af7e95cf8837390cbcbefa539140a01394b4fe954cc9f0d7f84ea258779aadf21cf0999748aa1c4603b729dcda6268d72d2b0613f42a82abb34c690f6b2a2f13cfc5f0534eef54ce0e10a027e1b0b C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Eaxlmypejfsdl\78b17a36 = 93f2d97bca1e9782f88ddbdaf799dfe7e1bcf7bf6142a52f11c8bd380ed80c6537744bf4a0420ad61d6e31579080b1262bce003a12d40e3a6bee30feca C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Eaxlmypejfsdl\5b935bc = af0c1f8558e02bc8a95c89b536c594470950374581c3b94ebd7336d88297d7348112da4943a90af65414d26e19d24a5a9ee25e65972f161d89a218 C:\Windows\SysWOW64\explorer.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4008 wrote to memory of 2360 (3 events) N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2360 wrote to memory of 3512 (5 events) N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\explorer.exe
PID 3512 wrote to memory of 2820 (3 events) N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\schtasks.exe
PID 3600 wrote to memory of 2348 (3 events) N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2348 wrote to memory of 1520 (5 events) N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 1520 wrote to memory of 3328 (2 events) N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe
PID 1520 wrote to memory of 4744 (2 events) N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c7b19ab8e40e2ed803d0d3adada6eebc5f18a970c8093f8f8e8ca1a552a2573.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c7b19ab8e40e2ed803d0d3adada6eebc5f18a970c8093f8f8e8ca1a552a2573.dll,#1

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn scfnyogjqf /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\3c7b19ab8e40e2ed803d0d3adada6eebc5f18a970c8093f8f8e8ca1a552a2573.dll\"" /SC ONCE /Z /ST 15:17 /ET 15:29

C:\Windows\system32\regsvr32.exe

regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\3c7b19ab8e40e2ed803d0d3adada6eebc5f18a970c8093f8f8e8ca1a552a2573.dll"

C:\Windows\SysWOW64\regsvr32.exe

-s "C:\Users\Admin\AppData\Local\Temp\3c7b19ab8e40e2ed803d0d3adada6eebc5f18a970c8093f8f8e8ca1a552a2573.dll"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Cwuthvih" /d "0"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Pktciyiuyoi" /d "0"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 74.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 194.86.200.23.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/2360-1-0x0000000075250000-0x0000000075256000-memory.dmp

memory/2360-0-0x00000000750C0000-0x000000007526B000-memory.dmp

memory/2360-2-0x00000000750C0000-0x000000007526B000-memory.dmp

memory/2360-3-0x00000000750C0000-0x000000007526B000-memory.dmp

memory/3512-5-0x0000000000B30000-0x0000000000B51000-memory.dmp

memory/2360-6-0x00000000750C0000-0x000000007526B000-memory.dmp

memory/3512-9-0x0000000000B30000-0x0000000000B51000-memory.dmp

memory/3512-11-0x0000000000B30000-0x0000000000B51000-memory.dmp

memory/3512-10-0x0000000000B30000-0x0000000000B51000-memory.dmp

memory/3512-13-0x0000000000B30000-0x0000000000B51000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3c7b19ab8e40e2ed803d0d3adada6eebc5f18a970c8093f8f8e8ca1a552a2573.dll

MD5 8823100dee1a4504843572e377a6ff7a
SHA1 5646e3ee6bf1fdf57abe2b5df51109888e54cd44
SHA256 3c7b19ab8e40e2ed803d0d3adada6eebc5f18a970c8093f8f8e8ca1a552a2573
SHA512 c7adfcff9ef8cccee3b7bafddb9573da6ac646b0dfec4bf4104fb7e46aeb21d5b6c4673a74c48b4354f0952afc44f29dd80f40033257cbd6e6b39bed44eac88d

memory/2348-17-0x0000000073920000-0x0000000073ACB000-memory.dmp

memory/2348-18-0x0000000073920000-0x0000000073ACB000-memory.dmp

\??\PIPE\wkssvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2348-21-0x0000000073920000-0x0000000073ACB000-memory.dmp

memory/1520-23-0x0000000000350000-0x0000000000371000-memory.dmp

memory/1520-24-0x0000000000350000-0x0000000000371000-memory.dmp

memory/1520-25-0x0000000000350000-0x0000000000371000-memory.dmp