Windows Analysis Report
pebbles.dat.dll

Overview

General Information

Sample Name: pebbles.dat.dll
Analysis ID: 715156
MD5: d89521adaf6418e6ebe43b1a1a9d2af9
SHA1: 38cac8495ef43e51cdac1cb5e85d10137b365bee
SHA256: 1965dc57456d4fc01b6ce0f242d80776fe08a16354e6177255cba618348355ac
Tags: dll

Detection

Qbot
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Qbot
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: Execute DLL with spoofed extension
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Entry point lies outside standard sections
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Drops PE files
Tries to load missing DLLs
Found evasive API chain checking for process token information
Registers a DLL
PE file overlay found
Creates a process in suspended mode (likely to inject code)
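Two of the signatures above are directly testable against process-creation telemetry: "Sigma detected: Execute DLL with spoofed extension" (the sample was submitted as pebbles.dat.dll and is run by regsvr32.exe and rundll32.exe) and "Creates a process in suspended mode (likely to inject code)" combined with the YARA hits in wermgr.exe further down. The script below is an added example, not part of the Joe Sandbox report: it runs those two checks over constructed, Sysmon-style process-creation records. The assumption that wermgr.exe is spawned by the DLL host process is the example's own; the report only shows wermgr.exe holding the unpacked payload.

```python
"""Process-creation checks for two of the report's signatures.

Added example, not part of the report. It scores constructed, Sysmon-style
process-creation records for (1) rundll32/regsvr32 loading a module whose
extension is not .dll and (2) a DLL-host process spawning wermgr.exe, the
process the report shows holding the unpacked Qbot payload. That wermgr.exe
is a child of the DLL host is an assumption of this example.
"""
import re
from pathlib import PureWindowsPath
from typing import Optional

DLL_HOSTS = {"rundll32.exe", "regsvr32.exe"}
INJECTION_TARGETS = {"wermgr.exe"}

# Tokenizer for Windows command lines: keeps quoted paths with spaces intact.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def dll_argument(image: str, cmdline: str) -> Optional[str]:
    """Return the module path passed to rundll32 or regsvr32, or None.

    rundll32 takes '<path>,<export>' as its first argument; regsvr32 takes
    switches (/s, /n, /i:..., /u) in any order followed by the path.
    """
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmdline)][1:]
    if image == "rundll32.exe":
        return tokens[0].split(",")[0] if tokens else None
    if image == "regsvr32.exe":
        for t in tokens:
            if not t.startswith(("/", "-")):
                return t
    return None


def analyze(events):
    """Return (rule, pid, detail) tuples for events matching either check."""
    alerts = []
    for ev in events:
        image = PureWindowsPath(ev["Image"]).name.lower()
        parent = PureWindowsPath(ev.get("ParentImage", "")).name.lower()
        if image in DLL_HOSTS:
            module = dll_argument(image, ev["CommandLine"])
            # Any extension other than .dll (including none) is the spoofing case.
            if module and PureWindowsPath(module).suffix.lower() != ".dll":
                alerts.append(("dll_host_non_dll_module", ev["ProcessId"], module))
        if image in INJECTION_TARGETS and parent in DLL_HOSTS:
            alerts.append(("dll_host_spawned_injection_target", ev["ProcessId"], ev["ParentImage"]))
    return alerts


# Constructed sample telemetry (not from the report): three malicious-looking
# records modelled on the sandbox run, two benign ones as negatives.
EVENTS = [
    {"ProcessId": 4812, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Users\victim\AppData\Local\Temp\pebbles.dat,DllRegisterServer"},
    {"ProcessId": 4920, "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Users\victim\AppData\Local\Temp\pebbles.dat"'},
    {"ProcessId": 5044, "Image": r"C:\Windows\SysWOW64\wermgr.exe",
     "ParentImage": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"C:\Windows\SysWOW64\wermgr.exe"},
    {"ProcessId": 1188, "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"ProcessId": 2308, "Image": r"C:\Windows\System32\wermgr.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\wermgr.exe -upload"},
]

if __name__ == "__main__":
    for rule, pid, detail in analyze(EVENTS):
        print(f"{rule}: pid={pid} {detail}")
```

The extension check deliberately treats a missing extension the same as a wrong one, since the renamed-DLL trick works with either; the parent-child check is only as good as the assumption in the lead-in, so in production it should be confirmed against the actual process tree before being used as a blocking rule.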

Classification

AV Detection

Source: pebbles.dat.dll ReversingLabs: Detection: 16%
Source: pebbles.dat.dll Joe Sandbox ML: detected
Source: pebbles.dat.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: pebbles.dat.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: E:\cpp\out\out\desktop.pdb source: regsvr32.exe, 00000003.00000002.269410643.000000006D4B4000.00000080.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.269325200.000000006D4B4000.00000080.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.269366163.000000006D4B4000.00000080.00000001.01000000.00000003.sdmp, pebbles.dat.dll
Source: Binary string: amstream.pdb source: wermgr.exe, 00000007.00000003.270246920.0000000004B21000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.269783536.0000000003761000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.270387540.0000000001081000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: amstream.pdbGCTL source: wermgr.exe, 00000007.00000003.270246920.0000000004B21000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.269783536.0000000003761000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.270387540.0000000001081000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0099C123 FindFirstFileW,FindNextFileW, 3_2_0099C123
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0445C123 FindFirstFileW,FindNextFileW, 4_2_0445C123
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00995D1E GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,BitBlt,GetCursorInfo,CopyIcon,GetIconInfo,GetObjectW,DrawIconEx,SelectObject,GetObjectW,GetDIBits,DeleteDC,DeleteDC,DeleteObject, 3_2_00995D1E

System Summary

Source: 9.2.wermgr.exe.970000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 9.2.wermgr.exe.970000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 3.2.regsvr32.exe.990000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 3.2.regsvr32.exe.990000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 4.2.rundll32.exe.4450000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 4.2.rundll32.exe.4450000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 7.0.wermgr.exe.e40000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 7.0.wermgr.exe.e40000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 5.2.rundll32.exe.2ee0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 5.2.rundll32.exe.2ee0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 4.3.rundll32.exe.4430000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 4.3.rundll32.exe.4430000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 7.0.wermgr.exe.e40000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 7.0.wermgr.exe.e40000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 3.3.regsvr32.exe.590000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 3.3.regsvr32.exe.590000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 8.0.wermgr.exe.12a0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 8.0.wermgr.exe.12a0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 4.2.rundll32.exe.4450000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 4.2.rundll32.exe.4450000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 3.3.regsvr32.exe.590000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 3.3.regsvr32.exe.590000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 9.2.wermgr.exe.970000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 9.2.wermgr.exe.970000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 7.2.wermgr.exe.e40000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 7.2.wermgr.exe.e40000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 9.0.wermgr.exe.970000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 9.0.wermgr.exe.970000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 9.0.wermgr.exe.970000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 9.0.wermgr.exe.970000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 5.3.rundll32.exe.2d60000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 5.3.rundll32.exe.2d60000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 4.3.rundll32.exe.4430000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 4.3.rundll32.exe.4430000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 5.2.rundll32.exe.2ee0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 5.2.rundll32.exe.2ee0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 3.2.regsvr32.exe.990000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 3.2.regsvr32.exe.990000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 7.2.wermgr.exe.e40000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 7.2.wermgr.exe.e40000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 5.3.rundll32.exe.2d60000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 5.3.rundll32.exe.2d60000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 8.0.wermgr.exe.12a0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 8.0.wermgr.exe.12a0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000007.00000002.270568639.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000007.00000002.270568639.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000007.00000000.268101186.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000007.00000000.268101186.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000004.00000003.261746477.0000000004430000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000004.00000003.261746477.0000000004430000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000008.00000000.268192549.00000000012A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000008.00000000.268192549.00000000012A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000003.00000003.261366767.0000000000590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000003.00000003.261366767.0000000000590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000009.00000002.270604125.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000009.00000002.270604125.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000005.00000003.261991952.0000000002D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000005.00000003.261991952.0000000002D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000009.00000000.268299338.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000009.00000000.268299338.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000005.00000002.268833263.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000005.00000002.268833263.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: pebbles.dat.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Rule metadata (the same for every UNPACKEDPE and MEMORY match listed above):

Windows_Trojan_Qbot_92c67a6d: reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, arch_context = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Windows_Trojan_Qbot_3074a8d4: reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, arch_context = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000007.00000002.270568639.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000007.00000000.268101186.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000007.00000000.268101186.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000004.00000003.261746477.0000000004430000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000004.00000003.261746477.0000000004430000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000008.00000000.268192549.00000000012A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000008.00000000.268192549.00000000012A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000003.00000003.261366767.0000000000590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000003.00000003.261366767.0000000000590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000009.00000002.270604125.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000009.00000002.270604125.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000005.00000003.261991952.0000000002D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000005.00000003.261991952.0000000002D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000009.00000000.268299338.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000009.00000000.268299338.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000005.00000002.268833263.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000005.00000002.268833263.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_009A29E9 3_2_009A29E9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_009A35EE 3_2_009A35EE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_009A82A0 3_2_009A82A0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_009A63B0 3_2_009A63B0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_009A676F 3_2_009A676F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_044635EE 4_2_044635EE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_044629E9 4_2_044629E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_044682A0 4_2_044682A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0446676F 4_2_0446676F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_044663B0 4_2_044663B0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0099D9DE GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory, 3_2_0099D9DE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0099D538 NtCreateSection,DefWindowProcW,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,lstrlenW,NtUnmapViewOfSection,NtClose, 3_2_0099D538
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0445D538 NtCreateSection,DefWindowProcW,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,lstrlenW,NtUnmapViewOfSection,NtClose, 4_2_0445D538
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0445D9DE GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory, 4_2_0445D9DE
Source: pebbles.dat.dll.8.dr Static PE information: No import functions for PE file found
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: pebbles.dat.dll.8.dr Static PE information: Data appended to the last section found
Source: pebbles.dat.dll ReversingLabs: Detection: 16%
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\pebbles.dat.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\pebbles.dat.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,DllUnregisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,bewailable
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\audiodg.exe C:\Windows\system32\AUDIODG.EXE 0x2ac
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\pebbles.dat.dll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,DllUnregisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,bewailable
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\SysWOW64\wermgr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Ikoqhruop
Source: classification engine Classification label: mal96.troj.evad.winDLL@21/1@0/0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0099E485 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket, 3_2_0099E485
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0099BAF6 CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification, 3_2_0099BAF6
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1
Source: C:\Windows\SysWOW64\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{8EEC79E5-2878-4F5F-A98E-FA689CEEF067}
Source: C:\Windows\SysWOW64\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\{446EBB9A-7BA4-4C43-A020-E163B2EC3F81}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5864:120:WilError_01
Source: C:\Windows\SysWOW64\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\{8EEC79E5-2878-4F5F-A98E-FA689CEEF067}
Source: pebbles.dat.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: pebbles.dat.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: pebbles.dat.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: pebbles.dat.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: pebbles.dat.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: pebbles.dat.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: pebbles.dat.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: pebbles.dat.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: E:\cpp\out\out\desktop.pdb source: regsvr32.exe, 00000003.00000002.269410643.000000006D4B4000.00000080.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.269325200.000000006D4B4000.00000080.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.269366163.000000006D4B4000.00000080.00000001.01000000.00000003.sdmp, pebbles.dat.dll
Source: Binary string: amstream.pdb source: wermgr.exe, 00000007.00000003.270246920.0000000004B21000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.269783536.0000000003761000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.270387540.0000000001081000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: amstream.pdbGCTL source: wermgr.exe, 00000007.00000003.270246920.0000000004B21000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.269783536.0000000003761000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.270387540.0000000001081000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_009AB066 push ebx; ret 3_2_009AB067
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_009AADB4 push cs; iretd 3_2_009AAE8A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_009AAEB6 push cs; iretd 3_2_009AAE8A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_009ACB95 push esi; iretd 3_2_009ACB9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0446B066 push ebx; ret 4_2_0446B067
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0446ADB4 push cs; iretd 4_2_0446AE8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0446AEB6 push cs; iretd 4_2_0446AE8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0446CB95 push esi; iretd 4_2_0446CB9A
Source: pebbles.dat.dll Static PE information: section name: .reloc6s
Source: pebbles.dat.dll Static PE information: section name: .hata
Source: pebbles.dat.dll.8.dr Static PE information: section name: .reloc6s
Source: pebbles.dat.dll.8.dr Static PE information: section name: .hata
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0099EF38 LoadLibraryA,GetProcAddress, 3_2_0099EF38
Source: initial sample Static PE information: section where entry point is pointing to: .data
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\pebbles.dat.dll
Source: initial sample Static PE information: section name: .data entropy: 7.0153365923230595
Source: C:\Windows\SysWOW64\wermgr.exe File created: C:\Users\user\Desktop\pebbles.dat.dll

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 3472 base: 1353C50 value: E9 42 26 62 FF
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4884 base: 1353C50 value: E9 42 26 AF FF
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 612 base: 1353C50 value: E9 42 26 F5 FF
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: wermgr.exe, 00000008.00000003.272137830.0000000005232000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCMON.EXE
Source: wermgr.exe, 00000008.00000003.272109944.00000000037D8000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.271989769.00000000037D8000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.272071328.00000000037D8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-32.EXE
Source: wermgr.exe, 00000008.00000003.272109944.00000000037D8000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.271989769.00000000037D8000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.272071328.00000000037D8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXE
Source: wermgr.exe, 00000008.00000003.272137830.0000000005232000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WINDUMP.EXEP
Source: wermgr.exe, 00000008.00000003.272137830.0000000005232000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IMPORTREC.EXE
Source: wermgr.exe, 00000008.00000003.272137830.0000000005232000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PETOOLS.EXE
Source: wermgr.exe, 00000008.00000003.272109944.00000000037D8000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.271989769.00000000037D8000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.272071328.00000000037D8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PROC_ANALYZER.EXE
Source: wermgr.exe, 00000008.00000003.272137830.0000000005232000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SNIFF_HIT.EXE
Source: wermgr.exe, 00000008.00000003.272137830.0000000005232000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TCPDUMP.EXE
Source: wermgr.exe, 00000008.00000003.272137830.0000000005232000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WINDUMP.EXE
Source: wermgr.exe, 00000008.00000003.272137830.0000000005232000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SYSANALYZER.EXE
Source: wermgr.exe, 00000008.00000003.272137830.0000000005232000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCMON.EXEV
Source: wermgr.exe, 00000008.00000003.272137830.0000000005232000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DUMPCAP.EXE
Source: wermgr.exe, 00000008.00000003.272137830.0000000005232000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE
Source: wermgr.exe, 00000008.00000003.272137830.0000000005232000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FILEMON.EXE
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 972 Thread sleep count: 134 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5772 Thread sleep count: 111 > 30
Source: C:\Windows\SysWOW64\wermgr.exe TID: 1960 Thread sleep count: 34 > 30
Source: C:\Windows\SysWOW64\wermgr.exe TID: 5284 Thread sleep time: -100000s >= -30000s
Source: C:\Windows\SysWOW64\wermgr.exe TID: 5608 Thread sleep count: 47 > 30
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\wermgr.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\SysWOW64\regsvr32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\SysWOW64\regsvr32.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0099DDE7 GetSystemInfo, 3_2_0099DDE7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0099C123 FindFirstFileW,FindNextFileW, 3_2_0099C123
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0445C123 FindFirstFileW,FindNextFileW, 4_2_0445C123
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0099EF38 LoadLibraryA,GetProcAddress, 3_2_0099EF38

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\System32\audiodg.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\SysWOW64\wermgr.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\SysWOW64\wermgr.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 9A0000
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 1353C50
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: E70000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 1353C50
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 9A0000 protect: page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: E70000 protect: page read and write
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\wermgr.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\wermgr.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0099A1F8 GetSystemTimeAsFileTime, 3_2_0099A1F8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0099DFC2 GetCurrentProcessId,GetLastError,GetSystemMetrics,GetVersionExA,GetWindowsDirectoryW, 3_2_0099DFC2
Source: regsvr32.exe, 00000003.00000003.262266220.000000000452F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.262272208.000000000450F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.262465589.000000000312F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bdagent.exe
Source: regsvr32.exe, 00000003.00000003.262266220.000000000452F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.262272208.000000000450F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.262465589.000000000312F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vsserv.exe
Source: regsvr32.exe, 00000003.00000003.262266220.000000000452F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.262272208.000000000450F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.262465589.000000000312F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avp.exe
Source: regsvr32.exe, 00000003.00000003.262266220.000000000452F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.262272208.000000000450F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.262465589.000000000312F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avgcsrvx.exe
Source: regsvr32.exe, 00000003.00000003.262266220.000000000452F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.262272208.000000000450F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.262465589.000000000312F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: mcshield.exe
Source: regsvr32.exe, 00000003.00000003.262266220.000000000452F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.262272208.000000000450F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.262465589.000000000312F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 9.2.wermgr.exe.970000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4450000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.wermgr.exe.e40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2ee0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.4430000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.wermgr.exe.e40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.regsvr32.exe.590000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.wermgr.exe.12a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4450000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.regsvr32.exe.590000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.wermgr.exe.970000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.wermgr.exe.e40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.wermgr.exe.970000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.wermgr.exe.970000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2d60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.4430000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.990000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.wermgr.exe.e40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2d60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.wermgr.exe.12a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.270568639.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.268101186.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.261746477.0000000004430000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.268192549.00000000012A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.261366767.0000000000590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.270604125.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.261991952.0000000002D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.268299338.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.268833263.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 9.2.wermgr.exe.970000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4450000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.wermgr.exe.e40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2ee0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.4430000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.wermgr.exe.e40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.regsvr32.exe.590000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.wermgr.exe.12a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4450000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.regsvr32.exe.590000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.wermgr.exe.970000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.wermgr.exe.e40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.wermgr.exe.970000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.wermgr.exe.970000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2d60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.4430000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.990000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.wermgr.exe.e40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2d60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.wermgr.exe.12a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.270568639.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.268101186.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.261746477.0000000004430000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.268192549.00000000012A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.261366767.0000000000590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.270604125.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.261991952.0000000002D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.268299338.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.268833263.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY