Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Windows\System32\loaddll32.exe

loaddll32.exe "C:\Users\user\Desktop\050_qbot.dll"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C rundll32.exe "C:\Users\user\Desktop\050_qbot.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\user\Desktop\050_qbot.dll,lcopy_block_row

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\050_qbot.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7348 -s 652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7360 -s 176

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\user\Desktop\050_qbot.dll,lcopy_sample_rows

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\user\Desktop\050_qbot.dll,ldiv_round_up

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\050_qbot.dll",lcopy_block_row

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\050_qbot.dll",lcopy_sample_rows

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\050_qbot.dll",ldiv_round_up

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\050_qbot.dll",next

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\050_qbot.dll",lround_up

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\050_qbot.dll",lpeg_write_tables

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7644 -s 652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7716 -s 652

C:\Windows\SysWOW64\wermgr.exe

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

There are 8 hidden processes, click here to show them.

URLs

Name

Malicious

https://www.xfinity.com/mobile/policies/broadband-disclosures

unknown

http://upx.sf.net

unknown

https://www.xfinity.com/learn/internet-service/acp

unknown

https://www.xfinity.com/networkmanagement

unknown

https://xfinity.com/

68.87.41.40

Details

Name:	https://xfinity.com/
IP:	68.87.41.40
TargetID:	22
From Memory:	false
Current Path:	C:\Windows\SysWOW64\wermgr.exe
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Domains

Name

Malicious

xfinity.com

68.87.41.40

Details

Name:	xfinity.com
IP:	68.87.41.40
TargetID:	22
Current Path:	C:\Windows\SysWOW64\wermgr.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Sample uses string decryption to hide its real strings	AV Detection
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

www.xfinity.com

unknown

IPs

Domain

Country

Malicious

38.2.18.164

unknown

United States

2.82.8.80

unknown

Portugal

70.160.67.203

unknown

United States

83.110.223.61

unknown

United Arab Emirates

209.171.160.69

unknown

Canada

84.215.202.8

unknown

Norway

184.182.66.109

unknown

United States

200.84.211.255

unknown

Venezuela

125.99.69.178

unknown

India

174.4.89.3

unknown

Canada

121.121.108.120

unknown

Malaysia

161.142.103.187

unknown

Malaysia

213.64.33.92

unknown

Sweden

114.143.176.236

unknown

India

24.234.220.88

unknown

United States

67.70.120.249

unknown

Canada

73.88.173.113

unknown

United States

72.205.104.134

unknown

United States

117.195.17.148

unknown

India

69.160.121.6

unknown

Jamaica

176.133.4.230

unknown

France

183.87.163.165

unknown

India

184.181.75.148

unknown

United States

70.49.205.198

unknown

Canada

87.221.153.182

unknown

Spain

70.50.1.252

unknown

Canada

85.101.239.116

unknown

Turkey

181.4.225.225

unknown

Argentina

100.4.163.158

unknown

United States

103.141.50.43

unknown

India

70.50.83.216

unknown

Canada

92.1.170.110

unknown

United Kingdom

64.121.161.102

unknown

United States

96.56.197.26

unknown

United States

188.28.19.84

unknown

United Kingdom

125.99.76.102

unknown

India

81.101.185.146

unknown

United Kingdom

116.75.63.183

unknown

India

124.246.122.199

unknown

Singapore

147.147.30.126

unknown

United Kingdom

109.130.247.84

unknown

Belgium

75.109.111.89

unknown

United States

88.126.94.4

unknown

France

124.122.47.148

unknown

Thailand

66.241.183.99

unknown

United States

180.151.19.13

unknown

India

94.204.202.106

unknown

United Arab Emirates

47.205.25.170

unknown

United States

95.45.50.93

unknown

Ireland

103.212.19.254

unknown

India

85.61.165.153

unknown

Spain

91.160.70.68

unknown

France

201.143.215.69

unknown

Mexico

184.63.133.131

unknown

United States

203.109.44.236

unknown

India

90.104.151.37

unknown

France

201.244.108.183

unknown

Colombia

2.49.63.160

unknown

United Arab Emirates

103.42.86.42

unknown

India

80.6.50.34

unknown

United Kingdom

175.156.217.7

unknown

Singapore

103.139.242.6

unknown

India

27.0.48.233

unknown

India

70.28.50.223

unknown

Canada

173.17.45.60

unknown

United States

81.229.117.95

unknown

Sweden

70.64.77.115

unknown

Canada

87.252.106.39

unknown

Italy

79.77.142.22

unknown

United Kingdom

98.163.227.79

unknown

United States

93.187.148.45

unknown

United Kingdom

186.75.95.6

unknown

Panama

50.68.186.195

unknown

Canada

45.62.70.33

unknown

Canada

83.249.198.100

unknown

Sweden

12.172.173.82

unknown

United States

47.199.241.39

unknown

United States

79.168.224.165

unknown

Portugal

199.27.66.213

unknown

United States

200.44.198.47

unknown

Venezuela

176.142.207.63

unknown

France

86.173.2.12

unknown

United Kingdom

45.62.75.250

unknown

Canada

92.154.17.149

unknown

France

90.29.86.138

unknown

France

174.58.146.57

unknown

United States

223.166.13.95

unknown

China

5.192.141.228

unknown

United Arab Emirates

65.95.141.84

unknown

Canada

75.98.154.19

unknown

United States

77.126.99.230

unknown

Israel

103.123.223.133

unknown

India

74.12.147.139

unknown

Canada

92.9.45.20

unknown

United Kingdom

113.11.92.30

unknown

Bangladesh

77.86.98.236

unknown

United Kingdom

103.140.174.20

unknown

India

78.192.109.105

unknown

France

68.87.41.40

xfinity.com

United States

192.168.2.1

unknown

There are 90 hidden IPs, click here to show them.

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Property

0018000CAA868BB9

HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}

DeviceTicket

HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}

DeviceId

HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}

ApplicationFlags

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\Debug

ExceptionRecord

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

AmiHivePermissionsCorrect

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

AmiHiveOwnerCorrect

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager

PendingFileRenameOperations

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

AmiOverridePath

\REGISTRY\A\{5cd36e04-f07d-40da-c658-aa07a4483f02}\Root\InventoryApplicationFile

WritePermissionsCheck

\REGISTRY\A\{5cd36e04-f07d-40da-c658-aa07a4483f02}\Root\InventoryApplicationFile

ProviderSyncId