Analysis

  • max time kernel
    29s
  • max time network
    113s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    06-07-2021 11:25

General

  • Target

    61101e59c831732d3620689c3cf6ff3a0c302028866e109481e2fe31f5d6337e.exe

  • Size

    2.6MB

  • MD5

    1f498b538c41c22731cde9f41cf92b32

  • SHA1

    10c78eba96fd5be058bd179f464e88e1478e6d44

  • SHA256

    61101e59c831732d3620689c3cf6ff3a0c302028866e109481e2fe31f5d6337e

  • SHA512

    2e21d3fdbdc95fb98f90d4f0c9116e3924e70a3a78f32dbd920c60e857feba68ec4d62c17e9b16cdd8cbb245a462c95523c01de270031c504d31f9cd5c91228d

Malware Config

Extracted

Family

qakbot

Version

324.142

Botnet

spx144

Campaign

1592561858

C2

50.247.230.33:995

75.81.25.223:443

24.71.28.247:443

47.28.135.155:443

122.147.204.4:995

189.140.137.184:990

41.228.59.231:443

39.36.254.179:995

178.221.64.104:995

75.110.250.89:443

185.246.9.69:995

94.52.160.116:443

65.24.76.114:443

86.153.98.66:2222

117.218.208.239:443

98.118.156.172:443

72.179.242.236:0

108.46.145.30:443

68.200.23.189:443

84.232.238.30:443

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\61101e59c831732d3620689c3cf6ff3a0c302028866e109481e2fe31f5d6337e.exe
    "C:\Users\Admin\AppData\Local\Temp\61101e59c831732d3620689c3cf6ff3a0c302028866e109481e2fe31f5d6337e.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3424
    • C:\Users\Admin\AppData\Local\Temp\61101e59c831732d3620689c3cf6ff3a0c302028866e109481e2fe31f5d6337e.exe
      C:\Users\Admin\AppData\Local\Temp\61101e59c831732d3620689c3cf6ff3a0c302028866e109481e2fe31f5d6337e.exe /C
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      PID:3392
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\61101e59c831732d3620689c3cf6ff3a0c302028866e109481e2fe31f5d6337e.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:512
      • C:\Windows\SysWOW64\PING.EXE
        ping.exe -n 6 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:936

Network

MITRE ATT&CK Matrix ATT&CK v6

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

Remote System Discovery

1
T1018

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/512-119-0x0000000000000000-mapping.dmp
  • memory/936-120-0x0000000000000000-mapping.dmp
  • memory/3392-116-0x0000000000000000-mapping.dmp
  • memory/3392-117-0x00000000006F0000-0x000000000079E000-memory.dmp
    Filesize

    696KB

  • memory/3424-115-0x0000000000400000-0x000000000069F000-memory.dmp
    Filesize

    2.6MB

  • memory/3424-114-0x0000000000810000-0x0000000000847000-memory.dmp
    Filesize

    220KB