Analysis

  • max time kernel
    128s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    05-02-2022 16:31

General

  • Target

    40a4f7184aee555b871823a677a8ac7278856f735f8fd0080322f8c67e8be4f2.exe

  • Size

    2.0MB

  • MD5

    e5607c54c026676782b24856d4214d58

  • SHA1

    a0e576281fa43368f48a93b6009f4329ed35aa34

  • SHA256

    40a4f7184aee555b871823a677a8ac7278856f735f8fd0080322f8c67e8be4f2

  • SHA512

    c7317c8caf82a0cebf63ad70f0095aeb6d884b93495f9b2c576dc4d8672ffb2c88ef0be4ae8d8c187bbc0476179598a95452a9c52b45b1ef9a493be94c376a13

Malware Config

Extracted

Family

qakbot

Version

324.127

Botnet

spx105

Campaign

1587988969

C2

24.184.5.251:2222

184.98.104.7:995

97.127.144.203:2222

121.74.205.27:995

75.87.161.32:995

24.201.79.208:2078

86.125.208.132:443

84.247.55.190:443

94.53.119.108:443

58.177.238.186:443

71.77.231.251:443

89.137.208.171:443

5.107.186.224:2222

72.183.129.56:443

71.220.191.200:443

68.82.125.234:443

172.113.74.96:443

70.95.94.91:2222

86.127.12.161:21

216.16.178.115:443

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\40a4f7184aee555b871823a677a8ac7278856f735f8fd0080322f8c67e8be4f2.exe
    "C:\Users\Admin\AppData\Local\Temp\40a4f7184aee555b871823a677a8ac7278856f735f8fd0080322f8c67e8be4f2.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1608
    • C:\Users\Admin\AppData\Local\Temp\40a4f7184aee555b871823a677a8ac7278856f735f8fd0080322f8c67e8be4f2.exe
      C:\Users\Admin\AppData\Local\Temp\40a4f7184aee555b871823a677a8ac7278856f735f8fd0080322f8c67e8be4f2.exe /C
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1748
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\40a4f7184aee555b871823a677a8ac7278856f735f8fd0080322f8c67e8be4f2.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1276
      • C:\Windows\SysWOW64\PING.EXE
        ping.exe -n 6 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1632

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1608-54-0x0000000075531000-0x0000000075533000-memory.dmp
    Filesize

    8KB

  • memory/1608-55-0x0000000000220000-0x0000000000259000-memory.dmp
    Filesize

    228KB

  • memory/1608-56-0x0000000000400000-0x00000000005F8000-memory.dmp
    Filesize

    2.0MB

  • memory/1748-58-0x0000000000400000-0x00000000005F8000-memory.dmp
    Filesize

    2.0MB