Analysis

  • max time kernel
    135s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    05-02-2022 17:29

General

  • Target

    2a3915d38dcc4e9897a62ff014b6adcebdfd4f4d55c907329ad539d1d13784dd.exe

  • Size

    2.3MB

  • MD5

    51ef7ab29ff078954cde12e57af0c290

  • SHA1

    f7dbe4d2f84d55a2f85baf5b58e6a452e04007fc

  • SHA256

    2a3915d38dcc4e9897a62ff014b6adcebdfd4f4d55c907329ad539d1d13784dd

  • SHA512

    ead5962cf7057b102d9dfe38187df0e4e90b75f08ae53a85603e6b224fa228b8b56c8f7290b3642e6c28d6dd66c47b9a5ebf19fd7321b3fa93535f4c9e438fec

Malware Config

Extracted

Family

qakbot

Version

324.127

Botnet

spx98

Campaign

1587042061

C2

24.37.178.158:990

24.110.96.149:443

68.1.171.93:443

24.210.45.215:443

77.159.149.74:443

72.190.101.70:443

71.187.170.235:443

24.110.14.40:443

46.102.52.24:443

96.234.20.230:443

184.57.17.74:443

47.153.115.154:993

72.142.106.198:995

12.5.37.3:443

168.103.52.51:995

216.163.4.91:443

100.4.185.8:443

72.172.49.164:443

5.2.149.216:443

47.202.98.230:443

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2a3915d38dcc4e9897a62ff014b6adcebdfd4f4d55c907329ad539d1d13784dd.exe
    "C:\Users\Admin\AppData\Local\Temp\2a3915d38dcc4e9897a62ff014b6adcebdfd4f4d55c907329ad539d1d13784dd.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1312
    • C:\Users\Admin\AppData\Local\Temp\2a3915d38dcc4e9897a62ff014b6adcebdfd4f4d55c907329ad539d1d13784dd.exe
      C:\Users\Admin\AppData\Local\Temp\2a3915d38dcc4e9897a62ff014b6adcebdfd4f4d55c907329ad539d1d13784dd.exe /C
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1184
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\2a3915d38dcc4e9897a62ff014b6adcebdfd4f4d55c907329ad539d1d13784dd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1576
      • C:\Windows\SysWOW64\PING.EXE
        ping.exe -n 6 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1696

Network

MITRE ATT&CK Matrix ATT&CK v6

Discovery

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1184-57-0x0000000000400000-0x0000000000649000-memory.dmp
    Filesize

    2.3MB

  • memory/1312-53-0x0000000075D51000-0x0000000075D53000-memory.dmp
    Filesize

    8KB

  • memory/1312-54-0x00000000007E0000-0x0000000000819000-memory.dmp
    Filesize

    228KB

  • memory/1312-55-0x0000000000400000-0x0000000000649000-memory.dmp
    Filesize

    2.3MB