Analysis
-
max time kernel
81s -
max time network
183s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
-
submitted
24-07-2022 14:32
General
-
Target
f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe
-
Size
520KB
-
MD5
534394261be4f63a4b59501be880ee5d
-
SHA1
2909b52711253adf9e475a0f4ba487402f634298
-
SHA256
f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f
-
SHA512
75b86c62eae4b76ec42c749805a9c27e10c78ff8332509b81688c34b5e1fa1fcb9174121415398595eb7aa60d8d9aab361dbd43f978c807dc433f485bd20b57b
Malware Config
Extracted
qakbot
322.742
hhh23
1554720361
Protocol: ftp- Host:
192.185.5.208 - Port:
21 - Username:
logger@dustinkeeling.com - Password:
NxdkxAp4dUsY
Protocol: ftp- Host:
162.241.218.118 - Port:
21 - Username:
logger@misterexterior.com - Password:
EcOV0DyGVgVN
Protocol: ftp- Host:
69.89.31.139 - Port:
21 - Username:
cpanel@vivekharris-architects.com - Password:
fcR7OvyLrMW6!
Protocol: ftp- Host:
169.207.67.14 - Port:
21 - Username:
cpanel@dovetailsolar.com - Password:
eQyicNLzzqPN
184.186.76.228:80
65.153.32.170:443
65.116.179.83:443
100.16.222.65:443
148.240.66.99:6881
172.78.85.124:443
71.210.140.93:995
72.29.181.77:2078
162.237.221.101:443
70.105.162.74:995
192.198.85.26:443
24.73.69.42:443
190.120.196.18:995
67.202.178.142:443
208.69.72.135:2222
69.159.223.202:443
174.48.72.160:443
75.183.171.155:3389
81.103.144.77:443
76.27.113.181:995
Signatures
-
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe"C:\Users\Admin\AppData\Local\Temp\f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exeC:\Users\Admin\AppData\Local\Temp\f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe /C2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping.exe -n 6 127.0.0.13⤵
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1720-141-0x0000000000000000-mapping.dmp
-
memory/1944-135-0x0000000000000000-mapping.dmp
-
memory/1944-140-0x0000000002140000-0x00000000021B5000-memory.dmpFilesize
468KB
-
memory/2236-142-0x0000000000000000-mapping.dmp
-
memory/3528-130-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/3528-134-0x0000000002290000-0x0000000002305000-memory.dmpFilesize
468KB