Analysis
-
max time kernel
600s -
max time network
603s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
18-08-2022 14:05
General
-
Target
01970422_890527.lnk
-
Size
1KB
-
MD5
76390978f26d3c6d7f799257542796ce
-
SHA1
4d3efb8f9db9519160fe13f79ef5be1c041eed0e
-
SHA256
03160be7cb698e1684f47071cb441ff181ff299cb38429636d11542ba8d306ae
-
SHA512
8c6243c7a93974dbf1a6878fbb2ad89861a4b960fb5262ba6c0e6274f78fcf93c90e80d1f007b9a6e3deafd53969fffb8f2e66adfd0e10c19fe7f65e4c597779
Malware Config
Extracted
qakbot
403.694
obama186
1654596660
67.165.206.193:993
63.143.92.99:995
74.14.5.179:2222
182.191.92.203:995
197.89.8.51:443
89.101.97.139:443
86.97.9.190:443
124.40.244.115:2222
80.11.74.81:2222
41.215.153.104:995
179.100.20.32:32101
31.35.28.29:443
202.134.152.2:2222
109.12.111.14:443
93.48.80.198:995
120.150.218.241:995
41.38.167.179:995
177.94.57.126:32101
173.174.216.62:443
1.161.101.20:443
-
salt
jHxastDcds)oMc=jvh7wdUhxcsdt2
Signatures
-
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
-
Windows security bypass 2 TTPs 4 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Drops file in System32 directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 20 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\01970422_890527.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" 019338921.dll,DllInstall2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" 019338921.dll,DllInstall3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ljuhhvnpmp /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\019338921.dll\"" /SC ONCE /Z /ST 14:10 /ET 14:225⤵
- Creates scheduled task(s)
-
C:\Windows\system32\regsvr32.exeregsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\019338921.dll"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe-s "C:\Users\Admin\AppData\Local\Temp\019338921.dll"2⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Jpqfhem" /d "0"4⤵
- Windows security bypass
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Qhjoyvjzmjst" /d "0"4⤵
- Windows security bypass
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\019338921.dllFilesize
1.4MB
MD57bbeafc1ab9f9d1a48a99338ffec561c
SHA1a4ce6de223addbdc66e747d3abd00b9f190fb5cb
SHA256fca807ab91e7328195cafebe5761402f4d7066aef4c766c78a37f2c27fcf812c
SHA512a32b34d9c03b6a1eaa1d409968d6d211a22320cc8b46955f8cda156f4956ea4a3d2e6d0a5fd8578e274e67db36e2696a7e8722647313333d3b7825d3e3a2c263
-
C:\Users\Admin\AppData\Local\Temp\019338921.dllFilesize
1.4MB
MD57bbeafc1ab9f9d1a48a99338ffec561c
SHA1a4ce6de223addbdc66e747d3abd00b9f190fb5cb
SHA256fca807ab91e7328195cafebe5761402f4d7066aef4c766c78a37f2c27fcf812c
SHA512a32b34d9c03b6a1eaa1d409968d6d211a22320cc8b46955f8cda156f4956ea4a3d2e6d0a5fd8578e274e67db36e2696a7e8722647313333d3b7825d3e3a2c263
-
\??\PIPE\wkssvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/424-151-0x0000000000000000-mapping.dmp
-
memory/1456-139-0x0000000000000000-mapping.dmp
-
memory/3880-154-0x0000000000C00000-0x0000000000C22000-memory.dmpFilesize
136KB
-
memory/3880-153-0x0000000000C00000-0x0000000000C22000-memory.dmpFilesize
136KB
-
memory/3880-148-0x0000000000000000-mapping.dmp
-
memory/4496-152-0x0000000000000000-mapping.dmp
-
memory/4836-137-0x0000000000000000-mapping.dmp
-
memory/4836-141-0x0000000000550000-0x0000000000572000-memory.dmpFilesize
136KB
-
memory/4836-140-0x0000000000550000-0x0000000000572000-memory.dmpFilesize
136KB
-
memory/4896-132-0x0000000000000000-mapping.dmp
-
memory/4960-136-0x0000000002F40000-0x0000000002F62000-memory.dmpFilesize
136KB
-
memory/4960-138-0x0000000002F40000-0x0000000002F62000-memory.dmpFilesize
136KB
-
memory/4960-135-0x0000000002EF0000-0x0000000002F1D000-memory.dmpFilesize
180KB
-
memory/4960-134-0x0000000002F40000-0x0000000002F62000-memory.dmpFilesize
136KB
-
memory/4960-133-0x0000000000000000-mapping.dmp
-
memory/5044-146-0x0000000001B20000-0x0000000001B4D000-memory.dmpFilesize
180KB
-
memory/5044-147-0x0000000001B70000-0x0000000001B92000-memory.dmpFilesize
136KB
-
memory/5044-145-0x0000000001B70000-0x0000000001B92000-memory.dmpFilesize
136KB
-
memory/5044-150-0x0000000001B70000-0x0000000001B92000-memory.dmpFilesize
136KB
-
memory/5044-143-0x0000000000000000-mapping.dmp