0d055d602cf947aaeb575e8252466d83d851937e6c3c861b86a374bce8dda33f

Analysis

max time kernel
142s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2022, 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

qbotagain.js
Size

114KB
MD5

c030a938b6bebf1c124656ca120c741a
SHA1

bd869324ed7bd891ffd4d9907c890e7635e121a5
SHA256

0d055d602cf947aaeb575e8252466d83d851937e6c3c861b86a374bce8dda33f
SHA512

971776f1fed61bb48b5c902a9bd4d32d8282be18840c2c003ff57202acff9a825b5dc13c4e0e43047a4b818943af80068d183e3be8eea68a858c00c4d7731913
SSDEEP

1536:Vhoco1LtLgG4c3rWpY0Ji9oW/Vb5g8oXe4ntHJQQfzWZiZZuYoVzm+QUklu8uWzd:Ve6c6pYb9bx3sHCvVz4u8PzNrnc

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
16	2828	wscript.exe
18	2828	wscript.exe
20	2828	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
944	PING.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 3244	2828	wscript.exe	87
PID 2828 wrote to memory of 3244	2828	wscript.exe	87
PID 3244 wrote to memory of 944	3244	cmd.exe	89
PID 3244 wrote to memory of 944	3244	cmd.exe	89
PID 3244 wrote to memory of 3356	3244	cmd.exe	94
PID 3244 wrote to memory of 3356	3244	cmd.exe	94

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\qbotagain.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping go.com && regsvr32 _Vkc.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3244
- - C:\Windows\system32\PING.EXE
    ping go.com
    3⤵
    - Runs ping.exe
    PID:944
- - C:\Windows\system32\regsvr32.exe
    regsvr32 _Vkc.dll
    3⤵
    PID:3356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...