Analysis

  • max time kernel
    1558s
  • max time network
    1512s
  • platform
    windows10-1703_x64
  • resource
    win10-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    23-09-2022 06:29

General

  • Target

    aggravates.dll

  • Size

    849KB

  • MD5

    e22a4ef15b7c6c9eb884e445cefa2ef9

  • SHA1

    b9da48940ae7e41de7bc6c0909ab53465d05e3c7

  • SHA256

    5e5c55c133d644de044f5bcb782b618fd188a1c6ca707298815ab23295fb43c1

  • SHA512

    3cc653b343d7f972d823e42bda4150c0747f81617b4f795e2724dfa4f0f0f10756fc068feaeedeb69ef7b4bdcd931908c5cfb0f1e8a170925915a771ff1738f8

  • SSDEEP

    12288:VByskGoWHwa0nZXKlhb/H9TT+iTojfQCA3kptT68JtQrB5UT+QD1lNMABa:SnEjYNAeh4X668JA5w9Mqa

Malware Config

Extracted

Family

qakbot

Version

403.895

Botnet

BB

Campaign

1663698873

C2


Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Program crash 1 IoCs
  • Discovers systems in the same network 1 TTPs 1 IoCs
  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\aggravates.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2796
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\aggravates.dll,#1
      2⤵
      PID:348
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 348 -s 708
        3⤵
        • Program crash
        PID:2952
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3712
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3612
    • C:\Windows\system32\regsvr32.exe
      regsvr32 aggravates.dll
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3604
      • C:\Windows\SysWOW64\regsvr32.exe
        aggravates.dll
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:3832
        • C:\Windows\SysWOW64\wermgr.exe
          C:\Windows\SysWOW64\wermgr.exe
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4304
          • C:\Windows\SysWOW64\net.exe
            net view
            5⤵
            • Discovers systems in the same network
            PID:3336
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c set
            5⤵
            PID:908
          • C:\Windows\SysWOW64\arp.exe
            arp -a
            5⤵
            PID:4928
          • C:\Windows\SysWOW64\ipconfig.exe
            ipconfig /all
            5⤵
            • Gathers network information
            PID:1020
          • C:\Windows\SysWOW64\nslookup.exe
            nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP
            5⤵
            PID:3944
          • C:\Windows\SysWOW64\net.exe
            net share
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:5036
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 share
              6⤵
              PID:3380
          • C:\Windows\SysWOW64\route.exe
            route print
            5⤵
            PID:4560
          • C:\Windows\SysWOW64\netstat.exe
            netstat -nao
            5⤵
            • Gathers network information
            • Suspicious use of AdjustPrivilegeToken
            PID:3000
          • C:\Windows\SysWOW64\net.exe
            net localgroup
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4024
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 localgroup
              6⤵
              PID:4728
          • C:\Windows\SysWOW64\whoami.exe
            whoami /all
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3516
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2332

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution
    Command-Line Interface (T1059): 1
  • Discovery
    Remote System Discovery (T1018): 1
    System Information Discovery (T1082): 1

Downloads
