Overview

overview

10

Static

static

7965/3601.js

windows7-x64

3

7965/3601.js

windows10-2004-x64

1

7965/6388.cmd

windows7-x64

1

7965/6388.cmd

windows10-2004-x64

1

7965/usurpers.dll

windows7-x64

10

7965/usurpers.dll

windows10-2004-x64

10

ContractCopy.lnk

windows7-x64

10

ContractCopy.lnk

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-10-2022 22:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ContractCopy.lnk

  • Size

    1KB

  • MD5

    c4a27e331d90565b9c5c41df4f8521c2

  • SHA1

    fd82da522c132784bd65848f5e782fc99ce9ccc5

  • SHA256

    c26d8122378f47949e55d83eed5de107e7a2d08b1a6b5826d185458fa6142309

  • SHA512

    9098dfd1c7c35c718b7697a754519d4ae2e7311a4790fbaba6e7395f24abf3a6a9e6d5c7d593034cf75022534566c99f4695c65db4c89df2e457048e446404d8

Score
10/10
qakbotbankerstealertrojan

Malware Config

Extracted

Family

qakbot

C2

156.36.22.250:12263

73.225.210.175:40922

19.138.81.187:38748

191.101.43.136:10968

145.20.244.169:39814

74.30.254.35:15530

138.94.26.23:49965

218.175.98.133:15428

181.245.40.43:1982

24.10.174.212:30807

253.219.195.173:1546

51.182.7.163:21304

191.68.117.56:28754

246.29.132.217:16625

149.181.112.217:33637

136.20.21.112:41199

80.65.15.199:35765

0.222.227.111:63041

209.240.1.52:53226

66.57.60.202:19263
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\ContractCopy.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:396
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c %cd%\7965\3601.js
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4460
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7965\3601.js"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4604
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7965\6388.cmd" reg sv"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4924
          • C:\Windows\system32\regsvr32.exe
            regsvr32 7965\usurpers.dat
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4504
            • C:\Windows\SysWOW64\regsvr32.exe
              7965\usurpers.dat
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:4216
              • C:\Windows\SysWOW64\wermgr.exe
                C:\Windows\SysWOW64\wermgr.exe
                7⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:1500

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1500-141-0x0000000000000000-mapping.dmp

    Download

  • memory/1500-144-0x00000000012C0000-0x00000000012E2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1500-143-0x00000000012C0000-0x00000000012E2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4216-138-0x0000000002840000-0x0000000002862000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4216-136-0x0000000000000000-mapping.dmp

    Download

  • memory/4216-137-0x0000000000910000-0x00000000009CF000-memory.dmp

    Filesize

    764KB

    Download

  • memory/4216-139-0x00000000027D0000-0x0000000002811000-memory.dmp

    Filesize

    260KB

    Download

  • memory/4216-140-0x0000000002840000-0x0000000002862000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4216-142-0x0000000002840000-0x0000000002862000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4460-132-0x0000000000000000-mapping.dmp

    Download

  • memory/4504-135-0x0000000000000000-mapping.dmp

    Download

  • memory/4604-133-0x0000000000000000-mapping.dmp

    Download

  • memory/4924-134-0x0000000000000000-mapping.dmp

    Download