Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

Calculation.lnk

windows7-x64

10

Calculation.lnk

windows10-2004-x64

10

vertices/a...al.cmd

windows7-x64

1

vertices/a...al.cmd

windows10-2004-x64

1

vertices/b...ll.dll

windows7-x64

10

vertices/b...ll.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    41s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    19/10/2022, 15:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Calculation.lnk

  • Size

    1KB

  • MD5

    9ff4d8fdc5288f2c110d40c80c4dcc25

  • SHA1

    522c827b70102c114c3efbe0e8dacf71ca7ce2b5

  • SHA256

    6bcfce0c879a9fb19af5860fc8cad59149dbfe003e6b330f04ee25fd37554ee4

  • SHA512

    563faf37901162d8e79efcbe94db9123a2e1987e2f1cf22fa9e47722ca019736422c1c1d4fceb14a9f31102acbaf3cba6bf96a83e4f7d6a9ad0b6a077ecf9c00

Score
10/10
qakbotobama2141666019778bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

403.973

Botnet

obama214

Campaign

1666019778

C2

105.96.221.136:443

37.37.80.2:3389

105.154.56.232:995

41.107.116.19:443

105.103.52.189:443

159.192.204.135:443

41.107.58.251:443

177.152.65.142:443

102.47.218.41:443

176.45.35.243:443

70.173.248.13:443

102.159.77.134:995

220.123.29.76:443

82.12.196.197:443

103.156.237.71:443

149.126.159.254:443

176.44.119.153:443

181.56.171.3:995

190.205.229.67:2222

151.251.50.117:443
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Calculation.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:576
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vertices\asteroidal.cmd regsvr
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1104
      • C:\Users\Admin\AppData\Local\Temp\mb.exe
        C:\Users\Admin\AppData\Local\Temp\mb.exe vertices\bombshell.asc
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2040
        • C:\Windows\SysWOW64\regsvr32.exe
          vertices\bombshell.asc
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1260
          • C:\Windows\SysWOW64\wermgr.exe
            C:\Windows\SysWOW64\wermgr.exe
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:972
      • C:\Windows\system32\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1128

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\mb.exe
    Filesize

    19KB

    MD5

    59bce9f07985f8a4204f4d6554cff708

    SHA1

    645c424974fbe5fe7a04cac73f1c23c96e1570b8

    SHA256

    ca24aef558647274d019dfb4d7fd1506d84ec278795c30ba53b81bb36130dc57

    SHA512

    3cf5825a9c7fb80ea0bd36775a92d07f34cd3709ed2c7c8f500f1c8baa5242768f6d575bd2477b77e3f177e7a4994d5c5bddb24c6eb43b60a6bd83ea026a8198

    Download Submit

  • \Users\Admin\AppData\Local\Temp\mb.exe
    Filesize

    19KB

    MD5

    59bce9f07985f8a4204f4d6554cff708

    SHA1

    645c424974fbe5fe7a04cac73f1c23c96e1570b8

    SHA256

    ca24aef558647274d019dfb4d7fd1506d84ec278795c30ba53b81bb36130dc57

    SHA512

    3cf5825a9c7fb80ea0bd36775a92d07f34cd3709ed2c7c8f500f1c8baa5242768f6d575bd2477b77e3f177e7a4994d5c5bddb24c6eb43b60a6bd83ea026a8198

    Download Submit

  • memory/576-54-0x000007FEFBF01000-0x000007FEFBF03000-memory.dmp

    Filesize

    8KB

    Download

  • memory/972-107-0x0000000000080000-0x00000000000A9000-memory.dmp

    Filesize

    164KB

    Download

  • memory/972-106-0x0000000000080000-0x00000000000A9000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1260-98-0x0000000000200000-0x0000000000229000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1260-100-0x0000000000190000-0x00000000001BC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1260-101-0x0000000000200000-0x0000000000229000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1260-99-0x0000000000200000-0x0000000000229000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1260-104-0x0000000000200000-0x0000000000229000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1260-97-0x0000000075911000-0x0000000075913000-memory.dmp

    Filesize

    8KB

    Download