Resubmissions

18-11-2022 21:52

221118-1q7tlahh95 10

18-11-2022 20:51

221118-znmj7sca2s 3

Analysis

  • max time kernel
    1846s
  • max time network
    1833s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-11-2022 21:52

General

  • Target

    OB76.iso

  • Size

    842KB

  • MD5

    e44811e8afd7e0227dfa35ff28643752

  • SHA1

    6378e72d856b153affaf3caf44a89f19b008f1a8

  • SHA256

    5a0f6ebc772c3a8897ba35aafba430f1fd262320f290b42764988d2c9c5454f4

  • SHA512

    14a50038fc9d8aed163b88861f5ecc346d0a1b7f25988d061f530b48c5143bd9131740a5468a5cf9caf831165f5cea294802b32d8ce2072cecfcd4541e494550

  • SSDEEP

    24576:ENdpWbYGQajBp6Pi1YWaw46K8zWcCTiUQsC3:YUbzQaNpx1DaIK8Iq3

Malware Config

Extracted

Family

qakbot

Version

404.30

Botnet

BB06

Campaign

1668752705

C2

Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives 3 TTPs 4 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Discovers systems in the same network 1 TTPs 1 IoCs
  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Modifies registry class 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\OB76.iso
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:3276
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3096
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "E:\SK.js"
    1⤵
    • Checks computer location settings
    • Enumerates connected drives
    • Suspicious use of WriteProcessMemory
    PID:3464
      • C:\Windows\System32\regsvr32.exe
        "C:\Windows\System32\regsvr32.exe" manacle\wined.temp
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3104
          • C:\Windows\SysWOW64\regsvr32.exe
            manacle\wined.temp
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:1972
              • C:\Windows\SysWOW64\wermgr.exe
                C:\Windows\SysWOW64\wermgr.exe
                4⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:3184
                  • C:\Windows\SysWOW64\net.exe
                    net view
                    5⤵
                    • Discovers systems in the same network
                    PID:4780
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c set
                    5⤵
                    PID:2544
                  • C:\Windows\SysWOW64\arp.exe
                    arp -a
                    5⤵
                    PID:4588
                  • C:\Windows\SysWOW64\ipconfig.exe
                    ipconfig /all
                    5⤵
                    • Gathers network information
                    PID:3968
                  • C:\Windows\SysWOW64\nslookup.exe
                    nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP
                    5⤵
                    PID:4516
                  • C:\Windows\SysWOW64\net.exe
                    net share
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1512
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 share
                        6⤵
                        PID:1032
                  • C:\Windows\SysWOW64\route.exe
                    route print
                    5⤵
                    PID:2000
                  • C:\Windows\SysWOW64\netstat.exe
                    netstat -nao
                    5⤵
                    • Gathers network information
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2552
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2188
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 localgroup
                        6⤵
                        PID:3012
                  • C:\Windows\SysWOW64\whoami.exe
                    whoami /all
                    5⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1924
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" E:\manacle\hinged.txt
    1⤵
    • Enumerates connected drives
    PID:384
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" E:\manacle\unquestioningly.txt
    1⤵
    • Enumerates connected drives
    PID:3276
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3632
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" E:\manacle\wined.temp
        2⤵
        • Enumerates connected drives
        PID:4372
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2312
