Analysis

  • max time kernel
    143s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-11-2022 13:39

General

  • Target
    AVC67.iso
  • Size
    742KB
  • MD5
    685f279b87a90a7fad35d2c36ac25b10
  • SHA1
    767f16470c4bf219cb5d35226b1eec6ab93a6cca
  • SHA256
    c62bad06cef065e8baee469fb0de8c34ce9b994cce656f1842e228bf903fda7d
  • SHA512
    3fc74eebb8fabc7c06ee585c09ab54cdb3f3c9d6e01201770332f7ea0cee608589c12b3592a845b994e8fcd1356b740c5ad48d89b3d2ac841d509d91c1561326
  • SSDEEP
    12288:FNCm1Mcw5EO6dHvDe0P3lx5EBto8BkfzNbuTyGrC6N2c2mcsAMzxGBRA4cZDNgvN:FN5MFEO6dHvDe0P335EXpUNSleQ2cYi8

Malware Config

Extracted

Family

qakbot

Version

404.46

Botnet

BB08

Campaign

1669628564

C2


Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Checks computer location settings (2 TTPs, 1 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL (1 IoCs)
  • Enumerates connected drives (3 TTPs, 1 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class (1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: MapViewOfSection (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\AVC67.iso
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:632
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3080
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "E:\AS.js"
      1⤵
      • Checks computer location settings
      • Enumerates connected drives
      • Suspicious use of WriteProcessMemory
      PID:1564
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass peseta\persistence.ps1
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1376
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\system32\rundll32.exe" C:\users\public\test1.txt DrawThemeIcon
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3272
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\system32\rundll32.exe" C:\users\public\test1.txt DrawThemeIcon
            4⤵
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:4396
            • C:\Windows\SysWOW64\wermgr.exe
              C:\Windows\SysWOW64\wermgr.exe
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:3060

    Network

    MITRE ATT&CK Matrix (ATT&CK v6)

    Discovery
    • Query Registry (2 signatures) T1012
    • System Information Discovery (3 signatures) T1082
    • Peripheral Device Discovery (1 signature) T1120

    Downloads

    • C:\Users\Public\test1.txt
      Filesize

      472KB

      MD5

      c89575b2d429b29a9d434d4a089f34f9

      SHA1

      4eea86d109a16d930ed7c2dee480dec926d68a49

      SHA256

      9d91fd2db63d8227afad1b24ba15e8c1edf28d01152efa91402efa7872c2200c

      SHA512

      83e464a3b042445d6fdee7a612b45292d1360f6e68ccd03bf83024be15aadff8756748bead37193f6d5916da2549e9eba98f76a541bc6f6f766a8ea694feaa3c

    • memory/1376-133-0x0000024A57D30000-0x0000024A57D52000-memory.dmp
      Filesize

      136KB

    • memory/1376-134-0x00007FFE90550000-0x00007FFE91011000-memory.dmp
      Filesize

      10.8MB

    • memory/1376-132-0x0000000000000000-mapping.dmp
    • memory/1376-138-0x00007FFE90550000-0x00007FFE91011000-memory.dmp
      Filesize

      10.8MB

    • memory/3060-142-0x0000000000000000-mapping.dmp
    • memory/3060-145-0x0000000000C50000-0x0000000000C7A000-memory.dmp
      Filesize

      168KB

    • memory/3060-144-0x0000000000C50000-0x0000000000C7A000-memory.dmp
      Filesize

      168KB

    • memory/3272-135-0x0000000000000000-mapping.dmp
    • memory/4396-141-0x00000000023C0000-0x00000000023EA000-memory.dmp
      Filesize

      168KB

    • memory/4396-143-0x00000000023C0000-0x00000000023EA000-memory.dmp
      Filesize

      168KB

    • memory/4396-140-0x0000000002390000-0x00000000023BA000-memory.dmp
      Filesize

      168KB

    • memory/4396-137-0x0000000000000000-mapping.dmp