Overview

overview

10

Static

static

WT-163WP.iso

windows10-2004-x64

10

Resubmissions

09-12-2022 21:31

221209-1c7lnsed59 10

01-12-2022 01:51

221201-b99d4ade82 10

01-12-2022 01:46

221201-b7b1tagf7t 3

Analysis

  • max time kernel
    150s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-12-2022 01:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WT-163WP.iso

  • Size

    101.2MB

  • MD5

    b650be9066248fd19bf55295a3dd91c1

  • SHA1

    08dbe772979f2cf9b70637ecb4fbed0a29517b4a

  • SHA256

    ad914a64e27ceb65f105dda2b9333507503acf7b5dfa24dcaf0eebed70e10c9b

  • SHA512

    cd2dbb0d4addb80ff59126febd145b6a127378a6eadb18bdc3bffe8eab54b2db71352920c12be1882df88aa2eb8bd5b1d3b38124a4d607fabfd4194f380c3aaf

  • SSDEEP

    24576:xFolOZ7iwCywfHH3vwLwZ0RV9Z0OEdMddz52kqAaBJP8fnLJ518VCqoI2ytH2:xFolOZ7iwCywfHH3vwLwDuDHAH2

Score
10/10
qakbotobama2241669794048bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

404.46

Botnet

obama224

Campaign

1669794048

C2

75.161.233.194:995

216.82.134.218:443

174.104.184.149:443

173.18.126.3:443

87.202.101.164:50000

172.90.139.138:2222

184.153.132.82:443

185.135.120.81:443

24.228.132.224:2222

87.223.84.190:443

178.153.195.40:443

24.64.114.59:2222

77.126.81.208:443

75.99.125.235:2222

173.239.94.212:443

98.145.23.67:443

109.177.245.176:2222

72.200.109.104:443

12.172.173.82:993

82.11.242.219:443
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 3 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\WT-163WP.iso
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:2372
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2404
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "E:\WP.vbs"
      1⤵
      • Checks computer location settings
      • Enumerates connected drives
      • Suspicious use of WriteProcessMemory
      PID:2556
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass metaphysic\\theologian.ps1
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3676
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\system32\rundll32.exe" C:\users\public\arsonistEfficaciously.txt DrawThemeIcon
          3⤵
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:4592
          • C:\Windows\SysWOW64\wermgr.exe
            C:\Windows\SysWOW64\wermgr.exe
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:4676
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "E:\WP.vbs"
      1⤵
      • Checks computer location settings
      • Enumerates connected drives
      • Suspicious use of WriteProcessMemory
      PID:4796
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass metaphysic\\theologian.ps1
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1064
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\system32\rundll32.exe" C:\users\public\arsonistEfficaciously.txt DrawThemeIcon
          3⤵
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:3344
          • C:\Windows\SysWOW64\wermgr.exe
            C:\Windows\SysWOW64\wermgr.exe
            4⤵
              PID:2164
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "E:\WP.vbs"
        1⤵
        • Checks computer location settings
        • Enumerates connected drives
        • Suspicious use of WriteProcessMemory
        PID:2332
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass metaphysic\\theologian.ps1
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2852
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\system32\rundll32.exe" C:\users\public\arsonistEfficaciously.txt DrawThemeIcon
            3⤵
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:4628
            • C:\Windows\SysWOW64\wermgr.exe
              C:\Windows\SysWOW64\wermgr.exe
              4⤵
                PID:4536

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Credential Access

        Discovery

        Query Registry

        2
        T1012

        System Information Discovery

        3
        T1082

        Peripheral Device Discovery

        1
        T1120

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
          Filesize

          1KB

          MD5

          def65711d78669d7f8e69313be4acf2e

          SHA1

          6522ebf1de09eeb981e270bd95114bc69a49cda6

          SHA256

          aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

          SHA512

          05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
          Filesize

          53KB

          MD5

          d4d8cef58818612769a698c291ca3b37

          SHA1

          54e0a6e0c08723157829cea009ec4fe30bea5c50

          SHA256

          98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

          SHA512

          f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

          Download Submit
        • C:\Users\Public\arsonistEfficaciously.txt
          Filesize

          577KB

          MD5

          a8c6be5d4821e00f7c3be140bd097493

          SHA1

          3f43db3e6862f64d51b95105c196204a956c2a4b

          SHA256

          41c245c859bad2bfce11d9a13d14925b7e31968587e32e6c523b2679673bab03

          SHA512

          b1355dff2e69f3a8ff858fd77b411bf437e26750a503ab8231a7444be5d2b1dde62b6f5d16708f0cb5ed0718a44ec30b306f3ef97ff15ebe423e1fec9aea13ae

          Download Submit
        • C:\Users\Public\arsonistEfficaciously.txt
          Filesize

          577KB

          MD5

          a8c6be5d4821e00f7c3be140bd097493

          SHA1

          3f43db3e6862f64d51b95105c196204a956c2a4b

          SHA256

          41c245c859bad2bfce11d9a13d14925b7e31968587e32e6c523b2679673bab03

          SHA512

          b1355dff2e69f3a8ff858fd77b411bf437e26750a503ab8231a7444be5d2b1dde62b6f5d16708f0cb5ed0718a44ec30b306f3ef97ff15ebe423e1fec9aea13ae

          Download Submit
        • C:\Users\Public\arsonistEfficaciously.txt
          Filesize

          577KB

          MD5

          a8c6be5d4821e00f7c3be140bd097493

          SHA1

          3f43db3e6862f64d51b95105c196204a956c2a4b

          SHA256

          41c245c859bad2bfce11d9a13d14925b7e31968587e32e6c523b2679673bab03

          SHA512

          b1355dff2e69f3a8ff858fd77b411bf437e26750a503ab8231a7444be5d2b1dde62b6f5d16708f0cb5ed0718a44ec30b306f3ef97ff15ebe423e1fec9aea13ae

          Download Submit
        • C:\users\public\arsonistEfficaciously.txt
          Filesize

          577KB

          MD5

          a8c6be5d4821e00f7c3be140bd097493

          SHA1

          3f43db3e6862f64d51b95105c196204a956c2a4b

          SHA256

          41c245c859bad2bfce11d9a13d14925b7e31968587e32e6c523b2679673bab03

          SHA512

          b1355dff2e69f3a8ff858fd77b411bf437e26750a503ab8231a7444be5d2b1dde62b6f5d16708f0cb5ed0718a44ec30b306f3ef97ff15ebe423e1fec9aea13ae

          Download Submit
        • C:\users\public\arsonistEfficaciously.txt
          Filesize

          577KB

          MD5

          a8c6be5d4821e00f7c3be140bd097493

          SHA1

          3f43db3e6862f64d51b95105c196204a956c2a4b

          SHA256

          41c245c859bad2bfce11d9a13d14925b7e31968587e32e6c523b2679673bab03

          SHA512

          b1355dff2e69f3a8ff858fd77b411bf437e26750a503ab8231a7444be5d2b1dde62b6f5d16708f0cb5ed0718a44ec30b306f3ef97ff15ebe423e1fec9aea13ae

          Download Submit
        • C:\users\public\arsonistEfficaciously.txt
          Filesize

          577KB

          MD5

          a8c6be5d4821e00f7c3be140bd097493

          SHA1

          3f43db3e6862f64d51b95105c196204a956c2a4b

          SHA256

          41c245c859bad2bfce11d9a13d14925b7e31968587e32e6c523b2679673bab03

          SHA512

          b1355dff2e69f3a8ff858fd77b411bf437e26750a503ab8231a7444be5d2b1dde62b6f5d16708f0cb5ed0718a44ec30b306f3ef97ff15ebe423e1fec9aea13ae

          Download Submit
        • C:\users\public\arsonistEfficaciously.txt
          Filesize

          4KB

          MD5

          4506b4c74746144031e742f667992ba9

          SHA1

          3c403d161a8ef03647026c75886b19b5e9cd02f6

          SHA256

          03ceb3ba15e810310dc24305ca2b8d5439e93058320c74b6c3665fb31ffc2585

          SHA512

          60f4b81d667173dac0e732858b0b28d6a1becb3a3d9f2193540c8384f73015a2539855c5a13291afef73076737c3186ff1803f4edee23a2fe7e1b97729fc636f

          Download Submit
        • C:\users\public\arsonistEfficaciously.txt
          Filesize

          4KB

          MD5

          4506b4c74746144031e742f667992ba9

          SHA1

          3c403d161a8ef03647026c75886b19b5e9cd02f6

          SHA256

          03ceb3ba15e810310dc24305ca2b8d5439e93058320c74b6c3665fb31ffc2585

          SHA512

          60f4b81d667173dac0e732858b0b28d6a1becb3a3d9f2193540c8384f73015a2539855c5a13291afef73076737c3186ff1803f4edee23a2fe7e1b97729fc636f

          Download Submit
        • memory/1064-142-0x0000000006C00000-0x0000000006C22000-memory.dmp
          Filesize

          136KB

          Download
        • memory/1064-135-0x0000000000000000-mapping.dmp
          Download
        • memory/1064-137-0x0000000005F00000-0x0000000005F66000-memory.dmp
          Filesize

          408KB

          Download
        • memory/1064-138-0x0000000005F70000-0x0000000005FD6000-memory.dmp
          Filesize

          408KB

          Download
        • memory/1064-140-0x0000000007650000-0x00000000076E6000-memory.dmp
          Filesize

          600KB

          Download
        • memory/2164-169-0x00000000003A0000-0x00000000003CA000-memory.dmp
          Filesize

          168KB

          Download
        • memory/2164-161-0x0000000000000000-mapping.dmp
          Download
        • memory/2852-144-0x0000000000000000-mapping.dmp
          Download
        • memory/3344-157-0x0000000000760000-0x000000000078A000-memory.dmp
          Filesize

          168KB

          Download
        • memory/3344-164-0x0000000000760000-0x000000000078A000-memory.dmp
          Filesize

          168KB

          Download
        • memory/3344-149-0x0000000000000000-mapping.dmp
          Download
        • memory/3676-143-0x0000000007830000-0x0000000007DD4000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/3676-139-0x0000000005E60000-0x0000000005E7E000-memory.dmp
          Filesize

          120KB

          Download
        • memory/3676-132-0x0000000000000000-mapping.dmp
          Download
        • memory/3676-141-0x0000000006520000-0x000000000653A000-memory.dmp
          Filesize

          104KB

          Download
        • memory/3676-136-0x0000000005100000-0x0000000005122000-memory.dmp
          Filesize

          136KB

          Download
        • memory/3676-133-0x00000000026A0000-0x00000000026D6000-memory.dmp
          Filesize

          216KB

          Download
        • memory/3676-134-0x00000000051C0000-0x00000000057E8000-memory.dmp
          Filesize

          6.2MB

          Download
        • memory/4536-160-0x0000000000000000-mapping.dmp
          Download
        • memory/4536-168-0x0000000001000000-0x000000000102A000-memory.dmp
          Filesize

          168KB

          Download
        • memory/4592-150-0x0000000000000000-mapping.dmp
          Download
        • memory/4592-165-0x0000000002CF0000-0x0000000002D1A000-memory.dmp
          Filesize

          168KB

          Download
        • memory/4592-158-0x0000000002CF0000-0x0000000002D1A000-memory.dmp
          Filesize

          168KB

          Download
        • memory/4592-156-0x0000000002BC0000-0x0000000002BED000-memory.dmp
          Filesize

          180KB

          Download
        • memory/4628-163-0x0000000000C10000-0x0000000000C3A000-memory.dmp
          Filesize

          168KB

          Download
        • memory/4628-159-0x0000000000C10000-0x0000000000C3A000-memory.dmp
          Filesize

          168KB

          Download
        • memory/4628-148-0x0000000000000000-mapping.dmp
          Download
        • memory/4676-162-0x0000000000000000-mapping.dmp
          Download
        • memory/4676-170-0x0000000000E00000-0x0000000000E2A000-memory.dmp
          Filesize

          168KB

          Download
        • memory/4676-171-0x0000000000E00000-0x0000000000E2A000-memory.dmp
          Filesize

          168KB

          Download