Analysis

  • max time kernel
    1205s
  • max time network
    1166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20220812-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    01/12/2022, 13:50

General

  • Target

    WP#3272.html

  • Size

    1.3MB

  • MD5

    bde0e3672c5de82a86f83c6315c2eb95

  • SHA1

    57dca61336755ce5631248e8b56642a369ffecc0

  • SHA256

    65ccb33e111a2bfe4e74dafd5c3cb62f8dc4cfedb4492785dfc2d0838841b10e

  • SHA512

    267bf372fa88917e928c5a65907fab19a9365f8f82532ea63c0edd221cd9f5882114163d9d0c31992057d5ab247bcb0dcb6e98662e18fb16e925938f5f338c45

  • SSDEEP

    12288:swiSePqm22VGDFKObVwAfqmRw696LzA9kKS9EOIWV4T9OaJn267hjmFPpQx90DLz:mJ2P9Bfq+cGNrOIWyBOD6F0o4ghBgP

Malware Config

Extracted

Family

qakbot

Version

404.46

Botnet

obama224

Campaign

1669794048

C2

75.161.233.194:995

216.82.134.218:443

174.104.184.149:443

173.18.126.3:443

87.202.101.164:50000

172.90.139.138:2222

184.153.132.82:443

185.135.120.81:443

24.228.132.224:2222

87.223.84.190:443

178.153.195.40:443

24.64.114.59:2222

77.126.81.208:443

75.99.125.235:2222

173.239.94.212:443

98.145.23.67:443

109.177.245.176:2222

72.200.109.104:443

12.172.173.82:993

82.11.242.219:443

Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP
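The extracted C2 list is the most directly actionable part of this config. The following triage helper is an added example for this report, not tria.ge code: it parses the C2 entries exactly as listed above and checks them against `netstat -nao` output (the same command the sample itself runs, see the process tree). The netstat text is constructed for illustration; PID 732 is chosen because that is the injected wermgr.exe process in this trace.

```python
"""Triage helper: check connection data against the extracted Qakbot C2 list.

Added example for this report; not tria.ge code. C2 entries are copied from
the Malware Config above. The netstat -nao output is constructed (not from
the report) to illustrate the check.
"""
import ipaddress

C2_TEXT = """
75.161.233.194:995  216.82.134.218:443  174.104.184.149:443  173.18.126.3:443
87.202.101.164:50000  172.90.139.138:2222  184.153.132.82:443  185.135.120.81:443
24.228.132.224:2222  87.223.84.190:443  178.153.195.40:443  24.64.114.59:2222
77.126.81.208:443  75.99.125.235:2222  173.239.94.212:443  98.145.23.67:443
109.177.245.176:2222  72.200.109.104:443  12.172.173.82:993  82.11.242.219:443
"""


def parse_c2(text):
    """Return a set of (ip, port) tuples. A malformed entry raises instead of
    silently shrinking the blocklist."""
    entries = set()
    for token in text.split():
        host, sep, port = token.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"bad C2 entry: {token!r}")
        entries.add((str(ipaddress.ip_address(host)), int(port)))
    return entries


# Constructed netstat -nao output (not from the report). PID 732 stands in for
# the wermgr.exe process that hosts the injected payload in the process tree.
NETSTAT_TEXT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.2.15:49712        75.161.233.194:995     SYN_SENT        732
  TCP    10.0.2.15:49715        216.82.134.218:443     ESTABLISHED     732
  TCP    10.0.2.15:49718        24.228.132.224:443     ESTABLISHED     732
  TCP    10.0.2.15:49720        13.107.4.50:443        ESTABLISHED     1388
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  UDP    0.0.0.0:500            *:*                                    1040
"""


def parse_netstat(text):
    """Parse Windows `netstat -nao` rows. TCP rows have five columns, UDP rows
    four (no State column); header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, _local, foreign, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":
            proto, _local, foreign, pid = parts
            state = ""
        else:
            continue
        host, _sep, port = foreign.rpartition(":")
        if not port.isdigit():          # "*:*" on unconnected UDP sockets
            continue
        conns.append({"proto": proto, "remote": host, "port": int(port),
                      "state": state, "pid": int(pid)})
    return conns


def match_c2(conns, c2s):
    """Exact (ip, port) hits are reported as 'c2'. A C2 IP seen on a different
    port is reported as 'c2-ip': still worth triage, since the port in a live
    connection need not match the one in the extracted config."""
    c2_ips = {ip for ip, _port in c2s}
    hits = []
    for c in conns:
        if (c["remote"], c["port"]) in c2s:
            hits.append({**c, "match": "c2"})
        elif c["remote"] in c2_ips:
            hits.append({**c, "match": "c2-ip"})
    return hits


if __name__ == "__main__":
    for hit in match_c2(parse_netstat(NETSTAT_TEXT), parse_c2(C2_TEXT)):
        print(f"PID {hit['pid']:>5}  {hit['remote']}:{hit['port']:<5} "
              f"{hit['state']:<12} {hit['match']}")
```

Matching on the IP alone is deliberately a second, lower-confidence tier: most of these C2 addresses are residential-looking hosts on ports such as 443, 995, 993 and 2222, so an IP match is a strong signal even when the port differs, while a bare port match would be noise.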

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a banking trojan and loader with worm-like lateral movement. The extracted config above identifies this sample as version 404.46, botnet obama224.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). This is a generic sandbox heuristic whose stock wording points at ransomware; nothing in this trace shows encryption activity. The related "Enumerates connected drives" hit is attributed in the process tree to the WScript.exe process that launched E:\WP.vbs from a mounted drive, which is consistent with locating a staged script rather than with encrypting data.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Discovers systems in the same network 1 TTPs 1 IoCs
  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Modifies registry class 1 IoCs
  • NTFS ADS 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 41 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" C:\Users\Admin\AppData\Local\Temp\WP#3272.html
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1084
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" C:\Users\Admin\AppData\Local\Temp\WP#3272.html
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1388
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1388.0.1951694526\1410177173" -parentBuildID 20200403170909 -prefsHandle 1692 -prefMapHandle 1612 -prefsLen 1 -prefMapSize 220117 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1388 "\\.\pipe\gecko-crash-server-pipe.1388" 1792 gpu
        3⤵
        PID:1176
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1388.3.50820148\455962081" -childID 1 -isForBrowser -prefsHandle 1528 -prefMapHandle 2440 -prefsLen 112 -prefMapSize 220117 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1388 "\\.\pipe\gecko-crash-server-pipe.1388" 2368 tab
        3⤵
        PID:3376
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1388.13.315758764\1733898112" -childID 2 -isForBrowser -prefsHandle 2972 -prefMapHandle 2760 -prefsLen 897 -prefMapSize 220117 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1388 "\\.\pipe\gecko-crash-server-pipe.1388" 3024 tab
        3⤵
        PID:4428
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1388.20.321864617\1646043501" -childID 3 -isForBrowser -prefsHandle 3944 -prefMapHandle 3940 -prefsLen 7286 -prefMapSize 220117 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1388 "\\.\pipe\gecko-crash-server-pipe.1388" 3952 tab
        3⤵
        PID:4236
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3192
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "E:\WP.vbs"
    1⤵
    • Checks computer location settings
    • Enumerates connected drives
    PID:3432
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass metaphysic\\flag.ps1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4884
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\users\public\madamSmuggler.txt DrawThemeIcon
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:4704
        • C:\Windows\SysWOW64\wermgr.exe
          C:\Windows\SysWOW64\wermgr.exe
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:732
          • C:\Windows\SysWOW64\net.exe
            net view
            5⤵
            • Discovers systems in the same network
            PID:2608
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c set
            5⤵
            PID:4840
          • C:\Windows\SysWOW64\arp.exe
            arp -a
            5⤵
            PID:2396
          • C:\Windows\SysWOW64\ipconfig.exe
            ipconfig /all
            5⤵
            • Gathers network information
            PID:4680
          • C:\Windows\SysWOW64\nslookup.exe
            nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP
            5⤵
            PID:388
          • C:\Windows\SysWOW64\net.exe
            net share
            5⤵
            PID:1324
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 share
              6⤵
              PID:1316
          • C:\Windows\SysWOW64\route.exe
            route print
            5⤵
            PID:4216
          • C:\Windows\SysWOW64\netstat.exe
            netstat -nao
            5⤵
            • Gathers network information
            • Suspicious use of AdjustPrivilegeToken
            PID:3976
          • C:\Windows\SysWOW64\net.exe
            net localgroup
            5⤵
            PID:1848
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 localgroup
              6⤵
              PID:4752
          • C:\Windows\SysWOW64\whoami.exe
            whoami /all
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2820
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2692
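The tree above is the whole infection chain in one view: the HTML lure opened in Firefox, a script run from a mounted drive (E:\WP.vbs), PowerShell with -ExecutionPolicy Bypass, rundll32 loading a dropped module with a .txt extension by export name (DrawThemeIcon), and a wermgr.exe child that immediately fires a burst of host and network reconnaissance. The following detection logic is an added example for this report, not tria.ge code. It rebuilds the process events from the PIDs, images and command lines shown in the tree (a real deployment would read Sysmon Event ID 1 or EDR process-creation telemetry) and implements three checks a detection engineer would want: rundll32 loading a non-library extension, a recon burst under one parent, and wermgr.exe with an unexpected parent. The extension list, the recon utility set, the threshold of five children and the expectation that wermgr.exe is normally parented by svchost.exe are this example's assumptions.

```python
"""Detections for the Qakbot execution chain in the process tree above.

Added example for this report, not tria.ge code. EVENTS is constructed from
the tree shown on the page; DLL_EXTS, RECON, the threshold and the expected
wermgr.exe parent are assumptions of this example.
"""
import ntpath
import re
from collections import defaultdict

# (pid, ppid, image, command line) copied from the process tree. The Firefox
# and shell32 rundll32 entries are kept as benign controls.
EVENTS = [
    (1084, None, r"C:\Program Files\Mozilla Firefox\firefox.exe",
     r'"C:\Program Files\Mozilla Firefox\firefox.exe" C:\Users\Admin\AppData\Local\Temp\WP#3272.html'),
    (3192, None, r"C:\Windows\System32\rundll32.exe",
     r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"),
    (3432, None, r"C:\Windows\System32\WScript.exe", r'"C:\Windows\System32\WScript.exe" "E:\WP.vbs"'),
    (4884, 3432, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass metaphysic\\flag.ps1'),
    (4704, 4884, r"C:\Windows\SysWOW64\rundll32.exe",
     r'"C:\Windows\system32\rundll32.exe" C:\users\public\madamSmuggler.txt DrawThemeIcon'),
    (732, 4704, r"C:\Windows\SysWOW64\wermgr.exe", r"C:\Windows\SysWOW64\wermgr.exe"),
    (2608, 732, r"C:\Windows\SysWOW64\net.exe", "net view"),
    (4840, 732, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c set"),
    (2396, 732, r"C:\Windows\SysWOW64\arp.exe", "arp -a"),
    (4680, 732, r"C:\Windows\SysWOW64\ipconfig.exe", "ipconfig /all"),
    (388, 732, r"C:\Windows\SysWOW64\nslookup.exe",
     "nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP"),
    (1324, 732, r"C:\Windows\SysWOW64\net.exe", "net share"),
    (4216, 732, r"C:\Windows\SysWOW64\route.exe", "route print"),
    (3976, 732, r"C:\Windows\SysWOW64\netstat.exe", "netstat -nao"),
    (1848, 732, r"C:\Windows\SysWOW64\net.exe", "net localgroup"),
    (2820, 732, r"C:\Windows\SysWOW64\whoami.exe", "whoami /all"),
]

DLL_EXTS = {".dll", ".cpl", ".ocx", ".ax"}          # assumption: legitimate rundll32 modules
RECON = {"net.exe", "net1.exe", "arp.exe", "ipconfig.exe", "nslookup.exe",
         "route.exe", "netstat.exe", "whoami.exe", "systeminfo.exe"}  # assumption
_ARG = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline):
    """Minimal Windows-style argv split: quoted spans or whitespace-free runs."""
    return [q if q else u for q, u in _ARG.findall(cmdline)]


def rundll32_module(image, cmdline):
    """Module path rundll32 was asked to load, or None for other images."""
    if ntpath.basename(image).lower() != "rundll32.exe":
        return None
    args = split_cmdline(cmdline)[1:]
    return args[0].split(",", 1)[0] if args else None   # "lib.dll,Export" -> "lib.dll"


def non_dll_rundll32(events):
    """rundll32 loading a module whose extension is not a library type."""
    hits = []
    for pid, _ppid, image, cmdline in events:
        module = rundll32_module(image, cmdline)
        if module and ntpath.splitext(module)[1].lower() not in DLL_EXTS:
            hits.append((pid, module))
    return hits


def recon_bursts(events, min_children=5):
    """Parents that spawned at least min_children recon utilities."""
    image_of = {pid: image for pid, _ppid, image, _c in events}
    count = defaultdict(int)
    for _pid, ppid, image, _c in events:
        if ppid is not None and ntpath.basename(image).lower() in RECON:
            count[ppid] += 1
    return [(ppid, ntpath.basename(image_of[ppid]).lower(), n)
            for ppid, n in count.items() if n >= min_children]


def ancestry(events, pid):
    """Lower-cased image basenames from pid up to the root of its tree."""
    parent = {p: pp for p, pp, _i, _c in events}
    image_of = {p: i for p, _pp, i, _c in events}
    chain = []
    while pid in image_of:
        chain.append(ntpath.basename(image_of[pid]).lower())
        pid = parent[pid]
    return chain


def unexpected_wermgr_parent(events, expected=("svchost.exe",)):
    """wermgr.exe whose parent is not the expected service host (assumption);
    in this trace it is a child of the rundll32 that loaded the dropped module."""
    return [(pid, ancestry(events, pid)) for pid, ppid, image, _c in events
            if ntpath.basename(image).lower() == "wermgr.exe"
            and ppid is not None and ancestry(events, ppid)[0] not in expected]


if __name__ == "__main__":
    print("rundll32 non-DLL modules:", non_dll_rundll32(EVENTS))
    print("recon bursts:", recon_bursts(EVENTS))
    print("wermgr.exe with unexpected parent:", unexpected_wermgr_parent(EVENTS))
```

The module check is written so that the legitimate `shell32.dll,SHCreateLocalServerRunDll` invocation in the same tree does not fire, which is the false-positive case any rundll32 rule has to survive. The recon-burst rule counts only the direct children under one parent (the net1.exe helpers spawned by net.exe are grandchildren and are not counted), and the ancestry walk lets a responder print the full WScript → PowerShell → rundll32 → wermgr lineage for any flagged PID.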

Network

MITRE ATT&CK Enterprise v6

Downloads

• C:\Users\Public\madamSmuggler.txt

  Filesize

  577KB

  MD5

  66a6d4bb6da8d1683092f651421c028f

  SHA1

  81e7e9ecff5e59ce00829b4bb0a94ccc960b8b93

  SHA256

  14efc89f9a135724fe635e0ce4f61c871b27358bc9b64c7408ab81bffe446424

  SHA512

  bd0a002cc51d499b39d7bb7ae316d58df36c00bbcae2272ed2529274c67b6bb60a61f48484fae6804c392f18cf62bac10b968452b7498b0f099d6701e540c8c5

• C:\users\public\madamSmuggler.txt

  Filesize

  577KB

  MD5

  66a6d4bb6da8d1683092f651421c028f

  SHA1

  81e7e9ecff5e59ce00829b4bb0a94ccc960b8b93

  SHA256

  14efc89f9a135724fe635e0ce4f61c871b27358bc9b64c7408ab81bffe446424

  SHA512

  bd0a002cc51d499b39d7bb7ae316d58df36c00bbcae2272ed2529274c67b6bb60a61f48484fae6804c392f18cf62bac10b968452b7498b0f099d6701e540c8c5

• memory/732-151-0x0000000001200000-0x000000000122A000-memory.dmp

  Filesize

  168KB

• memory/732-150-0x0000000001200000-0x000000000122A000-memory.dmp

  Filesize

  168KB

• memory/4704-147-0x0000000001FE0000-0x000000000200A000-memory.dmp

  Filesize

  168KB

• memory/4704-149-0x0000000001FE0000-0x000000000200A000-memory.dmp

  Filesize

  168KB

• memory/4704-146-0x0000000001FB0000-0x0000000001FDD000-memory.dmp

  Filesize

  180KB

• memory/4884-133-0x0000000002E00000-0x0000000002E36000-memory.dmp

  Filesize

  216KB

• memory/4884-140-0x0000000006CE0000-0x0000000006CFA000-memory.dmp

  Filesize

  104KB

• memory/4884-142-0x0000000007E20000-0x00000000083C4000-memory.dmp

  Filesize

  5.6MB

• memory/4884-139-0x00000000077D0000-0x0000000007866000-memory.dmp

  Filesize

  600KB

• memory/4884-138-0x0000000005430000-0x000000000544E000-memory.dmp

  Filesize

  120KB

• memory/4884-134-0x0000000005B60000-0x0000000006188000-memory.dmp

  Filesize

  6.2MB

• memory/4884-135-0x00000000058E0000-0x0000000005902000-memory.dmp

  Filesize

  136KB

• memory/4884-137-0x00000000059F0000-0x0000000005A56000-memory.dmp

  Filesize

  408KB

• memory/4884-141-0x0000000006D50000-0x0000000006D72000-memory.dmp

  Filesize

  136KB

• memory/4884-136-0x0000000005980000-0x00000000059E6000-memory.dmp

  Filesize

  408KB