Resubmissions

05-12-2022 21:51

221205-1qkdasag75 10

05-12-2022 21:06

221205-zx2qgsah5z 10

Analysis

  • max time kernel
    510s
  • max time network
    512s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    05-12-2022 21:06

General

  • Target

    c0beb47f629a5debe0e99790d16a4d04afe786d6fb42c5ab6dfcaed84d86e7ad.msi

  • Size

    597KB

  • MD5

    13bd4a09264d6312d957d61d64e79f53

  • SHA1

    5ebf19ba1be83ad9e15991e76e509a57aaa9e9c0

  • SHA256

    c0beb47f629a5debe0e99790d16a4d04afe786d6fb42c5ab6dfcaed84d86e7ad

  • SHA512

    b7943be0b78a7de293b19e2b75a6b44bae34997c555e1a83a0064087d828616e601cc04cb8f13e6e44e8b9cb67fe2328b3826c8d31edf8cd5a74e9def710e582

  • SSDEEP

    12288:rZzDzxF3RR3sSRogrrYW4OH5IBwBZ3TzChsL4o1U:rZzDzvvRoCBH2WBJChsMo1U

Malware Config

Extracted

Family

qakbot

Version

403.573

Botnet

AA

Campaign

1649749884

C2

120.150.218.241:995

186.64.67.38:443

196.203.37.215:80

1.161.71.109:443

82.152.39.39:443

76.69.155.202:2222

72.66.116.235:995

103.107.113.120:443

113.11.89.165:995

208.107.221.224:443

103.88.226.30:443

75.99.168.194:443

75.113.214.234:2222

76.169.147.192:32103

190.73.3.148:2222

39.52.2.90:995

38.70.253.226:2222

5.95.58.211:2087

74.15.2.252:2222

76.70.9.169:2222

Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Blocklisted process makes network request 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 10 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\c0beb47f629a5debe0e99790d16a4d04afe786d6fb42c5ab6dfcaed84d86e7ad.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1444
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 03A5A7A085A82EB6BB46716EE5B0DFFC
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2004
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\SysWOW64\regsvr32.exe" C:\Users\Admin\AppData\Local\SetupTest\1.dll
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1716
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1512
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:892
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003BC" "0000000000000578"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1244

Network

MITRE ATT&CK Matrix ATT&CK v6

Discovery

  • Query Registry
    1 T1012
  • Peripheral Device Discovery
    1 T1120
  • System Information Discovery
    1 T1082

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB
    Filesize

    765B

    MD5

    6af6b6f4ae6196f189dddbc3359153d0

    SHA1

    a6b8bcd8d52bc78e6ab09a4691eb235bc342da76

    SHA256

    56843ed6f900a0b68969b73463c867953773db38d9070ad3f3bc9f17019199e4

    SHA512

    3ceab49c2e2ed4103e34f9174c69931dba4fd85442084ce37d7bd6bd829068e023f8dcba5f5cdc6c9f5633ab549d481cb322252b75ffd58ae316c273e70888e0

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    61KB

    MD5

    fc4666cbca561e864e7fdf883a9e6661

    SHA1

    2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

    SHA256

    10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

    SHA512

    c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_D2D3A37B25AAA89445E8EFE144391472
    Filesize

    637B

    MD5

    f65e6919f241c149d42e36d0e6751e12

    SHA1

    ed0f88a86d27ab339f1b5ac02dd8a01fdd969a0e

    SHA256

    6e31167e7da0fc7f95061a6ba9201fe52bcaf0e58bca6b22d3d2be857fff1a69

    SHA512

    3b02e7a213b3f625c942ec818a53dcb2c08916b3820991256d9c8168b9cccfa4193019e410ddae30ce52c1afacb3068421da1c0ffa506709673871a263c1bdfb

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
    Filesize

    1KB

    MD5

    c2e74c923e71f2331e4ac3e559feed88

    SHA1

    0dafbf3c9b11edb7a0c7d149f545b88004a951f8

    SHA256

    e2d1f43e63c1fda37b1c26cbeac110ad9edd19f6e3b337b616d57a6c0cb0c54c

    SHA512

    7ee607f0f947a04137c3849697ad5b8ca70b142d2cca8520c7b1f29e009369aff67528ccc01f8a64909bc250dbfcfbf7cbe3a42625a6320196f2f5b253ac9e71

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB
    Filesize

    484B

    MD5

    87c8627254a5c6185bdf73b0006e0a03

    SHA1

    bac75eb563cf4b72c1dc8f7510fc0086a0787da9

    SHA256

    3a23bb46e8f3feafd41b8d50b204d9c0554f6e4e4770e8a47d829ddca3ab6eaf

    SHA512

    b8ca37fb33df89f60db2bf6351c2f0ceebd9f461efce316c502378158665138e2ccc657edd30568a6391fc9c455bc2cbc8deb7475665671e4c490844fe6674bc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    5db142672c46c24ec1a3eb2c0924ee10

    SHA1

    41e3aed24e7c1aeb0c53a31bed301c651c9a4054

    SHA256

    9cfbc79fa4744efa4d25de6d298cca5ca769f36fcbd7f48ef882dc826d0c2c40

    SHA512

    89235195c46202442267a1308b4ce5d8f80c18dbb8e32f7d9d616b96f9918a7ce0df3941050ade897372952d5b71808c7a5b68f311e2f1e751960fc80a63a14e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEACCDA8653DD8D7B2EA32F21D15D44F_D2D3A37B25AAA89445E8EFE144391472
    Filesize

    488B

    MD5

    073c45fe16b7c283fdd22ce3d67a0b8b

    SHA1

    2bc57b1f3ae1f67c85b49e36da28399bf7ce2e2d

    SHA256

    6e4a7817ba2e7800ad016c6bcf392c296a7c39406cb36b8b81b3d7a70ef8897b

    SHA512

    ff09ac2eca3c9b5063af816c5d4e960957deb248928416f34bef814efb0645b0ded9f089caa404637941e34b5721b4b1bcb566c53aa04980c4c94c06de2a798f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
    Filesize

    482B

    MD5

    1e7bb7e1b214b7e5eee0dba98b532934

    SHA1

    d73982d16c95e1b3a87734919397ac6fd946094f

    SHA256

    5711988a4a6af026294cc168161fb9be628af2764b0ddc99c2686ad09db710c3

    SHA512

    e63b20fb0f232e4c1f22ad13b83c93fb65a5e494d96b40b5989721b9fb515788383a73f7db0cc905a829cb91228347950ac7bbe1e87d60e92cb0e3a0020be2b2

  • C:\Users\Admin\AppData\Local\SetupTest\1.dll
    Filesize

    716KB

    MD5

    726a41b2959768c5c3d2c7c213e6d0d8

    SHA1

    e28186bc0d771d20527b5f80757f4ee3f0ce442e

    SHA256

    6d8ef65670101ecf342152a34ae4b17784186759686c0e5eb631a9fa47315647

    SHA512

    4c349bc12d66be7abde0af38491ce082a9e13036db882bfaeff3ee6ede650c070b1c0f73bea18ae75d7eaff457436a04f0467d50c45c077162e63487cb5a7f34

  • \Users\Admin\AppData\Local\SetupTest\1.dll
    Filesize

    716KB

    MD5

    726a41b2959768c5c3d2c7c213e6d0d8

    SHA1

    e28186bc0d771d20527b5f80757f4ee3f0ce442e

    SHA256

    6d8ef65670101ecf342152a34ae4b17784186759686c0e5eb631a9fa47315647

    SHA512

    4c349bc12d66be7abde0af38491ce082a9e13036db882bfaeff3ee6ede650c070b1c0f73bea18ae75d7eaff457436a04f0467d50c45c077162e63487cb5a7f34

  • memory/1444-54-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp
    Filesize

    8KB

  • memory/1512-76-0x0000000000000000-mapping.dmp
  • memory/1512-78-0x0000000074BE1000-0x0000000074BE3000-memory.dmp
    Filesize

    8KB

  • memory/1512-79-0x0000000000180000-0x000000000020F000-memory.dmp
    Filesize

    572KB

  • memory/1512-80-0x0000000000180000-0x000000000020F000-memory.dmp
    Filesize

    572KB

  • memory/1716-66-0x0000000000000000-mapping.dmp
  • memory/1716-70-0x0000000010000000-0x000000001008F000-memory.dmp
    Filesize

    572KB

  • memory/2004-64-0x0000000000000000-mapping.dmp
  • memory/2004-65-0x0000000075D71000-0x0000000075D73000-memory.dmp
    Filesize

    8KB