Analysis

  • max time kernel
    600s
  • max time network
    603s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-12-2022 14:21

General

  • Target
    SCAN_WE2280.html
  • Size
    1.4MB
  • MD5
    54307d4ba06cdc14a22d67372a9b7fee
  • SHA1
    70a338410cbd7335366922bea140b98d5f63ed9b
  • SHA256
    c2b17bc002f4db968e771b34a64e74c5cb04ace0e7b16d5cf18382b5e2ad45d4
  • SHA512
    9653e0413bc9b2663e6e45d64d217e30a9e9f082dc4f0ff35634163ec92829182bb8b6cbff6efe63a2a2e40916bcb31891b92bc7b0d54328ac602d4cafbd3dbc
  • SSDEEP
    24576:4cEyMGTCmlO13OxIZGrntxnWZnj35DzcXbaY2YZTcwaw0Znj3Kp6:1B8eDnt5WZoOAa/ZW4

Malware Config

Extracted

  • Family
    qakbot
  • Version
    404.46
  • Botnet
    azd
  • Campaign
    1670585059
  • C2

Attributes

  • salt
    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot
    Qbot or Qakbot is a sophisticated worm with banking capabilities.
  • Enumerates connected drives (3 TTPs, 1 IoC)
    Attempts to read the root path of hard drives other than the default C: drive.
  • Checks processor information in registry (2 TTPs, 5 IoCs)
    Processor information is often read in order to detect sandboxing environments.
  • Discovers systems in the same network (1 TTP, 1 IoC)
  • Gathers network information (2 TTPs, 2 IoCs)
    Uses command-line utility to view network configuration.
  • Modifies Internet Explorer Phishing Filter (1 TTP, 2 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 32 IoCs)
  • Modifies registry class (1 IoC)
  • NTFS ADS (1 IoC)
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: MapViewOfSection (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (36 IoCs)
  • Suspicious use of FindShellTrayWindow (6 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of SetWindowsHookEx (10 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\SCAN_WE2280.html
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:820
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:820 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2988
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3776
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2144
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2144.0.443671055\1516324930" -parentBuildID 20200403170909 -prefsHandle 1724 -prefMapHandle 1716 -prefsLen 1 -prefMapSize 220117 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2144 "\\.\pipe\gecko-crash-server-pipe.2144" 1796 gpu
        3⤵
        PID:3944
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2144.3.2118457887\509526952" -childID 1 -isForBrowser -prefsHandle 2244 -prefMapHandle 2248 -prefsLen 112 -prefMapSize 220117 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2144 "\\.\pipe\gecko-crash-server-pipe.2144" 2468 tab
        3⤵
        PID:4424
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2144.13.1116275841\11846297" -childID 2 -isForBrowser -prefsHandle 3668 -prefMapHandle 3648 -prefsLen 6894 -prefMapSize 220117 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2144 "\\.\pipe\gecko-crash-server-pipe.2144" 3652 tab
        3⤵
        PID:4080
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2144.20.552976513\897917464" -childID 3 -isForBrowser -prefsHandle 4768 -prefMapHandle 2992 -prefsLen 7822 -prefMapSize 220117 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2144 "\\.\pipe\gecko-crash-server-pipe.2144" 4740 tab
        3⤵
        PID:4996
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:376
  • C:\Program Files\7-Zip\7zG.exe
    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\attachment\" -spe -an -ai#7zMap2979:82:7zEvent17931
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2896
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c YouNewRules\NewIssues.cmd A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
    1⤵
    • Enumerates connected drives
    PID:4632
    • C:\Windows\system32\rundll32.exe
      rundll32 /s newinvoice.patch,DrawThemeIcon
      2⤵
      PID:1252
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32 /s newinvoice.patch,DrawThemeIcon
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:3980
        • C:\Windows\SysWOW64\wermgr.exe
          C:\Windows\SysWOW64\wermgr.exe
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4540
          • C:\Windows\SysWOW64\net.exe
            net view
            5⤵
            • Discovers systems in the same network
            PID:260
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c set
            5⤵
            PID:2172
          • C:\Windows\SysWOW64\arp.exe
            arp -a
            5⤵
            PID:4072
          • C:\Windows\SysWOW64\ipconfig.exe
            ipconfig /all
            5⤵
            • Gathers network information
            PID:4908
          • C:\Windows\SysWOW64\nslookup.exe
            nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP
            5⤵
            PID:204
          • C:\Windows\SysWOW64\net.exe
            net share
            5⤵
            PID:796
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 share
              6⤵
              PID:1652
          • C:\Windows\SysWOW64\route.exe
            route print
            5⤵
            PID:2112
          • C:\Windows\SysWOW64\netstat.exe
            netstat -nao
            5⤵
            • Gathers network information
            • Suspicious use of AdjustPrivilegeToken
            PID:2080
          • C:\Windows\SysWOW64\net.exe
            net localgroup
            5⤵
            PID:1492
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 localgroup
              6⤵
              PID:1032
          • C:\Windows\SysWOW64\whoami.exe
            whoami /all
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1888
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1380

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution
    • Command-Line Interface (T1059): 1
  • Defense Evasion
    • Modify Registry (T1112): 2
  • Discovery
    • Query Registry (T1012): 2
    • Peripheral Device Discovery (T1120): 1
    • System Information Discovery (T1082): 3
    • Remote System Discovery (T1018): 1

Downloads

  • C:\Users\Admin\Downloads\attachment.zip
    Filesize
    425KB
    MD5
    c90e12c5fd0061ee08dbfedc3d76c5a6
    SHA1
    1ab2ef0696d03ecb69c8d3e780607649b21bd01f
    SHA256
    fda7ee3a400614bda8238a61d0f93c883329cf9b8912873b2c60d8f5c9deaea0
    SHA512
    2c944fa035d7fe034ed82621aac90cad148e009e6db2b6e098531d3e66f8726a2ef50ef030a9bbfc89ebf78493497d94330d227926ca4cdef6ac74bb17ea43c9