Resubmissions

20/12/2022, 14:04

221220-rdrgeach8z 10

20/12/2022, 13:54

221220-q7t9qach6w 3

Analysis

  • max time kernel
    300s
  • max time network
    191s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/12/2022, 14:04

General

  • Target

    Summary_7566182_12202022.img

  • Size

    1.6MB

  • MD5

    f6f3320f5b8fb43eb56810ddbf392b32

  • SHA1

    5985f18fcee5044f2c7f4a5852aeb7538a57188f

  • SHA256

    09dede775ba5d3440038634552e44061c779a531139b685610972a76f2a78ca1

  • SHA512

    8a3749384491d9e52b733c81ea8bb12aac2959f7642ccff4829baf7d8c7aec7f06c5a640fbb5d46b7a533eb5a0db52705bd37cf65453068eb5d4f1857edb096b

  • SSDEEP

    6144:8sK8UXXfATbrOQBOs5QpxL66KiHpKlVfvBPA3BKyDGQVu/QNUWxk:8sK8UXXwrMyzPVpPqtGCuoN2

Malware Config

Extracted

Family

qakbot

Version

404.46

Botnet

BB11

Campaign

1671442875

C2
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Summary_7566182_12202022.img
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:3180
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2352
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" \Nlsdl.dat,DrawThemeIcon
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4068
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" \Nlsdl.dat,DrawThemeIcon
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4332
        • C:\Windows\SysWOW64\wermgr.exe
          C:\Windows\SysWOW64\wermgr.exe
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2092

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • memory/2092-137-0x00000000008E0000-0x000000000090A000-memory.dmp

      Filesize

      168KB

    • memory/2092-138-0x00000000008E0000-0x000000000090A000-memory.dmp

      Filesize

      168KB

    • memory/4332-133-0x0000000002EE0000-0x0000000002F53000-memory.dmp

      Filesize

      460KB

    • memory/4332-134-0x0000000002F90000-0x0000000002FBA000-memory.dmp

      Filesize

      168KB

    • memory/4332-136-0x0000000002F90000-0x0000000002FBA000-memory.dmp

      Filesize

      168KB