Analysis

  • max time kernel
    103s
  • max time network
    92s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/12/2022, 12:19

General

  • Target

    grogramFlavorous.iso

  • Size

    3.9MB

  • MD5

    fc823731e692d229cb4ed7694108c8a3

  • SHA1

    b0ef3dba3899f1a15f2a8565ec1f4feb6199cb86

  • SHA256

    56ad587663f0a2714b1ae8187f1b1a1330f8ba8c46066967035e9588131cc3b0

  • SHA512

    d2492d755298a1a07719d364bf522a69fd9fc97793501e2799ddc1e27321a6f4db93bc393ba5a3bcd1a94540edebc48621f84a01d6a576edcf9c2c3365fef375

  • SSDEEP

    49152:yegKpXN707cQsDRm+wl40tjevzXqV/LURRrxXF1MptNHWbfFm4xI/ac+kf:Cem/

Malware Config

Extracted

Family

qakbot

Version

404.62

Botnet

BB11

Campaign

1671561386

C2

184.68.116.146:3389

92.189.214.236:2222

73.29.92.128:443

92.239.81.124:443

47.203.227.114:443

199.83.165.233:443

12.172.173.82:995

12.172.173.82:50001

136.244.25.165:443

37.15.128.31:2222

91.96.249.3:443

92.27.86.48:2222

75.156.125.215:995

93.147.134.85:443

86.176.246.195:2222

89.129.109.27:2222

70.55.120.16:2222

50.67.17.92:443

78.92.133.215:443

190.100.149.122:995

Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot (Qakbot) is a banking trojan and malware loader with worm-like lateral-movement capabilities. The extracted configuration for this sample (version 404.62, botnet BB11, campaign 1671561386) and its C2 list are given under Malware Config above.

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 3 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). This is a generic heuristic that the sandbox labels as likely ransomware behaviour; in this run the drive access is consistent with the payload executing from the mounted ISO (E:\ginglmiYarovized.cmd), and no file-encryption activity is reported elsewhere in this analysis.

  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\grogramFlavorous.iso
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:4572
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2724
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""E:\ginglmiYarovized.cmd" "
      1⤵
      • Enumerates connected drives
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        2⤵
          PID:452
        • C:\Windows\system32\xcopy.exe
          xcopy C:\Windows\\\\\\system32\\\\\\wscript.exe C:\Users\Admin\AppData\Local\Temp\Unbrokenness.exe /h /s /e
          2⤵
            PID:3656
          • C:\Users\Admin\AppData\Local\Temp\Unbrokenness.exe
            C:\Users\Admin\AppData\Local\Temp\Unbrokenness.exe Hohokam\UndeceptivelyEmotiomotor.wsf
            2⤵
            • Executes dropped EXE
            • Checks computer location settings
            • Enumerates connected drives
            • Suspicious use of WriteProcessMemory
            PID:3544
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C \Hohokam\brambleberries\sniffling.cmd
              3⤵
              • Enumerates connected drives
              • Suspicious use of WriteProcessMemory
              PID:1648
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo f"
                4⤵
                  PID:2356
                • C:\Windows\system32\xcopy.exe
                  xcopy C:\Windows\\\\\\system32\\\\\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\ginglmiYarovized.exe /h /s /e
                  4⤵
                    PID:4736
                  • C:\Users\Admin\AppData\Local\Temp\ginglmiYarovized.exe
                    C:\Users\Admin\AppData\Local\Temp\ginglmiYarovized.exe c:\\users\\public\\opisthocomidae.dll, Updt
                    4⤵
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:3652
                    • C:\Windows\SysWOW64\rundll32.exe
                      C:\Users\Admin\AppData\Local\Temp\ginglmiYarovized.exe c:\\users\\public\\opisthocomidae.dll, Updt
                      5⤵
                      • Loads dropped DLL
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious behavior: MapViewOfSection
                      • Suspicious use of WriteProcessMemory
                      PID:3296
                      • C:\Windows\SysWOW64\wermgr.exe
                        C:\Windows\SysWOW64\wermgr.exe
                        6⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:4364
                  • C:\Windows\system32\PING.EXE
                    ping 210.125.188.173
                    4⤵
                    • Runs ping.exe
                    PID:3356
              • C:\Windows\system32\PING.EXE
                ping 201.223.204.2
                2⤵
                • Runs ping.exe
                PID:3076
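The process tree above is the detection-relevant part of this report: a script host and rundll32 are copied out of System32 into %TEMP% under random names (note the padded backslashes in the xcopy source paths), the renamed rundll32 loads a DLL from C:\Users\Public via the `dll, Export` syntax, and the resulting rundll32 child spawns a bare wermgr.exe, which the MapViewOfSection and WriteProcessMemory signatures mark as the injection target. The following is an added example, not part of the sandbox report: it replays constructed Sysmon Event ID 1-style process-creation records built from the command lines shown in the tree and applies five heuristics to them. The record schema, rule names, path markers and the empty parent for PID 2724 (not shown in the report) are assumptions.

```python
"""Detection heuristics for the LOLBin-copy chain in the report above.

Added example, not part of the sandbox report. Record schema (pid, parent
image, image, command line), rule names and path markers are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    parent_image: str
    image: str
    command_line: str


LOLBINS = {"wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"}
COPY_TOOLS = {"copy", "xcopy", "xcopy.exe", "robocopy", "robocopy.exe"}
SCRIPT_EXTS = (".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\users\\public\\", "\\appdata\\local\\temp\\", "c:\\programdata\\")
DLL_EXPORT_RE = re.compile(r"(\S+\.dll)\s*,\s*#?\w+")  # rundll32-style "path.dll,Export"


def norm(s: str) -> str:
    """Lower-case and collapse backslash runs (the sample pads its xcopy source
    paths with repeated backslashes, which defeats exact-string rules)."""
    return re.sub(r"\\+", r"\\", s).strip().lower()


def basename(path: str) -> str:
    return norm(path).strip('"').rsplit("\\", 1)[-1]


def first_token(cmd: str) -> str:
    """Program path of a normalised command line, honouring a quoted first token."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ""


def in_system_dir(path: str) -> bool:
    return norm(path).startswith(SYSTEM_DIRS)


def in_user_writable(path: str) -> bool:
    p = norm(path)
    return any(marker in p for marker in USER_WRITABLE)


def detect(ev: ProcEvent) -> List[str]:
    """Return the names of the rules that fire for one process-creation event."""
    hits: List[str] = []
    cmd = norm(ev.command_line)
    img, parent = basename(ev.image), basename(ev.parent_image)
    prog, tokens = first_token(cmd), cmd.split()

    # 1. A script host or rundll32 copied out of System32 into a user-writable directory.
    if basename(prog) in COPY_TOOLS:
        args = [t.strip('"') for t in tokens[1:] if not t.startswith("/")]
        if (len(args) >= 2 and basename(args[0]) in LOLBINS
                and in_system_dir(args[0]) and in_user_writable(args[1])):
            hits.append(f"lolbin_copy:{basename(args[0])}")

    # 2. Image is a LOLBin but the command line names another program: a renamed copy
    #    is running (the SysWOW64\rundll32.exe child launched as ginglmiYarovized.exe).
    if img in LOLBINS and prog and basename(prog) != img:
        hits.append(f"renamed_lolbin:{img} as {basename(prog)}")

    # 3. "dll,Export" load of a DLL from a user-writable path, whatever the host is called.
    m = DLL_EXPORT_RE.search(cmd)
    if m and in_user_writable(m.group(1)):
        hits.append(f"user_dll_export_load:{basename(m.group(1))}")

    # 4. An executable in a user-writable path handed a script file (renamed wscript.exe).
    if in_user_writable(prog) and any(t.strip('"').endswith(SCRIPT_EXTS) for t in tokens[1:]):
        hits.append("user_exe_runs_script")

    # 5. wermgr.exe started by a LOLBin: the injection target seen in the tree.
    if img == "wermgr.exe" and parent in LOLBINS:
        hits.append(f"wermgr_from_{parent}")
    return hits


def scan(events) -> Dict[int, List[str]]:
    return {ev.pid: detect(ev) for ev in events}


# Constructed from the report's process tree (the parent of PID 2724 is not shown there).
SAMPLE_EVENTS = [
    ProcEvent(2724, "", r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"),
    ProcEvent(3656, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\xcopy.exe",
              r"xcopy C:\Windows\\\\\\system32\\\\\\wscript.exe C:\Users\Admin\AppData\Local\Temp\Unbrokenness.exe /h /s /e"),
    ProcEvent(3544, r"C:\Windows\system32\cmd.exe", r"C:\Users\Admin\AppData\Local\Temp\Unbrokenness.exe",
              r"C:\Users\Admin\AppData\Local\Temp\Unbrokenness.exe Hohokam\UndeceptivelyEmotiomotor.wsf"),
    ProcEvent(4736, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\xcopy.exe",
              r"xcopy C:\Windows\\\\\\system32\\\\\\rundll32.exe C:\Users\Admin\AppData\Local\Temp\ginglmiYarovized.exe /h /s /e"),
    ProcEvent(3652, r"C:\Windows\system32\cmd.exe", r"C:\Users\Admin\AppData\Local\Temp\ginglmiYarovized.exe",
              r"C:\Users\Admin\AppData\Local\Temp\ginglmiYarovized.exe c:\\users\\public\\opisthocomidae.dll, Updt"),
    ProcEvent(3296, r"C:\Users\Admin\AppData\Local\Temp\ginglmiYarovized.exe", r"C:\Windows\SysWOW64\rundll32.exe",
              r"C:\Users\Admin\AppData\Local\Temp\ginglmiYarovized.exe c:\\users\\public\\opisthocomidae.dll, Updt"),
    ProcEvent(4364, r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\SysWOW64\wermgr.exe",
              r"C:\Windows\SysWOW64\wermgr.exe"),
    ProcEvent(3356, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\PING.EXE", "ping 210.125.188.173"),
]

if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS).items():
        print(pid, rules or "-")
```

Rules 2 and 3 are the ones worth carrying into production: rule 2 needs the true image path (or the PE OriginalFileName) rather than the command line, which is exactly what a renamed copy lies about, and rule 3 fires on the command-line shape alone, so it catches the Temp-resident rundll32 copy before any image/command-line mismatch is visible. The legitimate `SHCreateLocalServerRunDll` invocation of shell32.dll (PID 2724) and the ping (PID 3356) produce no hits.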

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\Unbrokenness.exe

              Filesize

              166KB

              MD5

              a47cbe969ea935bdd3ab568bb126bc80

              SHA1

              15f2facfd05daf46d2c63912916bf2887cebd98a

              SHA256

              34008e2057df8842df210246995385a0441dc1e081d60ad15bd481e062e7f100

              SHA512

              f5c81e6dc4d916944304fc85136e1ff6dee29a21e50a54fe6280a475343eccbfe094171d62475db5f38e07898c061126158c34d48b9d8f4f57f76d49e564e3fc

            • C:\Users\Admin\AppData\Local\Temp\ginglmiYarovized.exe

              Filesize

              70KB

              MD5

              ef3179d498793bf4234f708d3be28633

              SHA1

              dd399ae46303343f9f0da189aee11c67bd868222

              SHA256

              b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa

              SHA512

              02aff154762d7e53e37754f878ce6aa3f4df5a1eb167e27f13d9762dced32bec892bfa3f3314e3c6dce5998f7d3c400d7d0314b9326eedcab72207c60b3d332e

            • C:\Users\Public\opisthocomidae.dll (also reported under the NT path \??\c:\users\public\opisthocomidae.dll)

              Filesize

              2.7MB

              MD5

              1b09c2ef150fb641124492f3f34374d9

              SHA1

              ec6e5c381326bbd2908e6a8a55264aa0fc9c293c

              SHA256

              b6ef564310bbbdfc8d8aaf35dc5e99c257fc5a67a2f0aa9fb786b3b199620c00

              SHA512

              9372a5d196f09e5303a4109acd6e06910508a762cc168233b16417f8d65ed6ef2a1f511135d0866614a4e1c433c063f3221760487eb5da11c9ae72ee765ff7ed

            • memory/3296-150-0x0000000002760000-0x000000000278A000-memory.dmp

              Filesize

              168KB

            • memory/3296-147-0x00000000026E0000-0x0000000002753000-memory.dmp

              Filesize

              460KB

            • memory/3296-148-0x0000000002760000-0x000000000278A000-memory.dmp

              Filesize

              168KB

            • memory/4364-152-0x0000000000830000-0x000000000085A000-memory.dmp

              Filesize

              168KB

            • memory/4364-153-0x0000000000830000-0x000000000085A000-memory.dmp

              Filesize

              168KB