Resubmissions

26/12/2022, 16:35

221226-t3qyaagd2y 1

26/12/2022, 07:03

221226-hvbmvafg2x 10

Analysis

  • max time kernel
    162s
  • max time network
    157s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    26/12/2022, 07:03

General

  • Target

    DCIM 2213433 (1).html

  • Size

    324KB

  • MD5

    853fd4b573c8edff78b8204d7a6681bc

  • SHA1

    859529d1769f5b7f4faa41541b80be1ee2809ee3

  • SHA256

    5b401b8c6cd16f30343f881d961b8b0d8db5de67c1edfd72a6ac067549948249

  • SHA512

    a351a9088ecf2eb5b04fae901497301eb937694577d3adc830ef9119edb96817f83060236971f70cab26f936a1fffa5db8a238a7ae7fb3a6c9c38556a06fc443

  • SSDEEP

    6144:R7fHlcXOXuQgW9PDWBEirw1anCzg8rldx6/0HluKZDiiHuMy5wgNzc:RxFXuE9GkY8rlae4KLHuME1o

Malware Config

Extracted

Family

qakbot

Version

404.52

Botnet

obama227

Campaign

1670928929

C2

27.109.19.90:2078

108.44.207.232:443

156.220.0.161:993

77.86.98.236:443

23.242.141.218:2222

108.162.6.34:443

73.223.248.31:443

217.43.16.149:443

91.178.75.146:2222

193.251.52.34:2222

86.165.15.180:2222

73.36.196.11:443

24.228.132.224:2222

86.98.23.199:443

176.151.15.101:443

70.55.120.16:2222

181.164.194.223:443

69.133.162.35:443

92.154.17.149:2222

184.68.116.146:61202

Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Checks SCSI registry key(s) (3 TTPs, 64 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry (2 TTPs, 5 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer Phishing Filter (1 TTPs, 2 IoCs)
  • Modifies Internet Explorer settings (1 TTPs, 49 IoCs)
  • Modifies data under HKEY_USERS (2 IoCs)
  • Modifies registry class (1 IoCs)
  • NTFS ADS (1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: MapViewOfSection (3 IoCs)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of FindShellTrayWindow (5 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of SetWindowsHookEx (29 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\DCIM 2213433 (1).html"
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2496
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2496 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2788
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3468
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:792
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="792.0.737918481\2116001546" -parentBuildID 20200403170909 -prefsHandle 1524 -prefMapHandle 1516 -prefsLen 1 -prefMapSize 219938 -appdir "C:\Program Files\Mozilla Firefox\browser" - 792 "\\.\pipe\gecko-crash-server-pipe.792" 1624 gpu
        3⤵
          PID:4256
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="792.3.2104103950\1854636238" -childID 1 -isForBrowser -prefsHandle 2020 -prefMapHandle 2004 -prefsLen 156 -prefMapSize 219938 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 792 "\\.\pipe\gecko-crash-server-pipe.792" 2156 tab
          3⤵
            PID:5108
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="792.13.179639219\618611813" -childID 2 -isForBrowser -prefsHandle 3216 -prefMapHandle 3284 -prefsLen 6938 -prefMapSize 219938 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 792 "\\.\pipe\gecko-crash-server-pipe.792" 3296 tab
            3⤵
              PID:4564
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="792.20.1777098363\2047863352" -childID 3 -isForBrowser -prefsHandle 4164 -prefMapHandle 3772 -prefsLen 7942 -prefMapSize 219938 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 792 "\\.\pipe\gecko-crash-server-pipe.792" 4384 tab
              3⤵
                PID:4712
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:212
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
    1⤵
    • Checks SCSI registry key(s)
    • Modifies data under HKEY_USERS
    PID:4056
  • C:\Windows\System32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" \desktop.dat,qqqq
    1⤵
    PID:4832
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" \desktop.dat,qqqq
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:4848
      • C:\Windows\SysWOW64\wermgr.exe
        C:\Windows\SysWOW64\wermgr.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3016
  • C:\Windows\System32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" \desktop.dat,qqqq
    1⤵
    PID:876
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" \desktop.dat,qqqq
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:4404
      • C:\Windows\SysWOW64\wermgr.exe
        C:\Windows\SysWOW64\wermgr.exe
        3⤵
        PID:1528
  • C:\Windows\System32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" \desktop.dat,qqqq
    1⤵
    PID:1068
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" \desktop.dat,qqqq
      2⤵
      • Suspicious behavior: MapViewOfSection
      PID:3844
      • C:\Windows\SysWOW64\wermgr.exe
        C:\Windows\SysWOW64\wermgr.exe
        3⤵
        PID:3824

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 471B
    MD5: b373d75a1062fd2158e3d68dab288e35
    SHA1: e99d234b133ae945c8e272f2df62f774cbfa51a2
    SHA256: a67e5caae4c6dae06ba77fc7116868376e2fffddabda276864e6b37b696502de
    SHA512: c0b916b9766e8224cb7ad17db485de23325754cfa4e464b670fe8b4b61c95bcb60e12891bc46bc935c3ab4022deca3ddbfb57e321186dda3a5f21522d622ac0a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 404B
    MD5: f7458b51f906f46d989493532f17773b
    SHA1: 644c7dcefecc1710bc3a461130519e9d4d53854d
    SHA256: 5196ff4d7cceea8c8a04ebe08960e8e79af2f2766c5cb94ff2ed873e3da7978d
    SHA512: beeb88146ba92cf40709d021d8f1e343609313986f32c3ca98b36031cf3ce1e3c8d76f6b9d1bceba7e3c221be0460d95cf343a6ade5e0fb5c470bf08bd66fcd6

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\B5VMA20I.cookie
    Filesize: 615B
    MD5: d4bbaeb877e40befdb1319e1210df223
    SHA1: a0f166b8b84faa487d963af79abcb4eb0842798a
    SHA256: 4499f03d1ac6523d1738f5c5aea14292c4ce44e1f60580701627cf899438a228
    SHA512: b237278b459c7ac9fcd8e212c2cdbbda60b904e9ec62d4a385f9ad4d18cdd8b60347e3b845996801d10a612ac1b51f26bdb33b1496cdd43124d5a699d043bbab

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\KJK70I44.cookie
    Filesize: 615B
    MD5: 7f9b90eb6711f30952798e836d2208c3
    SHA1: ac808cceeb3cce71d426a4f484beb70b9ea68f95
    SHA256: 583756e1c6918d16864d93c00670588a2143a17da46225ed22df95c6e8dc6473
    SHA512: c6fbd401365b5794f4f9c7366b5cc3fb4de20393f8b6d1b0201ce4235442ae34ec0cb14c747cdb499c5fe623bfb01029437ebf42c232a4604bac08ba4ac95aba

  • \??\pipe\chrome.792.10.55065980
    Filesize: 348B
    MD5: 4c17b239c4e95df8082cc33bca3c46c1
    SHA1: 7ff0f8373e5f5c176cd680b5d16fa371acc01bd8
    SHA256: 393c6b34a888d9607aad45a620e472016dea800c443be78ef175097fa8261cf9
    SHA512: b9ed54d1e93c7c8cf55b90d5b73a4697b025fd81db7e93c76e794af3532da6c055b96f81cb2a7d2342880c191e17a887be06795dad578f8839b3456f43d874a5

  • memory/1528-341-0x00000000006F0000-0x000000000071A000-memory.dmp
    Filesize: 168KB

  • memory/3016-239-0x0000000000820000-0x000000000084A000-memory.dmp
    Filesize: 168KB

  • memory/3016-184-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/3016-183-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/3016-182-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/3016-238-0x0000000000820000-0x000000000084A000-memory.dmp
    Filesize: 168KB

  • memory/3016-187-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/3016-186-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/3016-185-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/3824-443-0x0000000003000000-0x000000000302A000-memory.dmp
    Filesize: 168KB

  • memory/4848-151-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-159-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-135-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-136-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-137-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-138-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-139-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-140-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-141-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-142-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-143-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-144-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-145-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-146-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-147-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-149-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-148-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-150-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-133-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-152-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-153-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-154-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-155-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-157-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-156-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-158-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-160-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-134-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-161-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-162-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-164-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-163-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-165-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-166-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-167-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-168-0x00000000027E1000-0x00000000027FA000-memory.dmp
    Filesize: 100KB

  • memory/4848-169-0x00000000027E0000-0x000000000280A000-memory.dmp
    Filesize: 168KB

  • memory/4848-173-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-174-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-175-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-176-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-132-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-131-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-129-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-130-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-128-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-127-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-126-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-125-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-124-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-123-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-177-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-178-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-179-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB

  • memory/4848-180-0x0000000077580000-0x000000007770E000-memory.dmp
    Filesize: 1.6MB