Resubmissions

03/01/2023, 22:21

230103-19zbkadb27 10

03/01/2023, 21:37

230103-1ggaaagc4v 3

20/12/2022, 21:04

221220-zwk2caec3s 10

20/12/2022, 20:57

221220-zrtgxsec2x 10

20/12/2022, 19:58

221220-ypwzlaah56 10

20/12/2022, 19:49

221220-yjtx2sea5z 3

Analysis

  • max time kernel
    1800s
  • max time network
    1768s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/01/2023, 22:21

General

  • Target

    DocumentsFolder 9790038 12202022.img

  • Size

    2.3MB

  • MD5

    9c48a4a759736c484133d5f0b7f8fb6b

  • SHA1

    f3789ccf422731acd0267c6401b48f7369942e9a

  • SHA256

    d11c02eedbdce883293bc676d4f635357ab3dab76ccc4c3d100c73e41e1e7a65

  • SHA512

    276f572e8e835b5a4425b169bfa0bf12844692747c61fbbcfc3417f5be27cc7b157086808208493ac3c7ed9bda1359e17fefb0e21e8ac0d139e729ea79d36063

  • SSDEEP

    24576:MKbbqQlRH90zhBs7tl+vJtzsJPwfwXR1F0yvc8NTmIg9EcjZdFkz:MKXqQz901gcDsJPwfwXfFxvFnQ

Malware Config

Extracted

Family

qakbot

Version

404.60

Botnet

obama231

Campaign

1671537480

C2

181.118.206.65:995

83.110.95.209:995

147.148.234.231:2222

93.156.97.50:443

217.128.200.114:2222

76.11.14.249:443

80.98.132.66:443

175.139.130.191:2222

27.99.45.237:2222

72.200.109.104:443

184.153.132.82:443

92.148.54.239:2222

90.119.197.132:2222

86.96.75.237:2222

199.83.165.233:443

12.172.173.82:995

12.172.173.82:50001

37.15.128.31:2222

86.99.15.254:2222

91.96.249.3:443

Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP
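The configuration block above gives the botnet tag, version, campaign value and twenty C2 endpoints. The following is an added example, not code from the sandbox or from the report, that turns those values into indicators a SOC can act on: it validates and de-duplicates the C2 list, decodes the campaign value as a Unix timestamp (the usual reading of that field; treated as an assumption here), summarises the ports in use, and emits Suricata rules. The rule template and the SIDs (placeholders in the local-rules range) are assumptions too.

```python
"""Normalise the extracted Qakbot configuration above into indicators.
Added example; not code from the sandbox or the report.  The C2 list,
botnet tag, version and campaign value are copied from the page.
Reading the campaign value as epoch seconds is the usual interpretation
of that field and is an assumption here, as are the Suricata rule
template and the local SID range."""
from collections import Counter
from datetime import datetime, timezone
import ipaddress

CONFIG = {
    "family": "qakbot", "version": "404.60", "botnet": "obama231",
    "campaign": 1671537480,
    "c2": """
        181.118.206.65:995 83.110.95.209:995 147.148.234.231:2222 93.156.97.50:443
        217.128.200.114:2222 76.11.14.249:443 80.98.132.66:443 175.139.130.191:2222
        27.99.45.237:2222 72.200.109.104:443 184.153.132.82:443 92.148.54.239:2222
        90.119.197.132:2222 86.96.75.237:2222 199.83.165.233:443 12.172.173.82:995
        12.172.173.82:50001 37.15.128.31:2222 86.99.15.254:2222 91.96.249.3:443
    """,
}


def parse_c2(text):
    """Parse whitespace-separated ip:port tokens into (ip, port) tuples.
    Rejects anything that is not a valid IPv4 address plus TCP port and
    drops exact duplicates while preserving the config's order."""
    seen, out = set(), []
    for tok in text.split():
        host, sep, port = tok.rpartition(":")
        if not sep:
            raise ValueError(f"no port in {tok!r}")
        ip = str(ipaddress.IPv4Address(host))      # raises on malformed input
        p = int(port)
        if not 0 < p < 65536:
            raise ValueError(f"bad port in {tok!r}")
        if (ip, p) not in seen:
            seen.add((ip, p))
            out.append((ip, p))
    return out


def campaign_time(campaign):
    """Campaign value as UTC datetime: 1671537480 -> 2022-12-20 11:58 UTC,
    which matches the 12202022 date embedded in the lure's filename."""
    return datetime.fromtimestamp(int(campaign), tz=timezone.utc)


def port_histogram(c2):
    """Which destination ports the botnet favours; useful for egress review."""
    return Counter(p for _, p in c2)


def hosts_with_multiple_ports(c2):
    """Hosts listed on more than one port (often a fallback listener)."""
    ports = {}
    for ip, p in c2:
        ports.setdefault(ip, []).append(p)
    return {ip: sorted(ps) for ip, ps in ports.items() if len(ps) > 1}


def is_c2(ip, port, c2):
    """Exact ip:port match against the config, for flow-log triage."""
    return (ip, int(port)) in set(c2)


def suricata_rules(c2, botnet, sid_base=1000001):
    """One rule per C2 endpoint.  sid_base is a placeholder in the
    local-rules range; assign real SIDs from your own allocation."""
    tmpl = ('alert tcp $HOME_NET any -> {ip} {port} (msg:"Qakbot {botnet} C2 '
            '{ip}:{port}"; flow:to_server; sid:{sid}; rev:1;)')
    return [tmpl.format(ip=ip, port=port, botnet=botnet, sid=sid_base + i)
            for i, (ip, port) in enumerate(c2)]


def summary(cfg=CONFIG):
    c2 = parse_c2(cfg["c2"])
    return {
        "botnet": cfg["botnet"],
        "version": cfg["version"],
        "campaign_utc": campaign_time(cfg["campaign"]).isoformat(),
        "c2_count": len(c2),
        "ports": dict(port_histogram(c2)),
        "multi_port_hosts": hosts_with_multiple_ports(c2),
        "rules": suricata_rules(c2, cfg["botnet"]),
    }


if __name__ == "__main__":
    s = summary()
    print(s["campaign_utc"], s["c2_count"], s["ports"], s["multi_port_hosts"])
    print("\n".join(s["rules"][:3]))
```

Note that 12.172.173.82 is listed twice, on 995 and on 50001, so a blocklist keyed on address alone would cover it while a port-scoped rule set needs both entries; `parse_c2` keeps both because they are distinct (ip, port) pairs.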

Signatures

  • Qakbot/Qbot

    Qbot (Qakbot) is a modular banking trojan and loader with worm-like lateral-movement capabilities.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox flags this as possible ransomware behaviour; in this run it is equally consistent with Windows mounting the submitted .img disk image (opened by cmd.exe in the process tree), so treat it as weak evidence on its own.

  • Discovers systems in the same network 1 TTPs 1 IoCs
  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Modifies registry class 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 31 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\DocumentsFolder 9790038 12202022.img"
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:4272
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:1616
  • C:\Windows\System32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" \cursor.dat,qqqq
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3208
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" \cursor.dat,qqqq
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4104
      • C:\Windows\SysWOW64\wermgr.exe
        C:\Windows\SysWOW64\wermgr.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1764
        • C:\Windows\SysWOW64\net.exe
          net view
          4⤵
          • Discovers systems in the same network
          PID:4716
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c set
          4⤵
          PID:1664
        • C:\Windows\SysWOW64\arp.exe
          arp -a
          4⤵
          PID:1392
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig /all
          4⤵
          • Gathers network information
          PID:1676
        • C:\Windows\SysWOW64\nslookup.exe
          nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP
          4⤵
          PID:4316
        • C:\Windows\SysWOW64\net.exe
          net share
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4756
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 share
            5⤵
            PID:3680
        • C:\Windows\SysWOW64\route.exe
          route print
          4⤵
          PID:1588
        • C:\Windows\SysWOW64\netstat.exe
          netstat -nao
          4⤵
          • Gathers network information
          • Suspicious use of AdjustPrivilegeToken
          PID:3444
        • C:\Windows\SysWOW64\net.exe
          net localgroup
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:5024
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 localgroup
            5⤵
            PID:3676
        • C:\Windows\SysWOW64\whoami.exe
          whoami /all
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2376
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3240
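The tree above is the characteristic Qakbot chain: rundll32 loads the payload from a file whose name is not a DLL (\cursor.dat, export qqqq), hops into the 32-bit rundll32, injects into wermgr.exe, and that injected host then fires off a burst of discovery commands, including an SRV lookup for _ldap._tcp.dc._msdcs to learn whether the machine is domain-joined. The following is an added detection example over process-creation events, not the sandbox's or any vendor's rules. The events are constructed here to mirror the tree in a Sysmon Event ID 1 shape; the field names, the explorer.exe parent (PID 900) for the top-level rundll32 instances, and the two benign decoy events are assumptions.

```python
"""Detection logic for the chain above: rundll32 handed a module that is
not a .dll, and the wermgr.exe it injects into spawning discovery tools.
Added example, not part of the sandbox report or any vendor ruleset.
SAMPLE_EVENTS is constructed to mirror the tree on this page in a Sysmon
Event ID 1 (process create) shape; the field names, the explorer.exe
parent (PID 900) for the top-level rundll32 and the two benign decoy
events are assumptions."""
import re

# Discovery utilities the injected wermgr.exe runs in the tree above.
RECON_IMAGES = {"net.exe", "net1.exe", "arp.exe", "ipconfig.exe", "nslookup.exe",
                "route.exe", "netstat.exe", "whoami.exe"}
# Windows Error Reporting is a favourite injection host; it has no
# legitimate reason to launch discovery tooling.
SUSPICIOUS_PARENTS = {"wermgr.exe"}

# "<path\>rundll32[.exe]" <module>,<export> ...   (module may be quoted)
_RUNDLL32 = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,\s*\S+', re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rundll32_loads_non_dll(cmdline):
    """True when rundll32 is told to load a module whose extension is not
    .dll, as with '\\cursor.dat,qqqq' above.  The shell32.dll COM-server
    invocation in the same tree is legitimate and returns False."""
    m = _RUNDLL32.match(cmdline)
    return bool(m) and not m.group(1).strip().lower().endswith(".dll")


def is_dc_srv_lookup(cmdline):
    """The _ldap._tcp.dc._msdcs SRV query is how the sample checks whether
    the host is domain-joined (here it is not: WORKGROUP)."""
    c = cmdline.lower()
    return "nslookup" in c and "_ldap._tcp.dc._msdcs." in c


def recon_from_suspicious_parent(events, min_distinct=2):
    """Group process-create events by parent and report parents in
    SUSPICIOUS_PARENTS that spawned at least min_distinct different
    discovery utilities.  Returns {parent_pid: sorted child image names}.
    The threshold keeps a single stray net.exe from paging anyone."""
    by_parent = {}
    for e in events:
        if (basename(e["ParentImage"]) in SUSPICIOUS_PARENTS
                and basename(e["Image"]) in RECON_IMAGES):
            by_parent.setdefault(e["ParentProcessId"], set()).add(basename(e["Image"]))
    return {pid: sorted(k) for pid, k in by_parent.items() if len(k) >= min_distinct}


def analyze(events):
    """Run the three checks and return findings keyed by detection name."""
    return {
        "rundll32_non_dll": sorted(e["ProcessId"] for e in events
                                   if basename(e["Image"]) == "rundll32.exe"
                                   and rundll32_loads_non_dll(e["CommandLine"])),
        "dc_srv_lookup": sorted(e["ProcessId"] for e in events
                                if is_dc_srv_lookup(e["CommandLine"])),
        "recon_from_lolbin": recon_from_suspicious_parent(events),
    }


def _ev(pid, ppid, image, parent, cmdline):
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image,
            "ParentImage": parent, "CommandLine": cmdline}


W = "C:\\Windows\\"
SAMPLE_EVENTS = [
    _ev(1616, 900, W + "System32\\rundll32.exe", W + "explorer.exe",
        W + "System32\\rundll32.exe " + W + "System32\\shell32.dll,"
        "SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"),
    _ev(3208, 900, W + "System32\\rundll32.exe", W + "explorer.exe",
        '"' + W + 'System32\\rundll32.exe" \\cursor.dat,qqqq'),
    _ev(4104, 3208, W + "SysWOW64\\rundll32.exe", W + "System32\\rundll32.exe",
        '"' + W + 'System32\\rundll32.exe" \\cursor.dat,qqqq'),
    _ev(1764, 4104, W + "SysWOW64\\wermgr.exe", W + "SysWOW64\\rundll32.exe",
        W + "SysWOW64\\wermgr.exe"),
    _ev(4716, 1764, W + "SysWOW64\\net.exe", W + "SysWOW64\\wermgr.exe", "net view"),
    _ev(1676, 1764, W + "SysWOW64\\ipconfig.exe", W + "SysWOW64\\wermgr.exe", "ipconfig /all"),
    _ev(4316, 1764, W + "SysWOW64\\nslookup.exe", W + "SysWOW64\\wermgr.exe",
        "nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP"),
    _ev(2376, 1764, W + "SysWOW64\\whoami.exe", W + "SysWOW64\\wermgr.exe", "whoami /all"),
    # Benign decoys: an admin's ipconfig from a console, one lone net.exe under wermgr.
    _ev(5100, 5000, W + "System32\\ipconfig.exe", W + "System32\\cmd.exe", "ipconfig /all"),
    _ev(5200, 5150, W + "System32\\net.exe", W + "System32\\wermgr.exe", "net start"),
]

if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_EVENTS).items():
        print(f"{name}: {hits}")
```

The rundll32 check keys on the module's extension rather than on the `cursor.dat` name, so it also catches the next campaign's renamed payload; the recon check requires two distinct utilities under the same wermgr.exe parent so that a single benign child does not alert on its own.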

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/1764-140-0x0000000000FB0000-0x0000000000FDA000-memory.dmp

    Filesize

    168KB

  • memory/1764-139-0x0000000000FB0000-0x0000000000FDA000-memory.dmp

    Filesize

    168KB

  • memory/4104-133-0x0000000010000000-0x000000001002A000-memory.dmp

    Filesize

    168KB