Analysis Overview
SHA256
b2806d6f89e075e79fb607fc98f1f8475da4a9304ae57489a2dcf7268c03809b
Threat Level: Known bad
The file cce9b70b263cd92ad3f4a61065f38520-sample.zip was found to be: Known bad.
Malicious Activity Summary
Qakbot/Qbot
Enumerates physical storage devices
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Discovers systems in the same network
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Gathers network information
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-03 22:21
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-03 22:21
Reported
2023-01-03 22:51
Platform
win10v2004-20221111-en
Max time kernel
1800s
Max time network
1768s
Command Line
Signatures
Qakbot/Qbot
Enumerates physical storage devices
Discovers systems in the same network
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\net.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netstat.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\cmd.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\cmd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\netstat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\system32\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\DocumentsFolder 9790038 12202022.img" |
| C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding |
| C:\Windows\System32\rundll32.exe | "C:\Windows\System32\rundll32.exe" \cursor.dat,qqqq |
| C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\System32\rundll32.exe" \cursor.dat,qqqq |
| C:\Windows\SysWOW64\wermgr.exe | C:\Windows\SysWOW64\wermgr.exe |
| C:\Windows\SysWOW64\net.exe | net view |
| C:\Windows\SysWOW64\cmd.exe | cmd /c set |
| C:\Windows\SysWOW64\arp.exe | arp -a |
| C:\Windows\SysWOW64\ipconfig.exe | ipconfig /all |
| C:\Windows\SysWOW64\nslookup.exe | nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP |
| C:\Windows\SysWOW64\net.exe | net share |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 share |
| C:\Windows\SysWOW64\route.exe | route print |
| C:\Windows\SysWOW64\netstat.exe | netstat -nao |
| C:\Windows\SysWOW64\net.exe | net localgroup |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 localgroup |
| C:\Windows\SysWOW64\whoami.exe | whoami /all |
| C:\Windows\system32\msiexec.exe | C:\Windows\system32\msiexec.exe /V |
Network
| Country | Destination | Domain | Proto |
| N/A | 72.21.91.29:80 | | tcp |
| N/A | 104.80.225.205:443 | | tcp |
| N/A | 51.11.192.48:443 | | tcp |
| N/A | 72.21.81.240:80 | | tcp |
| N/A | 72.21.81.240:80 | | tcp |
| N/A | 72.21.81.240:80 | | tcp |
| N/A | 8.248.99.254:80 | | tcp |
| N/A | 8.248.99.254:80 | | tcp |
| N/A | 8.8.8.8:53 | xfinity.com | udp |
| N/A | 96.114.14.140:443 | xfinity.com | tcp |
| N/A | 8.8.8.8:53 | www.xfinity.com | udp |
| N/A | 104.73.145.91:443 | www.xfinity.com | tcp |
| N/A | 27.0.48.233:443 | | tcp |
| N/A | 27.0.48.233:443 | | tcp |
| N/A | 27.0.48.233:443 | | tcp |
| N/A | 27.0.48.233:443 | | tcp |
| N/A | 109.159.119.186:2222 | | tcp |
| N/A | 109.159.119.186:2222 | | tcp |
| N/A | 109.159.119.186:2222 | | tcp |
| N/A | 109.159.119.186:2222 | | tcp |
| N/A | 116.75.63.156:443 | | tcp |
| N/A | 116.75.63.156:443 | | tcp |
| N/A | 116.75.63.156:443 | | tcp |
| N/A | 116.75.63.156:443 | | tcp |
| N/A | 182.79.116.126:443 | | tcp |
| N/A | 182.79.116.126:443 | | tcp |
| N/A | 182.79.116.126:443 | | tcp |
| N/A | 182.79.116.126:443 | | tcp |
| N/A | 202.142.98.62:443 | | tcp |
| N/A | 202.142.98.62:443 | | tcp |
| N/A | 202.142.98.62:443 | | tcp |
| N/A | 202.142.98.62:443 | | tcp |
| N/A | 86.195.14.72:2222 | | tcp |
| N/A | 86.195.14.72:2222 | | tcp |
| N/A | 86.195.14.72:2222 | | tcp |
| N/A | 86.195.14.72:2222 | | tcp |
| N/A | 69.165.145.141:443 | | tcp |
| N/A | 69.165.145.141:443 | | tcp |
| N/A | 69.165.145.141:443 | | tcp |
| N/A | 69.165.145.141:443 | | tcp |
| N/A | 122.186.71.98:443 | | tcp |
| N/A | 122.186.71.98:443 | | tcp |
| N/A | 122.186.71.98:443 | | tcp |
| N/A | 122.186.71.98:443 | | tcp |
| N/A | 80.98.132.66:443 | | tcp |
| N/A | 80.98.132.66:443 | | tcp |
| N/A | 80.98.132.66:443 | | tcp |
| N/A | 80.98.132.66:443 | | tcp |
| N/A | 206.166.209.170:2222 | 206.166.209.170 | tcp |
| N/A | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| N/A | 8.8.8.8:53 | _ldap._tcp.dc._msdcs.WORKGROUP | udp |
| N/A | 8.8.8.8:53 | _ldap._tcp.dc._msdcs.WORKGROUP | udp |
| N/A | 8.8.8.8:53 | evcs-ocsp.ws.symantec.com | udp |
| N/A | 23.51.123.27:80 | evcs-ocsp.ws.symantec.com | tcp |
| N/A | 206.166.209.170:2222 | 206.166.209.170 | tcp |
| N/A | 206.166.209.170:2222 | 206.166.209.170 | tcp |
| N/A | 8.8.8.8:53 | yahoo.com | udp |
| N/A | 74.6.231.21:443 | yahoo.com | tcp |
| N/A | 8.8.8.8:53 | www.yahoo.com | udp |
| N/A | 87.248.100.215:443 | www.yahoo.com | tcp |
| N/A | 206.166.209.170:2222 | 206.166.209.170 | tcp |
| N/A | 74.6.231.21:443 | yahoo.com | tcp |
| N/A | 87.248.100.215:443 | www.yahoo.com | tcp |
| N/A | 206.166.209.170:2222 | 206.166.209.170 | tcp |
| N/A | 13.107.21.200:443 | | tcp |
| N/A | 8.8.8.8:53 | cisco.com | udp |
| N/A | 72.163.4.185:443 | cisco.com | tcp |
| N/A | 8.8.8.8:53 | www.cisco.com | udp |
| N/A | 23.222.34.209:443 | www.cisco.com | tcp |
| N/A | 8.8.8.8:53 | commercial.ocsp.identrust.com | udp |
| N/A | 192.35.177.23:80 | commercial.ocsp.identrust.com | tcp |
| N/A | 206.166.209.170:2222 | 206.166.209.170 | tcp |
| N/A | 8.8.8.8:53 | broadcom.com | udp |
| N/A | 52.13.171.212:443 | broadcom.com | tcp |
| N/A | 8.8.8.8:53 | www.broadcom.com | udp |
| N/A | 104.18.32.150:443 | www.broadcom.com | tcp |
| N/A | 206.166.209.170:2222 | 206.166.209.170 | tcp |
Files
memory/4104-132-0x0000000000000000-mapping.dmp
memory/4104-133-0x0000000010000000-0x000000001002A000-memory.dmp
memory/1764-138-0x0000000000000000-mapping.dmp
memory/1764-139-0x0000000000FB0000-0x0000000000FDA000-memory.dmp
memory/1764-140-0x0000000000FB0000-0x0000000000FDA000-memory.dmp
memory/4716-141-0x0000000000000000-mapping.dmp
memory/1664-142-0x0000000000000000-mapping.dmp
memory/1392-143-0x0000000000000000-mapping.dmp
memory/1676-144-0x0000000000000000-mapping.dmp
memory/4316-145-0x0000000000000000-mapping.dmp
memory/4756-146-0x0000000000000000-mapping.dmp
memory/3680-147-0x0000000000000000-mapping.dmp
memory/1588-148-0x0000000000000000-mapping.dmp
memory/3444-149-0x0000000000000000-mapping.dmp
memory/5024-150-0x0000000000000000-mapping.dmp
memory/3676-151-0x0000000000000000-mapping.dmp
memory/2376-152-0x0000000000000000-mapping.dmp