Analysis Overview
SHA256
4e4ef37cbbe04766712cd6a9dd1985f718f7dd82fecf00ade30a018ad2146c7a
Threat Level: Known bad
The file 31b56e2f-5992-4669-adf3-2b4fd3a2fdf1.zip was found to be: Known bad.
Malicious Activity Summary
Qakbot/Qbot
Checks computer location settings
Loads dropped DLL
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-09 05:36
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-09 05:36
Reported
2023-01-09 05:40
Platform
win7-20221111-en
Max time kernel
150s
Max time network
33s
Command Line
Signatures
Qakbot/Qbot
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WP.vbs"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass metaphysic\\possessively.ps1
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\users\public\mercifulHaddock.txt DrawThemeIcon
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
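The process list above is the whole delivery chain: WScript.exe runs the dropped VBS, which starts a 32-bit PowerShell with `-ExecutionPolicy Bypass`, which hands a file named `.txt` to rundll32.exe with an export name, and rundll32 then spawns an argument-less wermgr.exe (the MapViewOfSection and WriteProcessMemory signatures on rundll32 are consistent with that child being used as an injection target). The following is an added example, not part of this sandbox report, showing how those three links can be flagged from process-creation telemetry. The `SAMPLE_EVENTS` records are constructed from the behavioral1 process list; their PIDs and parent links are assumed, because the report lists processes but not a tree.

```python
"""Process-chain triage for the delivery chain shown in this report:
WScript.exe -> powershell.exe (-ExecutionPolicy Bypass) -> rundll32.exe
(loading a .txt that is really a DLL) -> wermgr.exe.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed
from the behavioral1 process list; the PIDs and parent links are assumed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's behavioral1 process list (PIDs/ppids assumed).
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(792, 1, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WP.vbs"'),
    ProcEvent(620, 792, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" '
              r"-ExecutionPolicy Bypass metaphysic\\possessively.ps1"),
    ProcEvent(560, 620, r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\system32\rundll32.exe" C:\users\public\mercifulHaddock.txt DrawThemeIcon'),
    ProcEvent(864, 560, r"C:\Windows\SysWOW64\wermgr.exe", r"C:\Windows\SysWOW64\wermgr.exe"),
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
# -ExecutionPolicy Bypass and the abbreviations PowerShell accepts (-ep, -ex, -exec).
_BYPASS = re.compile(r"-(?:ep|exec(?:utionpolicy)?|ex)\s+bypass", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
DLL_EXTENSIONS = {".dll", ".cpl", ".ocx", ".drv", ".ax"}
# wermgr.exe is the child seen in this report; extend from your own telemetry.
INJECTION_HOSTS = {"wermgr.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def split_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [unquoted or quoted for quoted, unquoted in _TOKEN.findall(cmdline)]


def script_host_spawns_powershell_bypass(ev: ProcEvent, parent: Optional[ProcEvent]) -> bool:
    return (parent is not None
            and basename(parent.image) in SCRIPT_HOSTS
            and basename(ev.image) == "powershell.exe"
            and _BYPASS.search(ev.cmdline) is not None)


def rundll32_loads_non_dll(ev: ProcEvent) -> bool:
    """rundll32 <module>[,]<export>: flag when <module> lacks a DLL-like extension."""
    if basename(ev.image) != "rundll32.exe":
        return False
    args = split_cmdline(ev.cmdline)
    if len(args) < 2:
        return False
    module = basename(args[1].split(",", 1)[0])  # accept "x.dll,Entry" and "x.dll Entry"
    ext = module[module.rfind("."):] if "." in module else ""
    return ext not in DLL_EXTENSIONS


def rundll32_spawns_injection_host(ev: ProcEvent, parent: Optional[ProcEvent]) -> bool:
    """A bare wermgr.exe started by rundll32 is a hollowing target, not a crash report."""
    return (parent is not None
            and basename(parent.image) == "rundll32.exe"
            and basename(ev.image) in INJECTION_HOSTS
            and len(split_cmdline(ev.cmdline)) == 1)


def triage(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Run the three rules over every event and return (rule, pid) hits in event order."""
    by_pid = {e.pid: e for e in events}
    alerts: List[Tuple[str, int]] = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if script_host_spawns_powershell_bypass(ev, parent):
            alerts.append(("script_host_spawns_powershell_bypass", ev.pid))
        if rundll32_loads_non_dll(ev):
            alerts.append(("rundll32_loads_non_dll_extension", ev.pid))
        if rundll32_spawns_injection_host(ev, parent):
            alerts.append(("rundll32_spawns_injection_host", ev.pid))
    return alerts


def chain(events: List[ProcEvent], pid: int) -> List[str]:
    """Image basenames from the root ancestor down to pid (cycle-safe)."""
    by_pid = {e.pid: e for e in events}
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return names[::-1]


if __name__ == "__main__":
    for rule, pid in triage(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid} via {' > '.join(chain(SAMPLE_EVENTS, pid))}")
```

Each rule fires on its own link of the chain, so a single miss (for example an attacker switching wermgr.exe for another host) still leaves two hits. The Network tables in this report record only IP:port pairs with no resolved domain and no C2 signature attached to them, so the process chain and the dropped file are the indicators to pivot on, not those addresses.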
Network
Files
memory/792-54-0x000007FEFC131000-0x000007FEFC133000-memory.dmp
memory/620-55-0x0000000000000000-mapping.dmp
memory/620-56-0x00000000763D1000-0x00000000763D3000-memory.dmp
memory/620-57-0x0000000074190000-0x000000007473B000-memory.dmp
memory/620-58-0x0000000074190000-0x000000007473B000-memory.dmp
memory/560-59-0x0000000000000000-mapping.dmp
memory/620-62-0x0000000074190000-0x000000007473B000-memory.dmp
C:\users\public\mercifulHaddock.txt
| MD5 | 76593549a3162a83902138109f2de318 |
| SHA1 | be119fe481e00dbf35429e001015907f511bae3d |
| SHA256 | 24d7bb336cff00af352ee187d6c215dc037ac3f39ef1936deca18bb3ac472eb7 |
| SHA512 | b4964c156bb802a7e1ced49c3ac61cde62c9fa78659fd53772a665f4f5c56131e01427635c016241c08798eb68aa86d3ece354e9e05a0df8a55462de263f8ac9 |
\Users\Public\mercifulHaddock.txt
| MD5 | 76593549a3162a83902138109f2de318 |
| SHA1 | be119fe481e00dbf35429e001015907f511bae3d |
| SHA256 | 24d7bb336cff00af352ee187d6c215dc037ac3f39ef1936deca18bb3ac472eb7 |
| SHA512 | b4964c156bb802a7e1ced49c3ac61cde62c9fa78659fd53772a665f4f5c56131e01427635c016241c08798eb68aa86d3ece354e9e05a0df8a55462de263f8ac9 |
memory/560-65-0x0000000000680000-0x00000000006AA000-memory.dmp
memory/560-64-0x0000000000680000-0x00000000006AA000-memory.dmp
memory/560-66-0x0000000000650000-0x000000000067D000-memory.dmp
memory/560-67-0x0000000000680000-0x00000000006AA000-memory.dmp
memory/864-68-0x0000000000000000-mapping.dmp
memory/560-70-0x0000000000680000-0x00000000006AA000-memory.dmp
memory/864-71-0x0000000000080000-0x00000000000AA000-memory.dmp
memory/864-72-0x0000000000080000-0x00000000000AA000-memory.dmp
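The dropped file is written as `mercifulHaddock.txt`, yet rundll32 is told to call its `DrawThemeIcon` export, which can only succeed if the bytes are a PE image carrying that export. The extension is therefore no guide; the export table is. The following added example, not part of this sandbox report, parses the export names straight from a PE's bytes regardless of filename and pairs that with the extension check. `build_sample_dll()` constructs a minimal, non-loadable PE32 fixture for testing; it is not the sample whose hashes appear above, and the `DLL_EXTENSIONS` set is an assumption.

```python
"""Is a file with a non-DLL extension really a PE with the export rundll32 was
asked for? Added example, not part of the sandbox report. build_sample_dll()
is a constructed fixture, not the mercifulHaddock.txt sample from the report.
"""
import struct
from typing import List, Optional

DLL_EXTENSIONS = {".dll", ".cpl", ".ocx", ".drv", ".ax"}  # assumed "DLL-like" set


def _u16(b: bytes, o: int) -> int:
    return struct.unpack_from("<H", b, o)[0]


def _u32(b: bytes, o: int) -> int:
    return struct.unpack_from("<I", b, o)[0]


def pe_exports(data: bytes) -> Optional[List[str]]:
    """Exported names of a PE image; [] if it has none; None if data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe = _u32(data, 0x3C)                                  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        return None
    nsec, opt_size = _u16(data, pe + 6), _u16(data, pe + 20)
    opt = pe + 24
    dd = {0x10B: 96, 0x20B: 112}.get(_u16(data, opt))    # data-directory offset, PE32 / PE32+
    if dd is None:
        return None
    if _u32(data, opt + dd - 4) < 1:                       # NumberOfRvaAndSizes: no export slot
        return []
    exp_rva = _u32(data, opt + dd)                         # directory 0 = export table
    if exp_rva == 0:
        return []
    sections = []
    for i in range(nsec):                                  # (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
        vsize, va, rsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
        sections.append((va, max(vsize, rsize), raw))

    def rva2off(rva: int) -> int:
        for va, size, raw in sections:
            if va <= rva < va + size:
                return rva - va + raw
        raise ValueError(f"RVA {rva:#x} not backed by any section")

    e = rva2off(exp_rva)
    n_names, names_off = _u32(data, e + 24), rva2off(_u32(data, e + 32))
    names = []
    for i in range(n_names):
        s = rva2off(_u32(data, names_off + 4 * i))
        end = data.find(b"\0", s)
        names.append(data[s:len(data) if end < 0 else end].decode("ascii", "replace"))
    return names


def export_present(data: bytes, export: str) -> bool:
    return export in (pe_exports(data) or [])


def is_disguised_pe(filename: str, data: bytes) -> bool:
    """True when the extension says 'not a DLL' but the bytes are a PE image."""
    name = filename.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    ext = name[name.rfind("."):] if "." in name else ""
    return ext not in DLL_EXTENSIONS and pe_exports(data) is not None


def build_sample_dll(export_name: str = "DrawThemeIcon") -> bytes:
    """Constructed fixture: minimal PE32 DLL headers plus one named export (not loadable)."""
    sec_va, sec_raw, sec_size = 0x1000, 0x200, 0x200
    dll_name, exp_name = b"x.dll\0", export_name.encode("ascii") + b"\0"
    funcs_rva, names_rva, ords_rva = sec_va + 40, sec_va + 44, sec_va + 48
    dllname_rva = sec_va + 50
    expname_rva = dllname_rva + len(dll_name)
    export_dir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dllname_rva, 1, 1, 1,
                             funcs_rva, names_rva, ords_rva)
    body = (export_dir + struct.pack("<I", sec_va + 0x100) + struct.pack("<I", expname_rva)
            + struct.pack("<H", 0) + dll_name + exp_name)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                         # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)  # i386, 1 section, DLL
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 14, 0,                                 # PE32 magic, linker version
                      sec_size, 0, 0, 0, sec_va, sec_va,            # sizes, entry point, code/data base
                      0x10000000, 0x1000, 0x200,                    # ImageBase, SectionAlign, FileAlign
                      6, 0, 0, 0, 6, 0,                             # OS / image / subsystem versions
                      0, 0x2000, 0x200, 0,                          # Win32Version, SizeOfImage, SizeOfHeaders, CheckSum
                      2, 0,                                         # Subsystem (GUI), DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)   # stack/heap, LoaderFlags, NumberOfRvaAndSizes
    dirs = struct.pack("<II", sec_va, len(body)) + b"\0" * (8 * 15)  # export directory, 15 empty slots
    sec_hdr = b".edata\0\0" + struct.pack("<IIIIIIHHI", len(body), sec_va, sec_size, sec_raw,
                                          0, 0, 0, 0, 0x40000040)
    return (dos + coff + opt + dirs + sec_hdr).ljust(sec_raw, b"\0") + body.ljust(sec_size, b"\0")


if __name__ == "__main__":
    blob = build_sample_dll()
    print(is_disguised_pe(r"C:\users\public\mercifulHaddock.txt", blob),
          export_present(blob, "DrawThemeIcon"))
```

On a real sample, read the file bytes and pass them to `is_disguised_pe` and `export_present` with the export name taken from the rundll32 command line; a `.txt` (or any non-DLL extension) that parses as a PE and exports exactly the name rundll32 was given is the artefact to quarantine and hash-match against the values in the file table.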
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-09 05:36
Reported
2023-01-09 05:40
Platform
win10v2004-20220812-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Qakbot/Qbot
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WP.vbs"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass metaphysic\\possessively.ps1
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\users\public\mercifulHaddock.txt DrawThemeIcon
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 20.52.64.200:443 | N/A | tcp |
Files
memory/4468-132-0x0000000000000000-mapping.dmp
memory/4468-133-0x00000000029C0000-0x00000000029F6000-memory.dmp
memory/4468-134-0x0000000005610000-0x0000000005C38000-memory.dmp
memory/4468-135-0x0000000005410000-0x0000000005432000-memory.dmp
memory/4468-136-0x00000000054B0000-0x0000000005516000-memory.dmp
memory/4468-137-0x0000000005590000-0x00000000055F6000-memory.dmp
memory/4468-138-0x00000000062E0000-0x00000000062FE000-memory.dmp
memory/4468-139-0x0000000007570000-0x0000000007606000-memory.dmp
memory/4468-140-0x0000000006800000-0x000000000681A000-memory.dmp
memory/4468-141-0x00000000068A0000-0x00000000068C2000-memory.dmp
memory/4468-142-0x0000000007BC0000-0x0000000008164000-memory.dmp
memory/5088-143-0x0000000000000000-mapping.dmp
C:\users\public\mercifulHaddock.txt
| MD5 | 76593549a3162a83902138109f2de318 |
| SHA1 | be119fe481e00dbf35429e001015907f511bae3d |
| SHA256 | 24d7bb336cff00af352ee187d6c215dc037ac3f39ef1936deca18bb3ac472eb7 |
| SHA512 | b4964c156bb802a7e1ced49c3ac61cde62c9fa78659fd53772a665f4f5c56131e01427635c016241c08798eb68aa86d3ece354e9e05a0df8a55462de263f8ac9 |
C:\Users\Public\mercifulHaddock.txt
| MD5 | 76593549a3162a83902138109f2de318 |
| SHA1 | be119fe481e00dbf35429e001015907f511bae3d |
| SHA256 | 24d7bb336cff00af352ee187d6c215dc037ac3f39ef1936deca18bb3ac472eb7 |
| SHA512 | b4964c156bb802a7e1ced49c3ac61cde62c9fa78659fd53772a665f4f5c56131e01427635c016241c08798eb68aa86d3ece354e9e05a0df8a55462de263f8ac9 |
memory/5088-146-0x0000000000D20000-0x0000000000D4D000-memory.dmp
memory/5088-147-0x0000000000D50000-0x0000000000D7A000-memory.dmp
memory/2360-148-0x0000000000000000-mapping.dmp
memory/5088-149-0x0000000000D50000-0x0000000000D7A000-memory.dmp
memory/2360-150-0x0000000000160000-0x000000000018A000-memory.dmp
memory/2360-151-0x0000000000160000-0x000000000018A000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2023-01-09 05:36
Reported
2023-01-09 05:40
Platform
win7-20220901-en
Max time kernel
43s
Max time network
47s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1752 wrote to memory of 1716 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\rundll32.exe |
| PID 1752 wrote to memory of 1716 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\rundll32.exe |
| PID 1752 wrote to memory of 1716 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\rundll32.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\metaphysic\possessively.ps1
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\users\public\mercifulHaddock.txt DrawThemeIcon
Network
Files
memory/1752-54-0x000007FEFB7F1000-0x000007FEFB7F3000-memory.dmp
memory/1752-55-0x000007FEF31B0000-0x000007FEF3BD3000-memory.dmp
memory/1752-56-0x000007FEF2650000-0x000007FEF31AD000-memory.dmp
memory/1752-57-0x000000001B830000-0x000000001BB2F000-memory.dmp
memory/1752-58-0x0000000002484000-0x0000000002487000-memory.dmp
memory/1752-59-0x000000000248B000-0x00000000024AA000-memory.dmp
memory/1716-60-0x0000000000000000-mapping.dmp
memory/1752-61-0x0000000002484000-0x0000000002487000-memory.dmp
memory/1752-62-0x000000000248B000-0x00000000024AA000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2023-01-09 05:36
Reported
2023-01-09 05:40
Platform
win10v2004-20220812-en
Max time kernel
90s
Max time network
153s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1564 wrote to memory of 4564 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\rundll32.exe |
| PID 1564 wrote to memory of 4564 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\rundll32.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\metaphysic\possessively.ps1
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\users\public\mercifulHaddock.txt DrawThemeIcon
Network
| Country | Destination | Domain | Proto |
| N/A | 93.184.220.29:80 | N/A | tcp |
| N/A | 93.184.220.29:80 | N/A | tcp |
| N/A | 13.69.239.73:443 | N/A | tcp |
Files
memory/1564-132-0x0000018B657C0000-0x0000018B657E2000-memory.dmp
memory/1564-133-0x00007FFBC8BD0000-0x00007FFBC9691000-memory.dmp
memory/4564-134-0x0000000000000000-mapping.dmp
memory/1564-135-0x00007FFBC8BD0000-0x00007FFBC9691000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2023-01-09 05:36
Reported
2023-01-09 05:40
Platform
win7-20221111-en
Max time kernel
31s
Max time network
33s
Command Line
Signatures
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1192 wrote to memory of 852 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1192 wrote to memory of 852 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1192 wrote to memory of 852 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1192 wrote to memory of 852 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\metaphysic\privates.vbs"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass metaphysic\\possessively.ps1
Network
Files
memory/1192-54-0x000007FEFC201000-0x000007FEFC203000-memory.dmp
memory/852-55-0x0000000000000000-mapping.dmp
memory/852-56-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
memory/852-57-0x00000000743F0000-0x000000007499B000-memory.dmp
memory/852-58-0x00000000743F0000-0x000000007499B000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2023-01-09 05:36
Reported
2023-01-09 05:40
Platform
win10v2004-20220812-en
Max time kernel
83s
Max time network
141s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4208 wrote to memory of 420 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 4208 wrote to memory of 420 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 4208 wrote to memory of 420 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\metaphysic\privates.vbs"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass metaphysic\\possessively.ps1
Network
| Country | Destination | Domain | Proto |
| N/A | 93.184.220.29:80 | N/A | tcp |
| N/A | 20.42.65.89:443 | N/A | tcp |
| N/A | 104.110.191.133:80 | N/A | tcp |
| N/A | 104.110.191.133:80 | N/A | tcp |
Files
memory/420-132-0x0000000000000000-mapping.dmp
memory/420-133-0x0000000002CD0000-0x0000000002D06000-memory.dmp
memory/420-134-0x0000000005830000-0x0000000005E58000-memory.dmp
memory/420-135-0x0000000005700000-0x0000000005722000-memory.dmp
memory/420-136-0x00000000057A0000-0x0000000005806000-memory.dmp
memory/420-137-0x0000000005ED0000-0x0000000005F36000-memory.dmp
memory/420-138-0x00000000065D0000-0x00000000065EE000-memory.dmp