Analysis

  • max time kernel
    600s
  • max time network
    588s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    03/02/2023, 02:48

General

  • Target

    RunDLL-1.bat

  • Size

    28B

  • MD5

    707a85392304853a2f2c42e1e39cafd4

  • SHA1

    d5d67d2dbcfa5f4061ca32da36cfbee9f3c2a213

  • SHA256

    06b1fc756f405efb9f1ef0446bfe9366315ed9e25cfeb98750475e7ed4266161

  • SHA512

    3cedae886b9a658f0c566226c5633358d8571fc494a95c968d9df08c40183e206eaeae12860e1c56bcaebde236af4a9b885b7b2760edc38ae34780cc463d7416

Malware Config

Extracted

Family

qakbot

Version

404.432

Botnet

BB12

Campaign

1675352134

C2


Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Loads dropped DLL (2 IoCs)
  • Discovers systems in the same network (1 TTP, 1 IoC)
  • Gathers network information (2 TTPs, 2 IoCs)

    Uses a command-line utility to view network configuration.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: MapViewOfSection (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (29 IoCs)
  • Suspicious use of WriteProcessMemory (49 IoCs)

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RunDLL-1.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3856
    • C:\Windows\system32\rundll32.exe
      rundll32.exe index1.png,Wind
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5060
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe index1.png,Wind
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:5084
        • C:\Windows\SysWOW64\wermgr.exe
          C:\Windows\SysWOW64\wermgr.exe
          4⤵
            PID:2736
          • C:\Windows\SysWOW64\wermgr.exe
            C:\Windows\SysWOW64\wermgr.exe
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2672
            • C:\Windows\SysWOW64\net.exe
              net view
              5⤵
              • Discovers systems in the same network
              PID:4992
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c set
              5⤵
                PID:4820
              • C:\Windows\SysWOW64\arp.exe
                arp -a
                5⤵
                  PID:4868
                • C:\Windows\SysWOW64\ipconfig.exe
                  ipconfig /all
                  5⤵
                  • Gathers network information
                  PID:1700
                • C:\Windows\SysWOW64\nslookup.exe
                  nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP
                  5⤵
                    PID:2236
                  • C:\Windows\SysWOW64\net.exe
                    net share
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2276
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 share
                      6⤵
                        PID:1840
                    • C:\Windows\SysWOW64\route.exe
                      route print
                      5⤵
                        PID:2936
                      • C:\Windows\SysWOW64\netstat.exe
                        netstat -nao
                        5⤵
                        • Gathers network information
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3968
                      • C:\Windows\SysWOW64\net.exe
                        net localgroup
                        5⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2164
                        • C:\Windows\SysWOW64\net1.exe
                          C:\Windows\system32\net1 localgroup
                          6⤵
                            PID:5068
                        • C:\Windows\SysWOW64\whoami.exe
                          whoami /all
                          5⤵
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3532
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1020


Downloads

  • \Users\Admin\AppData\Local\Temp\86064E86.dll

    Filesize

    1.8MB

    MD5

    f7202e522a8901da566cbd69d7b195e0

    SHA1

    3990af71966ceab9bf73636fcd845dac0b269942

    SHA256

    772c5718a6ddaa89d6e6144f275b76046477306afdf8ad3f46c4749845e4248a

    SHA512

    a58ca60cbe37c8b0cc195d1bbe8ee9c986392f8781187378d1f2aa96bff1834e4c24f76580d779f6024c0841fc826146d8d4aa909defc7639c95edda079ae124

  • \Users\Admin\AppData\Local\Temp\88BEEA16.dll

    Filesize

    1.8MB

    MD5

    f7202e522a8901da566cbd69d7b195e0

    SHA1

    3990af71966ceab9bf73636fcd845dac0b269942

    SHA256

    772c5718a6ddaa89d6e6144f275b76046477306afdf8ad3f46c4749845e4248a

    SHA512

    a58ca60cbe37c8b0cc195d1bbe8ee9c986392f8781187378d1f2aa96bff1834e4c24f76580d779f6024c0841fc826146d8d4aa909defc7639c95edda079ae124
