Analysis Overview
SHA256
a0dc9d602575ef4a682bb0e9935464b96cc26cc2973730593d06013e595f67c5
Threat Level: Known bad
The file Malware.zip was found to be: Known bad.
Malicious Activity Summary
Qakbot/Qbot
Loads dropped DLL
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Discovers systems in the same network
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Gathers network information
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-03 02:48
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-03 02:48
Reported
2023-02-03 02:58
Platform
win10-20220812-en
Max time kernel
600s
Max time network
588s
Command Line
Signatures
Qakbot/Qbot
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Discovers systems in the same network
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\net.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netstat.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\netstat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RunDLL-1.bat"
C:\Windows\system32\rundll32.exe
rundll32.exe index1.png,Wind
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe index1.png,Wind
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\net.exe
net view
C:\Windows\SysWOW64\cmd.exe
cmd /c set
C:\Windows\SysWOW64\arp.exe
arp -a
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
C:\Windows\SysWOW64\nslookup.exe
nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP
C:\Windows\SysWOW64\net.exe
net share
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share
C:\Windows\SysWOW64\route.exe
route print
C:\Windows\SysWOW64\netstat.exe
netstat -nao
C:\Windows\SysWOW64\net.exe
net localgroup
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup
C:\Windows\SysWOW64\whoami.exe
whoami /all
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
Network
| Country | Destination | Domain | Proto |
| DE | 2.16.119.157:443 | | tcp |
| US | 52.168.112.66:443 | | tcp |
| US | 8.8.8.8:53 | yahoo.com | udp |
| US | 98.137.11.163:443 | yahoo.com | tcp |
| US | 8.8.8.8:53 | www.yahoo.com | udp |
| IE | 87.248.100.215:443 | www.yahoo.com | tcp |
| PR | 64.237.207.9:443 | 64.237.207.9 | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | _ldap._tcp.dc._msdcs.WORKGROUP | udp |
| US | 8.8.8.8:53 | _ldap._tcp.dc._msdcs.WORKGROUP | udp |
| US | 8.8.8.8:53 | evcs-ocsp.ws.symantec.com | udp |
| GB | 23.43.75.27:80 | evcs-ocsp.ws.symantec.com | tcp |
| PR | 64.237.207.9:443 | 64.237.207.9 | tcp |
| PR | 64.237.207.9:443 | 64.237.207.9 | tcp |
| US | 8.8.8.8:53 | oracle.com | udp |
| US | 138.1.33.162:443 | oracle.com | tcp |
| US | 8.8.8.8:53 | www.oracle.com | udp |
| NL | 95.101.125.213:443 | www.oracle.com | tcp |
| PR | 64.237.207.9:443 | 64.237.207.9 | tcp |
Files
\Users\Admin\AppData\Local\Temp\86064E86.dll
| MD5 | f7202e522a8901da566cbd69d7b195e0 |
| SHA1 | 3990af71966ceab9bf73636fcd845dac0b269942 |
| SHA256 | 772c5718a6ddaa89d6e6144f275b76046477306afdf8ad3f46c4749845e4248a |
| SHA512 | a58ca60cbe37c8b0cc195d1bbe8ee9c986392f8781187378d1f2aa96bff1834e4c24f76580d779f6024c0841fc826146d8d4aa909defc7639c95edda079ae124 |
\Users\Admin\AppData\Local\Temp\88BEEA16.dll
| MD5 | f7202e522a8901da566cbd69d7b195e0 |
| SHA1 | 3990af71966ceab9bf73636fcd845dac0b269942 |
| SHA256 | 772c5718a6ddaa89d6e6144f275b76046477306afdf8ad3f46c4749845e4248a |
| SHA512 | a58ca60cbe37c8b0cc195d1bbe8ee9c986392f8781187378d1f2aa96bff1834e4c24f76580d779f6024c0841fc826146d8d4aa909defc7639c95edda079ae124 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-03 02:48
Reported
2023-02-03 02:58
Platform
win7-20221111-en
Max time kernel
600s
Max time network
598s
Command Line
Signatures
Qakbot/Qbot
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\RunDLL-1.bat"
C:\Windows\system32\rundll32.exe
rundll32.exe index1.png,Wind
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe index1.png,Wind
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | yahoo.com | udp |
| US | 98.137.11.164:443 | yahoo.com | tcp |
| US | 8.8.8.8:53 | www.yahoo.com | udp |
| IE | 87.248.100.216:443 | www.yahoo.com | tcp |
| GB | 86.161.143.7:2222 | | tcp |
| GB | 86.161.143.7:2222 | | tcp |
| GB | 86.161.143.7:2222 | | tcp |
| GB | 86.161.143.7:2222 | | tcp |
| US | 72.188.121.121:443 | | tcp |
| US | 72.188.121.121:443 | | tcp |
| US | 72.188.121.121:443 | | tcp |
| US | 72.188.121.121:443 | | tcp |
| IN | 183.82.112.209:443 | | tcp |
| IN | 183.82.112.209:443 | | tcp |
| IN | 183.82.112.209:443 | | tcp |
| IN | 183.82.112.209:443 | | tcp |
| IN | 103.169.83.89:443 | | tcp |
| IN | 103.169.83.89:443 | | tcp |
| IN | 103.169.83.89:443 | | tcp |
| IN | 103.169.83.89:443 | | tcp |
| IE | 78.16.206.181:443 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\A54D33C6.dll
| MD5 | 53bb811ed12d2c867b354390fabf9612 |
| SHA1 | 81b29c540c0e2a09385cf7e821639ff64fbffd91 |
| SHA256 | a972b482b09e50875c5cdc2cfd6c9b2fa96c9dbf9d23894d0b3061c97145b133 |
| SHA512 | 5f7b584b9b42b0dc6ebbd3571cac1bc07c16301a994c9891201007c7b8698ef4604b2cc1f7e9a2edb016e50d415a6a9ca390a0df89bab01c889c7d382d2e8d24 |
\Users\Admin\AppData\Local\Temp\2F2D8E20.dll
| MD5 | 53bb811ed12d2c867b354390fabf9612 |
| SHA1 | 81b29c540c0e2a09385cf7e821639ff64fbffd91 |
| SHA256 | a972b482b09e50875c5cdc2cfd6c9b2fa96c9dbf9d23894d0b3061c97145b133 |
| SHA512 | 5f7b584b9b42b0dc6ebbd3571cac1bc07c16301a994c9891201007c7b8698ef4604b2cc1f7e9a2edb016e50d415a6a9ca390a0df89bab01c889c7d382d2e8d24 |