Analysis

  • max time kernel
    150s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/02/2023, 10:28

General

  • Target

    fbe95e4d58b31a15569d3e4ab057bc47abb193c9afacdda186be51b2c1ac582b.msi

  • Size

    384KB

  • MD5

    bd0ebd840439189cc64af2d0cd0dd130

  • SHA1

    72cef301ca25db6f1aa42f9380ab12ae2e99a725

  • SHA256

    fbe95e4d58b31a15569d3e4ab057bc47abb193c9afacdda186be51b2c1ac582b

  • SHA512

    b6298e66cb903d58b0877a0fe9725a6fb35dc2a304a5d79532d2cbc20ee3d85667fab7cc305baf5c9b612bfed9026f54a9371de72d00eb22964fcc9ff91f9b2b

  • SSDEEP

    6144:Vn1X0lyS6gYhkJceU2iXT+XYhwNabhXx3r6FiNhRfpwt+42OTTF:V1Xw6gzJceU2khmOC4Nhxpwc6X

Malware Config

Extracted

Family

qakbot

Version

404.430

Botnet

BB12

Campaign

1675090602

C2

24.9.220.167:443

92.239.81.124:443

12.172.173.82:32101

162.248.14.107:443

213.31.90.183:2222

217.128.200.114:2222

71.31.101.183:443

81.229.117.95:2222

184.68.116.146:2222

86.130.9.183:2222

92.154.45.81:2222

70.64.77.115:443

24.71.120.191:443

86.225.214.138:2222

86.165.225.227:2222

172.90.139.138:2222

92.207.132.174:2222

70.160.80.210:443

58.162.223.233:443

47.61.70.188:2078

Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Loads dropped DLL (6 IoCs)
  • Enumerates connected drives (3 TTPs, 48 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory (10 IoCs)
  • Modifies data under HKEY_USERS (43 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: MapViewOfSection (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of WriteProcessMemory (23 IoCs)

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\fbe95e4d58b31a15569d3e4ab057bc47abb193c9afacdda186be51b2c1ac582b.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1380
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:968
    • C:\Windows\system32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Local\TeamViewer\notify.vbs
      2⤵
        PID:292
      • C:\Windows\system32\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\TeamViewer\main.dll,Updt
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1640
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe C:\Users\Admin\AppData\Local\TeamViewer\main.dll,Updt
          3⤵
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1528
          • C:\Windows\SysWOW64\wermgr.exe
            C:\Windows\SysWOW64\wermgr.exe
            4⤵
              PID:300
            • C:\Windows\SysWOW64\wermgr.exe
              C:\Windows\SysWOW64\wermgr.exe
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:1816
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1108
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004A8" "00000000000003D0"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1076

Network

MITRE ATT&CK Enterprise v6

      Downloads

      • C:\Users\Admin\AppData\Local\TeamViewer\main.dll

        Filesize

        594KB

        MD5

        84ad21a10cef3176d5a1604f28adeb3c

        SHA1

        72efd8d98e6a8ffb3a45d07796bbf794b5c8795d

        SHA256

        5ab4fc385b86f965460682420dc45b840225b2b0db16b38e8e6a0c54965d91c2

        SHA512

        469be94d72fc09f453acdc024fd3aa1dc691e5930ec70f592460f1f1e90f3e2742079896ecd7fb353eb5e5fc77f9b4be3aec3119455d5e883381858b9d608cab

      • C:\Users\Admin\AppData\Local\TeamViewer\notify.vbs

        Filesize

        88B

        MD5

        203e5b101aa817c99cc11a8450d12115

        SHA1

        24910eccaf2640f08d1c8948491dbe179bb044b9

        SHA256

        f8f5710726a31e7f50a4ca4a701fac52ccb2da518d5398b22d3853418a380371

        SHA512

        a1edb4501e13ca2495f1a36eb055256d0d786d17bbfa155ee3ab2767ae5953e10b3e6bdf1debfd81fc23e8e8433d95b67bfac1baf3aff8fb19afa63c90cdd7aa

      • \Users\Admin\AppData\Local\TeamViewer\main.dll

        Filesize

        594KB

        MD5

        84ad21a10cef3176d5a1604f28adeb3c

        SHA1

        72efd8d98e6a8ffb3a45d07796bbf794b5c8795d

        SHA256

        5ab4fc385b86f965460682420dc45b840225b2b0db16b38e8e6a0c54965d91c2

        SHA512

        469be94d72fc09f453acdc024fd3aa1dc691e5930ec70f592460f1f1e90f3e2742079896ecd7fb353eb5e5fc77f9b4be3aec3119455d5e883381858b9d608cab

      • \Users\Admin\AppData\Local\Temp\AE1D123C.dll

        Filesize

        268KB

        MD5

        53bb811ed12d2c867b354390fabf9612

        SHA1

        81b29c540c0e2a09385cf7e821639ff64fbffd91

        SHA256

        a972b482b09e50875c5cdc2cfd6c9b2fa96c9dbf9d23894d0b3061c97145b133

        SHA512

        5f7b584b9b42b0dc6ebbd3571cac1bc07c16301a994c9891201007c7b8698ef4604b2cc1f7e9a2edb016e50d415a6a9ca390a0df89bab01c889c7d382d2e8d24

      • \Users\Admin\AppData\Local\Temp\DDD3993D.dll

        Filesize

        268KB

        MD5

        53bb811ed12d2c867b354390fabf9612

        SHA1

        81b29c540c0e2a09385cf7e821639ff64fbffd91

        SHA256

        a972b482b09e50875c5cdc2cfd6c9b2fa96c9dbf9d23894d0b3061c97145b133

        SHA512

        5f7b584b9b42b0dc6ebbd3571cac1bc07c16301a994c9891201007c7b8698ef4604b2cc1f7e9a2edb016e50d415a6a9ca390a0df89bab01c889c7d382d2e8d24

      • memory/1380-54-0x000007FEFB751000-0x000007FEFB753000-memory.dmp

        Filesize

        8KB

      • memory/1528-61-0x0000000074F01000-0x0000000074F03000-memory.dmp

        Filesize

        8KB

      • memory/1528-66-0x0000000000170000-0x0000000000193000-memory.dmp

        Filesize

        140KB

      • memory/1816-75-0x0000000000080000-0x00000000000A3000-memory.dmp

        Filesize

        140KB

      • memory/1816-76-0x0000000000080000-0x00000000000A3000-memory.dmp

        Filesize

        140KB