Analysis Overview
SHA256
504d1d0d80751825c8a2a2994b0a5a2ae65ae7072838b3ef144e0991c540fe09
Threat Level: Known bad
The file fc600017ebd6e3866e6ac4b407962a5f1f9befe4a4b1966874d523fd4a984d31.zip was found to be: Known bad.
Malicious Activity Summary
Qakbot/Qbot
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-09 12:34
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-09 12:34
Reported
2023-02-09 12:38
Platform
win10-20220812-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Qakbot/Qbot
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4956 wrote to memory of 3156 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4956 wrote to memory of 3156 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4956 wrote to memory of 3156 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3156 wrote to memory of 4100 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\wermgr.exe |
| PID 3156 wrote to memory of 4100 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\wermgr.exe |
| PID 3156 wrote to memory of 4100 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\wermgr.exe |
| PID 3156 wrote to memory of 4100 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\wermgr.exe |
| PID 3156 wrote to memory of 4100 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\wermgr.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\publish\eardrum.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\publish\eardrum.dll
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2023-02-09 12:34
Reported
2023-02-09 12:38
Platform
win10-20220901-en
Max time kernel
144s
Max time network
148s
Command Line
Signatures
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\publish\overawesBets.vbs"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 20.189.173.11:443 | N/A | tcp |
| US | 209.197.3.8:80 | N/A | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2023-02-09 12:34
Reported
2023-02-09 12:38
Platform
win10-20220812-en
Max time kernel
140s
Max time network
145s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\publish\supernumerariesUnlearned.cmd"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 52.182.143.208:443 | N/A | tcp |
| US | 93.184.221.240:80 | N/A | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-09 12:34
Reported
2023-02-09 12:38
Platform
win10-20220901-en
Max time kernel
150s
Max time network
54s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\rescache\_merged\4183903823\810424605.pri | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Windows\rescache\_merged\1601268389\3877292338.pri | C:\Windows\system32\taskmgr.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Contract.lnk
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding