Analysis Overview
SHA256
afd28ea23e2855ea0aebf6bcc375612a6fcd508c093ba3fec3827280aec72102
Threat Level: Known bad
The file b6a0458e6ef077b43106ac606f4bd132.bin was found to be: Known bad.
Malicious Activity Summary
Qakbot/Qbot
Checks computer location settings
Loads dropped DLL
Enumerates physical storage devices
Program crash
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-24 01:49
Signatures
Analysis: behavioral5
Detonation Overview
Submitted
2023-02-24 01:49
Reported
2023-02-24 01:49
Platform
win7-20230220-en
Max time kernel
0s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\vibrations\smirch.exe
"C:\Users\Admin\AppData\Local\Temp\vibrations\smirch.exe"
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2023-02-24 01:49
Reported
2023-02-24 01:51
Platform
win10v2004-20230220-en
Max time kernel
101s
Max time network
115s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\vibrations\smirch.exe
"C:\Users\Admin\AppData\Local\Temp\vibrations\smirch.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.108.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.97.242.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.113.223.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.176.139.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.141.123.20.in-addr.arpa | udp |
| US | 93.184.221.240:80 | | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-24 01:49
Reported
2023-02-24 01:51
Platform
win7-20230220-en
Max time kernel
25s
Max time network
29s
Command Line
Signatures
Enumerates physical storage devices
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\RR.lnk
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /q /c vibrations\\disharmony.cmd
C:\Users\Admin\AppData\Local\Temp\vibrations\smirch.exe
vibrations\smirch.exe -decode vibrations\stateswoman.sql c:\users\public\output.txt
C:\Users\Admin\AppData\Local\Temp\vibrations\smirch.exe
"C:\Users\Admin\AppData\Local\Temp\vibrations\smirch.exe" -decode vibrations\stateswoman.sql c:\users\public\output.txt
C:\Users\Admin\AppData\Local\Temp\vibrations\smirch.exe
vibrations\smirch.exe -decode c:\users\public\output.txt c:\users\public\output2.txt
C:\Users\Admin\AppData\Local\Temp\vibrations\smirch.exe
"C:\Users\Admin\AppData\Local\Temp\vibrations\smirch.exe" -decode c:\users\public\output.txt c:\users\public\output2.txt
C:\Windows\SysWOW64\rundll32.exe
rundll32 c:\users\public\output2.txt,N115
Network
Files
memory/1708-125-0x0000000002200000-0x0000000002201000-memory.dmp
memory/1708-161-0x0000000002200000-0x0000000002201000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-24 01:49
Reported
2023-02-24 01:51
Platform
win10v2004-20230220-en
Max time kernel
150s
Max time network
123s
Command Line
Signatures
Qakbot/Qbot
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\RR.lnk
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /q /c vibrations\\disharmony.cmd
C:\Users\Admin\AppData\Local\Temp\vibrations\smirch.exe
vibrations\smirch.exe -decode vibrations\stateswoman.sql c:\users\public\output.txt
C:\Users\Admin\AppData\Local\Temp\vibrations\smirch.exe
vibrations\smirch.exe -decode c:\users\public\output.txt c:\users\public\output2.txt
C:\Windows\SysWOW64\rundll32.exe
rundll32 c:\users\public\output2.txt,N115
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1160 -ip 1160
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 544
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 20.42.73.25:443 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 209.197.3.8:80 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
Files
\??\c:\users\public\output.txt
| Hash | Value |
|---|---|
| MD5 | 89fc5ce67cf242cc5b83d8faa7b5e51d |
| SHA1 | 8e895df0b516a0c62b95f54643c90e67395f63ae |
| SHA256 | 55fbd2380d89035f0ac744c832ba6f27e3430ae877c3b013cfb8b3577e2a4ad6 |
| SHA512 | 4aac5fdc2f1e374f2ead608856b087156dda368e0fba523ea1693e6dc1a9332db46bca2c78b2c70bbb8bf5840e353728c991519deebaa4a45bcc4b8eb3dcd91e |
\??\c:\users\public\output2.txt
| Hash | Value |
|---|---|
| MD5 | e167b519cf6baad2089f2bec22012ead |
| SHA1 | ba000e9403ce92eab037edca6f92eaf6cbbcb8f5 |
| SHA256 | 8152566ab0b74913edaf3cfdc1d5f44d157d6b35545a782c2f5dcf40dc0c5cbe |
| SHA512 | 56838ee5dc29457efce3e8923290fbcb82d669844d2453d4ed8bf6688ceaa723c4050c83026f0572c568651e91a41a0bab6ae6c58b8be5821452fa8161d65a8d |
C:\Users\Public\output2.txt
| Hash | Value |
|---|---|
| MD5 | e167b519cf6baad2089f2bec22012ead |
| SHA1 | ba000e9403ce92eab037edca6f92eaf6cbbcb8f5 |
| SHA256 | 8152566ab0b74913edaf3cfdc1d5f44d157d6b35545a782c2f5dcf40dc0c5cbe |
| SHA512 | 56838ee5dc29457efce3e8923290fbcb82d669844d2453d4ed8bf6688ceaa723c4050c83026f0572c568651e91a41a0bab6ae6c58b8be5821452fa8161d65a8d |
memory/1160-138-0x0000000010000000-0x0000000010023000-memory.dmp
memory/1160-143-0x0000000010000000-0x0000000010023000-memory.dmp
memory/1160-144-0x00000000011F0000-0x00000000011F3000-memory.dmp
memory/1160-145-0x0000000010000000-0x0000000010023000-memory.dmp
memory/1160-146-0x000000006D700000-0x000000006D7D1000-memory.dmp
memory/1900-148-0x0000000000120000-0x0000000000143000-memory.dmp
memory/1900-149-0x0000000000120000-0x0000000000143000-memory.dmp
memory/1900-150-0x0000000000120000-0x0000000000143000-memory.dmp
memory/1900-151-0x0000000000120000-0x0000000000143000-memory.dmp
memory/1900-152-0x0000000000120000-0x0000000000143000-memory.dmp
memory/1900-154-0x0000000000120000-0x0000000000143000-memory.dmp
memory/1900-156-0x0000000000120000-0x0000000000143000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2023-02-24 01:49
Reported
2023-02-24 01:51
Platform
win7-20230220-en
Max time kernel
30s
Max time network
33s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1644 wrote to memory of 1588 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1644 wrote to memory of 1588 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1644 wrote to memory of 1588 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\vibrations\disharmony.cmd"
C:\Windows\system32\rundll32.exe
rundll32 c:\users\public\output2.txt,N115
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2023-02-24 01:49
Reported
2023-02-24 01:51
Platform
win10v2004-20230221-en
Max time kernel
110s
Max time network
113s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 440 wrote to memory of 1456 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 440 wrote to memory of 1456 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\vibrations\disharmony.cmd"
C:\Windows\system32\rundll32.exe
rundll32 c:\users\public\output2.txt,N115
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 20.44.10.123:443 | | tcp |
| US | 8.8.8.8:53 | 0.77.109.52.in-addr.arpa | udp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |