Analysis Overview
SHA256
9e275afd96967eb2eecaf4c8f2d6c7889760700f49deb30e47b3e75b700ab1d5
Threat Level: Known bad
The file c28c3fa5c527dbfdaba97413a340537a.bin was found to be: Known bad.
Malicious Activity Summary
Qakbot/Qbot
Loads dropped DLL
Checks computer location settings
Program crash
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-24 01:55
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-24 01:54
Reported
2023-02-24 01:57
Platform
win7-20230220-en
Max time kernel
30s
Max time network
33s
Command Line
Signatures
Enumerates physical storage devices
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\RR.lnk
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /q /c vibrations\\curtness.cmd
C:\Users\Admin\AppData\Local\Temp\vibrations\unmeticulous.exe
vibrations\unmeticulous.exe -decode vibrations\thriftlessness.sql c:\users\public\output.txt
C:\Users\Admin\AppData\Local\Temp\vibrations\unmeticulous.exe
"C:\Users\Admin\AppData\Local\Temp\vibrations\unmeticulous.exe" -decode vibrations\thriftlessness.sql c:\users\public\output.txt
C:\Users\Admin\AppData\Local\Temp\vibrations\unmeticulous.exe
vibrations\unmeticulous.exe -decode c:\users\public\output.txt c:\users\public\output2.txt
C:\Users\Admin\AppData\Local\Temp\vibrations\unmeticulous.exe
"C:\Users\Admin\AppData\Local\Temp\vibrations\unmeticulous.exe" -decode c:\users\public\output.txt c:\users\public\output2.txt
C:\Windows\SysWOW64\rundll32.exe
rundll32 c:\users\public\output2.txt,N115
Network
Files
memory/832-125-0x0000000002460000-0x0000000002461000-memory.dmp
memory/832-161-0x0000000002460000-0x0000000002461000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-24 01:54
Reported
2023-02-24 01:57
Platform
win10v2004-20230220-en
Max time kernel
149s
Max time network
100s
Command Line
Signatures
Qakbot/Qbot
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\RR.lnk
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /q /c vibrations\\curtness.cmd
C:\Users\Admin\AppData\Local\Temp\vibrations\unmeticulous.exe
vibrations\unmeticulous.exe -decode vibrations\thriftlessness.sql c:\users\public\output.txt
C:\Users\Admin\AppData\Local\Temp\vibrations\unmeticulous.exe
vibrations\unmeticulous.exe -decode c:\users\public\output.txt c:\users\public\output2.txt
C:\Windows\SysWOW64\rundll32.exe
rundll32 c:\users\public\output2.txt,N115
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3972 -ip 3972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 544
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp |
| JP | 13.78.111.198:443 | tcp | |
| US | 8.8.8.8:53 | 0.77.109.52.in-addr.arpa | udp |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| NL | 173.223.113.164:443 | tcp |
Files
\??\c:\users\public\output.txt
| MD5 | a1e20cd6b72079c2ed16419518c7cd62 |
| SHA1 | 660f1c063b62871a6dc8fcfa2df26ae3773634d7 |
| SHA256 | e83a4d87c62b7eb48921c18c034c4d75e2c1f060a155dc08d9b0b1de578a6010 |
| SHA512 | 2021d6114a4a011e3aa9ae44ffdbdcd447fe9029a90345635c12bf9391c0072c876556efcf3df51d771a2a9935ab26de43c058fc6d4e358bca2d1ee97d7dc489 |
\??\c:\users\public\output2.txt
| MD5 | c45edab97e4d8530994f4348836b6908 |
| SHA1 | 6814a0c947524f1997970e496eac380f5e4b2b55 |
| SHA256 | e9f82251f1a1408f9bfe31f60c6d67d8df0cc08f35dd010d63e7a996813c68e4 |
| SHA512 | ba2395e85363ea878758e96a47362e7132bc447ca325863f35a99aeba327e4cc0b3180b5e768a79da91c4278a6ff344c58040023f2eb6087e2bbc4f6c7473330 |
C:\Users\Public\output2.txt
| MD5 | c45edab97e4d8530994f4348836b6908 |
| SHA1 | 6814a0c947524f1997970e496eac380f5e4b2b55 |
| SHA256 | e9f82251f1a1408f9bfe31f60c6d67d8df0cc08f35dd010d63e7a996813c68e4 |
| SHA512 | ba2395e85363ea878758e96a47362e7132bc447ca325863f35a99aeba327e4cc0b3180b5e768a79da91c4278a6ff344c58040023f2eb6087e2bbc4f6c7473330 |
memory/3972-138-0x0000000010000000-0x0000000010023000-memory.dmp
memory/3972-143-0x0000000010000000-0x0000000010023000-memory.dmp
memory/3972-144-0x0000000000E20000-0x0000000000E23000-memory.dmp
memory/3972-145-0x0000000010000000-0x0000000010023000-memory.dmp
memory/3972-146-0x000000006D700000-0x000000006D7D1000-memory.dmp
memory/4360-148-0x0000000000800000-0x0000000000823000-memory.dmp
memory/4360-149-0x0000000000800000-0x0000000000823000-memory.dmp
memory/4360-150-0x0000000000800000-0x0000000000823000-memory.dmp
memory/4360-151-0x0000000000800000-0x0000000000823000-memory.dmp
memory/4360-152-0x0000000000800000-0x0000000000823000-memory.dmp
memory/4360-153-0x0000000000800000-0x0000000000823000-memory.dmp
memory/4360-154-0x0000000000800000-0x0000000000823000-memory.dmp
memory/4360-156-0x0000000000800000-0x0000000000823000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2023-02-24 01:54
Reported
2023-02-24 01:57
Platform
win7-20230220-en
Max time kernel
30s
Max time network
33s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1212 wrote to memory of 924 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1212 wrote to memory of 924 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1212 wrote to memory of 924 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\vibrations\curtness.cmd"
C:\Windows\system32\rundll32.exe
rundll32 c:\users\public\output2.txt,N115
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2023-02-24 01:54
Reported
2023-02-24 01:57
Platform
win10v2004-20230220-en
Max time kernel
82s
Max time network
145s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1232 wrote to memory of 4704 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1232 wrote to memory of 4704 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\vibrations\curtness.cmd"
C:\Windows\system32\rundll32.exe
rundll32 c:\users\public\output2.txt,N115
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.97.242.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.18.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| FR | 51.11.192.49:443 | tcp | |
| US | 117.18.232.240:80 | tcp | |
| US | 8.8.8.8:53 | 0.77.109.52.in-addr.arpa | udp |
| US | 117.18.232.240:80 | tcp | |
| US | 117.18.232.240:80 | tcp | |
| US | 117.18.232.240:80 | tcp | |
| NL | 173.223.113.164:443 | tcp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2023-02-24 01:54
Reported
2023-02-24 01:55
Platform
win7-20230220-en
Max time kernel
0s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\vibrations\unmeticulous.exe
"C:\Users\Admin\AppData\Local\Temp\vibrations\unmeticulous.exe"
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2023-02-24 01:54
Reported
2023-02-24 01:57
Platform
win10v2004-20230220-en
Max time kernel
60s
Max time network
124s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\vibrations\unmeticulous.exe
"C:\Users\Admin\AppData\Local\Temp\vibrations\unmeticulous.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp |
| US | 20.189.173.5:443 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 8.8.8.8:53 | 45.8.109.52.in-addr.arpa | udp |
| NL | 8.238.177.126:80 | tcp |