Analysis

  • max time kernel: 150s
  • max time network: 68s
  • platform: windows10-2004_x64
  • resource: win10v2004-20230220-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 24/02/2023, 02:00

General

  • Target: RR.lnk
  • Size: 1KB
  • MD5: 02ffb37fb80d62bccbe6013ff3d4d2f0
  • SHA1: 8f06f89e0fa1ef30b3be0637c3f9a009f8492854
  • SHA256: acbfe9386d83f7db8529f9a5d10a0add6a26b1ee6a855210a4f4100f94dea21c
  • SHA512: 0f4883a7d35e3cee520ba8c3b78c6cf9d339cd273172f999a9d6cd4149120aca330c01c078653af99a171f7a49ddd0d61ffe2af3aab9a66421d814c923b9149e

Malware Config

Extracted

Family: qakbot
Version: 404.9
Botnet: BB16
Campaign: 1677046917

C2

Attributes
  • salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Checks computer location settings (2 TTPs, 1 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL (1 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash (1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: MapViewOfSection (1 IoCs)
  • Suspicious use of WriteProcessMemory (15 IoCs)

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\RR.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1800
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\SysWOW64\cmd.exe" /q /c vibrations\\polaroid.cmd
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:64
      • C:\Users\Admin\AppData\Local\Temp\vibrations\airtightness.exe
        vibrations\airtightness.exe -decode vibrations\croaks.sql c:\users\public\output.txt
        3⤵
        PID:3008
      • C:\Users\Admin\AppData\Local\Temp\vibrations\airtightness.exe
        vibrations\airtightness.exe -decode c:\users\public\output.txt c:\users\public\output2.txt
        3⤵
        PID:1764
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32 c:\users\public\output2.txt,N115
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1160
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 556
          4⤵
          • Program crash
          PID:4716
        • C:\Windows\SysWOW64\wermgr.exe
          C:\Windows\SysWOW64\wermgr.exe
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4612
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1160 -ip 1160
    1⤵
    PID:3348

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Public\output2.txt
    Filesize: 904KB
    MD5: a6baa56cc1fb0fb73ad86142aa7b55d9
    SHA1: 8651cf4de25617b9727afd4004fe70e516f05c6f
    SHA256: 860f6be05c43522e405e9bfd862ee9a02c16c406ee87d8da662764d0cb3c39cd
    SHA512: cbbb171a14fb0376924302cc160a8130b82403cd9644af424baf96617774f463813ae90cf8c7a676cebfffd5c2441ef283f2ddb890cc051fed283059a61e43e3

  • \??\c:\users\public\output.txt
    Filesize: 1.2MB
    MD5: 22cfe9eedc2e6c8ff516656b6242ac41
    SHA1: f59c6a1431ad36bb9035dc8043ca2aa7f151607d
    SHA256: ffc649866a338db3fd611a8ad361674ce83d20dfaf547f76fdd37c0442c287c4
    SHA512: 1c02a208d0ff6142247ef9eb2ffbf73ea06b0f3c06903462c46b55c0cd3420b9c471d6f29aa6bdd844b32c489828bdb6c4455fc1fff838cf2c4fc3d923eb2b03

  • \??\c:\users\public\output2.txt
    Filesize: 904KB
    MD5: a6baa56cc1fb0fb73ad86142aa7b55d9
    SHA1: 8651cf4de25617b9727afd4004fe70e516f05c6f
    SHA256: 860f6be05c43522e405e9bfd862ee9a02c16c406ee87d8da662764d0cb3c39cd
    SHA512: cbbb171a14fb0376924302cc160a8130b82403cd9644af424baf96617774f463813ae90cf8c7a676cebfffd5c2441ef283f2ddb890cc051fed283059a61e43e3

  • memory/1160-138-0x0000000010000000-0x0000000010023000-memory.dmp
    Filesize: 140KB

  • memory/1160-143-0x0000000010000000-0x0000000010023000-memory.dmp
    Filesize: 140KB

  • memory/1160-144-0x0000000000550000-0x0000000000553000-memory.dmp
    Filesize: 12KB

  • memory/1160-145-0x0000000010000000-0x0000000010023000-memory.dmp
    Filesize: 140KB

  • memory/1160-146-0x000000006D700000-0x000000006D7D1000-memory.dmp
    Filesize: 836KB

  • memory/4612-148-0x0000000000BB0000-0x0000000000BD3000-memory.dmp
    Filesize: 140KB

  • memory/4612-149-0x0000000000BB0000-0x0000000000BD3000-memory.dmp
    Filesize: 140KB

  • memory/4612-150-0x0000000000BB0000-0x0000000000BD3000-memory.dmp
    Filesize: 140KB

  • memory/4612-151-0x0000000000BB0000-0x0000000000BD3000-memory.dmp
    Filesize: 140KB

  • memory/4612-152-0x0000000000BB0000-0x0000000000BD3000-memory.dmp
    Filesize: 140KB

  • memory/4612-154-0x0000000000BB0000-0x0000000000BD3000-memory.dmp
    Filesize: 140KB

  • memory/4612-155-0x0000000000BB0000-0x0000000000BD3000-memory.dmp
    Filesize: 140KB

  • memory/4612-157-0x0000000000BB0000-0x0000000000BD3000-memory.dmp
    Filesize: 140KB