Analysis

  • max time kernel
    210s
  • max time network
    186s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    28/02/2023, 15:44

General

  • Target

    REF#7439_Sep_28.html

  • Size

    819KB

  • MD5

    e17fe46a10a26ec144d06185d46c3188

  • SHA1

    38dd32704a57dd5409cfb8183a74dbef4425d73b

  • SHA256

    fca2203c07c3494a80e178b6682823eec353973fd5cad55b89329861b47232ba

  • SHA512

    0b5c1711f108181e1abd23d365f92262afdbdd7989364fd45dd2a04e87c8c03b86ac126691719b41b3c3f572a1d36305c25659370cb382a0447e8d3ae1f48c97

  • SSDEEP

    12288:lTcd5hCllTQuusltxKbWulX91uBl5shWYo2kKyVoMp5bFJ2R+11:loCll0nWMWud9g7SNWpxFU8T

Malware Config

Extracted

Family

qakbot

Version

403.895

Botnet

obama207

Campaign

1664363417

C2

Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Enumerates connected drives (3 TTPs, 2 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) (3 TTPs, 64 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies data under HKEY_USERS (4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (6 IoCs)
  • Suspicious behavior: MapViewOfSection (1 IoC)
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (33 IoCs)
  • Suspicious use of SendNotifyMessage (24 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" C:\Users\Admin\AppData\Local\Temp\REF#7439_Sep_28.html
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1396
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffc54139758,0x7ffc54139768,0x7ffc54139778
        2⤵
        PID:2176
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1784 --field-trial-handle=1652,i,15937651080044177257,14388086155245186264,131072 /prefetch:8
        2⤵
        PID:3880
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1556 --field-trial-handle=1652,i,15937651080044177257,14388086155245186264,131072 /prefetch:2
        2⤵
        PID:3628
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2092 --field-trial-handle=1652,i,15937651080044177257,14388086155245186264,131072 /prefetch:8
        2⤵
        PID:4656
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2960 --field-trial-handle=1652,i,15937651080044177257,14388086155245186264,131072 /prefetch:1
        2⤵
        PID:1388
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2980 --field-trial-handle=1652,i,15937651080044177257,14388086155245186264,131072 /prefetch:1
        2⤵
        PID:2328
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4408 --field-trial-handle=1652,i,15937651080044177257,14388086155245186264,131072 /prefetch:1
        2⤵
        PID:4684
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3480 --field-trial-handle=1652,i,15937651080044177257,14388086155245186264,131072 /prefetch:8
        2⤵
        PID:1844
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5032 --field-trial-handle=1652,i,15937651080044177257,14388086155245186264,131072 /prefetch:8
        2⤵
        PID:5024
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 --field-trial-handle=1652,i,15937651080044177257,14388086155245186264,131072 /prefetch:8
        2⤵
        PID:4908
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 --field-trial-handle=1652,i,15937651080044177257,14388086155245186264,131072 /prefetch:2
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3876
  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    1⤵
    PID:1164
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3188
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
    1⤵
    • Checks SCSI registry key(s)
    • Modifies data under HKEY_USERS
    PID:4128
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "E:\gaffes\curtailmentDespoiling.js"
    1⤵
    • Enumerates connected drives
    PID:3736
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""E:\gaffes\impassableRepairman.cmd" r32"
        2⤵
        • Enumerates connected drives
        PID:448
          • C:\Windows\system32\regsvr32.exe
            regsvr32 gaffes\decelerated.db
            3⤵
            PID:1472
              • C:\Windows\SysWOW64\regsvr32.exe
                gaffes\decelerated.db
                4⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                PID:4696
                  • C:\Windows\SysWOW64\wermgr.exe
                    C:\Windows\SysWOW64\wermgr.exe
                    5⤵
                    PID:4428

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 5KB
    MD5: 153bcc887e67568e870f2d2057708430
    SHA1: a729f6c3f212425520b8b2ee55743d4e4f07f0f5
    SHA256: ccd4bd641baf987e8ddfe8a117722f35f81c996a42ce9d5fd3ecfbac2f69ce26
    SHA512: 330c5299f9097cac523247d3604aebb52cc18ec46f20896f015cb2463904d3fb324351a3392e47845c16bcb593fa6fc5051352541fb5250122535a9a5375716f

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 5KB
    MD5: b1b7e5824865facdc0d232faa44d25e6
    SHA1: f900b8d26af288a47c2e66fc110ac72f430e9932
    SHA256: 8d6c51b262fe25a9f71af4553671d268299e2839abb1497bad2660213947088b
    SHA512: 0bdad5f161694e22fbe0402a588a1e7f041834fd888ca0ca4d02954e3dd821e95dcb6efaf4fac6dc29f376af75d104f0e6df4e6881aad9d3277a4551dfde0da0

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 5KB
    MD5: 86ff2ceed386e05f1dac2789bec86351
    SHA1: 688446dfd379a1788865fd98580f7b7fa6a4c1d5
    SHA256: 69227afeeaa4f94ca2722b4ad7c26b041d2a1ff03fa07f5eae820b7a8ca40ad0
    SHA512: d3e0c7c31f7eaee2fc5b377adac179bfec48f9c10e58e3dd2d34acb8547acfedd6f8e12b347df1627c0f12a77604e10bc99b7c653c66fcfbd86fb06d4efa9b81

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
    Filesize: 141KB
    MD5: b5820d68c4e84497dd99f8b1c5d441ca
    SHA1: 5928fc9dde9ca5e9ec57b7793fb510a5cb29d787
    SHA256: 9d0efaf1af42a78f6acb45399ce7a8f1e7c9781ffe00ad7fc554572ba6bf2210
    SHA512: 6a1572d658982d90366878f4be7ecb4753798847371d3a373eb0424f0ab04f6939736f3d8115416aaddc4a1aba8a446223807675ded6ddd1395f20e27ed98262

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
    Filesize: 2B
    MD5: 99914b932bd37a50b983c5e7c90ae93b
    SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
    SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
    SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

  • memory/3628-130-0x00007FFC5BC70000-0x00007FFC5BC71000-memory.dmp
    Filesize: 4KB

  • memory/4428-247-0x0000000002AB0000-0x0000000002AD2000-memory.dmp
    Filesize: 136KB

  • memory/4696-240-0x0000000002AA0000-0x0000000002AA1000-memory.dmp
    Filesize: 4KB

  • memory/4696-241-0x0000000004A90000-0x0000000004AB2000-memory.dmp
    Filesize: 136KB

  • memory/4696-242-0x0000000004A90000-0x0000000004AB2000-memory.dmp
    Filesize: 136KB

  • memory/4696-243-0x0000000004A40000-0x0000000004A82000-memory.dmp
    Filesize: 264KB

  • memory/4696-244-0x0000000004A90000-0x0000000004AB2000-memory.dmp
    Filesize: 136KB

  • memory/4696-245-0x0000000004A90000-0x0000000004AB2000-memory.dmp
    Filesize: 136KB

  • memory/4696-246-0x0000000000400000-0x00000000004B3000-memory.dmp
    Filesize: 716KB