Malware Analysis Report

2024-11-30 22:50

Sample ID: 230510-wehywahf39
Target: Malware.zip
SHA256: 0d27af26366f183e53856cc8bb5ef9c30c45ea63e4dc28420b1305553a8ab87b
Tags: qakbot bb27 1683720157 banker stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 0d27af26366f183e53856cc8bb5ef9c30c45ea63e4dc28420b1305553a8ab87b

Threat Level: Known bad

The file Malware.zip was found to be: Known bad.

Malicious Activity Summary

qakbot bb27 1683720157 banker stealer trojan

Qakbot/Qbot

Unsigned PE

Gathers network information

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-05-10 17:49

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2023-05-10 17:49
Reported: 2023-05-10 18:00
Platform: win10-20230220-en
Max time kernel: 376s
Max time network: 440s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dropsically.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 1916 wrote to memory of 1396 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe | 3

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dropsically.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dropsically.dll,#1

Network

Country | Destination | Domain | Proto
US | 52.182.143.208:443 | | tcp
US | 8.8.8.8:53 | 44.8.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.178.89.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 254.1.248.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2023-05-10 17:49
Reported: 2023-05-10 18:00
Platform: win7-20230220-en
Max time kernel: 600s
Max time network: 600s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\RunDLL-1.bat"

Signatures

Qakbot/Qbot

trojan banker stealer qakbot

Gathers network information

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\ping.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A | 1
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A | 63

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A | 23
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A | 1
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A | 1
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A | 1

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 1932 wrote to memory of 1596 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe | 3
PID 1596 wrote to memory of 1236 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe | 7
PID 1236 wrote to memory of 1504 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\wermgr.exe | 6
PID 1504 wrote to memory of 980 | N/A | C:\Windows\SysWOW64\wermgr.exe | C:\Windows\SysWOW64\ping.exe | 4
PID 1504 wrote to memory of 2036 | N/A | C:\Windows\SysWOW64\wermgr.exe | C:\Windows\SysWOW64\ipconfig.exe | 4
PID 1504 wrote to memory of 900 | N/A | C:\Windows\SysWOW64\wermgr.exe | C:\Windows\SysWOW64\whoami.exe | 4

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\RunDLL-1.bat"

C:\Windows\system32\rundll32.exe

rundll32.exe Dropsically.Spinose print

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe Dropsically.Spinose print

C:\Windows\SysWOW64\wermgr.exe

C:\Windows\SysWOW64\wermgr.exe

C:\Windows\SysWOW64\ping.exe

ping -n 3 yahoo.com

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /all

C:\Windows\SysWOW64\whoami.exe

whoami /all

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | yahoo.com | udp
US | 8.8.8.8:53 | cisco.com | udp
US | 72.163.4.185:443 | cisco.com | tcp
US | 8.8.8.8:53 | www.cisco.com | udp
NL | 23.222.34.209:443 | www.cisco.com | tcp
US | 72.163.4.185:443 | cisco.com | tcp
NL | 23.222.34.209:443 | www.cisco.com | tcp
US | 72.163.4.185:443 | cisco.com | tcp
NL | 23.222.34.209:443 | www.cisco.com | tcp
US | 72.163.4.185:443 | cisco.com | tcp
NL | 23.222.34.209:443 | www.cisco.com | tcp
US | 8.8.8.8:53 | google.com | udp
NL | 142.250.179.142:443 | google.com | tcp
TN | 41.227.211.88:443 | | tcp
TN | 41.227.211.88:443 | | tcp
TN | 41.227.211.88:443 | | tcp
TN | 41.227.211.88:443 | | tcp
PT | 188.83.251.100:443 | 188.83.251.100 | tcp
US | 8.8.8.8:53 | www.microsoft.com | udp
US | 8.8.8.8:53 | crl.microsoft.com | udp
NL | 23.72.252.170:80 | crl.microsoft.com | tcp
NL | 173.223.113.131:80 | www.microsoft.com | tcp
US | 8.8.8.8:53 | csc3-2004-crl.verisign.com | udp
PT | 188.83.251.100:443 | 188.83.251.100 | tcp
PT | 188.83.251.100:443 | 188.83.251.100 | tcp
US | 8.8.8.8:53 | microsoft.com | udp
US | 20.81.111.85:443 | microsoft.com | tcp
US | 8.8.8.8:53 | www.microsoft.com | udp
NL | 173.223.113.131:443 | www.microsoft.com | tcp
US | 20.81.111.85:443 | microsoft.com | tcp
NL | 173.223.113.131:443 | www.microsoft.com | tcp
US | 20.81.111.85:443 | microsoft.com | tcp
NL | 173.223.113.131:443 | www.microsoft.com | tcp
US | 20.81.111.85:443 | microsoft.com | tcp
NL | 173.223.113.131:443 | www.microsoft.com | tcp
US | 8.8.8.8:53 | irs.gov | udp
US | 152.216.7.110:443 | irs.gov | tcp
US | 8.8.8.8:53 | www.irs.gov | udp
US | 104.77.224.126:443 | www.irs.gov | tcp
US | 152.216.7.110:443 | irs.gov | tcp
US | 104.77.224.126:443 | www.irs.gov | tcp
US | 152.216.7.110:443 | irs.gov | tcp
US | 104.77.224.126:443 | www.irs.gov | tcp
US | 152.216.7.110:443 | irs.gov | tcp
US | 104.77.224.126:443 | www.irs.gov | tcp
US | 8.8.8.8:53 | broadcom.com | udp
US | 52.13.171.212:443 | broadcom.com | tcp
US | 8.8.8.8:53 | www.broadcom.com | udp
US | 172.64.155.106:443 | www.broadcom.com | tcp
PT | 188.83.251.100:443 | 188.83.251.100 | tcp

Files

memory/1236-54-0x0000000000130000-0x0000000000133000-memory.dmp

memory/1236-55-0x0000000010000000-0x0000000010024000-memory.dmp

memory/1504-60-0x0000000000080000-0x0000000000082000-memory.dmp

memory/1504-61-0x00000000000E0000-0x0000000000104000-memory.dmp

memory/1504-62-0x00000000000E0000-0x0000000000104000-memory.dmp

memory/1504-63-0x00000000000E0000-0x0000000000104000-memory.dmp

memory/1504-64-0x00000000000E0000-0x0000000000104000-memory.dmp

memory/1504-65-0x00000000000E0000-0x0000000000104000-memory.dmp

memory/1504-66-0x00000000000E0000-0x0000000000104000-memory.dmp

memory/1504-67-0x00000000000E0000-0x0000000000104000-memory.dmp

memory/1504-69-0x00000000000E0000-0x0000000000104000-memory.dmp

memory/1504-72-0x00000000000E0000-0x0000000000104000-memory.dmp

memory/1504-73-0x00000000000E0000-0x0000000000104000-memory.dmp

memory/1504-75-0x00000000000E0000-0x0000000000104000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

C:\Users\Admin\AppData\Local\Temp\Tar3E40.tmp

MD5 4ff65ad929cd9a367680e0e5b1c08166
SHA1 c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256 c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512 f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

memory/1504-578-0x00000000000E0000-0x0000000000104000-memory.dmp

memory/1504-579-0x00000000000E0000-0x0000000000104000-memory.dmp

memory/1504-581-0x00000000000E0000-0x0000000000104000-memory.dmp

memory/1504-582-0x00000000000E0000-0x0000000000104000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 e21eed460985b69dae4c53ef60ced22c
SHA1 6119e6c4634ac155ce5e2f1844bc4adcf25cf442
SHA256 8e9d0a5cdbf6dbd65844587293b9ff7bb183a0a40742ff54ec135f7624cb232e
SHA512 12d8a73d4aa203001aa8fb4fa93c6dd150f8394b105a862cb5e608013d1e4459cee02f3850d82e63cf401e8e4f6dadd41563a7a8caec084676f2f44fa04f8933

memory/1504-661-0x00000000000E0000-0x0000000000104000-memory.dmp

memory/1504-662-0x00000000000E0000-0x0000000000104000-memory.dmp

memory/1504-663-0x00000000000E0000-0x0000000000104000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 081bf738abe7efb6687ff2a64fd44cc5
SHA1 9418a60156038f22c57734c5105fad3aa530e3fc
SHA256 69b53a80286ddc02c3ce2191abe63388de7732fc42886b03caa77bab17e62e65
SHA512 552dba8f8069274dae2cd6c6c2a6821ef7076c62d885bcdae6d91294211c6a07fd396a2599acb9bbd5e8c83a6acc23d465678218f3f27d37bc146b5b76ab6774

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

memory/1504-1741-0x00000000000E0000-0x0000000000104000-memory.dmp

memory/1504-1768-0x00000000000E0000-0x0000000000104000-memory.dmp

memory/1504-1769-0x00000000000E0000-0x0000000000104000-memory.dmp

memory/1504-1770-0x00000000000E0000-0x0000000000104000-memory.dmp

memory/1504-1771-0x00000000000E0000-0x0000000000104000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted: 2023-05-10 17:49
Reported: 2023-05-10 18:00
Platform: win10-20230220-en
Max time kernel: 603s
Max time network: 543s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RunDLL-1.bat"

Signatures

Qakbot/Qbot

trojan banker stealer qakbot

Gathers network information

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\ping.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A | 2
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A | 62

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A | 27
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A | 1

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 3648 wrote to memory of 2372 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe | 2
PID 2372 wrote to memory of 4252 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe | 3
PID 4252 wrote to memory of 4292 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\wermgr.exe | 5
PID 4292 wrote to memory of 4844 | N/A | C:\Windows\SysWOW64\wermgr.exe | C:\Windows\SysWOW64\ping.exe | 3
PID 4292 wrote to memory of 4548 | N/A | C:\Windows\SysWOW64\wermgr.exe | C:\Windows\SysWOW64\ipconfig.exe | 3
PID 4292 wrote to memory of 3560 | N/A | C:\Windows\SysWOW64\wermgr.exe | C:\Windows\SysWOW64\whoami.exe | 3

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RunDLL-1.bat"

C:\Windows\system32\rundll32.exe

rundll32.exe Dropsically.Spinose print

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe Dropsically.Spinose print

C:\Windows\SysWOW64\wermgr.exe

C:\Windows\SysWOW64\wermgr.exe

C:\Windows\SysWOW64\ping.exe

ping -n 3 yahoo.com

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /all

C:\Windows\SysWOW64\whoami.exe

whoami /all

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | yahoo.com | udp
US | 20.42.65.85:443 | | tcp
US | 8.8.8.8:53 | 233.141.123.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.197.77.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp
US | 8.8.8.8:53 | broadcom.com | udp
US | 50.112.202.115:443 | broadcom.com | tcp
US | 8.8.8.8:53 | www.broadcom.com | udp
US | 104.18.32.150:443 | www.broadcom.com | tcp
US | 8.8.8.8:53 | 115.202.112.50.in-addr.arpa | udp
US | 67.10.9.125:995 | 67.10.9.125 | tcp
US | 8.8.8.8:53 | 150.32.18.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 125.9.10.67.in-addr.arpa | udp
US | 8.8.8.8:53 | 121.252.72.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 90.38.199.152.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.19.199.152.in-addr.arpa | udp
US | 8.8.8.8:53 | evcs-ocsp.ws.symantec.com | udp
US | 152.199.38.90:80 | evcs-ocsp.ws.symantec.com | tcp
US | 67.10.9.125:995 | 67.10.9.125 | tcp
US | 8.8.8.8:53 | 254.1.248.8.in-addr.arpa | udp
US | 67.10.9.125:995 | 67.10.9.125 | tcp
US | 8.8.8.8:53 | google.com | udp
NL | 142.250.179.142:443 | google.com | tcp
US | 8.8.8.8:53 | 196.168.217.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 35.36.251.142.in-addr.arpa | udp
US | 67.10.9.125:995 | 67.10.9.125 | tcp

Files

memory/4252-119-0x0000000002A60000-0x0000000002A63000-memory.dmp

memory/4252-120-0x0000000010000000-0x0000000010024000-memory.dmp

memory/4292-125-0x0000000000710000-0x0000000000734000-memory.dmp

memory/4292-126-0x0000000000710000-0x0000000000734000-memory.dmp

memory/4292-127-0x0000000000710000-0x0000000000734000-memory.dmp

memory/4292-130-0x0000000000710000-0x0000000000734000-memory.dmp

memory/4292-131-0x0000000000710000-0x0000000000734000-memory.dmp

memory/4292-132-0x0000000000710000-0x0000000000734000-memory.dmp

memory/4292-133-0x0000000000710000-0x0000000000734000-memory.dmp

memory/4292-135-0x0000000000710000-0x0000000000734000-memory.dmp

memory/4292-137-0x0000000000710000-0x0000000000734000-memory.dmp

memory/4292-138-0x0000000000710000-0x0000000000734000-memory.dmp

memory/4292-140-0x0000000000710000-0x0000000000734000-memory.dmp

memory/4292-146-0x0000000000710000-0x0000000000734000-memory.dmp

memory/4292-153-0x0000000000710000-0x0000000000734000-memory.dmp

memory/4292-159-0x0000000000710000-0x0000000000734000-memory.dmp

memory/4292-160-0x0000000000710000-0x0000000000734000-memory.dmp

memory/4292-161-0x0000000000710000-0x0000000000734000-memory.dmp

memory/4292-176-0x0000000000710000-0x0000000000734000-memory.dmp

memory/4292-179-0x0000000000710000-0x0000000000734000-memory.dmp

memory/4292-180-0x0000000000710000-0x0000000000734000-memory.dmp

memory/4292-181-0x0000000000710000-0x0000000000734000-memory.dmp

memory/4292-182-0x0000000000710000-0x0000000000734000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2023-05-10 17:49
Reported: 2023-05-10 18:00
Platform: win7-20230220-en
Max time kernel: 403s
Max time network: 406s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dropsically.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 1580 wrote to memory of 1624 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe | 7

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dropsically.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dropsically.dll,#1

Network

N/A

Files

N/A