Malware Analysis Report

2024-11-30 22:54

Sample ID 230521-hjns2abc3y
Target c7eb0facf612dbf76f5e3fe665fe0c4bfed48d94edc872952a065139720e3166.exe
SHA256 c7eb0facf612dbf76f5e3fe665fe0c4bfed48d94edc872952a065139720e3166
Tags qakbot aa 1651213605 banker evasion stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

c7eb0facf612dbf76f5e3fe665fe0c4bfed48d94edc872952a065139720e3166

Threat Level: Known bad

The file c7eb0facf612dbf76f5e3fe665fe0c4bfed48d94edc872952a065139720e3166.exe was found to be: Known bad.

Malicious Activity Summary

qakbot aa 1651213605 banker evasion stealer trojan

Windows security bypass

Qakbot/Qbot

Loads dropped DLL

Program crash

Unsigned PE

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-21 06:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-21 06:46

Reported

2023-05-21 06:49

Platform

win7-20230220-en

Max time kernel

150s

Max time network

34s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c7eb0facf612dbf76f5e3fe665fe0c4bfed48d94edc872952a065139720e3166.dll,#1

Signatures

Qakbot/Qbot

trojan banker stealer qakbot

Windows security bypass

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Unposfyg = "0" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Oyvecpjgm = "0" C:\Windows\system32\reg.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Esguqpltrme C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Esguqpltrme\b857f64f = 192096032c70d5de13a78fd30d998bbfe03a70734e3741283c2201a0830e96c3346ce7a4a5fcb18063427b736cb1a844170aad8d67e8a1f0e17faa52c47d217a470b50def34e2338be1d7a23088c5ad9846a982824fb6a5f8db4269d0faebf6403b571aa39287fb1d8ab69b12a6a C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Esguqpltrme\ba16d633 = 93ba06443a51e10813ac4872f8b59d328780ae81c5d7a9f66ecebc2a7315 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Esguqpltrme\7fa2fedc = 5ff6e3ed297635111e562d441970849c058d671fd3c5f465ad7a0318b233c606af1a851303aa7f7d7a4b7710ee205ef03166caa83e371b92cd9414b418ca1c42cfbf2cb9c5f2d12b80c2c2a1d275ed9e3fd4eab31473adb7027fe96dd3d53427284c1c77a37d173073e0327b5260d0 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Esguqpltrme\c71e99b9 = 2fb25fa888cd299bef54417ea2f683d4cf243c91 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Esguqpltrme\8dc82601 = f0ff3e930f50c5b4778b60f729cda7496fed74f0685392e9a8eebca2e567205e46a14f935383c62ed8fd1a9e2574464c18789dd612e28398a9a7faea229b19bc7814d48353a1c9ff6ba976f211eb21cc6799a53e6ea523c3b184ced76915bf7036916c875b9e7b79fc3c C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Esguqpltrme\2aab156 = e9532de64fcee3c6d0500a90b4799d093a3dec627d7e20d6f3b4f9 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Esguqpltrme\eb912a = 6ea8084f2ddc9799df9866947cd2bdc4b9884499569fb2e739dfc6e86c354fe9cd2c115130e77b277406fa87d8c941e4937044ec33c7b6434958c8de40204664aaaca4aeb2 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Esguqpltrme\f28149f7 = c548a20209dd20726eec6b51044478128a47262b1d664091fa5e C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Esguqpltrme\8dc82601 = f0ff29930f50f0e060832ab34aeb2b6a8cfa466b5501c4931cbc262eca2e30822695f89766181f998f652b789d094a4ca156e306b1b6902449074c8c416af7979335731e3bb98c63b852c4711875ccd11733bdcb80cbae449065996f646358675c991a5dea630c1e67c3e3d2c56cf663de7a767c5ddb453f0398f234cb2434 C:\Windows\SysWOW64\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 528 wrote to memory of 1508 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 528 wrote to memory of 1508 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 528 wrote to memory of 1508 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 528 wrote to memory of 1508 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 528 wrote to memory of 1508 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 528 wrote to memory of 1508 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 528 wrote to memory of 1508 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1508 wrote to memory of 560 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\explorer.exe
PID 1508 wrote to memory of 560 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\explorer.exe
PID 1508 wrote to memory of 560 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\explorer.exe
PID 1508 wrote to memory of 560 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\explorer.exe
PID 1508 wrote to memory of 560 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\explorer.exe
PID 1508 wrote to memory of 560 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\explorer.exe
PID 560 wrote to memory of 580 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\schtasks.exe
PID 560 wrote to memory of 580 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\schtasks.exe
PID 560 wrote to memory of 580 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\schtasks.exe
PID 560 wrote to memory of 580 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\schtasks.exe
PID 108 wrote to memory of 576 N/A C:\Windows\system32\taskeng.exe C:\Windows\system32\regsvr32.exe
PID 108 wrote to memory of 576 N/A C:\Windows\system32\taskeng.exe C:\Windows\system32\regsvr32.exe
PID 108 wrote to memory of 576 N/A C:\Windows\system32\taskeng.exe C:\Windows\system32\regsvr32.exe
PID 108 wrote to memory of 576 N/A C:\Windows\system32\taskeng.exe C:\Windows\system32\regsvr32.exe
PID 108 wrote to memory of 576 N/A C:\Windows\system32\taskeng.exe C:\Windows\system32\regsvr32.exe
PID 576 wrote to memory of 1892 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 576 wrote to memory of 1892 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 576 wrote to memory of 1892 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 576 wrote to memory of 1892 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 576 wrote to memory of 1892 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 576 wrote to memory of 1892 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 576 wrote to memory of 1892 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1892 wrote to memory of 1940 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 1892 wrote to memory of 1940 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 1892 wrote to memory of 1940 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 1892 wrote to memory of 1940 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 1892 wrote to memory of 1940 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 1892 wrote to memory of 1940 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 1940 wrote to memory of 844 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe
PID 1940 wrote to memory of 844 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe
PID 1940 wrote to memory of 844 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe
PID 1940 wrote to memory of 844 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe
PID 1940 wrote to memory of 928 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe
PID 1940 wrote to memory of 928 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe
PID 1940 wrote to memory of 928 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe
PID 1940 wrote to memory of 928 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c7eb0facf612dbf76f5e3fe665fe0c4bfed48d94edc872952a065139720e3166.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c7eb0facf612dbf76f5e3fe665fe0c4bfed48d94edc872952a065139720e3166.dll,#1

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn owuecfzhc /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\c7eb0facf612dbf76f5e3fe665fe0c4bfed48d94edc872952a065139720e3166.dll\"" /SC ONCE /Z /ST 08:48 /ET 09:00

C:\Windows\system32\taskeng.exe

taskeng.exe {58803928-68FA-43D3-97A7-651191E75FD6} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\system32\regsvr32.exe

regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\c7eb0facf612dbf76f5e3fe665fe0c4bfed48d94edc872952a065139720e3166.dll"

C:\Windows\SysWOW64\regsvr32.exe

-s "C:\Users\Admin\AppData\Local\Temp\c7eb0facf612dbf76f5e3fe665fe0c4bfed48d94edc872952a065139720e3166.dll"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Unposfyg" /d "0"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Oyvecpjgm" /d "0"

Network

N/A

Files

memory/1508-54-0x0000000000980000-0x0000000000A9D000-memory.dmp

memory/1508-55-0x0000000002140000-0x00000000021CF000-memory.dmp

memory/1508-57-0x0000000002140000-0x00000000021CF000-memory.dmp

memory/1508-56-0x0000000002140000-0x00000000021CF000-memory.dmp

memory/1508-59-0x0000000002140000-0x00000000021CF000-memory.dmp

memory/1508-58-0x0000000002140000-0x00000000021CF000-memory.dmp

memory/1508-60-0x00000000000C0000-0x00000000000C1000-memory.dmp

memory/1508-61-0x0000000000310000-0x000000000039A000-memory.dmp

memory/1508-62-0x0000000002140000-0x00000000021CF000-memory.dmp

memory/1508-63-0x0000000000980000-0x0000000000A9D000-memory.dmp

memory/560-64-0x0000000000110000-0x0000000000112000-memory.dmp

memory/1508-65-0x0000000002140000-0x00000000021CF000-memory.dmp

memory/560-68-0x0000000000080000-0x000000000010F000-memory.dmp

memory/560-70-0x0000000000080000-0x000000000010F000-memory.dmp

memory/560-71-0x0000000000080000-0x000000000010F000-memory.dmp

memory/560-72-0x0000000000080000-0x000000000010F000-memory.dmp

memory/560-73-0x0000000000080000-0x000000000010F000-memory.dmp

memory/560-75-0x0000000000080000-0x000000000010F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c7eb0facf612dbf76f5e3fe665fe0c4bfed48d94edc872952a065139720e3166.dll

MD5 8f24a209d47eae18b6f6b5b3b5806982
SHA1 c9dfcb0ea4efd3920c8f89d9ba0ad6ce0df3dbd6
SHA256 c7eb0facf612dbf76f5e3fe665fe0c4bfed48d94edc872952a065139720e3166
SHA512 49d9adb4ad98e4dadaf092df7921c3b08cb93965ba9d486e7767a81689d501deb9cc187f5fff61beed29dd35daf9e94bfa7439e84dc28766f80acddeb807cc39

\Users\Admin\AppData\Local\Temp\c7eb0facf612dbf76f5e3fe665fe0c4bfed48d94edc872952a065139720e3166.dll

MD5 8f24a209d47eae18b6f6b5b3b5806982
SHA1 c9dfcb0ea4efd3920c8f89d9ba0ad6ce0df3dbd6
SHA256 c7eb0facf612dbf76f5e3fe665fe0c4bfed48d94edc872952a065139720e3166
SHA512 49d9adb4ad98e4dadaf092df7921c3b08cb93965ba9d486e7767a81689d501deb9cc187f5fff61beed29dd35daf9e94bfa7439e84dc28766f80acddeb807cc39

memory/1892-80-0x0000000000AC0000-0x0000000000BDD000-memory.dmp

memory/1892-81-0x0000000000180000-0x0000000000181000-memory.dmp

memory/1892-82-0x00000000010D0000-0x000000000115F000-memory.dmp

memory/1892-83-0x00000000010D0000-0x000000000115F000-memory.dmp

memory/1892-84-0x00000000010D0000-0x000000000115F000-memory.dmp

memory/1892-85-0x00000000010D0000-0x000000000115F000-memory.dmp

memory/1892-86-0x00000000010D0000-0x000000000115F000-memory.dmp

memory/1892-87-0x0000000000AC0000-0x0000000000BDD000-memory.dmp

memory/1892-88-0x0000000000FB0000-0x000000000103A000-memory.dmp

memory/1892-89-0x00000000010D0000-0x000000000115F000-memory.dmp

memory/1892-92-0x00000000010D0000-0x000000000115F000-memory.dmp

memory/1940-93-0x0000000000080000-0x000000000010F000-memory.dmp

memory/1940-96-0x0000000000080000-0x000000000010F000-memory.dmp

memory/1940-97-0x0000000000080000-0x000000000010F000-memory.dmp

memory/1940-98-0x0000000000080000-0x000000000010F000-memory.dmp

memory/1940-99-0x0000000000080000-0x000000000010F000-memory.dmp

memory/1940-101-0x0000000000080000-0x000000000010F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-21 06:46

Reported

2023-05-21 06:48

Platform

win10v2004-20230220-en

Max time kernel

139s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c7eb0facf612dbf76f5e3fe665fe0c4bfed48d94edc872952a065139720e3166.dll,#1

Signatures

Qakbot/Qbot

trojan banker stealer qakbot

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4052 wrote to memory of 1696 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4052 wrote to memory of 1696 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4052 wrote to memory of 1696 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c7eb0facf612dbf76f5e3fe665fe0c4bfed48d94edc872952a065139720e3166.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c7eb0facf612dbf76f5e3fe665fe0c4bfed48d94edc872952a065139720e3166.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1696 -ip 1696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 696

Network

Country Destination Domain Proto
US 117.18.237.29:80 N/A tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 52.242.101.226:443 N/A tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 52.242.101.226:443 N/A tcp
US 52.242.101.226:443 N/A tcp
US 13.89.178.26:443 N/A tcp
NL 95.101.78.106:80 N/A tcp
US 52.242.101.226:443 N/A tcp
US 52.242.101.226:443 N/A tcp
US 8.8.8.8:53 45.8.109.52.in-addr.arpa udp
US 209.197.3.8:80 N/A tcp
NL 173.223.113.164:443 N/A tcp
US 204.79.197.203:80 N/A tcp
US 52.242.101.226:443 N/A tcp
US 52.242.101.226:443 N/A tcp
US 52.242.101.226:443 N/A tcp
US 52.242.101.226:443 N/A tcp
US 52.242.101.226:443 N/A tcp
US 52.242.101.226:443 N/A tcp
US 52.242.101.226:443 N/A tcp
US 52.242.101.226:443 N/A tcp

Files

memory/1696-133-0x0000000000B60000-0x0000000000B61000-memory.dmp

memory/1696-134-0x0000000002EA0000-0x0000000002F2F000-memory.dmp

memory/1696-135-0x0000000002EA0000-0x0000000002F2F000-memory.dmp

memory/1696-136-0x0000000002EA0000-0x0000000002F2F000-memory.dmp

memory/1696-137-0x0000000002D80000-0x0000000002E0A000-memory.dmp

memory/1696-138-0x0000000002EA0000-0x0000000002F2F000-memory.dmp

memory/1696-140-0x0000000000400000-0x000000000051D000-memory.dmp