Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-06-2023 10:01

General

  • Target

    ProjectFunding_406103_Jun01.js

  • Size

    1KB

  • MD5

    466f176d7c53eb5d67bbd974bedc4acf

  • SHA1

    b4ac021b9170a2a63d0e392bc9d25849195f5848

  • SHA256

    12035df7d8c57f2cf204d6c0748dfee8d4a5c82c621c384e72df73bf822e3e11

  • SHA512

    ff4ca4579dd6acc93676022bfdcc5edd4fa360bd3fd62f78fc3897d8a1ea0d951e3bd3e9d77e092b84b78d338b9a61c73cf2e1146fd2428b57829926d31424df

Malware Config

Extracted

Family

qakbot

Version

404.1346

Botnet

obama266

Campaign

1685611378

C2

24.234.220.88:990

70.28.50.223:2078

96.56.197.26:2083

103.123.223.133:443

83.249.198.100:2222

199.27.66.213:443

90.104.151.37:2222

94.204.202.106:443

72.205.104.134:443

65.95.141.84:2222

82.131.141.209:443

77.126.99.230:443

71.38.155.217:443

205.237.67.69:995

84.215.202.8:443

24.234.220.88:465

76.178.148.107:2222

116.74.163.130:443

70.28.50.223:2087

147.147.30.126:2222

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Blocklisted process makes network request 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 6 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\ProjectFunding_406103_Jun01.js
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:5072
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2488
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:2168
      • C:\Windows\system32\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2512
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
          3⤵
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3832
          • C:\Windows\SysWOW64\wermgr.exe
            C:\Windows\SysWOW64\wermgr.exe
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:2940
      • C:\Windows\system32\wscript.exe
        wscript.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs
        2⤵
          PID:2884
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Checks SCSI registry key(s)
        PID:4000

      Network

      MITRE ATT&CK Enterprise v6

      Downloads

      • C:\Config.Msi\e578d1e.rbs

        Filesize

        9KB

        MD5

        9b32faba324626d5ff9489215f17e700

        SHA1

        59693ce94811fc663a0c69d01b6aa61e44231160

        SHA256

        04259a03359a6726f8ec98f8e93bf72a0296a4047bac2755725cbbc4a25f4b13

        SHA512

        d2d63380590ac30492fb4bfcf7cfddfc3f4a3c04a2436f19fe05c26ae20c6d2190399cb109352a8f9299e7c378db75c8f8bada1b7940cb5a0376a143b92a1a2b

      • C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll

        Filesize

        752KB

        MD5

        5aff39cf05365b14a2d97a5dc187f307

        SHA1

        ba6e300d41333bbf638b6abaf8c1b505f0703237

        SHA256

        eed89bcfe938e41f982166cd9afba140dca256b4d4820f08c2e05bfc4570170a

        SHA512

        e3df408f7492ac156dc33b73642e680cc426a67b239ca6007048df26e862441ac3d88b21bfe2f996b86c9b25a6faf50a2befa88a42c3d33de84f6e327dffccdc

      • C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs

        Filesize

        132B

        MD5

        0d4c9f15ce74465c59ae36a27f98c817

        SHA1

        9cce8eefa4d3d9c5e161c5dbb860cfe1489c6b1a

        SHA256

        d24e3399060b51f3a1c9d41a67de2601888a35c99da8db70070d757bb3f1913a

        SHA512

        9bed0eafc2cf2a2360850ca1070ffb04ac14f04c78379485998a93f45012b5c11cc7f6f68129f65b8b5f90437cb965908c6a1bb9d83a56b068d6bde1d5fdad1f

      • C:\Windows\Installer\MSI13A7.tmp

        Filesize

        404KB

        MD5

        91b232c9a333ba61544a4232c96ab427

        SHA1

        93fcd78bc68207d37c97a6ecb424d11197276b4b

        SHA256

        551b9f802218a50dbe8279137959c43e37f8e57315e768b50dcaefebc62632c0

        SHA512

        c1d2568e7353f50724abe523fffb6ffc2181dd1920d6870f800619b07d902214d7b5ccc881f4f328f2e244661c1ba8c041510a82f6dbf2c996c20fbfc3ba6150

      • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

        Filesize

        23.0MB

        MD5

        cc58c5430dcfd3c311cc51d5c5ddd74b

        SHA1

        84e0271af80d86669c9eda1111e482b2a45a5f98

        SHA256

        b37c9f00b5fd3c92673b8b5211c152dd72cdda5d646ebc770df98fe40bac9eee

        SHA512

        a9b8100dbd845bd70722201490615515755ff48d0e6f01ebc87d7d573e066cf80704958db05650449d2fcf42a12b2f8c5871b53354a280b8ade622db80562cb2

      • \??\Volume{93c6d6f9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{bb5d2234-0341-4dad-95a7-2f3b901f3682}_OnDiskSnapshotProp

        Filesize

        5KB

        MD5

        35e9a6be99afba0c305dce133529bf73

        SHA1

        aab519bdf9b293e854964b480bc52f0a12d8c95a

        SHA256

        6a5cd085975f1bf3867ad4bb27b5c53e105a7201cc41dbe577f3d6f3c95cb472

        SHA512

        1b0d594996ba077790abfea29387aa20008d926b4bd5b08a6e40a693bc2f44abb35ce45881f95ba930973ee4fca33592863a863f03f129fdfa4a92861d38a2a9

      • memory/2940-172-0x0000000000960000-0x0000000000984000-memory.dmp

        Filesize

        144KB

      • memory/2940-171-0x0000000000990000-0x0000000000992000-memory.dmp

        Filesize

        8KB

      • memory/2940-178-0x0000000000960000-0x0000000000984000-memory.dmp

        Filesize

        144KB

      • memory/2940-179-0x0000000000960000-0x0000000000984000-memory.dmp

        Filesize

        144KB

      • memory/2940-180-0x0000000000960000-0x0000000000984000-memory.dmp

        Filesize

        144KB

      • memory/2940-181-0x0000000000960000-0x0000000000984000-memory.dmp

        Filesize

        144KB

      • memory/2940-182-0x0000000000960000-0x0000000000984000-memory.dmp

        Filesize

        144KB

      • memory/3832-166-0x0000000000810000-0x0000000000834000-memory.dmp

        Filesize

        144KB

      • memory/3832-165-0x0000000000800000-0x0000000000803000-memory.dmp

        Filesize

        12KB