Analysis Overview
SHA256
01fc3fa3cdd3e0c8170ba73b754e4b285199c18a625ea8202d418147dc4d9e15
Threat Level: Known bad
The file Archive.zip was found to be: Known bad.
Malicious Activity Summary
Qakbot/Qbot
Unsigned PE
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-06-07 15:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-06-07 15:02
Reported
2023-06-07 15:05
Platform
win7-20230220-en
Max time kernel
151s
Max time network
33s
Command Line
Signatures
Qakbot/Qbot
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\qbot.bat"
C:\Windows\system32\rundll32.exe
rundll32.exe qbot.dll,menu
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe qbot.dll,menu
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
Network
Files
memory/1752-54-0x0000000000130000-0x0000000000133000-memory.dmp
memory/1752-55-0x00000000001E0000-0x0000000000204000-memory.dmp
memory/1740-60-0x00000000000F0000-0x00000000000F2000-memory.dmp
memory/1740-61-0x00000000000C0000-0x00000000000E4000-memory.dmp
memory/1740-67-0x00000000000C0000-0x00000000000E4000-memory.dmp
memory/1740-68-0x00000000000C0000-0x00000000000E4000-memory.dmp
memory/1740-69-0x00000000000C0000-0x00000000000E4000-memory.dmp
memory/1740-70-0x00000000000C0000-0x00000000000E4000-memory.dmp
memory/1740-71-0x00000000000C0000-0x00000000000E4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-06-07 15:02
Reported
2023-06-07 15:05
Platform
win10v2004-20230220-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
Qakbot/Qbot
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\qbot.bat"
C:\Windows\system32\rundll32.exe
rundll32.exe qbot.dll,menu
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe qbot.dll,menu
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
Network
| Country | Destination | Domain | Proto |
| US | 52.242.101.226:443 | tcp | |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.130.241.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.150.43.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 13.89.178.27:443 | tcp | |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp |
| US | 209.197.3.8:80 | tcp | |
| US | 209.197.3.8:80 | tcp |
Files
memory/2200-133-0x00000000013F0000-0x00000000013F3000-memory.dmp
memory/2200-134-0x0000000001400000-0x0000000001424000-memory.dmp
memory/3492-139-0x0000000000A60000-0x0000000000A62000-memory.dmp
memory/3492-140-0x0000000000A30000-0x0000000000A54000-memory.dmp
memory/3492-146-0x0000000000A30000-0x0000000000A54000-memory.dmp
memory/3492-147-0x0000000000A30000-0x0000000000A54000-memory.dmp
memory/3492-148-0x0000000000A30000-0x0000000000A54000-memory.dmp
memory/3492-149-0x0000000000A30000-0x0000000000A54000-memory.dmp
memory/3492-150-0x0000000000A30000-0x0000000000A54000-memory.dmp
memory/3492-153-0x0000000000A30000-0x0000000000A54000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2023-06-07 15:02
Reported
2023-06-07 15:05
Platform
win7-20230220-en
Max time kernel
31s
Max time network
34s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1700 wrote to memory of 848 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1700 wrote to memory of 848 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1700 wrote to memory of 848 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1700 wrote to memory of 848 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1700 wrote to memory of 848 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1700 wrote to memory of 848 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1700 wrote to memory of 848 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\qbot.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\qbot.dll,#1
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2023-06-07 15:02
Reported
2023-06-07 15:05
Platform
win10v2004-20230220-en
Max time kernel
137s
Max time network
147s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2100 wrote to memory of 1016 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2100 wrote to memory of 1016 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2100 wrote to memory of 1016 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\qbot.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\qbot.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1016 -ip 1016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 52.152.110.14:443 | tcp | |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 52.152.110.14:443 | tcp | |
| US | 8.8.8.8:53 | 14.103.197.20.in-addr.arpa | udp |
| IE | 13.69.239.74:443 | tcp | |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.248.5.254:80 | tcp | |
| US | 8.248.5.254:80 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 8.8.8.8:53 | 1.77.109.52.in-addr.arpa | udp |
| US | 52.152.110.14:443 | tcp | |
| US | 8.248.5.254:80 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 204.79.197.203:80 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp |