Analysis
max time kernel: 150s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-04-2024 10:36
Static task: static1 (1 signature)
Behavioral task: behavioral1
Sample: f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe
Resource: win7-20240221-en (4 signatures, 150 seconds)
General
Target: f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe
Size: 4.2MB
MD5: 6655347cd176e076ac8c8e509841f1fb
SHA1: 2bf60b4709e1e653ad5427761ba70c7b6c22b8ba
SHA256: f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2 (the sample is named after its SHA256)
SHA512: ca18ce0c69062b42d1fe4b1c563b64b3cc55eb8601a6caef4eb9a246442b152b553df08e7d6cbb200cdf6095205dd8d8c5db8d3923cfe4cdce8e109efab17d5a
SSDEEP: 98304:YdPQzF3R/e/hh6FZFLOAkGkzdnEVomFHKnP:YA3AYFZFLOyomFHKnP
Malware Config
Extracted
Family: qakbot
Botnet: bmw02
Campaign: 1706788306 (Unix epoch seconds; it decodes to the camp_date attribute below)
C2:
62.204.41.234:2222
31.210.173.10:443
185.113.8.123:443
Attributes
camp_date: 2024-02-01 11:51:46 +0000 UTC
Signatures
Detect Qakbot Payload (22 IoCs)
resource | yara_rule
behavioral2/memory/3036-N-0x000001E731120000-0x000001E73117B000-memory.dmp, N = 1, 2, 3, 4, 5, 6, 7, 8, 9, 17, 18, 21 (12 dumps of the same 0x5B000-byte region in PID 3036) | family_qakbot_v5
behavioral2/memory/4512-N-0x000001DBB5920000-0x000001DBB5950000-memory.dmp, N = 11, 19, 20, 22, 32, 33, 34, 35, 36, 38 (10 dumps of the same 0x30000-byte region in PID 4512) | family_qakbot_v5
Modifies registry class (10 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\fbiboewkocoo | wermgr.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\fbiboewkocoo\a294984 = 4628829154740b70097e2c415f77665f9becd88d65bea8cbee7e91e9528cdd7e8c870492e2ef0d39b8c1168ab505f9a58b3a6196127495fda2f608c2526363bf95cd27e0c94172085915782d59b788f1131e94aa5cfd30cf24f59efb8fec049b1d94b7952bd2e1bbfea5b3cfdf1e73df892c5e3027afa1c5fa205f9d834d543ad8176861a16b2ea597913265f648360e56b2b40b5163c01d81b3d51d2d3b27642e2f7a7316daa7cd4ede50dd9a9ab844b3 | wermgr.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\fbiboewkocoo\14e10f28 = c47c1c3bf78260304d9008a27b7cbdb3ffe98c3f2fcc6a49ec20f4b176cfc9e8a46f2e1bedcd21047e3ec9f218ec00bbe8472aa6cd735be616491ab2e5c0d8993b | wermgr.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\fbiboewkocoo\c704149d = c498ebe3736708510df10c7e8adb3b4cf2acaf991eb770d7b7f1cc0909fa89252bdcd45fd4e7f62007f1ce06b7b9d6ef708954fda831baac7253405886673021be193c10bd04d2f64c34819e0f491b49843b5cd741be4e6cfbf96af070a534cd42 | wermgr.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\fbiboewkocoo\c683491a = 45550a2785add1bb589b5b65d9c456316dcdd680bc8eda3c6c05a4870b1ea14a51b9f66d63e9c652a420158ab46261fdc13d37b8f9ff5b6d3b047184ceebdc4ef0c8dfd945fbb2ed7c5a2cf8dc4b02a4d3 | wermgr.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\fbiboewkocoo\5d865ccb = 27fcd089b4eb35a6624a95028c4b1610c57308c1deb104013f5cbae4b233f1da75 | wermgr.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\fbiboewkocoo\5c01014c = 27817222e3a8252326b194c9b8f464308057e489ecbc25d7f6e415a5cbddfde8007c7510f97299d596ef824d89432ec43326b5cceb38cbb78d61fd02766638625c17baa4033287fa99759357fda7090b53 | wermgr.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\fbiboewkocoo\5c01014c = 65e06535e87b1000916ff7c9b736137e0b6a0a478107fe9b42a81b9d226a568a1bf52921d40a54542f94de29bfae2e2771a3a45c9328b89a8f42d20fcd90f7874b | wermgr.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\fbiboewkocoo\d84b0fb6 = e725df8d5e78e900da754bb543d239e57749938bb497c20b6189efc4b2c0f44099 | wermgr.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\fbiboewkocoo\bae1403 = 67a044409ec38c016321effa4e4af544683f8611d99d4b9ba376f7acb601319c8c | wermgr.exe
Note: \REGISTRY\USER\<SID>_Classes is the NT path of the per-user hive that is mounted at HKCU\Software\Classes. All nine values are written by the injected wermgr.exe under a single random 12-letter subkey, the value names are hex-looking, the data are hex blobs of varying length, and 5c01014c is overwritten once with different data.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3036 | f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe (4 events)
4512 | wermgr.exe (60 events)
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
3036 | f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe
Suspicious use of WriteProcessMemory (5 IoCs)
description | pid | Process | procid_target
PID 3036 wrote to memory of 4512 | 3036 | f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe | 96 (reported 5 times; all five rows are identical)
Processes
1. image: C:\Users\Admin\AppData\Local\Temp\f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe; command line: "C:\Users\Admin\AppData\Local\Temp\f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe"; PID: 3036
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. image: C:\Windows\System32\wermgr.exe; command line: C:\Windows\System32\wermgr.exe; PID: 4512 (child of PID 3036)
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
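The WriteProcessMemory, registry-class and process-tree sections above together describe the execution chain of this sample: the dropper writes into a freshly spawned wermgr.exe, and the injected wermgr.exe then stores hex blobs under a random subkey of HKCU\Software\Classes. The script below is an added example, not part of the Triage report or of any Triage detection logic: it re-parses those report rows (transcribed inline as constructed input, with two of the five identical WriteProcessMemory rows kept to show deduplication) and correlates them into one verdict. The rule that the writer sits outside C:\Windows while the target sits inside it, the 8 to 16 lowercase-letter key-name pattern, the minimum of three values and the 0.8 normalised-entropy threshold are assumptions chosen to fit this sample.

```python
"""Correlate the behavioural signatures of the report above into a
Qakbot-style verdict: a process outside C:\\Windows writes into a Windows
system binary (wermgr.exe), and that injected process then stores
high-entropy blobs under a random key in HKCU\\Software\\Classes.
Added example, not part of the Triage report; all thresholds are assumptions."""
import json
import math
import re
from collections import Counter, defaultdict

# Constructed input: events transcribed from the report, one per line
# (the report prints them run together on a single line).
REPORT_EVENTS = r"""
PID 3036 wrote to memory of 4512 3036 f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe 96
PID 3036 wrote to memory of 4512 3036 f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe 96
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\fbiboewkocoo wermgr.exe
Set value (data) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\fbiboewkocoo\a294984 = 4628829154740b70097e2c415f77665f9becd88d65bea8cbee7e91e9528cdd7e8c870492e2ef0d39b8c1168ab505f9a58b3a6196127495fda2f608c2526363bf95cd27e0c94172085915782d59b788f1131e94aa5cfd30cf24f59efb8fec049b1d94b7952bd2e1bbfea5b3cfdf1e73df892c5e3027afa1c5fa205f9d834d543ad8176861a16b2ea597913265f648360e56b2b40b5163c01d81b3d51d2d3b27642e2f7a7316daa7cd4ede50dd9a9ab844b3 wermgr.exe
Set value (data) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\fbiboewkocoo\14e10f28 = c47c1c3bf78260304d9008a27b7cbdb3ffe98c3f2fcc6a49ec20f4b176cfc9e8a46f2e1bedcd21047e3ec9f218ec00bbe8472aa6cd735be616491ab2e5c0d8993b wermgr.exe
Set value (data) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\fbiboewkocoo\5d865ccb = 27fcd089b4eb35a6624a95028c4b1610c57308c1deb104013f5cbae4b233f1da75 wermgr.exe
Set value (data) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\fbiboewkocoo\d84b0fb6 = e725df8d5e78e900da754bb543d239e57749938bb497c20b6189efc4b2c0f44099 wermgr.exe
Set value (data) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\fbiboewkocoo\bae1403 = 67a044409ec38c016321effa4e4af544683f8611d99d4b9ba376f7acb601319c8c wermgr.exe
"""

# Process tree from the report: pid -> (image path, parent pid).
PROCESSES = {
    3036: (r"C:\Users\Admin\AppData\Local\Temp\f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe", None),
    4512: (r"C:\Windows\System32\wermgr.exe", 3036),
}

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ \S+ \d+$")
SETVAL_RE = re.compile(r"^Set value \(data\) (\S+)\\([0-9a-fA-F]+) = ([0-9a-fA-F]+) (\S+)$")
# \REGISTRY\USER\<SID>_Classes is the NT path of the hive mounted at HKCU\Software\Classes.
# Key-name pattern (8-16 lowercase letters) is an assumption fitted to "fbiboewkocoo".
CLASSES_KEY_RE = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+_Classes\\([a-z]{8,16})$")


def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def looks_encrypted(blob_hex: str, min_ratio: float = 0.8) -> bool:
    """Entropy normalised by the maximum a blob of this length can reach
    (log2 of min(len, 256)), so the 33-byte values are not penalised for
    being short. The 0.8 ratio is an assumed threshold."""
    if len(blob_hex) % 2:
        return False  # odd-length hex is not a byte blob
    data = bytes.fromhex(blob_hex)
    cap = math.log2(min(len(data), 256))
    return cap > 0 and shannon_entropy(data) / cap >= min_ratio


def is_system_image(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\")


def injection_edges(lines, procs):
    """(src_pid, dst_pid) pairs where a non-system process wrote into a
    system binary; identical report rows collapse into one edge."""
    edges = set()
    for line in lines:
        m = WRITE_RE.match(line)
        if not m:
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        src_img = procs.get(src, ("", None))[0]
        dst_img = procs.get(dst, ("", None))[0]
        if src_img and dst_img and not is_system_image(src_img) and is_system_image(dst_img):
            edges.add((src, dst))
    return sorted(edges)


def classes_value_groups(lines):
    """Values written under HKCU\\Software\\Classes\\<random> with hex-looking
    names, grouped by (writing image name, key path)."""
    groups = defaultdict(list)
    for line in lines:
        m = SETVAL_RE.match(line)
        if m and CLASSES_KEY_RE.match(m.group(1)):
            key, name, data, image = m.groups()
            groups[(image, key)].append((name, data))
    return groups


def analyse_report(events: str = REPORT_EVENTS, procs=PROCESSES, min_values: int = 3) -> dict:
    """Verdict is True only when the process that received the memory write
    is also the one storing >= min_values high-entropy blobs under Classes."""
    lines = [l.strip() for l in events.splitlines() if l.strip()]
    edges = injection_edges(lines, procs)
    injected = {procs[dst][0].rsplit("\\", 1)[-1].lower() for _, dst in edges}
    findings = []
    for (image, key), values in classes_value_groups(lines).items():
        encrypted = [name for name, data in values if looks_encrypted(data)]
        if image.lower() in injected and len(encrypted) >= min_values:
            findings.append({"image": image, "key": key,
                             "values_total": len(values), "values_encrypted": len(encrypted),
                             "value_names": sorted(name for name, _ in values)})
    return {"injections": edges, "findings": findings, "verdict": bool(findings)}


if __name__ == "__main__":
    print(json.dumps(analyse_report(), indent=2))
```

The same two regexes can be pointed at a full export of the report's registry and WriteProcessMemory rows; on a live host the equivalent hunt is to enumerate HKCU\Software\Classes for subkeys matching the key-name pattern and run the entropy check over their values.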