Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-04-2024 13:10
Static task: static1
Behavioral task: behavioral1
Sample: fda2abd24764809fb36d4d2ee7ab5f6e8c06381fe6d9bb191bde62411c96ba92.exe
Resource: win7-20240221-en
4 signatures, 150 seconds
General
Target: fda2abd24764809fb36d4d2ee7ab5f6e8c06381fe6d9bb191bde62411c96ba92.exe
Size: 1.3MB
MD5: f9073d4ac3089ecc2c43b73b3818582e
SHA1: 38813f19e54d28055b2cc4d7030cf608ca5d4c5a
SHA256: fda2abd24764809fb36d4d2ee7ab5f6e8c06381fe6d9bb191bde62411c96ba92
SHA512: bc52575d876e84c7b9b92590dc9168785021da7ce9c53e81421b307cb6de157be3e88f19aee095b0ecc6bf57f7ed02da0df1198b71ba6c292ec37d3ad50b7d35
SSDEEP: 24576:bH4G8P8VYqjxxT6qZk1rFrXc0lLF5HskwGpLFg:cG8P8VcrlcwLXPpL6
Malware Config
Extracted
Family: qakbot
Botnet: bmw01
Campaign: 1706268333
C2:
- 116.202.110.87:443
- 77.73.39.175:32103
- 185.156.172.62:443
- 185.117.90.142:6882
Attributes
camp_date: 2024-01-26 11:25:33 +0000 UTC
Signatures
Detect Qakbot Payload 26 IoCs
(columns: resource | yara_rule)
- behavioral2/memory/4868-2-0x0000000140000000-0x0000000140030000-memory.dmp | family_qakbot_v5
- behavioral2/memory/4144-6-0x0000000002040000-0x0000000002093000-memory.dmp | family_qakbot_v5
- behavioral2/memory/4868-7-0x0000000140000000-0x0000000140030000-memory.dmp | family_qakbot_v5
- behavioral2/memory/4868-5-0x0000000140000000-0x0000000140030000-memory.dmp | family_qakbot_v5
- behavioral2/memory/4868-3-0x0000000140000000-0x0000000140030000-memory.dmp | family_qakbot_v5
- behavioral2/memory/4144-4-0x0000000000510000-0x000000000055E000-memory.dmp | family_qakbot_v5
- behavioral2/memory/4144-10-0x0000000002040000-0x0000000002093000-memory.dmp | family_qakbot_v5
- behavioral2/memory/4868-9-0x0000000140000000-0x0000000140030000-memory.dmp | family_qakbot_v5
- behavioral2/memory/4868-8-0x0000000140000000-0x0000000140030000-memory.dmp | family_qakbot_v5
- behavioral2/memory/4868-11-0x0000000140000000-0x0000000140030000-memory.dmp | family_qakbot_v5
- behavioral2/memory/4868-12-0x0000000140000000-0x0000000140030000-memory.dmp | family_qakbot_v5
- behavioral2/memory/4868-13-0x0000000140000000-0x0000000140030000-memory.dmp | family_qakbot_v5
- behavioral2/memory/4868-14-0x0000000140000000-0x0000000140030000-memory.dmp | family_qakbot_v5
- behavioral2/memory/4868-23-0x0000000140000000-0x0000000140030000-memory.dmp | family_qakbot_v5
- behavioral2/memory/908-17-0x0000021DC6A90000-0x0000021DC6AC0000-memory.dmp | family_qakbot_v5
- behavioral2/memory/4868-26-0x0000000140000000-0x0000000140030000-memory.dmp | family_qakbot_v5
- behavioral2/memory/908-25-0x0000021DC6A90000-0x0000021DC6AC0000-memory.dmp | family_qakbot_v5
- behavioral2/memory/908-27-0x0000021DC6A90000-0x0000021DC6AC0000-memory.dmp | family_qakbot_v5
- behavioral2/memory/908-24-0x0000021DC6A90000-0x0000021DC6AC0000-memory.dmp | family_qakbot_v5
- behavioral2/memory/4868-15-0x0000000140000000-0x0000000140030000-memory.dmp | family_qakbot_v5
- behavioral2/memory/908-37-0x0000021DC6A90000-0x0000021DC6AC0000-memory.dmp | family_qakbot_v5
- behavioral2/memory/908-38-0x0000021DC6A90000-0x0000021DC6AC0000-memory.dmp | family_qakbot_v5
- behavioral2/memory/908-41-0x0000021DC6A90000-0x0000021DC6AC0000-memory.dmp | family_qakbot_v5
- behavioral2/memory/908-39-0x0000021DC6A90000-0x0000021DC6AC0000-memory.dmp | family_qakbot_v5
- behavioral2/memory/908-40-0x0000021DC6A90000-0x0000021DC6AC0000-memory.dmp | family_qakbot_v5
- behavioral2/memory/908-43-0x0000021DC6A90000-0x0000021DC6AC0000-memory.dmp | family_qakbot_v5
Suspicious use of SetThreadContext 1 IoCs
(columns: description | pid | Process | procid_target)
- PID 4144 set thread context of 4868 | 4144 | fda2abd24764809fb36d4d2ee7ab5f6e8c06381fe6d9bb191bde62411c96ba92.exe | 85
Modifies registry class 10 IoCs
(columns: description | ioc | Process)
- Set value (data) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\iflvusoovof\38c6730f = 45d0986df6d8e1d8b97fd72603d1365393043896e0731991f31384426cb8ed6431a3f6f1752bde703d5f8a365eb551377ec07bd2527abbab3b2bb41306f301ab72e49f3cf76fa7839d373d1827efb90dc779a94d78942f62de42bda729749de615 | wermgr.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\iflvusoovof\f46c7391 = e4853525240f79797b9ffb7c048f92503990663372ba884e716b007e47e715af22 | wermgr.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\iflvusoovof\39412e88 = 062e04227855552c594c59402a6d38a8496c09a796400c555021ee6380d57752f8b05b64722c1dc95f26ad6c4b16fcf3d39c4c5b52b83dd8694458a643d8cf2ca4bb93c6a205d9069f1f2810eb0b9923123dc4e1f4f7d893858234adcb515b85b0 | wermgr.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\iflvusoovof\a2443b59 = 850fcd3236e4f57bef3ae1217f4dbd34e03a62046e90cc45ca592b29c1953cc8dc9d56bc88a48ba8fc0fa0e872cdbad849bb0cbf70a8e7394d506bdd01ae8b7ea41d9c1f906f4e4de6c802e578322fc3c635e395738ec57d412665fb250f2b0e2a9a7a7418234aeca85ece52606ab52f5a | wermgr.exe
- Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\iflvusoovof | wermgr.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\iflvusoovof\a3c366de = e757e64a7b07b211b724988e9da78dcf0823fed97093643d575d8742931dc414aa33a6268e18819b77ba743085197d9b0d | wermgr.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\iflvusoovof\27896824 = 87f415b354f23d4c6da09e5baa770ddc45b39a228f0a9b0b40b673fac63d09d2f44c6f492b75adf98efae53c34cd268b77ef5ff178e0ed03c34f3f931362eaa9601888d5437f8f832a8e1381bb4b2efb0d | wermgr.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\iflvusoovof\f5eb2e16 = a5ebd7e9bf98dc86fbd990933af17aa3381092b0b72b27b0cb68aa2e89cc4ca751cf6564849b6dbac011773a416af3dc6750732cfd3019518f52f2653e6270ba82dbf881112c37bdf5dd6613156da0a3da37d3b774832e2dff48893c098c8f6ce71c5204393f9dd9b59c7771c2e4ea96a7ddac1bfca4df14cca3de8162c53b3b473337ffc36e477c45b4b6b1c68acef59a | wermgr.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\iflvusoovof\eb2368ba = 87afdb026081be427592c1a7816d388d1959bb0723ba40a8b3b7ea1aed1f89e9d4912ab2103bf3e631d6159dbf17b141b8 | wermgr.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\iflvusoovof\a3c366de = e4ea6c5fd7afc5bbf0b25fa34f030e362e6bf34ea1b27b19db5b3234c2ae716bdbffd4d2f91df0629c74be119c3ef863b7e81ef0d3e750faa6e7649bafda95141e61d720fdc78e45ae6552d1355fa2c1e2 | wermgr.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
(columns: pid | Process)
- 4868 | fda2abd24764809fb36d4d2ee7ab5f6e8c06381fe6d9bb191bde62411c96ba92.exe (4 entries)
- 908 | wermgr.exe (60 entries)
Suspicious use of WriteProcessMemory 13 IoCs
(columns: description | pid | Process | procid_target)
- PID 4144 wrote to memory of 4868 | 4144 | fda2abd24764809fb36d4d2ee7ab5f6e8c06381fe6d9bb191bde62411c96ba92.exe | 85 (8 entries)
- PID 4868 wrote to memory of 908 | 4868 | fda2abd24764809fb36d4d2ee7ab5f6e8c06381fe6d9bb191bde62411c96ba92.exe | 91 (5 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\fda2abd24764809fb36d4d2ee7ab5f6e8c06381fe6d9bb191bde62411c96ba92.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fda2abd24764809fb36d4d2ee7ab5f6e8c06381fe6d9bb191bde62411c96ba92.exe"
   PID: 4144
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\fda2abd24764809fb36d4d2ee7ab5f6e8c06381fe6d9bb191bde62411c96ba92.exe (child of PID 4144)
      Command line: "C:\Users\Admin\AppData\Local\Temp\fda2abd24764809fb36d4d2ee7ab5f6e8c06381fe6d9bb191bde62411c96ba92.exe"
      PID: 4868
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\wermgr.exe (child of PID 4868)
         Command line: C:\Windows\System32\wermgr.exe
         PID: 908
         - Modifies registry class
         - Suspicious behavior: EnumeratesProcesses