Analysis
  max time kernel: 150s
  max time network: 158s
  platform: windows10-2004_x64
  resource: win10v2004-20240226-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 02-04-2024 13:35

  Static task: static1 (1 signatures)
  Behavioral task: behavioral1
    Sample: 2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe
    Resource: win7-20240221-en
    4 signatures, 150 seconds
General
  Target: 2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe
  Size: 1.3MB
  MD5: 041f11543edf5591a8fb7b0037e3d115
  SHA1: ee5fb2448d4437c2eaefdfb7cac13a0a2162a775
  SHA256: 2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d
  SHA512: 3e3e5634cb560178ec75b2a74a92a9bbacedf53f046491ebf9e2d7849b1b1ea5327cf9e8e3cc2ffc3938ca12d6ab281ae466b4446c2b338fa35976ef6f5b83c4
  SSDEEP: 24576:6H4G8P8VYqjxxT6qZk1rFrXc0lLF5HskwGpLF2:1G8P8VcrlcwLXPpL8
Malware Config (Extracted)
  Family: qakbot
  Botnet: bmw01
  Campaign: 1706268333
  C2:
    116.202.110.87:443
    77.73.39.175:32103
    185.156.172.62:443
    185.117.90.142:6882
  Attributes:
    camp_date: 2024-01-26 11:25:33 +0000 UTC
Signatures

Detect Qakbot Payload (26 IoCs)
Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 1444 set thread context of 3288 | 1444 | 2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe | 85
Modifies registry class (10 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of WriteProcessMemory (13 IoCs)
  description | pid | Process | procid_target
  PID 1444 wrote to memory of 3288 | 1444 | 2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe | 85
  PID 1444 wrote to memory of 3288 | 1444 | 2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe | 85
  PID 1444 wrote to memory of 3288 | 1444 | 2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe | 85
  PID 1444 wrote to memory of 3288 | 1444 | 2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe | 85
  PID 1444 wrote to memory of 3288 | 1444 | 2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe | 85
  PID 1444 wrote to memory of 3288 | 1444 | 2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe | 85
  PID 1444 wrote to memory of 3288 | 1444 | 2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe | 85
  PID 1444 wrote to memory of 3288 | 1444 | 2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe | 85
  PID 3288 wrote to memory of 2876 | 3288 | 2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe | 91
  PID 3288 wrote to memory of 2876 | 3288 | 2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe | 91
  PID 3288 wrote to memory of 2876 | 3288 | 2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe | 91
  PID 3288 wrote to memory of 2876 | 3288 | 2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe | 91
  PID 3288 wrote to memory of 2876 | 3288 | 2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe | 91
Processes
  C:\Users\Admin\AppData\Local\Temp\2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe (PID 1444)
    command line: "C:\Users\Admin\AppData\Local\Temp\2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe (PID 3288)
      command line: "C:\Users\Admin\AppData\Local\Temp\2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\wermgr.exe (PID 2876)
        command line: C:\Windows\System32\wermgr.exe
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses