7caa0da0ccc56a5b38f0c4f7d86b6fb7239c79f8a06a5486948dc177d0ef00cd

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-05-2024 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-27_64c1d4387a0973aa7d5a989312ce8754_mafia_qakbot.exe
Size

885KB
MD5

64c1d4387a0973aa7d5a989312ce8754
SHA1

59e56c4c9f8b3fe09d47a01289aba342e1b34be1
SHA256

7caa0da0ccc56a5b38f0c4f7d86b6fb7239c79f8a06a5486948dc177d0ef00cd
SHA512

b475da80690c0525422db2627073d3e10c1925d77cbbfa1ae460b6452aaf7b7b491d84022329725f333c29dfb605382c3c5ef929a39c2b4b76c187c458e02ddb
SSDEEP

12288:qFluQIfi/C0T4mkdbWUhDHoDzf4Yzv2DLAfLwYXOBdzw6nPLhO8emCf4oGu94fSV:qVP/C0Umetu7XO4reBa6D8mCf4aFOG5

Score

9^/10

evasion spyware stealer

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

Setup.exe2024-05-27_64c1d4387a0973aa7d5a989312ce8754_mafia_qakbot.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2024-05-27_64c1d4387a0973aa7d5a989312ce8754_mafia_qakbot.exe

Executes dropped EXE 1 IoCs

Processes:

Setup.exe

pid process

3580 Setup.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3580	Setup.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

Processes:

Setup.exe2024-05-27_64c1d4387a0973aa7d5a989312ce8754_mafia_qakbot.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	Setup.exe
File opened (read-only)	\??\VBoxMiniRdrDN	2024-05-27_64c1d4387a0973aa7d5a989312ce8754_mafia_qakbot.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

Setup.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS	Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\Setup.exe = "1"	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Setup.exe = "0"	Setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2024-05-27_64c1d4387a0973aa7d5a989312ce8754_mafia_qakbot.exe

description	pid	process	target process
PID 792 wrote to memory of 3580	792	2024-05-27_64c1d4387a0973aa7d5a989312ce8754_mafia_qakbot.exe	Setup.exe
PID 792 wrote to memory of 3580	792	2024-05-27_64c1d4387a0973aa7d5a989312ce8754_mafia_qakbot.exe	Setup.exe
PID 792 wrote to memory of 3580	792	2024-05-27_64c1d4387a0973aa7d5a989312ce8754_mafia_qakbot.exe	Setup.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-27_64c1d4387a0973aa7d5a989312ce8754_mafia_qakbot.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_64c1d4387a0973aa7d5a989312ce8754_mafia_qakbot.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks for VirtualBox DLLs, possible anti-VM trick
- Suspicious use of WriteProcessMemory
PID:792

C:\Users\Admin\AppData\Local\Temp\a2WKoxjBAA\moZdFHAo\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\a2WKoxjBAA\moZdFHAo\Setup.exe" --relaunch
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks for VirtualBox DLLs, possible anti-VM trick
- Modifies Internet Explorer settings
PID:3580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:1176

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a2WKoxjBAA\moZdFHAo\Setup.exe
Filesize
885KB

MD5
64c1d4387a0973aa7d5a989312ce8754

SHA1
59e56c4c9f8b3fe09d47a01289aba342e1b34be1

SHA256
7caa0da0ccc56a5b38f0c4f7d86b6fb7239c79f8a06a5486948dc177d0ef00cd

SHA512
b475da80690c0525422db2627073d3e10c1925d77cbbfa1ae460b6452aaf7b7b491d84022329725f333c29dfb605382c3c5ef929a39c2b4b76c187c458e02ddb

Download Submit