Analysis

Max time kernel: 143s
Max time network: 152s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 27-05-2024 05:50

Static task: static1
Behavioral task: behavioral1
Sample: 2024-05-27_64c1d4387a0973aa7d5a989312ce8754_mafia_qakbot.exe
Resource: win7-20240221-en
General

Target: 2024-05-27_64c1d4387a0973aa7d5a989312ce8754_mafia_qakbot.exe
Size: 885KB
MD5: 64c1d4387a0973aa7d5a989312ce8754
SHA1: 59e56c4c9f8b3fe09d47a01289aba342e1b34be1
SHA256: 7caa0da0ccc56a5b38f0c4f7d86b6fb7239c79f8a06a5486948dc177d0ef00cd
SHA512: b475da80690c0525422db2627073d3e10c1925d77cbbfa1ae460b6452aaf7b7b491d84022329725f333c29dfb605382c3c5ef929a39c2b4b76c187c458e02ddb
SSDEEP: 12288:qFluQIfi/C0T4mkdbWUhDHoDzf4Yzv2DLAfLwYXOBdzw6nPLhO8emCf4oGu94fSV:qVP/C0Umetu7XO4reBa6D8mCf4aFOG5
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
Processes: Setup.exe, 2024-05-27_64c1d4387a0973aa7d5a989312ce8754_mafia_qakbot.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Setup.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 2024-05-27_64c1d4387a0973aa7d5a989312ce8754_mafia_qakbot.exe
Executes dropped EXE (1 IoC)
Processes: Setup.exe
  pid | process
  3580 | Setup.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Checks for VirtualBox DLLs, possible anti-VM trick (1 TTP, 2 IoCs)
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes: Setup.exe, 2024-05-27_64c1d4387a0973aa7d5a989312ce8754_mafia_qakbot.exe
  description | ioc | process
  File opened (read-only) | \??\VBoxMiniRdrDN | Setup.exe
  File opened (read-only) | \??\VBoxMiniRdrDN | 2024-05-27_64c1d4387a0973aa7d5a989312ce8754_mafia_qakbot.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings
Processes: Setup.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS | Setup.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\Setup.exe = "1" | Setup.exe
  Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN | Setup.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Setup.exe = "0" | Setup.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: 2024-05-27_64c1d4387a0973aa7d5a989312ce8754_mafia_qakbot.exe
  description | pid | process | target process
  PID 792 wrote to memory of 3580 | 792 | 2024-05-27_64c1d4387a0973aa7d5a989312ce8754_mafia_qakbot.exe | Setup.exe
  PID 792 wrote to memory of 3580 | 792 | 2024-05-27_64c1d4387a0973aa7d5a989312ce8754_mafia_qakbot.exe | Setup.exe
  PID 792 wrote to memory of 3580 | 792 | 2024-05-27_64c1d4387a0973aa7d5a989312ce8754_mafia_qakbot.exe | Setup.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\2024-05-27_64c1d4387a0973aa7d5a989312ce8754_mafia_qakbot.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-27_64c1d4387a0973aa7d5a989312ce8754_mafia_qakbot.exe"
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks for VirtualBox DLLs, possible anti-VM trick
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\a2WKoxjBAA\moZdFHAo\Setup.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\a2WKoxjBAA\moZdFHAo\Setup.exe" --relaunch
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Executes dropped EXE
      - Checks for VirtualBox DLLs, possible anti-VM trick
      - Modifies Internet Explorer settings

1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\a2WKoxjBAA\moZdFHAo\Setup.exe
Filesize: 885KB
MD5: 64c1d4387a0973aa7d5a989312ce8754
SHA1: 59e56c4c9f8b3fe09d47a01289aba342e1b34be1
SHA256: 7caa0da0ccc56a5b38f0c4f7d86b6fb7239c79f8a06a5486948dc177d0ef00cd
SHA512: b475da80690c0525422db2627073d3e10c1925d77cbbfa1ae460b6452aaf7b7b491d84022329725f333c29dfb605382c3c5ef929a39c2b4b76c187c458e02ddb