Analysis Overview
SHA256
df8b232d54f0df487bcf03d77ddaed30650a6452c71cef3b18a34a7f3090f224
Threat Level: Known bad
The file 2024-10-07_23690845e877f9d22e798d9574e7b659_magniber_qakbot was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-07 23:03
Signatures
Urelas family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-07 23:03
Reported
2024-10-07 23:13
Platform
win7-20240903-en
Max time kernel
149s
Max time network
77s
Signatures
Urelas
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-07_23690845e877f9d22e798d9574e7b659_magniber_qakbot.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-07_23690845e877f9d22e798d9574e7b659_magniber_qakbot.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-07_23690845e877f9d22e798d9574e7b659_magniber_qakbot.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-07_23690845e877f9d22e798d9574e7b659_magniber_qakbot.exe"
C:\Users\Admin\AppData\Local\Temp\sander.exe
"C:\Users\Admin\AppData\Local\Temp\sander.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
C:\Users\Admin\AppData\Local\Temp\ctfmom.exe
"C:\Users\Admin\AppData\Local\Temp\ctfmom.exe"
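Detection logic for the process chain listed above, as an added example that is not part of the sandbox report. The events are constructed from the report's four processes (plus one benign launch for contrast); the PIDs, the parent/child links and the `signed` field are assumptions, since the report lists the processes in order but states neither lineage nor signing status for the dropped files. Two rules are checked: an unsigned executable under the user's Temp directory started by a process that itself lives there, and cmd.exe /c executing a batch file from that directory.

```python
# Added example (not part of the sandbox report): rule logic over process-creation
# events for the chain listed above. Events are constructed from the report's
# process list; PIDs, parent/child links and the signed flag are ASSUMED.
import re
from dataclasses import dataclass

# %LOCALAPPDATA%\Temp of any user, given as a drive-letter path
USER_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
# first drive-letter path ending in .bat inside a command line
BAT_PATH_RE = re.compile(r'([a-z]:\\[^"]+?\.bat)', re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    signed: bool  # assumed telemetry field; the report only flags the sample as "Unsigned PE"


def in_user_temp(path: str) -> bool:
    return bool(USER_TEMP_RE.match(path))


def runs_bat_from_user_temp(cmdline: str) -> bool:
    """True for command lines such as: cmd /c ""C:\\Users\\x\\AppData\\Local\\Temp\\y.bat" "."""
    m = BAT_PATH_RE.search(cmdline)
    return bool(m) and in_user_temp(m.group(1))


def evaluate(events):
    """Return (rule, parent_image, detail) tuples for every event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        image = e.image.lower()
        # Rule 1: unsigned .exe under %LOCALAPPDATA%\Temp launched by a process that
        # lives there too (sample -> sander.exe, sander.exe -> ctfmom.exe)
        if (parent is not None and in_user_temp(parent.image) and in_user_temp(e.image)
                and image.endswith(".exe") and not e.signed):
            hits.append(("temp_exe_spawns_temp_exe", parent.image, e.image))
        # Rule 2: cmd.exe /c running a batch file from %LOCALAPPDATA%\Temp
        if (image.endswith("\\cmd.exe") and " /c " in e.cmdline.lower()
                and runs_bat_from_user_temp(e.cmdline)):
            hits.append(("cmd_runs_temp_bat", parent.image if parent else None, e.cmdline))
    return hits


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\2024-10-07_23690845e877f9d22e798d9574e7b659_magniber_qakbot.exe"
SANDER = TEMP + r"\sander.exe"
CTFMOM = TEMP + r"\ctfmom.exe"
BAT = TEMP + r"\_sannuyex.bat"

# Constructed events: the report's four processes plus one benign launch.
# Lineage (sample -> sander.exe -> cmd.exe and ctfmom.exe) is an assumption.
EVENTS = [
    ProcEvent(1, 0, r"C:\Windows\explorer.exe", "explorer.exe", signed=True),
    ProcEvent(2, 1, SAMPLE, f'"{SAMPLE}"', signed=False),
    ProcEvent(3, 2, SANDER, f'"{SANDER}"', signed=False),
    ProcEvent(4, 3, r"C:\Windows\SysWOW64\cmd.exe", f'cmd /c ""{BAT}" "', signed=True),
    ProcEvent(5, 3, CTFMOM, f'"{CTFMOM}"', signed=False),
    ProcEvent(6, 1, r"C:\Windows\System32\notepad.exe", "notepad.exe", signed=True),
]

if __name__ == "__main__":
    for hit in evaluate(EVENTS):
        print(hit)
```

Rule 1 deliberately does not fire on the sample itself (its parent is explorer.exe, outside Temp); it catches the second and third stage, which is where the dropped executables appear. Rule 2 is path-based rather than name-based, so it is indifferent to the random batch file name.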
Network
| Country | Destination | Domain | Proto |
| KR | 121.88.5.183:11300 | | tcp |
| KR | 121.88.5.184:11170 | | tcp |
| KR | 112.223.217.101:11300 | | tcp |
Files
memory/2276-0-0x0000000000120000-0x0000000000603000-memory.dmp
\Users\Admin\AppData\Local\Temp\sander.exe
| MD5 | fdd930486af123ad495500d8bba50803 |
| SHA1 | 71ae9898da4b5227a6c546b6ba1e86a1f65635a3 |
| SHA256 | 55e7c6665c6f5c74207e32d205449104e34560e34a77c67c61878a2027276a1f |
| SHA512 | fda2af219e1e55234f757c6e9a480df01f75187ee721b1c2bfd29879fa1ea6ce62cfb472327a97d02242018490d62d56f6610c8ae9aefb01f731d50308a45171 |
C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat
| MD5 | 2ff029275333345f349d87bd2da43beb |
| SHA1 | 623b15acfddbbc2845fa093bcf29c9a46d3ab7ae |
| SHA256 | d23e3379d58c23a15f2f37f124c79e579f080986e7670f7bd357411f7acc1fe2 |
| SHA512 | 59dfd1e0a5e8a2426083be45c11a1a94b88e6bb6b3958cbd3a96938cb6e57389fa67b45de0a78e5c73fa23def243dfe7cd5830da0b06939735233c1699c3c94e |
memory/2276-16-0x0000000003480000-0x0000000003963000-memory.dmp
memory/2276-17-0x0000000000120000-0x0000000000603000-memory.dmp
memory/3056-18-0x00000000003B0000-0x0000000000893000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 04113afab96ff36e7da4cabf336079cf |
| SHA1 | 2ab6a01f123c1ef4227cb134612749b67a237bf6 |
| SHA256 | 8b3cc0c31002ffa60f497966a671ff1c0a23a6efa831bd2be2cfbee7588bac16 |
| SHA512 | 68358e6ae577e59dd540c31d4cfcf56968d9b84416ffcd527867711165d78a9f351da0bf41afab96107b1dc736467b092f5b79be2b8f7f96f6871e4a0b5472e9 |
memory/3056-21-0x00000000003B0000-0x0000000000893000-memory.dmp
\Users\Admin\AppData\Local\Temp\ctfmom.exe
| MD5 | 867a0c87622fb12e776a28057418b9d3 |
| SHA1 | 360ed8f313d3615368cadba46dc0afc6b876a04d |
| SHA256 | a5fca208d04e68ca9be9433f8ddfdb9d3456fa032bc623a73f7726db906503ea |
| SHA512 | 03188e6e98ef981d80b66b190c0cc1e4a23958b4c4f335226927b7c85ccdeb6ad6021b09150106286f820890fe55c84281832e72b004c393b37eb5860bfe87b0 |
memory/3056-27-0x0000000003970000-0x0000000003A11000-memory.dmp
memory/3056-33-0x00000000003B0000-0x0000000000893000-memory.dmp
memory/2856-30-0x0000000000DA0000-0x0000000000E41000-memory.dmp
memory/2856-29-0x0000000000DA0000-0x0000000000E41000-memory.dmp
memory/2856-34-0x0000000000DA0000-0x0000000000E41000-memory.dmp
memory/2856-35-0x0000000000DA0000-0x0000000000E41000-memory.dmp
memory/2856-36-0x0000000000DA0000-0x0000000000E41000-memory.dmp
memory/2856-37-0x0000000000DA0000-0x0000000000E41000-memory.dmp
memory/2856-38-0x0000000000DA0000-0x0000000000E41000-memory.dmp
memory/2856-39-0x0000000000DA0000-0x0000000000E41000-memory.dmp
memory/2856-40-0x0000000000DA0000-0x0000000000E41000-memory.dmp
memory/2856-41-0x0000000000DA0000-0x0000000000E41000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-07 23:03
Reported
2024-10-08 10:57
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
146s
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-10-07_23690845e877f9d22e798d9574e7b659_magniber_qakbot.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sander.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ctfmom.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-07_23690845e877f9d22e798d9574e7b659_magniber_qakbot.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-07_23690845e877f9d22e798d9574e7b659_magniber_qakbot.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-07_23690845e877f9d22e798d9574e7b659_magniber_qakbot.exe"
C:\Users\Admin\AppData\Local\Temp\sander.exe
"C:\Users\Admin\AppData\Local\Temp\sander.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
C:\Users\Admin\AppData\Local\Temp\ctfmom.exe
"C:\Users\Admin\AppData\Local\Temp\ctfmom.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| KR | 121.88.5.183:11300 | | tcp |
| KR | 121.88.5.184:11170 | | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| KR | 112.223.217.101:11300 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.209.201.84.in-addr.arpa | udp |
Files
memory/2656-0-0x0000000000CE0000-0x00000000011C3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sander.exe
| MD5 | fe79d4c2bf2858c385c34b753879d5ce |
| SHA1 | 806c5fbff0bbdad5f537b0ae911342308afaccfc |
| SHA256 | 79a23eddd8cb1504518e58bf303a86be56ebdb981abdb329c4565fb6c2bdcd07 |
| SHA512 | 0eb1a14dd0c2f9c9d2ffa308202b976768c55f16eaa2aeb16db2e1d37d014caefb4688decc08dafcf975e2f50d98acdbf959f133b12b3280c0f09b70f5c0e83e |
memory/4964-12-0x0000000000730000-0x0000000000C13000-memory.dmp
memory/2656-14-0x0000000000CE0000-0x00000000011C3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat
| MD5 | 2ff029275333345f349d87bd2da43beb |
| SHA1 | 623b15acfddbbc2845fa093bcf29c9a46d3ab7ae |
| SHA256 | d23e3379d58c23a15f2f37f124c79e579f080986e7670f7bd357411f7acc1fe2 |
| SHA512 | 59dfd1e0a5e8a2426083be45c11a1a94b88e6bb6b3958cbd3a96938cb6e57389fa67b45de0a78e5c73fa23def243dfe7cd5830da0b06939735233c1699c3c94e |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 04113afab96ff36e7da4cabf336079cf |
| SHA1 | 2ab6a01f123c1ef4227cb134612749b67a237bf6 |
| SHA256 | 8b3cc0c31002ffa60f497966a671ff1c0a23a6efa831bd2be2cfbee7588bac16 |
| SHA512 | 68358e6ae577e59dd540c31d4cfcf56968d9b84416ffcd527867711165d78a9f351da0bf41afab96107b1dc736467b092f5b79be2b8f7f96f6871e4a0b5472e9 |
memory/4964-17-0x0000000000730000-0x0000000000C13000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ctfmom.exe
| MD5 | 29dc07562f7846ccd17b6de1311caea1 |
| SHA1 | 75c7a1fd730fa9279f8cdd725f3af985bca63441 |
| SHA256 | b3c18afcfa8ac1952c5763d748b15aeea1308f77f54a6c977f7aa51dc0b866ba |
| SHA512 | ae182aa17906ad0a0a071b0e91334787e85ae9a2ccc229a8543c92524245c4a3f4e2ff26539d34d40cd070384d98be1b24401400e2a9f17e3fca09d5ab3ffc54 |
memory/4776-26-0x0000000000290000-0x0000000000331000-memory.dmp
memory/4776-27-0x0000000000270000-0x0000000000272000-memory.dmp
memory/4776-28-0x0000000000290000-0x0000000000331000-memory.dmp
memory/4964-31-0x0000000000730000-0x0000000000C13000-memory.dmp
memory/4776-33-0x0000000000270000-0x0000000000272000-memory.dmp
memory/4776-32-0x0000000000290000-0x0000000000331000-memory.dmp
memory/4776-34-0x0000000000290000-0x0000000000331000-memory.dmp
memory/4776-35-0x0000000000290000-0x0000000000331000-memory.dmp
memory/4776-36-0x0000000000290000-0x0000000000331000-memory.dmp
memory/4776-37-0x0000000000290000-0x0000000000331000-memory.dmp
memory/4776-38-0x0000000000290000-0x0000000000331000-memory.dmp
memory/4776-39-0x0000000000290000-0x0000000000331000-memory.dmp
memory/4776-40-0x0000000000290000-0x0000000000331000-memory.dmp
memory/4776-41-0x0000000000290000-0x0000000000331000-memory.dmp
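Consolidating both detonations into indicators, as an added example that is not part of the sandbox report. The SHA-256 values and endpoints are copied from the two Files and Network sections above; the grouping logic is the added part. It separates artifacts that are byte-identical across the Windows 7 and Windows 10 runs (_sannuyex.bat, golfinfo.ini) from the ones whose hash changes with every run (sander.exe, ctfmom.exe), and keeps only the endpoints that were contacted by raw IP in both runs. Treating the DNS-resolved traffic to g.bing.com as OS background is an assumption.

```python
# Added example (not part of the sandbox report): consolidate the dropped-file
# hashes and network endpoints of both detonations above into IoCs, and separate
# what is stable across runs from what changes per run. Values are copied from
# the report; the grouping logic and the "background traffic" call are added.
from collections import defaultdict

# (detonation, dropped path, SHA-256) from the two "Files" sections
DROPPED = [
    ("behavioral1", r"\Users\Admin\AppData\Local\Temp\sander.exe",
     "55e7c6665c6f5c74207e32d205449104e34560e34a77c67c61878a2027276a1f"),
    ("behavioral1", r"C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat",
     "d23e3379d58c23a15f2f37f124c79e579f080986e7670f7bd357411f7acc1fe2"),
    ("behavioral1", r"C:\Users\Admin\AppData\Local\Temp\golfinfo.ini",
     "8b3cc0c31002ffa60f497966a671ff1c0a23a6efa831bd2be2cfbee7588bac16"),
    ("behavioral1", r"\Users\Admin\AppData\Local\Temp\ctfmom.exe",
     "a5fca208d04e68ca9be9433f8ddfdb9d3456fa032bc623a73f7726db906503ea"),
    ("behavioral2", r"C:\Users\Admin\AppData\Local\Temp\sander.exe",
     "79a23eddd8cb1504518e58bf303a86be56ebdb981abdb329c4565fb6c2bdcd07"),
    ("behavioral2", r"C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat",
     "d23e3379d58c23a15f2f37f124c79e579f080986e7670f7bd357411f7acc1fe2"),
    ("behavioral2", r"C:\Users\Admin\AppData\Local\Temp\golfinfo.ini",
     "8b3cc0c31002ffa60f497966a671ff1c0a23a6efa831bd2be2cfbee7588bac16"),
    ("behavioral2", r"C:\Users\Admin\AppData\Local\Temp\ctfmom.exe",
     "b3c18afcfa8ac1952c5763d748b15aeea1308f77f54a6c977f7aa51dc0b866ba"),
]

# (detonation, country, ip, port, proto, resolved domain or None) from both "Network" tables
NETWORK = [
    ("behavioral1", "KR", "121.88.5.183", 11300, "tcp", None),
    ("behavioral1", "KR", "121.88.5.184", 11170, "tcp", None),
    ("behavioral1", "KR", "112.223.217.101", 11300, "tcp", None),
    ("behavioral2", "US", "8.8.8.8", 53, "udp", "g.bing.com"),
    ("behavioral2", "US", "150.171.27.10", 443, "tcp", "g.bing.com"),
    ("behavioral2", "KR", "121.88.5.183", 11300, "tcp", None),
    ("behavioral2", "KR", "121.88.5.184", 11170, "tcp", None),
    ("behavioral2", "KR", "112.223.217.101", 11300, "tcp", None),
]


def classify_dropped(records):
    """Per dropped file name: the SHA-256 values seen, the number of runs that
    produced it, and whether it was byte-identical in every one of those runs."""
    hashes, runs = defaultdict(set), defaultdict(set)
    for run, path, sha256 in records:
        name = path.rsplit("\\", 1)[-1].lower()
        hashes[name].add(sha256)
        runs[name].add(run)
    return {
        name: {"sha256": sorted(hashes[name]),
               "runs": len(runs[name]),
               "stable": len(hashes[name]) == 1 and len(runs[name]) > 1}
        for name in hashes
    }


def direct_ip_endpoints(net):
    """Endpoints contacted by raw IP (no DNS name) in more than one run.
    Name-resolved traffic such as g.bing.com is assumed to be OS background."""
    seen = defaultdict(set)
    for run, _country, ip, port, proto, domain in net:
        if domain is None:
            seen[(ip, port, proto)].add(run)
    return sorted(key for key, runs in seen.items() if len(runs) > 1)


def ioc_bundle(records, net):
    """Hash indicators only for artifacts that do not change between runs;
    the per-run droppers get a file-name indicator instead of a hash."""
    files = classify_dropped(records)
    return {
        "stable_sha256": {n: f["sha256"][0] for n, f in files.items() if f["stable"]},
        "variant_names": sorted(n for n, f in files.items() if not f["stable"]),
        "endpoints": [f"{ip}:{port}/{proto}" for ip, port, proto in direct_ip_endpoints(net)],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(ioc_bundle(DROPPED, NETWORK), indent=2))
```

The point of the split: sander.exe and ctfmom.exe carry a different hash in each run, so a blocklist built from one detonation's hashes of those two files is stale immediately. The batch file and golfinfo.ini are identical across both platforms, and the three KR hosts on TCP 11300/11170 are contacted by IP in both runs, so those are the indicators worth pushing alongside the behavioral rules.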