Resubmissions

28-12-2022 20:37

221228-zea5taef5v 10

13-07-2021 12:27

210713-cvc55ag4yn 10

25-02-2021 06:56

210225-dwftz9jkjn 10

04-11-2019 11:15

191104-athqk1tjxn 10

Analysis

  • max time kernel
    138s
  • max time network
    149s
  • resource
    win10v191014
  • submitted
    04-11-2019 11:15

General

  • Target

    update2.exe

  • Size

    746KB

  • MD5

    0bfb4a1efbb20a7291fcc022dec7d58b

  • SHA1

    faec2a0afe296224f980ac059cf63f18eba800ce

  • SHA256

    73ae67036a0d291c18208037010de359520cd613dda2f9eabfde3fec5558324f

  • SHA512

    eae0e585ef29f56f27da897783ec582b228124437a6355cfd7b56be229558913dfd87d3005482c0fe54ba8f5e79fb1d50f869bd0e619b0ca7318ac055c62b425

Malware Config

Extracted

Family

qakbot

Campaign

1572863946

Credentials

  • Protocol:
    ftp
  • Host:
    192.185.5.208
  • Port:
    21
  • Username:
    logger@dustinkeeling.com
  • Password:
    NxdkxAp4dUsY

  • Protocol:
    ftp
  • Host:
    162.241.218.118
  • Port:
    21
  • Username:
    logger@misterexterior.com
  • Password:
    EcOV0DyGVgVN

  • Protocol:
    ftp
  • Host:
    69.89.31.139
  • Port:
    21
  • Username:
    cpanel@vivekharris-architects.com
  • Password:
    fcR7OvyLrMW6!

  • Protocol:
    ftp
  • Host:
    169.207.67.14
  • Port:
    21
  • Username:
    cpanel@dovetailsolar.com
  • Password:
    eQyicNLzzqPN
C2

112.171.126.153:443

67.200.146.98:2222

174.16.234.171:993

71.30.56.170:443

71.77.231.251:443

72.213.98.233:443

2.50.170.151:443

184.180.157.203:2222

96.35.170.82:2222

64.19.74.29:995

104.32.185.213:2222

104.3.91.20:995

173.22.120.11:2222

173.3.132.17:995

74.194.4.181:443

75.131.72.82:443

68.238.144.55:443

100.4.185.8:443

104.34.122.18:443

65.30.12.240:443

Signatures

  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Windows security modification 2 TTPs 11 IoCs
  • Turns off Windows Defender SpyNet reporting 6 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Drops file in Windows directory 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 18 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies service 2 TTPs 5 IoCs
  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Suspicious use of WriteProcessMemory 46 IoCs
  • Executes dropped EXE 4 IoCs
  • Checks system information in the registry 2 TTPs 2 IoCs

    System information is often read in order to detect sandboxing environments.

  • System policy modification 1 TTPs 1 IoCs
  • Adds Run entry to start application 2 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\update2.exe
    "C:\Users\Admin\AppData\Local\Temp\update2.exe"
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4916
    • C:\Users\Admin\AppData\Local\Temp\update2.exe
      C:\Users\Admin\AppData\Local\Temp\update2.exe /C
      • Suspicious behavior: EnumeratesProcesses
      • Checks SCSI registry key(s)
      PID:4976
    • C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      • Executes dropped EXE
      PID:364
      • C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe /C
        • Suspicious behavior: EnumeratesProcesses
        • Checks SCSI registry key(s)
        • Executes dropped EXE
        PID:3060
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        • Suspicious behavior: EnumeratesProcesses
        • Adds Run entry to start application
        PID:3052
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn tdqnfqf /tr "\"C:\Users\Admin\AppData\Local\Temp\update2.exe\" /I tdqnfqf" /SC ONCE /Z /ST 12:17 /ET 12:29
      • Creates scheduled task(s)
      PID:1016
  • C:\Windows\system32\SppExtComObj.exe
    C:\Windows\system32\SppExtComObj.exe -Embedding
    • Suspicious use of WriteProcessMemory
    PID:5020
    • C:\Windows\System32\SLUI.exe
      "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
        PID:5048
    • C:\Users\Admin\AppData\Local\Temp\update2.exe
      C:\Users\Admin\AppData\Local\Temp\update2.exe /I tdqnfqf
      • Suspicious behavior: EnumeratesProcesses
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:4520
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        • Windows security modification
        • Turns off Windows Defender SpyNet reporting
        PID:3840
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
        • Windows security modification
        • Turns off Windows Defender SpyNet reporting
        PID:4284
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
          PID:4264
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
            PID:4628
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
            • Windows security modification
            • Turns off Windows Defender SpyNet reporting
            PID:4584
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
            • Windows security modification
            • Turns off Windows Defender SpyNet reporting
            PID:4684
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
            • Windows security modification
            • Turns off Windows Defender SpyNet reporting
            PID:4700
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
            • Windows security modification
            • Turns off Windows Defender SpyNet reporting
            PID:4360
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr" /d "0"
            • Windows security bypass
            PID:3700
          • C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
            C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            • Executes dropped EXE
            PID:2052
            • C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
              C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe /C
              • Suspicious behavior: EnumeratesProcesses
              • Checks SCSI registry key(s)
              • Executes dropped EXE
              PID:4152
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\update2.exe"
              PID:4244
              • C:\Windows\system32\PING.EXE
                ping.exe -n 6 127.0.0.1
                • Runs ping.exe
                PID:4180
            • C:\Windows\system32\schtasks.exe
              "C:\Windows\system32\schtasks.exe" /DELETE /F /TN tdqnfqf
                PID:4188
            • \??\c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s BITS
              • Modifies data under HKEY_USERS
              • Drops file in Windows directory
              • Modifies service
              PID:4892
            • \??\c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
              • Modifies service
              PID:4816
            • \??\c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
              • Checks system information in the registry
              PID:3536
            • \??\c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k unistacksvcgroup
                PID:3044
              • \??\c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
                • Windows security modification
                • Checks whether UAC is enabled
                • Modifies service
                • System policy modification
                PID:384

              Network

              MITRE ATT&CK Matrix ATT&CK v6

              Execution

              Scheduled Task

              1
              T1053

              Persistence

              Scheduled Task

              1
              T1053

              Modify Existing Service

              1
              T1031

              Registry Run Keys / Startup Folder

              1
              T1060

              Privilege Escalation

              Scheduled Task

              1
              T1053

              Defense Evasion

              Disabling Security Tools

              2
              T1089

              Modify Registry

              5
              T1112

              Discovery

              System Information Discovery

              3
              T1082

              Query Registry

              3
              T1012

              Peripheral Device Discovery

              1
              T1120

              Remote System Discovery

              1
              T1018

              Replay Monitor

              00:00 00:00

              Downloads

              • C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.dat
              • C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
              • C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
              • C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
              • C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
              • C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
              • memory/364-5-0x0000000002800000-0x0000000002892000-memory.dmp
                Filesize

                584KB

              • memory/3060-4-0x0000000002A80000-0x0000000002A81000-memory.dmp
                Filesize

                4KB

              • memory/4152-9-0x0000000002800000-0x0000000002801000-memory.dmp
                Filesize

                4KB

              • memory/4976-0-0x0000000002AF0000-0x0000000002AF1000-memory.dmp
                Filesize

                4KB