Analysis

  • max time kernel
    134s
  • resource
    win7v191014
  • submitted
    06-12-2019 16:08

General

  • Target

    update.bin.exe

  • Sample

    191206-s2wazv1yle

  • SHA256

    983ea66816fa3e0a089be5ac33e8f3e2ff92b53e804389805fc591ea12cf09d0

Malware Config

Extracted

Family

qakbot

Campaign

1575272833

C2


Signatures

  • Suspicious use of WriteProcessMemory 19 IoCs
  • Loads dropped DLL 6 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Adds Run entry to start application 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Qakbot/Qbot

    Qbot, or Qakbot, is a sophisticated worm with banking capabilities.

  • Turn off Windows Defender SpyNet reporting 6 IoCs
  • Windows security bypass 2 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\update.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\update.bin.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:1620
    • C:\Users\Admin\AppData\Local\Temp\update.bin.exe
      C:\Users\Admin\AppData\Local\Temp\update.bin.exe /C
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1108
    • C:\Users\Admin\AppData\Roaming\Microsoft\Hbxryn\payly.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Hbxryn\payly.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      • Loads dropped DLL
      • Suspicious behavior: MapViewOfSection
      • Suspicious behavior: EnumeratesProcesses
      • Executes dropped EXE
      PID:1092
      • C:\Users\Admin\AppData\Roaming\Microsoft\Hbxryn\payly.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Hbxryn\payly.exe /C
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Executes dropped EXE
        PID:548
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2024
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn krtbzyfwy /tr "\"C:\Users\Admin\AppData\Local\Temp\update.bin.exe\" /I krtbzyfwy" /SC ONCE /Z /ST 17:10 /ET 17:22
      2⤵
      PID:1324
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-115038910015188956801145298583-1479397551652332624-1907009593-191511810289101129"
    1⤵
    PID:796
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {1B7528C7-3971-41D9-82F6-2A1D9447D177} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1236
    • C:\Users\Admin\AppData\Local\Temp\update.bin.exe
      C:\Users\Admin\AppData\Local\Temp\update.bin.exe /I krtbzyfwy
      2⤵
      • Suspicious use of WriteProcessMemory
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:1120
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        3⤵
        PID:1620
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
        3⤵
        PID:1292
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        3⤵
        PID:1424
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
        3⤵
        PID:1520
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        3⤵
        PID:1804
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
        3⤵
        PID:1180
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        3⤵
        PID:320
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
        3⤵
        PID:776
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Hbxryn" /d "0"
        3⤵
        PID:1144
      • C:\Users\Admin\AppData\Roaming\Microsoft\Hbxryn\payly.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Hbxryn\payly.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Executes dropped EXE
        PID:1732
        • C:\Users\Admin\AppData\Roaming\Microsoft\Hbxryn\payly.exe
          C:\Users\Admin\AppData\Roaming\Microsoft\Hbxryn\payly.exe /C
          4⤵
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Executes dropped EXE
          PID:864
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\update.bin.exe"
        3⤵
        PID:1932
        • C:\Windows\system32\PING.EXE
          ping.exe -n 6 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:1716
      • C:\Windows\system32\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /DELETE /F /TN krtbzyfwy
        3⤵
        PID:1680
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "1925843867-1252870584-153587140418042367762066435233-97244725714215768374936589"
    1⤵
    PID:792
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "5991945751477317584481580963-28244590631661012-26451545-1512751781211705908"
    1⤵
    PID:1452
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "1217975599-26466555014628137673306857831265789172-1018989508-318191391-743193213"
    1⤵
    PID:1904
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-1125423169122185108510964049223639841713832155-343241470-2115370341245017430"
    1⤵
    PID:1016
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-802413980570330605193772083-9101082131045606861-1156282892-188116258779215992"
    1⤵
    PID:1344
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-397546529-843389547-26192131516565029721734074481465266374-1136034080-1528723127"
    1⤵
    PID:1860
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "77852560294720291500936098-465784873-2122278567-1481228945-9190777731422459859"
    1⤵
    PID:656
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "4916208491596549119997024938-6061279751786413012-5610594391857924242-1377142757"
    1⤵
    PID:1084
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "1436907015-1852971359145929777513809988051237679605208291478816425429341522235461"
    1⤵
    PID:1724
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "134596354628802124-977017570-1107757775740560907-1244859459-1860076521674221769"
    1⤵
    PID:544
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "13618150012014722858873317201-354127923-1032783271-15507425611090549047-1012148730"
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:576

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    Registry Run Keys / Startup Folder (1) T1060
  • Defense Evasion
    Modify Registry (2) T1112
    Disabling Security Tools (1) T1089
  • Discovery
    Query Registry (1) T1012
    Remote System Discovery (1) T1018


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Hbxryn\payly.dat
  • C:\Users\Admin\AppData\Roaming\Microsoft\Hbxryn\payly.exe
  • \Users\Admin\AppData\Roaming\Microsoft\Hbxryn\payly.exe
  • memory/548-13-0x0000000002650000-0x0000000002661000-memory.dmp (Filesize: 68KB)
  • memory/864-27-0x0000000002460000-0x0000000002471000-memory.dmp (Filesize: 68KB)
  • memory/1092-14-0x00000000020A0000-0x0000000002132000-memory.dmp (Filesize: 584KB)
  • memory/1108-0-0x0000000002520000-0x0000000002531000-memory.dmp (Filesize: 68KB)