Analysis

  • max time kernel
    149s
  • resource
    win10v191014
  • submitted
    16-12-2019 17:39

General

  • Target

    b5b4.exe

  • Sample

    191216-2se5jb3s4x

  • SHA256

    b5b4b488a0a8f8ad6c5a738c2bc7dcbd7c198005d6adf2297b6f482b748440f6

Malware Config

Extracted

Family

qakbot

Campaign

1576221125

C2

72.187.35.131:443

188.61.134.98:2222

47.153.115.154:995

75.130.117.134:443

174.131.181.120:995

24.32.119.146:443

184.101.230.153:443

70.124.29.226:443

47.227.198.155:443

12.176.32.146:443

172.89.144.89:995

66.214.75.176:443

99.228.5.106:443

98.237.120.65:995

206.51.202.106:50002

50.247.230.33:995

96.37.137.42:443

73.226.220.56:443

70.164.39.91:443

104.152.16.45:995

Signatures

  • Executes dropped EXE 4 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Drops file in Windows directory 1 IoCs
  • Adds Run entry to start application 2 TTPs 1 IoCs
  • Turn off Windows Defender SpyNet reporting 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities

  • Windows security modification 2 TTPs 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • Checks system information in the registry 2 TTPs 2 IoCs

    System information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b5b4.exe
    "C:\Users\Admin\AppData\Local\Temp\b5b4.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: EnumeratesProcesses
    PID:4916
    • C:\Users\Admin\AppData\Local\Temp\b5b4.exe
      C:\Users\Admin\AppData\Local\Temp\b5b4.exe /C
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4972
    • C:\Users\Admin\AppData\Roaming\Microsoft\Ahaeti\vrjuunk.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Ahaeti\vrjuunk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      • Suspicious behavior: EnumeratesProcesses
      PID:364
      • C:\Users\Admin\AppData\Roaming\Microsoft\Ahaeti\vrjuunk.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Ahaeti\vrjuunk.exe /C
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:3060
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3052
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn wptxwaijpz /tr "\"C:\Users\Admin\AppData\Local\Temp\b5b4.exe\" /I wptxwaijpz" /SC ONCE /Z /ST 18:41 /ET 18:53
      2⤵
        PID:1016
    • C:\Windows\system32\SppExtComObj.exe
      C:\Windows\system32\SppExtComObj.exe -Embedding
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:5016
      • C:\Windows\System32\SLUI.exe
        "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
        2⤵
          PID:5048
      • \??\c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s BITS
        1⤵
        • Drops file in Windows directory
        PID:3748
      • \??\c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
        1⤵
          PID:4636
        • C:\Users\Admin\AppData\Local\Temp\b5b4.exe
          C:\Users\Admin\AppData\Local\Temp\b5b4.exe /I wptxwaijpz
          1⤵
          • Suspicious use of WriteProcessMemory
          • Suspicious behavior: EnumeratesProcesses
          PID:4204
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
            2⤵
              PID:4956
            • C:\Windows\system32\reg.exe
              C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
              2⤵
                PID:804
              • C:\Windows\system32\reg.exe
                C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
                2⤵
                  PID:5008
                • C:\Windows\system32\reg.exe
                  C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
                  2⤵
                    PID:1676
                  • C:\Windows\system32\reg.exe
                    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
                    2⤵
                      PID:5060
                    • C:\Windows\system32\reg.exe
                      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
                      2⤵
                        PID:3536
                      • C:\Windows\system32\reg.exe
                        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
                        2⤵
                          PID:2972
                        • C:\Windows\system32\reg.exe
                          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
                          2⤵
                            PID:4928
                          • C:\Windows\system32\reg.exe
                            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Ahaeti" /d "0"
                            2⤵
                              PID:1784
                            • C:\Users\Admin\AppData\Roaming\Microsoft\Ahaeti\vrjuunk.exe
                              C:\Users\Admin\AppData\Roaming\Microsoft\Ahaeti\vrjuunk.exe
                              2⤵
                              • Executes dropped EXE
                              • Suspicious use of WriteProcessMemory
                              • Suspicious behavior: EnumeratesProcesses
                              PID:3044
                              • C:\Users\Admin\AppData\Roaming\Microsoft\Ahaeti\vrjuunk.exe
                                C:\Users\Admin\AppData\Roaming\Microsoft\Ahaeti\vrjuunk.exe /C
                                3⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                PID:68
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\b5b4.exe"
                              2⤵
                                PID:3632
                                • C:\Windows\system32\PING.EXE
                                  ping.exe -n 6 127.0.0.1
                                  3⤵
                                  • Runs ping.exe
                                  PID:808
                              • C:\Windows\system32\schtasks.exe
                                "C:\Windows\system32\schtasks.exe" /DELETE /F /TN wptxwaijpz
                                2⤵
                                  PID:3560
                              • \??\c:\windows\system32\svchost.exe
                                c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
                                1⤵
                                  PID:4184
                                • \??\c:\windows\system32\svchost.exe
                                  c:\windows\system32\svchost.exe -k unistacksvcgroup
                                  1⤵
                                    PID:4848
                                  • \??\c:\windows\system32\svchost.exe
                                    c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
                                    1⤵
                                      PID:4816

                                    Network

                                    MITRE ATT&CK Matrix ATT&CK v6

                                    Persistence

                                    Registry Run Keys / Startup Folder

                                    1
                                    T1060

                                    Defense Evasion

                                    Modify Registry

                                    3
                                    T1112

                                    Disabling Security Tools

                                    2
                                    T1089

                                    Discovery

                                    Query Registry

                                    3
                                    T1012

                                    Peripheral Device Discovery

                                    1
                                    T1120

                                    System Information Discovery

                                    2
                                    T1082

                                    Remote System Discovery

                                    1
                                    T1018

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Ahaeti\vrjuunk.dat
                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Ahaeti\vrjuunk.exe
                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Ahaeti\vrjuunk.exe
                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Ahaeti\vrjuunk.exe
                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Ahaeti\vrjuunk.exe
                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Ahaeti\vrjuunk.exe
                                    • memory/68-20-0x0000000002A70000-0x0000000002A71000-memory.dmp
                                      Filesize

                                      4KB

                                    • memory/364-5-0x0000000002B00000-0x0000000002B92000-memory.dmp
                                      Filesize

                                      584KB

                                    • memory/3060-4-0x0000000002A00000-0x0000000002A01000-memory.dmp
                                      Filesize

                                      4KB

                                    • memory/4972-0-0x0000000002A30000-0x0000000002A31000-memory.dmp
                                      Filesize

                                      4KB