Analysis

  • max time kernel
    133s
  • resource
    win7v191014
  • submitted
    27-01-2020 17:27

General

  • Target

    444444.png

  • Sample

    200127-qphfsygwzj

  • SHA256

    2ada31879ae7419da5f19095e6a086938475e97f8b022fe24bf25208778eb850

Malware Config

Signatures

  • Adds Run entry to start application 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities

  • Turn off Windows Defender SpyNet reporting 6 IoCs
  • Windows security bypass 2 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Windows security modification 2 TTPs 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\444444.png.exe
    "C:\Users\Admin\AppData\Local\Temp\444444.png.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • Loads dropped DLL
    PID:316
    • C:\Users\Admin\AppData\Local\Temp\444444.png.exe
      C:\Users\Admin\AppData\Local\Temp\444444.png.exe /C
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1088
    • C:\Users\Admin\AppData\Roaming\Microsoft\Ekpgnmoza\zytkuh.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Ekpgnmoza\zytkuh.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      • Executes dropped EXE
      • Suspicious behavior: MapViewOfSection
      PID:1108
      • C:\Users\Admin\AppData\Roaming\Microsoft\Ekpgnmoza\zytkuh.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Ekpgnmoza\zytkuh.exe /C
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Executes dropped EXE
        PID:2004
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Adds Run entry to start application
        • Suspicious behavior: EnumeratesProcesses
        PID:1968
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn nulffedj /tr "\"C:\Users\Admin\AppData\Local\Temp\444444.png.exe\" /I nulffedj" /SC ONCE /Z /ST 18:29 /ET 18:41
      2⤵
        PID:1104
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {B1917106-BE34-4D49-9738-E2B89A2336B6} S-1-5-18:NT AUTHORITY\System:Service:
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:836
      • C:\Users\Admin\AppData\Local\Temp\444444.png.exe
        C:\Users\Admin\AppData\Local\Temp\444444.png.exe /I nulffedj
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1952
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
          3⤵
          • Turn off Windows Defender SpyNet reporting
          • Windows security modification
          PID:1900
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
          3⤵
          • Turn off Windows Defender SpyNet reporting
          • Windows security modification
          PID:1148
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
          3⤵
            PID:2028
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
            3⤵
              PID:1832
            • C:\Windows\system32\reg.exe
              C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
              3⤵
              • Turn off Windows Defender SpyNet reporting
              • Windows security modification
              PID:1264
            • C:\Windows\system32\reg.exe
              C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
              3⤵
              • Turn off Windows Defender SpyNet reporting
              • Windows security modification
              PID:1964
            • C:\Windows\system32\reg.exe
              C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
              3⤵
              • Turn off Windows Defender SpyNet reporting
              • Windows security modification
              PID:1104
            • C:\Windows\system32\reg.exe
              C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
              3⤵
              • Turn off Windows Defender SpyNet reporting
              • Windows security modification
              PID:1100
            • C:\Windows\system32\reg.exe
              C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Ekpgnmoza" /d "0"
              3⤵
              • Windows security bypass
              PID:1352
            • C:\Users\Admin\AppData\Roaming\Microsoft\Ekpgnmoza\zytkuh.exe
              C:\Users\Admin\AppData\Roaming\Microsoft\Ekpgnmoza\zytkuh.exe
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              • Executes dropped EXE
              PID:1220
              • C:\Users\Admin\AppData\Roaming\Microsoft\Ekpgnmoza\zytkuh.exe
                C:\Users\Admin\AppData\Roaming\Microsoft\Ekpgnmoza\zytkuh.exe /C
                4⤵
                • Suspicious behavior: EnumeratesProcesses
                • Executes dropped EXE
                PID:520
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\444444.png.exe"
              3⤵
                PID:988
                • C:\Windows\system32\PING.EXE
                  ping.exe -n 6 127.0.0.1
                  4⤵
                  • Runs ping.exe
                  PID:1800
              • C:\Windows\system32\schtasks.exe
                "C:\Windows\system32\schtasks.exe" /DELETE /F /TN nulffedj
                3⤵
                  PID:1128

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Persistence

            Registry Run Keys / Startup Folder

            1
            T1060

            Defense Evasion

            Modify Registry

            3
            T1112

            Disabling Security Tools

            2
            T1089

            Discovery

            Remote System Discovery

            1
            T1018

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Roaming\Microsoft\Ekpgnmoza\zytkuh.dat
            • C:\Users\Admin\AppData\Roaming\Microsoft\Ekpgnmoza\zytkuh.exe
            • C:\Users\Admin\AppData\Roaming\Microsoft\Ekpgnmoza\zytkuh.exe
            • C:\Users\Admin\AppData\Roaming\Microsoft\Ekpgnmoza\zytkuh.exe
            • C:\Users\Admin\AppData\Roaming\Microsoft\Ekpgnmoza\zytkuh.exe
            • \Users\Admin\AppData\Roaming\Microsoft\Ekpgnmoza\zytkuh.exe
            • memory/520-9-0x00000000023A0000-0x00000000023B1000-memory.dmp
              Filesize

              68KB

            • memory/1088-0-0x0000000002230000-0x0000000002241000-memory.dmp
              Filesize

              68KB

            • memory/1108-5-0x0000000000530000-0x000000000056B000-memory.dmp
              Filesize

              236KB

            • memory/2004-4-0x00000000022F0000-0x0000000002301000-memory.dmp
              Filesize

              68KB