Darlehensvertrag_42816504192_15052020.vbs

General
Target: Darlehensvertrag_42816504192_15052020.vbs
Filesize: 36MB
Completed: 19-05-2020 13:09
Score: 10/10
MD5: e44fb6c9a050ae7ef4b55cce6a71cdcd
SHA1: dd77b217e503fddaf28bb60b6e3280a692807976
SHA256: c888b058cd85352ec803eb2a6e78bef567b844e9982176efbcd7074982a760de

Malware Config
Extracted
Family: qakbot
Botnet: spx121
Campaign: 1589802571
C2:

Signatures (13)


Tactics: Defense Evasion, Discovery, Persistence
  • Suspicious behavior: MapViewOfSection
    Process: wnieyjug.exe
    Reported IOCs
    pid | process
    1572 | wnieyjug.exe
  • Windows security modification
    Processes: reg.exe (6 instances)
    TTPs: Disabling Security Tools, Modify Registry
    Reported IOCs
    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet | reg.exe (×2)
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet | reg.exe (×2)
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet | reg.exe (×2)
  • Windows security bypass
    Process: reg.exe
    TTPs: Disabling Security Tools, Modify Registry
    Reported IOCs
    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Acsubziue = "0" | reg.exe
  • Runs ping.exe
    Process: PING.EXE
    TTPs: Remote System Discovery
    Reported IOCs
    pid | process
    864 | PING.EXE
  • Qakbot/Qbot
    Description: Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Executes dropped EXE
    Processes: PicturesViewer.exe, PicturesViewer.exe, wnieyjug.exe, wnieyjug.exe, PicturesViewer.exe, wnieyjug.exe, wnieyjug.exe
    Reported IOCs
    pid | process
    1884 | PicturesViewer.exe
    1608 | PicturesViewer.exe
    1572 | wnieyjug.exe
    1964 | wnieyjug.exe
    1028 | PicturesViewer.exe
    484 | wnieyjug.exe
    952 | wnieyjug.exe
  • Suspicious use of WriteProcessMemory
    Processes: WScript.exe, PicturesViewer.exe, wnieyjug.exe, taskeng.exe, PicturesViewer.exe
    Reported IOCs
    description | pid | process | target process | events
    PID 1068 wrote to memory of 1884 | 1068 | WScript.exe | PicturesViewer.exe | ×4
    PID 1884 wrote to memory of 1608 | 1884 | PicturesViewer.exe | PicturesViewer.exe | ×4
    PID 1884 wrote to memory of 1572 | 1884 | PicturesViewer.exe | wnieyjug.exe | ×4
    PID 1884 wrote to memory of 1936 | 1884 | PicturesViewer.exe | schtasks.exe | ×4
    PID 1572 wrote to memory of 1964 | 1572 | wnieyjug.exe | wnieyjug.exe | ×4
    PID 1572 wrote to memory of 1956 | 1572 | wnieyjug.exe | explorer.exe | ×5
    PID 1200 wrote to memory of 1028 | 1200 | taskeng.exe | PicturesViewer.exe | ×4
    PID 1028 wrote to memory of 1692 | 1028 | PicturesViewer.exe | reg.exe | ×4
    PID 1028 wrote to memory of 516 | 1028 | PicturesViewer.exe | reg.exe | ×4
    PID 1028 wrote to memory of 1448 | 1028 | PicturesViewer.exe | reg.exe | ×4
    PID 1028 wrote to memory of 1512 | 1028 | PicturesViewer.exe | reg.exe | ×4
    PID 1028 wrote to memory of 1020 | 1028 | PicturesViewer.exe | reg.exe | ×4
    PID 1028 wrote to memory of 2008 | 1028 | PicturesViewer.exe | reg.exe | ×4
    PID 1028 wrote to memory of 1764 | 1028 | PicturesViewer.exe | reg.exe | ×4
    PID 1028 wrote to memory of 1180 | 1028 | PicturesViewer.exe | reg.exe | ×4
    PID 1028 wrote to memory of 1456 | 1028 | PicturesViewer.exe | reg.exe | ×3
  • Suspicious behavior: EnumeratesProcesses
    Processes: PicturesViewer.exe, PicturesViewer.exe, wnieyjug.exe, wnieyjug.exe, explorer.exe, PicturesViewer.exe, wnieyjug.exe, wnieyjug.exe
    Reported IOCs
    pid | process
    1884 | PicturesViewer.exe
    1608 | PicturesViewer.exe (×2)
    1572 | wnieyjug.exe
    1964 | wnieyjug.exe (×2)
    1956 | explorer.exe (×2)
    1028 | PicturesViewer.exe
    484 | wnieyjug.exe
    952 | wnieyjug.exe (×2)
  • Loads dropped DLL
    Processes: PicturesViewer.exe, PicturesViewer.exe
    Reported IOCs
    pid | process
    1884 | PicturesViewer.exe (×3)
    1028 | PicturesViewer.exe
  • Turns off Windows Defender SpyNet reporting
    Processes: reg.exe (6 instances)
    Reported IOCs
    description | ioc | process
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | reg.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2" | reg.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting = "0" | reg.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent = "2" | reg.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SpyNetReporting = "0" | reg.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent = "2" | reg.exe
  • Modifies data under HKEY_USERS
    Process: PicturesViewer.exe
    Reported IOCs
    description | ioc | process
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | PicturesViewer.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | PicturesViewer.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | PicturesViewer.exe
  • Creates scheduled task(s)
    Process: schtasks.exe
    Description: Schtasks is often used by malware for persistence or to perform post-infection execution.
    TTPs: Scheduled Task
    Reported IOCs
    pid | process
    1936 | schtasks.exe
  • Blacklisted process makes network request
    Process: WScript.exe
    Reported IOCs
    flow | pid | process
    2 | 1068 | WScript.exe
    4 | 1068 | WScript.exe
    7 | 1068 | WScript.exe
    9 | 1068 | WScript.exe
Processes (23)
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Darlehensvertrag_42816504192_15052020.vbs"
    Suspicious use of WriteProcessMemory
    Blacklisted process makes network request
    PID:1068
    • C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
      C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      Suspicious behavior: EnumeratesProcesses
      Loads dropped DLL
      PID:1884
      • C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
        C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe /C
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        PID:1608
      • C:\Users\Admin\AppData\Roaming\Microsoft\Acsubziue\wnieyjug.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Acsubziue\wnieyjug.exe
        Suspicious behavior: MapViewOfSection
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        Suspicious behavior: EnumeratesProcesses
        PID:1572
        • C:\Users\Admin\AppData\Roaming\Microsoft\Acsubziue\wnieyjug.exe
          C:\Users\Admin\AppData\Roaming\Microsoft\Acsubziue\wnieyjug.exe /C
          Executes dropped EXE
          Suspicious behavior: EnumeratesProcesses
          PID:1964
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          Suspicious behavior: EnumeratesProcesses
          PID:1956
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn vibhuwyoc /tr "\"C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe\" /I vibhuwyoc" /SC ONCE /Z /ST 15:09 /ET 15:21
        Creates scheduled task(s)
        PID:1936
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {993A98C4-DF39-4597-990B-D65ECEADDFDC} S-1-5-18:NT AUTHORITY\System:Service:
    Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
      C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe /I vibhuwyoc
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      Suspicious behavior: EnumeratesProcesses
      Loads dropped DLL
      Modifies data under HKEY_USERS
      PID:1028
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        Windows security modification
        Turns off Windows Defender SpyNet reporting
        PID:1692
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
        Windows security modification
        Turns off Windows Defender SpyNet reporting
        PID:516
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        PID:1448
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
        PID:1512
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        Windows security modification
        Turns off Windows Defender SpyNet reporting
        PID:1020
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
        Windows security modification
        Turns off Windows Defender SpyNet reporting
        PID:2008
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        Windows security modification
        Turns off Windows Defender SpyNet reporting
        PID:1764
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
        Windows security modification
        Turns off Windows Defender SpyNet reporting
        PID:1180
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Acsubziue" /d "0"
        Windows security bypass
        PID:1456
      • C:\Users\Admin\AppData\Roaming\Microsoft\Acsubziue\wnieyjug.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Acsubziue\wnieyjug.exe
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        PID:484
        • C:\Users\Admin\AppData\Roaming\Microsoft\Acsubziue\wnieyjug.exe
          C:\Users\Admin\AppData\Roaming\Microsoft\Acsubziue\wnieyjug.exe /C
          Executes dropped EXE
          Suspicious behavior: EnumeratesProcesses
          PID:952
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe"
        PID:1824
        • C:\Windows\system32\PING.EXE
          ping.exe -n 6 127.0.0.1
          Runs ping.exe
          PID:864
      • C:\Windows\system32\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /DELETE /F /TN vibhuwyoc
        PID:1760
Downloads
  • C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe (×4)
  • C:\Users\Admin\AppData\Roaming\Microsoft\Acsubziue\wnieyjug.dat
  • C:\Users\Admin\AppData\Roaming\Microsoft\Acsubziue\wnieyjug.exe (×5)
  • \Users\Admin\AppData\Local\Temp\PicturesViewer.exe
  • \Users\Admin\AppData\Roaming\Microsoft\Acsubziue\wnieyjug.exe (×3)
  • memory/952-18-0x00000000022E0000-0x00000000022F1000-memory.dmp
  • memory/1068-1-0x0000000002FB0000-0x0000000002FB4000-memory.dmp
  • memory/1572-12-0x00000000002F0000-0x000000000032A000-memory.dmp
  • memory/1608-5-0x0000000002350000-0x0000000002361000-memory.dmp
  • memory/1964-11-0x0000000002320000-0x0000000002331000-memory.dmp