qakbot | hxxp://lindentowncenter[.]com/xnvejyacq/2767/Darlehensvertrag_2767_18052020[.]zip

General

Target

http://lindentowncenter.com/xnvejyacq/2767/Darlehensvertrag_2767_18052020.zip

Score

10^/10

trojan banker stealer qakbot

Malware Config

Extracted

Family

qakbot

Botnet

spx122

Campaign

1589882380

C2

72.183.129.56:443

72.190.101.70:443

74.75.216.202:443

47.40.244.237:443

209.182.121.133:2222

85.121.42.12:995

203.213.104.25:995

98.118.156.172:443

74.215.201.122:443

67.250.184.157:443

79.78.131.124:443

108.54.205.207:443

72.224.213.98:2222

24.27.82.216:2222

188.26.156.131:443

41.228.239.54:443

5.36.67.194:443

101.108.119.168:443

5.13.141.223:443

105.101.126.6:443

Signatures

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

iexplore.exeWScript.exePicturesViewer.exeWScript.exedeveaoo.exePicturesViewer.exeWScript.exePicturesViewer.exedeveaoo.exedeveaoo.exe

description	pid	process	target process
PID 1312 wrote to memory of 1588	1312	iexplore.exe	IEXPLORE.EXE
PID 1312 wrote to memory of 1588	1312	iexplore.exe	IEXPLORE.EXE
PID 1312 wrote to memory of 1588	1312	iexplore.exe	IEXPLORE.EXE
PID 976 wrote to memory of 500	976	WScript.exe	PicturesViewer.exe
PID 976 wrote to memory of 500	976	WScript.exe	PicturesViewer.exe
PID 976 wrote to memory of 500	976	WScript.exe	PicturesViewer.exe
PID 500 wrote to memory of 3068	500	PicturesViewer.exe	PicturesViewer.exe
PID 500 wrote to memory of 3068	500	PicturesViewer.exe	PicturesViewer.exe
PID 500 wrote to memory of 3068	500	PicturesViewer.exe	PicturesViewer.exe
PID 500 wrote to memory of 3508	500	PicturesViewer.exe	deveaoo.exe
PID 500 wrote to memory of 3508	500	PicturesViewer.exe	deveaoo.exe
PID 500 wrote to memory of 3508	500	PicturesViewer.exe	deveaoo.exe
PID 500 wrote to memory of 952	500	PicturesViewer.exe	schtasks.exe
PID 500 wrote to memory of 952	500	PicturesViewer.exe	schtasks.exe
PID 500 wrote to memory of 952	500	PicturesViewer.exe	schtasks.exe
PID 3076 wrote to memory of 3196	3076	WScript.exe	PicturesViewer.exe
PID 3076 wrote to memory of 3196	3076	WScript.exe	PicturesViewer.exe
PID 3076 wrote to memory of 3196	3076	WScript.exe	PicturesViewer.exe
PID 3508 wrote to memory of 1268	3508	deveaoo.exe	deveaoo.exe
PID 3508 wrote to memory of 1268	3508	deveaoo.exe	deveaoo.exe
PID 3508 wrote to memory of 1268	3508	deveaoo.exe	deveaoo.exe
PID 3196 wrote to memory of 3760	3196	PicturesViewer.exe	PicturesViewer.exe
PID 3196 wrote to memory of 3760	3196	PicturesViewer.exe	PicturesViewer.exe
PID 3196 wrote to memory of 3760	3196	PicturesViewer.exe	PicturesViewer.exe
PID 3508 wrote to memory of 2236	3508	deveaoo.exe	explorer.exe
PID 3508 wrote to memory of 2236	3508	deveaoo.exe	explorer.exe
PID 3508 wrote to memory of 2236	3508	deveaoo.exe	explorer.exe
PID 3508 wrote to memory of 2236	3508	deveaoo.exe	explorer.exe
PID 3996 wrote to memory of 4036	3996	WScript.exe	PicturesViewer.exe
PID 3996 wrote to memory of 4036	3996	WScript.exe	PicturesViewer.exe
PID 3996 wrote to memory of 4036	3996	WScript.exe	PicturesViewer.exe
PID 3196 wrote to memory of 1840	3196	PicturesViewer.exe	deveaoo.exe
PID 3196 wrote to memory of 1840	3196	PicturesViewer.exe	deveaoo.exe
PID 3196 wrote to memory of 1840	3196	PicturesViewer.exe	deveaoo.exe
PID 3196 wrote to memory of 2820	3196	PicturesViewer.exe	schtasks.exe
PID 3196 wrote to memory of 2820	3196	PicturesViewer.exe	schtasks.exe
PID 3196 wrote to memory of 2820	3196	PicturesViewer.exe	schtasks.exe
PID 4036 wrote to memory of 1348	4036	PicturesViewer.exe	PicturesViewer.exe
PID 4036 wrote to memory of 1348	4036	PicturesViewer.exe	PicturesViewer.exe
PID 4036 wrote to memory of 1348	4036	PicturesViewer.exe	PicturesViewer.exe
PID 1840 wrote to memory of 2052	1840	deveaoo.exe	deveaoo.exe
PID 1840 wrote to memory of 2052	1840	deveaoo.exe	deveaoo.exe
PID 1840 wrote to memory of 2052	1840	deveaoo.exe	deveaoo.exe
PID 4036 wrote to memory of 2108	4036	PicturesViewer.exe	deveaoo.exe
PID 4036 wrote to memory of 2108	4036	PicturesViewer.exe	deveaoo.exe
PID 4036 wrote to memory of 2108	4036	PicturesViewer.exe	deveaoo.exe
PID 4036 wrote to memory of 2080	4036	PicturesViewer.exe	schtasks.exe
PID 4036 wrote to memory of 2080	4036	PicturesViewer.exe	schtasks.exe
PID 4036 wrote to memory of 2080	4036	PicturesViewer.exe	schtasks.exe
PID 2108 wrote to memory of 2636	2108	deveaoo.exe	deveaoo.exe
PID 2108 wrote to memory of 2636	2108	deveaoo.exe	deveaoo.exe
PID 2108 wrote to memory of 2636	2108	deveaoo.exe	deveaoo.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1312 iexplore.exe
1312 iexplore.exe
1588 IEXPLORE.EXE
1588 IEXPLORE.EXE
Blacklisted process makes network request 3 IoCs

Processes:

WScript.exeWScript.exeWScript.exe

flow pid process

17 976 WScript.exe
18 3076 WScript.exe
19 3996 WScript.exe

pid	process
1312	iexplore.exe
1312	iexplore.exe
1588	IEXPLORE.EXE
1588	IEXPLORE.EXE

flow	pid	process
17	976	WScript.exe
18	3076	WScript.exe
19	3996	WScript.exe

Executes dropped EXE 12 IoCs

Processes:

PicturesViewer.exePicturesViewer.exedeveaoo.exePicturesViewer.exedeveaoo.exePicturesViewer.exePicturesViewer.exedeveaoo.exePicturesViewer.exedeveaoo.exedeveaoo.exedeveaoo.exe

pid	process
500	PicturesViewer.exe
3068	PicturesViewer.exe
3508	deveaoo.exe
3196	PicturesViewer.exe
1268	deveaoo.exe
3760	PicturesViewer.exe
4036	PicturesViewer.exe
1840	deveaoo.exe
1348	PicturesViewer.exe
2052	deveaoo.exe
2108	deveaoo.exe
2636	deveaoo.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

deveaoo.exe

pid process

3508 deveaoo.exe

pid	process
3508	deveaoo.exe

Checks whether UAC is enabled 2 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE

Modifies system certificate store 8 IoCs

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\SystemCertificates\MSIEHistoryJournal\CTLs	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\SystemCertificates\CA\Certificates\83DA05A9886F7658BE73ACF0A4930C0F99B92F01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\SystemCertificates\CA\Certificates\83DA05A9886F7658BE73ACF0A4930C0F99B92F01\Blob = 03000000010000001400000083da05a9886f7658be73acf0a4930c0f99b92f011400000001000000140000003656896549cb5b9b2f3cac4216504d91b933d79104000000010000001000000062455357dd57cb80c32ab295743cccc00f00000001000000200000006811c6215f18c75fdbe32cf56bd66248562a7fa3ba459cfee338745061e583941900000001000000100000002d581a49c8eb5b3b3c6ef9bb65314d705c000000010000000400000000100000180000000100000010000000bb048f1838395f6fc3a1f3d2b7e976542000000001000000dc060000308206d8308204c0a003020102020a613fb718000000000004300d06092a864886f70d01010b0500308188310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e31323030060355040313294d6963726f736f667420526f6f7420436572746966696361746520417574686f726974792032303131301e170d3131313031383232353531395a170d3236313031383233303531395a307e310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e312830260603550403131f4d6963726f736f66742053656375726520536572766572204341203230313130820222300d06092a864886f70d01010105000382020f003082020a0282020100d00bc0a4a81981e236e5e2aae5f3b2155875beb4e549f1e084f9bb0d64ef85c18155b8f3e7f16d40553dce8b6ad18493f5757c5ba4d47410ca32f323d3aeeecf9e0458c2d947cbd17c004148711b01671718afc6fe73037ee4ef439cef01712a1f81264377985457739d552bf09e8e7d060eac1b54f326f7f82308228b9e061d3738fd72d2cae563c19a5a7db26db352a96ee9aeb5fc8b36f99efaf61c581b9756a511e5b752dbbbe9f054bfb4ff2c6cb85d26cea00ad7df93ed7fddacf12c731ad9193755badd22788ea1d49b09f807223171b094aee0b0e726445790819715ce61ec65e24bf185521632f8b578aa7ecd4dec8321a4a89bbe9a6a04e0a31ccd56186cfd6b2f423ee237f272abd07873727bdeec0058e52130a3083a99ef9fc3f77a169665b5c381aff4397049aff6a9f66a0038f9b40819e01a35a55676225f6af269ae3ead58464db854f68941441e72b1bc122753d2c1ffb2cd50981eb5f4bbb6c28239d9ac1bf23b27846ab0c6260bd73a10e7b3db7cd356ac534c0bfa3b313774d8592bf9007919067bfd1c1d42d4410d2f050ed56b4923ffcfcdf87a82cfda3c2ddfe8d8120418ba1e8877b8981f1007bbc8057e0b09bf6bdde34e5bb0f9c784a63bca4c9f5b6229f7c7a2a89588702ce5c13f3c52234f409ac33185832fbf29f11d508f219607ceeff280c2447d9b62ef2fc37789ab454d533e0279d30203010001a382014b30820147301006092b06010401823715010403020100301d0603551d0e041604143656896549cb5b9b2f3cac4216504d91b933d791301906092b0601040182371402040c1e0a00530075006200430041300b0603551d0f040403020186300f0603551d130101ff040530030101ff301f0603551d23041830168014722d3a02319043b914054ee1eaa7c731d1238934305a0603551d1f04533051304fa04da04b8649687474703a2f2f63726c2e6d6963726f736f66742e636f6d2f706b692f63726c2f70726f64756374732f4d6963526f6f436572417574323031315f323031315f30335f32322e63726c305e06082b0601050507010104523050304e06082b060105050730028642687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b692f63657274732f4d6963526f6f436572417574323031315f323031315f30335f32322e637274300d06092a864886f70d01010b0500038202010041c861c1f55b9e3e9131f1b0c6bf0901b49db69074d709dba62e0d9fc8e7763446af0760894c81b33cd5f4123575c273a5f54d848ccba45dafbf92f617085742957265057679adeed1bab82e54a35107ac68eb210ce32581c2cd2af2c3ffcfc2bd49189ac7f084c5f914bc6b95e596efb342d253d54aa012c4ae12765309560e9df7d3a6498850f28a2c9720a2be4e78ef0565b74ba11688de31c70842247ca47b9e9dbc60005e6297e393fca7fe5b7b25dfe4537f4bbee63ef0db0179421c6e856c7db64430fba5379293b2a5ee20ad3f53d5c9f4286b57c1f81d6ab7562ab627811ca62d9fe7f4d0318397a82ab6acbe1b41f5e4895f56fbda5ad35e7d5594107e5357f44a3d402ac8bd679f84e110eefdda6b158249fc461dff4506749c4214edc539d3b3cd0b832790435192f24482ae6e9a1517b219fac7456c98017bbf37a9b088a492bc3838e01de47c97981a2e5fef3865b7352fbd7f4f21fac48cd26f06f94935eadf200f25aaea60ab2c1f4b89fcb7fa5c54904b3ea2284f6ce45265c1fd901c8582886ee9a655dd21287945b014e50acce65fc4bbdb6134699fac2638f7c1294108152e4ca0f7f90c3ede5fab08092d83acac348362f4c949428925b56eb247c5b339a0b1201b2cb18e046fa530491cd046e9405bf4ad6ebadb824a87124a80094ddbdf76b9055b1be0bb20705f0025c7d30efa16ad7b229e7108	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\SystemCertificates\MSIEHistoryJournal\Certificates\5FF1348C80820F2A988D0C0C7ABEA0EA394B5E6C	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\SystemCertificates\MSIEHistoryJournal\Certificates\5FF1348C80820F2A988D0C0C7ABEA0EA394B5E6C\Blob = 0300000001000000140000005ff1348c80820f2a988d0c0c7abea0ea394b5e6c040000000100000010000000fd42404f68fae3f0d490e8d19d08ab1d0f00000001000000200000005546bb2210de2560292e6f4610af4ffbdb453f9bf9983e62942c35959e16038d140000000100000014000000b3b30880146b0eb235e8e136e7d15c9c4847f5f3190000000100000010000000e142e209d34bfb2eac257eb76a2b61e15c0000000100000004000000000800001800000001000000100000002d581a49c8eb5b3b3c6ef9bb65314d702000000001000000e5050000308205e1308203c9a0030201020213330000016fd585f24b93e88a0700000000016f300d06092a864886f70d01010b0500307e310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e312830260603550403131f4d6963726f736f667420536563757265205365727665722043412032303131301e170d3139313231323030303333315a170d3231303331323030303333315a3081a3310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e310d300b060355040b130442696e67311b301906035504031312494520496e737472756d656e746174696f6e3121301f06092a864886f70d010901161271666265406d6963726f736f66742e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100cfb24782c35c66c63688c01ed857df9a4330b81628c86831de4d577f8cb2155b880ee41953a18ac28de644bacfa97558ec6f522490f103b7fa0092430f8e0ba55c36dd91f6f1f91baec6eb3581d89133141e1580e02ec2445e5380b178f92f81e97193be8be1223d36e5f2be070a3db6ac17987ea3b42d15994c73a10e64794da4660a5d875e179c567bb06ecfd7cbf4c1ee4fe453284e72877d746a3e178788a1bd540ba9250a931a11105bb98f1b2b757fa6c5ade16e7cc1d1628fedb716018526f5b56630b54cd5f75f938e9b4a956609cc441aac84a10a101f6429b6fceb9434a41b24f0ca9781bf72b010f14bd13dc5d996b6ed6c4d53156969dd04f7390203010001a38201303082012c300e0603551d0f0101ff0404030204f030150603551d25040e300c060a2b0601040182374c0c01301d0603551d0e04160414b3b30880146b0eb235e8e136e7d15c9c4847f5f3301f0603551d230418301680143656896549cb5b9b2f3cac4216504d91b933d79130530603551d1f044c304a3048a046a0448642687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b696f70732f63726c2f4d69635365635365724341323031315f323031312d31302d31382e63726c306006082b0601050507010104543052305006082b060105050730028644687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b696f70732f63657274732f4d69635365635365724341323031315f323031312d31302d31382e637274300c0603551d130101ff04023000300d06092a864886f70d01010b0500038202010064d81278e224099c122690412271d5f2d92ae1c00f7135d64f63663ccc0588826bf24cc6cffa0d6666b7e3f989825dd1021fd1bdc6a9d4a492c0f46198534382204d8668b0f3c8d85f9f614f7fff47e391a4fdc89dba1b423f1d2a8d4986ff42bac032a21224b246b03ffef26e7da49d3ef381ff9d669cda0234445bff395be1b70627f013ccde692280d75d690b4f4c5e3a123b379bd30bdc6cf1af0c69d97eb0aa4f580eb4e876465b2c62514a612a3971f6bc6ace33f569e0cbcbd5498caf2af949952c310221a382d0a7fbc4594b0bfe96a1c81d26639b249beea28179ead8377bf70e9a09596997af2b405c5425a1e5e6e46b065016901b7cd120e2389d47924b1f834955135461f7592c9487e3910bf0de382ad5906dd8c46b321b176698caaec19d1ee10aa6679981d8f2f5c40d69240a7075ce4341305d2bbd082e03c81c41baeb557b41904482ae88d0566f339ab517ae2f84223d567f9ec734c1c5a2be39aa24c49930b6428bbe2fa300f2369e1c8cc554c14010f1ee518afa32e4bf0a15cb251d37791338f5ade8ced4b67ca5fc56320c2c2973f9b13e250dabe4a373580becf787afd552c6b293dfc7bfb1f67739c64df74ae3d373e2db9c27090fe15e58591824e4f150602af628917a6d1353919cd0a8489596f97070833a98b34c2d3a0ebafda2f81096533b773c5914d7f05e66cb17af2bcd11ad517440b5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\SystemCertificates\MSIEHistoryJournal	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\SystemCertificates\MSIEHistoryJournal\Certificates	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\SystemCertificates\MSIEHistoryJournal\CRLs	iexplore.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

PicturesViewer.exePicturesViewer.exedeveaoo.exePicturesViewer.exedeveaoo.exePicturesViewer.exePicturesViewer.exeexplorer.exedeveaoo.exePicturesViewer.exedeveaoo.exedeveaoo.exedeveaoo.exe

pid	process
500	PicturesViewer.exe
500	PicturesViewer.exe
3068	PicturesViewer.exe
3068	PicturesViewer.exe
3068	PicturesViewer.exe
3068	PicturesViewer.exe
3508	deveaoo.exe
3508	deveaoo.exe
3196	PicturesViewer.exe
3196	PicturesViewer.exe
1268	deveaoo.exe
1268	deveaoo.exe
3760	PicturesViewer.exe
3760	PicturesViewer.exe
1268	deveaoo.exe
1268	deveaoo.exe
4036	PicturesViewer.exe
4036	PicturesViewer.exe
2236	explorer.exe
2236	explorer.exe
3760	PicturesViewer.exe
3760	PicturesViewer.exe
1840	deveaoo.exe
1840	deveaoo.exe
1348	PicturesViewer.exe
1348	PicturesViewer.exe
2236	explorer.exe
2236	explorer.exe
2052	deveaoo.exe
2052	deveaoo.exe
1348	PicturesViewer.exe
1348	PicturesViewer.exe
2108	deveaoo.exe
2108	deveaoo.exe
2052	deveaoo.exe
2052	deveaoo.exe
2636	deveaoo.exe
2636	deveaoo.exe
2636	deveaoo.exe
2636	deveaoo.exe

Modifies Internet Explorer settings 1 TTPs 53 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30813739"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2016190791"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30813739"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\RepId\PublicId = "{6E090CC3-AA6D-4C95-A392-F6BA3E2278D4}"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2016190791"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2041346614"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c00b827b2b2ed601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "296708268"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A3304F2A-9A1E-11EA-BF1A-628A94616A87} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "296691674"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "296740259"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000070f4e65ddf1514459006b313b316c020000000000200000000001066000000010000200000003c93462e5dd3c9aca0925b1071644dc10af346d9d8bf43aa55a41051162c6719000000000e8000000002000020000000adcf28a7e7a2350a2d546f33d9a54cc5bf0fbe795143347b6c70c41a2ffddabd20000000a9f107287e74e2ad515dfbd25fef73fd7a16a04c449657f978c92f9b8d4071d640000000d50cfa5103f9a14625351ea43c7879623dae9f288ef1addc8001324af01c9a0b22258170c922279bd162e0d37d85b3e72c2922dcc81a6574ad672a79f6d864f5	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 908f977b2b2ed601	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000070f4e65ddf1514459006b313b316c020000000000200000000001066000000010000200000004e7dda14e9e7248efd95b0e69673f1e81c4da50e1c887e3ef8c5c3a960e2180d000000000e80000000020000200000003543dd72e7ced8d7cf7991b85d5fe635f8d4d5f218ca5ad894d0b7bb2cba16d620000000a3aebcc8d6d625eb144fdfe4069b3559c7b1987cea6cd52ce3b2151ebb5027b6400000002dede2638bb05476eba72531c483df11f716dc9ae44d21d7d8929594747d5396900551456d877517150379456cc650bc7fb47f6319db7f0f8ca4fe8a6df378c3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = f9dff4ce2a1fd601	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30813739"	iexplore.exe

Modifies registry class 1 IoCs

Processes:

iexplore.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings iexplore.exe
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

1312 iexplore.exe
1312 iexplore.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

952 schtasks.exe
2820 schtasks.exe
2080 schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings	iexplore.exe

pid	process
1312	iexplore.exe
1312	iexplore.exe

pid	process
952	schtasks.exe
2820	schtasks.exe
2080	schtasks.exe

Checks SCSI registry key(s) 3 TTPs 36 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

deveaoo.exePicturesViewer.exedeveaoo.exedeveaoo.exePicturesViewer.exePicturesViewer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	deveaoo.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	deveaoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	PicturesViewer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	PicturesViewer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	PicturesViewer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	deveaoo.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	deveaoo.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	deveaoo.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	deveaoo.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	PicturesViewer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	PicturesViewer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	deveaoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	PicturesViewer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	PicturesViewer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	deveaoo.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	PicturesViewer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	deveaoo.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	deveaoo.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	PicturesViewer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	deveaoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	PicturesViewer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	deveaoo.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	PicturesViewer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	PicturesViewer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	deveaoo.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	deveaoo.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	PicturesViewer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	PicturesViewer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	PicturesViewer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	deveaoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	PicturesViewer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	deveaoo.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	deveaoo.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	PicturesViewer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	PicturesViewer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	deveaoo.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://lindentowncenter.com/xnvejyacq/2767/Darlehensvertrag_2767_18052020.zip
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Checks whether UAC is enabled
- Modifies system certificate store
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1312

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1312 CREDAT:82945 /prefetch:2
2⤵
- Suspicious use of SetWindowsHookEx
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
PID:1588

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2816

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Darlehensvertrag_2767_18052020.zip\Darlehensvertrag_243181159708_18052020.vbs"
1⤵
- Suspicious use of WriteProcessMemory
- Blacklisted process makes network request
PID:976

C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
2⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:500

C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe /C
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Checks SCSI registry key(s)
PID:3068

C:\Users\Admin\AppData\Roaming\Microsoft\Woyyenob\deveaoo.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Woyyenob\deveaoo.exe
3⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: EnumeratesProcesses
PID:3508

C:\Users\Admin\AppData\Roaming\Microsoft\Woyyenob\deveaoo.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Woyyenob\deveaoo.exe /C
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Checks SCSI registry key(s)
PID:1268

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2236

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn nrwjuqhdz /tr "\"C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe\" /I nrwjuqhdz" /SC ONCE /Z /ST 22:22 /ET 22:34
3⤵
- Creates scheduled task(s)
PID:952

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Darlehensvertrag_243181159708_18052020.vbs"
1⤵
- Suspicious use of WriteProcessMemory
- Blacklisted process makes network request
PID:3076

C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
2⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3196

C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe /C
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Checks SCSI registry key(s)
PID:3760

C:\Users\Admin\AppData\Roaming\Microsoft\Woyyenob\deveaoo.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Woyyenob\deveaoo.exe
3⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1840

C:\Users\Admin\AppData\Roaming\Microsoft\Woyyenob\deveaoo.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Woyyenob\deveaoo.exe /C
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Checks SCSI registry key(s)
PID:2052

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn bffgutc /tr "\"C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe\" /I bffgutc" /SC ONCE /Z /ST 22:22 /ET 22:34
3⤵
- Creates scheduled task(s)
PID:2820

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Darlehensvertrag_243181159708_18052020.vbs"
1⤵
- Suspicious use of WriteProcessMemory
- Blacklisted process makes network request
PID:3996

C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
2⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4036

C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe /C
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Checks SCSI registry key(s)
PID:1348

C:\Users\Admin\AppData\Roaming\Microsoft\Woyyenob\deveaoo.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Woyyenob\deveaoo.exe
3⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2108

C:\Users\Admin\AppData\Roaming\Microsoft\Woyyenob\deveaoo.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Woyyenob\deveaoo.exe /C
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Checks SCSI registry key(s)
PID:2636

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn fymqwgu /tr "\"C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe\" /I fymqwgu" /SC ONCE /Z /ST 22:22 /ET 22:34
3⤵
- Creates scheduled task(s)
PID:2080

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\WScript.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4FFTI156\Darlehensvertrag_2767_18052020.zip.3c8cezq.partial

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\G7BCGXMW.cookie

Download Submit
C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Woyyenob\deveaoo.dat

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Woyyenob\deveaoo.dat

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Woyyenob\deveaoo.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Woyyenob\deveaoo.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Woyyenob\deveaoo.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Woyyenob\deveaoo.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Woyyenob\deveaoo.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Woyyenob\deveaoo.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Woyyenob\deveaoo.exe

Download Submit
memory/1268-30-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/1348-38-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/2052-41-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/2636-43-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/3068-20-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/3076-3-0x00000216ED0E0000-0x00000216ED0E4000-memory.dmp

Filesize
16KB

Download
memory/3508-31-0x0000000002170000-0x00000000021AA000-memory.dmp

Filesize
232KB

Download
memory/3760-33-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads