Analysis
-
max time kernel
138s -
max time network
55s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
20-05-2020 15:14
Static task
static1
Behavioral task
behavioral1
Sample
Darlehensvertrag_237886470423_19052020.vbs
Resource
win7v200430
General
-
Target
Darlehensvertrag_237886470423_19052020.vbs
-
Size
36.3MB
-
MD5
a6eb9d904fc5eddda76ad4f9cf678e03
-
SHA1
c370a3c9e108ae2452dfdedc91a2aa04634c7002
-
SHA256
dfacae17a54e54e9b25d77399619859ed6b196318bd06341c22c7a8b4a090254
-
SHA512
c00ac4ecaf2623ac4eb4d47191b3b0608d80bd3da552310652a2ccbc306b408f8c0d6d9e3f35208e2ad93b0c7a872ff8c055db7f2a3ecbb259ae639b55d780fb
Malware Config
Extracted
qakbot
spx123
1589977350
71.77.252.14:2222
174.130.225.61:443
76.187.97.98:2222
187.19.151.218:995
82.127.193.151:2222
72.204.242.138:993
72.204.242.138:993
66.208.105.6:443
24.183.39.93:443
98.243.187.85:443
68.49.120.179:443
72.204.242.138:995
72.29.181.77:2078
72.204.242.138:443
24.136.33.120:2222
96.56.237.174:990
107.2.148.99:443
216.201.162.158:443
71.213.29.14:995
84.247.55.190:443
86.124.2.219:443
189.236.29.119:443
199.116.241.147:443
79.115.20.123:443
67.170.137.8:443
200.113.201.83:993
100.12.173.247:995
82.210.157.185:443
79.78.131.124:443
186.94.179.27:2078
102.41.121.242:995
24.202.42.48:2222
208.93.202.49:443
72.16.212.108:465
98.118.156.172:443
31.125.140.150:2222
5.36.67.194:443
108.30.125.94:443
190.130.235.79:443
151.205.102.42:443
68.39.160.40:443
68.204.164.222:443
108.54.205.207:443
47.203.89.185:443
79.114.195.15:443
174.34.67.106:2222
73.214.231.2:443
96.18.240.158:443
156.222.43.142:995
178.27.203.107:443
116.202.36.62:21
173.173.68.41:443
47.136.224.60:443
80.184.100.90:443
100.40.48.96:443
71.56.53.127:443
68.4.137.211:443
92.17.167.87:2222
188.27.64.124:443
96.23.62.35:2222
46.102.65.66:443
185.145.113.249:443
181.140.208.0:443
66.57.216.53:993
197.210.96.222:995
46.102.52.45:443
72.240.245.253:443
59.98.97.3:443
140.82.21.191:443
72.132.249.144:995
86.97.85.36:443
86.124.215.242:21
5.14.251.226:443
148.75.231.53:443
75.110.250.89:443
47.232.26.181:443
47.180.66.10:443
71.8.33.238:443
24.188.48.139:443
117.241.53.134:443
41.96.159.95:443
100.38.123.22:443
5.182.39.156:443
207.255.161.8:2222
85.204.189.105:443
81.245.66.237:995
79.101.206.85:995
86.166.85.205:2222
68.174.15.223:443
173.245.152.231:443
137.103.143.124:443
73.23.194.75:443
81.196.29.4:2222
184.164.160.157:995
82.76.171.120:443
46.214.62.199:443
98.121.187.78:443
76.117.227.153:443
189.159.144.227:995
81.133.234.36:2222
117.216.184.78:443
79.116.237.126:443
187.155.61.44:443
31.5.189.71:443
72.204.242.138:443
72.204.242.138:2078
72.204.242.138:990
47.153.115.154:443
207.255.161.8:995
207.255.161.8:2078
50.244.112.10:443
66.76.255.133:2078
72.204.242.138:20
77.159.149.74:443
65.116.179.83:443
96.35.170.82:2222
72.204.242.138:2087
71.193.126.206:443
142.129.227.86:443
72.204.242.138:53
207.255.161.8:2087
84.117.60.157:443
24.96.22.21:443
207.255.161.8:32102
108.58.9.238:995
173.175.29.210:443
1.40.42.4:443
74.33.69.208:443
70.183.127.6:995
66.222.88.126:995
115.134.147.27:443
47.152.210.233:443
172.242.156.50:443
65.24.76.114:443
78.96.245.58:443
70.124.29.226:443
86.124.228.119:443
24.43.22.220:993
188.173.214.88:443
24.231.54.185:2222
64.121.114.87:443
184.21.151.81:995
209.182.121.133:2222
203.213.104.25:995
72.183.129.56:443
68.98.142.248:995
86.3.137.90:443
107.5.252.194:443
94.52.160.116:443
188.173.185.139:443
Signatures
-
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 PicturesViewer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc PicturesViewer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service PicturesViewer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 ffovc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service ffovc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 ffovc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 PicturesViewer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc PicturesViewer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service ffovc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc ffovc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service PicturesViewer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc ffovc.exe -
Blacklisted process makes network request 1 IoCs
flow pid Process 4 3656 WScript.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 3656 wrote to memory of 3936 3656 WScript.exe 73 PID 3656 wrote to memory of 3936 3656 WScript.exe 73 PID 3656 wrote to memory of 3936 3656 WScript.exe 73 PID 3936 wrote to memory of 3956 3936 PicturesViewer.exe 74 PID 3936 wrote to memory of 3956 3936 PicturesViewer.exe 74 PID 3936 wrote to memory of 3956 3936 PicturesViewer.exe 74 PID 3936 wrote to memory of 3940 3936 PicturesViewer.exe 75 PID 3936 wrote to memory of 3940 3936 PicturesViewer.exe 75 PID 3936 wrote to memory of 3940 3936 PicturesViewer.exe 75 PID 3936 wrote to memory of 3976 3936 PicturesViewer.exe 76 PID 3936 wrote to memory of 3976 3936 PicturesViewer.exe 76 PID 3936 wrote to memory of 3976 3936 PicturesViewer.exe 76 PID 3940 wrote to memory of 3008 3940 ffovc.exe 78 PID 3940 wrote to memory of 3008 3940 ffovc.exe 78 PID 3940 wrote to memory of 3008 3940 ffovc.exe 78 PID 3940 wrote to memory of 700 3940 ffovc.exe 79 PID 3940 wrote to memory of 700 3940 ffovc.exe 79 PID 3940 wrote to memory of 700 3940 ffovc.exe 79 PID 3940 wrote to memory of 700 3940 ffovc.exe 79 -
Executes dropped EXE 4 IoCs
pid Process 3936 PicturesViewer.exe 3956 PicturesViewer.exe 3940 ffovc.exe 3008 ffovc.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 3936 PicturesViewer.exe 3936 PicturesViewer.exe 3956 PicturesViewer.exe 3956 PicturesViewer.exe 3956 PicturesViewer.exe 3956 PicturesViewer.exe 3940 ffovc.exe 3940 ffovc.exe 3008 ffovc.exe 3008 ffovc.exe 3008 ffovc.exe 3008 ffovc.exe 700 explorer.exe 700 explorer.exe 700 explorer.exe 700 explorer.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 3940 ffovc.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3976 schtasks.exe
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Darlehensvertrag_237886470423_19052020.vbs"1⤵
- Blacklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exeC:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe2⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3936 -
C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exeC:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe /C3⤵
- Checks SCSI registry key(s)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3956
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Luolyfxaj\ffovc.exeC:\Users\Admin\AppData\Roaming\Microsoft\Luolyfxaj\ffovc.exe3⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3940 -
C:\Users\Admin\AppData\Roaming\Microsoft\Luolyfxaj\ffovc.exeC:\Users\Admin\AppData\Roaming\Microsoft\Luolyfxaj\ffovc.exe /C4⤵
- Checks SCSI registry key(s)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3008
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe4⤵
- Suspicious behavior: EnumeratesProcesses
PID:700
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn nwaiuqck /tr "\"C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe\" /I nwaiuqck" /SC ONCE /Z /ST 17:18 /ET 17:303⤵
- Creates scheduled task(s)
PID:3976
-
-