Analysis
-
max time kernel
141s -
max time network
48s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
24-05-2020 14:05
Static task
static1
Behavioral task
behavioral1
Sample
Kaufvertrag_335774592927_20052020.vbs
Resource
win7v200430
General
-
Target
Kaufvertrag_335774592927_20052020.vbs
-
Size
36.2MB
-
MD5
e4c51a265a25b187d92ce90b381aff5f
-
SHA1
b95bb9ca726d717703880c340f7a5c3c3f5e7bed
-
SHA256
a468327ee5c173269fec06282bdc618a10f5770112147280fae282659d65ac44
-
SHA512
de7ef4026401a3c371e58e3c40e63ed18adec9273a6c88e955eb32570e844f0b0cb640fd274eae0a485474f244ea1990cfd16bc47688e380a45015a81bc2e33c
Malware Config
Extracted
qakbot
spx124
1590052330
188.173.185.139:443
117.241.53.130:443
81.103.144.77:443
217.219.50.172:990
103.76.160.110:443
68.204.164.222:443
98.32.60.217:443
173.245.152.231:443
72.240.245.253:443
112.171.126.153:443
141.85.114.172:443
31.5.189.71:443
71.77.231.251:443
72.190.101.70:443
140.82.21.191:443
31.5.41.52:443
78.188.109.130:443
70.124.29.226:443
24.43.22.220:993
101.108.114.66:443
137.103.143.124:443
203.213.104.25:995
182.56.134.44:995
24.201.79.208:2078
24.110.96.149:443
98.222.23.221:443
50.104.186.71:443
67.83.54.76:2222
104.36.135.227:443
68.1.171.93:443
24.43.22.220:995
75.183.171.155:3389
47.41.3.40:443
68.98.142.248:995
81.133.234.36:2222
98.121.187.78:443
47.205.231.60:443
66.26.160.37:443
69.92.54.95:995
67.209.195.198:3389
41.228.231.93:443
184.98.104.7:995
72.204.242.138:6881
210.61.141.92:443
35.142.12.163:2222
24.46.40.189:2222
96.56.237.174:993
189.231.179.154:443
98.115.138.61:443
50.29.166.232:995
173.79.220.156:443
70.174.3.241:443
47.146.169.85:443
50.29.181.193:995
216.110.249.252:2222
76.117.227.153:443
98.118.156.172:443
70.173.46.139:443
79.114.195.15:443
75.110.250.89:443
50.96.232.242:995
203.106.194.13:443
47.232.26.181:443
47.180.66.10:443
71.8.33.238:443
71.241.247.189:443
71.80.66.107:443
207.255.161.8:2222
173.173.68.41:443
116.202.36.62:21
68.46.142.48:443
100.40.48.96:443
47.136.224.60:443
98.173.34.212:995
197.37.177.211:993
185.145.113.249:443
95.77.223.148:443
72.204.242.138:20
68.60.221.169:465
72.204.242.138:2087
72.69.180.183:61202
68.4.137.211:443
72.204.242.138:53
59.124.10.133:443
171.97.10.201:2222
188.214.99.182:995
102.190.173.155:6881
108.58.9.238:443
188.173.214.88:443
66.76.255.133:2078
41.129.128.231:443
5.15.237.243:443
50.244.112.10:443
72.204.242.138:443
72.204.242.138:2078
72.204.242.138:990
102.41.118.44:995
47.153.115.154:443
68.149.64.58:2222
207.255.161.8:995
207.255.161.8:2078
73.76.47.127:443
76.187.97.98:2222
5.14.251.226:443
65.116.179.83:443
96.35.170.82:2222
84.117.60.157:443
108.58.9.238:993
207.255.161.8:2087
142.129.227.86:443
37.8.32.154:443
24.96.22.21:443
207.255.161.8:32102
1.40.42.4:443
108.58.9.238:995
74.33.69.208:443
66.222.88.126:995
47.152.210.233:443
24.99.180.247:443
50.244.112.106:443
172.242.156.50:443
67.131.59.17:443
24.10.42.174:443
190.198.125.194:2078
49.191.9.180:995
41.96.210.164:443
50.247.230.33:995
76.170.77.99:443
70.183.127.6:995
66.68.22.151:443
97.127.144.203:2222
137.99.224.198:443
209.182.121.133:2222
50.78.93.74:443
72.204.242.138:50003
79.101.206.85:995
24.122.228.88:443
24.213.191.38:0
50.246.229.50:443
203.33.139.134:443
75.137.60.81:443
207.255.161.8:443
24.229.245.124:995
24.43.22.220:443
172.78.87.180:443
67.0.73.239:443
79.116.237.126:443
47.155.19.205:443
75.81.25.223:443
31.5.21.66:443
Signatures
-
Blacklisted process makes network request 1 IoCs
Processes:
WScript.exeflow pid process 3 1016 WScript.exe -
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
WScript.exePicturesViewer.exerakuuc.exedescription pid process target process PID 1016 wrote to memory of 648 1016 WScript.exe PicturesViewer.exe PID 1016 wrote to memory of 648 1016 WScript.exe PicturesViewer.exe PID 1016 wrote to memory of 648 1016 WScript.exe PicturesViewer.exe PID 1016 wrote to memory of 648 1016 WScript.exe PicturesViewer.exe PID 648 wrote to memory of 728 648 PicturesViewer.exe PicturesViewer.exe PID 648 wrote to memory of 728 648 PicturesViewer.exe PicturesViewer.exe PID 648 wrote to memory of 728 648 PicturesViewer.exe PicturesViewer.exe PID 648 wrote to memory of 728 648 PicturesViewer.exe PicturesViewer.exe PID 648 wrote to memory of 612 648 PicturesViewer.exe rakuuc.exe PID 648 wrote to memory of 612 648 PicturesViewer.exe rakuuc.exe PID 648 wrote to memory of 612 648 PicturesViewer.exe rakuuc.exe PID 648 wrote to memory of 612 648 PicturesViewer.exe rakuuc.exe PID 648 wrote to memory of 1672 648 PicturesViewer.exe schtasks.exe PID 648 wrote to memory of 1672 648 PicturesViewer.exe schtasks.exe PID 648 wrote to memory of 1672 648 PicturesViewer.exe schtasks.exe PID 648 wrote to memory of 1672 648 PicturesViewer.exe schtasks.exe PID 612 wrote to memory of 1588 612 rakuuc.exe rakuuc.exe PID 612 wrote to memory of 1588 612 rakuuc.exe rakuuc.exe PID 612 wrote to memory of 1588 612 rakuuc.exe rakuuc.exe PID 612 wrote to memory of 1588 612 rakuuc.exe rakuuc.exe PID 612 wrote to memory of 1624 612 rakuuc.exe explorer.exe PID 612 wrote to memory of 1624 612 rakuuc.exe explorer.exe PID 612 wrote to memory of 1624 612 rakuuc.exe explorer.exe PID 612 wrote to memory of 1624 612 rakuuc.exe explorer.exe PID 612 wrote to memory of 1624 612 rakuuc.exe explorer.exe -
Executes dropped EXE 4 IoCs
Processes:
PicturesViewer.exePicturesViewer.exerakuuc.exerakuuc.exepid process 648 PicturesViewer.exe 728 PicturesViewer.exe 612 rakuuc.exe 1588 rakuuc.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
PicturesViewer.exePicturesViewer.exerakuuc.exerakuuc.exeexplorer.exepid process 648 PicturesViewer.exe 728 PicturesViewer.exe 728 PicturesViewer.exe 612 rakuuc.exe 1588 rakuuc.exe 1588 rakuuc.exe 1624 explorer.exe 1624 explorer.exe -
Loads dropped DLL 3 IoCs
Processes:
PicturesViewer.exepid process 648 PicturesViewer.exe 648 PicturesViewer.exe 648 PicturesViewer.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
rakuuc.exepid process 612 rakuuc.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Kaufvertrag_335774592927_20052020.vbs"1⤵
- Blacklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exeC:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe2⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Loads dropped DLL
PID:648 -
C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exeC:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe /C3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:728 -
C:\Users\Admin\AppData\Roaming\Microsoft\Adsyoneeobk\rakuuc.exeC:\Users\Admin\AppData\Roaming\Microsoft\Adsyoneeobk\rakuuc.exe3⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:612 -
C:\Users\Admin\AppData\Roaming\Microsoft\Adsyoneeobk\rakuuc.exeC:\Users\Admin\AppData\Roaming\Microsoft\Adsyoneeobk\rakuuc.exe /C4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1588 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1624 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn wjtnrjsnuq /tr "\"C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe\" /I wjtnrjsnuq" /SC ONCE /Z /ST 16:09 /ET 16:213⤵
- Creates scheduled task(s)
PID:1672