Overview

overview

10

Static

static

444444.png.exe

windows7_x64

10

444444.png.exe

windows10_x64

10

Analysis

  • max time kernel
    138s
  • max time network
    44s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    26-05-2020 16:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    444444.png.exe

  • Size

    2.3MB

  • MD5

    f8849261a9db65164958d8c99ebc1f13

  • SHA1

    004818f4c927ba99a0694fd94cc754dd4df731fd

  • SHA256

    ec38eb6ee133958ef6cc3bfa257d9368c615b3182d22282f63d12ca7f2b2c5be

  • SHA512

    7532e2943353bc7c38b54c7c128f27cccc41cfc2e5dfc86cd899de5c50b1af102f2dbd6648086a9d2d8b38797c27b6555fb2803594e2b7d1de266418e0b86bde

Score
10/10
evasiontrojanpersistencebankerstealerqakbot

Malware Config

Extracted

Family

qakbot

Botnet

spx96

Campaign

1586873043

C2

72.209.191.27:443

173.22.120.11:2222

108.227.161.27:995

172.87.134.226:443

181.197.195.138:995

98.21.52.194:443

76.180.69.236:443

68.98.142.248:443

68.52.164.175:443

39.59.63.142:995

35.142.126.181:443

96.35.170.82:2222

75.111.145.5:443

47.214.144.253:443

74.105.139.160:443

67.8.103.21:443

50.108.212.180:443

83.25.7.201:2222

188.25.237.208:443

184.167.2.251:2222

Signatures

  • Adds Run entry to start application 2 TTPs 1 IoCs
    persistence
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Executes dropped EXE 4 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 18 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs
  • Turns off Windows Defender SpyNet reporting 6 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot

Processes

  • C:\Users\Admin\AppData\Local\Temp\444444.png.exe
    "C:\Users\Admin\AppData\Local\Temp\444444.png.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1876
    • C:\Users\Admin\AppData\Local\Temp\444444.png.exe
      C:\Users\Admin\AppData\Local\Temp\444444.png.exe /C
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      PID:3788
    • C:\Users\Admin\AppData\Roaming\Microsoft\Yxxoye\zjxbasuk.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Yxxoye\zjxbasuk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: MapViewOfSection
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2116
      • C:\Users\Admin\AppData\Roaming\Microsoft\Yxxoye\zjxbasuk.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Yxxoye\zjxbasuk.exe /C
        3⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        PID:2580
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Adds Run entry to start application
        • Suspicious behavior: EnumeratesProcesses
        PID:2732
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn dtbrujrnly /tr "\"C:\Users\Admin\AppData\Local\Temp\444444.png.exe\" /I dtbrujrnly" /SC ONCE /Z /ST 18:07 /ET 18:19
      2⤵
      • Creates scheduled task(s)
      PID:2172
  • C:\Users\Admin\AppData\Local\Temp\444444.png.exe
    C:\Users\Admin\AppData\Local\Temp\444444.png.exe /I dtbrujrnly
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3564
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
      2⤵
      • Windows security modification
      • Turns off Windows Defender SpyNet reporting
      PID:3888
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
      2⤵
      • Windows security modification
      • Turns off Windows Defender SpyNet reporting
      PID:3448
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
      2⤵
        PID:3544
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
        2⤵
          PID:3616
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
          2⤵
          • Windows security modification
          • Turns off Windows Defender SpyNet reporting
          PID:728
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
          2⤵
          • Windows security modification
          • Turns off Windows Defender SpyNet reporting
          PID:1576
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
          2⤵
          • Windows security modification
          • Turns off Windows Defender SpyNet reporting
          PID:1584
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
          2⤵
          • Windows security modification
          • Turns off Windows Defender SpyNet reporting
          PID:1872
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Yxxoye" /d "0"
          2⤵
          • Windows security bypass
          PID:3736
        • C:\Users\Admin\AppData\Roaming\Microsoft\Yxxoye\zjxbasuk.exe
          C:\Users\Admin\AppData\Roaming\Microsoft\Yxxoye\zjxbasuk.exe
          2⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1988
          • C:\Users\Admin\AppData\Roaming\Microsoft\Yxxoye\zjxbasuk.exe
            C:\Users\Admin\AppData\Roaming\Microsoft\Yxxoye\zjxbasuk.exe /C
            3⤵
            • Executes dropped EXE
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            PID:516
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\444444.png.exe"
          2⤵
            PID:3404
            • C:\Windows\system32\PING.EXE
              ping.exe -n 6 127.0.0.1
              3⤵
              • Runs ping.exe
              PID:2132
          • C:\Windows\system32\schtasks.exe
            "C:\Windows\system32\schtasks.exe" /DELETE /F /TN dtbrujrnly
            2⤵
              PID:2036

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\Microsoft\Yxxoye\zjxbasuk.dat
            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Yxxoye\zjxbasuk.exe
            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Yxxoye\zjxbasuk.exe
            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Yxxoye\zjxbasuk.exe
            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Yxxoye\zjxbasuk.exe
            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Yxxoye\zjxbasuk.exe
            Download Submit

          • memory/516-9-0x00000000029C0000-0x00000000029C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2116-5-0x0000000002400000-0x000000000243C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/2580-4-0x00000000028E0000-0x00000000028E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3788-0-0x0000000002870000-0x0000000002871000-memory.dmp

            Filesize

            4KB

            Download