Overview

overview

10

Static

static

8888888.exe

windows7_x64

10

8888888.exe

windows10_x64

10

Analysis

  • max time kernel
    130s
  • max time network
    66s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    09-06-2020 15:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8888888.exe

  • Size

    1.1MB

  • MD5

    699cf093ec4d952ba1e65c6bfa479954

  • SHA1

    1af411ab00addbd9004561ed3b317e1894736038

  • SHA256

    c499664ef142e70f6d2fc01580ce180ebf2438ff9a2df4d609854138510d60fd

  • SHA512

    f1ba6c5699ed9b164c2447c8d1eff5d701743a81d980f07604cdcc26ae98c031f3da0ab313b256386d2f9787a14a6c9e7a594da2c834f95264bc2cff4cf15465

Score
10/10
trojanbankerstealerqakbotevasion

Malware Config

Extracted

Family

qakbot

Botnet

spx135

Campaign

1591627649

C2

89.32.216.156:443

74.222.204.82:443

24.183.39.93:443

97.93.211.17:443

80.14.209.42:2222

96.35.170.82:2222

151.73.124.242:443

98.110.231.63:443

108.227.161.27:995

173.3.132.17:995

31.5.41.52:443

24.122.228.88:443

5.107.208.94:2222

76.185.136.58:443

50.29.166.232:995

73.210.114.187:443

92.114.107.193:995

24.43.22.220:993

50.247.230.33:995

72.142.106.198:465

Signatures

  • Modifies data under HKEY_USERS 5 IoCs
  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of WriteProcessMemory 44 IoCs
  • Executes dropped EXE 4 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Turns off Windows Defender SpyNet reporting 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 18 IoCs

    SCSI information is often read in order to detect sandboxing environments.

Processes

  • C:\Users\Admin\AppData\Local\Temp\8888888.exe
    "C:\Users\Admin\AppData\Local\Temp\8888888.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: EnumeratesProcesses
    PID:2536
    • C:\Users\Admin\AppData\Local\Temp\8888888.exe
      C:\Users\Admin\AppData\Local\Temp\8888888.exe /C
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Checks SCSI registry key(s)
      PID:420
    • C:\Users\Admin\AppData\Roaming\Microsoft\Aijhihi\cvskw.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Aijhihi\cvskw.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      • Executes dropped EXE
      • Suspicious behavior: MapViewOfSection
      • Suspicious behavior: EnumeratesProcesses
      PID:1636
      • C:\Users\Admin\AppData\Roaming\Microsoft\Aijhihi\cvskw.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Aijhihi\cvskw.exe /C
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Checks SCSI registry key(s)
        PID:2772
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3876
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn dtvghing /tr "\"C:\Users\Admin\AppData\Local\Temp\8888888.exe\" /I dtvghing" /SC ONCE /Z /ST 17:36 /ET 17:48
      2⤵
      • Creates scheduled task(s)
      PID:1732
  • C:\Users\Admin\AppData\Local\Temp\8888888.exe
    C:\Users\Admin\AppData\Local\Temp\8888888.exe /I dtvghing
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: EnumeratesProcesses
    PID:3912
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
      2⤵
      • Windows security modification
      • Turns off Windows Defender SpyNet reporting
      PID:3968
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
      2⤵
      • Windows security modification
      • Turns off Windows Defender SpyNet reporting
      PID:720
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
      2⤵
        PID:2992
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
        2⤵
          PID:760
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
          2⤵
          • Windows security modification
          • Turns off Windows Defender SpyNet reporting
          PID:3652
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
          2⤵
          • Windows security modification
          • Turns off Windows Defender SpyNet reporting
          PID:3784
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
          2⤵
          • Windows security modification
          • Turns off Windows Defender SpyNet reporting
          PID:2532
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
          2⤵
          • Windows security modification
          • Turns off Windows Defender SpyNet reporting
          PID:8
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Aijhihi" /d "0"
          2⤵
          • Windows security bypass
          PID:3828
        • C:\Users\Admin\AppData\Roaming\Microsoft\Aijhihi\cvskw.exe
          C:\Users\Admin\AppData\Roaming\Microsoft\Aijhihi\cvskw.exe
          2⤵
          • Suspicious use of WriteProcessMemory
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:3768
          • C:\Users\Admin\AppData\Roaming\Microsoft\Aijhihi\cvskw.exe
            C:\Users\Admin\AppData\Roaming\Microsoft\Aijhihi\cvskw.exe /C
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Checks SCSI registry key(s)
            PID:1344
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\8888888.exe"
          2⤵
            PID:3148
            • C:\Windows\system32\PING.EXE
              ping.exe -n 6 127.0.0.1
              3⤵
              • Runs ping.exe
              PID:1228
          • C:\Windows\system32\schtasks.exe
            "C:\Windows\system32\schtasks.exe" /DELETE /F /TN dtvghing
            2⤵
              PID:1132

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Scheduled Task

          1
          T1053

          Persistence

          Scheduled Task

          1
          T1053

          Privilege Escalation

          Scheduled Task

          1
          T1053

          Defense Evasion

          Disabling Security Tools

          2
          T1089

          Modify Registry

          2
          T1112

          Credential Access

          Discovery

          Remote System Discovery

          1
          T1018

          Query Registry

          1
          T1012

          Peripheral Device Discovery

          1
          T1120

          System Information Discovery

          1
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\Microsoft\Aijhihi\cvskw.dat
            Download Submit
          • C:\Users\Admin\AppData\Roaming\Microsoft\Aijhihi\cvskw.exe
            Download Submit
          • C:\Users\Admin\AppData\Roaming\Microsoft\Aijhihi\cvskw.exe
            Download Submit
          • C:\Users\Admin\AppData\Roaming\Microsoft\Aijhihi\cvskw.exe
            Download Submit
          • C:\Users\Admin\AppData\Roaming\Microsoft\Aijhihi\cvskw.exe
            Download Submit
          • C:\Users\Admin\AppData\Roaming\Microsoft\Aijhihi\cvskw.exe
            Download Submit
          • memory/420-0-0x0000000002800000-0x0000000002801000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1344-9-0x0000000002880000-0x0000000002881000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1636-5-0x0000000002190000-0x00000000021CA000-memory.dmp
            Filesize

            232KB

            Download
          • memory/2772-4-0x00000000026B0000-0x00000000026B1000-memory.dmp
            Filesize

            4KB

            Download