Overview

overview

10

Static

static

9

8888888.exe

windows7_x64

10

8888888.exe

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    09-11-2020 20:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8888888.exe

  • Size

    1.0MB

  • MD5

    187f43c716b1f67efa2e3e98027f497e

  • SHA1

    2076d9ecbcec60b0b4fc181917fd85246037f1cc

  • SHA256

    760e82acfcfdb3f7a2ea01cb32a21562bf98d4855cca19710aabd4af329aa809

  • SHA512

    ce53dc168c27f7359ba5f2fe14dd0852bb2dc7193dd1d8990cf42c22920253088d8ed0f0e0f314f6dc0bdbd0851826e30f9efdcd9eee4ba4afa8a20720ce0ee2

Score
10/10
qakbotspx1401592218484bankercryptonepackerstealertrojan

Malware Config

Extracted

Family

qakbot

Botnet

spx140

Campaign

1592218484

C2

141.126.10.226:443

96.35.170.82:2222

67.250.184.157:443

24.42.14.241:995

72.173.20.55:443

173.172.205.216:443

173.3.132.17:995

172.78.30.215:443

207.255.161.8:32103

206.51.202.106:50003

24.152.219.253:995

207.255.161.8:2222

80.14.209.42:2222

72.142.106.198:465

207.255.161.8:2087

142.129.227.86:443

98.219.77.197:443

166.62.180.194:2078

82.127.193.151:2222

24.229.245.124:995

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • CryptOne packer 3 IoCs

    Detects CryptOne packer defined in NCC blogpost.

    cryptonepacker
  • Executes dropped EXE 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8888888.exe
    "C:\Users\Admin\AppData\Local\Temp\8888888.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3336
    • C:\Users\Admin\AppData\Local\Temp\8888888.exe
      C:\Users\Admin\AppData\Local\Temp\8888888.exe /C
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      PID:3580
    • C:\Users\Admin\AppData\Roaming\Microsoft\Oifxixok\hxewqsa.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Oifxixok\hxewqsa.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3048
      • C:\Users\Admin\AppData\Roaming\Microsoft\Oifxixok\hxewqsa.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Oifxixok\hxewqsa.exe /C
        3⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        PID:3756
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3616
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn iryfoqewci /tr "\"C:\Users\Admin\AppData\Local\Temp\8888888.exe\" /I iryfoqewci" /SC ONCE /Z /ST 05:22 /ET 05:34
      2⤵
      • Creates scheduled task(s)
      PID:2312
  • C:\Users\Admin\AppData\Local\Temp\8888888.exe
    C:\Users\Admin\AppData\Local\Temp\8888888.exe /I iryfoqewci
    1⤵
      PID:1264

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Oifxixok\hxewqsa.dat
      MD5

      084502570adeeae65213debd59c90bd5

      SHA1

      e0ed26351fb443ecfdc0d6006319eb26689d7b53

      SHA256

      e277e6ca70ec1358d043ab3360538ad84c391636d68ce5ff0c8ded44446b09d4

      SHA512

      db2e8f36925d88602ff6f90e26a7f97bef4ad7d00b1850283e74ef57cac3dd6aeca49a67c53842874d8d16f452cadaeb5d9f813304f703d4bf3497d2abfc81cd

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Oifxixok\hxewqsa.exe
      MD5

      187f43c716b1f67efa2e3e98027f497e

      SHA1

      2076d9ecbcec60b0b4fc181917fd85246037f1cc

      SHA256

      760e82acfcfdb3f7a2ea01cb32a21562bf98d4855cca19710aabd4af329aa809

      SHA512

      ce53dc168c27f7359ba5f2fe14dd0852bb2dc7193dd1d8990cf42c22920253088d8ed0f0e0f314f6dc0bdbd0851826e30f9efdcd9eee4ba4afa8a20720ce0ee2

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Oifxixok\hxewqsa.exe
      MD5

      187f43c716b1f67efa2e3e98027f497e

      SHA1

      2076d9ecbcec60b0b4fc181917fd85246037f1cc

      SHA256

      760e82acfcfdb3f7a2ea01cb32a21562bf98d4855cca19710aabd4af329aa809

      SHA512

      ce53dc168c27f7359ba5f2fe14dd0852bb2dc7193dd1d8990cf42c22920253088d8ed0f0e0f314f6dc0bdbd0851826e30f9efdcd9eee4ba4afa8a20720ce0ee2

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Oifxixok\hxewqsa.exe
      MD5

      187f43c716b1f67efa2e3e98027f497e

      SHA1

      2076d9ecbcec60b0b4fc181917fd85246037f1cc

      SHA256

      760e82acfcfdb3f7a2ea01cb32a21562bf98d4855cca19710aabd4af329aa809

      SHA512

      ce53dc168c27f7359ba5f2fe14dd0852bb2dc7193dd1d8990cf42c22920253088d8ed0f0e0f314f6dc0bdbd0851826e30f9efdcd9eee4ba4afa8a20720ce0ee2

      Download Submit
    • memory/2312-5-0x0000000000000000-mapping.dmp
      Download
    • memory/3048-2-0x0000000000000000-mapping.dmp
      Download
    • memory/3048-9-0x00000000021C0000-0x00000000021FA000-memory.dmp
      Filesize

      232KB

      Download
    • memory/3580-0-0x0000000000000000-mapping.dmp
      Download
    • memory/3580-1-0x00000000026C0000-0x00000000026C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3616-10-0x0000000000000000-mapping.dmp
      Download
    • memory/3756-6-0x0000000000000000-mapping.dmp
      Download
    • memory/3756-8-0x0000000002750000-0x0000000002751000-memory.dmp
      Filesize

      4KB

      Download