Overview

overview

10

Static

static

9

88888888.exe

windows7_x64

10

88888888.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    111s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    09-11-2020 20:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    88888888.exe

  • Size

    1.2MB

  • MD5

    086a4a65d3ea48a2e4e069ae1002335b

  • SHA1

    ae0751887692ce6537f05c37dbe811eaa2f56a75

  • SHA256

    f392fec11d15f4c5ca3f5c340c28e99bd19f99d59422b5598fd818be653502bb

  • SHA512

    1655b6bd0b9a6047f6ba60fab8c37515b70b2b039129033ad3452cadeb6f4b05bf7b750ba7e39392b53daf4cb145ab9fdee863dc981c5121dafa3564dcb847bc

Score
10/10
qakbotspx1371591786935bankercryptoneevasionpackerstealertrojan

Malware Config

Extracted

Family

qakbot

Botnet

spx137

Campaign

1591786935

C2

31.5.116.167:443

69.40.17.142:443

151.73.124.242:443

193.248.44.2:2222

188.26.249.181:443

96.41.93.96:443

46.214.86.217:443

62.121.123.57:443

66.76.105.152:443

197.165.229.113:443

173.175.29.210:443

172.242.156.50:995

5.15.237.243:443

80.240.26.178:443

209.59.86.138:443

31.5.21.66:443

105.100.59.144:443

108.30.125.94:443

67.250.184.157:443

47.146.169.85:443

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Turns off Windows Defender SpyNet reporting 2 TTPs
    evasion
  • Windows security bypass 2 TTPs
    evasiontrojan
  • CryptOne packer 4 IoCs

    Detects CryptOne packer defined in NCC blogpost.

    cryptonepacker
  • Executes dropped EXE 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 5 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\88888888.exe
    "C:\Users\Admin\AppData\Local\Temp\88888888.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4048
    • C:\Users\Admin\AppData\Local\Temp\88888888.exe
      C:\Users\Admin\AppData\Local\Temp\88888888.exe /C
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      PID:2576
    • C:\Users\Admin\AppData\Roaming\Microsoft\Eunxhmagmugy\ixibiu.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Eunxhmagmugy\ixibiu.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:208
      • C:\Users\Admin\AppData\Roaming\Microsoft\Eunxhmagmugy\ixibiu.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Eunxhmagmugy\ixibiu.exe /C
        3⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        PID:2640
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1332
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ypwovwnuz /tr "\"C:\Users\Admin\AppData\Local\Temp\88888888.exe\" /I ypwovwnuz" /SC ONCE /Z /ST 03:14 /ET 03:26
      2⤵
      • Creates scheduled task(s)
      PID:4064
  • C:\Users\Admin\AppData\Local\Temp\88888888.exe
    C:\Users\Admin\AppData\Local\Temp\88888888.exe /I ypwovwnuz
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3636
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
      2⤵
        PID:2876
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
        2⤵
          PID:3836
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
          2⤵
            PID:1652
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
            2⤵
              PID:3980
            • C:\Windows\system32\reg.exe
              C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
              2⤵
                PID:2884
              • C:\Windows\system32\reg.exe
                C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
                2⤵
                  PID:500
                • C:\Windows\system32\reg.exe
                  C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
                  2⤵
                    PID:1788
                  • C:\Windows\system32\reg.exe
                    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
                    2⤵
                      PID:3892
                    • C:\Windows\system32\reg.exe
                      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Eunxhmagmugy" /d "0"
                      2⤵
                        PID:3164
                      • C:\Users\Admin\AppData\Roaming\Microsoft\Eunxhmagmugy\ixibiu.exe
                        C:\Users\Admin\AppData\Roaming\Microsoft\Eunxhmagmugy\ixibiu.exe
                        2⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        PID:184
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\88888888.exe"
                        2⤵
                        • Suspicious use of WriteProcessMemory
                        PID:3352
                        • C:\Windows\system32\PING.EXE
                          ping.exe -n 6 127.0.0.1
                          3⤵
                          • Runs ping.exe
                          PID:2868
                      • C:\Windows\system32\schtasks.exe
                        "C:\Windows\system32\schtasks.exe" /DELETE /F /TN ypwovwnuz
                        2⤵
                          PID:3568

                      Network

                      MITRE ATT&CK Matrix ATT&CK v6

                      Initial Access

                      Execution

                      Scheduled Task

                      1
                      T1053

                      Persistence

                      Scheduled Task

                      1
                      T1053

                      Privilege Escalation

                      Scheduled Task

                      1
                      T1053

                      Defense Evasion

                      Disabling Security Tools

                      2
                      T1089

                      Modify Registry

                      2
                      T1112

                      Credential Access

                      Discovery

                      Query Registry

                      1
                      T1012

                      Peripheral Device Discovery

                      1
                      T1120

                      System Information Discovery

                      1
                      T1082

                      Remote System Discovery

                      1
                      T1018

                      Lateral Movement

                      Collection

                      Exfiltration

                      Command and Control

                      Impact

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Roaming\Microsoft\Eunxhmagmugy\ixibiu.dat
                        MD5

                        6df061d7ff09efac96f908bad209e32e

                        SHA1

                        e885d475fbb2e871e0c66e01ee752bfe47349d23

                        SHA256

                        ab0de5cfec34e85e13624434add5625aeb6e0e195374cd905e7849dd3ef47509

                        SHA512

                        3f6f1346147bbf14328cfd59a0aab8aa8e3ad645cf85cd97388f931a1e78758a836c34424b8daa1e1fc920383dc297da92bba89f4fe29d4d959fdff73f610600

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Microsoft\Eunxhmagmugy\ixibiu.exe
                        MD5

                        086a4a65d3ea48a2e4e069ae1002335b

                        SHA1

                        ae0751887692ce6537f05c37dbe811eaa2f56a75

                        SHA256

                        f392fec11d15f4c5ca3f5c340c28e99bd19f99d59422b5598fd818be653502bb

                        SHA512

                        1655b6bd0b9a6047f6ba60fab8c37515b70b2b039129033ad3452cadeb6f4b05bf7b750ba7e39392b53daf4cb145ab9fdee863dc981c5121dafa3564dcb847bc

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Microsoft\Eunxhmagmugy\ixibiu.exe
                        MD5

                        086a4a65d3ea48a2e4e069ae1002335b

                        SHA1

                        ae0751887692ce6537f05c37dbe811eaa2f56a75

                        SHA256

                        f392fec11d15f4c5ca3f5c340c28e99bd19f99d59422b5598fd818be653502bb

                        SHA512

                        1655b6bd0b9a6047f6ba60fab8c37515b70b2b039129033ad3452cadeb6f4b05bf7b750ba7e39392b53daf4cb145ab9fdee863dc981c5121dafa3564dcb847bc

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Microsoft\Eunxhmagmugy\ixibiu.exe
                        MD5

                        086a4a65d3ea48a2e4e069ae1002335b

                        SHA1

                        ae0751887692ce6537f05c37dbe811eaa2f56a75

                        SHA256

                        f392fec11d15f4c5ca3f5c340c28e99bd19f99d59422b5598fd818be653502bb

                        SHA512

                        1655b6bd0b9a6047f6ba60fab8c37515b70b2b039129033ad3452cadeb6f4b05bf7b750ba7e39392b53daf4cb145ab9fdee863dc981c5121dafa3564dcb847bc

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Microsoft\Eunxhmagmugy\ixibiu.exe
                        MD5

                        086a4a65d3ea48a2e4e069ae1002335b

                        SHA1

                        ae0751887692ce6537f05c37dbe811eaa2f56a75

                        SHA256

                        f392fec11d15f4c5ca3f5c340c28e99bd19f99d59422b5598fd818be653502bb

                        SHA512

                        1655b6bd0b9a6047f6ba60fab8c37515b70b2b039129033ad3452cadeb6f4b05bf7b750ba7e39392b53daf4cb145ab9fdee863dc981c5121dafa3564dcb847bc

                        Download Submit
                      • memory/184-21-0x0000000000000000-mapping.dmp
                        Download
                      • memory/208-9-0x00000000026E0000-0x000000000271A000-memory.dmp
                        Filesize

                        232KB

                        Download
                      • memory/208-2-0x0000000000000000-mapping.dmp
                        Download
                      • memory/500-17-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1332-10-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1652-14-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1788-18-0x0000000000000000-mapping.dmp
                        Download
                      • memory/2576-0-0x0000000000000000-mapping.dmp
                        Download
                      • memory/2576-1-0x00000000026E0000-0x00000000026E1000-memory.dmp
                        Filesize

                        4KB

                        Download
                      • memory/2640-6-0x0000000000000000-mapping.dmp
                        Download
                      • memory/2640-8-0x0000000002730000-0x0000000002731000-memory.dmp
                        Filesize

                        4KB

                        Download
                      • memory/2868-25-0x0000000000000000-mapping.dmp
                        Download
                      • memory/2876-12-0x0000000000000000-mapping.dmp
                        Download
                      • memory/2884-16-0x0000000000000000-mapping.dmp
                        Download
                      • memory/3164-20-0x0000000000000000-mapping.dmp
                        Download
                      • memory/3352-23-0x0000000000000000-mapping.dmp
                        Download
                      • memory/3568-24-0x0000000000000000-mapping.dmp
                        Download
                      • memory/3836-13-0x0000000000000000-mapping.dmp
                        Download
                      • memory/3892-19-0x0000000000000000-mapping.dmp
                        Download
                      • memory/3980-15-0x0000000000000000-mapping.dmp
                        Download
                      • memory/4064-5-0x0000000000000000-mapping.dmp
                        Download