Analysis

  • max time kernel
    11s
  • max time network
    105s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    24-11-2020 09:42

General

  • Target

    99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe

  • Size

    1.0MB

  • MD5

    b4c4124ef49eef7085d34ddab3b4ae9f

  • SHA1

    87e3ffc0b6274a3084d1b0f97af29037bcc317bf

  • SHA256

    99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39

  • SHA512

    20e0c48b4ada8916ef03cb92b92a9c3557327feaacb409bac648b8d50f1c7ae9d2ddc89ad931bfebaf5af8ac16b1a8a2012d2832facb015379748ad8d6946955

Malware Config

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:8
    • C:\Users\Admin\AppData\Local\Temp\99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe
      C:\Users\Admin\AppData\Local\Temp\99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe /C
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      PID:3232
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:212
      • C:\Windows\SysWOW64\PING.EXE
        ping.exe -n 6 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1016

Network

MITRE ATT&CK Matrix ATT&CK v6

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/212-2-0x0000000000000000-mapping.dmp
  • memory/1016-3-0x0000000000000000-mapping.dmp
  • memory/3232-0-0x0000000000000000-mapping.dmp
  • memory/3232-1-0x0000000002870000-0x0000000002871000-memory.dmp
    Filesize

    4KB