Overview

overview

10

Static

static

8

300 seconds - Win. 10

windows10_x64

10

Analysis

  • max time kernel
    272s
  • max time network
    256s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    01-02-2021 21:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    instrument indenture-02.01.2021.doc

  • Size

    96KB

  • MD5

    c7fc5be51f654e57565433c27e21ebdf

  • SHA1

    8c22bbc802f4642e3288c6fe86a0effd05999648

  • SHA256

    b725a95dcff65cabaf87a5fe095bd762da131230289d08d9f8a82738b7f08221

  • SHA512

    5a48447f1903dd8a32709579877eb7927c03559a965e36c2a7f16584ff0bf5724f6b28d0e091e895e9fe8d63f9c642b4751938de27e86bd34c4b0340ef679385

Score
10/10
qakbotkrk011611569149bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Botnet

krk01

Campaign

1611569149

C2

31.5.21.66:995

89.3.198.238:443

202.188.138.162:443

188.24.128.253:443

175.141.219.71:443

151.60.15.183:443

184.189.122.72:443

80.227.5.70:443

140.82.49.12:443

89.211.241.100:995

81.97.154.100:443

77.27.174.49:995

92.154.83.96:2078

42.3.8.54:443

71.187.170.235:443

46.153.36.53:995

71.182.142.63:443

105.186.102.16:443

50.244.112.106:443

78.63.226.32:443

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of FindShellTrayWindow 10 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\instrument indenture-02.01.2021.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4760
    • \??\c:\programdata\xml.com
      c:\programdata\xml.com process list /format : ".xsl"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4272
      • C:\Windows\SYSTEM32\regsvr32.exe
        regsvr32 c:\programdata\28564.jpg
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:672
        • C:\Windows\SysWOW64\regsvr32.exe
          c:\programdata\28564.jpg
          4⤵
          • Loads dropped DLL
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:880
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3524
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn afgpdgpmi /tr "regsvr32.exe -s \"c:\programdata\28564.jpg\"" /SC ONCE /Z /ST 21:33 /ET 21:45
              6⤵
              • Creates scheduled task(s)
              PID:4552
  • \??\c:\windows\system32\regsvr32.exe
    regsvr32.exe -s "c:\programdata\28564.jpg"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4544
    • C:\Windows\SysWOW64\regsvr32.exe
      -s "c:\programdata\28564.jpg"
      2⤵
      • Loads dropped DLL
      PID:4628
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 596
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4736

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

3
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\xml.com
    MD5

    4191f61f2449ccc2bc2f2ac6d8898ce7

    SHA1

    d49936fc8a03561214ce4bf9791ca59e94ab8fe9

    SHA256

    74d21e1349aab027cd02d15f2428028c028592f265d1830c8dfc407f9bf76173

    SHA512

    fe67059bc374cc2d39dd01c22c2183ca44a8e04050d633f78d4eac415ae4528c378c7504ea3cc4b6923675256ae3af199b3a498243a4ca1a4d0f61f2e086821f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\.xsl
    MD5

    b9b97c1cc306daa8a39d668d1f8b5158

    SHA1

    3ec3686e1cf1b125e8d38b8be73d20497a407238

    SHA256

    6ba0f78abe26841497ddfae7582b83a5347b87380b3586c6f860776e6b7fd247

    SHA512

    296d2b3f05bf21de6f149c368819c873ec504cb4fd160835348d0769aebdaef02acff8350c517bad3c330bc20848ef1cf706636596bade07b332e113e0fad1e3

    Download Submit
  • \??\c:\programdata\28564.jpg
    MD5

    b474b3bdc26525cb9ac34a141e752458

    SHA1

    d6381af58431b93bef86cb9ece43aa6d2f5222ed

    SHA256

    8890d48399514e0cb9d03a4182163e09ca7c489e0961a8b893d3f1f3c6780963

    SHA512

    5f89291a241ee8b739c2a12248b5e0fb866125ecaff0a43f4f919acb73766acd445237e7dfd3cf8339c32b1076dd47a803477f4c29ff58863a2d8495ed3813e8

    Download Submit
  • \??\c:\programdata\28564.jpg
    MD5

    ab335c2a416383c748615aed31707260

    SHA1

    6afaf5458cd0caef19db7755d5ef8aa7a6f39474

    SHA256

    060fd250d8ef9ae8a143790cbd787ac09516c58ba60eda57aa68b412d58ef2cd

    SHA512

    1acb60cbcb5ecd9280395567670ed965267e7ca5f42df5bac889457d10d122b650c267252e9520b76be814c4414f320ca7cc5eb62bbf7cd970ec2b88cbf161fd

    Download Submit
  • \??\c:\programdata\xml.com
    MD5

    4191f61f2449ccc2bc2f2ac6d8898ce7

    SHA1

    d49936fc8a03561214ce4bf9791ca59e94ab8fe9

    SHA256

    74d21e1349aab027cd02d15f2428028c028592f265d1830c8dfc407f9bf76173

    SHA512

    fe67059bc374cc2d39dd01c22c2183ca44a8e04050d633f78d4eac415ae4528c378c7504ea3cc4b6923675256ae3af199b3a498243a4ca1a4d0f61f2e086821f

    Download Submit
  • \ProgramData\28564.jpg
    MD5

    b474b3bdc26525cb9ac34a141e752458

    SHA1

    d6381af58431b93bef86cb9ece43aa6d2f5222ed

    SHA256

    8890d48399514e0cb9d03a4182163e09ca7c489e0961a8b893d3f1f3c6780963

    SHA512

    5f89291a241ee8b739c2a12248b5e0fb866125ecaff0a43f4f919acb73766acd445237e7dfd3cf8339c32b1076dd47a803477f4c29ff58863a2d8495ed3813e8

    Download Submit
  • \ProgramData\28564.jpg
    MD5

    ab335c2a416383c748615aed31707260

    SHA1

    6afaf5458cd0caef19db7755d5ef8aa7a6f39474

    SHA256

    060fd250d8ef9ae8a143790cbd787ac09516c58ba60eda57aa68b412d58ef2cd

    SHA512

    1acb60cbcb5ecd9280395567670ed965267e7ca5f42df5bac889457d10d122b650c267252e9520b76be814c4414f320ca7cc5eb62bbf7cd970ec2b88cbf161fd

    Download Submit
  • memory/672-12-0x0000000000000000-mapping.dmp
    Download
  • memory/880-19-0x00000000006F0000-0x00000000006F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/880-17-0x0000000010000000-0x0000000010035000-memory.dmp
    Filesize

    212KB

    Download
  • memory/880-14-0x0000000000000000-mapping.dmp
    Download
  • memory/3524-26-0x0000000000000000-mapping.dmp
    Download
  • memory/3524-27-0x0000000000600000-0x0000000000635000-memory.dmp
    Filesize

    212KB

    Download
  • memory/3524-29-0x0000000000600000-0x0000000000635000-memory.dmp
    Filesize

    212KB

    Download
  • memory/4272-7-0x0000000000000000-mapping.dmp
    Download
  • memory/4552-28-0x0000000000000000-mapping.dmp
    Download
  • memory/4628-31-0x0000000000000000-mapping.dmp
    Download
  • memory/4736-33-0x0000000000730000-0x0000000000731000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4760-18-0x00007FFAEBE00000-0x00007FFAEE923000-memory.dmp
    Filesize

    43.1MB

    Download
  • memory/4760-20-0x00007FFAEBE00000-0x00007FFAEE923000-memory.dmp
    Filesize

    43.1MB

    Download
  • memory/4760-22-0x00007FFACA170000-0x00007FFACA180000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4760-23-0x00007FFACA170000-0x00007FFACA180000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4760-24-0x00007FFACA170000-0x00007FFACA180000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4760-25-0x00007FFACA170000-0x00007FFACA180000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4760-2-0x00007FFACA170000-0x00007FFACA180000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4760-21-0x00007FFAEBE00000-0x00007FFAEE923000-memory.dmp
    Filesize

    43.1MB

    Download
  • memory/4760-10-0x0000028FEDBE0000-0x0000028FEDBE4000-memory.dmp
    Filesize

    16KB

    Download
  • memory/4760-5-0x0000028FDF240000-0x0000028FDF877000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/4760-4-0x00007FFACA170000-0x00007FFACA180000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4760-6-0x00007FFACA170000-0x00007FFACA180000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4760-3-0x00007FFACA170000-0x00007FFACA180000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4760-16-0x00007FFAEBE00000-0x00007FFAEE923000-memory.dmp
    Filesize

    43.1MB

    Download