Overview

overview

10

Static

static

8

600 seconds - Win. 10

windows10_x64

10

Analysis

  • max time kernel
    546s
  • max time network
    597s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    04-02-2021 18:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bid,02.21.doc

  • Size

    95KB

  • MD5

    8d4ca32c865cbc75fb529bc64730c453

  • SHA1

    334c4352dbda3759ca503a6118bc2ddb09b6f9d7

  • SHA256

    53b9aaed11c3bff95b8baeef19467b11ab6ef362e2f8b550ee531babbddd9e0f

  • SHA512

    3bd039c6d748008d76d5095be0130763e74dd68929e1f8878c557e92bff5742731fdfddbb38171b4f6c13ed42e7339ea4bd54c975d6f36015ea6f7b2bfb66f50

Score
10/10
qakbotkrk011611569149bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Botnet

krk01

Campaign

1611569149

C2

31.5.21.66:995

89.3.198.238:443

202.188.138.162:443

188.24.128.253:443

175.141.219.71:443

151.60.15.183:443

184.189.122.72:443

80.227.5.70:443

140.82.49.12:443

89.211.241.100:995

81.97.154.100:443

77.27.174.49:995

92.154.83.96:2078

42.3.8.54:443

71.187.170.235:443

46.153.36.53:995

71.182.142.63:443

105.186.102.16:443

50.244.112.106:443

78.63.226.32:443

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 10 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Discovers systems in the same network 1 TTPs 1 IoCs
    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Modifies Control Panel 1 IoCs
    evasion
  • Runs net.exe
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 79 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bid,02.21.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2632
    • C:\programdata\xml.com
      "C:\programdata\xml.com" process list /format : "c:\programdata\i.xsl"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1572
      • C:\Windows\SYSTEM32\regsvr32.exe
        regsvr32 c:\programdata\1271.jpg
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3012
        • C:\Windows\SysWOW64\regsvr32.exe
          c:\programdata\1271.jpg
          4⤵
          • Loads dropped DLL
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:744
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:3780
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn rxnrcabmk /tr "regsvr32.exe -s \"c:\programdata\1271.jpg\"" /SC ONCE /Z /ST 19:30 /ET 19:42
              6⤵
              • Creates scheduled task(s)
              PID:3632
            • C:\Windows\SysWOW64\whoami.exe
              whoami /all
              6⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:956
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c set
              6⤵
                PID:1776
              • C:\Windows\SysWOW64\arp.exe
                arp -a
                6⤵
                  PID:1096
                • C:\Windows\SysWOW64\ipconfig.exe
                  ipconfig /all
                  6⤵
                  • Gathers network information
                  PID:4008
                • C:\Windows\SysWOW64\net.exe
                  net view /all
                  6⤵
                  • Discovers systems in the same network
                  PID:492
                • C:\Windows\SysWOW64\nslookup.exe
                  nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.WORKGROUP
                  6⤵
                    PID:848
                  • C:\Windows\SysWOW64\net.exe
                    net share
                    6⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1264
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 share
                      7⤵
                        PID:1388
                    • C:\Windows\SysWOW64\route.exe
                      route print
                      6⤵
                        PID:2964
                      • C:\Windows\SysWOW64\netstat.exe
                        netstat -nao
                        6⤵
                        • Gathers network information
                        PID:424
                      • C:\Windows\SysWOW64\net.exe
                        net localgroup
                        6⤵
                        • Suspicious use of WriteProcessMemory
                        PID:852
                        • C:\Windows\SysWOW64\net1.exe
                          C:\Windows\system32\net1 localgroup
                          7⤵
                            PID:2180
                        • C:\Windows\SysWOW64\explorer.exe
                          C:\Windows\SysWOW64\explorer.exe
                          6⤵
                            PID:1984
                • \??\c:\windows\system32\regsvr32.exe
                  regsvr32.exe -s "c:\programdata\1271.jpg"
                  1⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3552
                  • C:\Windows\SysWOW64\regsvr32.exe
                    -s "c:\programdata\1271.jpg"
                    2⤵
                    • Loads dropped DLL
                    PID:3732
                • C:\Windows\ImmersiveControlPanel\SystemSettings.exe
                  "C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
                  1⤵
                  • Checks SCSI registry key(s)
                  • Modifies Control Panel
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  PID:1664
                • C:\Windows\system32\msiexec.exe
                  C:\Windows\system32\msiexec.exe /V
                  1⤵
                    PID:60

                  Network

                  MITRE ATT&CK Matrix ATT&CK v6

                  Initial Access

                  Execution

                  Scheduled Task

                  1
                  T1053

                  Command-Line Interface

                  1
                  T1059

                  Persistence

                  Scheduled Task

                  1
                  T1053

                  Privilege Escalation

                  Scheduled Task

                  1
                  T1053

                  Defense Evasion

                  Credential Access

                  Discovery

                  Query Registry

                  3
                  T1012

                  Peripheral Device Discovery

                  1
                  T1120

                  System Information Discovery

                  4
                  T1082

                  Remote System Discovery

                  1
                  T1018

                  Lateral Movement

                  Collection

                  Exfiltration

                  Command and Control

                  Impact

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\ProgramData\xml.com
                    MD5

                    4191f61f2449ccc2bc2f2ac6d8898ce7

                    SHA1

                    d49936fc8a03561214ce4bf9791ca59e94ab8fe9

                    SHA256

                    74d21e1349aab027cd02d15f2428028c028592f265d1830c8dfc407f9bf76173

                    SHA512

                    fe67059bc374cc2d39dd01c22c2183ca44a8e04050d633f78d4eac415ae4528c378c7504ea3cc4b6923675256ae3af199b3a498243a4ca1a4d0f61f2e086821f

                    Download Submit
                  • C:\programdata\xml.com
                    MD5

                    4191f61f2449ccc2bc2f2ac6d8898ce7

                    SHA1

                    d49936fc8a03561214ce4bf9791ca59e94ab8fe9

                    SHA256

                    74d21e1349aab027cd02d15f2428028c028592f265d1830c8dfc407f9bf76173

                    SHA512

                    fe67059bc374cc2d39dd01c22c2183ca44a8e04050d633f78d4eac415ae4528c378c7504ea3cc4b6923675256ae3af199b3a498243a4ca1a4d0f61f2e086821f

                    Download Submit
                  • \??\c:\programdata\1271.jpg
                    MD5

                    9ceaf757400b02d2564db76c5ee72100

                    SHA1

                    86e6abdb76e29a64ca6adf1c32b449d4602a93ea

                    SHA256

                    e2887a017165076e46262e8b40b02b356dcd44509628151c4662dd5704efe145

                    SHA512

                    c448201e7c43cf47e475e29fc79a003795862fe98c7e0c600efc9bc9498bf256b4db9b05a64e7f3fb55869c17073ef1ac5690a9710a9ff3b0562b3b089edc333

                    Download Submit
                  • \??\c:\programdata\1271.jpg
                    MD5

                    f59947ac6215cd2494fed1197aef030f

                    SHA1

                    ebc5b88172ffc9a3c50e5782df253d9c8aee2882

                    SHA256

                    7699fb4fcd6bbc12757623fc62b42a76fe0b0c89529656aaff9c020795dd0ad3

                    SHA512

                    f92175a331b7af5b71870bd5cf80d33ac8317480922d4547621e3a970a723acbf25f73453837b0ed53259ee83720af53d89e977fd9d8e170502c2e93c7f1fd0d

                    Download Submit
                  • \??\c:\programdata\i.xsl
                    MD5

                    3bfe49781b0c5ebfce69bf1815076111

                    SHA1

                    12af9552ed24477939ad337973643ec758e62721

                    SHA256

                    5243d6b20c66df6fb8e02b17b4963a8b33d4b907209fa08bf024becb341628a3

                    SHA512

                    65a8535574bad660a9b4bc8b1bbcb0e479a40843c51432f8313248064bb6457bd2a9846c5a6fc382090942efb3b6ac9860a67a3876ff40a20923347ab45c0e3c

                    Download Submit
                  • \ProgramData\1271.jpg
                    MD5

                    9ceaf757400b02d2564db76c5ee72100

                    SHA1

                    86e6abdb76e29a64ca6adf1c32b449d4602a93ea

                    SHA256

                    e2887a017165076e46262e8b40b02b356dcd44509628151c4662dd5704efe145

                    SHA512

                    c448201e7c43cf47e475e29fc79a003795862fe98c7e0c600efc9bc9498bf256b4db9b05a64e7f3fb55869c17073ef1ac5690a9710a9ff3b0562b3b089edc333

                    Download Submit
                  • \ProgramData\1271.jpg
                    MD5

                    f59947ac6215cd2494fed1197aef030f

                    SHA1

                    ebc5b88172ffc9a3c50e5782df253d9c8aee2882

                    SHA256

                    7699fb4fcd6bbc12757623fc62b42a76fe0b0c89529656aaff9c020795dd0ad3

                    SHA512

                    f92175a331b7af5b71870bd5cf80d33ac8317480922d4547621e3a970a723acbf25f73453837b0ed53259ee83720af53d89e977fd9d8e170502c2e93c7f1fd0d

                    Download Submit
                  • memory/424-42-0x0000000000000000-mapping.dmp
                    Download
                  • memory/492-37-0x0000000000000000-mapping.dmp
                    Download
                  • memory/744-24-0x0000000074330000-0x0000000074365000-memory.dmp
                    Filesize

                    212KB

                    Download
                  • memory/744-14-0x0000000000000000-mapping.dmp
                    Download
                  • memory/744-25-0x00000000010B0000-0x00000000010B1000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/848-38-0x0000000000000000-mapping.dmp
                    Download
                  • memory/852-43-0x0000000000000000-mapping.dmp
                    Download
                  • memory/956-33-0x0000000000000000-mapping.dmp
                    Download
                  • memory/1096-35-0x0000000000000000-mapping.dmp
                    Download
                  • memory/1264-39-0x0000000000000000-mapping.dmp
                    Download
                  • memory/1388-40-0x0000000000000000-mapping.dmp
                    Download
                  • memory/1572-8-0x0000000000000000-mapping.dmp
                    Download
                  • memory/1776-34-0x0000000000000000-mapping.dmp
                    Download
                  • memory/1984-46-0x0000000003470000-0x00000000034A5000-memory.dmp
                    Filesize

                    212KB

                    Download
                  • memory/1984-45-0x0000000000000000-mapping.dmp
                    Download
                  • memory/1984-47-0x0000000005050000-0x00000000050C5000-memory.dmp
                    Filesize

                    468KB

                    Download
                  • memory/2180-44-0x0000000000000000-mapping.dmp
                    Download
                  • memory/2632-21-0x00007FF967810000-0x00007FF967820000-memory.dmp
                    Filesize

                    64KB

                    Download
                  • memory/2632-4-0x00007FF967810000-0x00007FF967820000-memory.dmp
                    Filesize

                    64KB

                    Download
                  • memory/2632-7-0x0000022FC3600000-0x0000022FC3604000-memory.dmp
                    Filesize

                    16KB

                    Download
                  • memory/2632-16-0x00007FF988D40000-0x00007FF98B863000-memory.dmp
                    Filesize

                    43.1MB

                    Download
                  • memory/2632-6-0x00007FF9870E0000-0x00007FF987717000-memory.dmp
                    Filesize

                    6.2MB

                    Download
                  • memory/2632-17-0x00007FF988D40000-0x00007FF98B863000-memory.dmp
                    Filesize

                    43.1MB

                    Download
                  • memory/2632-5-0x00007FF967810000-0x00007FF967820000-memory.dmp
                    Filesize

                    64KB

                    Download
                  • memory/2632-18-0x00007FF988D40000-0x00007FF98B863000-memory.dmp
                    Filesize

                    43.1MB

                    Download
                  • memory/2632-2-0x00007FF967810000-0x00007FF967820000-memory.dmp
                    Filesize

                    64KB

                    Download
                  • memory/2632-22-0x00007FF967810000-0x00007FF967820000-memory.dmp
                    Filesize

                    64KB

                    Download
                  • memory/2632-19-0x00007FF988D40000-0x00007FF98B863000-memory.dmp
                    Filesize

                    43.1MB

                    Download
                  • memory/2632-3-0x00007FF967810000-0x00007FF967820000-memory.dmp
                    Filesize

                    64KB

                    Download
                  • memory/2632-23-0x00007FF967810000-0x00007FF967820000-memory.dmp
                    Filesize

                    64KB

                    Download
                  • memory/2632-20-0x00007FF967810000-0x00007FF967820000-memory.dmp
                    Filesize

                    64KB

                    Download
                  • memory/2964-41-0x0000000000000000-mapping.dmp
                    Download
                  • memory/3012-12-0x0000000000000000-mapping.dmp
                    Download
                  • memory/3632-28-0x0000000000000000-mapping.dmp
                    Download
                  • memory/3732-31-0x0000000000000000-mapping.dmp
                    Download
                  • memory/3780-27-0x0000000000400000-0x0000000000435000-memory.dmp
                    Filesize

                    212KB

                    Download
                  • memory/3780-26-0x0000000000000000-mapping.dmp
                    Download
                  • memory/3780-29-0x0000000000400000-0x0000000000435000-memory.dmp
                    Filesize

                    212KB

                    Download
                  • memory/4008-36-0x0000000000000000-mapping.dmp
                    Download