Overview

overview

10

Static

static

9

PicturesViewer.exe

windows7_x64

10

PicturesViewer.exe

windows10_x64

10

Analysis

  • max time kernel
    135s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    03-05-2021 13:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PicturesViewer.exe

  • Size

    673KB

  • MD5

    c8f1fdd8dd3724f89cef6d9ea9ec85fd

  • SHA1

    30d5e006337e17b512ff5ed878cc1beb1664abb0

  • SHA256

    7ceaaa2ae96ba6400a09c96ae63a472a6b54535833a8eb5a9bba1afa7645c571

  • SHA512

    0dce8b7705707318f8c227e9a9fcf363884b20374c05f233217042f1272ca0921ea637ca435de56f618463cf00cd234cc006de47ac62112047425add28ea1a73

Score
10/10
qakbotspx1251590138228bankercryptoneevasionpackerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

324.141

Botnet

spx125

Campaign

1590138228

C2

190.75.168.108:2078

93.114.192.211:2222

47.39.76.74:443

182.56.134.44:995

24.201.79.208:2078

207.246.71.122:443

50.244.112.10:443

88.207.27.144:443

72.204.242.138:443

72.204.242.138:2078

72.204.242.138:990

76.187.8.160:443

220.135.31.140:2222

86.126.97.183:2222

86.126.112.153:995

68.49.120.179:443

101.108.125.44:443

203.101.163.187:443

197.165.212.10:443

207.255.161.8:2078

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Turns off Windows Defender SpyNet reporting 2 TTPs
    evasion
  • Windows security bypass 2 TTPs
    evasiontrojan
  • CryptOne packer 8 IoCs

    Detects CryptOne packer defined in NCC blogpost.

    cryptonepacker
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 3 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 42 IoCs
  • Suspicious use of SendNotifyMessage 42 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
    "C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
      C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe /C
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2012
    • C:\Users\Admin\AppData\Roaming\Microsoft\Msieeyoqllae\ghjboux.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Msieeyoqllae\ghjboux.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1272
      • C:\Users\Admin\AppData\Roaming\Microsoft\Msieeyoqllae\ghjboux.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Msieeyoqllae\ghjboux.exe /C
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:896
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1328
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn jlwgxtb /tr "\"C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe\" /I jlwgxtb" /SC ONCE /Z /ST 13:37 /ET 13:49
      2⤵
      • Creates scheduled task(s)
      PID:316
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1784
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {1FDE8F07-C4DF-4444-9147-2BC9B00B8F40} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:564
    • C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
      C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe /I jlwgxtb
      2⤵
      • Loads dropped DLL
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:304
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        3⤵
          PID:1004
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
          3⤵
            PID:2020
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
            3⤵
              PID:1316
            • C:\Windows\system32\reg.exe
              C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
              3⤵
                PID:1444
              • C:\Windows\system32\reg.exe
                C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
                3⤵
                  PID:1660
                • C:\Windows\system32\reg.exe
                  C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
                  3⤵
                    PID:1696
                  • C:\Windows\system32\reg.exe
                    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
                    3⤵
                      PID:332
                    • C:\Windows\system32\reg.exe
                      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
                      3⤵
                        PID:540
                      • C:\Windows\system32\reg.exe
                        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Msieeyoqllae" /d "0"
                        3⤵
                          PID:1416
                        • C:\Users\Admin\AppData\Roaming\Microsoft\Msieeyoqllae\ghjboux.exe
                          C:\Users\Admin\AppData\Roaming\Microsoft\Msieeyoqllae\ghjboux.exe
                          3⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          PID:896
                          • C:\Users\Admin\AppData\Roaming\Microsoft\Msieeyoqllae\ghjboux.exe
                            C:\Users\Admin\AppData\Roaming\Microsoft\Msieeyoqllae\ghjboux.exe /C
                            4⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            PID:764
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe"
                          3⤵
                            PID:928
                            • C:\Windows\system32\PING.EXE
                              ping.exe -n 6 127.0.0.1
                              4⤵
                              • Runs ping.exe
                              PID:1368
                          • C:\Windows\system32\schtasks.exe
                            "C:\Windows\system32\schtasks.exe" /DELETE /F /TN jlwgxtb
                            3⤵
                              PID:624

                        Network

                        MITRE ATT&CK Matrix ATT&CK v6

                        Initial Access

                        Execution

                        Scheduled Task

                        1
                        T1053

                        Persistence

                        Scheduled Task

                        1
                        T1053

                        Privilege Escalation

                        Scheduled Task

                        1
                        T1053

                        Defense Evasion

                        Disabling Security Tools

                        2
                        T1089

                        Modify Registry

                        2
                        T1112

                        Credential Access

                        Discovery

                        System Information Discovery

                        1
                        T1082

                        Remote System Discovery

                        1
                        T1018

                        Lateral Movement

                        Collection

                        Exfiltration

                        Command and Control

                        Impact

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Roaming\Microsoft\Msieeyoqllae\ghjboux.dat
                          MD5

                          19cc5f6f1bcd117dc1696a63970da921

                          SHA1

                          b6dab230a16fea8d9c36607b6e1b138f421b5a42

                          SHA256

                          203cb2041b8ec3b7df26da8f8559da07a41865de2136ea88f86ce82c6e0284fc

                          SHA512

                          4fa016f095fe9b3edea9e62c41436bef190b26ee71c4ae6ba6aee83f240ce7dea8ab0df05e092b526d3d869be8e0670c0695919d8664ec12b8b218a6d336596f

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\Microsoft\Msieeyoqllae\ghjboux.exe
                          MD5

                          c8f1fdd8dd3724f89cef6d9ea9ec85fd

                          SHA1

                          30d5e006337e17b512ff5ed878cc1beb1664abb0

                          SHA256

                          7ceaaa2ae96ba6400a09c96ae63a472a6b54535833a8eb5a9bba1afa7645c571

                          SHA512

                          0dce8b7705707318f8c227e9a9fcf363884b20374c05f233217042f1272ca0921ea637ca435de56f618463cf00cd234cc006de47ac62112047425add28ea1a73

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\Microsoft\Msieeyoqllae\ghjboux.exe
                          MD5

                          c8f1fdd8dd3724f89cef6d9ea9ec85fd

                          SHA1

                          30d5e006337e17b512ff5ed878cc1beb1664abb0

                          SHA256

                          7ceaaa2ae96ba6400a09c96ae63a472a6b54535833a8eb5a9bba1afa7645c571

                          SHA512

                          0dce8b7705707318f8c227e9a9fcf363884b20374c05f233217042f1272ca0921ea637ca435de56f618463cf00cd234cc006de47ac62112047425add28ea1a73

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\Microsoft\Msieeyoqllae\ghjboux.exe
                          MD5

                          c8f1fdd8dd3724f89cef6d9ea9ec85fd

                          SHA1

                          30d5e006337e17b512ff5ed878cc1beb1664abb0

                          SHA256

                          7ceaaa2ae96ba6400a09c96ae63a472a6b54535833a8eb5a9bba1afa7645c571

                          SHA512

                          0dce8b7705707318f8c227e9a9fcf363884b20374c05f233217042f1272ca0921ea637ca435de56f618463cf00cd234cc006de47ac62112047425add28ea1a73

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\Microsoft\Msieeyoqllae\ghjboux.exe
                          MD5

                          c8f1fdd8dd3724f89cef6d9ea9ec85fd

                          SHA1

                          30d5e006337e17b512ff5ed878cc1beb1664abb0

                          SHA256

                          7ceaaa2ae96ba6400a09c96ae63a472a6b54535833a8eb5a9bba1afa7645c571

                          SHA512

                          0dce8b7705707318f8c227e9a9fcf363884b20374c05f233217042f1272ca0921ea637ca435de56f618463cf00cd234cc006de47ac62112047425add28ea1a73

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\Microsoft\Msieeyoqllae\ghjboux.exe
                          MD5

                          c8f1fdd8dd3724f89cef6d9ea9ec85fd

                          SHA1

                          30d5e006337e17b512ff5ed878cc1beb1664abb0

                          SHA256

                          7ceaaa2ae96ba6400a09c96ae63a472a6b54535833a8eb5a9bba1afa7645c571

                          SHA512

                          0dce8b7705707318f8c227e9a9fcf363884b20374c05f233217042f1272ca0921ea637ca435de56f618463cf00cd234cc006de47ac62112047425add28ea1a73

                          Download Submit
                        • \Users\Admin\AppData\Roaming\Microsoft\Msieeyoqllae\ghjboux.exe
                          MD5

                          c8f1fdd8dd3724f89cef6d9ea9ec85fd

                          SHA1

                          30d5e006337e17b512ff5ed878cc1beb1664abb0

                          SHA256

                          7ceaaa2ae96ba6400a09c96ae63a472a6b54535833a8eb5a9bba1afa7645c571

                          SHA512

                          0dce8b7705707318f8c227e9a9fcf363884b20374c05f233217042f1272ca0921ea637ca435de56f618463cf00cd234cc006de47ac62112047425add28ea1a73

                          Download Submit
                        • \Users\Admin\AppData\Roaming\Microsoft\Msieeyoqllae\ghjboux.exe
                          MD5

                          c8f1fdd8dd3724f89cef6d9ea9ec85fd

                          SHA1

                          30d5e006337e17b512ff5ed878cc1beb1664abb0

                          SHA256

                          7ceaaa2ae96ba6400a09c96ae63a472a6b54535833a8eb5a9bba1afa7645c571

                          SHA512

                          0dce8b7705707318f8c227e9a9fcf363884b20374c05f233217042f1272ca0921ea637ca435de56f618463cf00cd234cc006de47ac62112047425add28ea1a73

                          Download Submit
                        • \Users\Admin\AppData\Roaming\Microsoft\Msieeyoqllae\ghjboux.exe
                          MD5

                          c8f1fdd8dd3724f89cef6d9ea9ec85fd

                          SHA1

                          30d5e006337e17b512ff5ed878cc1beb1664abb0

                          SHA256

                          7ceaaa2ae96ba6400a09c96ae63a472a6b54535833a8eb5a9bba1afa7645c571

                          SHA512

                          0dce8b7705707318f8c227e9a9fcf363884b20374c05f233217042f1272ca0921ea637ca435de56f618463cf00cd234cc006de47ac62112047425add28ea1a73

                          Download Submit
                        • memory/304-90-0x0000000000400000-0x00000000004AB000-memory.dmp
                          Filesize

                          684KB

                          Download
                        • memory/304-87-0x0000000000000000-mapping.dmp
                          Download
                        • memory/316-73-0x0000000000000000-mapping.dmp
                          Download
                        • memory/332-97-0x0000000000000000-mapping.dmp
                          Download
                        • memory/540-98-0x0000000000000000-mapping.dmp
                          Download
                        • memory/624-107-0x0000000000000000-mapping.dmp
                          Download
                        • memory/764-109-0x0000000000000000-mapping.dmp
                          Download
                        • memory/896-79-0x0000000000400000-0x00000000004AB000-memory.dmp
                          Filesize

                          684KB

                          Download
                        • memory/896-75-0x0000000000000000-mapping.dmp
                          Download
                        • memory/896-101-0x0000000000000000-mapping.dmp
                          Download
                        • memory/928-106-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1004-91-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1272-72-0x0000000000400000-0x00000000004AB000-memory.dmp
                          Filesize

                          684KB

                          Download
                        • memory/1272-68-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1316-93-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1328-84-0x0000000000440000-0x0000000000472000-memory.dmp
                          Filesize

                          200KB

                          Download
                        • memory/1328-83-0x0000000000080000-0x00000000000BA000-memory.dmp
                          Filesize

                          232KB

                          Download
                        • memory/1328-82-0x0000000074CF1000-0x0000000074CF3000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/1328-80-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1368-108-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1416-99-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1444-94-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1660-95-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1672-61-0x0000000000400000-0x00000000004AB000-memory.dmp
                          Filesize

                          684KB

                          Download
                        • memory/1672-59-0x0000000075971000-0x0000000075973000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/1672-60-0x0000000000220000-0x0000000000257000-memory.dmp
                          Filesize

                          220KB

                          Download
                        • memory/1696-96-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1784-86-0x000007FEFBE41000-0x000007FEFBE43000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/2012-62-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2020-92-0x0000000000000000-mapping.dmp
                          Download