Overview

overview

10

Static

static

9

PicturesViewer.exe

windows7_x64

10

PicturesViewer.exe

windows10_x64

10

Analysis

  • max time kernel
    124s
  • max time network
    110s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    03-05-2021 13:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PicturesViewer.exe

  • Size

    673KB

  • MD5

    c8f1fdd8dd3724f89cef6d9ea9ec85fd

  • SHA1

    30d5e006337e17b512ff5ed878cc1beb1664abb0

  • SHA256

    7ceaaa2ae96ba6400a09c96ae63a472a6b54535833a8eb5a9bba1afa7645c571

  • SHA512

    0dce8b7705707318f8c227e9a9fcf363884b20374c05f233217042f1272ca0921ea637ca435de56f618463cf00cd234cc006de47ac62112047425add28ea1a73

Score
10/10
qakbotspx1251590138228bankercryptoneevasionpackerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

324.141

Botnet

spx125

Campaign

1590138228

C2

190.75.168.108:2078

93.114.192.211:2222

47.39.76.74:443

182.56.134.44:995

24.201.79.208:2078

207.246.71.122:443

50.244.112.10:443

88.207.27.144:443

72.204.242.138:443

72.204.242.138:2078

72.204.242.138:990

76.187.8.160:443

220.135.31.140:2222

86.126.97.183:2222

86.126.112.153:995

68.49.120.179:443

101.108.125.44:443

203.101.163.187:443

197.165.212.10:443

207.255.161.8:2078

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Turns off Windows Defender SpyNet reporting 2 TTPs
    evasion
  • Windows security bypass 2 TTPs
    evasiontrojan
  • CryptOne packer 5 IoCs

    Detects CryptOne packer defined in NCC blogpost.

    cryptonepacker
  • Executes dropped EXE 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 18 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 5 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
    "C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3232
    • C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
      C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe /C
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      PID:1948
    • C:\Users\Admin\AppData\Roaming\Microsoft\Wluynlwlgf\exotku.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Wluynlwlgf\exotku.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3076
      • C:\Users\Admin\AppData\Roaming\Microsoft\Wluynlwlgf\exotku.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Wluynlwlgf\exotku.exe /C
        3⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        PID:3168
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2120
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn iuwxvar /tr "\"C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe\" /I iuwxvar" /SC ONCE /Z /ST 13:37 /ET 13:49
      2⤵
      • Creates scheduled task(s)
      PID:3360
  • C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
    C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe /I iuwxvar
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
      2⤵
        PID:520
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
        2⤵
          PID:660
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
          2⤵
            PID:3356
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
            2⤵
              PID:4048
            • C:\Windows\system32\reg.exe
              C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
              2⤵
                PID:3740
              • C:\Windows\system32\reg.exe
                C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
                2⤵
                  PID:4052
                • C:\Windows\system32\reg.exe
                  C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
                  2⤵
                    PID:3652
                  • C:\Windows\system32\reg.exe
                    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
                    2⤵
                      PID:3724
                    • C:\Windows\system32\reg.exe
                      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Wluynlwlgf" /d "0"
                      2⤵
                        PID:1536
                      • C:\Users\Admin\AppData\Roaming\Microsoft\Wluynlwlgf\exotku.exe
                        C:\Users\Admin\AppData\Roaming\Microsoft\Wluynlwlgf\exotku.exe
                        2⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of WriteProcessMemory
                        PID:1660
                        • C:\Users\Admin\AppData\Roaming\Microsoft\Wluynlwlgf\exotku.exe
                          C:\Users\Admin\AppData\Roaming\Microsoft\Wluynlwlgf\exotku.exe /C
                          3⤵
                          • Executes dropped EXE
                          • Checks SCSI registry key(s)
                          • Suspicious behavior: EnumeratesProcesses
                          PID:1308
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe"
                        2⤵
                        • Suspicious use of WriteProcessMemory
                        PID:528
                        • C:\Windows\system32\PING.EXE
                          ping.exe -n 6 127.0.0.1
                          3⤵
                          • Runs ping.exe
                          PID:1896
                      • C:\Windows\system32\schtasks.exe
                        "C:\Windows\system32\schtasks.exe" /DELETE /F /TN iuwxvar
                        2⤵
                          PID:2116

                      Network

                      MITRE ATT&CK Matrix ATT&CK v6

                      Initial Access

                      Execution

                      Scheduled Task

                      1
                      T1053

                      Persistence

                      Scheduled Task

                      1
                      T1053

                      Privilege Escalation

                      Scheduled Task

                      1
                      T1053

                      Defense Evasion

                      Disabling Security Tools

                      2
                      T1089

                      Modify Registry

                      2
                      T1112

                      Credential Access

                      Discovery

                      System Information Discovery

                      2
                      T1082

                      Query Registry

                      1
                      T1012

                      Peripheral Device Discovery

                      1
                      T1120

                      Remote System Discovery

                      1
                      T1018

                      Lateral Movement

                      Collection

                      Exfiltration

                      Command and Control

                      Impact

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Roaming\Microsoft\Wluynlwlgf\exotku.dat
                        MD5

                        98a8418a19660b653ab680fa8a107272

                        SHA1

                        6586979617db1361927dab714d529491965794af

                        SHA256

                        e88814ad9f37728260899df261e4deb7b0e66f6615efdee845e6d6e4c4261e07

                        SHA512

                        0192744b423bc00a86bb5083955ba368ccdd390dadcd935ec57384385dfe1ff6bdcd4dbba35c587050b5d147c67120a2ce18ded704fb6a56400812c817a41f0e

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Microsoft\Wluynlwlgf\exotku.exe
                        MD5

                        c8f1fdd8dd3724f89cef6d9ea9ec85fd

                        SHA1

                        30d5e006337e17b512ff5ed878cc1beb1664abb0

                        SHA256

                        7ceaaa2ae96ba6400a09c96ae63a472a6b54535833a8eb5a9bba1afa7645c571

                        SHA512

                        0dce8b7705707318f8c227e9a9fcf363884b20374c05f233217042f1272ca0921ea637ca435de56f618463cf00cd234cc006de47ac62112047425add28ea1a73

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Microsoft\Wluynlwlgf\exotku.exe
                        MD5

                        c8f1fdd8dd3724f89cef6d9ea9ec85fd

                        SHA1

                        30d5e006337e17b512ff5ed878cc1beb1664abb0

                        SHA256

                        7ceaaa2ae96ba6400a09c96ae63a472a6b54535833a8eb5a9bba1afa7645c571

                        SHA512

                        0dce8b7705707318f8c227e9a9fcf363884b20374c05f233217042f1272ca0921ea637ca435de56f618463cf00cd234cc006de47ac62112047425add28ea1a73

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Microsoft\Wluynlwlgf\exotku.exe
                        MD5

                        c8f1fdd8dd3724f89cef6d9ea9ec85fd

                        SHA1

                        30d5e006337e17b512ff5ed878cc1beb1664abb0

                        SHA256

                        7ceaaa2ae96ba6400a09c96ae63a472a6b54535833a8eb5a9bba1afa7645c571

                        SHA512

                        0dce8b7705707318f8c227e9a9fcf363884b20374c05f233217042f1272ca0921ea637ca435de56f618463cf00cd234cc006de47ac62112047425add28ea1a73

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Microsoft\Wluynlwlgf\exotku.exe
                        MD5

                        c8f1fdd8dd3724f89cef6d9ea9ec85fd

                        SHA1

                        30d5e006337e17b512ff5ed878cc1beb1664abb0

                        SHA256

                        7ceaaa2ae96ba6400a09c96ae63a472a6b54535833a8eb5a9bba1afa7645c571

                        SHA512

                        0dce8b7705707318f8c227e9a9fcf363884b20374c05f233217042f1272ca0921ea637ca435de56f618463cf00cd234cc006de47ac62112047425add28ea1a73

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Microsoft\Wluynlwlgf\exotku.exe
                        MD5

                        c8f1fdd8dd3724f89cef6d9ea9ec85fd

                        SHA1

                        30d5e006337e17b512ff5ed878cc1beb1664abb0

                        SHA256

                        7ceaaa2ae96ba6400a09c96ae63a472a6b54535833a8eb5a9bba1afa7645c571

                        SHA512

                        0dce8b7705707318f8c227e9a9fcf363884b20374c05f233217042f1272ca0921ea637ca435de56f618463cf00cd234cc006de47ac62112047425add28ea1a73

                        Download Submit
                      • memory/520-135-0x0000000000000000-mapping.dmp
                        Download
                      • memory/528-146-0x0000000000000000-mapping.dmp
                        Download
                      • memory/660-136-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1308-151-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1308-154-0x0000000000400000-0x00000000004AB000-memory.dmp
                        Filesize

                        684KB

                        Download
                      • memory/1536-143-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1644-134-0x0000000000400000-0x00000000004AB000-memory.dmp
                        Filesize

                        684KB

                        Download
                      • memory/1660-149-0x00000000004B0000-0x00000000005FA000-memory.dmp
                        Filesize

                        1.3MB

                        Download
                      • memory/1660-150-0x0000000000400000-0x00000000004AB000-memory.dmp
                        Filesize

                        684KB

                        Download
                      • memory/1660-144-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1896-148-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1948-116-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1948-118-0x0000000000400000-0x00000000004AB000-memory.dmp
                        Filesize

                        684KB

                        Download
                      • memory/1948-117-0x00000000020A0000-0x00000000020D7000-memory.dmp
                        Filesize

                        220KB

                        Download
                      • memory/2116-147-0x0000000000000000-mapping.dmp
                        Download
                      • memory/2120-129-0x0000000000000000-mapping.dmp
                        Download
                      • memory/2120-130-0x0000000003270000-0x00000000032AA000-memory.dmp
                        Filesize

                        232KB

                        Download
                      • memory/2120-131-0x0000000004E30000-0x0000000004E62000-memory.dmp
                        Filesize

                        200KB

                        Download
                      • memory/3076-123-0x00000000004B0000-0x000000000055E000-memory.dmp
                        Filesize

                        696KB

                        Download
                      • memory/3076-124-0x0000000000400000-0x00000000004AB000-memory.dmp
                        Filesize

                        684KB

                        Download
                      • memory/3076-119-0x0000000000000000-mapping.dmp
                        Download
                      • memory/3168-128-0x0000000000400000-0x00000000004AB000-memory.dmp
                        Filesize

                        684KB

                        Download
                      • memory/3168-127-0x00000000004B0000-0x00000000005FA000-memory.dmp
                        Filesize

                        1.3MB

                        Download
                      • memory/3168-125-0x0000000000000000-mapping.dmp
                        Download
                      • memory/3232-114-0x00000000004B0000-0x00000000005FA000-memory.dmp
                        Filesize

                        1.3MB

                        Download
                      • memory/3232-115-0x0000000000400000-0x00000000004AB000-memory.dmp
                        Filesize

                        684KB

                        Download
                      • memory/3356-137-0x0000000000000000-mapping.dmp
                        Download
                      • memory/3360-122-0x0000000000000000-mapping.dmp
                        Download
                      • memory/3652-141-0x0000000000000000-mapping.dmp
                        Download
                      • memory/3724-142-0x0000000000000000-mapping.dmp
                        Download
                      • memory/3740-139-0x0000000000000000-mapping.dmp
                        Download
                      • memory/4048-138-0x0000000000000000-mapping.dmp
                        Download
                      • memory/4052-140-0x0000000000000000-mapping.dmp
                        Download