Overview

overview

10

Static

static

9

8888888.png.exe

windows7_x64

10

8888888.png.exe

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    122s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    11-11-2021 06:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8888888.png.exe

  • Size

    1.2MB

  • MD5

    136b9c85525ba66276b8c9f6b7014b0b

  • SHA1

    0cf5ba13d14c28c60586c7f4b9679925fa4d4172

  • SHA256

    a23ef053cccf6a35fda9adc5f1702ba99a7be695107d3ba5d1ea8c9c258299e4

  • SHA512

    0c02b116029a7d4f4c44988dc6220ed4050c94cab6e57f4aeb29d8edd0b8b59e74c89d6bd62e6e828826f44ebfb478280051ca289ea712c52d5fd113541e2590

Score
10/10
qakbotspx1331591267427bankercryptoneevasionpackerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

324.142

Botnet

spx133

Campaign

1591267427

C2

49.144.84.21:443

189.159.133.162:995

173.245.152.231:443

77.237.181.212:995

207.255.161.8:2078

76.187.8.160:443

207.255.161.8:2087

98.219.77.197:443

66.222.88.126:995

207.255.161.8:32102

108.58.9.238:995

47.152.210.233:443

1.40.42.4:443

188.27.71.163:443

82.127.193.151:2222

104.50.141.139:995

67.83.54.76:2222

86.126.97.183:2222

73.94.229.115:443

47.35.182.97:443

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Turns off Windows Defender SpyNet reporting 2 TTPs
    evasion
  • Windows security bypass 2 TTPs
    evasiontrojan
  • CryptOne packer 5 IoCs

    Detects CryptOne packer defined in NCC blogpost.

    cryptonepacker
  • Executes dropped EXE 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 18 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 5 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8888888.png.exe
    "C:\Users\Admin\AppData\Local\Temp\8888888.png.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2452
    • C:\Users\Admin\AppData\Local\Temp\8888888.png.exe
      C:\Users\Admin\AppData\Local\Temp\8888888.png.exe /C
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      PID:3872
    • C:\Users\Admin\AppData\Roaming\Microsoft\Pxhsowskass\ihyoay.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Pxhsowskass\ihyoay.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2820
      • C:\Users\Admin\AppData\Roaming\Microsoft\Pxhsowskass\ihyoay.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Pxhsowskass\ihyoay.exe /C
        3⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        PID:3692
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2232
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn nvdxiomonq /tr "\"C:\Users\Admin\AppData\Local\Temp\8888888.png.exe\" /I nvdxiomonq" /SC ONCE /Z /ST 06:23 /ET 06:35
      2⤵
      • Creates scheduled task(s)
      PID:420
  • C:\Users\Admin\AppData\Local\Temp\8888888.png.exe
    C:\Users\Admin\AppData\Local\Temp\8888888.png.exe /I nvdxiomonq
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3576
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
      2⤵
        PID:3172
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
        2⤵
          PID:404
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
          2⤵
            PID:3588
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
            2⤵
              PID:3144
            • C:\Windows\system32\reg.exe
              C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
              2⤵
                PID:2340
              • C:\Windows\system32\reg.exe
                C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
                2⤵
                  PID:2704
                • C:\Windows\system32\reg.exe
                  C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
                  2⤵
                    PID:2312
                  • C:\Windows\system32\reg.exe
                    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
                    2⤵
                      PID:1712
                    • C:\Windows\system32\reg.exe
                      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Pxhsowskass" /d "0"
                      2⤵
                        PID:3028
                      • C:\Users\Admin\AppData\Roaming\Microsoft\Pxhsowskass\ihyoay.exe
                        C:\Users\Admin\AppData\Roaming\Microsoft\Pxhsowskass\ihyoay.exe
                        2⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of WriteProcessMemory
                        PID:2280
                        • C:\Users\Admin\AppData\Roaming\Microsoft\Pxhsowskass\ihyoay.exe
                          C:\Users\Admin\AppData\Roaming\Microsoft\Pxhsowskass\ihyoay.exe /C
                          3⤵
                          • Executes dropped EXE
                          • Checks SCSI registry key(s)
                          • Suspicious behavior: EnumeratesProcesses
                          PID:944
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\8888888.png.exe"
                        2⤵
                        • Suspicious use of WriteProcessMemory
                        PID:3916
                        • C:\Windows\system32\PING.EXE
                          ping.exe -n 6 127.0.0.1
                          3⤵
                          • Runs ping.exe
                          PID:3712
                      • C:\Windows\system32\schtasks.exe
                        "C:\Windows\system32\schtasks.exe" /DELETE /F /TN nvdxiomonq
                        2⤵
                          PID:3320

                      Network

                      MITRE ATT&CK Matrix ATT&CK v6

                      Initial Access

                      Execution

                      Scheduled Task

                      1
                      T1053

                      Persistence

                      Scheduled Task

                      1
                      T1053

                      Privilege Escalation

                      Scheduled Task

                      1
                      T1053

                      Defense Evasion

                      Disabling Security Tools

                      2
                      T1089

                      Modify Registry

                      2
                      T1112

                      Credential Access

                      Discovery

                      System Information Discovery

                      2
                      T1082

                      Query Registry

                      1
                      T1012

                      Peripheral Device Discovery

                      1
                      T1120

                      Remote System Discovery

                      1
                      T1018

                      Lateral Movement

                      Collection

                      Exfiltration

                      Command and Control

                      Impact

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Roaming\Microsoft\Pxhsowskass\ihyoay.dat
                        MD5

                        1548d165dc76646593a6b969c562ca83

                        SHA1

                        aadb410f4656aee593c3967616f4b6377d77d37c

                        SHA256

                        db5dd73fda762323bda672b2ecc10744cbfb27b95cbd8aa904c2df6c070de0dd

                        SHA512

                        97d6350fb8b77e2d48fe5df6b09767e54cfc67abb3b9e01003d7c090a984e6f4db1b5ebe4f945f60a948f31f861e54637a0a3ae505ad2aaabc992f84e8aba99e

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Microsoft\Pxhsowskass\ihyoay.exe
                        MD5

                        136b9c85525ba66276b8c9f6b7014b0b

                        SHA1

                        0cf5ba13d14c28c60586c7f4b9679925fa4d4172

                        SHA256

                        a23ef053cccf6a35fda9adc5f1702ba99a7be695107d3ba5d1ea8c9c258299e4

                        SHA512

                        0c02b116029a7d4f4c44988dc6220ed4050c94cab6e57f4aeb29d8edd0b8b59e74c89d6bd62e6e828826f44ebfb478280051ca289ea712c52d5fd113541e2590

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Microsoft\Pxhsowskass\ihyoay.exe
                        MD5

                        136b9c85525ba66276b8c9f6b7014b0b

                        SHA1

                        0cf5ba13d14c28c60586c7f4b9679925fa4d4172

                        SHA256

                        a23ef053cccf6a35fda9adc5f1702ba99a7be695107d3ba5d1ea8c9c258299e4

                        SHA512

                        0c02b116029a7d4f4c44988dc6220ed4050c94cab6e57f4aeb29d8edd0b8b59e74c89d6bd62e6e828826f44ebfb478280051ca289ea712c52d5fd113541e2590

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Microsoft\Pxhsowskass\ihyoay.exe
                        MD5

                        136b9c85525ba66276b8c9f6b7014b0b

                        SHA1

                        0cf5ba13d14c28c60586c7f4b9679925fa4d4172

                        SHA256

                        a23ef053cccf6a35fda9adc5f1702ba99a7be695107d3ba5d1ea8c9c258299e4

                        SHA512

                        0c02b116029a7d4f4c44988dc6220ed4050c94cab6e57f4aeb29d8edd0b8b59e74c89d6bd62e6e828826f44ebfb478280051ca289ea712c52d5fd113541e2590

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Microsoft\Pxhsowskass\ihyoay.exe
                        MD5

                        136b9c85525ba66276b8c9f6b7014b0b

                        SHA1

                        0cf5ba13d14c28c60586c7f4b9679925fa4d4172

                        SHA256

                        a23ef053cccf6a35fda9adc5f1702ba99a7be695107d3ba5d1ea8c9c258299e4

                        SHA512

                        0c02b116029a7d4f4c44988dc6220ed4050c94cab6e57f4aeb29d8edd0b8b59e74c89d6bd62e6e828826f44ebfb478280051ca289ea712c52d5fd113541e2590

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Microsoft\Pxhsowskass\ihyoay.exe
                        MD5

                        136b9c85525ba66276b8c9f6b7014b0b

                        SHA1

                        0cf5ba13d14c28c60586c7f4b9679925fa4d4172

                        SHA256

                        a23ef053cccf6a35fda9adc5f1702ba99a7be695107d3ba5d1ea8c9c258299e4

                        SHA512

                        0c02b116029a7d4f4c44988dc6220ed4050c94cab6e57f4aeb29d8edd0b8b59e74c89d6bd62e6e828826f44ebfb478280051ca289ea712c52d5fd113541e2590

                        Download Submit
                      • memory/404-138-0x0000000000000000-mapping.dmp
                        Download
                      • memory/420-124-0x0000000000000000-mapping.dmp
                        Download
                      • memory/944-155-0x0000000000400000-0x000000000052D000-memory.dmp
                        Filesize

                        1.2MB

                        Download
                      • memory/944-153-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1712-144-0x0000000000000000-mapping.dmp
                        Download
                      • memory/2232-131-0x0000000000000000-mapping.dmp
                        Download
                      • memory/2232-132-0x00000000025C0000-0x00000000025FA000-memory.dmp
                        Filesize

                        232KB

                        Download
                      • memory/2232-133-0x0000000002C60000-0x0000000002D31000-memory.dmp
                        Filesize

                        836KB

                        Download
                      • memory/2280-146-0x0000000000000000-mapping.dmp
                        Download
                      • memory/2280-152-0x0000000000400000-0x000000000052D000-memory.dmp
                        Filesize

                        1.2MB

                        Download
                      • memory/2280-151-0x0000000000630000-0x000000000077A000-memory.dmp
                        Filesize

                        1.3MB

                        Download
                      • memory/2312-143-0x0000000000000000-mapping.dmp
                        Download
                      • memory/2340-141-0x0000000000000000-mapping.dmp
                        Download
                      • memory/2452-117-0x0000000000400000-0x000000000052D000-memory.dmp
                        Filesize

                        1.2MB

                        Download
                      • memory/2452-116-0x0000000002280000-0x00000000022B7000-memory.dmp
                        Filesize

                        220KB

                        Download
                      • memory/2704-142-0x0000000000000000-mapping.dmp
                        Download
                      • memory/2820-126-0x0000000000400000-0x000000000052D000-memory.dmp
                        Filesize

                        1.2MB

                        Download
                      • memory/2820-121-0x0000000000000000-mapping.dmp
                        Download
                      • memory/2820-125-0x0000000000580000-0x000000000062E000-memory.dmp
                        Filesize

                        696KB

                        Download
                      • memory/3028-145-0x0000000000000000-mapping.dmp
                        Download
                      • memory/3144-140-0x0000000000000000-mapping.dmp
                        Download
                      • memory/3172-137-0x0000000000000000-mapping.dmp
                        Download
                      • memory/3320-149-0x0000000000000000-mapping.dmp
                        Download
                      • memory/3576-136-0x0000000000400000-0x000000000052D000-memory.dmp
                        Filesize

                        1.2MB

                        Download
                      • memory/3576-135-0x0000000000530000-0x00000000005DE000-memory.dmp
                        Filesize

                        696KB

                        Download
                      • memory/3588-139-0x0000000000000000-mapping.dmp
                        Download
                      • memory/3692-130-0x0000000000400000-0x000000000052D000-memory.dmp
                        Filesize

                        1.2MB

                        Download
                      • memory/3692-127-0x0000000000000000-mapping.dmp
                        Download
                      • memory/3692-129-0x0000000000630000-0x000000000077A000-memory.dmp
                        Filesize

                        1.3MB

                        Download
                      • memory/3712-150-0x0000000000000000-mapping.dmp
                        Download
                      • memory/3872-120-0x0000000000400000-0x000000000052D000-memory.dmp
                        Filesize

                        1.2MB

                        Download
                      • memory/3872-119-0x0000000000660000-0x00000000007AA000-memory.dmp
                        Filesize

                        1.3MB

                        Download
                      • memory/3872-118-0x0000000000000000-mapping.dmp
                        Download
                      • memory/3916-148-0x0000000000000000-mapping.dmp
                        Download