Overview

overview

10

Static

static

10

quak.exe

windows7-x64

10

quak.exe

windows10-2004-x64

10

Resubmissions

20-03-2023 20:10

230320-yx3gcafc24 10

20-03-2023 10:43

230320-msm1bafa5t 10

20-03-2023 10:23

230320-me3hvach68 10

18-03-2023 10:19

230318-mcwyaaea3z 10

Analysis

  • max time kernel
    144s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    18-03-2023 10:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    quak.exe

  • Size

    216KB

  • MD5

    58e1c32eeb0130da19625e55ee48cf1e

  • SHA1

    00ae1c5066f67e5e71285de99bea8d8b67085743

  • SHA256

    f5ff6dbf5206cc2db098b41f5af14303f6dc43e36c5ec02604a50d5cfecf4790

  • SHA512

    31ea3186c3c7b77f815e1bc060add4a6c7b3abddf98c5a615a5779472ea46eeacfe256286f8dd741deb29d1d43889f05854462ba621f0f5065cd1e36b61478f2

  • SSDEEP

    3072:4FCXMfyhFPZ8H7kJiIceKozOMeNJwOUJCfUfWcxQvAKChQztvWZZOtyFb8e:lXPFP6HWriMeN2rJCyWVDhM55

Score
10/10
qakbotspx1431592482956bankerevasionstealertrojan

Malware Config

Extracted

Family

qakbot

Version

324.142

Botnet

spx143

Campaign

1592482956

C2

39.36.254.179:995

24.139.132.70:443

24.202.42.48:2222

72.204.242.138:443

172.242.156.50:995

72.204.242.138:20

68.174.15.223:443

74.193.197.246:443

96.56.237.174:990

64.19.74.29:995

70.168.130.172:443

189.236.166.167:443

68.4.137.211:443

76.187.8.160:443

76.86.57.179:2222

73.226.220.56:443

67.250.184.157:443

75.183.171.155:3389

173.172.205.216:443

173.3.132.17:995

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Turns off Windows Defender SpyNet reporting 2 TTPs
    evasion
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 3 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\quak.exe
    "C:\Users\Admin\AppData\Local\Temp\quak.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1764
    • C:\Users\Admin\AppData\Local\Temp\quak.exe
      C:\Users\Admin\AppData\Local\Temp\quak.exe /C
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1760
    • C:\Users\Admin\AppData\Roaming\Microsoft\Tesegqxhnyl\gdtneusw.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Tesegqxhnyl\gdtneusw.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1244
      • C:\Users\Admin\AppData\Roaming\Microsoft\Tesegqxhnyl\gdtneusw.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Tesegqxhnyl\gdtneusw.exe /C
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:516
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1812
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:996
      • C:\Windows\SysWOW64\mobsync.exe
        C:\Windows\SysWOW64\mobsync.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1620
      • C:\Windows\SysWOW64\mobsync.exe
        C:\Windows\SysWOW64\mobsync.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:788
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1932
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1956
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn kcphrjzvc /tr "\"C:\Users\Admin\AppData\Local\Temp\quak.exe\" /I kcphrjzvc" /SC ONCE /Z /ST 11:22 /ET 11:34
      2⤵
      • Creates scheduled task(s)
      PID:1628
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {9E60D40D-3C41-4C4D-9723-DCF9CE88560A} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:304
    • C:\Users\Admin\AppData\Local\Temp\quak.exe
      C:\Users\Admin\AppData\Local\Temp\quak.exe /I kcphrjzvc
      2⤵
      • Loads dropped DLL
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:392
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        3⤵
          PID:2040
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
          3⤵
            PID:1732
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
            3⤵
              PID:540
            • C:\Windows\system32\reg.exe
              C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
              3⤵
                PID:1688
              • C:\Windows\system32\reg.exe
                C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
                3⤵
                  PID:1500
                • C:\Windows\system32\reg.exe
                  C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
                  3⤵
                    PID:672
                  • C:\Windows\system32\reg.exe
                    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
                    3⤵
                      PID:2044
                    • C:\Windows\system32\reg.exe
                      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
                      3⤵
                        PID:640
                      • C:\Windows\system32\reg.exe
                        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Tesegqxhnyl" /d "0"
                        3⤵
                        • Windows security bypass
                        PID:1896
                      • C:\Users\Admin\AppData\Roaming\Microsoft\Tesegqxhnyl\gdtneusw.exe
                        C:\Users\Admin\AppData\Roaming\Microsoft\Tesegqxhnyl\gdtneusw.exe
                        3⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        PID:1964
                        • C:\Users\Admin\AppData\Roaming\Microsoft\Tesegqxhnyl\gdtneusw.exe
                          C:\Users\Admin\AppData\Roaming\Microsoft\Tesegqxhnyl\gdtneusw.exe /C
                          4⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          PID:656
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\quak.exe"
                        3⤵
                          PID:1604
                          • C:\Windows\system32\PING.EXE
                            ping.exe -n 6 127.0.0.1
                            4⤵
                            • Runs ping.exe
                            PID:1468
                        • C:\Windows\system32\schtasks.exe
                          "C:\Windows\system32\schtasks.exe" /DELETE /F /TN kcphrjzvc
                          3⤵
                            PID:1612

                      Network

                      MITRE ATT&CK Matrix ATT&CK v6

                      Initial Access

                      Execution

                      Scheduled Task

                      1
                      T1053

                      Persistence

                      Scheduled Task

                      1
                      T1053

                      Privilege Escalation

                      Scheduled Task

                      1
                      T1053

                      Defense Evasion

                      Disabling Security Tools

                      2
                      T1089

                      Modify Registry

                      2
                      T1112

                      Credential Access

                      Discovery

                      System Information Discovery

                      1
                      T1082

                      Remote System Discovery

                      1
                      T1018

                      Query Registry

                      1
                      T1012

                      Lateral Movement

                      Collection

                      Exfiltration

                      Command and Control

                      Impact

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Roaming\Microsoft\Tesegqxhnyl\gdtneusw.exe
                        Filesize

                        216KB

                        MD5

                        58e1c32eeb0130da19625e55ee48cf1e

                        SHA1

                        00ae1c5066f67e5e71285de99bea8d8b67085743

                        SHA256

                        f5ff6dbf5206cc2db098b41f5af14303f6dc43e36c5ec02604a50d5cfecf4790

                        SHA512

                        31ea3186c3c7b77f815e1bc060add4a6c7b3abddf98c5a615a5779472ea46eeacfe256286f8dd741deb29d1d43889f05854462ba621f0f5065cd1e36b61478f2

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Microsoft\Tesegqxhnyl\gdtneusw.exe
                        Filesize

                        216KB

                        MD5

                        58e1c32eeb0130da19625e55ee48cf1e

                        SHA1

                        00ae1c5066f67e5e71285de99bea8d8b67085743

                        SHA256

                        f5ff6dbf5206cc2db098b41f5af14303f6dc43e36c5ec02604a50d5cfecf4790

                        SHA512

                        31ea3186c3c7b77f815e1bc060add4a6c7b3abddf98c5a615a5779472ea46eeacfe256286f8dd741deb29d1d43889f05854462ba621f0f5065cd1e36b61478f2

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Microsoft\Tesegqxhnyl\gdtneusw.exe
                        Filesize

                        216KB

                        MD5

                        58e1c32eeb0130da19625e55ee48cf1e

                        SHA1

                        00ae1c5066f67e5e71285de99bea8d8b67085743

                        SHA256

                        f5ff6dbf5206cc2db098b41f5af14303f6dc43e36c5ec02604a50d5cfecf4790

                        SHA512

                        31ea3186c3c7b77f815e1bc060add4a6c7b3abddf98c5a615a5779472ea46eeacfe256286f8dd741deb29d1d43889f05854462ba621f0f5065cd1e36b61478f2

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Microsoft\Tesegqxhnyl\gdtneusw.exe
                        Filesize

                        216KB

                        MD5

                        58e1c32eeb0130da19625e55ee48cf1e

                        SHA1

                        00ae1c5066f67e5e71285de99bea8d8b67085743

                        SHA256

                        f5ff6dbf5206cc2db098b41f5af14303f6dc43e36c5ec02604a50d5cfecf4790

                        SHA512

                        31ea3186c3c7b77f815e1bc060add4a6c7b3abddf98c5a615a5779472ea46eeacfe256286f8dd741deb29d1d43889f05854462ba621f0f5065cd1e36b61478f2

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Microsoft\Tesegqxhnyl\gdtneusw.exe
                        Filesize

                        216KB

                        MD5

                        58e1c32eeb0130da19625e55ee48cf1e

                        SHA1

                        00ae1c5066f67e5e71285de99bea8d8b67085743

                        SHA256

                        f5ff6dbf5206cc2db098b41f5af14303f6dc43e36c5ec02604a50d5cfecf4790

                        SHA512

                        31ea3186c3c7b77f815e1bc060add4a6c7b3abddf98c5a615a5779472ea46eeacfe256286f8dd741deb29d1d43889f05854462ba621f0f5065cd1e36b61478f2

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Microsoft\Tesegqxhnyl\gdtneusw.exe
                        Filesize

                        216KB

                        MD5

                        58e1c32eeb0130da19625e55ee48cf1e

                        SHA1

                        00ae1c5066f67e5e71285de99bea8d8b67085743

                        SHA256

                        f5ff6dbf5206cc2db098b41f5af14303f6dc43e36c5ec02604a50d5cfecf4790

                        SHA512

                        31ea3186c3c7b77f815e1bc060add4a6c7b3abddf98c5a615a5779472ea46eeacfe256286f8dd741deb29d1d43889f05854462ba621f0f5065cd1e36b61478f2

                        Download Submit
                      • \Users\Admin\AppData\Roaming\Microsoft\Tesegqxhnyl\gdtneusw.exe
                        Filesize

                        216KB

                        MD5

                        58e1c32eeb0130da19625e55ee48cf1e

                        SHA1

                        00ae1c5066f67e5e71285de99bea8d8b67085743

                        SHA256

                        f5ff6dbf5206cc2db098b41f5af14303f6dc43e36c5ec02604a50d5cfecf4790

                        SHA512

                        31ea3186c3c7b77f815e1bc060add4a6c7b3abddf98c5a615a5779472ea46eeacfe256286f8dd741deb29d1d43889f05854462ba621f0f5065cd1e36b61478f2

                        Download Submit
                      • \Users\Admin\AppData\Roaming\Microsoft\Tesegqxhnyl\gdtneusw.exe
                        Filesize

                        216KB

                        MD5

                        58e1c32eeb0130da19625e55ee48cf1e

                        SHA1

                        00ae1c5066f67e5e71285de99bea8d8b67085743

                        SHA256

                        f5ff6dbf5206cc2db098b41f5af14303f6dc43e36c5ec02604a50d5cfecf4790

                        SHA512

                        31ea3186c3c7b77f815e1bc060add4a6c7b3abddf98c5a615a5779472ea46eeacfe256286f8dd741deb29d1d43889f05854462ba621f0f5065cd1e36b61478f2

                        Download Submit
                      • \Users\Admin\AppData\Roaming\Microsoft\Tesegqxhnyl\gdtneusw.exe
                        Filesize

                        216KB

                        MD5

                        58e1c32eeb0130da19625e55ee48cf1e

                        SHA1

                        00ae1c5066f67e5e71285de99bea8d8b67085743

                        SHA256

                        f5ff6dbf5206cc2db098b41f5af14303f6dc43e36c5ec02604a50d5cfecf4790

                        SHA512

                        31ea3186c3c7b77f815e1bc060add4a6c7b3abddf98c5a615a5779472ea46eeacfe256286f8dd741deb29d1d43889f05854462ba621f0f5065cd1e36b61478f2

                        Download Submit
                      • memory/788-72-0x0000000000080000-0x00000000000BA000-memory.dmp
                        Filesize

                        232KB

                        Download
                      • memory/788-73-0x0000000000120000-0x0000000000153000-memory.dmp
                        Filesize

                        204KB

                        Download
                      • memory/996-69-0x00000000001C0000-0x00000000001F3000-memory.dmp
                        Filesize

                        204KB

                        Download
                      • memory/996-68-0x00000000000F0000-0x000000000012A000-memory.dmp
                        Filesize

                        232KB

                        Download
                      • memory/1244-77-0x00000000025D0000-0x0000000002603000-memory.dmp
                        Filesize

                        204KB

                        Download
                      • memory/1620-70-0x0000000000100000-0x000000000013A000-memory.dmp
                        Filesize

                        232KB

                        Download
                      • memory/1620-71-0x0000000000440000-0x0000000000473000-memory.dmp
                        Filesize

                        204KB

                        Download
                      • memory/1812-67-0x0000000000190000-0x00000000001C3000-memory.dmp
                        Filesize

                        204KB

                        Download
                      • memory/1812-66-0x0000000000080000-0x00000000000BA000-memory.dmp
                        Filesize

                        232KB

                        Download