Resubmissions

19-05-2020 13:04

200519-7d9ja2krwe 10

19-05-2020 12:28

200519-4h8rvftfme 8

Analysis

  • max time kernel
    255s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    19-05-2020 13:04

General

  • Target

    Darlehensvertrag_42816504192_15052020.vbs

  • Size

    36.2MB

  • MD5

    e44fb6c9a050ae7ef4b55cce6a71cdcd

  • SHA1

    dd77b217e503fddaf28bb60b6e3280a692807976

  • SHA256

    c888b058cd85352ec803eb2a6e78bef567b844e9982176efbcd7074982a760de

  • SHA512

    9524cdd296cb89eb1cc8a160a62337a908990aa1e6d84b0e51c1827bec705331f458c0713d64cfe221a55ad32331db74a8e9ff4a356d6b2fb515b464e3804ab5

Malware Config

Extracted

Family

qakbot

Botnet

spx121

Campaign

1589802571

C2

72.209.191.27:443

72.204.242.138:443

47.202.98.230:443

72.204.242.138:465

96.35.170.82:2222

96.56.237.174:465

65.60.228.130:443

76.187.8.160:443

79.101.206.85:995

64.19.74.29:995

84.117.60.157:443

94.176.128.176:443

72.204.242.138:32102

187.155.61.44:443

72.204.242.138:443

73.163.242.114:443

86.127.7.148:21

76.187.97.98:2222

82.178.63.31:443

174.52.64.212:443

Signatures

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Windows security modification 2 TTPs 6 IoCs
  • Windows security bypass 2 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Executes dropped EXE 7 IoCs
  • Suspicious use of WriteProcessMemory 81 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Loads dropped DLL 4 IoCs
  • Turns off Windows Defender SpyNet reporting 6 IoCs
  • Modifies data under HKEY_USERS 3 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Blacklisted process makes network request 4 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Darlehensvertrag_42816504192_15052020.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Blacklisted process makes network request
    PID:1068
    • C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
      C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      • Suspicious behavior: EnumeratesProcesses
      • Loads dropped DLL
      PID:1884
      • C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
        C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe /C
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1608
      • C:\Users\Admin\AppData\Roaming\Microsoft\Acsubziue\wnieyjug.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Acsubziue\wnieyjug.exe
        3⤵
        • Suspicious behavior: MapViewOfSection
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        • Suspicious behavior: EnumeratesProcesses
        PID:1572
        • C:\Users\Admin\AppData\Roaming\Microsoft\Acsubziue\wnieyjug.exe
          C:\Users\Admin\AppData\Roaming\Microsoft\Acsubziue\wnieyjug.exe /C
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:1964
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1956
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn vibhuwyoc /tr "\"C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe\" /I vibhuwyoc" /SC ONCE /Z /ST 15:09 /ET 15:21
        3⤵
        • Creates scheduled task(s)
        PID:1936
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {993A98C4-DF39-4597-990B-D65ECEADDFDC} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
      C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe /I vibhuwyoc
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      • Suspicious behavior: EnumeratesProcesses
      • Loads dropped DLL
      • Modifies data under HKEY_USERS
      PID:1028
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        3⤵
        • Windows security modification
        • Turns off Windows Defender SpyNet reporting
        PID:1692
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
        3⤵
        • Windows security modification
        • Turns off Windows Defender SpyNet reporting
        PID:516
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        3⤵
          PID:1448
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
          3⤵
            PID:1512
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
            3⤵
            • Windows security modification
            • Turns off Windows Defender SpyNet reporting
            PID:1020
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
            3⤵
            • Windows security modification
            • Turns off Windows Defender SpyNet reporting
            PID:2008
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
            3⤵
            • Windows security modification
            • Turns off Windows Defender SpyNet reporting
            PID:1764
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
            3⤵
            • Windows security modification
            • Turns off Windows Defender SpyNet reporting
            PID:1180
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Acsubziue" /d "0"
            3⤵
            • Windows security bypass
            PID:1456
          • C:\Users\Admin\AppData\Roaming\Microsoft\Acsubziue\wnieyjug.exe
            C:\Users\Admin\AppData\Roaming\Microsoft\Acsubziue\wnieyjug.exe
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:484
            • C:\Users\Admin\AppData\Roaming\Microsoft\Acsubziue\wnieyjug.exe
              C:\Users\Admin\AppData\Roaming\Microsoft\Acsubziue\wnieyjug.exe /C
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:952
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe"
            3⤵
              PID:1824
              • C:\Windows\system32\PING.EXE
                ping.exe -n 6 127.0.0.1
                4⤵
                • Runs ping.exe
                PID:864
            • C:\Windows\system32\schtasks.exe
              "C:\Windows\system32\schtasks.exe" /DELETE /F /TN vibhuwyoc
              3⤵
                PID:1760

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe

          • C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe

          • C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe

          • C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe

          • C:\Users\Admin\AppData\Roaming\Microsoft\Acsubziue\wnieyjug.dat

          • C:\Users\Admin\AppData\Roaming\Microsoft\Acsubziue\wnieyjug.exe

          • C:\Users\Admin\AppData\Roaming\Microsoft\Acsubziue\wnieyjug.exe

          • C:\Users\Admin\AppData\Roaming\Microsoft\Acsubziue\wnieyjug.exe

          • C:\Users\Admin\AppData\Roaming\Microsoft\Acsubziue\wnieyjug.exe

          • C:\Users\Admin\AppData\Roaming\Microsoft\Acsubziue\wnieyjug.exe

          • \Users\Admin\AppData\Local\Temp\PicturesViewer.exe

          • \Users\Admin\AppData\Roaming\Microsoft\Acsubziue\wnieyjug.exe

          • \Users\Admin\AppData\Roaming\Microsoft\Acsubziue\wnieyjug.exe

          • \Users\Admin\AppData\Roaming\Microsoft\Acsubziue\wnieyjug.exe

          • memory/952-18-0x00000000022E0000-0x00000000022F1000-memory.dmp

            Filesize

            68KB

          • memory/1068-1-0x0000000002FB0000-0x0000000002FB4000-memory.dmp

            Filesize

            16KB

          • memory/1572-12-0x00000000002F0000-0x000000000032A000-memory.dmp

            Filesize

            232KB

          • memory/1608-5-0x0000000002350000-0x0000000002361000-memory.dmp

            Filesize

            68KB

          • memory/1964-11-0x0000000002320000-0x0000000002331000-memory.dmp

            Filesize

            68KB