Resubmissions

19-05-2020 20:18

200519-j522lppzqx 10

19-05-2020 20:14

200519-ahdbsfbx26 1

Analysis

  • max time kernel
    133s
  • max time network
    142s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    19-05-2020 20:18

General

  • Target

    http://lindentowncenter.com/xnvejyacq/2767/Darlehensvertrag_2767_18052020.zip

Malware Config

Extracted

Family

qakbot

Botnet

spx122

Campaign

1589882380

C2

72.183.129.56:443

72.190.101.70:443

74.75.216.202:443

47.40.244.237:443

209.182.121.133:2222

85.121.42.12:995

203.213.104.25:995

98.118.156.172:443

74.215.201.122:443

67.250.184.157:443

79.78.131.124:443

108.54.205.207:443

72.224.213.98:2222

24.27.82.216:2222

188.26.156.131:443

41.228.239.54:443

5.36.67.194:443

101.108.119.168:443

5.13.141.223:443

105.101.126.6:443

Signatures

  • Suspicious use of WriteProcessMemory 52 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Blacklisted process makes network request 3 IoCs
  • Executes dropped EXE 12 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Checks whether UAC is enabled 2 IoCs
  • Modifies system certificate store 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Modifies Internet Explorer settings 1 TTPs 53 IoCs
  • Modifies registry class 1 IoCs
  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Checks SCSI registry key(s) 3 TTPs 36 IoCs

    SCSI information is often read in order to detect sandboxing environments.

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://lindentowncenter.com/xnvejyacq/2767/Darlehensvertrag_2767_18052020.zip
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious use of SetWindowsHookEx
    • Checks whether UAC is enabled
    • Modifies system certificate store
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    PID:1312
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1312 CREDAT:82945 /prefetch:2
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Checks whether UAC is enabled
      • Modifies Internet Explorer settings
      PID:1588
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2816
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Darlehensvertrag_2767_18052020.zip\Darlehensvertrag_243181159708_18052020.vbs"
      1⤵
      • Suspicious use of WriteProcessMemory
      • Blacklisted process makes network request
      PID:976
      • C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
        C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:500
        • C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
          C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe /C
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Checks SCSI registry key(s)
          PID:3068
        • C:\Users\Admin\AppData\Roaming\Microsoft\Woyyenob\deveaoo.exe
          C:\Users\Admin\AppData\Roaming\Microsoft\Woyyenob\deveaoo.exe
          3⤵
          • Suspicious use of WriteProcessMemory
          • Executes dropped EXE
          • Suspicious behavior: MapViewOfSection
          • Suspicious behavior: EnumeratesProcesses
          PID:3508
          • C:\Users\Admin\AppData\Roaming\Microsoft\Woyyenob\deveaoo.exe
            C:\Users\Admin\AppData\Roaming\Microsoft\Woyyenob\deveaoo.exe /C
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Checks SCSI registry key(s)
            PID:1268
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:2236
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn nrwjuqhdz /tr "\"C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe\" /I nrwjuqhdz" /SC ONCE /Z /ST 22:22 /ET 22:34
          3⤵
          • Creates scheduled task(s)
          PID:952
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Darlehensvertrag_243181159708_18052020.vbs"
      1⤵
      • Suspicious use of WriteProcessMemory
      • Blacklisted process makes network request
      PID:3076
      • C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
        C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:3196
        • C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
          C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe /C
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Checks SCSI registry key(s)
          PID:3760
        • C:\Users\Admin\AppData\Roaming\Microsoft\Woyyenob\deveaoo.exe
          C:\Users\Admin\AppData\Roaming\Microsoft\Woyyenob\deveaoo.exe
          3⤵
          • Suspicious use of WriteProcessMemory
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:1840
          • C:\Users\Admin\AppData\Roaming\Microsoft\Woyyenob\deveaoo.exe
            C:\Users\Admin\AppData\Roaming\Microsoft\Woyyenob\deveaoo.exe /C
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Checks SCSI registry key(s)
            PID:2052
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn bffgutc /tr "\"C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe\" /I bffgutc" /SC ONCE /Z /ST 22:22 /ET 22:34
          3⤵
          • Creates scheduled task(s)
          PID:2820
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Darlehensvertrag_243181159708_18052020.vbs"
      1⤵
      • Suspicious use of WriteProcessMemory
      • Blacklisted process makes network request
      PID:3996
      • C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
        C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:4036
        • C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
          C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe /C
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Checks SCSI registry key(s)
          PID:1348
        • C:\Users\Admin\AppData\Roaming\Microsoft\Woyyenob\deveaoo.exe
          C:\Users\Admin\AppData\Roaming\Microsoft\Woyyenob\deveaoo.exe
          3⤵
          • Suspicious use of WriteProcessMemory
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:2108
          • C:\Users\Admin\AppData\Roaming\Microsoft\Woyyenob\deveaoo.exe
            C:\Users\Admin\AppData\Roaming\Microsoft\Woyyenob\deveaoo.exe /C
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Checks SCSI registry key(s)
            PID:2636
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn fymqwgu /tr "\"C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe\" /I fymqwgu" /SC ONCE /Z /ST 22:22 /ET 22:34
          3⤵
          • Creates scheduled task(s)
          PID:2080

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1268-30-0x0000000002830000-0x0000000002831000-memory.dmp

      Filesize

      4KB

    • memory/1348-38-0x00000000028A0000-0x00000000028A1000-memory.dmp

      Filesize

      4KB

    • memory/2052-41-0x0000000002780000-0x0000000002781000-memory.dmp

      Filesize

      4KB

    • memory/2636-43-0x0000000002860000-0x0000000002861000-memory.dmp

      Filesize

      4KB

    • memory/3068-20-0x00000000026D0000-0x00000000026D1000-memory.dmp

      Filesize

      4KB

    • memory/3076-3-0x00000216ED0E0000-0x00000216ED0E4000-memory.dmp

      Filesize

      16KB

    • memory/3508-31-0x0000000002170000-0x00000000021AA000-memory.dmp

      Filesize

      232KB

    • memory/3760-33-0x0000000002730000-0x0000000002731000-memory.dmp

      Filesize

      4KB