Qakbot evolves to OneNote Malware Distribution
Tags
cmtmf-attack-pattern: Application Layer Protocol Boot Or Logon Autostart Execution Process Injection System Network Connections Discovery
country: Germany India South Korea Thailand United States Of America
maec-delivery-vectors: Watering Hole
attack-pattern: Data Direct Application Layer Protocol - T1437 Boot Or Logon Autostart Execution - T1547 Credentials - T1589.001 Domain Trust Discovery - T1482 Domains - T1583.001 Domains - T1584.001 Hooking - T1617 Ingress Tool Transfer - T1544 System Network Connections Discovery - T1421 Malicious File - T1204.002 Malicious Link - T1204.001 Malware - T1587.001 Malware - T1588.001 System Information Discovery - T1426 Mshta - T1218.005 Phishing - T1660 Phishing - T1566 Powershell - T1059.001 Process Hollowing - T1055.012 Process Injection - T1631 Python - T1059.006 Registry Run Keys / Startup Folder - T1547.001 Right-To-Left Override - T1036.002 Rundll32 - T1218.011 Scheduled Task - T1053.005 Security Software Discovery - T1418.001 Security Software Discovery - T1518.001 Software - T1592.002 Spearphishing Attachment - T1566.001 Spearphishing Attachment - T1598.002 Vnc - T1021.005 Windows Command Shell - T1059.003 Web Protocols - T1071.001 Web Protocols - T1437.001 Tool - T1588.002 Vulnerabilities - T1588.006 Standard Application Layer Protocol - T1071 Connection Proxy - T1090 Hooking - T1179 Remote File Copy - T1105 Mshta - T1170 Powershell - T1086 Process Hollowing - T1093 Process Injection - T1055 Registry Run Keys / Start Folder - T1060 Rundll32 - T1085 Scheduled Task - T1053 Security Software Discovery - T1063 Signed Binary Proxy Execution - T1218 Spearphishing Attachment - T1193 System Information Discovery - T1082 System Network Connections Discovery - T1049 System Owner/User Discovery - T1033 Windows Management Instrumentation - T1047 User Execution - T1204 Hooking Spearphishing Attachment User Execution
Common Information
Type Value
UUID f93cc688-964a-47ad-863a-8425005df277
Fingerprint ac940d5dadb68fc8
Analysis status DONE
Considered CTI value 2
Text language
Published Oct. 11, 2023, midnight
Added to db Oct. 24, 2023, 1:27 p.m.
Last updated Nov. 17, 2024, 10:40 p.m.
Headline Blogs
Title Qakbot evolves to OneNote Malware Distribution
Detected Hints/Tags/Attributes 186/4/99
Attributes
Type | #Events | CTI Value | Value
Domain | 9 | | onedump.py
Domain | 339 | | system.net
Domain | 2 | | tempath.one
Domain | 1 | | xxxsthebagsxxx.mywire.org
File | 9 | | onedump.py
File | 1208 | | powershell.exe
File | 1 | | 60852.dat
File | 1 | | c:\programdata\gb.jpg
File | 1 | | gb.jpg
File | 249 | | schtasks.exe
File | 51 | | wermgr.exe
File | 5 | | %systemroot%\syswow64\onedrivesetup.exe
File | 4 | | %systemroot%\system32\xwizard.exe
File | 6 | | %systemroot%\system32\msra.exe
File | 3 | | %systemroot%\system32\dxdiag.exe
File | 4 | | %systemroot%\syswow64\xwizard.exe
File | 2 | | %systemroot%\system32\atbroker.exe
File | 8 | | %systemroot%\syswow64\mobsync.exe
File | 4 | | %systemroot%\syswow64\wermgr.exe
File | 2 | | %systemroot%\syswow64\atbroker.exe
File | 11 | | %systemroot%\explorer.exe
File | 5 | | %systemroot%\system32\onedrivesetup.exe
File | 2 | | %systemroot%\syswow64\certenrollctrl.exe
File | 5 | | %systemroot%\syswow64\msra.exe
File | 3 | | %systemroot%\syswow64\dxdiag.exe
File | 2 | | %systemroot%\system32\certenrollctrl.exe
File | 9 | | %systemroot%\system32\mobsync.exe
File | 8 | | %systemroot%\syswow64\explorer.exe
File | 2 | | cyneteps.exe
File | 2 | | cynetms.exe
File | 2 | | cynetconsole.exe
File | 119 | | avp.exe
File | 8 | | kavtray.exe
File | 6 | | sentinelservicehost.exe
File | 5 | | sentinelstaticengine.exe
File | 7 | | sentinelagent.exe
File | 6 | | sentinelstaticenginescanner.exe
File | 4 | | sentinelui.exe
File | 35 | | ccsvchst.exe
File | 15 | | nortonsecurity.exe
File | 7 | | nswscsvc.exe
File | 16 | | coreserviceshell.exe
File | 29 | | pccntmon.exe
File | 29 | | ntrtscan.exe
File | 12 | | vkise.exe
File | 8 | | isesrv.exe
File | 23 | | cmdagent.exe
File | 28 | | mbamservice.exe
File | 11 | | mbamgui.exe
File | 13 | | avgcsrvx.exe
File | 9 | | avgsvcx.exe
File | 10 | | avgcsrva.exe
File | 5 | | csfalconservice.exe
File | 3 | | csfalconcontainer.exe
File | 42 | | bdagent.exe
File | 22 | | vsserv.exe
File | 9 | | vsservppl.exe
File | 3 | | xagtnotif.exe
File | 2 | | appuimonitor.exe
File | 36 | | egui.exe
File | 53 | | ekrn.exe
File | 5 | | sophosui.exe
File | 19 | | savadminservice.exe
File | 25 | | savservice.exe
File | 23 | | dwengine.exe
File | 11 | | dwarkdaemon.exe
File | 7 | | dwwatcher.exe
File | 2126 | | cmd.exe
File | 456 | | mshta.exe
File | 1018 | | rundll32.exe
File | 1 | | 87084.dat
md5 | 1 | | 83feba178d0097929e6efeb27719d5db
md5 | 1 | | 5d44a2b0d85aa1a4dd3f218be6422c66
sha256 | 1 | | 1dc133f24649611277716350f9d63ccd7c30cec27b9b4b7c62f6bbfe395acfac
sha256 | 1 | | 1ff8e47def1e557b14470f95215d8763876f28411d4cf4fc7319c077733acd63
IPv4 | 1 | | 216.120.201.100
IPv4 | 3 | | 207.244.236.205
IPv4 | 3 | | 209.126.83.213
IPv4 | 1 | | 185.104.195.9
MITRE ATT&CK Techniques | 310 | | T1566.001
MITRE ATT&CK Techniques | 365 | | T1204.002
MITRE ATT&CK Techniques | 106 | | T1204.001
MITRE ATT&CK Techniques | 59 | | T1218.005
MITRE ATT&CK Techniques | 492 | | T1105
MITRE ATT&CK Techniques | 119 | | T1218.011
MITRE ATT&CK Techniques | 86 | | T1055.012
MITRE ATT&CK Techniques | 1006 | | T1082
MITRE ATT&CK Techniques | 141 | | T1518.001
MITRE ATT&CK Techniques | 310 | | T1047
MITRE ATT&CK Techniques | 230 | | T1033
MITRE ATT&CK Techniques | 124 | | T1482
MITRE ATT&CK Techniques | 119 | | T1049
MITRE ATT&CK Techniques | 333 | | T1059.003
MITRE ATT&CK Techniques | 480 | | T1053
MITRE ATT&CK Techniques | 380 | | T1547.001
MITRE ATT&CK Techniques | 442 | | T1071.001
Url | 1 | | http://216.120.201.100/60852.dat
Url | 1 | | http://185.104.195.9/87084.dat
Windows Registry Key | 22 | | HKEY_CURRENT_USER\Software\Microsoft