qakbot | 29754f0caa9576eba6b9c351d20549e7e19216c6e72c2963da33450719a51277

General

Target

4.bin
Sample

191111-57yf3bdh4j
SHA256

29754f0caa9576eba6b9c351d20549e7e19216c6e72c2963da33450719a51277

Score

N/A

Malware Config

Extracted

Family

qakbot

Campaign

1573123220

C2

206.51.202.106:50003

173.3.132.17:995

75.131.72.82:443

68.238.144.55:443

100.4.185.8:443

5.182.39.156:443

24.201.68.105:2078

23.240.185.215:443

69.92.54.95:995

68.131.9.203:443

187.163.139.200:993

75.81.25.223:995

32.208.1.239:443

170.10.78.48:443

74.194.4.181:443

81.147.42.195:2222

71.30.56.170:443

174.16.234.171:993

66.214.75.176:443

47.153.115.154:443

Signatures

Uses Task Scheduler COM API 1 TTPs 12 IoCs

persistence

Query Registry

T1012

Processes:

schtasks.exe

description	ioc	pid	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	1912	schtasks.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	1912	schtasks.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs	1912	schtasks.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid	1912	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID\	1912	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\	1912	schtasks.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	1912	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\InprocServer32	1912	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\	1912	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ThreadingModel	1912	schtasks.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32	1912	schtasks.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler	1912	schtasks.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

conhost.exe

pid	Process
1540	conhost.exe

Executes dropped EXE 4 IoCs

Processes:

vanqawu.exevanqawu.exevanqawu.exevanqawu.exe

pid	Process
1744	vanqawu.exe
2036	vanqawu.exe
1664	vanqawu.exe
1076	vanqawu.exe

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	pid	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting = "0"	1884	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent = "2"	1808	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SpyNetReporting = "0"	1960	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent = "2"	1880	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	1028	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2"	520	reg.exe

Loads dropped DLL 2 IoCs

Processes:

4.bin.exe4.bin.exe

pid	Process
1272	4.bin.exe
1116	4.bin.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

vanqawu.exe

pid	Process
1744	vanqawu.exe

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Modify Registry

T1112

Processes:

reg.exe

description	ioc	pid	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg = "0"	1000	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

evasion spreading

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
1644	PING.EXE

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	pid	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Windows\CurrentVersion\Run\anobxhk = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Igniwjmeevrg\\vanqawu.exe\""	1932	explorer.exe

qakbot family
family qakbot

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

4.bin.exe4.bin.exevanqawu.exevanqawu.exeexplorer.exe4.bin.exevanqawu.exevanqawu.exe

pid	Process
1272	4.bin.exe
1292	4.bin.exe
1744	vanqawu.exe
2036	vanqawu.exe
1932	explorer.exe
1116	4.bin.exe
1664	vanqawu.exe
1076	vanqawu.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

4.bin.exevanqawu.exetaskeng.exe4.bin.exevanqawu.exe

description	pid	Process	procid_target
PID 1272 wrote to memory of 1292	1272	4.bin.exe	26
PID 1272 wrote to memory of 1744	1272	4.bin.exe	27
PID 1272 wrote to memory of 1092	1272	4.bin.exe	28
PID 1744 wrote to memory of 2036	1744	vanqawu.exe	30
PID 1744 wrote to memory of 1932	1744	vanqawu.exe	31
PID 740 wrote to memory of 1116	740	taskeng.exe	33
PID 1116 wrote to memory of 1884	1116	4.bin.exe	34
PID 1116 wrote to memory of 1808	1116	4.bin.exe	36
PID 1116 wrote to memory of 388	1116	4.bin.exe	38
PID 1116 wrote to memory of 2012	1116	4.bin.exe	40
PID 1116 wrote to memory of 1960	1116	4.bin.exe	42
PID 1116 wrote to memory of 1880	1116	4.bin.exe	44
PID 1116 wrote to memory of 1028	1116	4.bin.exe	46
PID 1116 wrote to memory of 520	1116	4.bin.exe	48
PID 1116 wrote to memory of 1000	1116	4.bin.exe	50
PID 1116 wrote to memory of 1664	1116	4.bin.exe	52
PID 1664 wrote to memory of 1076	1664	vanqawu.exe	53
PID 1116 wrote to memory of 1548	1116	4.bin.exe	54
PID 1116 wrote to memory of 1912	1116	4.bin.exe	55

C:\Users\Admin\AppData\Local\Temp\4.bin.exe
"C:\Users\Admin\AppData\Local\Temp\4.bin.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1272

C:\Users\Admin\AppData\Local\Temp\4.bin.exe
C:\Users\Admin\AppData\Local\Temp\4.bin.exe /C
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1292

C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn bdadlxhyo /tr "\"C:\Users\Admin\AppData\Local\Temp\4.bin.exe\" /I bdadlxhyo" /SC ONCE /Z /ST 11:28 /ET 11:40
1⤵
PID:1092

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2597591398348209951629390757-20837680671281542962-272171816-1368649592-2099165143"
1⤵
PID:1704

C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe /C
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2036

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Adds Run entry to start application
- Suspicious behavior: EnumeratesProcesses
PID:1932

C:\Windows\system32\taskeng.exe
taskeng.exe {61F11096-A4CA-41E6-AB61-5091EE62140C} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:740

C:\Users\Admin\AppData\Local\Temp\4.bin.exe
C:\Users\Admin\AppData\Local\Temp\4.bin.exe /I bdadlxhyo
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
1⤵
- Windows security modification
PID:1884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "454223412-5150921471267314816971419469-320043876187068563-9496390491679250568"
1⤵
PID:1108

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
1⤵
- Windows security modification
PID:1808

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2144050515-389075933-1508972097-173549143419327725941434069226-1501936006-520507919"
1⤵
PID:1640

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
1⤵
PID:388

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1533849828-300728876-5139443641488150060-813119979-795185563116803031361243198"
1⤵
PID:1156

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
1⤵
PID:2012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14326235771269299388394215760-1441725228474106955522311275-1329707027-510705780"
1⤵
PID:1092

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
1⤵
- Windows security modification
PID:1960

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1362646698679134613-1646037335-1637149667-1728267804-6314402491359913413-1924700415"
1⤵
PID:1864

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
1⤵
- Windows security modification
PID:1880

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1552625258-855583776-347031575-546263353-1388342382-712799299114535281-1437648811"
1⤵
PID:1364

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
1⤵
- Windows security modification
PID:1028

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "130610099-34859375020190171027635789191422629631579713398-73928855-240523436"
1⤵
PID:1248

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
1⤵
- Windows security modification
PID:520

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11722155763968883212001056621-1499077304-10604749351649227884674288798-25225224"
1⤵
PID:268

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg" /d "0"
1⤵
- Windows security bypass
PID:1000

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1475751690-914987179-849248526-1376750572-1231355956-1273077536-522229928-1075185013"
1⤵
PID:560

C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1664

C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe /C
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1076

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\4.bin.exe"
1⤵
PID:1548

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /DELETE /F /TN bdadlxhyo
1⤵
- Uses Task Scheduler COM API
PID:1912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9727120541908570174-1643056064503861097-1069490950-1499688098-1970724049-453199473"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2024361766-138375663415415781951794486084-1781180518285315062-14977885021195648683"
1⤵
PID:1008

C:\Windows\system32\PING.EXE
ping.exe -n 6 127.0.0.1
1⤵
- Runs ping.exe
PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

MITRE ATT&CK Additional techniques

T1089
T1060

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.dat

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe

Download Submit
memory/1076-12-0x0000000002610000-0x0000000002621000-memory.dmp

Filesize
68KB

Download
memory/1292-0-0x00000000027A0000-0x00000000027B1000-memory.dmp

Filesize
68KB

Download
memory/1744-7-0x00000000026F0000-0x0000000002782000-memory.dmp

Filesize
584KB

Download
memory/2036-6-0x00000000025E0000-0x00000000025F1000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Additional techniques

Replay Monitor

Loading Replay Monitor...

Downloads