Analysis

  • max time kernel
    142s
  • max time network
    120s
  • resource
    win7v191014

General

  • Target

    11.bin

  • Sample

    191111-7cpggrpxts

  • SHA256

    13c2f4b6fb80500884a4ea9d2fe80774124f46ebfd80de3e1dfcfb9e167aee08

Score
N/A

Malware Config

Extracted

Family

qakbot

Campaign

1573023013

C2

Signatures

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Adds Run entry to start application 2 TTPs 1 IoCs
  • Windows security modification 2 TTPs 6 IoCs
  • Windows security bypass 2 TTPs 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • Loads dropped DLL 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs 12 IoCs
  • qakbot family

Processes

  • C:\Users\Admin\AppData\Local\Temp\11.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\11.bin.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • Loads dropped DLL
    PID:836
  • C:\Users\Admin\AppData\Local\Temp\11.bin.exe
    C:\Users\Admin\AppData\Local\Temp\11.bin.exe /C
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1456
  • C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    • Executes dropped EXE
    PID:1320
  • C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn pvsqstxw /tr "\"C:\Users\Admin\AppData\Local\Temp\11.bin.exe\" /I pvsqstxw" /SC ONCE /Z /ST 11:30 /ET 11:42
    1⤵
      PID:1416
    • C:\Windows\system32\conhost.exe
      \??\C:\Windows\system32\conhost.exe "1357304515-49625428213239389931465246131-418946311504728357825126170-1064745522"
      1⤵
        PID:1848
      • C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe /C
        1⤵
        • Suspicious behavior: EnumeratesProcesses
        • Executes dropped EXE
        PID:2028
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        1⤵
        • Suspicious behavior: EnumeratesProcesses
        • Adds Run entry to start application
        PID:1096
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {2026FFD1-2CBF-40C0-A809-5CA885176134} S-1-5-18:NT AUTHORITY\System:Service:
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:976
      • C:\Users\Admin\AppData\Local\Temp\11.bin.exe
        C:\Users\Admin\AppData\Local\Temp\11.bin.exe /I pvsqstxw
        1⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        • Loads dropped DLL
        PID:912
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        1⤵
        • Windows security modification
        PID:1996
      • C:\Windows\system32\conhost.exe
        \??\C:\Windows\system32\conhost.exe "2114507193219279930-476467660-6906997431715368643788585791618214166-1318399759"
        1⤵
          PID:524
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
          1⤵
          • Windows security modification
          PID:1472
        • C:\Windows\system32\conhost.exe
          \??\C:\Windows\system32\conhost.exe "-347602925-1017609409-124800625861537687295741028-607589570718231873963294119"
          1⤵
            PID:1528
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
            1⤵
              PID:1600
            • C:\Windows\system32\conhost.exe
              \??\C:\Windows\system32\conhost.exe "-14523226271401973370338872636-550638922-63605209674095044-1358921468655515868"
              1⤵
                PID:1616
              • C:\Windows\system32\reg.exe
                C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
                1⤵
                  PID:1604
                • C:\Windows\system32\conhost.exe
                  \??\C:\Windows\system32\conhost.exe "-1721353643-1011732141843006702-1920461121-174803789-1585809804-462053229-1450842461"
                  1⤵
                    PID:1372
                  • C:\Windows\system32\reg.exe
                    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
                    1⤵
                    • Windows security modification
                    PID:580
                  • C:\Windows\system32\conhost.exe
                    \??\C:\Windows\system32\conhost.exe "-97341255-1546817024-19055165111954910271-48327089-1238704385-1546350444-714782992"
                    1⤵
                      PID:1232
                    • C:\Windows\system32\reg.exe
                      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
                      1⤵
                      • Windows security modification
                      PID:1764
                    • C:\Windows\system32\conhost.exe
                      \??\C:\Windows\system32\conhost.exe "-1445524474-3308915161815763091-2057567622388865578-15847111584625774781967866691"
                      1⤵
                        PID:1048
                      • C:\Windows\system32\reg.exe
                        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
                        1⤵
                        • Windows security modification
                        PID:628
                      • C:\Windows\system32\conhost.exe
                        \??\C:\Windows\system32\conhost.exe "-184529240957487446124276639714691956311002836303-1419088177269426805-1019170773"
                        1⤵
                          PID:1956
                        • C:\Windows\system32\reg.exe
                          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
                          1⤵
                          • Windows security modification
                          PID:1088
                        • C:\Windows\system32\conhost.exe
                          \??\C:\Windows\system32\conhost.exe "157074129913557924202044000043-238679619119756632114549220691071677603553986429"
                          1⤵
                            PID:852
                          • C:\Windows\system32\reg.exe
                            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg" /d "0"
                            1⤵
                            • Windows security bypass
                            PID:1348
                          • C:\Windows\system32\conhost.exe
                            \??\C:\Windows\system32\conhost.exe "-21312481651734780967-312137178522453693-113931201610708378332057968779-1279840106"
                            1⤵
                              PID:1128
                            • C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
                              C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
                              1⤵
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of WriteProcessMemory
                              • Executes dropped EXE
                              PID:1748
                            • C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
                              C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe /C
                              1⤵
                              • Suspicious behavior: EnumeratesProcesses
                              • Executes dropped EXE
                              PID:1928
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\11.bin.exe"
                              1⤵
                                PID:432
                              • C:\Windows\system32\conhost.exe
                                \??\C:\Windows\system32\conhost.exe "14109141571483413148-6025633631842678509-918674061258730249-405654191107294981"
                                1⤵
                                • Suspicious use of SetWindowsHookEx
                                PID:1344
                              • C:\Windows\system32\schtasks.exe
                                "C:\Windows\system32\schtasks.exe" /DELETE /F /TN pvsqstxw
                                1⤵
                                • Uses Task Scheduler COM API
                                PID:1292
                              • C:\Windows\system32\conhost.exe
                                \??\C:\Windows\system32\conhost.exe "1605184671177318353473479521-706429454917755742866690576-1789798880202894291"
                                1⤵
                                  PID:1772
                                • C:\Windows\system32\PING.EXE
                                  ping.exe -n 6 127.0.0.1
                                  1⤵
                                  • Runs ping.exe
                                  PID:816

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Additional techniques

  • T1060
  • T1089

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.dat

  • C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe

  • \Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe

  • memory/1320-7-0x0000000002240000-0x00000000022D2000-memory.dmp
    Filesize: 584KB

  • memory/1456-0-0x0000000002580000-0x0000000002591000-memory.dmp
    Filesize: 68KB

  • memory/1928-12-0x00000000025C0000-0x00000000025D1000-memory.dmp
    Filesize: 68KB

  • memory/2028-6-0x0000000002600000-0x0000000002611000-memory.dmp
    Filesize: 68KB