Analysis
-
max time kernel
142s -
max time network
120s -
resource
win7v191014
Task
task1
Sample
11.bin.exe
Resource
win7v191014
General
-
Target
11.bin
-
Sample
191111-7cpggrpxts
-
SHA256
13c2f4b6fb80500884a4ea9d2fe80774124f46ebfd80de3e1dfcfb9e167aee08
Malware Config
Extracted
qakbot
1573023013
107.12.140.181:443
67.5.33.229:2078
184.74.101.234:995
172.78.45.13:995
181.95.16.207:443
50.246.229.50:443
207.179.194.91:443
67.246.16.250:995
75.110.250.89:443
173.91.254.236:443
50.78.93.74:995
73.104.218.229:0
47.23.101.26:993
88.111.255.235:2222
12.5.37.3:995
24.30.71.200:443
72.29.181.77:2078
98.155.154.220:443
196.194.74.33:2222
47.214.144.253:443
67.10.18.112:993
73.232.165.200:995
115.132.97.136:443
47.202.98.230:443
71.93.60.90:443
72.46.151.196:995
137.25.72.175:443
67.160.63.127:443
197.86.194.53:995
75.142.59.167:443
47.155.19.205:443
182.56.89.221:995
2.90.219.43:443
105.246.75.20:995
75.110.90.155:443
166.62.180.194:2078
62.103.70.217:995
107.12.131.249:443
98.186.155.8:443
47.153.115.154:443
108.5.34.128:443
76.169.19.193:443
45.37.57.119:2222
76.116.128.81:443
2.50.41.185:443
95.67.238.16:21
107.184.252.92:443
75.130.117.134:443
70.183.3.199:443
72.142.106.198:993
181.197.195.138:995
186.47.208.238:50000
71.77.231.251:443
93.177.144.236:443
12.176.32.146:443
72.16.212.107:995
200.104.249.67:443
73.226.220.56:443
181.126.80.118:443
67.214.201.117:2222
108.160.123.244:443
173.247.186.90:443
90.43.6.185:2222
66.51.231.183:443
50.247.230.33:443
108.227.161.27:443
96.59.11.86:443
24.184.6.58:2222
117.204.224.110:995
174.131.181.120:995
76.80.66.226:443
207.162.184.228:443
173.178.129.3:443
47.23.101.26:465
12.5.37.3:443
111.125.70.30:2222
206.51.202.106:50002
201.152.111.120:995
75.131.72.82:995
174.48.72.160:443
2.177.101.143:443
47.146.169.85:443
184.191.62.78:443
75.70.218.193:443
162.244.225.30:443
123.252.128.47:443
174.130.203.235:443
205.250.79.62:443
162.244.224.166:443
116.58.100.130:443
68.174.15.223:443
199.126.92.231:995
173.178.129.3:990
65.30.12.240:443
24.201.68.105:2087
5.182.39.156:443
24.201.68.105:2078
23.240.185.215:443
68.131.9.203:443
187.163.139.200:993
75.81.25.223:995
70.120.151.69:443
32.208.1.239:443
73.37.61.237:443
168.245.228.71:443
72.29.181.77:2083
112.171.126.153:443
75.131.72.82:2087
67.200.146.98:2222
96.35.170.82:2222
72.132.145.25:443
71.30.56.170:443
174.16.234.171:993
75.175.209.163:995
47.153.115.154:995
72.213.98.233:443
2.50.170.151:443
173.22.120.11:2222
184.180.157.203:2222
75.165.132.69:443
64.19.74.29:995
104.32.185.213:2222
104.3.91.20:995
64.72.102.10:2222
173.3.132.17:995
74.194.4.181:443
75.131.72.82:443
68.238.144.55:443
100.4.185.8:443
190.217.1.149:443
104.34.122.18:443
66.214.75.176:443
47.153.115.154:443
72.142.106.198:465
68.238.56.27:443
24.180.7.155:443
24.203.64.26:2222
24.196.158.28:443
69.92.54.95:995
83.79.2.218:2222
98.148.177.77:443
170.10.78.48:443
71.90.241.69:443
23.240.34.55:443
201.188.17.26:443
181.135.235.70:443
67.190.189.217:443
75.182.115.93:443
75.110.104.106:443
203.83.20.209:995
Signatures
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 836 11.bin.exe 1456 11.bin.exe 1320 vanqawu.exe 2028 vanqawu.exe 1096 explorer.exe 912 11.bin.exe 1748 vanqawu.exe 1928 vanqawu.exe -
pid Process 816 PING.EXE -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1320 vanqawu.exe -
Adds Run entry to start application 2 TTPs 1 IoCs
description ioc pid Process Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Windows\CurrentVersion\Run\lyffel = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Igniwjmeevrg\\vanqawu.exe\"" 1096 explorer.exe -
description ioc pid Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting = "0" 1996 reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent = "2" 1472 reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SpyNetReporting = "0" 580 reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent = "2" 1764 reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" 628 reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2" 1088 reg.exe -
description ioc pid Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg = "0" 1348 reg.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1344 conhost.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 836 wrote to memory of 1456 836 11.bin.exe 26 PID 836 wrote to memory of 1320 836 11.bin.exe 27 PID 836 wrote to memory of 1416 836 11.bin.exe 28 PID 1320 wrote to memory of 2028 1320 vanqawu.exe 30 PID 1320 wrote to memory of 1096 1320 vanqawu.exe 31 PID 976 wrote to memory of 912 976 taskeng.exe 35 PID 912 wrote to memory of 1996 912 11.bin.exe 36 PID 912 wrote to memory of 1472 912 11.bin.exe 38 PID 912 wrote to memory of 1600 912 11.bin.exe 40 PID 912 wrote to memory of 1604 912 11.bin.exe 42 PID 912 wrote to memory of 580 912 11.bin.exe 44 PID 912 wrote to memory of 1764 912 11.bin.exe 46 PID 912 wrote to memory of 628 912 11.bin.exe 48 PID 912 wrote to memory of 1088 912 11.bin.exe 50 PID 912 wrote to memory of 1348 912 11.bin.exe 52 PID 912 wrote to memory of 1748 912 11.bin.exe 54 PID 1748 wrote to memory of 1928 1748 vanqawu.exe 55 PID 912 wrote to memory of 432 912 11.bin.exe 56 PID 912 wrote to memory of 1292 912 11.bin.exe 58 -
Loads dropped DLL 2 IoCs
pid Process 836 11.bin.exe 912 11.bin.exe -
Executes dropped EXE 4 IoCs
pid Process 1320 vanqawu.exe 2028 vanqawu.exe 1748 vanqawu.exe 1928 vanqawu.exe -
Uses Task Scheduler COM API 1 TTPs 12 IoCs
description ioc pid Process Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} 1292 schtasks.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} 1292 schtasks.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs 1292 schtasks.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid 1292 schtasks.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID\ 1292 schtasks.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ 1292 schtasks.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 1292 schtasks.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\InprocServer32 1292 schtasks.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ 1292 schtasks.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ThreadingModel 1292 schtasks.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32 1292 schtasks.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler 1292 schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\11.bin.exe"C:\Users\Admin\AppData\Local\Temp\11.bin.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
PID:836
-
C:\Users\Admin\AppData\Local\Temp\11.bin.exeC:\Users\Admin\AppData\Local\Temp\11.bin.exe /C1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1456
-
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exeC:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1320
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn pvsqstxw /tr "\"C:\Users\Admin\AppData\Local\Temp\11.bin.exe\" /I pvsqstxw" /SC ONCE /Z /ST 11:30 /ET 11:421⤵PID:1416
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1357304515-49625428213239389931465246131-418946311504728357825126170-1064745522"1⤵PID:1848
-
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exeC:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe /C1⤵
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
PID:2028
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Suspicious behavior: EnumeratesProcesses
- Adds Run entry to start application
PID:1096
-
C:\Windows\system32\taskeng.exetaskeng.exe {2026FFD1-2CBF-40C0-A809-5CA885176134} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
PID:976
-
C:\Users\Admin\AppData\Local\Temp\11.bin.exeC:\Users\Admin\AppData\Local\Temp\11.bin.exe /I pvsqstxw1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
PID:912
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"1⤵
- Windows security modification
PID:1996
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "2114507193219279930-476467660-6906997431715368643788585791618214166-1318399759"1⤵PID:524
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"1⤵
- Windows security modification
PID:1472
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-347602925-1017609409-124800625861537687295741028-607589570718231873963294119"1⤵PID:1528
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"1⤵PID:1600
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-14523226271401973370338872636-550638922-63605209674095044-1358921468655515868"1⤵PID:1616
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"1⤵PID:1604
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1721353643-1011732141843006702-1920461121-174803789-1585809804-462053229-1450842461"1⤵PID:1372
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"1⤵
- Windows security modification
PID:580
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-97341255-1546817024-19055165111954910271-48327089-1238704385-1546350444-714782992"1⤵PID:1232
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"1⤵
- Windows security modification
PID:1764
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1445524474-3308915161815763091-2057567622388865578-15847111584625774781967866691"1⤵PID:1048
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"1⤵
- Windows security modification
PID:628
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-184529240957487446124276639714691956311002836303-1419088177269426805-1019170773"1⤵PID:1956
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"1⤵
- Windows security modification
PID:1088
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "157074129913557924202044000043-238679619119756632114549220691071677603553986429"1⤵PID:852
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg" /d "0"1⤵
- Windows security bypass
PID:1348
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-21312481651734780967-312137178522453693-113931201610708378332057968779-1279840106"1⤵PID:1128
-
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exeC:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1748
-
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exeC:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe /C1⤵
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
PID:1928
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\11.bin.exe"1⤵PID:432
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "14109141571483413148-6025633631842678509-918674061258730249-405654191107294981"1⤵
- Suspicious use of SetWindowsHookEx
PID:1344
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /DELETE /F /TN pvsqstxw1⤵
- Uses Task Scheduler COM API
PID:1292
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1605184671177318353473479521-706429454917755742866690576-1789798880202894291"1⤵PID:1772
-
C:\Windows\system32\PING.EXEping.exe -n 6 127.0.0.11⤵
- Runs ping.exe
PID:816
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Additional techniques
- T1060
- T1089