Analysis
max time kernel: 141s
max time network: 150s
resource: win10v191014
Task: task1
Sample: 11.bin.exe
Resource: win7v191014
General
Target: 11.bin
Sample: 191111-7cpggrpxts
SHA256: 13c2f4b6fb80500884a4ea9d2fe80774124f46ebfd80de3e1dfcfb9e167aee08
Malware Config
Extracted
qakbot
1573023013
Signatures
Qakbot persistence 1 IoCs
description | ioc | pid | Process
Event created | 2ijsethyt3024 | 3024 | explorer.exe
Drops file in system dir 5 IoCs
description | ioc | pid | Process
File opened for modification | C:\Windows\Debug\ESE.TXT | 4516 | svchost.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp | 4516 | svchost.exe
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp | 4516 | svchost.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp | 4516 | svchost.exe
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp | 4516 | svchost.exe
Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs
description | ioc | pid | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | 4164 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | 4164 | svchost.exe
Adds Run entry to start application 2 TTPs 1 IoCs
description | ioc | pid | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Windows\CurrentVersion\Run\qgfykoy = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Onjpsefhpr\\ijsethyt.exe\"" | 3024 | explorer.exe
Windows security bypass 1 IoCs
description | ioc | pid | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr = "0" | 3400 | reg.exe
Suspicious use of WriteProcessMemory 19 IoCs
description | pid | Process | procid_target
PID 4920 wrote to memory of 4988 | 4920 | 11.bin.exe | 73
PID 5076 wrote to memory of 5104 | 5076 | SppExtComObj.exe | 76
PID 4920 wrote to memory of 1696 | 4920 | 11.bin.exe | 78
PID 4920 wrote to memory of 1668 | 4920 | 11.bin.exe | 79
PID 1696 wrote to memory of 1784 | 1696 | ijsethyt.exe | 81
PID 1696 wrote to memory of 3024 | 1696 | ijsethyt.exe | 82
PID 784 wrote to memory of 2392 | 784 | 11.bin.exe | 92
PID 784 wrote to memory of 3540 | 784 | 11.bin.exe | 94
PID 784 wrote to memory of 5000 | 784 | 11.bin.exe | 96
PID 784 wrote to memory of 3804 | 784 | 11.bin.exe | 98
PID 784 wrote to memory of 1080 | 784 | 11.bin.exe | 100
PID 784 wrote to memory of 360 | 784 | 11.bin.exe | 102
PID 784 wrote to memory of 4932 | 784 | 11.bin.exe | 104
PID 784 wrote to memory of 332 | 784 | 11.bin.exe | 106
PID 784 wrote to memory of 3400 | 784 | 11.bin.exe | 108
PID 784 wrote to memory of 4060 | 784 | 11.bin.exe | 110
PID 784 wrote to memory of 3516 | 784 | 11.bin.exe | 111
PID 784 wrote to memory of 564 | 784 | 11.bin.exe | 112
PID 4060 wrote to memory of 712 | 4060 | ijsethyt.exe | 116
Suspicious behavior: MapViewOfSection 1 IoCs
pid | Process
1696 | ijsethyt.exe
Uses Task Scheduler COM API 1 TTPs 14 IoCs
description | ioc | pid | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} | 564 | schtasks.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd} | 564 | schtasks.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs | 564 | schtasks.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ | 564 | schtasks.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 | 564 | schtasks.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\InprocServer32 | 564 | schtasks.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\ | 564 | schtasks.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\ThreadingModel | 564 | schtasks.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 | 564 | schtasks.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler | 564 | schtasks.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32 | 564 | schtasks.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\AppID | 564 | schtasks.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer | 564 | schtasks.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation | 564 | schtasks.exe
Runs ping.exe 1 IoCs
pid | Process
928 | PING.EXE
Checks SCSI registry key(s) (likely anti-VM) 3 TTPs 18 IoCs
description | ioc | pid | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 | 4988 | 11.bin.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc | 4988 | 11.bin.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service | 4988 | 11.bin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 | 4988 | 11.bin.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc | 4988 | 11.bin.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service | 4988 | 11.bin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 | 1784 | ijsethyt.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc | 1784 | ijsethyt.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service | 1784 | ijsethyt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 | 1784 | ijsethyt.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc | 1784 | ijsethyt.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service | 1784 | ijsethyt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 | 712 | ijsethyt.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc | 712 | ijsethyt.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service | 712 | ijsethyt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 | 712 | ijsethyt.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc | 712 | ijsethyt.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service | 712 | ijsethyt.exe
Executes dropped EXE 4 IoCs
pid | Process
1696 | ijsethyt.exe
1784 | ijsethyt.exe
4060 | ijsethyt.exe
712 | ijsethyt.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
4920 | 11.bin.exe
4988 | 11.bin.exe
1696 | ijsethyt.exe
1784 | ijsethyt.exe
3024 | explorer.exe
784 | 11.bin.exe
4060 | ijsethyt.exe
712 | ijsethyt.exe
Windows security modification 8 IoCs
description | ioc | pid | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0" | 4832 | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1" | 4832 | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting = "0" | 2392 | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent = "2" | 3540 | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | 1080 | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2" | 360 | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | 4932 | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2" | 332 | reg.exe
Processes
C:\Users\Admin\AppData\Local\Temp\11.bin.exe
  "C:\Users\Admin\AppData\Local\Temp\11.bin.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses
  PID: 4920

C:\Users\Admin\AppData\Local\Temp\11.bin.exe
  C:\Users\Admin\AppData\Local\Temp\11.bin.exe /C
  - Checks SCSI registry key(s) (likely anti-VM)
  - Suspicious behavior: EnumeratesProcesses
  PID: 4988

C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  - Suspicious use of WriteProcessMemory
  PID: 5076

C:\Windows\System32\SLUI.exe
  "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
  PID: 5104

C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: MapViewOfSection
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID: 1696
C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn hvducxxoxa /tr "\"C:\Users\Admin\AppData\Local\Temp\11.bin.exe\" /I hvducxxoxa" /SC ONCE /Z /ST 11:30 /ET 11:42
  PID: 1668

C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe /C
  - Checks SCSI registry key(s) (likely anti-VM)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID: 1784

C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  - Qakbot persistence
  - Adds Run entry to start application
  - Suspicious behavior: EnumeratesProcesses
  PID: 3024

\??\c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k netsvcs -s BITS
  - Drops file in system dir
  PID: 4516

\??\c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
  PID: 1656

\??\c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
  - Checks system information in the registry (likely anti-VM)
  PID: 4164

\??\c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k unistacksvcgroup
  PID: 4740

\??\c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
  - Windows security modification
  PID: 4832
C:\Users\Admin\AppData\Local\Temp\11.bin.exe
  C:\Users\Admin\AppData\Local\Temp\11.bin.exe /I hvducxxoxa
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses
  PID: 784

C:\Windows\system32\reg.exe
  C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
  - Windows security modification
  PID: 2392

C:\Windows\system32\reg.exe
  C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
  - Windows security modification
  PID: 3540

C:\Windows\system32\reg.exe
  C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
  PID: 5000

C:\Windows\system32\reg.exe
  C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
  PID: 3804

C:\Windows\system32\reg.exe
  C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
  - Windows security modification
  PID: 1080

C:\Windows\system32\reg.exe
  C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
  - Windows security modification
  PID: 360

C:\Windows\system32\reg.exe
  C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
  - Windows security modification
  PID: 4932

C:\Windows\system32\reg.exe
  C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
  - Windows security modification
  PID: 332
C:\Windows\system32\reg.exe
  C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr" /d "0"
  - Windows security bypass
  PID: 3400

C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
  - Suspicious use of WriteProcessMemory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID: 4060

C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\11.bin.exe"
  PID: 3516

C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /DELETE /F /TN hvducxxoxa
  - Uses Task Scheduler COM API
  PID: 564

C:\Windows\system32\PING.EXE
  ping.exe -n 6 127.0.0.1
  - Runs ping.exe
  PID: 928

C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe /C
  - Checks SCSI registry key(s) (likely anti-VM)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID: 712
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Additional techniques
- T1060
- T1089