Analysis

Max time kernel: 135s
Max time network: 120s
Resource: win7v191014
Submitted: 11-11-2019 10:27

Task: task1
Sample: 8.bin.exe
Resource: win7v191014

General

Target: 8.bin.exe
Size: 757KB
MD5: 37bb4d9f1bd92067748c2d86dc487105
SHA1: aa8ccf3c1a22c3102c604f63964ccf4751d15288
SHA256: eb17935cf972d90be92c9b39fff8b3d760ecda78a6f602cb2b8bbaf3d87e6b61
SHA512: da67ef1ef3ddfc7c3a9bbc6d0bc42935ac737f2fbf98a102a0aef92358e20b94163701e21786447c56d772f5c0a16170834c1b34b0ce0ae93ac2d20f4ad7a4b4
Malware Config

Extracted: qakbot 1573401612

Protocol: ftp - Host: 192.185.5.208 - Port: 21 - Username: [email protected] - Password: NxdkxAp4dUsY
Protocol: ftp - Host: 162.241.218.118 - Port: 21 - Username: [email protected] - Password: EcOV0DyGVgVN
Protocol: ftp - Host: 69.89.31.139 - Port: 21 - Username: [email protected] - Password: fcR7OvyLrMW6!
Protocol: ftp - Host: 169.207.67.14 - Port: 21 - Username: [email protected] - Password: eQyicNLzzqPN
Signatures

Suspicious behavior: MapViewOfSection (1 IoC)
  pid  | process
  1168 | vanqawu.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid  | process
  1104 | conhost.exe

Adds Run entry to start application (2 TTPs, 1 IoC)
  description     | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Windows\CurrentVersion\Run\vjqfojr = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Igniwjmeevrg\\vanqawu.exe\"" | explorer.exe
Windows security bypass
  description     | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg = "0" | reg.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Suspicious use of WriteProcessMemory (77 IoCs)
  description | pid | process | target process
  PID 308 wrote to memory of 272 | 308 | 8.bin.exe | 8.bin.exe
  PID 308 wrote to memory of 272 | 308 | 8.bin.exe | 8.bin.exe
  PID 308 wrote to memory of 272 | 308 | 8.bin.exe | 8.bin.exe
  PID 308 wrote to memory of 272 | 308 | 8.bin.exe | 8.bin.exe
  PID 308 wrote to memory of 1168 | 308 | 8.bin.exe | vanqawu.exe
  PID 308 wrote to memory of 1168 | 308 | 8.bin.exe | vanqawu.exe
  PID 308 wrote to memory of 1168 | 308 | 8.bin.exe | vanqawu.exe
  PID 308 wrote to memory of 1168 | 308 | 8.bin.exe | vanqawu.exe
  PID 308 wrote to memory of 1280 | 308 | 8.bin.exe | schtasks.exe
  PID 308 wrote to memory of 1280 | 308 | 8.bin.exe | schtasks.exe
  PID 308 wrote to memory of 1280 | 308 | 8.bin.exe | schtasks.exe
  PID 308 wrote to memory of 1280 | 308 | 8.bin.exe | schtasks.exe
  PID 1168 wrote to memory of 1996 | 1168 | vanqawu.exe | vanqawu.exe
  PID 1168 wrote to memory of 1996 | 1168 | vanqawu.exe | vanqawu.exe
  PID 1168 wrote to memory of 1996 | 1168 | vanqawu.exe | vanqawu.exe
  PID 1168 wrote to memory of 1996 | 1168 | vanqawu.exe | vanqawu.exe
  PID 1168 wrote to memory of 832 | 1168 | vanqawu.exe | explorer.exe
  PID 1168 wrote to memory of 832 | 1168 | vanqawu.exe | explorer.exe
  PID 1168 wrote to memory of 832 | 1168 | vanqawu.exe | explorer.exe
  PID 1168 wrote to memory of 832 | 1168 | vanqawu.exe | explorer.exe
  PID 1168 wrote to memory of 832 | 1168 | vanqawu.exe | explorer.exe
  PID 1560 wrote to memory of 836 | 1560 | taskeng.exe | 8.bin.exe
  PID 1560 wrote to memory of 836 | 1560 | taskeng.exe | 8.bin.exe
  PID 1560 wrote to memory of 836 | 1560 | taskeng.exe | 8.bin.exe
  PID 1560 wrote to memory of 836 | 1560 | taskeng.exe | 8.bin.exe
  PID 836 wrote to memory of 1528 | 836 | 8.bin.exe | reg.exe
  PID 836 wrote to memory of 1528 | 836 | 8.bin.exe | reg.exe
  PID 836 wrote to memory of 1528 | 836 | 8.bin.exe | reg.exe
  PID 836 wrote to memory of 1528 | 836 | 8.bin.exe | reg.exe
  PID 836 wrote to memory of 1952 | 836 | 8.bin.exe | reg.exe
  PID 836 wrote to memory of 1952 | 836 | 8.bin.exe | reg.exe
  PID 836 wrote to memory of 1952 | 836 | 8.bin.exe | reg.exe
  PID 836 wrote to memory of 1952 | 836 | 8.bin.exe | reg.exe
  PID 836 wrote to memory of 652 | 836 | 8.bin.exe | reg.exe
  PID 836 wrote to memory of 652 | 836 | 8.bin.exe | reg.exe
  PID 836 wrote to memory of 652 | 836 | 8.bin.exe | reg.exe
  PID 836 wrote to memory of 652 | 836 | 8.bin.exe | reg.exe
  PID 836 wrote to memory of 1584 | 836 | 8.bin.exe | reg.exe
  PID 836 wrote to memory of 1584 | 836 | 8.bin.exe | reg.exe
  PID 836 wrote to memory of 1584 | 836 | 8.bin.exe | reg.exe
  PID 836 wrote to memory of 1584 | 836 | 8.bin.exe | reg.exe
  PID 836 wrote to memory of 1688 | 836 | 8.bin.exe | reg.exe
  PID 836 wrote to memory of 1688 | 836 | 8.bin.exe | reg.exe
  PID 836 wrote to memory of 1688 | 836 | 8.bin.exe | reg.exe
  PID 836 wrote to memory of 1688 | 836 | 8.bin.exe | reg.exe
  PID 836 wrote to memory of 1776 | 836 | 8.bin.exe | reg.exe
  PID 836 wrote to memory of 1776 | 836 | 8.bin.exe | reg.exe
  PID 836 wrote to memory of 1776 | 836 | 8.bin.exe | reg.exe
  PID 836 wrote to memory of 1776 | 836 | 8.bin.exe | reg.exe
  PID 836 wrote to memory of 620 | 836 | 8.bin.exe | reg.exe
  PID 836 wrote to memory of 620 | 836 | 8.bin.exe | reg.exe
  PID 836 wrote to memory of 620 | 836 | 8.bin.exe | reg.exe
  PID 836 wrote to memory of 620 | 836 | 8.bin.exe | reg.exe
  PID 836 wrote to memory of 1484 | 836 | 8.bin.exe | reg.exe
  PID 836 wrote to memory of 1484 | 836 | 8.bin.exe | reg.exe
  PID 836 wrote to memory of 1484 | 836 | 8.bin.exe | reg.exe
  PID 836 wrote to memory of 1484 | 836 | 8.bin.exe | reg.exe
  PID 836 wrote to memory of 2016 | 836 | 8.bin.exe | reg.exe
  PID 836 wrote to memory of 2016 | 836 | 8.bin.exe | reg.exe
  PID 836 wrote to memory of 2016 | 836 | 8.bin.exe | reg.exe
  PID 836 wrote to memory of 2016 | 836 | 8.bin.exe | reg.exe
  PID 836 wrote to memory of 1640 | 836 | 8.bin.exe | vanqawu.exe
  PID 836 wrote to memory of 1640 | 836 | 8.bin.exe | vanqawu.exe
  PID 836 wrote to memory of 1640 | 836 | 8.bin.exe | vanqawu.exe

Executes dropped EXE (4 IoCs)
  pid  | process
  1168 | vanqawu.exe
  1996 | vanqawu.exe
  1640 | vanqawu.exe
  1568 | vanqawu.exe

Modifies data under HKEY_USERS (3 IoCs)
  description     | ioc | process
  Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | 8.bin.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | 8.bin.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | 8.bin.exe

Runs ping.exe (1 TTP, 1 IoC)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid  | process
  308  | 8.bin.exe
  272  | 8.bin.exe
  272  | 8.bin.exe
  1168 | vanqawu.exe
  1996 | vanqawu.exe
  1996 | vanqawu.exe
  832  | explorer.exe
  832  | explorer.exe
  836  | 8.bin.exe
  1640 | vanqawu.exe
  1568 | vanqawu.exe
  1568 | vanqawu.exe

Loads dropped DLL (3 IoCs)
  pid  | process
  308  | 8.bin.exe
  308  | 8.bin.exe
  836  | 8.bin.exe

Turns off Windows Defender SpyNet reporting (6 IoCs)
  description     | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent = "2" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SpyNetReporting = "0" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent = "2" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting = "0" | reg.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Windows security modification
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet | reg.exe
Processes

C:\Users\Admin\AppData\Local\Temp\8.bin.exe  [level 1]
  Command line: "C:\Users\Admin\AppData\Local\Temp\8.bin.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses
  - Loads dropped DLL
  PID: 308

    C:\Users\Admin\AppData\Local\Temp\8.bin.exe  [level 2]
      Command line: C:\Users\Admin\AppData\Local\Temp\8.bin.exe /C
      - Suspicious behavior: EnumeratesProcesses
      PID: 272

    C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe  [level 2]
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID: 1168

        C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe  [level 3]
          Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe /C
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          PID: 1996

        C:\Windows\SysWOW64\explorer.exe  [level 3]
          Command line: C:\Windows\SysWOW64\explorer.exe
          - Adds Run entry to start application
          - Suspicious behavior: EnumeratesProcesses
          PID: 832

    C:\Windows\SysWOW64\schtasks.exe  [level 2]
      Command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn qyosvlkbc /tr "\"C:\Users\Admin\AppData\Local\Temp\8.bin.exe\" /I qyosvlkbc" /SC ONCE /Z /ST 11:29 /ET 11:41
      - Creates scheduled task(s)
      PID: 1280

C:\Windows\system32\conhost.exe  [level 1]
  Command line: \??\C:\Windows\system32\conhost.exe "-753189588-1433744804-486626420-1397814957-218450254-446217199561556025-1941111257"
  PID: 1336

C:\Windows\system32\taskeng.exe  [level 1]
  Command line: taskeng.exe {188FC226-9056-4D6C-A3A8-5882E8BDDDB0} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  PID: 1560

    C:\Users\Admin\AppData\Local\Temp\8.bin.exe  [level 2]
      Command line: C:\Users\Admin\AppData\Local\Temp\8.bin.exe /I qyosvlkbc
      - Suspicious use of WriteProcessMemory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Loads dropped DLL
      PID: 836

        C:\Windows\system32\reg.exe  [level 3]
          Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
          - Turns off Windows Defender SpyNet reporting
          - Windows security modification
          PID: 1528

        C:\Windows\system32\reg.exe  [level 3]
          Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
          - Turns off Windows Defender SpyNet reporting
          - Windows security modification
          PID: 1952

        C:\Windows\system32\reg.exe  [level 3]
          Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
          PID: 652

        C:\Windows\system32\reg.exe  [level 3]
          Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
          PID: 1584

        C:\Windows\system32\reg.exe  [level 3]
          Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
          - Turns off Windows Defender SpyNet reporting
          - Windows security modification
          PID: 1688

        C:\Windows\system32\reg.exe  [level 3]
          Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
          - Turns off Windows Defender SpyNet reporting
          - Windows security modification
          PID: 1776

        C:\Windows\system32\reg.exe  [level 3]
          Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
          - Turns off Windows Defender SpyNet reporting
          - Windows security modification
          PID: 620

        C:\Windows\system32\reg.exe  [level 3]
          Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
          - Turns off Windows Defender SpyNet reporting
          - Windows security modification
          PID: 1484

        C:\Windows\system32\reg.exe  [level 3]
          Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg" /d "0"
          - Windows security bypass
          PID: 2016

        C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe  [level 3]
          Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          PID: 1640

            C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe  [level 4]
              Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe /C
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              PID: 1568

        C:\Windows\System32\cmd.exe  [level 3]
          Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\8.bin.exe"
          PID: 1048

            C:\Windows\system32\PING.EXE  [level 4]
              Command line: ping.exe -n 6 127.0.0.1
              - Runs ping.exe
              PID: 1540

        C:\Windows\system32\schtasks.exe  [level 3]
          Command line: "C:\Windows\system32\schtasks.exe" /DELETE /F /TN qyosvlkbc
          PID: 1664

C:\Windows\system32\conhost.exe  [level 1]
  Command line: \??\C:\Windows\system32\conhost.exe "-1671446471-2037385987-1140784385126369297312567265411497322815299921975-1478713595"
  PID: 1216

C:\Windows\system32\conhost.exe  [level 1]
  Command line: \??\C:\Windows\system32\conhost.exe "1457601482-50010969616252969501206959705-43783807412731539041005709108824411234"
  PID: 1104

C:\Windows\system32\conhost.exe  [level 1]
  Command line: \??\C:\Windows\system32\conhost.exe "-17526811061136906217746980482-1858782577-1941344338-1450511440377808577-1299226579"
  PID: 764

C:\Windows\system32\conhost.exe  [level 1]
  Command line: \??\C:\Windows\system32\conhost.exe "2051421556-1768601563-179844851613047578241032240784-27941858611366245811989015846"
  PID: 1692

C:\Windows\system32\conhost.exe  [level 1]
  Command line: \??\C:\Windows\system32\conhost.exe "18628929981036384981289770374-592101373874816334848378359-5474200671398081469"
  PID: 552

C:\Windows\system32\conhost.exe  [level 1]
  Command line: \??\C:\Windows\system32\conhost.exe "48136951127891193820515399772487042417692925492137894716-381493031146472321"
  PID: 1064

C:\Windows\system32\conhost.exe  [level 1]
  Command line: \??\C:\Windows\system32\conhost.exe "-1117043257-931031499-189124403-788969650-1276567511139210119019100226451924642530"
  PID: 1864

C:\Windows\system32\conhost.exe  [level 1]
  Command line: \??\C:\Windows\system32\conhost.exe "-1020732364-1821753985107230995-530521536-1323652505510088639-938965762-1170773399"
  PID: 916

C:\Windows\system32\conhost.exe  [level 1]
  Command line: \??\C:\Windows\system32\conhost.exe "-21125538161955100281-406316728-88167273511630569021698010008996422218962015025"
  PID: 1492

C:\Windows\system32\conhost.exe  [level 1]
  Command line: \??\C:\Windows\system32\conhost.exe "-105008731-213402967614852888081533679973311870333-734709778-19130329741741808855"
  - Suspicious use of SetWindowsHookEx
  PID: 1104

C:\Windows\system32\conhost.exe  [level 1]
  Command line: \??\C:\Windows\system32\conhost.exe "-270271495521929493-14138004632135141465-395872238-47218011213449466789263706"
  PID: 908