Analysis
-
max time kernel
138s -
max time network
151s -
resource
win10v191014 -
submitted
11-11-2019 10:27
Task
task1
Sample
8.bin.exe
Resource
win7v191014
0 signatures
General
-
Target
8.bin.exe
-
Size
757KB
-
MD5
37bb4d9f1bd92067748c2d86dc487105
-
SHA1
aa8ccf3c1a22c3102c604f63964ccf4751d15288
-
SHA256
eb17935cf972d90be92c9b39fff8b3d760ecda78a6f602cb2b8bbaf3d87e6b61
-
SHA512
da67ef1ef3ddfc7c3a9bbc6d0bc42935ac737f2fbf98a102a0aef92358e20b94163701e21786447c56d772f5c0a16170834c1b34b0ce0ae93ac2d20f4ad7a4b4
Malware Config
Extracted
Family
qakbot
Campaign
1573401612
Credentials
Protocol: ftp- Host:
192.185.5.208 - Port:
21 - Username:
logger@dustinkeeling.com - Password:
NxdkxAp4dUsY
Protocol: ftp- Host:
162.241.218.118 - Port:
21 - Username:
logger@misterexterior.com - Password:
EcOV0DyGVgVN
Protocol: ftp- Host:
69.89.31.139 - Port:
21 - Username:
cpanel@vivekharris-architects.com - Password:
fcR7OvyLrMW6!
Protocol: ftp- Host:
169.207.67.14 - Port:
21 - Username:
cpanel@dovetailsolar.com - Password:
eQyicNLzzqPN
C2
50.246.229.50:443
74.134.35.54:443
75.110.219.10:443
65.16.241.150:443
74.134.4.236:443
182.56.93.78:995
184.191.62.78:443
76.181.237.223:443
2.50.41.185:443
107.12.140.181:443
72.29.181.77:2078
73.137.187.150:443
71.93.60.90:443
72.46.151.196:995
173.233.182.249:443
67.10.18.112:993
181.47.60.21:995
97.83.66.143:443
184.74.101.234:995
181.1.204.139:443
71.58.21.235:443
107.12.131.249:443
76.169.19.193:443
168.245.228.71:443
96.244.38.23:443
71.197.126.250:443
67.246.16.250:995
75.110.250.89:443
50.78.93.74:995
47.23.101.26:993
73.79.10.31:443
12.5.37.3:995
24.30.71.200:443
172.78.45.13:995
68.225.250.136:443
75.142.59.167:443
96.35.170.82:2222
73.235.65.73:443
172.250.91.246:443
47.202.98.230:443
186.109.159.172:443
104.173.119.54:2222
73.232.165.200:995
75.110.90.155:443
166.62.180.194:2078
62.103.70.217:995
108.45.183.59:443
47.153.115.154:443
108.5.34.128:443
76.116.128.81:443
107.184.252.92:443
24.180.7.155:443
72.28.255.159:443
71.77.231.251:443
74.73.27.35:443
186.90.187.252:443
67.214.201.117:2222
104.235.77.28:443
47.180.66.10:443
65.30.12.240:443
181.197.195.138:995
76.80.66.226:443
188.52.63.36:443
104.175.193.24:443
2.177.101.143:443
49.191.131.67:443
67.160.63.127:443
75.70.218.193:443
176.205.181.71:443
72.142.106.198:465
47.146.169.85:443
24.184.6.58:2222
24.93.168.38:443
162.244.225.30:443
67.200.146.98:2222
162.244.224.166:443
104.34.122.18:443
72.29.181.77:2083
12.5.37.3:443
112.171.126.153:443
75.131.72.82:2087
66.214.75.176:443
199.126.92.231:995
173.178.129.3:990
73.226.220.56:443
12.176.32.146:443
174.130.203.235:443
72.16.212.107:995
205.250.79.62:443
201.152.218.64:995
108.227.161.27:443
181.126.80.118:443
108.160.123.244:443
50.247.230.33:443
104.32.185.213:2222
68.174.15.223:443
96.59.11.86:443
174.131.181.120:995
207.162.184.228:443
75.165.181.122:443
173.178.129.3:443
47.23.101.26:465
206.51.202.106:50002
75.131.72.82:995
174.48.72.160:443
172.251.125.166:443
68.238.144.55:443
71.30.56.170:443
174.16.234.171:993
116.58.100.130:443
75.175.209.163:995
68.238.56.27:443
184.180.157.203:2222
173.22.120.11:2222
47.153.115.154:443
24.203.64.26:2222
64.19.74.29:995
104.3.91.20:995
75.130.117.134:443
173.3.132.17:995
75.131.72.82:443
100.4.185.8:443
47.153.115.154:995
5.182.39.156:443
97.84.226.90:443
23.240.185.215:443
68.131.9.203:443
75.81.25.223:995
24.201.68.105:2078
32.208.1.239:443
74.194.4.181:443
70.34.10.217:443
47.214.144.253:443
207.237.1.152:443
76.116.90.159:443
173.52.119.247:443
201.188.85.71:443
172.251.77.230:443
174.197.2.131:443
197.82.208.34:995
209.182.122.217:443
69.170.237.82:995
73.200.219.143:443
98.155.154.220:443
98.30.99.15:443
81.103.144.77:443
98.148.177.77:443
69.207.57.35:443
47.155.19.205:443
187.163.139.200:993
Signatures
-
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
Processes:
svchost.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName svchost.exe -
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes:
8.bin.exe8.bin.exeijsethyt.exeijsethyt.exeexplorer.exe8.bin.exeijsethyt.exeijsethyt.exepid process 4864 8.bin.exe 4864 8.bin.exe 4928 8.bin.exe 4928 8.bin.exe 4928 8.bin.exe 4928 8.bin.exe 1728 ijsethyt.exe 1728 ijsethyt.exe 1340 ijsethyt.exe 1340 ijsethyt.exe 1340 ijsethyt.exe 1340 ijsethyt.exe 64 explorer.exe 64 explorer.exe 64 explorer.exe 64 explorer.exe 796 8.bin.exe 796 8.bin.exe 1020 ijsethyt.exe 1020 ijsethyt.exe 68 ijsethyt.exe 68 ijsethyt.exe 68 ijsethyt.exe 68 ijsethyt.exe -
Executes dropped EXE 4 IoCs
Processes:
ijsethyt.exeijsethyt.exeijsethyt.exeijsethyt.exepid process 1728 ijsethyt.exe 1340 ijsethyt.exe 1020 ijsethyt.exe 68 ijsethyt.exe -
Modifies service 2 TTPs 5 IoCs
Processes:
svchost.exesvchost.exesvchost.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Epoch2 svchost.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\BITS Writer svchost.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Epoch svchost.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BITS\Performance svchost.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Epoch svchost.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Processes:
reg.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr = "0" reg.exe -
Drops file in Windows directory 1 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Windows\Debug\ESE.TXT svchost.exe -
Turns off Windows Defender SpyNet reporting 6 IoCs
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent = "2" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" reg.exe -
Modifies data under HKEY_USERS 9 IoCs
Processes:
8.bin.exesvchost.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" 8.bin.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" 8.bin.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\15\52C64B7E svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" 8.bin.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ 8.bin.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" 8.bin.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
ijsethyt.exepid process 1728 ijsethyt.exe -
Checks SCSI registry key(s) 3 TTPs 18 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
ijsethyt.exe8.bin.exeijsethyt.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service ijsethyt.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service 8.bin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 8.bin.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc 8.bin.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service ijsethyt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 ijsethyt.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service ijsethyt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 8.bin.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service 8.bin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 ijsethyt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 ijsethyt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 ijsethyt.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc 8.bin.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc ijsethyt.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc ijsethyt.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc ijsethyt.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service ijsethyt.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc ijsethyt.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Processes:
reg.exesvchost.exereg.exereg.exereg.exereg.exereg.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol svchost.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1" svchost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0" svchost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring svchost.exe -
Adds Run entry to start application 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Windows\CurrentVersion\Run\ylnws = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Onjpsefhpr\\ijsethyt.exe\"" explorer.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
svchost.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System svchost.exe -
Suspicious use of WriteProcessMemory 46 IoCs
Processes:
8.bin.exeSppExtComObj.exeijsethyt.exe8.bin.exeijsethyt.exedescription pid process target process PID 4864 wrote to memory of 4928 4864 8.bin.exe 8.bin.exe PID 4864 wrote to memory of 4928 4864 8.bin.exe 8.bin.exe PID 4864 wrote to memory of 4928 4864 8.bin.exe 8.bin.exe PID 5040 wrote to memory of 5072 5040 SppExtComObj.exe SLUI.exe PID 5040 wrote to memory of 5072 5040 SppExtComObj.exe SLUI.exe PID 4864 wrote to memory of 1728 4864 8.bin.exe ijsethyt.exe PID 4864 wrote to memory of 1728 4864 8.bin.exe ijsethyt.exe PID 4864 wrote to memory of 1728 4864 8.bin.exe ijsethyt.exe PID 4864 wrote to memory of 364 4864 8.bin.exe schtasks.exe PID 4864 wrote to memory of 364 4864 8.bin.exe schtasks.exe PID 4864 wrote to memory of 364 4864 8.bin.exe schtasks.exe PID 1728 wrote to memory of 1340 1728 ijsethyt.exe ijsethyt.exe PID 1728 wrote to memory of 1340 1728 ijsethyt.exe ijsethyt.exe PID 1728 wrote to memory of 1340 1728 ijsethyt.exe ijsethyt.exe PID 1728 wrote to memory of 64 1728 ijsethyt.exe explorer.exe PID 1728 wrote to memory of 64 1728 ijsethyt.exe explorer.exe PID 1728 wrote to memory of 64 1728 ijsethyt.exe explorer.exe PID 1728 wrote to memory of 64 1728 ijsethyt.exe explorer.exe PID 796 wrote to memory of 720 796 8.bin.exe reg.exe PID 796 wrote to memory of 720 796 8.bin.exe reg.exe PID 796 wrote to memory of 5028 796 8.bin.exe reg.exe PID 796 wrote to memory of 5028 796 8.bin.exe reg.exe PID 796 wrote to memory of 3528 796 8.bin.exe reg.exe PID 796 wrote to memory of 3528 796 8.bin.exe reg.exe PID 796 wrote to memory of 1972 796 8.bin.exe reg.exe PID 796 wrote to memory of 1972 796 8.bin.exe reg.exe PID 796 wrote to memory of 5080 796 8.bin.exe reg.exe PID 796 wrote to memory of 5080 796 8.bin.exe reg.exe PID 796 wrote to memory of 3180 796 8.bin.exe reg.exe PID 796 wrote to memory of 3180 796 8.bin.exe reg.exe PID 796 wrote to memory of 4880 796 8.bin.exe reg.exe PID 796 wrote to memory of 4880 796 8.bin.exe reg.exe PID 796 wrote to memory of 4232 796 8.bin.exe reg.exe PID 796 wrote to memory of 4232 796 8.bin.exe reg.exe PID 796 wrote to memory of 4260 796 8.bin.exe reg.exe PID 796 wrote to memory of 4260 796 8.bin.exe reg.exe PID 796 wrote to memory of 1020 796 8.bin.exe ijsethyt.exe PID 796 wrote to memory of 1020 796 8.bin.exe ijsethyt.exe PID 796 wrote to memory of 1020 796 8.bin.exe ijsethyt.exe PID 796 wrote to memory of 3568 796 8.bin.exe cmd.exe PID 796 wrote to memory of 3568 796 8.bin.exe cmd.exe PID 796 wrote to memory of 3512 796 8.bin.exe schtasks.exe PID 796 wrote to memory of 3512 796 8.bin.exe schtasks.exe PID 1020 wrote to memory of 68 1020 ijsethyt.exe ijsethyt.exe PID 1020 wrote to memory of 68 1020 ijsethyt.exe ijsethyt.exe PID 1020 wrote to memory of 68 1020 ijsethyt.exe ijsethyt.exe -
Processes:
svchost.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA svchost.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\8.bin.exe"C:\Users\Admin\AppData\Local\Temp\8.bin.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8.bin.exeC:\Users\Admin\AppData\Local\Temp\8.bin.exe /C2⤵
- Suspicious behavior: EnumeratesProcesses
- Checks SCSI registry key(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exeC:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exeC:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe /C3⤵
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Suspicious behavior: EnumeratesProcesses
- Adds Run entry to start application
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn jncrkib /tr "\"C:\Users\Admin\AppData\Local\Temp\8.bin.exe\" /I jncrkib" /SC ONCE /Z /ST 11:29 /ET 11:412⤵
- Creates scheduled task(s)
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\SLUI.exe"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent2⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Modifies service
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵
- Modifies service
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DoSvc1⤵
- Checks system information in the registry
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc1⤵
- Modifies service
- Windows security modification
- System policy modification
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\8.bin.exeC:\Users\Admin\AppData\Local\Temp\8.bin.exe /I jncrkib1⤵
- Suspicious behavior: EnumeratesProcesses
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"2⤵
- Turns off Windows Defender SpyNet reporting
- Windows security modification
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"2⤵
- Turns off Windows Defender SpyNet reporting
- Windows security modification
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"2⤵
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"2⤵
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"2⤵
- Turns off Windows Defender SpyNet reporting
- Windows security modification
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"2⤵
- Turns off Windows Defender SpyNet reporting
- Windows security modification
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"2⤵
- Turns off Windows Defender SpyNet reporting
- Windows security modification
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"2⤵
- Turns off Windows Defender SpyNet reporting
- Windows security modification
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr" /d "0"2⤵
- Windows security bypass
-
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exeC:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exeC:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe /C3⤵
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\8.bin.exe"2⤵
-
C:\Windows\system32\PING.EXEping.exe -n 6 127.0.0.13⤵
- Runs ping.exe
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /DELETE /F /TN jncrkib2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.dat
-
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
-
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
-
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
-
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
-
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
-
memory/68-20-0x0000000002BF0000-0x0000000002BF1000-memory.dmpFilesize
4KB
-
memory/1340-4-0x0000000002BF0000-0x0000000002BF1000-memory.dmpFilesize
4KB
-
memory/1728-5-0x0000000002BC0000-0x0000000002C52000-memory.dmpFilesize
584KB
-
memory/4928-0-0x0000000002C30000-0x0000000002C31000-memory.dmpFilesize
4KB