Analysis
Max time kernel: 138s
Max time network: 121s
Resource: win7v191014

Task: task1
Sample: 9.bin.exe
Resource: win7v191014

General
Target: 9.bin
Sample: 191111-hb6qpeaars
SHA256: 6b88260f4c4da4651a82bb62761cd23ee9ad6662a2a0abbec017e7193668397b
Malware Config
Extracted
Family: qakbot
Campaign ID: 1573198674 (a Unix timestamp, 2019-11-08 07:37:54 UTC)
C2 endpoints (host:port), as extracted; 47.153.115.154:443 appears twice in the list:
173.3.132.17:995
75.131.72.82:443
68.238.144.55:443
100.4.185.8:443
80.14.209.42:2222
24.253.109.46:443
5.182.39.156:443
201.188.17.26:443
23.240.185.215:443
69.92.54.95:995
68.131.9.203:443
187.163.139.200:993
75.81.25.223:995
24.201.68.105:2078
32.208.1.239:443
170.10.78.48:443
74.194.4.181:443
71.30.56.170:443
174.16.234.171:993
47.153.115.154:443
75.175.209.163:995
68.238.56.27:443
173.22.120.11:2222
184.180.157.203:2222
24.203.64.26:2222
99.228.5.106:443
47.153.115.154:995
64.19.74.29:995
104.3.91.20:995
72.214.25.227:995
73.37.61.237:443
76.181.237.223:443
107.12.140.181:443
67.5.33.229:2078
50.246.229.50:443
67.246.16.250:995
75.130.117.134:443
75.110.250.89:443
173.91.254.236:443
50.78.93.74:995
197.89.78.71:995
5.89.115.73:2222
47.23.101.26:993
12.5.37.3:995
24.30.71.200:443
72.29.181.77:2078
71.93.60.90:443
72.46.151.196:995
173.233.182.249:443
67.10.18.112:993
98.148.177.77:443
184.74.101.234:995
172.78.45.13:995
181.14.188.8:443
168.245.228.71:443
186.47.208.238:50000
96.244.38.23:443
74.134.35.54:443
105.246.79.153:995
70.74.159.126:2222
172.250.91.246:443
47.202.98.230:443
47.214.144.253:443
70.187.124.135:443
186.109.159.172:443
75.142.59.167:443
107.12.131.249:443
96.35.170.82:2222
65.16.241.150:443
107.184.252.92:443
47.155.19.205:443
98.155.154.220:443
69.170.237.82:995
75.110.90.155:443
75.165.181.122:443
166.62.180.194:2078
62.103.70.217:995
108.45.183.59:443
83.79.2.218:2222
47.153.115.154:443
108.5.34.128:443
76.116.128.81:443
185.219.83.73:443
76.169.19.193:443
104.235.94.7:443
65.30.12.240:443
76.80.66.226:443
111.125.70.30:2222
181.197.195.138:995
2.177.101.143:443
24.196.158.28:443
123.252.128.47:443
199.126.92.231:995
173.178.129.3:990
12.5.37.3:443
184.191.62.78:443
71.77.231.251:443
12.176.32.146:443
72.16.212.107:995
108.227.161.27:443
205.250.79.62:443
201.152.218.64:995
73.226.220.56:443
181.126.80.118:443
108.160.123.244:443
67.214.201.117:2222
173.247.186.90:443
50.247.230.33:443
104.32.185.213:2222
68.174.15.223:443
96.59.11.86:443
174.131.181.120:995
207.162.184.228:443
173.178.129.3:443
47.23.101.26:465
206.51.202.106:50002
75.131.72.82:995
174.48.72.160:443
70.120.151.69:443
47.146.169.85:443
24.184.6.58:2222
24.93.168.38:443
75.70.218.193:443
162.244.225.30:443
106.51.0.228:443
174.130.203.235:443
67.200.146.98:2222
109.169.204.115:21
162.244.224.166:443
104.34.122.18:443
72.29.181.77:2083
112.171.126.153:443
75.131.72.82:2087
73.195.20.237:443
66.214.75.176:443
137.25.72.175:443
24.180.7.155:443
67.160.63.127:443
24.203.221.252:2222
73.209.113.58:443
74.78.77.189:443
71.57.230.51:50000
75.165.132.69:443
200.104.40.85:443
97.84.226.90:443
73.137.187.150:443
75.165.162.33:443
74.134.4.236:443
1.172.91.243:443
181.47.60.21:995
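The list above is only useful once it is turned into something a sensor can consume. The following script is an added example, not part of the sandbox report: it parses host:port entries in the format printed above (a constructed subset is embedded so it runs offline), skips malformed lines, removes exact repeats, tallies endpoints per port, decodes the campaign ID as a Unix timestamp and emits one Suricata rule per endpoint. The sid range is an assumption for local rules; choose one that does not collide with your ruleset.

```python
"""Turn the extracted Qakbot configuration into usable indicators.

Added example, not part of the sandbox report. C2_TEXT is a constructed
subset of the report's C2 list; the sid base for Suricata is an assumption.
"""
import ipaddress
from collections import Counter
from datetime import datetime, timezone

# Constructed subset of the report's C2 list. 47.153.115.154:443 is listed
# twice in the report and is kept twice here to exercise de-duplication;
# the last line is a deliberately malformed entry.
C2_TEXT = """\
173.3.132.17:995
75.131.72.82:443
80.14.209.42:2222
47.153.115.154:443
47.153.115.154:995
109.169.204.115:21
186.47.208.238:50000
47.153.115.154:443
not-an-ip:443
"""
CAMPAIGN_ID = 1573198674  # the "1573198674" value from the Extracted config


def campaign_timestamp(campaign_id: int) -> str:
    """The campaign value is Unix epoch seconds; render it as UTC."""
    return datetime.fromtimestamp(campaign_id, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def parse_c2(text: str) -> list[tuple[str, int]]:
    """Parse host:port lines, skipping malformed ones rather than aborting."""
    endpoints = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        host, _, port = line.rpartition(":")
        try:
            ip = ipaddress.ip_address(host)
            port_n = int(port)
            if not 0 < port_n < 65536:
                raise ValueError(port)
        except ValueError:
            print(f"line {lineno}: skipping malformed entry {line!r}")
            continue
        endpoints.append((str(ip), port_n))
    return endpoints


def dedupe(endpoints):
    """Remove exact repeats while keeping first-seen order."""
    seen, out = set(), []
    for ep in endpoints:
        if ep not in seen:
            seen.add(ep)
            out.append(ep)
    return out


def port_histogram(endpoints) -> dict[int, int]:
    """Count endpoints per port (the report mixes 443/995/2222 with 21, 465, 990, 50000)."""
    return dict(Counter(port for _, port in endpoints))


def suricata_rules(endpoints, sid_base: int = 9000001) -> list[str]:
    """One alert per endpoint on outbound TCP; sid_base is an assumed local range."""
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} (msg:"Qakbot C2 {ip}:{port}"; '
        f"sid:{sid_base + i}; rev:1;)"
        for i, (ip, port) in enumerate(endpoints)
    ]


if __name__ == "__main__":
    eps = dedupe(parse_c2(C2_TEXT))
    print("campaign:", campaign_timestamp(CAMPAIGN_ID))
    print("ports:", port_histogram(eps))
    print("\n".join(suricata_rules(eps)))
```

Endpoints in lists like this are mostly infected residential hosts acting as proxies, so treat the rules as short-lived and re-extract on every new sample rather than blocking the addresses permanently.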
Signatures

Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
- PID 988 vanqawu.exe

Windows security modification (6 IoCs)
(The signature name is missing from the extracted table; it is the label the process tree attaches to these six reg.exe instances.)
Processes: reg.exe, Set value (int)
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting = "0" (PID 1304)
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent = "2" (PID 2016)
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SpyNetReporting = "0" (PID 944)
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent = "2" (PID 516)
- \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" (PID 1004)
- \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2" (PID 1620)
SpyNetReporting = 0 disables cloud (MAPS/SpyNet) reporting and SubmitSamplesConsent = 2 means "never send samples": Defender keeps running locally but stops reporting the infection or uploading the binary. The same values are written under the Microsoft AntiMalware, Windows Defender and Wow6432Node paths so that whichever product key is in use is covered.

Windows security bypass (1 IoC)
(Label taken from the process tree entry for PID 1640.)
Processes: reg.exe, Set value (int)
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg = "0" (PID 1640)
This excludes the directory holding the dropped vanqawu.exe from Defender scanning.

Uses Task Scheduler COM API (1 TTP, 12 IoCs)
Processes: schtasks.exe PID 1648. All twelve operations are lookups of the Task Scheduler COM class under \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID; {CLSID} below stands for {0F87369F-A4E5-4CFC-BD3E-73E6154572DD}:
- Key opened {CLSID}
- Key queried {CLSID}
- Key opened {CLSID}\TreatAs
- Key opened {CLSID}\Progid
- Key value queried {CLSID}\ProgID\ (default value)
- Key value queried {CLSID}\ (default value)
- Key opened {CLSID}\InprocServer32
- Key value queried {CLSID}\InprocServer32\InprocServer32
- Key value queried {CLSID}\InprocServer32\ (default value)
- Key value queried {CLSID}\InprocServer32\ThreadingModel
- Key opened {CLSID}\InprocHandler32
- Key opened {CLSID}\InprocHandler
These lookups are what any schtasks.exe invocation performs; the signal is the command line (see the process tree), which deletes the one-shot task the sample created a few minutes earlier.

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
- PID 1680 conhost.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
- PID 1068 9.bin.exe
- PID 1368 9.bin.exe
- PID 988 vanqawu.exe
- PID 1000 vanqawu.exe
- PID 1744 explorer.exe
- PID 984 9.bin.exe
- PID 1704 vanqawu.exe
- PID 1536 vanqawu.exe

Suspicious use of WriteProcessMemory (19 IoCs)
Each entry reads "source PID wrote to memory of target PID":
- 1068 9.bin.exe -> 1368 9.bin.exe
- 1068 9.bin.exe -> 988 vanqawu.exe
- 988 vanqawu.exe -> 1000 vanqawu.exe
- 1068 9.bin.exe -> 836 schtasks.exe
- 988 vanqawu.exe -> 1744 explorer.exe
- 1856 taskeng.exe -> 984 9.bin.exe
- 984 9.bin.exe -> 1304 reg.exe
- 984 9.bin.exe -> 2016 reg.exe
- 984 9.bin.exe -> 1824 reg.exe
- 984 9.bin.exe -> 1488 reg.exe
- 984 9.bin.exe -> 944 reg.exe
- 984 9.bin.exe -> 516 reg.exe
- 984 9.bin.exe -> 1004 reg.exe
- 984 9.bin.exe -> 1620 reg.exe
- 984 9.bin.exe -> 1640 reg.exe
- 984 9.bin.exe -> 1704 vanqawu.exe
- 1704 vanqawu.exe -> 1536 vanqawu.exe
- 984 9.bin.exe -> 108 cmd.exe
- 984 9.bin.exe -> 1648 schtasks.exe
Every entry is a parent writing into a child it has just created, which CreateProcess does routinely, so on its own this list mostly documents the process tree. The one that matters is 988 vanqawu.exe -> 1744 explorer.exe: combined with the MapViewOfSection IoC on PID 988 and the fact that explorer.exe, not the dropper, then writes the Run value, it indicates that vanqawu.exe injected into explorer.exe.

Loads dropped DLL (2 IoCs)
Processes:
- PID 1068 9.bin.exe
- PID 984 9.bin.exe

Executes dropped EXE (4 IoCs)
Processes:
- PID 988 vanqawu.exe
- PID 1000 vanqawu.exe
- PID 1704 vanqawu.exe
- PID 1536 vanqawu.exe

Adds Run entry to start application (2 TTPs, 1 IoC)
Processes: explorer.exe, Set value (str)
- \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Windows\CurrentVersion\Run\ivqgpzton = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Igniwjmeevrg\\vanqawu.exe\"" (PID 1744)
The value lives in the Admin user's hive (HKU\S-1-5-21-...-1000) and points at the dropped copy, so the persistence survives the self-overwrite of the original file described in the process tree.
Processes

Parent PIDs in parentheses are taken from the WriteProcessMemory table above (a parent writes the new child's memory during process creation, so those entries double as parent/child links); conhost.exe instances are console hosts for the command-line tools and have no parent recorded here. PIDs are reused within this run: 1068 and 1488 each appear for two different processes, so correlate on PID plus start time or process GUID rather than on PID alone.

C:\Users\Admin\AppData\Local\Temp\9.bin.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\9.bin.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
PID: 1068 (submitted sample)

C:\Users\Admin\AppData\Local\Temp\9.bin.exe
Command line: C:\Users\Admin\AppData\Local\Temp\9.bin.exe /C
- Suspicious behavior: EnumeratesProcesses
PID: 1368 (parent 1068)

C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID: 988 (parent 1068; dropped copy of the sample under AppData\Roaming)

C:\Windows\SysWOW64\schtasks.exe
Command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn msyrrgcgw /tr "\"C:\Users\Admin\AppData\Local\Temp\9.bin.exe\" /I msyrrgcgw" /SC ONCE /Z /ST 11:29 /ET 11:41
PID: 836 (parent 1068). A one-shot task (/SC ONCE; /Z marks it for deletion after its final run) that re-launches the sample as SYSTEM with the /I switch. Creating a task with /RU "NT AUTHORITY\SYSTEM" only works because the sandbox user is an administrator.

C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe /C
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
PID: 1000 (parent 988)

C:\Windows\system32\conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe "322372338-141076211-1503080421-146637913-1448740906-34692126-16420535131527021419"
PID: 1488

C:\Windows\SysWOW64\explorer.exe
Command line: C:\Windows\SysWOW64\explorer.exe
- Suspicious behavior: EnumeratesProcesses
- Adds Run entry to start application
PID: 1744 (parent 988). A 32-bit explorer.exe started by the dropped binary; it is the process that writes the Run value, consistent with the MapViewOfSection and WriteProcessMemory IoCs on PID 988 (injection into explorer.exe).

C:\Windows\system32\taskeng.exe
Command line: taskeng.exe {E0912928-CD26-439B-8A6F-3644D19A69A1} S-1-5-18:NT AUTHORITY\System:Service:
- Suspicious use of WriteProcessMemory
PID: 1856 (task engine running as SYSTEM, S-1-5-18; it starts the scheduled task msyrrgcgw)

C:\Users\Admin\AppData\Local\Temp\9.bin.exe
Command line: C:\Users\Admin\AppData\Local\Temp\9.bin.exe /I msyrrgcgw
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
PID: 984 (parent 1856). Runs as SYSTEM and is the instance that performs the Defender tampering, the second launch of the dropped copy, the task cleanup and the self-overwrite below.

C:\Windows\system32\reg.exe
Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
- Windows security modification
PID: 1304 (parent 984)

C:\Windows\system32\conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe "159784847215302478901444747921-8759441932107997832-15426954249808815181694801680"
PID: 1068 (reused PID; the first 9.bin.exe instance has exited by this point)

C:\Windows\system32\reg.exe
Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
- Windows security modification
PID: 2016 (parent 984)

C:\Windows\system32\conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe "-1824081671-480084155-2457461851158208955-276904902-688095400680972078-874157041"
PID: 1168

C:\Windows\system32\reg.exe
Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
PID: 1824 (parent 984; not flagged by the Windows security modification signature)

C:\Windows\system32\conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe "-166333336818133165711028591587-144885423-2039616236-3374075-2138482729-1775090754"
PID: 772

C:\Windows\system32\reg.exe
Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
PID: 1488 (parent 984; reused PID, see the earlier conhost.exe; not flagged by the Windows security modification signature)

C:\Windows\system32\conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe "-786887709-10773463571798620607-893976037-113987458-1456132681749324291651796796"
PID: 292

C:\Windows\system32\reg.exe
Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
- Windows security modification
PID: 944 (parent 984)

C:\Windows\system32\conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe "-720873196-1074168279-2102534170310131711-1428837361-424657572677407915-2078332666"
PID: 1360

C:\Windows\system32\reg.exe
Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
- Windows security modification
PID: 516 (parent 984)

C:\Windows\system32\conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe "634585357-1319880307-276155433-1355494435129431958-770482322596249574-466662250"
PID: 268

C:\Windows\system32\reg.exe
Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
- Windows security modification
PID: 1004 (parent 984)

C:\Windows\system32\conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe "-291618475-112054480515916984412019425356-200256315286524012012616147841579890489"
PID: 1372

C:\Windows\system32\reg.exe
Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
- Windows security modification
PID: 1620 (parent 984)

C:\Windows\system32\conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe "18306002051093117597-17118754292004856311809297308-20619413191726755578614256822"
PID: 1700

C:\Windows\system32\reg.exe
Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg" /d "0"
- Windows security bypass
PID: 1640 (parent 984). Adds the drop directory as a Defender path exclusion; the value name is the excluded path, as the Exclusions\Paths key expects.

C:\Windows\system32\conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe "-349202552-1717288555-169992492730358363212989610571521637028-12655307131315409892"
PID: 1188

C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID: 1704 (parent 984)

C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe /C
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
PID: 1536 (parent 1704)

C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\9.bin.exe"
PID: 108 (parent 984). Waits about five seconds (six pings to loopback) so the original file is no longer locked, then overwrites the submitted dropper with a copy of calc.exe. Anyone who later collects 9.bin.exe from the Temp path gets a benign binary; the real payload is the copy in AppData\Roaming, so acquire that file, and the SHA256 above, rather than the original path.

C:\Windows\system32\conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe "-905387687962373636-533429285-1113650763-2000523073593542530-547280415-1711464369"
- Suspicious use of SetWindowsHookEx
PID: 1680

C:\Windows\system32\schtasks.exe
Command line: "C:\Windows\system32\schtasks.exe" /DELETE /F /TN msyrrgcgw
- Uses Task Scheduler COM API
PID: 1648 (parent 984). Removes the one-shot task now that it has fired.

C:\Windows\system32\conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe "442855206-209648769-482403907-331447856-1785606082165370316312782502492380409"
PID: 1664

C:\Windows\system32\PING.EXE
Command line: ping.exe -n 6 127.0.0.1
- Runs ping.exe
PID: 1568 (child of cmd.exe PID 108, per that command line)
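The Signatures and Processes sections together describe four host behaviours worth alerting on: reg.exe writes that silence Defender reporting or add an exclusion, a scheduled task created with /RU SYSTEM whose action lives in a user-writable directory, the ping-delayed "type calc.exe > dropper" self-overwrite, and a Run value pointing into AppData written by explorer.exe. The script below is an added example, not part of the sandbox report: it encodes those four checks as rules over Sysmon-style events (EventID 1 process creation, EventID 13 registry value set). The events are reconstructed from this report plus one constructed benign control; they are not captured telemetry, and the field names follow Sysmon's schema.

```python
"""Detection logic for the behaviours in the Signatures and Processes sections.

Added example, not part of the sandbox report. EVENTS are Sysmon-style records
(EventID 1 = process create, 13 = registry value set) reconstructed from the
report plus one constructed benign control; they are not captured telemetry.
"""
import re

EVENTS = [
    {"EventID": 1, "ProcessId": 836, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\9.bin.exe",
     "CommandLine": r'"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn msyrrgcgw '
                    r'/tr "\"C:\Users\Admin\AppData\Local\Temp\9.bin.exe\" /I msyrrgcgw" /SC ONCE /Z /ST 11:29 /ET 11:41'},
    {"EventID": 13, "ProcessId": 1304, "Image": r"C:\Windows\system32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "ProcessId": 1640, "Image": r"C:\Windows\system32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "ProcessId": 1744, "Image": r"C:\Windows\SysWOW64\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Windows\CurrentVersion\Run\ivqgpzton",
     "Details": r'"C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe"'},
    {"EventID": 1, "ProcessId": 108, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\9.bin.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & '
                    r'type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\9.bin.exe"'},
    # Constructed benign control: a daily task whose action lives in Program Files.
    {"EventID": 1, "ProcessId": 4242, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks.exe /Create /tn Backup /tr "C:\Program Files\Backup\run.exe" /SC DAILY /ST 02:00'},
]

USER_WRITABLE = re.compile(r"\\AppData\\|\\Temp\\|\\ProgramData\\", re.I)
DEFENDER_TAMPER = re.compile(
    r"\\(Windows Defender|Microsoft AntiMalware)\\"
    r"(SpyNet\\(SpyNetReporting|SubmitSamplesConsent)$|Exclusions\\(Paths|Processes|Extensions)\\)", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_defender_tamper(ev):
    """Registry writes that silence SpyNet/MAPS reporting or add a Defender exclusion."""
    if ev["EventID"] == 13 and DEFENDER_TAMPER.search(ev["TargetObject"]):
        return "defender_tamper"
    return None


def rule_scheduled_task(ev):
    """schtasks /Create whose action is in a user-writable directory; SYSTEM variant tagged separately."""
    if ev["EventID"] != 1 or basename(ev["Image"]) != "schtasks.exe":
        return None
    cl = ev["CommandLine"]
    if "/create" not in cl.lower() or not USER_WRITABLE.search(cl):
        return None
    as_system = re.search(r'/ru\s+"?nt authority\\system', cl, re.I)
    return "system_task_from_user_dir" if as_system else "task_from_user_dir"


def rule_self_overwrite(ev):
    """cmd.exe copying a binary over an .exe with 'type ... >'; 'self' when the
    target is the parent's own image and a ping sleep precedes it."""
    if ev["EventID"] != 1 or basename(ev["Image"]) != "cmd.exe":
        return None
    cl = ev["CommandLine"]
    m = re.search(r'\btype\s+"?[^">]+"?\s*>\s*"?([^"]+\.exe)"?', cl, re.I)
    if not m:
        return None
    delayed = re.search(r"\bping(\.exe)?\s+-n\s+\d+", cl, re.I) is not None
    if delayed and m.group(1).lower() == ev.get("ParentImage", "").lower():
        return "self_overwrite_after_delay"
    return "exe_overwrite_via_type"


def rule_run_key(ev):
    """Run/RunOnce value pointing into a user-writable directory (written by explorer.exe in the report)."""
    if ev["EventID"] == 13 and RUN_KEY.search(ev["TargetObject"]) and USER_WRITABLE.search(ev["Details"]):
        return "run_key_to_user_dir"
    return None


RULES = (rule_defender_tamper, rule_scheduled_task, rule_self_overwrite, rule_run_key)


def detect(events):
    """Return (rule_name, pid) for every event that trips a rule."""
    findings = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                findings.append((name, ev["ProcessId"]))
    return findings


if __name__ == "__main__":
    for name, pid in detect(EVENTS):
        print(f"{name:28} pid={pid}")
```

The Defender rule keys on the value path rather than on reg.exe, so it also catches the same writes made through PowerShell or direct registry APIs; the scheduled-task rule deliberately ignores the task name, which is random here, and keys on where the action lives and who it runs as.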
Network
MITRE ATT&CK Enterprise v15
(no techniques listed in this section)
MITRE ATT&CK Additional techniques
- T1089 Disabling Security Tools (retired ID; the current mapping is T1562.001 Impair Defenses: Disable or Modify Tools), covering the SpyNet and Exclusions\Paths writes by reg.exe
- T1060 Registry Run Keys / Startup Folder (retired ID; the current mapping is T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), covering the Run\ivqgpzton value written by explorer.exe