Overview

overview

10

task1

 

10

task2

 

10

Analysis

  • max time kernel
    141s
  • max time network
    149s
  • resource
    win10v191014

Sharing

Copy URL
Twitter E-mail

General

  • Target

    9.bin

  • Sample

    191111-hb6qpeaars

  • SHA256

    6b88260f4c4da4651a82bb62761cd23ee9ad6662a2a0abbec017e7193668397b

Score
N/A

Malware Config

Extracted

Family

qakbot

Campaign

1573198674

C2

173.3.132.17:995

75.131.72.82:443

68.238.144.55:443

100.4.185.8:443

80.14.209.42:2222

24.253.109.46:443

5.182.39.156:443

201.188.17.26:443

23.240.185.215:443

69.92.54.95:995

68.131.9.203:443

187.163.139.200:993

75.81.25.223:995

24.201.68.105:2078

32.208.1.239:443

170.10.78.48:443

74.194.4.181:443

71.30.56.170:443

174.16.234.171:993

47.153.115.154:443

Signatures

  • Drops file in system dir 5 IoCs
  • Windows security modification 2 TTPs 8 IoCs
    evasiontrojan
  • Qakbot persistence 1 IoCs
    trojan
  • Uses Task Scheduler COM API 1 TTPs 14 IoCs
    persistence
  • Adds Run entry to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
    evasionspreading
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • Checks SCSI registry key(s) (likely anti-VM) 3 TTPs 18 IoCs
  • qakbot family
    familyqakbot
  • Executes dropped EXE 4 IoCs
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\9.bin.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4924
  • C:\Users\Admin\AppData\Local\Temp\9.bin.exe
    C:\Users\Admin\AppData\Local\Temp\9.bin.exe /C
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Checks SCSI registry key(s) (likely anti-VM)
    PID:5020
  • C:\Windows\system32\SppExtComObj.exe
    C:\Windows\system32\SppExtComObj.exe -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5092
  • C:\Windows\System32\SLUI.exe
    "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
    1⤵
      PID:4196
    • C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
      1⤵
      • Suspicious behavior: MapViewOfSection
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      • Executes dropped EXE
      PID:452
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn tctcvismel /tr "\"C:\Users\Admin\AppData\Local\Temp\9.bin.exe\" /I tctcvismel" /SC ONCE /Z /ST 11:29 /ET 11:41
      1⤵
        PID:2108
      • C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe /C
        1⤵
        • Suspicious behavior: EnumeratesProcesses
        • Checks SCSI registry key(s) (likely anti-VM)
        • Executes dropped EXE
        PID:4292
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        1⤵
        • Qakbot persistence
        • Adds Run entry to start application
        • Suspicious behavior: EnumeratesProcesses
        PID:4360
      • \??\c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s BITS
        1⤵
        • Drops file in system dir
        PID:3080
      • C:\Users\Admin\AppData\Local\Temp\9.bin.exe
        C:\Users\Admin\AppData\Local\Temp\9.bin.exe /I tctcvismel
        1⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4612
      • \??\c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
        1⤵
          PID:4580
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
          1⤵
          • Windows security modification
          PID:4644
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
          1⤵
          • Windows security modification
          PID:4348
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
          1⤵
            PID:4320
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
            1⤵
              PID:4276
            • C:\Windows\system32\reg.exe
              C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
              1⤵
              • Windows security modification
              PID:4188
            • C:\Windows\system32\reg.exe
              C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
              1⤵
              • Windows security modification
              PID:4116
            • C:\Windows\system32\reg.exe
              C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
              1⤵
              • Windows security modification
              PID:3716
            • C:\Windows\system32\reg.exe
              C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
              1⤵
              • Windows security modification
              PID:4132
            • C:\Windows\system32\reg.exe
              C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr" /d "0"
              1⤵
              • Windows security bypass
              PID:3828
            • C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
              C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
              1⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              • Executes dropped EXE
              PID:4128
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\9.bin.exe"
              1⤵
                PID:2592
              • C:\Windows\system32\schtasks.exe
                "C:\Windows\system32\schtasks.exe" /DELETE /F /TN tctcvismel
                1⤵
                • Uses Task Scheduler COM API
                PID:2604
              • C:\Windows\system32\PING.EXE
                ping.exe -n 6 127.0.0.1
                1⤵
                • Runs ping.exe
                PID:4836
              • C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
                C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe /C
                1⤵
                • Suspicious behavior: EnumeratesProcesses
                • Checks SCSI registry key(s) (likely anti-VM)
                • Executes dropped EXE
                PID:4828
              • \??\c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
                1⤵
                • Checks system information in the registry (likely anti-VM)
                PID:4108
              • \??\c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
                1⤵
                • Windows security modification
                PID:1804
              • \??\c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k unistacksvcgroup
                1⤵
                  PID:520

                Network

                MITRE ATT&CK Enterprise v15

                MITRE ATT&CK Additional techniques

                • T1089
                • T1060

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.dat
                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
                  Download Submit

                • memory/452-5-0x00000000023F0000-0x0000000002482000-memory.dmp

                  Filesize

                  584KB

                  Download

                • memory/4292-4-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4828-20-0x0000000002C00000-0x0000000002C01000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/5020-0-0x0000000002C30000-0x0000000002C31000-memory.dmp

                  Filesize

                  4KB

                  Download