Analysis
-
max time kernel
146s -
max time network
128s -
resource
win7v191014
Task
task1
Sample
jphxaul.exe
Resource
win7v191014
General
-
Target
jphxaul.exe
-
Sample
191111-jzlt6rkwlj
-
SHA256
e736cf964b998e582fd2c191a0c9865814b632a315435f80798dd2a239a5e5f5
Malware Config
Extracted
qakbot
spx22
1571043018
98.186.90.192:995
2.50.170.151:443
74.194.4.181:443
70.74.159.126:2222
75.70.218.193:443
96.59.11.86:443
168.245.228.71:443
173.22.120.11:2222
71.77.231.251:443
24.184.6.58:2222
108.5.32.66:443
64.19.74.29:995
68.83.59.107:443
104.3.91.20:995
100.4.185.8:443
96.20.238.2:2087
99.228.242.183:995
206.255.212.179:443
50.247.230.33:443
108.55.23.221:443
105.246.79.97:995
172.78.185.176:443
47.23.101.26:993
68.238.56.27:443
72.213.98.233:443
74.88.112.250:2222
174.16.234.171:993
173.161.148.169:995
50.78.93.74:995
111.125.70.30:2222
47.202.98.230:443
222.195.69.36:2078
217.162.149.212:443
47.23.101.26:465
98.186.155.8:443
70.183.177.71:443
96.20.238.2:2222
69.119.185.172:995
104.152.16.45:995
199.126.92.231:995
174.82.131.155:995
96.20.238.2:2083
24.180.7.155:443
187.202.57.9:995
67.214.8.102:443
123.252.128.47:443
108.160.123.244:443
66.214.75.176:443
96.20.238.2:61201
79.106.13.119:995
176.205.62.156:443
64.20.68.35:2083
76.80.66.226:443
181.90.124.162:443
96.22.239.27:2222
96.20.238.2:2078
108.184.57.213:8443
173.178.129.3:443
12.5.37.3:443
75.69.3.12:443
70.169.2.228:21
207.179.194.91:443
67.10.18.112:993
184.191.62.78:443
72.29.181.77:2083
207.162.184.228:443
206.51.202.106:50002
75.131.72.82:2087
190.120.196.18:443
65.30.12.240:995
71.30.56.170:443
47.214.144.253:443
172.78.45.13:995
110.12.60.117:443
173.247.186.90:990
173.247.186.90:995
174.131.181.120:995
80.14.209.42:2222
76.181.237.223:443
50.246.229.50:443
78.94.55.26:50003
71.197.126.250:443
24.30.69.9:443
68.225.250.136:443
174.48.72.160:443
107.12.140.181:443
75.110.250.89:443
166.62.180.194:2078
173.247.186.90:22
108.45.183.59:443
98.165.206.64:443
62.103.70.217:995
12.176.32.146:443
47.153.115.154:443
68.174.15.223:443
71.93.60.90:443
76.116.128.81:443
162.244.224.166:443
181.126.80.118:443
184.74.101.234:995
75.131.72.82:995
47.146.169.85:443
47.153.115.154:995
75.81.25.223:995
193.154.185.19:995
173.247.186.90:993
172.250.91.246:443
196.194.84.165:2222
2.177.115.198:443
159.118.173.115:995
197.82.208.249:995
192.24.181.185:443
72.16.212.107:995
203.192.232.72:443
86.98.7.248:443
162.244.225.30:443
65.116.179.83:443
70.120.151.69:443
184.180.157.203:2222
104.32.185.213:2222
72.142.106.198:465
23.240.185.215:443
196.194.84.165:0
117.208.254.113:995
104.34.122.18:443
75.110.90.155:443
179.36.9.109:443
47.180.66.10:443
73.137.187.150:443
64.201.125.172:443
47.180.66.10:995
73.138.178.6:443
187.156.73.46:995
69.245.144.167:443
76.174.122.204:443
68.206.128.75:443
75.165.132.69:443
75.165.181.122:443
35.136.74.103:443
96.29.219.77:443
64.150.136.45:443
1.173.254.97:443
72.218.137.100:443
50.46.139.220:443
201.152.122.180:995
200.104.40.85:443
75.110.101.34:443
24.196.158.28:443
190.120.196.18:1194
201.188.97.244:443
Signatures
-
Executes dropped EXE 4 IoCs
Processes:
vanqawu.exevanqawu.exevanqawu.exevanqawu.exepid process 1056 vanqawu.exe 1992 vanqawu.exe 1416 vanqawu.exe 1188 vanqawu.exe -
Adds Run entry to start application 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc pid process Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Windows\CurrentVersion\Run\fourwrig = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Igniwjmeevrg\\vanqawu.exe\"" 2028 explorer.exe -
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exedescription ioc pid process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting = "0" 628 reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent = "2" 1768 reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SpyNetReporting = "0" 1676 reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent = "2" 1976 reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" 1900 reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2" 1500 reg.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
conhost.exepid process 1480 conhost.exe -
Uses Task Scheduler COM API 1 TTPs 12 IoCs
Processes:
schtasks.exedescription ioc pid process Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} 452 schtasks.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} 452 schtasks.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs 452 schtasks.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid 452 schtasks.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID\ 452 schtasks.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ 452 schtasks.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 452 schtasks.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\InprocServer32 452 schtasks.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ 452 schtasks.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ThreadingModel 452 schtasks.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32 452 schtasks.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler 452 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
jphxaul.exejphxaul.exevanqawu.exevanqawu.exeexplorer.exejphxaul.exevanqawu.exevanqawu.exepid process 604 jphxaul.exe 1336 jphxaul.exe 1056 vanqawu.exe 1992 vanqawu.exe 2028 explorer.exe 1012 jphxaul.exe 1416 vanqawu.exe 1188 vanqawu.exe -
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
jphxaul.exevanqawu.exetaskeng.exejphxaul.exevanqawu.exedescription pid process target process PID 604 wrote to memory of 1336 604 jphxaul.exe jphxaul.exe PID 604 wrote to memory of 1056 604 jphxaul.exe vanqawu.exe PID 1056 wrote to memory of 1992 1056 vanqawu.exe vanqawu.exe PID 604 wrote to memory of 1984 604 jphxaul.exe schtasks.exe PID 1056 wrote to memory of 2028 1056 vanqawu.exe explorer.exe PID 1876 wrote to memory of 1012 1876 taskeng.exe jphxaul.exe PID 1012 wrote to memory of 628 1012 jphxaul.exe reg.exe PID 1012 wrote to memory of 1768 1012 jphxaul.exe reg.exe PID 1012 wrote to memory of 1612 1012 jphxaul.exe reg.exe PID 1012 wrote to memory of 1108 1012 jphxaul.exe reg.exe PID 1012 wrote to memory of 1676 1012 jphxaul.exe reg.exe PID 1012 wrote to memory of 1976 1012 jphxaul.exe reg.exe PID 1012 wrote to memory of 1900 1012 jphxaul.exe reg.exe PID 1012 wrote to memory of 1500 1012 jphxaul.exe reg.exe PID 1012 wrote to memory of 272 1012 jphxaul.exe reg.exe PID 1012 wrote to memory of 1416 1012 jphxaul.exe vanqawu.exe PID 1416 wrote to memory of 1188 1416 vanqawu.exe vanqawu.exe PID 1012 wrote to memory of 676 1012 jphxaul.exe cmd.exe PID 1012 wrote to memory of 452 1012 jphxaul.exe schtasks.exe -
Loads dropped DLL 1 IoCs
Processes:
jphxaul.exepid process 604 jphxaul.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
vanqawu.exepid process 1056 vanqawu.exe -
Processes:
reg.exedescription ioc pid process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg = "0" 272 reg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\jphxaul.exe"C:\Users\Admin\AppData\Local\Temp\jphxaul.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
PID:604
-
C:\Users\Admin\AppData\Local\Temp\jphxaul.exeC:\Users\Admin\AppData\Local\Temp\jphxaul.exe /C1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1336
-
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exeC:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
PID:1056
-
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exeC:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe /C1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1992
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ybkwvyp /tr "\"C:\Users\Admin\AppData\Local\Temp\jphxaul.exe\" /I ybkwvyp" /SC ONCE /Z /ST 12:04 /ET 12:161⤵PID:1984
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Adds Run entry to start application
- Suspicious behavior: EnumeratesProcesses
PID:2028
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-157650051713137425221453828682-563269393-1814647841-3748403121025691665-1290155868"1⤵PID:2044
-
C:\Windows\system32\taskeng.exetaskeng.exe {1AE7CC52-16E2-435F-8AA8-A4B4DB0A0554} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
PID:1876
-
C:\Users\Admin\AppData\Local\Temp\jphxaul.exeC:\Users\Admin\AppData\Local\Temp\jphxaul.exe /I ybkwvyp1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1012
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"1⤵
- Windows security modification
PID:628
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1892214418734038116676880603-2137211342-308514979182202094-461706840-1487895787"1⤵PID:612
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"1⤵
- Windows security modification
PID:1768
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1846539307698988202-238783652153604435811161975561485628372-419960300-1081086740"1⤵PID:1140
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"1⤵PID:1612
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "2126700597-602023511128598347849220666273907675-328767046396593165-326507657"1⤵PID:560
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"1⤵PID:1108
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-606524404-181378488530644363952042838812760679151749668165-18039188781780139046"1⤵PID:1620
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"1⤵
- Windows security modification
PID:1676
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "799598720-4585887122113176603-37574688818585980171283037461-1302307596-1461329481"1⤵PID:2036
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"1⤵
- Windows security modification
PID:1976
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1983942131-374682485-46233501511305139828282098101893507780815200459-939955542"1⤵PID:544
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"1⤵
- Windows security modification
PID:1900
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1791600109-7803021491146773662-1161290176-161497089574223498112537878141249239330"1⤵PID:1884
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"1⤵
- Windows security modification
PID:1500
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1089751983-525903941-249769264-168215960-435520847157815833714707576351568596061"1⤵PID:1176
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg" /d "0"1⤵
- Windows security bypass
PID:272
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-360807716-11146400941947254962-1483829431233470080-1161846694-864639113-1948200342"1⤵PID:680
-
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exeC:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1416
-
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exeC:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe /C1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1188
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\jphxaul.exe"1⤵PID:676
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /DELETE /F /TN ybkwvyp1⤵
- Uses Task Scheduler COM API
PID:452
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1423582248-20683251921505893686-1893163185701489153-660625641-113038603712220540"1⤵PID:1324
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "756413891761225442-19044948953447337471732737356755198706-428919612-1025494924"1⤵
- Suspicious use of SetWindowsHookEx
PID:1480
-
C:\Windows\system32\PING.EXEping.exe -n 6 127.0.0.11⤵
- Runs ping.exe
PID:1136
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Additional techniques
- T1060
- T1089
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.dat
-
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
-
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
-
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
-
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
-
\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
-
memory/1056-5-0x0000000001FB0000-0x0000000002042000-memory.dmpFilesize
584KB
-
memory/1188-9-0x00000000024C0000-0x00000000024D1000-memory.dmpFilesize
68KB
-
memory/1336-0-0x0000000002430000-0x0000000002441000-memory.dmpFilesize
68KB
-
memory/1992-4-0x00000000024A0000-0x00000000024B1000-memory.dmpFilesize
68KB