Analysis

  • max time kernel
    146s
  • max time network
    128s
  • resource
    win7v191014

General

  • Target

    jphxaul.exe

  • Sample

    191111-jzlt6rkwlj

  • SHA256

    e736cf964b998e582fd2c191a0c9865814b632a315435f80798dd2a239a5e5f5

Score
N/A

Malware Config

Extracted

Family

qakbot

Botnet

spx22

Campaign

1571043018

C2


Signatures

  • Executes dropped EXE 4 IoCs
  • Adds Run entry to start application 2 TTPs 1 IoCs
  • Windows security modification 2 TTPs 6 IoCs
  • qakbot family
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Uses Task Scheduler COM API 1 TTPs 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Windows security bypass 2 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\jphxaul.exe
    "C:\Users\Admin\AppData\Local\Temp\jphxaul.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • Loads dropped DLL
    PID:604
  • C:\Users\Admin\AppData\Local\Temp\jphxaul.exe
    C:\Users\Admin\AppData\Local\Temp\jphxaul.exe /C
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1336
  • C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: MapViewOfSection
    PID:1056
  • C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe /C
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    PID:1992
  • C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ybkwvyp /tr "\"C:\Users\Admin\AppData\Local\Temp\jphxaul.exe\" /I ybkwvyp" /SC ONCE /Z /ST 12:04 /ET 12:16
    1⤵
      PID:1984
    • C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      1⤵
      • Adds Run entry to start application
      • Suspicious behavior: EnumeratesProcesses
      PID:2028
    • C:\Windows\system32\conhost.exe
      \??\C:\Windows\system32\conhost.exe "-157650051713137425221453828682-563269393-1814647841-3748403121025691665-1290155868"
      1⤵
        PID:2044
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {1AE7CC52-16E2-435F-8AA8-A4B4DB0A0554} S-1-5-18:NT AUTHORITY\System:Service:
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1876
      • C:\Users\Admin\AppData\Local\Temp\jphxaul.exe
        C:\Users\Admin\AppData\Local\Temp\jphxaul.exe /I ybkwvyp
        1⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1012
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        1⤵
        • Windows security modification
        PID:628
      • C:\Windows\system32\conhost.exe
        \??\C:\Windows\system32\conhost.exe "1892214418734038116676880603-2137211342-308514979182202094-461706840-1487895787"
        1⤵
          PID:612
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
          1⤵
          • Windows security modification
          PID:1768
        • C:\Windows\system32\conhost.exe
          \??\C:\Windows\system32\conhost.exe "-1846539307698988202-238783652153604435811161975561485628372-419960300-1081086740"
          1⤵
            PID:1140
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
            1⤵
              PID:1612
            • C:\Windows\system32\conhost.exe
              \??\C:\Windows\system32\conhost.exe "2126700597-602023511128598347849220666273907675-328767046396593165-326507657"
              1⤵
                PID:560
              • C:\Windows\system32\reg.exe
                C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
                1⤵
                  PID:1108
                • C:\Windows\system32\conhost.exe
                  \??\C:\Windows\system32\conhost.exe "-606524404-181378488530644363952042838812760679151749668165-18039188781780139046"
                  1⤵
                    PID:1620
                  • C:\Windows\system32\reg.exe
                    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
                    1⤵
                    • Windows security modification
                    PID:1676
                  • C:\Windows\system32\conhost.exe
                    \??\C:\Windows\system32\conhost.exe "799598720-4585887122113176603-37574688818585980171283037461-1302307596-1461329481"
                    1⤵
                      PID:2036
                    • C:\Windows\system32\reg.exe
                      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
                      1⤵
                      • Windows security modification
                      PID:1976
                    • C:\Windows\system32\conhost.exe
                      \??\C:\Windows\system32\conhost.exe "1983942131-374682485-46233501511305139828282098101893507780815200459-939955542"
                      1⤵
                        PID:544
                      • C:\Windows\system32\reg.exe
                        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
                        1⤵
                        • Windows security modification
                        PID:1900
                      • C:\Windows\system32\conhost.exe
                        \??\C:\Windows\system32\conhost.exe "-1791600109-7803021491146773662-1161290176-161497089574223498112537878141249239330"
                        1⤵
                          PID:1884
                        • C:\Windows\system32\reg.exe
                          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
                          1⤵
                          • Windows security modification
                          PID:1500
                        • C:\Windows\system32\conhost.exe
                          \??\C:\Windows\system32\conhost.exe "-1089751983-525903941-249769264-168215960-435520847157815833714707576351568596061"
                          1⤵
                            PID:1176
                          • C:\Windows\system32\reg.exe
                            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg" /d "0"
                            1⤵
                            • Windows security bypass
                            PID:272
                          • C:\Windows\system32\conhost.exe
                            \??\C:\Windows\system32\conhost.exe "-360807716-11146400941947254962-1483829431233470080-1161846694-864639113-1948200342"
                            1⤵
                              PID:680
                            • C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
                              C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
                              1⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of WriteProcessMemory
                              PID:1416
                            • C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
                              C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe /C
                              1⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              PID:1188
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\jphxaul.exe"
                              1⤵
                                PID:676
                              • C:\Windows\system32\schtasks.exe
                                "C:\Windows\system32\schtasks.exe" /DELETE /F /TN ybkwvyp
                                1⤵
                                • Uses Task Scheduler COM API
                                PID:452
                              • C:\Windows\system32\conhost.exe
                                \??\C:\Windows\system32\conhost.exe "-1423582248-20683251921505893686-1893163185701489153-660625641-113038603712220540"
                                1⤵
                                  PID:1324
                                • C:\Windows\system32\conhost.exe
                                  \??\C:\Windows\system32\conhost.exe "756413891761225442-19044948953447337471732737356755198706-428919612-1025494924"
                                  1⤵
                                  • Suspicious use of SetWindowsHookEx
                                  PID:1480
                                • C:\Windows\system32\PING.EXE
                                  ping.exe -n 6 127.0.0.1
                                  1⤵
                                  • Runs ping.exe
                                  PID:1136

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Additional techniques

  • T1060
  • T1089
Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.dat
  • C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
  • \Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
  • memory/1056-5-0x0000000001FB0000-0x0000000002042000-memory.dmp (Filesize: 584KB)
  • memory/1188-9-0x00000000024C0000-0x00000000024D1000-memory.dmp (Filesize: 68KB)
  • memory/1336-0-0x0000000002430000-0x0000000002441000-memory.dmp (Filesize: 68KB)
  • memory/1992-4-0x00000000024A0000-0x00000000024B1000-memory.dmp (Filesize: 68KB)