Analysis

  • max time kernel
    143s
  • max time network
    152s
  • resource
    win10v191014

General

  • Target

    jphxaul.exe

  • Sample

    191111-jzlt6rkwlj

  • SHA256

    e736cf964b998e582fd2c191a0c9865814b632a315435f80798dd2a239a5e5f5

Score
N/A

Malware Config

Signatures

  • Suspicious use of WriteProcessMemory 20 IoCs
  • Executes dropped EXE 4 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Qakbot persistence 1 IoCs
  • Windows security bypass 2 TTPs 1 IoCs
  • Uses Task Scheduler COM API 1 TTPs 14 IoCs
  • qakbot family
  • Drops file in system dir 5 IoCs
  • Adds Run entry to start application 2 TTPs 1 IoCs
  • Checks SCSI registry key(s) (likely anti-VM) 3 TTPs 18 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs
  • Windows security modification 2 TTPs 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\jphxaul.exe
    "C:\Users\Admin\AppData\Local\Temp\jphxaul.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: EnumeratesProcesses
    PID:4872
  • C:\Users\Admin\AppData\Local\Temp\jphxaul.exe
    C:\Users\Admin\AppData\Local\Temp\jphxaul.exe /C
    1⤵
    • Checks SCSI registry key(s) (likely anti-VM)
    • Suspicious behavior: EnumeratesProcesses
    PID:4984
  • C:\Windows\system32\SppExtComObj.exe
    C:\Windows\system32\SppExtComObj.exe -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5076
  • C:\Windows\System32\SLUI.exe
    "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
    1⤵
      PID:5108
    • C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
      1⤵
      • Suspicious use of WriteProcessMemory
      • Executes dropped EXE
      • Suspicious behavior: MapViewOfSection
      • Suspicious behavior: EnumeratesProcesses
      PID:1780
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn udgnhbkwcb /tr "\"C:\Users\Admin\AppData\Local\Temp\jphxaul.exe\" /I udgnhbkwcb" /SC ONCE /Z /ST 12:04 /ET 12:16
      1⤵
        PID:1684
      • C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe /C
        1⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s) (likely anti-VM)
        • Suspicious behavior: EnumeratesProcesses
        PID:1440
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        1⤵
          PID:4276
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          1⤵
          • Qakbot persistence
          • Adds Run entry to start application
          • Suspicious behavior: EnumeratesProcesses
          PID:3976
        • \??\c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s BITS
          1⤵
          • Drops file in system dir
          PID:3848
        • \??\c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
          1⤵
            PID:4560
          • \??\c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
            1⤵
            • Checks system information in the registry (likely anti-VM)
            PID:4624
          • \??\c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k unistacksvcgroup
            1⤵
              PID:3784
            • \??\c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
              1⤵
              • Windows security modification
              PID:4500
            • C:\Users\Admin\AppData\Local\Temp\jphxaul.exe
              C:\Users\Admin\AppData\Local\Temp\jphxaul.exe /I udgnhbkwcb
              1⤵
              • Suspicious use of WriteProcessMemory
              • Suspicious behavior: EnumeratesProcesses
              PID:2876
            • C:\Windows\system32\reg.exe
              C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
              1⤵
              • Windows security modification
              PID:3468
            • C:\Windows\system32\reg.exe
              C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
              1⤵
              • Windows security modification
              PID:3700
            • C:\Windows\system32\reg.exe
              C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
              1⤵
                PID:4824
              • C:\Windows\system32\reg.exe
                C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
                1⤵
                  PID:596
                • C:\Windows\system32\reg.exe
                  C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
                  1⤵
                  • Windows security modification
                  PID:880
                • C:\Windows\system32\reg.exe
                  C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
                  1⤵
                  • Windows security modification
                  PID:392
                • C:\Windows\system32\reg.exe
                  C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
                  1⤵
                  • Windows security modification
                  PID:1160
                • C:\Windows\system32\reg.exe
                  C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
                  1⤵
                  • Windows security modification
                  PID:1376
                • C:\Windows\system32\reg.exe
                  C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr" /d "0"
                  1⤵
                  • Windows security bypass
                  PID:1540
                • C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
                  C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
                  1⤵
                  • Suspicious use of WriteProcessMemory
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1620
                • C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
                  C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe /C
                  1⤵
                  • Executes dropped EXE
                  • Checks SCSI registry key(s) (likely anti-VM)
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1876
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\jphxaul.exe"
                  1⤵
                    PID:980
                  • C:\Windows\system32\schtasks.exe
                    "C:\Windows\system32\schtasks.exe" /DELETE /F /TN udgnhbkwcb
                    1⤵
                    • Uses Task Scheduler COM API
                    PID:2104
                  • C:\Windows\system32\PING.EXE
                    ping.exe -n 6 127.0.0.1
                    1⤵
                    • Runs ping.exe
                    PID:2444

                  Network

                  MITRE ATT&CK Enterprise v15

                  MITRE ATT&CK Additional techniques

                  • T1089
                  • T1060

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • memory/1440-4-0x0000000004850000-0x0000000004851000-memory.dmp

                    Filesize

                    4KB

                  • memory/1780-5-0x0000000004870000-0x00000000048F1000-memory.dmp

                    Filesize

                    516KB

                  • memory/1780-6-0x0000000004870000-0x00000000048F1000-memory.dmp

                    Filesize

                    516KB

                  • memory/1876-21-0x0000000004B10000-0x0000000004B11000-memory.dmp

                    Filesize

                    4KB

                  • memory/4984-0-0x0000000004B90000-0x0000000004B91000-memory.dmp

                    Filesize

                    4KB