Analysis

  • max time kernel
    133s
  • max time network
    122s
  • resource
    win7v191014

General

  • Target

    10.bin

  • Sample

    191111-m8tm8zqbrs

  • SHA256

    256967605423fea1e00368078eea1cdb52d391aa0091e0798db797ab337d1567

Score
N/A

Malware Config

Extracted

Family

qakbot

Campaign

1573023013

C2

107.12.140.181:443

67.5.33.229:2078

184.74.101.234:995

172.78.45.13:995

181.95.16.207:443

50.246.229.50:443

207.179.194.91:443

67.246.16.250:995

75.110.250.89:443

173.91.254.236:443

50.78.93.74:995

73.104.218.229:0

47.23.101.26:993

88.111.255.235:2222

12.5.37.3:995

24.30.71.200:443

72.29.181.77:2078

98.155.154.220:443

196.194.74.33:2222

47.214.144.253:443

Signatures

  • Windows security modification 2 TTPs 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • qakbot family
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Windows security bypass 2 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Uses Task Scheduler COM API 1 TTPs 12 IoCs
  • Adds Run entry to start application 2 TTPs 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Executes dropped EXE 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\10.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\10.bin.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • Loads dropped DLL
    PID:1700
  • C:\Users\Admin\AppData\Local\Temp\10.bin.exe
    C:\Users\Admin\AppData\Local\Temp\10.bin.exe /C
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1108
  • C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: MapViewOfSection
    • Executes dropped EXE
    PID:1096
  • C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn cjcmvzpzy /tr "\"C:\Users\Admin\AppData\Local\Temp\10.bin.exe\" /I cjcmvzpzy" /SC ONCE /Z /ST 11:29 /ET 11:41
    1⤵
      PID:896
    • C:\Windows\system32\conhost.exe
      \??\C:\Windows\system32\conhost.exe "-1333835286-1054468390-1472936826-787043865-20918172221881988614-2562341841526789034"
      1⤵
        PID:1948
      • C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe /C
        1⤵
        • Suspicious behavior: EnumeratesProcesses
        • Executes dropped EXE
        PID:848
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        1⤵
        • Suspicious behavior: EnumeratesProcesses
        • Adds Run entry to start application
        PID:1372
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {6E4CDC97-0D08-4EC0-84D3-5A87FF9F6C24} S-1-5-18:NT AUTHORITY\System:Service:
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1400
      • C:\Users\Admin\AppData\Local\Temp\10.bin.exe
        C:\Users\Admin\AppData\Local\Temp\10.bin.exe /I cjcmvzpzy
        1⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        • Loads dropped DLL
        PID:1612
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        1⤵
        • Windows security modification
        PID:744
      • C:\Windows\system32\conhost.exe
        \??\C:\Windows\system32\conhost.exe "-1052770411-1987472653-225266097818664515-1159266142-1893983121-170782614567823169"
        1⤵
          PID:1816
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
          1⤵
          • Windows security modification
          PID:1800
        • C:\Windows\system32\conhost.exe
          \??\C:\Windows\system32\conhost.exe "1363024916341690273417984769571040961538434901-464123561352423962-1677658315"
          1⤵
            PID:1692
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
            1⤵
              PID:1092
            • C:\Windows\system32\conhost.exe
              \??\C:\Windows\system32\conhost.exe "-5892775512107634937-1428385552-11917698441232555143438052884-804782238353676248"
              1⤵
                PID:1080
              • C:\Windows\system32\reg.exe
                C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
                1⤵
                  PID:1952
                • C:\Windows\system32\conhost.exe
                  \??\C:\Windows\system32\conhost.exe "1007385672-1741799339-9377674951281321575327590850-1161200306119349869422307751"
                  1⤵
                    PID:1980
                  • C:\Windows\system32\reg.exe
                    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
                    1⤵
                    • Windows security modification
                    PID:1340
                  • C:\Windows\system32\conhost.exe
                    \??\C:\Windows\system32\conhost.exe "-164458087539790320817021096901442415827609806654-1541309447-226484685833162598"
                    1⤵
                      PID:1264
                    • C:\Windows\system32\reg.exe
                      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
                      1⤵
                      • Windows security modification
                      PID:2028
                    • C:\Windows\system32\conhost.exe
                      \??\C:\Windows\system32\conhost.exe "13339727956972212373237002013051941544524146701368172119-831479021496215352"
                      1⤵
                        PID:2004
                      • C:\Windows\system32\reg.exe
                        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
                        1⤵
                        • Windows security modification
                        PID:1924
                      • C:\Windows\system32\conhost.exe
                        \??\C:\Windows\system32\conhost.exe "-13909344721170310475-1751485756971210792-1861976870204265434-1460481585-1181747663"
                        1⤵
                          PID:1308
                        • C:\Windows\system32\reg.exe
                          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
                          1⤵
                          • Windows security modification
                          PID:2024
                        • C:\Windows\system32\conhost.exe
                          \??\C:\Windows\system32\conhost.exe "1552982290-671418799-350161016-214332083910690683622143646492-963486984-767524722"
                          1⤵
                            PID:1972
                          • C:\Windows\system32\reg.exe
                            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg" /d "0"
                            1⤵
                            • Windows security bypass
                            PID:1192
                          • C:\Windows\system32\conhost.exe
                            \??\C:\Windows\system32\conhost.exe "-5671187391944664047-174941902520198122441360160448-778412476-2358584102147328926"
                            1⤵
                              PID:540
                            • C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
                              C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
                              1⤵
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of WriteProcessMemory
                              • Executes dropped EXE
                              PID:1304
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\10.bin.exe"
                              1⤵
                                PID:1552
                              • C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
                                C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe /C
                                1⤵
                                • Suspicious behavior: EnumeratesProcesses
                                • Executes dropped EXE
                                PID:672
                              • C:\Windows\system32\schtasks.exe
                                "C:\Windows\system32\schtasks.exe" /DELETE /F /TN cjcmvzpzy
                                1⤵
                                • Uses Task Scheduler COM API
                                PID:568
                              • C:\Windows\system32\conhost.exe
                                \??\C:\Windows\system32\conhost.exe "1707226247392109420715040863-1435351490-191354434921430137141086314943555134572"
                                1⤵
                                • Suspicious use of SetWindowsHookEx
                                PID:1896
                              • C:\Windows\system32\conhost.exe
                                \??\C:\Windows\system32\conhost.exe "-597329610257884963-185016083345871971945822752-1580030364-1475347718-1175167934"
                                1⤵
                                  PID:1164
                                • C:\Windows\system32\PING.EXE
                                  ping.exe -n 6 127.0.0.1
                                  1⤵
                                  • Runs ping.exe
                                  PID:800

                                Network

                                MITRE ATT&CK Enterprise v15

                                MITRE ATT&CK Additional techniques

                                • T1089
                                • T1060

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • memory/672-12-0x0000000002700000-0x0000000002711000-memory.dmp

                                  Filesize

                                  68KB

                                • memory/848-6-0x0000000002620000-0x0000000002631000-memory.dmp

                                  Filesize

                                  68KB

                                • memory/1096-7-0x0000000002630000-0x00000000026C2000-memory.dmp

                                  Filesize

                                  584KB

                                • memory/1108-0-0x0000000002630000-0x0000000002641000-memory.dmp

                                  Filesize

                                  68KB