Analysis
-
max time kernel
133s -
max time network
122s -
resource
win7v191014
Task
task1
Sample
10.bin.exe
Resource
win7v191014
General
-
Target
10.bin
-
Sample
191111-m8tm8zqbrs
-
SHA256
256967605423fea1e00368078eea1cdb52d391aa0091e0798db797ab337d1567
Malware Config
Extracted
qakbot
1573023013
107.12.140.181:443
67.5.33.229:2078
184.74.101.234:995
172.78.45.13:995
181.95.16.207:443
50.246.229.50:443
207.179.194.91:443
67.246.16.250:995
75.110.250.89:443
173.91.254.236:443
50.78.93.74:995
73.104.218.229:0
47.23.101.26:993
88.111.255.235:2222
12.5.37.3:995
24.30.71.200:443
72.29.181.77:2078
98.155.154.220:443
196.194.74.33:2222
47.214.144.253:443
67.10.18.112:993
73.232.165.200:995
115.132.97.136:443
47.202.98.230:443
71.93.60.90:443
72.46.151.196:995
137.25.72.175:443
67.160.63.127:443
197.86.194.53:995
75.142.59.167:443
47.155.19.205:443
182.56.89.221:995
2.90.219.43:443
105.246.75.20:995
75.110.90.155:443
166.62.180.194:2078
62.103.70.217:995
107.12.131.249:443
98.186.155.8:443
47.153.115.154:443
108.5.34.128:443
76.169.19.193:443
45.37.57.119:2222
76.116.128.81:443
2.50.41.185:443
95.67.238.16:21
107.184.252.92:443
75.130.117.134:443
70.183.3.199:443
72.142.106.198:993
181.197.195.138:995
186.47.208.238:50000
71.77.231.251:443
93.177.144.236:443
12.176.32.146:443
72.16.212.107:995
200.104.249.67:443
73.226.220.56:443
181.126.80.118:443
67.214.201.117:2222
108.160.123.244:443
173.247.186.90:443
90.43.6.185:2222
66.51.231.183:443
50.247.230.33:443
108.227.161.27:443
96.59.11.86:443
24.184.6.58:2222
117.204.224.110:995
174.131.181.120:995
76.80.66.226:443
207.162.184.228:443
173.178.129.3:443
47.23.101.26:465
12.5.37.3:443
111.125.70.30:2222
206.51.202.106:50002
201.152.111.120:995
75.131.72.82:995
174.48.72.160:443
2.177.101.143:443
47.146.169.85:443
184.191.62.78:443
75.70.218.193:443
162.244.225.30:443
123.252.128.47:443
174.130.203.235:443
205.250.79.62:443
162.244.224.166:443
116.58.100.130:443
68.174.15.223:443
199.126.92.231:995
173.178.129.3:990
65.30.12.240:443
24.201.68.105:2087
5.182.39.156:443
24.201.68.105:2078
23.240.185.215:443
68.131.9.203:443
187.163.139.200:993
75.81.25.223:995
70.120.151.69:443
32.208.1.239:443
73.37.61.237:443
168.245.228.71:443
72.29.181.77:2083
112.171.126.153:443
75.131.72.82:2087
67.200.146.98:2222
96.35.170.82:2222
72.132.145.25:443
71.30.56.170:443
174.16.234.171:993
75.175.209.163:995
47.153.115.154:995
72.213.98.233:443
2.50.170.151:443
173.22.120.11:2222
184.180.157.203:2222
75.165.132.69:443
64.19.74.29:995
104.32.185.213:2222
104.3.91.20:995
64.72.102.10:2222
173.3.132.17:995
74.194.4.181:443
75.131.72.82:443
68.238.144.55:443
100.4.185.8:443
190.217.1.149:443
104.34.122.18:443
66.214.75.176:443
47.153.115.154:443
72.142.106.198:465
68.238.56.27:443
24.180.7.155:443
24.203.64.26:2222
24.196.158.28:443
69.92.54.95:995
83.79.2.218:2222
98.148.177.77:443
170.10.78.48:443
71.90.241.69:443
23.240.34.55:443
201.188.17.26:443
181.135.235.70:443
67.190.189.217:443
75.182.115.93:443
75.110.104.106:443
203.83.20.209:995
Signatures
-
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exedescription ioc pid process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting = "0" 744 reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent = "2" 1800 reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SpyNetReporting = "0" 1340 reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent = "2" 2028 reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" 1924 reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2" 2024 reg.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
conhost.exepid process 1896 conhost.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
10.bin.exe10.bin.exevanqawu.exevanqawu.exeexplorer.exe10.bin.exevanqawu.exevanqawu.exepid process 1700 10.bin.exe 1108 10.bin.exe 1096 vanqawu.exe 848 vanqawu.exe 1372 explorer.exe 1612 10.bin.exe 1304 vanqawu.exe 672 vanqawu.exe -
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
10.bin.exevanqawu.exetaskeng.exe10.bin.exevanqawu.exedescription pid process target process PID 1700 wrote to memory of 1108 1700 10.bin.exe 10.bin.exe PID 1700 wrote to memory of 1096 1700 10.bin.exe vanqawu.exe PID 1700 wrote to memory of 896 1700 10.bin.exe schtasks.exe PID 1096 wrote to memory of 848 1096 vanqawu.exe vanqawu.exe PID 1096 wrote to memory of 1372 1096 vanqawu.exe explorer.exe PID 1400 wrote to memory of 1612 1400 taskeng.exe 10.bin.exe PID 1612 wrote to memory of 744 1612 10.bin.exe reg.exe PID 1612 wrote to memory of 1800 1612 10.bin.exe reg.exe PID 1612 wrote to memory of 1092 1612 10.bin.exe reg.exe PID 1612 wrote to memory of 1952 1612 10.bin.exe reg.exe PID 1612 wrote to memory of 1340 1612 10.bin.exe reg.exe PID 1612 wrote to memory of 2028 1612 10.bin.exe reg.exe PID 1612 wrote to memory of 1924 1612 10.bin.exe reg.exe PID 1612 wrote to memory of 2024 1612 10.bin.exe reg.exe PID 1612 wrote to memory of 1192 1612 10.bin.exe reg.exe PID 1612 wrote to memory of 1304 1612 10.bin.exe vanqawu.exe PID 1304 wrote to memory of 672 1304 vanqawu.exe vanqawu.exe PID 1612 wrote to memory of 1552 1612 10.bin.exe cmd.exe PID 1612 wrote to memory of 568 1612 10.bin.exe schtasks.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
vanqawu.exepid process 1096 vanqawu.exe -
Processes:
reg.exedescription ioc pid process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg = "0" 1192 reg.exe -
Uses Task Scheduler COM API 1 TTPs 12 IoCs
Processes:
schtasks.exedescription ioc pid process Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} 568 schtasks.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} 568 schtasks.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs 568 schtasks.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid 568 schtasks.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID\ 568 schtasks.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ 568 schtasks.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 568 schtasks.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\InprocServer32 568 schtasks.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ 568 schtasks.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ThreadingModel 568 schtasks.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32 568 schtasks.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler 568 schtasks.exe -
Adds Run entry to start application 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc pid process Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Windows\CurrentVersion\Run\ujrege = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Igniwjmeevrg\\vanqawu.exe\"" 1372 explorer.exe -
Loads dropped DLL 2 IoCs
Processes:
10.bin.exe10.bin.exepid process 1700 10.bin.exe 1612 10.bin.exe -
Executes dropped EXE 4 IoCs
Processes:
vanqawu.exevanqawu.exevanqawu.exevanqawu.exepid process 1096 vanqawu.exe 848 vanqawu.exe 1304 vanqawu.exe 672 vanqawu.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\10.bin.exe"C:\Users\Admin\AppData\Local\Temp\10.bin.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
PID:1700
-
C:\Users\Admin\AppData\Local\Temp\10.bin.exeC:\Users\Admin\AppData\Local\Temp\10.bin.exe /C1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1108
-
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exeC:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Executes dropped EXE
PID:1096
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn cjcmvzpzy /tr "\"C:\Users\Admin\AppData\Local\Temp\10.bin.exe\" /I cjcmvzpzy" /SC ONCE /Z /ST 11:29 /ET 11:411⤵PID:896
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1333835286-1054468390-1472936826-787043865-20918172221881988614-2562341841526789034"1⤵PID:1948
-
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exeC:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe /C1⤵
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
PID:848
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Suspicious behavior: EnumeratesProcesses
- Adds Run entry to start application
PID:1372
-
C:\Windows\system32\taskeng.exetaskeng.exe {6E4CDC97-0D08-4EC0-84D3-5A87FF9F6C24} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
PID:1400
-
C:\Users\Admin\AppData\Local\Temp\10.bin.exeC:\Users\Admin\AppData\Local\Temp\10.bin.exe /I cjcmvzpzy1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
PID:1612
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"1⤵
- Windows security modification
PID:744
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1052770411-1987472653-225266097818664515-1159266142-1893983121-170782614567823169"1⤵PID:1816
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"1⤵
- Windows security modification
PID:1800
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1363024916341690273417984769571040961538434901-464123561352423962-1677658315"1⤵PID:1692
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"1⤵PID:1092
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-5892775512107634937-1428385552-11917698441232555143438052884-804782238353676248"1⤵PID:1080
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"1⤵PID:1952
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1007385672-1741799339-9377674951281321575327590850-1161200306119349869422307751"1⤵PID:1980
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"1⤵
- Windows security modification
PID:1340
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-164458087539790320817021096901442415827609806654-1541309447-226484685833162598"1⤵PID:1264
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"1⤵
- Windows security modification
PID:2028
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "13339727956972212373237002013051941544524146701368172119-831479021496215352"1⤵PID:2004
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"1⤵
- Windows security modification
PID:1924
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-13909344721170310475-1751485756971210792-1861976870204265434-1460481585-1181747663"1⤵PID:1308
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"1⤵
- Windows security modification
PID:2024
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1552982290-671418799-350161016-214332083910690683622143646492-963486984-767524722"1⤵PID:1972
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg" /d "0"1⤵
- Windows security bypass
PID:1192
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-5671187391944664047-174941902520198122441360160448-778412476-2358584102147328926"1⤵PID:540
-
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exeC:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1304
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\10.bin.exe"1⤵PID:1552
-
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exeC:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe /C1⤵
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
PID:672
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /DELETE /F /TN cjcmvzpzy1⤵
- Uses Task Scheduler COM API
PID:568
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1707226247392109420715040863-1435351490-191354434921430137141086314943555134572"1⤵
- Suspicious use of SetWindowsHookEx
PID:1896
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-597329610257884963-185016083345871971945822752-1580030364-1475347718-1175167934"1⤵PID:1164
-
C:\Windows\system32\PING.EXEping.exe -n 6 127.0.0.11⤵
- Runs ping.exe
PID:800
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Additional techniques
- T1089
- T1060