Analysis

  • max time kernel
    137s
  • max time network
    151s
  • resource
    win10v191014

General

  • Target

    10.bin

  • Sample

    191111-m8tm8zqbrs

  • SHA256

    256967605423fea1e00368078eea1cdb52d391aa0091e0798db797ab337d1567

Score
N/A

Malware Config

Extracted

Family

qakbot

Campaign

1573023013

C2

107.12.140.181:443

67.5.33.229:2078

184.74.101.234:995

172.78.45.13:995

181.95.16.207:443

50.246.229.50:443

207.179.194.91:443

67.246.16.250:995

75.110.250.89:443

173.91.254.236:443

50.78.93.74:995

73.104.218.229:0

47.23.101.26:993

88.111.255.235:2222

12.5.37.3:995

24.30.71.200:443

72.29.181.77:2078

98.155.154.220:443

196.194.74.33:2222

47.214.144.253:443

Signatures

  • Drops file in system dir 5 IoCs
  • Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs
  • Adds Run entry to start application 2 TTPs 1 IoCs
  • qakbot family
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Windows security modification 2 TTPs 8 IoCs
  • Windows security bypass 2 TTPs 1 IoCs
  • Qakbot persistence 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • Checks SCSI registry key(s) (likely anti-VM) 3 TTPs 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs 14 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\10.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\10.bin.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: EnumeratesProcesses
    PID:4996
  • C:\Users\Admin\AppData\Local\Temp\10.bin.exe
    C:\Users\Admin\AppData\Local\Temp\10.bin.exe /C
    1⤵
    • Checks SCSI registry key(s) (likely anti-VM)
    • Suspicious behavior: EnumeratesProcesses
    PID:5064
  • C:\Windows\system32\SppExtComObj.exe
    C:\Windows\system32\SppExtComObj.exe -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1528
  • C:\Windows\System32\SLUI.exe
    "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
    1⤵
      PID:1708
    • C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
      1⤵
      • Suspicious behavior: MapViewOfSection
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      • Suspicious behavior: EnumeratesProcesses
      PID:2448
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn uoqptcmwec /tr "\"C:\Users\Admin\AppData\Local\Temp\10.bin.exe\" /I uoqptcmwec" /SC ONCE /Z /ST 11:30 /ET 11:42
      1⤵
        PID:4388
      • C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe /C
        1⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s) (likely anti-VM)
        • Suspicious behavior: EnumeratesProcesses
        PID:3176
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        1⤵
        • Adds Run entry to start application
        • Qakbot persistence
        • Suspicious behavior: EnumeratesProcesses
        PID:4476
      • \??\c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s BITS
        1⤵
        • Drops file in system dir
        PID:4676
      • \??\c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
        1⤵
          PID:4756
        • \??\c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
          1⤵
          • Checks system information in the registry (likely anti-VM)
          PID:3536
        • \??\c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k unistacksvcgroup
          1⤵
            PID:3384
          • \??\c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
            1⤵
            • Windows security modification
            PID:4972
          • C:\Users\Admin\AppData\Local\Temp\10.bin.exe
            C:\Users\Admin\AppData\Local\Temp\10.bin.exe /I uoqptcmwec
            1⤵
            • Suspicious use of WriteProcessMemory
            • Suspicious behavior: EnumeratesProcesses
            PID:4920
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
            1⤵
            • Windows security modification
            PID:1756
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
            1⤵
            • Windows security modification
            PID:3568
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
            1⤵
              PID:3796
            • C:\Windows\system32\reg.exe
              C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
              1⤵
                PID:1008
              • C:\Windows\system32\reg.exe
                C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
                1⤵
                • Windows security modification
                PID:2084
              • C:\Windows\system32\reg.exe
                C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
                1⤵
                • Windows security modification
                PID:5004
              • C:\Windows\system32\reg.exe
                C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
                1⤵
                • Windows security modification
                PID:3092
              • C:\Windows\system32\reg.exe
                C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
                1⤵
                • Windows security modification
                PID:4072
              • C:\Windows\system32\reg.exe
                C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr" /d "0"
                1⤵
                • Windows security bypass
                PID:3136
              • C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
                C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
                1⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                • Suspicious behavior: EnumeratesProcesses
                PID:4640
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\10.bin.exe"
                1⤵
                  PID:604
                • C:\Windows\system32\schtasks.exe
                  "C:\Windows\system32\schtasks.exe" /DELETE /F /TN uoqptcmwec
                  1⤵
                  • Uses Task Scheduler COM API
                  PID:656
                • C:\Windows\system32\PING.EXE
                  ping.exe -n 6 127.0.0.1
                  1⤵
                  • Runs ping.exe
                  PID:376
                • C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
                  C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe /C
                  1⤵
                  • Executes dropped EXE
                  • Checks SCSI registry key(s) (likely anti-VM)
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1028

                Network

                MITRE ATT&CK Enterprise v15

                MITRE ATT&CK Additional techniques

                • T1060
                • T1089

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • memory/1028-20-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

                  Filesize

                  4KB

                • memory/2448-5-0x0000000002B40000-0x0000000002BD2000-memory.dmp

                  Filesize

                  584KB

                • memory/3176-4-0x0000000002B10000-0x0000000002B11000-memory.dmp

                  Filesize

                  4KB

                • memory/5064-0-0x0000000002C70000-0x0000000002C71000-memory.dmp

                  Filesize

                  4KB