Analysis
-
max time kernel
139s -
max time network
150s -
resource
win10v191014
Task
task1
Sample
2.bin.exe
Resource
win7v191014
General
-
Target
2.bin
-
Sample
191111-mgrgp545yx
-
SHA256
7d4d207fb5258f504d3f9ef60d431332d1e7320d5849c0b0acf624612b01c8f0
Malware Config
Extracted
qakbot
1573123220
206.51.202.106:50003
173.3.132.17:995
75.131.72.82:443
68.238.144.55:443
100.4.185.8:443
5.182.39.156:443
24.201.68.105:2078
23.240.185.215:443
69.92.54.95:995
68.131.9.203:443
187.163.139.200:993
75.81.25.223:995
32.208.1.239:443
170.10.78.48:443
74.194.4.181:443
81.147.42.195:2222
71.30.56.170:443
174.16.234.171:993
66.214.75.176:443
47.153.115.154:443
75.175.209.163:995
72.213.98.233:443
173.22.120.11:2222
68.238.56.27:443
184.180.157.203:2222
24.203.64.26:2222
47.153.115.154:995
64.19.74.29:995
104.32.185.213:2222
104.3.91.20:995
107.12.140.181:443
67.5.33.229:2078
67.10.18.112:993
80.14.209.42:2222
184.74.101.234:995
172.78.45.13:995
181.14.188.8:443
106.51.0.228:443
67.246.16.250:995
75.110.250.89:443
50.78.93.74:995
104.175.193.24:443
209.182.122.217:443
47.23.101.26:993
12.5.37.3:995
24.30.71.200:443
72.29.181.77:2078
90.43.6.185:2222
81.149.189.61:8443
5.89.115.73:2222
71.93.60.90:443
72.46.151.196:995
105.246.77.129:995
50.246.229.50:443
65.16.241.150:443
197.86.194.53:995
75.142.59.167:443
107.12.131.249:443
70.74.159.126:2222
75.130.117.134:443
47.202.98.230:443
47.214.144.253:443
196.194.28.127:2222
182.56.87.205:995
2.50.41.185:443
217.162.149.212:443
76.116.128.81:443
107.184.252.92:443
69.170.237.82:995
75.110.90.155:443
166.62.180.194:2078
62.103.70.217:995
108.45.183.59:443
67.87.38.242:2222
117.223.144.228:995
47.153.115.154:443
186.47.208.238:50000
108.5.34.128:443
67.77.162.13:443
65.30.12.240:443
76.80.66.226:443
111.125.70.30:2222
181.197.195.138:995
173.29.144.30:443
174.130.203.235:443
162.244.224.166:443
104.34.122.18:443
199.126.92.231:995
173.178.129.3:990
12.176.32.146:443
93.177.144.236:443
108.227.161.27:443
72.16.212.107:995
205.250.79.62:443
201.152.218.64:995
200.104.249.67:443
123.252.128.47:443
73.226.220.56:443
181.126.80.118:443
88.200.217.162:21
108.160.123.244:443
67.214.201.117:2222
173.247.186.90:443
50.247.230.33:443
75.165.181.122:443
68.174.15.223:443
96.59.11.86:443
71.77.231.251:443
24.184.6.58:2222
174.131.181.120:995
207.162.184.228:443
173.178.129.3:443
47.23.101.26:465
12.5.37.3:443
206.51.202.106:50002
75.131.72.82:995
172.251.77.230:443
174.48.72.160:443
2.177.101.143:443
70.120.151.69:443
47.146.169.85:443
24.93.168.38:443
75.70.218.193:443
162.244.225.30:443
168.245.228.71:443
72.29.181.77:2083
112.171.126.153:443
75.131.72.82:2087
96.35.170.82:2222
24.27.82.216:2222
2.50.170.151:443
73.202.121.222:0
98.155.154.220:443
98.148.177.77:443
24.180.7.155:443
47.155.19.205:443
67.160.63.127:443
201.188.17.26:443
75.165.132.69:443
24.182.53.191:443
137.25.72.175:443
116.58.100.130:443
73.37.61.237:443
76.169.19.193:443
203.83.20.209:995
76.174.122.204:443
83.79.2.218:2222
71.90.241.69:443
66.51.231.183:443
45.37.57.119:2222
Signatures
-
description ioc pid Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0" 4872 svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1" 4872 svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting = "0" 2340 reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent = "2" 1976 reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" 3392 reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2" 5012 reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" 3168 reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2" 4524 reg.exe -
description ioc pid Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr = "0" 5108 reg.exe -
Qakbot persistence 1 IoCs
description ioc pid Process Event created 2ijsethyt4568 4568 explorer.exe -
Uses Task Scheduler COM API 1 TTPs 14 IoCs
description ioc pid Process Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} 532 schtasks.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd} 532 schtasks.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs 532 schtasks.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ 532 schtasks.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 532 schtasks.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\InprocServer32 532 schtasks.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\ 532 schtasks.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\ThreadingModel 532 schtasks.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 532 schtasks.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler 532 schtasks.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32 532 schtasks.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\AppID 532 schtasks.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer 532 schtasks.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation 532 schtasks.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 4996 wrote to memory of 5064 4996 2.bin.exe 73 PID 4188 wrote to memory of 1980 4188 SppExtComObj.exe 76 PID 4996 wrote to memory of 1004 4996 2.bin.exe 78 PID 4996 wrote to memory of 4452 4996 2.bin.exe 79 PID 1004 wrote to memory of 4056 1004 ijsethyt.exe 81 PID 1004 wrote to memory of 4568 1004 ijsethyt.exe 82 PID 5028 wrote to memory of 2340 5028 2.bin.exe 92 PID 5028 wrote to memory of 1976 5028 2.bin.exe 94 PID 5028 wrote to memory of 332 5028 2.bin.exe 96 PID 5028 wrote to memory of 3592 5028 2.bin.exe 98 PID 5028 wrote to memory of 3392 5028 2.bin.exe 100 PID 5028 wrote to memory of 5012 5028 2.bin.exe 102 PID 5028 wrote to memory of 3168 5028 2.bin.exe 104 PID 5028 wrote to memory of 4524 5028 2.bin.exe 106 PID 5028 wrote to memory of 5108 5028 2.bin.exe 108 PID 5028 wrote to memory of 3456 5028 2.bin.exe 110 PID 5028 wrote to memory of 540 5028 2.bin.exe 111 PID 5028 wrote to memory of 532 5028 2.bin.exe 112 PID 3456 wrote to memory of 636 3456 ijsethyt.exe 116 -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1004 ijsethyt.exe -
Adds Run entry to start application 2 TTPs 1 IoCs
description ioc pid Process Set value (str) \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Windows\CurrentVersion\Run\jzzqfpdv = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Onjpsefhpr\\ijsethyt.exe\"" 4568 explorer.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 4996 2.bin.exe 5064 2.bin.exe 1004 ijsethyt.exe 4056 ijsethyt.exe 4568 explorer.exe 5028 2.bin.exe 3456 ijsethyt.exe 636 ijsethyt.exe -
Checks SCSI registry key(s) (likely anti-VM) 3 TTPs 18 IoCs
description ioc pid Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 5064 2.bin.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc 5064 2.bin.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service 5064 2.bin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 5064 2.bin.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc 5064 2.bin.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service 5064 2.bin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 4056 ijsethyt.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc 4056 ijsethyt.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service 4056 ijsethyt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 4056 ijsethyt.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc 4056 ijsethyt.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service 4056 ijsethyt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 636 ijsethyt.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc 636 ijsethyt.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service 636 ijsethyt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 636 ijsethyt.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc 636 ijsethyt.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service 636 ijsethyt.exe -
Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs
description ioc pid Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer 4104 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName 4104 svchost.exe -
pid Process 380 PING.EXE -
Executes dropped EXE 4 IoCs
pid Process 1004 ijsethyt.exe 4056 ijsethyt.exe 3456 ijsethyt.exe 636 ijsethyt.exe -
Drops file in system dir 5 IoCs
description ioc pid Process File opened for modification C:\Windows\Debug\ESE.TXT 4704 svchost.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp 4704 svchost.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp 4704 svchost.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp 4704 svchost.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp 4704 svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2.bin.exe"C:\Users\Admin\AppData\Local\Temp\2.bin.exe"1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
PID:4996
-
C:\Users\Admin\AppData\Local\Temp\2.bin.exeC:\Users\Admin\AppData\Local\Temp\2.bin.exe /C1⤵
- Suspicious behavior: EnumeratesProcesses
- Checks SCSI registry key(s) (likely anti-VM)
PID:5064
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
- Suspicious use of WriteProcessMemory
PID:4188
-
C:\Windows\System32\SLUI.exe"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent1⤵PID:1980
-
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exeC:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
PID:1004
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn aoguscr /tr "\"C:\Users\Admin\AppData\Local\Temp\2.bin.exe\" /I aoguscr" /SC ONCE /Z /ST 11:28 /ET 11:401⤵PID:4452
-
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exeC:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe /C1⤵
- Suspicious behavior: EnumeratesProcesses
- Checks SCSI registry key(s) (likely anti-VM)
- Executes dropped EXE
PID:4056
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Qakbot persistence
- Adds Run entry to start application
- Suspicious behavior: EnumeratesProcesses
PID:4568
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Drops file in system dir
PID:4704
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵PID:4776
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DoSvc1⤵
- Checks system information in the registry (likely anti-VM)
PID:4104
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup1⤵PID:4288
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc1⤵
- Windows security modification
PID:4872
-
C:\Users\Admin\AppData\Local\Temp\2.bin.exeC:\Users\Admin\AppData\Local\Temp\2.bin.exe /I aoguscr1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
PID:5028
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"1⤵
- Windows security modification
PID:2340
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"1⤵
- Windows security modification
PID:1976
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"1⤵PID:332
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"1⤵PID:3592
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"1⤵
- Windows security modification
PID:3392
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"1⤵
- Windows security modification
PID:5012
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"1⤵
- Windows security modification
PID:3168
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"1⤵
- Windows security modification
PID:4524
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr" /d "0"1⤵
- Windows security bypass
PID:5108
-
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exeC:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
PID:3456
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\2.bin.exe"1⤵PID:540
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /DELETE /F /TN aoguscr1⤵
- Uses Task Scheduler COM API
PID:532
-
C:\Windows\system32\PING.EXEping.exe -n 6 127.0.0.11⤵
- Runs ping.exe
PID:380
-
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exeC:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe /C1⤵
- Suspicious behavior: EnumeratesProcesses
- Checks SCSI registry key(s) (likely anti-VM)
- Executes dropped EXE
PID:636
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Additional techniques
- T1089
- T1060