Analysis
-
max time kernel
135s -
max time network
122s -
resource
win7v191014
Task
task1
Sample
1.bin.exe
Resource
win7v191014
General
-
Target
1.bin
-
Sample
191111-ypg95xvrwj
-
SHA256
f614a06748251107a34fa7e44c7652fd88e61fd958df724455e14ec88040abf9
Malware Config
Extracted
qakbot
1573123220
206.51.202.106:50003
173.3.132.17:995
75.131.72.82:443
68.238.144.55:443
100.4.185.8:443
5.182.39.156:443
24.201.68.105:2078
23.240.185.215:443
69.92.54.95:995
68.131.9.203:443
187.163.139.200:993
75.81.25.223:995
32.208.1.239:443
170.10.78.48:443
74.194.4.181:443
81.147.42.195:2222
71.30.56.170:443
174.16.234.171:993
66.214.75.176:443
47.153.115.154:443
75.175.209.163:995
72.213.98.233:443
173.22.120.11:2222
68.238.56.27:443
184.180.157.203:2222
24.203.64.26:2222
47.153.115.154:995
64.19.74.29:995
104.32.185.213:2222
104.3.91.20:995
107.12.140.181:443
67.5.33.229:2078
67.10.18.112:993
80.14.209.42:2222
184.74.101.234:995
172.78.45.13:995
181.14.188.8:443
106.51.0.228:443
67.246.16.250:995
75.110.250.89:443
50.78.93.74:995
104.175.193.24:443
209.182.122.217:443
47.23.101.26:993
12.5.37.3:995
24.30.71.200:443
72.29.181.77:2078
90.43.6.185:2222
81.149.189.61:8443
5.89.115.73:2222
71.93.60.90:443
72.46.151.196:995
105.246.77.129:995
50.246.229.50:443
65.16.241.150:443
197.86.194.53:995
75.142.59.167:443
107.12.131.249:443
70.74.159.126:2222
75.130.117.134:443
47.202.98.230:443
47.214.144.253:443
196.194.28.127:2222
182.56.87.205:995
2.50.41.185:443
217.162.149.212:443
76.116.128.81:443
107.184.252.92:443
69.170.237.82:995
75.110.90.155:443
166.62.180.194:2078
62.103.70.217:995
108.45.183.59:443
67.87.38.242:2222
117.223.144.228:995
47.153.115.154:443
186.47.208.238:50000
108.5.34.128:443
67.77.162.13:443
65.30.12.240:443
76.80.66.226:443
111.125.70.30:2222
181.197.195.138:995
173.29.144.30:443
174.130.203.235:443
162.244.224.166:443
104.34.122.18:443
199.126.92.231:995
173.178.129.3:990
12.176.32.146:443
93.177.144.236:443
108.227.161.27:443
72.16.212.107:995
205.250.79.62:443
201.152.218.64:995
200.104.249.67:443
123.252.128.47:443
73.226.220.56:443
181.126.80.118:443
88.200.217.162:21
108.160.123.244:443
67.214.201.117:2222
173.247.186.90:443
50.247.230.33:443
75.165.181.122:443
68.174.15.223:443
96.59.11.86:443
71.77.231.251:443
24.184.6.58:2222
174.131.181.120:995
207.162.184.228:443
173.178.129.3:443
47.23.101.26:465
12.5.37.3:443
206.51.202.106:50002
75.131.72.82:995
172.251.77.230:443
174.48.72.160:443
2.177.101.143:443
70.120.151.69:443
47.146.169.85:443
24.93.168.38:443
75.70.218.193:443
162.244.225.30:443
168.245.228.71:443
72.29.181.77:2083
112.171.126.153:443
75.131.72.82:2087
96.35.170.82:2222
24.27.82.216:2222
2.50.170.151:443
73.202.121.222:0
98.155.154.220:443
98.148.177.77:443
24.180.7.155:443
47.155.19.205:443
67.160.63.127:443
201.188.17.26:443
75.165.132.69:443
24.182.53.191:443
137.25.72.175:443
116.58.100.130:443
73.37.61.237:443
76.169.19.193:443
203.83.20.209:995
76.174.122.204:443
83.79.2.218:2222
71.90.241.69:443
66.51.231.183:443
45.37.57.119:2222
Signatures
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
vanqawu.exepid process 1500 vanqawu.exe -
Processes:
reg.exedescription ioc pid process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg = "0" 1088 reg.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
conhost.exepid process 1860 conhost.exe -
Uses Task Scheduler COM API 1 TTPs 12 IoCs
Processes:
schtasks.exedescription ioc pid process Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} 1676 schtasks.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} 1676 schtasks.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs 1676 schtasks.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid 1676 schtasks.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID\ 1676 schtasks.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ 1676 schtasks.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 1676 schtasks.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\InprocServer32 1676 schtasks.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ 1676 schtasks.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ThreadingModel 1676 schtasks.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32 1676 schtasks.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler 1676 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
1.bin.exe1.bin.exevanqawu.exevanqawu.exeexplorer.exe1.bin.exevanqawu.exevanqawu.exepid process 1204 1.bin.exe 844 1.bin.exe 1500 vanqawu.exe 1908 vanqawu.exe 544 explorer.exe 1728 1.bin.exe 1208 vanqawu.exe 2024 vanqawu.exe -
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
1.bin.exevanqawu.exetaskeng.exe1.bin.exevanqawu.exedescription pid process target process PID 1204 wrote to memory of 844 1204 1.bin.exe 1.bin.exe PID 1204 wrote to memory of 1500 1204 1.bin.exe vanqawu.exe PID 1204 wrote to memory of 1508 1204 1.bin.exe schtasks.exe PID 1500 wrote to memory of 1908 1500 vanqawu.exe vanqawu.exe PID 1500 wrote to memory of 544 1500 vanqawu.exe explorer.exe PID 1572 wrote to memory of 1728 1572 taskeng.exe 1.bin.exe PID 1728 wrote to memory of 1472 1728 1.bin.exe reg.exe PID 1728 wrote to memory of 1652 1728 1.bin.exe reg.exe PID 1728 wrote to memory of 1668 1728 1.bin.exe reg.exe PID 1728 wrote to memory of 1532 1728 1.bin.exe reg.exe PID 1728 wrote to memory of 1664 1728 1.bin.exe reg.exe PID 1728 wrote to memory of 968 1728 1.bin.exe reg.exe PID 1728 wrote to memory of 1996 1728 1.bin.exe reg.exe PID 1728 wrote to memory of 880 1728 1.bin.exe reg.exe PID 1728 wrote to memory of 1088 1728 1.bin.exe reg.exe PID 1728 wrote to memory of 1208 1728 1.bin.exe vanqawu.exe PID 1208 wrote to memory of 2024 1208 vanqawu.exe vanqawu.exe PID 1728 wrote to memory of 1492 1728 1.bin.exe cmd.exe PID 1728 wrote to memory of 1676 1728 1.bin.exe schtasks.exe -
Loads dropped DLL 2 IoCs
Processes:
1.bin.exe1.bin.exepid process 1204 1.bin.exe 1728 1.bin.exe -
Executes dropped EXE 4 IoCs
Processes:
vanqawu.exevanqawu.exevanqawu.exevanqawu.exepid process 1500 vanqawu.exe 1908 vanqawu.exe 1208 vanqawu.exe 2024 vanqawu.exe -
Adds Run entry to start application 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc pid process Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Windows\CurrentVersion\Run\burcz = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Igniwjmeevrg\\vanqawu.exe\"" 544 explorer.exe -
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exedescription ioc pid process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting = "0" 1472 reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent = "2" 1652 reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SpyNetReporting = "0" 1664 reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent = "2" 968 reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" 1996 reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2" 880 reg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1.bin.exe"C:\Users\Admin\AppData\Local\Temp\1.bin.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
PID:1204
-
C:\Users\Admin\AppData\Local\Temp\1.bin.exeC:\Users\Admin\AppData\Local\Temp\1.bin.exe /C1⤵
- Suspicious behavior: EnumeratesProcesses
PID:844
-
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exeC:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1500
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn zgsafwwni /tr "\"C:\Users\Admin\AppData\Local\Temp\1.bin.exe\" /I zgsafwwni" /SC ONCE /Z /ST 11:28 /ET 11:401⤵PID:1508
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1145494900162369655018148990691529387095-157741661026531389279276841363457141"1⤵PID:612
-
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exeC:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe /C1⤵
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
PID:1908
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Suspicious behavior: EnumeratesProcesses
- Adds Run entry to start application
PID:544
-
C:\Windows\system32\taskeng.exetaskeng.exe {87ACBCDC-925C-4F53-952B-F555E8AABB5A} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
PID:1572
-
C:\Users\Admin\AppData\Local\Temp\1.bin.exeC:\Users\Admin\AppData\Local\Temp\1.bin.exe /I zgsafwwni1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
PID:1728
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"1⤵
- Windows security modification
PID:1472
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1406313433-1530864569519609677-705302584-1500799793-5199142197903621681759910617"1⤵PID:624
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"1⤵
- Windows security modification
PID:1652
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1551933128-1525725019-10320820171217585874-169158702-8560017176541703131164877167"1⤵PID:1148
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"1⤵PID:1668
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "403923372311359084-2040021384-1025363167925403790369564238-221676643-1672045181"1⤵PID:1648
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"1⤵PID:1532
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "451162256-110950027190325757-13534369272003641146-6369925181765965255-1036975443"1⤵PID:1880
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"1⤵
- Windows security modification
PID:1664
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-5009445111862015467-527595877-99434270-1566036058-1550694241-1283816431-263241761"1⤵PID:1672
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"1⤵
- Windows security modification
PID:968
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "832569135121626201114734216849506863-231077563-4350211161603927488-1036462420"1⤵PID:1692
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"1⤵
- Windows security modification
PID:1996
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "463035802-1587806763836584688-10846187741164755848-2003775354-786235876304572848"1⤵PID:1660
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"1⤵
- Windows security modification
PID:880
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1856452837-1497279061932382967-1787162605-17492614712069044631-1065060359-222478447"1⤵PID:816
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg" /d "0"1⤵
- Windows security bypass
PID:1088
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1881455668-5697654081047749110-14625017416798282791246362084-954285542-1885418726"1⤵PID:1872
-
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exeC:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1208
-
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exeC:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe /C1⤵
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
PID:2024
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\1.bin.exe"1⤵PID:1492
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "493277126-1586195262107872175499420068-1001445692-1642266361-1526996851625561821"1⤵
- Suspicious use of SetWindowsHookEx
PID:1860
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /DELETE /F /TN zgsafwwni1⤵
- Uses Task Scheduler COM API
PID:1676
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1490566853-13306418891392000251680450547-914205156-14614947281055232838-483371628"1⤵PID:1552
-
C:\Windows\system32\PING.EXEping.exe -n 6 127.0.0.11⤵
- Runs ping.exe
PID:1636
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Additional techniques
- T1089
- T1060