Analysis

  • max time kernel: 136s
  • max time network: 120s
  • resource: win7v191014

General

  • Target: 7.bin
  • Sample: 191111-zl9l5y6lp2
  • SHA256: 2b9ef4a9f47402d171eec28acadf3753cbb33c9bc6ec26d99aa060127a470e95

Score
N/A

Malware Config

Extracted

  • Family: qakbot
  • Campaign: 1573023013

C2

  • 20 host:port pairs extracted from the configuration

Signatures

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • qakbot family
  • Executes dropped EXE 4 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run entry to start application 2 TTPs 1 IoCs
  • Windows security modification 2 TTPs 6 IoCs
  • Windows security bypass 2 TTPs 1 IoCs
  • Uses Task Scheduler COM API 1 TTPs 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\7.bin.exe"
    • Suspicious use of WriteProcessMemory
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:1308
  • C:\Users\Admin\AppData\Local\Temp\7.bin.exe
    C:\Users\Admin\AppData\Local\Temp\7.bin.exe /C
    • Suspicious behavior: EnumeratesProcesses
    PID:1112
  • C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
    • Suspicious behavior: MapViewOfSection
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: EnumeratesProcesses
    PID:1044
  • C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn njmklivdx /tr "\"C:\Users\Admin\AppData\Local\Temp\7.bin.exe\" /I njmklivdx" /SC ONCE /Z /ST 11:29 /ET 11:41
    PID:1168
  • C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe /C
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    PID:1324
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-115038910015188956801145298583-1479397551652332624-1907009593-191511810289101129"
    PID:108
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    • Adds Run entry to start application
    • Suspicious behavior: EnumeratesProcesses
    PID:1424
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {B1866A8A-BCF4-4C7F-B6A3-9E39BAAEA58B} S-1-5-18:NT AUTHORITY\System:Service:
    • Suspicious use of WriteProcessMemory
    PID:1728
  • C:\Users\Admin\AppData\Local\Temp\7.bin.exe
    C:\Users\Admin\AppData\Local\Temp\7.bin.exe /I njmklivdx
    • Suspicious use of WriteProcessMemory
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:964
  • C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    • Windows security modification
    PID:1956
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "451656596-1925243903-645866099-5161765021112258752111358910316401049581759920760"
    PID:1652
  • C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    • Windows security modification
    PID:1632
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "40183899112916302-2052623171358655346-263077944-1916912612-1167357930-451754932"
    PID:1932
  • C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    PID:1684
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "2127619852-993235986-2124241645-2014570527182190344861042296414491064932144229937"
    PID:544
  • C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    PID:576
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "20796817916818620601826458542558577722160017407-144638398-3307046602017900169"
    PID:648
  • C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    • Windows security modification
    PID:1940
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-802413980570330605193772083-9101082131045606861-1156282892-188116258779215992"
    PID:2000
  • C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    • Windows security modification
    PID:1700
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-397546529-843389547-26192131516565029721734074481465266374-1136034080-1528723127"
    PID:1080
  • C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    • Windows security modification
    PID:1088
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-1093646579-753333997-834972694351459840-29995796194628937-717529946-1630728220"
    PID:1480
  • C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    • Windows security modification
    PID:1544
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "54791355-15971780071381366702-874518089207314609-1464189978-1729963198-176995842"
    PID:188
  • C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg" /d "0"
    • Windows security bypass
    PID:2004
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-1815132818-1953088679925573803193258476-906623908-147630298-1809685621-1518219910"
    PID:1912
  • C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: EnumeratesProcesses
    PID:1336
  • C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe /C
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    PID:1512
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\7.bin.exe"
    PID:2040
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-1712915126-803470768-17878711391490629660-1524325652584447468698073616-532713363"
    • Suspicious use of SetWindowsHookEx
    PID:1648
  • C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /DELETE /F /TN njmklivdx
    • Uses Task Scheduler COM API
    PID:1948
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-242508293-1843648881-984437349157175798510335580471990534043-2089615384-1250511796"
    PID:1548
  • C:\Windows\system32\PING.EXE
    ping.exe -n 6 127.0.0.1
    • Runs ping.exe
    PID:464

Network

MITRE ATT&CK Enterprise v15

Additional techniques:

  • T1060
  • T1089

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.dat
  • C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
  • \??\PIPE\samr
  • \Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe

Memory dumps

  • memory/1044-7-0x0000000002300000-0x0000000002392000-memory.dmp (Filesize: 584KB)
  • memory/1112-0-0x0000000002640000-0x0000000002651000-memory.dmp (Filesize: 68KB)
  • memory/1324-6-0x00000000025E0000-0x00000000025F1000-memory.dmp (Filesize: 68KB)
  • memory/1512-13-0x00000000026C0000-0x00000000026D1000-memory.dmp (Filesize: 68KB)