Analysis
-
max time kernel
136s -
max time network
120s -
resource
win7v191014
Task
task1
Sample
7.bin.exe
Resource
win7v191014
General
-
Target
7.bin
-
Sample
191111-zl9l5y6lp2
-
SHA256
2b9ef4a9f47402d171eec28acadf3753cbb33c9bc6ec26d99aa060127a470e95
Malware Config
Extracted
qakbot
1573023013
107.12.140.181:443
67.5.33.229:2078
184.74.101.234:995
172.78.45.13:995
181.95.16.207:443
50.246.229.50:443
207.179.194.91:443
67.246.16.250:995
75.110.250.89:443
173.91.254.236:443
50.78.93.74:995
73.104.218.229:0
47.23.101.26:993
88.111.255.235:2222
12.5.37.3:995
24.30.71.200:443
72.29.181.77:2078
98.155.154.220:443
196.194.74.33:2222
47.214.144.253:443
67.10.18.112:993
73.232.165.200:995
115.132.97.136:443
47.202.98.230:443
71.93.60.90:443
72.46.151.196:995
137.25.72.175:443
67.160.63.127:443
197.86.194.53:995
75.142.59.167:443
47.155.19.205:443
182.56.89.221:995
2.90.219.43:443
105.246.75.20:995
75.110.90.155:443
166.62.180.194:2078
62.103.70.217:995
107.12.131.249:443
98.186.155.8:443
47.153.115.154:443
108.5.34.128:443
76.169.19.193:443
45.37.57.119:2222
76.116.128.81:443
2.50.41.185:443
95.67.238.16:21
107.184.252.92:443
75.130.117.134:443
70.183.3.199:443
72.142.106.198:993
181.197.195.138:995
186.47.208.238:50000
71.77.231.251:443
93.177.144.236:443
12.176.32.146:443
72.16.212.107:995
200.104.249.67:443
73.226.220.56:443
181.126.80.118:443
67.214.201.117:2222
108.160.123.244:443
173.247.186.90:443
90.43.6.185:2222
66.51.231.183:443
50.247.230.33:443
108.227.161.27:443
96.59.11.86:443
24.184.6.58:2222
117.204.224.110:995
174.131.181.120:995
76.80.66.226:443
207.162.184.228:443
173.178.129.3:443
47.23.101.26:465
12.5.37.3:443
111.125.70.30:2222
206.51.202.106:50002
201.152.111.120:995
75.131.72.82:995
174.48.72.160:443
2.177.101.143:443
47.146.169.85:443
184.191.62.78:443
75.70.218.193:443
162.244.225.30:443
123.252.128.47:443
174.130.203.235:443
205.250.79.62:443
162.244.224.166:443
116.58.100.130:443
68.174.15.223:443
199.126.92.231:995
173.178.129.3:990
65.30.12.240:443
24.201.68.105:2087
5.182.39.156:443
24.201.68.105:2078
23.240.185.215:443
68.131.9.203:443
187.163.139.200:993
75.81.25.223:995
70.120.151.69:443
32.208.1.239:443
73.37.61.237:443
168.245.228.71:443
72.29.181.77:2083
112.171.126.153:443
75.131.72.82:2087
67.200.146.98:2222
96.35.170.82:2222
72.132.145.25:443
71.30.56.170:443
174.16.234.171:993
75.175.209.163:995
47.153.115.154:995
72.213.98.233:443
2.50.170.151:443
173.22.120.11:2222
184.180.157.203:2222
75.165.132.69:443
64.19.74.29:995
104.32.185.213:2222
104.3.91.20:995
64.72.102.10:2222
173.3.132.17:995
74.194.4.181:443
75.131.72.82:443
68.238.144.55:443
100.4.185.8:443
190.217.1.149:443
104.34.122.18:443
66.214.75.176:443
47.153.115.154:443
72.142.106.198:465
68.238.56.27:443
24.180.7.155:443
24.203.64.26:2222
24.196.158.28:443
69.92.54.95:995
83.79.2.218:2222
98.148.177.77:443
170.10.78.48:443
71.90.241.69:443
23.240.34.55:443
201.188.17.26:443
181.135.235.70:443
67.190.189.217:443
75.182.115.93:443
75.110.104.106:443
203.83.20.209:995
Signatures
-
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1044 vanqawu.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1648 conhost.exe -
pid Process 464 PING.EXE -
Executes dropped EXE 4 IoCs
pid Process 1044 vanqawu.exe 1324 vanqawu.exe 1336 vanqawu.exe 1512 vanqawu.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 1308 wrote to memory of 1112 1308 7.bin.exe 27 PID 1308 wrote to memory of 1044 1308 7.bin.exe 28 PID 1044 wrote to memory of 1324 1044 vanqawu.exe 30 PID 1308 wrote to memory of 1168 1308 7.bin.exe 29 PID 1044 wrote to memory of 1424 1044 vanqawu.exe 32 PID 1728 wrote to memory of 964 1728 taskeng.exe 36 PID 964 wrote to memory of 1956 964 7.bin.exe 37 PID 964 wrote to memory of 1632 964 7.bin.exe 39 PID 964 wrote to memory of 1684 964 7.bin.exe 41 PID 964 wrote to memory of 576 964 7.bin.exe 43 PID 964 wrote to memory of 1940 964 7.bin.exe 45 PID 964 wrote to memory of 1700 964 7.bin.exe 47 PID 964 wrote to memory of 1088 964 7.bin.exe 49 PID 964 wrote to memory of 1544 964 7.bin.exe 51 PID 964 wrote to memory of 2004 964 7.bin.exe 53 PID 964 wrote to memory of 1336 964 7.bin.exe 55 PID 1336 wrote to memory of 1512 1336 vanqawu.exe 56 PID 964 wrote to memory of 2040 964 7.bin.exe 57 PID 964 wrote to memory of 1948 964 7.bin.exe 59 -
Loads dropped DLL 2 IoCs
pid Process 1308 7.bin.exe 964 7.bin.exe -
Adds Run entry to start application 2 TTPs 1 IoCs
description ioc pid Process Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljvziodf = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Igniwjmeevrg\\vanqawu.exe\"" 1424 explorer.exe -
description ioc pid Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting = "0" 1956 reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent = "2" 1632 reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SpyNetReporting = "0" 1940 reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent = "2" 1700 reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" 1088 reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2" 1544 reg.exe -
description ioc pid Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg = "0" 2004 reg.exe -
Uses Task Scheduler COM API 1 TTPs 12 IoCs
description ioc pid Process Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} 1948 schtasks.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} 1948 schtasks.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs 1948 schtasks.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid 1948 schtasks.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID\ 1948 schtasks.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ 1948 schtasks.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 1948 schtasks.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\InprocServer32 1948 schtasks.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ 1948 schtasks.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ThreadingModel 1948 schtasks.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32 1948 schtasks.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler 1948 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 1308 7.bin.exe 1112 7.bin.exe 1044 vanqawu.exe 1324 vanqawu.exe 1424 explorer.exe 964 7.bin.exe 1336 vanqawu.exe 1512 vanqawu.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7.bin.exe"C:\Users\Admin\AppData\Local\Temp\7.bin.exe"1⤵
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1308
-
C:\Users\Admin\AppData\Local\Temp\7.bin.exeC:\Users\Admin\AppData\Local\Temp\7.bin.exe /C1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1112
-
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exeC:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe1⤵
- Suspicious behavior: MapViewOfSection
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
PID:1044
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn njmklivdx /tr "\"C:\Users\Admin\AppData\Local\Temp\7.bin.exe\" /I njmklivdx" /SC ONCE /Z /ST 11:29 /ET 11:411⤵PID:1168
-
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exeC:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe /C1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1324
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-115038910015188956801145298583-1479397551652332624-1907009593-191511810289101129"1⤵PID:108
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Adds Run entry to start application
- Suspicious behavior: EnumeratesProcesses
PID:1424
-
C:\Windows\system32\taskeng.exetaskeng.exe {B1866A8A-BCF4-4C7F-B6A3-9E39BAAEA58B} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
PID:1728
-
C:\Users\Admin\AppData\Local\Temp\7.bin.exeC:\Users\Admin\AppData\Local\Temp\7.bin.exe /I njmklivdx1⤵
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:964
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"1⤵
- Windows security modification
PID:1956
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "451656596-1925243903-645866099-5161765021112258752111358910316401049581759920760"1⤵PID:1652
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"1⤵
- Windows security modification
PID:1632
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "40183899112916302-2052623171358655346-263077944-1916912612-1167357930-451754932"1⤵PID:1932
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"1⤵PID:1684
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "2127619852-993235986-2124241645-2014570527182190344861042296414491064932144229937"1⤵PID:544
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"1⤵PID:576
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "20796817916818620601826458542558577722160017407-144638398-3307046602017900169"1⤵PID:648
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"1⤵
- Windows security modification
PID:1940
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-802413980570330605193772083-9101082131045606861-1156282892-188116258779215992"1⤵PID:2000
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"1⤵
- Windows security modification
PID:1700
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-397546529-843389547-26192131516565029721734074481465266374-1136034080-1528723127"1⤵PID:1080
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"1⤵
- Windows security modification
PID:1088
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1093646579-753333997-834972694351459840-29995796194628937-717529946-1630728220"1⤵PID:1480
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"1⤵
- Windows security modification
PID:1544
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "54791355-15971780071381366702-874518089207314609-1464189978-1729963198-176995842"1⤵PID:188
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg" /d "0"1⤵
- Windows security bypass
PID:2004
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1815132818-1953088679925573803193258476-906623908-147630298-1809685621-1518219910"1⤵PID:1912
-
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exeC:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
PID:1336
-
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exeC:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe /C1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1512
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\7.bin.exe"1⤵PID:2040
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1712915126-803470768-17878711391490629660-1524325652584447468698073616-532713363"1⤵
- Suspicious use of SetWindowsHookEx
PID:1648
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /DELETE /F /TN njmklivdx1⤵
- Uses Task Scheduler COM API
PID:1948
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-242508293-1843648881-984437349157175798510335580471990534043-2089615384-1250511796"1⤵PID:1548
-
C:\Windows\system32\PING.EXEping.exe -n 6 127.0.0.11⤵
- Runs ping.exe
PID:464
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Additional techniques
- T1060
- T1089