Analysis
-
max time kernel
138s -
max time network
151s -
resource
win10v191014
Task
task1
Sample
7.bin.exe
Resource
win7v191014
General
-
Target
7.bin
-
Sample
191111-zl9l5y6lp2
-
SHA256
2b9ef4a9f47402d171eec28acadf3753cbb33c9bc6ec26d99aa060127a470e95
Malware Config
Extracted
qakbot
1573023013
107.12.140.181:443
67.5.33.229:2078
184.74.101.234:995
172.78.45.13:995
181.95.16.207:443
50.246.229.50:443
207.179.194.91:443
67.246.16.250:995
75.110.250.89:443
173.91.254.236:443
50.78.93.74:995
73.104.218.229:0
47.23.101.26:993
88.111.255.235:2222
12.5.37.3:995
24.30.71.200:443
72.29.181.77:2078
98.155.154.220:443
196.194.74.33:2222
47.214.144.253:443
67.10.18.112:993
73.232.165.200:995
115.132.97.136:443
47.202.98.230:443
71.93.60.90:443
72.46.151.196:995
137.25.72.175:443
67.160.63.127:443
197.86.194.53:995
75.142.59.167:443
47.155.19.205:443
182.56.89.221:995
2.90.219.43:443
105.246.75.20:995
75.110.90.155:443
166.62.180.194:2078
62.103.70.217:995
107.12.131.249:443
98.186.155.8:443
47.153.115.154:443
108.5.34.128:443
76.169.19.193:443
45.37.57.119:2222
76.116.128.81:443
2.50.41.185:443
95.67.238.16:21
107.184.252.92:443
75.130.117.134:443
70.183.3.199:443
72.142.106.198:993
181.197.195.138:995
186.47.208.238:50000
71.77.231.251:443
93.177.144.236:443
12.176.32.146:443
72.16.212.107:995
200.104.249.67:443
73.226.220.56:443
181.126.80.118:443
67.214.201.117:2222
108.160.123.244:443
173.247.186.90:443
90.43.6.185:2222
66.51.231.183:443
50.247.230.33:443
108.227.161.27:443
96.59.11.86:443
24.184.6.58:2222
117.204.224.110:995
174.131.181.120:995
76.80.66.226:443
207.162.184.228:443
173.178.129.3:443
47.23.101.26:465
12.5.37.3:443
111.125.70.30:2222
206.51.202.106:50002
201.152.111.120:995
75.131.72.82:995
174.48.72.160:443
2.177.101.143:443
47.146.169.85:443
184.191.62.78:443
75.70.218.193:443
162.244.225.30:443
123.252.128.47:443
174.130.203.235:443
205.250.79.62:443
162.244.224.166:443
116.58.100.130:443
68.174.15.223:443
199.126.92.231:995
173.178.129.3:990
65.30.12.240:443
24.201.68.105:2087
5.182.39.156:443
24.201.68.105:2078
23.240.185.215:443
68.131.9.203:443
187.163.139.200:993
75.81.25.223:995
70.120.151.69:443
32.208.1.239:443
73.37.61.237:443
168.245.228.71:443
72.29.181.77:2083
112.171.126.153:443
75.131.72.82:2087
67.200.146.98:2222
96.35.170.82:2222
72.132.145.25:443
71.30.56.170:443
174.16.234.171:993
75.175.209.163:995
47.153.115.154:995
72.213.98.233:443
2.50.170.151:443
173.22.120.11:2222
184.180.157.203:2222
75.165.132.69:443
64.19.74.29:995
104.32.185.213:2222
104.3.91.20:995
64.72.102.10:2222
173.3.132.17:995
74.194.4.181:443
75.131.72.82:443
68.238.144.55:443
100.4.185.8:443
190.217.1.149:443
104.34.122.18:443
66.214.75.176:443
47.153.115.154:443
72.142.106.198:465
68.238.56.27:443
24.180.7.155:443
24.203.64.26:2222
24.196.158.28:443
69.92.54.95:995
83.79.2.218:2222
98.148.177.77:443
170.10.78.48:443
71.90.241.69:443
23.240.34.55:443
201.188.17.26:443
181.135.235.70:443
67.190.189.217:443
75.182.115.93:443
75.110.104.106:443
203.83.20.209:995
Signatures
-
Checks SCSI registry key(s) (likely anti-VM) 3 TTPs 18 IoCs
description ioc pid Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 5032 7.bin.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc 5032 7.bin.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service 5032 7.bin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 5032 7.bin.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc 5032 7.bin.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service 5032 7.bin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 1016 ijsethyt.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc 1016 ijsethyt.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service 1016 ijsethyt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 1016 ijsethyt.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc 1016 ijsethyt.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service 1016 ijsethyt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 1080 ijsethyt.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc 1080 ijsethyt.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service 1080 ijsethyt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 1080 ijsethyt.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc 1080 ijsethyt.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service 1080 ijsethyt.exe -
Executes dropped EXE 4 IoCs
pid Process 404 ijsethyt.exe 1016 ijsethyt.exe 4604 ijsethyt.exe 1080 ijsethyt.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 4944 wrote to memory of 5032 4944 7.bin.exe 73 PID 5100 wrote to memory of 1980 5100 SppExtComObj.exe 76 PID 4944 wrote to memory of 404 4944 7.bin.exe 78 PID 4944 wrote to memory of 384 4944 7.bin.exe 79 PID 404 wrote to memory of 1016 404 ijsethyt.exe 81 PID 404 wrote to memory of 4480 404 ijsethyt.exe 82 PID 4900 wrote to memory of 5048 4900 7.bin.exe 92 PID 4900 wrote to memory of 1700 4900 7.bin.exe 94 PID 4900 wrote to memory of 2568 4900 7.bin.exe 96 PID 4900 wrote to memory of 3544 4900 7.bin.exe 98 PID 4900 wrote to memory of 2968 4900 7.bin.exe 100 PID 4900 wrote to memory of 4956 4900 7.bin.exe 102 PID 4900 wrote to memory of 2104 4900 7.bin.exe 104 PID 4900 wrote to memory of 4416 4900 7.bin.exe 106 PID 4900 wrote to memory of 4772 4900 7.bin.exe 108 PID 4900 wrote to memory of 4604 4900 7.bin.exe 110 PID 4900 wrote to memory of 608 4900 7.bin.exe 111 PID 4900 wrote to memory of 672 4900 7.bin.exe 112 PID 4604 wrote to memory of 1080 4604 ijsethyt.exe 116 -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 404 ijsethyt.exe -
Uses Task Scheduler COM API 1 TTPs 14 IoCs
description ioc pid Process Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} 672 schtasks.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd} 672 schtasks.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs 672 schtasks.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ 672 schtasks.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 672 schtasks.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\InprocServer32 672 schtasks.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\ 672 schtasks.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\ThreadingModel 672 schtasks.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 672 schtasks.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler 672 schtasks.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32 672 schtasks.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\AppID 672 schtasks.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer 672 schtasks.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation 672 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 4944 7.bin.exe 5032 7.bin.exe 404 ijsethyt.exe 1016 ijsethyt.exe 4480 explorer.exe 4900 7.bin.exe 4604 ijsethyt.exe 1080 ijsethyt.exe -
Drops file in system dir 5 IoCs
description ioc pid Process File opened for modification C:\Windows\Debug\ESE.TXT 4608 svchost.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp 4608 svchost.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp 4608 svchost.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp 4608 svchost.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp 4608 svchost.exe -
Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs
description ioc pid Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer 3532 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName 3532 svchost.exe -
description ioc pid Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr = "0" 4772 reg.exe -
pid Process 716 PING.EXE -
Qakbot persistence 1 IoCs
description ioc pid Process Event created 2ijsethyt4480 4480 explorer.exe -
description ioc pid Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0" 4864 svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1" 4864 svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting = "0" 5048 reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent = "2" 1700 reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" 2968 reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2" 4956 reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" 2104 reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2" 4416 reg.exe -
Adds Run entry to start application 2 TTPs 1 IoCs
description ioc pid Process Set value (str) \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Windows\CurrentVersion\Run\rugffwdk = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Onjpsefhpr\\ijsethyt.exe\"" 4480 explorer.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7.bin.exe"C:\Users\Admin\AppData\Local\Temp\7.bin.exe"1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
PID:4944
-
C:\Users\Admin\AppData\Local\Temp\7.bin.exeC:\Users\Admin\AppData\Local\Temp\7.bin.exe /C1⤵
- Checks SCSI registry key(s) (likely anti-VM)
- Suspicious behavior: EnumeratesProcesses
PID:5032
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
- Suspicious use of WriteProcessMemory
PID:5100
-
C:\Windows\System32\SLUI.exe"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent1⤵PID:1980
-
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exeC:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: EnumeratesProcesses
PID:404
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn zknnqsi /tr "\"C:\Users\Admin\AppData\Local\Temp\7.bin.exe\" /I zknnqsi" /SC ONCE /Z /ST 11:29 /ET 11:411⤵PID:384
-
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exeC:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe /C1⤵
- Checks SCSI registry key(s) (likely anti-VM)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1016
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Suspicious behavior: EnumeratesProcesses
- Qakbot persistence
- Adds Run entry to start application
PID:4480
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Drops file in system dir
PID:4608
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵PID:4612
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DoSvc1⤵
- Checks system information in the registry (likely anti-VM)
PID:3532
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup1⤵PID:4892
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc1⤵
- Windows security modification
PID:4864
-
C:\Users\Admin\AppData\Local\Temp\7.bin.exeC:\Users\Admin\AppData\Local\Temp\7.bin.exe /I zknnqsi1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
PID:4900
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"1⤵
- Windows security modification
PID:5048
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"1⤵
- Windows security modification
PID:1700
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"1⤵PID:2568
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"1⤵PID:3544
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"1⤵
- Windows security modification
PID:2968
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"1⤵
- Windows security modification
PID:4956
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"1⤵
- Windows security modification
PID:2104
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"1⤵
- Windows security modification
PID:4416
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr" /d "0"1⤵
- Windows security bypass
PID:4772
-
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exeC:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
PID:4604
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\7.bin.exe"1⤵PID:608
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /DELETE /F /TN zknnqsi1⤵
- Uses Task Scheduler COM API
PID:672
-
C:\Windows\system32\PING.EXEping.exe -n 6 127.0.0.11⤵
- Runs ping.exe
PID:716
-
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exeC:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe /C1⤵
- Checks SCSI registry key(s) (likely anti-VM)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1080
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Additional techniques
- T1089
- T1060