Analysis
-
max time kernel: 134s
resource: win7v191014
submitted: 06-12-2019 16:08
Task: task1
Sample: update.bin.exe
Resource: win7v191014
General
Malware Config
Extracted
Family: qakbot
Campaign: 1575272833
C2:
173.172.205.216:995
71.77.231.251:443
75.110.250.89:443
72.190.101.70:443
12.5.37.3:995
68.49.120.179:443
184.74.101.234:995
24.30.71.200:443
100.4.185.8:443
72.218.167.183:443
80.14.209.42:2222
187.206.88.42:995
104.34.122.18:443
81.103.144.77:443
75.110.219.10:443
12.5.37.3:443
74.134.35.54:443
70.183.3.199:443
64.250.55.239:443
75.142.59.167:443
72.29.181.77:2222
24.164.79.147:443
174.131.181.120:995
107.12.140.181:443
24.27.82.216:2222
197.89.42.74:995
198.72.193.198:2222
104.152.16.45:995
208.101.161.39:443
99.250.71.19:443
47.180.66.10:443
184.191.62.78:443
72.142.106.198:465
207.162.184.228:443
62.0.67.88:443
206.51.202.106:50002
2.179.34.174:443
67.174.112.185:443
96.37.137.42:443
47.23.101.26:993
67.10.18.112:993
74.71.216.1:443
5.182.39.156:443
50.78.93.74:995
162.244.224.166:443
75.130.117.134:443
75.110.90.106:443
196.194.65.30:443
96.35.170.82:2222
184.180.157.203:2222
98.173.34.212:995
74.134.4.236:443
71.84.5.114:995
24.111.196.195:443
75.131.72.82:443
72.16.212.107:465
24.184.6.58:2222
104.32.185.213:2222
47.153.115.154:995
73.226.220.56:443
68.174.15.223:443
68.238.144.55:443
75.131.72.82:995
72.224.159.224:2222
174.80.124.136:443
196.194.65.30:2222
95.67.239.102:21
103.120.189.218:443
62.103.70.217:995
201.152.199.66:995
71.30.56.170:443
107.12.131.249:443
70.164.39.91:443
23.240.185.215:443
201.188.77.21:443
172.78.87.180:995
47.23.101.26:465
166.62.180.194:2078
75.165.181.122:443
108.160.123.244:443
47.214.144.253:443
27.4.74.205:443
62.47.252.79:993
2.50.157.249:443
71.226.140.73:443
47.146.169.85:443
162.244.225.30:443
47.137.243.80:443
50.246.229.50:443
67.87.38.242:2222
173.22.120.11:2222
71.222.30.198:443
184.100.227.57:443
75.70.218.193:443
187.163.139.94:993
68.83.59.107:443
111.125.70.30:2222
70.124.29.226:443
76.174.122.204:443
74.194.4.181:443
24.201.68.105:2078
104.34.103.46:2222
64.33.68.198:443
172.242.9.118:995
63.230.11.140:995
104.3.91.20:995
45.45.105.94:443
47.202.98.230:443
173.3.132.17:995
64.19.74.29:995
123.252.128.47:443
75.182.214.87:443
116.58.100.130:443
47.144.93.71:443
181.126.80.118:443
12.176.32.146:443
117.204.239.12:995
174.48.72.160:443
68.100.248.78:443
75.166.74.158:443
65.30.12.240:443
68.225.250.136:443
50.247.230.33:995
205.250.79.62:443
66.214.75.176:443
104.175.240.29:443
24.202.42.48:2222
173.172.205.216:443
67.246.16.250:995
47.155.19.205:443
67.160.63.127:443
73.200.219.143:443
72.132.145.25:443
98.148.177.77:443
97.120.78.231:995
172.89.144.89:995
73.137.187.150:443
47.148.143.146:443
92.3.196.234:2222
174.82.131.155:995
73.104.218.229:0
75.165.162.10:443
67.245.56.108:443
97.84.226.90:443
75.165.162.33:443
97.83.66.143:443
24.196.158.28:443
68.39.177.147:995
67.250.76.135:443
96.236.196.34:443
Signatures
-
Suspicious use of WriteProcessMemory (19 IoCs)
Processes:
PID 1620 (update.bin.exe) wrote to memory of PID 1108 (update.bin.exe)
PID 1620 (update.bin.exe) wrote to memory of PID 1092 (payly.exe)
PID 1620 (update.bin.exe) wrote to memory of PID 1324 (schtasks.exe)
PID 1092 (payly.exe) wrote to memory of PID 548 (payly.exe)
PID 1092 (payly.exe) wrote to memory of PID 2024 (explorer.exe)
PID 1236 (taskeng.exe) wrote to memory of PID 1120 (update.bin.exe)
PID 1120 (update.bin.exe) wrote to memory of PID 1620 (reg.exe)
PID 1120 (update.bin.exe) wrote to memory of PID 1292 (reg.exe)
PID 1120 (update.bin.exe) wrote to memory of PID 1424 (reg.exe)
PID 1120 (update.bin.exe) wrote to memory of PID 1520 (reg.exe)
PID 1120 (update.bin.exe) wrote to memory of PID 1804 (reg.exe)
PID 1120 (update.bin.exe) wrote to memory of PID 1180 (reg.exe)
PID 1120 (update.bin.exe) wrote to memory of PID 320 (reg.exe)
PID 1120 (update.bin.exe) wrote to memory of PID 776 (reg.exe)
PID 1120 (update.bin.exe) wrote to memory of PID 1144 (reg.exe)
PID 1120 (update.bin.exe) wrote to memory of PID 1732 (payly.exe)
PID 1732 (payly.exe) wrote to memory of PID 864 (payly.exe)
PID 1120 (update.bin.exe) wrote to memory of PID 1932 (cmd.exe)
PID 1120 (update.bin.exe) wrote to memory of PID 1680 (schtasks.exe)
-
Loads dropped DLL (6 IoCs)
Processes:
PID 1620 update.bin.exe
PID 1092 payly.exe
PID 548 payly.exe
PID 1120 update.bin.exe
PID 1732 payly.exe
PID 864 payly.exe
-
Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
PID 1092 payly.exe
-
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
PID 576 conhost.exe
-
Adds Run entry to start application (2 TTPs, 1 IoC)
Processes:
Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Windows\CurrentVersion\Run\jdaxm = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Hbxryn\\payly.exe\""
-
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
PID 1620 update.bin.exe
PID 1108 update.bin.exe
PID 1092 payly.exe
PID 548 payly.exe
PID 2024 explorer.exe
PID 1120 update.bin.exe
PID 1732 payly.exe
PID 864 payly.exe
-
Executes dropped EXE (4 IoCs)
Processes:
PID 1092 payly.exe
PID 548 payly.exe
PID 1732 payly.exe
PID 864 payly.exe
-
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Turn off Windows Defender SpyNet reporting (6 IoCs)
Processes:
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent = "2"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting = "0"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent = "2"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SpyNetReporting = "0"
-
Processes:
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Hbxryn = "0"
Processes
-
(Each entry lists the image path, then its command line; children are indented under their parent process.)
C:\Users\Admin\AppData\Local\Temp\update.bin.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\update.bin.exe"
  - Suspicious use of WriteProcessMemory
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  C:\Users\Admin\AppData\Local\Temp\update.bin.exe
    command line: C:\Users\Admin\AppData\Local\Temp\update.bin.exe /C
    - Suspicious behavior: EnumeratesProcesses
  C:\Users\Admin\AppData\Roaming\Microsoft\Hbxryn\payly.exe
    command line: C:\Users\Admin\AppData\Roaming\Microsoft\Hbxryn\payly.exe
    - Suspicious use of WriteProcessMemory
    - Loads dropped DLL
    - Suspicious behavior: MapViewOfSection
    - Suspicious behavior: EnumeratesProcesses
    - Executes dropped EXE
    C:\Users\Admin\AppData\Roaming\Microsoft\Hbxryn\payly.exe
      command line: C:\Users\Admin\AppData\Roaming\Microsoft\Hbxryn\payly.exe /C
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Executes dropped EXE
    C:\Windows\SysWOW64\explorer.exe
      command line: C:\Windows\SysWOW64\explorer.exe
      - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\schtasks.exe
    command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn krtbzyfwy /tr "\"C:\Users\Admin\AppData\Local\Temp\update.bin.exe\" /I krtbzyfwy" /SC ONCE /Z /ST 17:10 /ET 17:22
C:\Windows\system32\conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe "-115038910015188956801145298583-1479397551652332624-1907009593-191511810289101129"
C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {1B7528C7-3971-41D9-82F6-2A1D9447D177} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\update.bin.exe
    command line: C:\Users\Admin\AppData\Local\Temp\update.bin.exe /I krtbzyfwy
    - Suspicious use of WriteProcessMemory
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    C:\Windows\system32\reg.exe
      command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    C:\Windows\system32\reg.exe
      command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    C:\Windows\system32\reg.exe
      command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    C:\Windows\system32\reg.exe
      command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    C:\Windows\system32\reg.exe
      command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    C:\Windows\system32\reg.exe
      command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    C:\Windows\system32\reg.exe
      command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    C:\Windows\system32\reg.exe
      command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    C:\Windows\system32\reg.exe
      command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Hbxryn" /d "0"
    C:\Users\Admin\AppData\Roaming\Microsoft\Hbxryn\payly.exe
      command line: C:\Users\Admin\AppData\Roaming\Microsoft\Hbxryn\payly.exe
      - Suspicious use of WriteProcessMemory
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Executes dropped EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Hbxryn\payly.exe
        command line: C:\Users\Admin\AppData\Roaming\Microsoft\Hbxryn\payly.exe /C
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Executes dropped EXE
    C:\Windows\System32\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\update.bin.exe"
      C:\Windows\system32\PING.EXE
        command line: ping.exe -n 6 127.0.0.1
        - Runs ping.exe
    C:\Windows\system32\schtasks.exe
      command line: "C:\Windows\system32\schtasks.exe" /DELETE /F /TN krtbzyfwy
C:\Windows\system32\conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe "1925843867-1252870584-153587140418042367762066435233-97244725714215768374936589"
C:\Windows\system32\conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe "5991945751477317584481580963-28244590631661012-26451545-1512751781211705908"
C:\Windows\system32\conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe "1217975599-26466555014628137673306857831265789172-1018989508-318191391-743193213"
C:\Windows\system32\conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe "-1125423169122185108510964049223639841713832155-343241470-2115370341245017430"
C:\Windows\system32\conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe "-802413980570330605193772083-9101082131045606861-1156282892-188116258779215992"
C:\Windows\system32\conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe "-397546529-843389547-26192131516565029721734074481465266374-1136034080-1528723127"
C:\Windows\system32\conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe "77852560294720291500936098-465784873-2122278567-1481228945-9190777731422459859"
C:\Windows\system32\conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe "4916208491596549119997024938-6061279751786413012-5610594391857924242-1377142757"
C:\Windows\system32\conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe "1436907015-1852971359145929777513809988051237679605208291478816425429341522235461"
C:\Windows\system32\conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe "134596354628802124-977017570-1107757775740560907-1244859459-1860076521674221769"
C:\Windows\system32\conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe "13618150012014722858873317201-354127923-1032783271-15507425611090549047-1012148730"
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Hbxryn\payly.dat
- C:\Users\Admin\AppData\Roaming\Microsoft\Hbxryn\payly.exe
- \Users\Admin\AppData\Roaming\Microsoft\Hbxryn\payly.exe
- memory/548-13-0x0000000002650000-0x0000000002661000-memory.dmp (Filesize: 68KB)
- memory/864-27-0x0000000002460000-0x0000000002471000-memory.dmp (Filesize: 68KB)
- memory/1092-14-0x00000000020A0000-0x0000000002132000-memory.dmp (Filesize: 584KB)
- memory/1108-0-0x0000000002520000-0x0000000002531000-memory.dmp (Filesize: 68KB)