update.bin

General

Target: update.bin.exe
Filesize: N/A
Completed: 06-12-2019 16:11
Score: 10/10
SHA256: 983ea66816fa3e0a089be5ac33e8f3e2ff92b53e804389805fc591ea12cf09d0

Malware Config

Extracted

Family: qakbot
Campaign: 1575272833
C2

Signatures 12

Defense Evasion
Discovery
Persistence
  • Suspicious use of WriteProcessMemory
    update.bin.exe, payly.exe, taskeng.exe, update.bin.exe, payly.exe

    Reported IOCs

    description                        pid   process         target process
    PID 1620 wrote to memory of 1108   1620  update.bin.exe  update.bin.exe
    PID 1620 wrote to memory of 1092   1620  update.bin.exe  payly.exe
    PID 1620 wrote to memory of 1324   1620  update.bin.exe  schtasks.exe
    PID 1092 wrote to memory of 548    1092  payly.exe       payly.exe
    PID 1092 wrote to memory of 2024   1092  payly.exe       explorer.exe
    PID 1236 wrote to memory of 1120   1236  taskeng.exe     update.bin.exe
    PID 1120 wrote to memory of 1620   1120  update.bin.exe  reg.exe
    PID 1120 wrote to memory of 1292   1120  update.bin.exe  reg.exe
    PID 1120 wrote to memory of 1424   1120  update.bin.exe  reg.exe
    PID 1120 wrote to memory of 1520   1120  update.bin.exe  reg.exe
    PID 1120 wrote to memory of 1804   1120  update.bin.exe  reg.exe
    PID 1120 wrote to memory of 1180   1120  update.bin.exe  reg.exe
    PID 1120 wrote to memory of 320    1120  update.bin.exe  reg.exe
    PID 1120 wrote to memory of 776    1120  update.bin.exe  reg.exe
    PID 1120 wrote to memory of 1144   1120  update.bin.exe  reg.exe
    PID 1120 wrote to memory of 1732   1120  update.bin.exe  payly.exe
    PID 1732 wrote to memory of 864    1732  payly.exe       payly.exe
    PID 1120 wrote to memory of 1932   1120  update.bin.exe  cmd.exe
    PID 1120 wrote to memory of 1680   1120  update.bin.exe  schtasks.exe
  • Loads dropped DLL
    update.bin.exe, payly.exe, payly.exe, update.bin.exe, payly.exe, payly.exe

    Reported IOCs

    pid   process
    1620  update.bin.exe
    1092  payly.exe
    548   payly.exe
    1120  update.bin.exe
    1732  payly.exe
    864   payly.exe
  • Suspicious behavior: MapViewOfSection
    payly.exe

    Reported IOCs

    pid   process
    1092  payly.exe
  • Suspicious use of SetWindowsHookEx
    conhost.exe

    Reported IOCs

    pid   process
    576   conhost.exe
  • Adds Run entry to start application

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description      ioc
    Set value (str)  \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Windows\CurrentVersion\Run\jdaxm = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Hbxryn\\payly.exe\""
  • Suspicious behavior: EnumeratesProcesses
    update.bin.exe, update.bin.exe, payly.exe, payly.exe, explorer.exe, update.bin.exe, payly.exe, payly.exe

    Reported IOCs

    pid   process
    1620  update.bin.exe
    1108  update.bin.exe
    1092  payly.exe
    548   payly.exe
    2024  explorer.exe
    1120  update.bin.exe
    1732  payly.exe
    864   payly.exe
  • Executes dropped EXE
    payly.exe, payly.exe, payly.exe, payly.exe

    Reported IOCs

    pid   process
    1092  payly.exe
    548   payly.exe
    1732  payly.exe
    864   payly.exe
  • Uses Task Scheduler COM API

    Description

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    TTPs

    Query Registry
  • Qakbot/Qbot

    Description

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Turn off Windows Defender SpyNet reporting

    Reported IOCs

    description      ioc
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent = "2"
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2"
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting = "0"
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent = "2"
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SpyNetReporting = "0"
  • Windows security bypass

    TTPs

    Disabling Security Tools, Modify Registry

    Reported IOCs

    description      ioc
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Hbxryn = "0"
  • Runs ping.exe
    PING.EXE

    TTPs

    Remote System Discovery

    Reported IOCs

    pid   process
    1716  PING.EXE
Processes 34
  • C:\Users\Admin\AppData\Local\Temp\update.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\update.bin.exe"
    Suspicious use of WriteProcessMemory
    Loads dropped DLL
    Suspicious behavior: EnumeratesProcesses
    PID:1620
    • C:\Users\Admin\AppData\Local\Temp\update.bin.exe
      C:\Users\Admin\AppData\Local\Temp\update.bin.exe /C
      Suspicious behavior: EnumeratesProcesses
      PID:1108
    • C:\Users\Admin\AppData\Roaming\Microsoft\Hbxryn\payly.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Hbxryn\payly.exe
      Suspicious use of WriteProcessMemory
      Loads dropped DLL
      Suspicious behavior: MapViewOfSection
      Suspicious behavior: EnumeratesProcesses
      Executes dropped EXE
      PID:1092
      • C:\Users\Admin\AppData\Roaming\Microsoft\Hbxryn\payly.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Hbxryn\payly.exe /C
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Executes dropped EXE
        PID:548
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        Suspicious behavior: EnumeratesProcesses
        PID:2024
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn krtbzyfwy /tr "\"C:\Users\Admin\AppData\Local\Temp\update.bin.exe\" /I krtbzyfwy" /SC ONCE /Z /ST 17:10 /ET 17:22
      PID:1324
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-115038910015188956801145298583-1479397551652332624-1907009593-191511810289101129"
    PID:796
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {1B7528C7-3971-41D9-82F6-2A1D9447D177} S-1-5-18:NT AUTHORITY\System:Service:
    Suspicious use of WriteProcessMemory
    PID:1236
    • C:\Users\Admin\AppData\Local\Temp\update.bin.exe
      C:\Users\Admin\AppData\Local\Temp\update.bin.exe /I krtbzyfwy
      Suspicious use of WriteProcessMemory
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:1120
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        PID:1620
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
        PID:1292
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        PID:1424
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
        PID:1520
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        PID:1804
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
        PID:1180
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        PID:320
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
        PID:776
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Hbxryn" /d "0"
        PID:1144
      • C:\Users\Admin\AppData\Roaming\Microsoft\Hbxryn\payly.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Hbxryn\payly.exe
        Suspicious use of WriteProcessMemory
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Executes dropped EXE
        PID:1732
        • C:\Users\Admin\AppData\Roaming\Microsoft\Hbxryn\payly.exe
          C:\Users\Admin\AppData\Roaming\Microsoft\Hbxryn\payly.exe /C
          Loads dropped DLL
          Suspicious behavior: EnumeratesProcesses
          Executes dropped EXE
          PID:864
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\update.bin.exe"
        PID:1932
        • C:\Windows\system32\PING.EXE
          ping.exe -n 6 127.0.0.1
          Runs ping.exe
          PID:1716
      • C:\Windows\system32\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /DELETE /F /TN krtbzyfwy
        PID:1680
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "1925843867-1252870584-153587140418042367762066435233-97244725714215768374936589"
    PID:792
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "5991945751477317584481580963-28244590631661012-26451545-1512751781211705908"
    PID:1452
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "1217975599-26466555014628137673306857831265789172-1018989508-318191391-743193213"
    PID:1904
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-1125423169122185108510964049223639841713832155-343241470-2115370341245017430"
    PID:1016
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-802413980570330605193772083-9101082131045606861-1156282892-188116258779215992"
    PID:1344
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-397546529-843389547-26192131516565029721734074481465266374-1136034080-1528723127"
    PID:1860
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "77852560294720291500936098-465784873-2122278567-1481228945-9190777731422459859"
    PID:656
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "4916208491596549119997024938-6061279751786413012-5610594391857924242-1377142757"
    PID:1084
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "1436907015-1852971359145929777513809988051237679605208291478816425429341522235461"
    PID:1724
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "134596354628802124-977017570-1107757775740560907-1244859459-1860076521674221769"
    PID:544
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "13618150012014722858873317201-354127923-1032783271-15507425611090549047-1012148730"
    Suspicious use of SetWindowsHookEx
    PID:576
Network
MITRE ATT&CK Matrix
  Collection, Command and Control, Credential Access, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation

Downloads
  • C:\Users\Admin\AppData\Roaming\Microsoft\Hbxryn\payly.dat
  • C:\Users\Admin\AppData\Roaming\Microsoft\Hbxryn\payly.exe
  • \Users\Admin\AppData\Roaming\Microsoft\Hbxryn\payly.exe
  • memory/548-13-0x0000000002650000-0x0000000002661000-memory.dmp
  • memory/864-27-0x0000000002460000-0x0000000002471000-memory.dmp
  • memory/1092-14-0x00000000020A0000-0x0000000002132000-memory.dmp
  • memory/1108-0-0x0000000002520000-0x0000000002531000-memory.dmp