Analysis
- max time kernel: 137s
- resource: win10v191014
- submitted: 06-12-2019 16:08
Task: task1
Sample: update.bin.exe
Resource: win7v191014
General
Malware Config (extracted)
Family: qakbot
Campaign: 1575272833 (a Unix timestamp: 2019-12-02 07:47:13 UTC)
C2 (IP:port):
173.172.205.216:995
71.77.231.251:443
75.110.250.89:443
72.190.101.70:443
12.5.37.3:995
68.49.120.179:443
184.74.101.234:995
24.30.71.200:443
100.4.185.8:443
72.218.167.183:443
80.14.209.42:2222
187.206.88.42:995
104.34.122.18:443
81.103.144.77:443
75.110.219.10:443
12.5.37.3:443
74.134.35.54:443
70.183.3.199:443
64.250.55.239:443
75.142.59.167:443
72.29.181.77:2222
24.164.79.147:443
174.131.181.120:995
107.12.140.181:443
24.27.82.216:2222
197.89.42.74:995
198.72.193.198:2222
104.152.16.45:995
208.101.161.39:443
99.250.71.19:443
47.180.66.10:443
184.191.62.78:443
72.142.106.198:465
207.162.184.228:443
62.0.67.88:443
206.51.202.106:50002
2.179.34.174:443
67.174.112.185:443
96.37.137.42:443
47.23.101.26:993
67.10.18.112:993
74.71.216.1:443
5.182.39.156:443
50.78.93.74:995
162.244.224.166:443
75.130.117.134:443
75.110.90.106:443
196.194.65.30:443
96.35.170.82:2222
184.180.157.203:2222
98.173.34.212:995
74.134.4.236:443
71.84.5.114:995
24.111.196.195:443
75.131.72.82:443
72.16.212.107:465
24.184.6.58:2222
104.32.185.213:2222
47.153.115.154:995
73.226.220.56:443
68.174.15.223:443
68.238.144.55:443
75.131.72.82:995
72.224.159.224:2222
174.80.124.136:443
196.194.65.30:2222
95.67.239.102:21
103.120.189.218:443
62.103.70.217:995
201.152.199.66:995
71.30.56.170:443
107.12.131.249:443
70.164.39.91:443
23.240.185.215:443
201.188.77.21:443
172.78.87.180:995
47.23.101.26:465
166.62.180.194:2078
75.165.181.122:443
108.160.123.244:443
47.214.144.253:443
27.4.74.205:443
62.47.252.79:993
2.50.157.249:443
71.226.140.73:443
47.146.169.85:443
162.244.225.30:443
47.137.243.80:443
50.246.229.50:443
67.87.38.242:2222
173.22.120.11:2222
71.222.30.198:443
184.100.227.57:443
75.70.218.193:443
187.163.139.94:993
68.83.59.107:443
111.125.70.30:2222
70.124.29.226:443
76.174.122.204:443
74.194.4.181:443
24.201.68.105:2078
104.34.103.46:2222
64.33.68.198:443
172.242.9.118:995
63.230.11.140:995
104.3.91.20:995
45.45.105.94:443
47.202.98.230:443
173.3.132.17:995
64.19.74.29:995
123.252.128.47:443
75.182.214.87:443
116.58.100.130:443
47.144.93.71:443
181.126.80.118:443
12.176.32.146:443
117.204.239.12:995
174.48.72.160:443
68.100.248.78:443
75.166.74.158:443
65.30.12.240:443
68.225.250.136:443
50.247.230.33:995
205.250.79.62:443
66.214.75.176:443
104.175.240.29:443
24.202.42.48:2222
173.172.205.216:443
67.246.16.250:995
47.155.19.205:443
67.160.63.127:443
73.200.219.143:443
72.132.145.25:443
98.148.177.77:443
97.120.78.231:995
172.89.144.89:995
73.137.187.150:443
47.148.143.146:443
92.3.196.234:2222
174.82.131.155:995
73.104.218.229:0
75.165.162.10:443
67.245.56.108:443
97.84.226.90:443
75.165.162.33:443
97.83.66.143:443
24.196.158.28:443
68.39.177.147:995
67.250.76.135:443
96.236.196.34:443
Signatures
-
Processes (description, ioc):
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Tykyugvn = "0"
-
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes (pid, process):
- 4984 update.bin.exe
- 5052 update.bin.exe
- 2904 ldzgsvy.exe
- 4008 ldzgsvy.exe
- 4048 explorer.exe
- 4564 update.bin.exe
- 4228 ldzgsvy.exe
- 4160 ldzgsvy.exe
-
Checks system information in the registry (2 TTPs, 2 IoCs)
System information is often read in order to detect sandboxing environments.
Processes (description, ioc):
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName
-
Adds Run entry to start application (2 TTPs, 1 IoCs)
Processes (description, ioc):
- Set value (str): \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Windows\CurrentVersion\Run\ewenc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Tykyugvn\\ldzgsvy.exe\""
-
Processes (description, ioc):
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1"
-
Suspicious behavior: MapViewOfSection (1 IoCs)
Processes (pid, process):
- 2904 ldzgsvy.exe
-
Drops file in Windows directory (1 IoCs)
Processes (description, ioc, process):
- File opened for modification: C:\Windows\Debug\ESE.TXT (svchost.exe)
-
Turn off Windows Defender SpyNet reporting (6 IoCs)
Processes (description, ioc):
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting = "0"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent = "2"
-
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes (description, ioc):
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service
-
Suspicious use of WriteProcessMemory (19 IoCs)
Processes (source pid and process -> target pid and process):
- PID 4984 update.bin.exe wrote to memory of 5052 update.bin.exe
- PID 5084 SppExtComObj.exe wrote to memory of 5112 SLUI.exe
- PID 4984 update.bin.exe wrote to memory of 2904 ldzgsvy.exe
- PID 4984 update.bin.exe wrote to memory of 2896 schtasks.exe
- PID 2904 ldzgsvy.exe wrote to memory of 4008 ldzgsvy.exe
- PID 2904 ldzgsvy.exe wrote to memory of 4048 explorer.exe
- PID 4564 update.bin.exe wrote to memory of 4624 reg.exe
- PID 4564 update.bin.exe wrote to memory of 4636 reg.exe
- PID 4564 update.bin.exe wrote to memory of 4604 reg.exe
- PID 4564 update.bin.exe wrote to memory of 4712 reg.exe
- PID 4564 update.bin.exe wrote to memory of 4724 reg.exe
- PID 4564 update.bin.exe wrote to memory of 4384 reg.exe
- PID 4564 update.bin.exe wrote to memory of 3688 reg.exe
- PID 4564 update.bin.exe wrote to memory of 4840 reg.exe
- PID 4564 update.bin.exe wrote to memory of 4324 reg.exe
- PID 4564 update.bin.exe wrote to memory of 4228 ldzgsvy.exe
- PID 4564 update.bin.exe wrote to memory of 4128 cmd.exe
- PID 4564 update.bin.exe wrote to memory of 4152 schtasks.exe
- PID 4228 ldzgsvy.exe wrote to memory of 4160 ldzgsvy.exe
-
Executes dropped EXE (4 IoCs)
Processes (pid, process):
- 2904 ldzgsvy.exe
- 4008 ldzgsvy.exe
- 4228 ldzgsvy.exe
- 4160 ldzgsvy.exe
-
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Process tree (indentation shows parent/child depth; each entry gives the image path, then its command line, then the signatures that fired for it):

C:\Users\Admin\AppData\Local\Temp\update.bin.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\update.bin.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\update.bin.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\update.bin.exe /C
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Roaming\Microsoft\Tykyugvn\ldzgsvy.exe
      cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Tykyugvn\ldzgsvy.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - Executes dropped EXE

        C:\Users\Admin\AppData\Roaming\Microsoft\Tykyugvn\ldzgsvy.exe
          cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Tykyugvn\ldzgsvy.exe /C
          - Suspicious behavior: EnumeratesProcesses
          - Executes dropped EXE

        C:\Windows\SysWOW64\explorer.exe
          cmdline: C:\Windows\SysWOW64\explorer.exe
          - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\schtasks.exe
      cmdline: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ctbnemtyqp /tr "\"C:\Users\Admin\AppData\Local\Temp\update.bin.exe\" /I ctbnemtyqp" /SC ONCE /Z /ST 17:10 /ET 17:22

C:\Windows\system32\SppExtComObj.exe
  cmdline: C:\Windows\system32\SppExtComObj.exe -Embedding
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\SLUI.exe
      cmdline: "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent

C:\Users\Admin\AppData\Local\Temp\update.bin.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\update.bin.exe /I ctbnemtyqp
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"

    C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"

    C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"

    C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"

    C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"

    C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"

    C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"

    C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"

    C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Tykyugvn" /d "0"

    C:\Users\Admin\AppData\Roaming\Microsoft\Tykyugvn\ldzgsvy.exe
      cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Tykyugvn\ldzgsvy.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - Executes dropped EXE

        C:\Users\Admin\AppData\Roaming\Microsoft\Tykyugvn\ldzgsvy.exe
          cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Tykyugvn\ldzgsvy.exe /C
          - Suspicious behavior: EnumeratesProcesses
          - Executes dropped EXE

    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\update.bin.exe"

        C:\Windows\system32\PING.EXE
          cmdline: ping.exe -n 6 127.0.0.1
          - Runs ping.exe

    C:\Windows\system32\schtasks.exe
      cmdline: "C:\Windows\system32\schtasks.exe" /DELETE /F /TN ctbnemtyqp

\??\c:\windows\system32\svchost.exe
  cmdline: c:\windows\system32\svchost.exe -k netsvcs -s BITS
  - Drops file in Windows directory

\??\c:\windows\system32\svchost.exe
  cmdline: c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV

\??\c:\windows\system32\svchost.exe
  cmdline: c:\windows\system32\svchost.exe -k netsvcs -s DoSvc

\??\c:\windows\system32\svchost.exe
  cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup

\??\c:\windows\system32\svchost.exe
  cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Tykyugvn\ldzgsvy.dat
- C:\Users\Admin\AppData\Roaming\Microsoft\Tykyugvn\ldzgsvy.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Tykyugvn\ldzgsvy.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Tykyugvn\ldzgsvy.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Tykyugvn\ldzgsvy.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Tykyugvn\ldzgsvy.exe
- memory/2904-5-0x00000000029D0000-0x0000000002A62000-memory.dmp (filesize 584KB)
- memory/4008-4-0x0000000002A00000-0x0000000002A01000-memory.dmp (filesize 4KB)
- memory/4160-9-0x0000000002810000-0x0000000002811000-memory.dmp (filesize 4KB)
- memory/5052-0-0x00000000029A0000-0x00000000029A1000-memory.dmp (filesize 4KB)