update.bin

General

Target: update.bin.exe
Filesize: N/A
Completed: 06-12-2019 16:11
Score: 10/10
SHA256: 983ea66816fa3e0a089be5ac33e8f3e2ff92b53e804389805fc591ea12cf09d0

Malware Config

Extracted

Family: qakbot
Campaign: 1575272833 (decodes as the Unix timestamp 2019-12-02 07:47:13 UTC)
C2 (50 ip:port pairs; 32 on 443, 8 on 995, 6 on 2222, 2 on 993, 1 on 465, 1 on 50002):

173.172.205.216:995
71.77.231.251:443
75.110.250.89:443
72.190.101.70:443
12.5.37.3:995
68.49.120.179:443
184.74.101.234:995
24.30.71.200:443
100.4.185.8:443
72.218.167.183:443
80.14.209.42:2222
187.206.88.42:995
104.34.122.18:443
81.103.144.77:443
75.110.219.10:443
12.5.37.3:443
74.134.35.54:443
70.183.3.199:443
64.250.55.239:443
75.142.59.167:443
72.29.181.77:2222
24.164.79.147:443
174.131.181.120:995
107.12.140.181:443
24.27.82.216:2222
197.89.42.74:995
198.72.193.198:2222
104.152.16.45:995
208.101.161.39:443
99.250.71.19:443
47.180.66.10:443
184.191.62.78:443
72.142.106.198:465
207.162.184.228:443
62.0.67.88:443
206.51.202.106:50002
2.179.34.174:443
67.174.112.185:443
96.37.137.42:443
47.23.101.26:993
67.10.18.112:993
74.71.216.1:443
5.182.39.156:443
50.78.93.74:995
162.244.224.166:443
75.130.117.134:443
75.110.90.106:443
196.194.65.30:443
96.35.170.82:2222
184.180.157.203:2222
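The C2 list above turned into a matcher for outbound connection logs. This is example code added by the editor, not part of the sandbox report: it embeds the 50 ip:port pairs verbatim, and the firewall log lines it runs over are constructed for the example (203.0.113.9 is a documentation address standing in for ordinary non-C2 traffic). It separates an exact ip:port hit from an address-only hit, because the port is part of the indicator for this family's C2 entries (the same address 12.5.37.3 appears on both 995 and 443).

```python
"""Match outbound connection logs against the Qakbot C2 list in this report.
Example code added by the editor; not part of the sandbox report."""
from collections import Counter
import ipaddress
import re

# All 50 ip:port pairs from the Malware Config section, in report order.
C2_TEXT = """
173.172.205.216:995 71.77.231.251:443 75.110.250.89:443 72.190.101.70:443
12.5.37.3:995 68.49.120.179:443 184.74.101.234:995 24.30.71.200:443
100.4.185.8:443 72.218.167.183:443 80.14.209.42:2222 187.206.88.42:995
104.34.122.18:443 81.103.144.77:443 75.110.219.10:443 12.5.37.3:443
74.134.35.54:443 70.183.3.199:443 64.250.55.239:443 75.142.59.167:443
72.29.181.77:2222 24.164.79.147:443 174.131.181.120:995 107.12.140.181:443
24.27.82.216:2222 197.89.42.74:995 198.72.193.198:2222 104.152.16.45:995
208.101.161.39:443 99.250.71.19:443 47.180.66.10:443 184.191.62.78:443
72.142.106.198:465 207.162.184.228:443 62.0.67.88:443 206.51.202.106:50002
2.179.34.174:443 67.174.112.185:443 96.37.137.42:443 47.23.101.26:993
67.10.18.112:993 74.71.216.1:443 5.182.39.156:443 50.78.93.74:995
162.244.224.166:443 75.130.117.134:443 75.110.90.106:443 196.194.65.30:443
96.35.170.82:2222 184.180.157.203:2222
"""


def parse_c2(text):
    """Parse 'ip:port' tokens into a set of (ip, port); rejects malformed entries
    so a typo in an indicator list fails loudly instead of silently never matching."""
    pairs = set()
    for token in text.split():
        host, sep, port = token.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"malformed C2 entry: {token!r}")
        pairs.add((str(ipaddress.ip_address(host)), int(port)))
    return pairs


def port_histogram(pairs):
    """How many C2 entries use each port; useful for egress-filter decisions."""
    return Counter(port for _, port in pairs)


# Constructed firewall log lines (not from the report), one connection per line:
# "timestamp src_ip src_port dst_ip dst_port proto". The last line is deliberately
# malformed to show that unparseable input is skipped rather than crashing the scan.
SAMPLE_LOG = """\
2019-12-06T16:12:01 10.0.0.15 49811 173.172.205.216 995 tcp
2019-12-06T16:12:03 10.0.0.15 49812 203.0.113.9 443 tcp
2019-12-06T16:12:05 10.0.0.15 49813 206.51.202.106 50002 tcp
2019-12-06T16:12:07 10.0.0.22 49010 80.14.209.42 443 tcp
garbage line that should be skipped
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\d+) (\S+) (\d+) (\S+)$")


def match_log(log_text, pairs):
    """Return (timestamp, src, dst, dport, confidence) for every connection whose
    destination is on the C2 list. 'exact' means ip and port both matched; 'ip-only'
    means the address is listed but on a different port, which deserves a look but is
    weaker evidence because the port is part of the indicator."""
    listed_ips = {ip for ip, _ in pairs}
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected layout
        ts, src, _sport, dst, dport, _proto = m.groups()
        dport = int(dport)
        if (dst, dport) in pairs:
            hits.append((ts, src, dst, dport, "exact"))
        elif dst in listed_ips:
            hits.append((ts, src, dst, dport, "ip-only"))
    return hits


if __name__ == "__main__":
    c2 = parse_c2(C2_TEXT)
    print("ports:", dict(port_histogram(c2)))
    for hit in match_log(SAMPLE_LOG, c2):
        print(*hit)
```

The port histogram is the practical takeaway: 18 of the 50 entries use ports other than 443 (995, 2222, 993, 465, 50002), so a client workstation opening outbound sessions on those ports to residential-looking addresses is itself a hunting lead even without an exact indicator match.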

Signatures 14

Tactics observed: Defense Evasion, Discovery, Persistence

  • Windows security bypass

    TTPs

    Disabling Security Tools, Modify Registry

    Reported IOCs

    description | ioc
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Tykyugvn = "0"

    Note: Defender stores path exclusions as DWORD values named after the excluded path, so this single write excludes the whole directory the sample drops ldzgsvy.exe into. It is the reg.exe call from PID 4564 (PID 4324) in the process list below.
  • Suspicious behavior: EnumeratesProcesses
    update.bin.exe, update.bin.exe, ldzgsvy.exe, ldzgsvy.exe, explorer.exe, update.bin.exe, ldzgsvy.exe, ldzgsvy.exe

    Reported IOCs

    pid | process
    4984 | update.bin.exe
    5052 | update.bin.exe
    2904 | ldzgsvy.exe
    4008 | ldzgsvy.exe
    4048 | explorer.exe
    4564 | update.bin.exe
    4228 | ldzgsvy.exe
    4160 | ldzgsvy.exe
  • Checks system information in the registry

    Description

    System information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName
  • Adds Run entry to start application

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc
    Set value (str) | \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Windows\CurrentVersion\Run\ewenc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Tykyugvn\\ldzgsvy.exe\""

    Note: per-user persistence. The value is written under the HKEY_USERS hive of the logged-on account (RID 1000), so it fires only at that user's logon, and it points at the dropped copy inside the directory that the Windows security bypass entry above excludes from Defender.
  • Windows security modification

    TTPs

    Disabling Security Tools, Modify Registry

    Reported IOCs

    description | ioc
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0"
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1"
  • Runs ping.exe
    PING.EXE

    TTPs

    Remote System Discovery

    Reported IOCs

    pid | process
    4136 | PING.EXE

    Note: the mapped technique is the signature's generic tag for ping.exe. Here the target is 127.0.0.1 with -n 6, which is a delay of a few seconds; cmd.exe (PID 4128) uses it to wait before overwriting the original update.bin.exe with a copy of calc.exe, so this is cleanup timing rather than discovery of remote systems.
  • Suspicious behavior: MapViewOfSection
    ldzgsvy.exe

    Reported IOCs

    pid | process
    2904 | ldzgsvy.exe
  • Qakbot/Qbot

    Description

    Qbot or Qakbot is a banking trojan with worm-like self-propagation capabilities.

  • Drops file in Windows directory
    svchost.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\Debug\ESE.TXT | svchost.exe

    Note: this svchost.exe instance (PID 2652) hosts the BITS service and is a top-level process in the list below, not a descendant of update.bin.exe, so the write to C:\Windows\Debug\ESE.TXT is background OS activity captured during the run rather than something the sample did.
  • Turn off Windows Defender SpyNet reporting

    Reported IOCs

    description | ioc
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2"
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2"
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting = "0"
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent = "2"

    Note: the eight reg.exe calls from PID 4564 write these values in pairs (SpyNetReporting = 0 turns off MAPS cloud reporting, SubmitSamplesConsent = 2 means never submit samples) under four key paths. Two of the calls target HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet, which lacks the Microsoft\ component the other paths have, and the signature records no IOC for that pair. Direct registry writes of this kind are what Defender Tamper Protection on newer Windows 10 builds is designed to block.
  • Checks SCSI registry key(s)

    Description

    SCSI information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

    Reported IOCs

    description | ioc
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service
  • Suspicious use of WriteProcessMemory
    update.bin.exe, SppExtComObj.exe, ldzgsvy.exe, update.bin.exe, ldzgsvy.exe

    Reported IOCs

    description | pid | process | target process
    PID 4984 wrote to memory of 5052 | 4984 | update.bin.exe | update.bin.exe
    PID 5084 wrote to memory of 5112 | 5084 | SppExtComObj.exe | SLUI.exe
    PID 4984 wrote to memory of 2904 | 4984 | update.bin.exe | ldzgsvy.exe
    PID 4984 wrote to memory of 2896 | 4984 | update.bin.exe | schtasks.exe
    PID 2904 wrote to memory of 4008 | 2904 | ldzgsvy.exe | ldzgsvy.exe
    PID 2904 wrote to memory of 4048 | 2904 | ldzgsvy.exe | explorer.exe
    PID 4564 wrote to memory of 4624 | 4564 | update.bin.exe | reg.exe
    PID 4564 wrote to memory of 4636 | 4564 | update.bin.exe | reg.exe
    PID 4564 wrote to memory of 4604 | 4564 | update.bin.exe | reg.exe
    PID 4564 wrote to memory of 4712 | 4564 | update.bin.exe | reg.exe
    PID 4564 wrote to memory of 4724 | 4564 | update.bin.exe | reg.exe
    PID 4564 wrote to memory of 4384 | 4564 | update.bin.exe | reg.exe
    PID 4564 wrote to memory of 3688 | 4564 | update.bin.exe | reg.exe
    PID 4564 wrote to memory of 4840 | 4564 | update.bin.exe | reg.exe
    PID 4564 wrote to memory of 4324 | 4564 | update.bin.exe | reg.exe
    PID 4564 wrote to memory of 4228 | 4564 | update.bin.exe | ldzgsvy.exe
    PID 4564 wrote to memory of 4128 | 4564 | update.bin.exe | cmd.exe
    PID 4564 wrote to memory of 4152 | 4564 | update.bin.exe | schtasks.exe
    PID 4228 wrote to memory of 4160 | 4228 | ldzgsvy.exe | ldzgsvy.exe

    Note: every row is a parent writing into a child it just created, and writes of that kind are produced by process creation itself, so on their own they are weak evidence. The row that matters is 2904 -> 4048: ldzgsvy.exe starts C:\Windows\SysWOW64\explorer.exe, writes into it and is the only process flagged for MapViewOfSection, and that explorer.exe then shows the same EnumeratesProcesses behaviour as the sample, which is consistent with the payload being injected into explorer.exe. The 5084 -> 5112 row (SppExtComObj.exe into SLUI.exe) belongs to Windows software licensing; SppExtComObj.exe is a top-level system process in the list, not a descendant of update.bin.exe.
  • Executes dropped EXE
    ldzgsvy.exe, ldzgsvy.exe, ldzgsvy.exe, ldzgsvy.exe

    Reported IOCs

    pid | process
    2904 | ldzgsvy.exe
    4008 | ldzgsvy.exe
    4228 | ldzgsvy.exe
    4160 | ldzgsvy.exe
  • Uses Task Scheduler COM API

    Description

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    TTPs

    Query Registry

    Note: the concrete use is visible in the process list below. PID 4984 runs schtasks.exe to create task ctbnemtyqp, which runs update.bin.exe /I ctbnemtyqp as NT AUTHORITY\SYSTEM once at 17:10; the resulting SYSTEM instance (PID 4564) performs the registry tampering and then deletes the task (PID 4152) when the install is done.
Processes (28)
  • C:\Users\Admin\AppData\Local\Temp\update.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\update.bin.exe"
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID:4984
    • C:\Users\Admin\AppData\Local\Temp\update.bin.exe
      C:\Users\Admin\AppData\Local\Temp\update.bin.exe /C
      Suspicious behavior: EnumeratesProcesses
      PID:5052
    • C:\Users\Admin\AppData\Roaming\Microsoft\Tykyugvn\ldzgsvy.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Tykyugvn\ldzgsvy.exe
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      Executes dropped EXE
      PID:2904
      • C:\Users\Admin\AppData\Roaming\Microsoft\Tykyugvn\ldzgsvy.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Tykyugvn\ldzgsvy.exe /C
        Suspicious behavior: EnumeratesProcesses
        Executes dropped EXE
        PID:4008
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        Suspicious behavior: EnumeratesProcesses
        PID:4048
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ctbnemtyqp /tr "\"C:\Users\Admin\AppData\Local\Temp\update.bin.exe\" /I ctbnemtyqp" /SC ONCE /Z /ST 17:10 /ET 17:22
      PID:2896
      (The 32-bit sample asks for system32\schtasks.exe; WOW64 file system redirection resolves that to SysWOW64\schtasks.exe, which is why the image path and the command line differ.)
  • C:\Windows\system32\SppExtComObj.exe
    C:\Windows\system32\SppExtComObj.exe -Embedding
    Suspicious use of WriteProcessMemory
    PID:5084
    • C:\Windows\System32\SLUI.exe
      "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
      PID:5112
  • C:\Users\Admin\AppData\Local\Temp\update.bin.exe
    C:\Users\Admin\AppData\Local\Temp\update.bin.exe /I ctbnemtyqp
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID:4564
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
      PID:4624
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
      PID:4636
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
      PID:4604
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
      PID:4712
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
      PID:4724
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
      PID:4384
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
      PID:3688
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
      PID:4840
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Tykyugvn" /d "0"
      PID:4324
    • C:\Users\Admin\AppData\Roaming\Microsoft\Tykyugvn\ldzgsvy.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Tykyugvn\ldzgsvy.exe
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      Executes dropped EXE
      PID:4228
      • C:\Users\Admin\AppData\Roaming\Microsoft\Tykyugvn\ldzgsvy.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Tykyugvn\ldzgsvy.exe /C
        Suspicious behavior: EnumeratesProcesses
        Executes dropped EXE
        PID:4160
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\update.bin.exe"
      PID:4128
      (Self-wipe: once the dropped copy ldzgsvy.exe is running, the original file is overwritten with the contents of calc.exe after a short ping delay, so a file collected from the Temp path afterwards is no longer the sample.)
      • C:\Windows\system32\PING.EXE
        ping.exe -n 6 127.0.0.1
        Runs ping.exe
        PID:4136
    • C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /DELETE /F /TN ctbnemtyqp
      PID:4152
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s BITS
    Drops file in Windows directory
    PID:2652
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
    PID:4888
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
    PID:4012
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k unistacksvcgroup
    PID:3444
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
    PID:668
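The installer chain in the process list above (a SYSTEM scheduled task re-launching the sample with /I, reg.exe writes that tamper with Defender SpyNet settings and add an exclusion for the drop directory, then cmd.exe overwriting the original binary after a ping delay) reduced to command-line detections. This is example code added by the editor, not part of the sandbox report: the events are reconstructed from the Processes section (parent pids follow the tree indentation, None where the parent is not listed), the rule names are the editor's own, and one benign exclusion event for a C:\Program Files\Vendor path is constructed as a control so the exclusion rule can show the user-profile distinction it relies on.

```python
"""Command-line detections for the installer chain shown in this report, run over
process-creation events reconstructed from the Processes section.
Example code added by the editor; not part of the sandbox report."""
import re

# (pid, parent pid, command line). Parent pids follow the report's tree indentation;
# None where the parent is outside the tree (the /I instance is launched by the Task
# Scheduler service, which the report does not list).
EVENTS = [
    (4984, None, '"C:\\Users\\Admin\\AppData\\Local\\Temp\\update.bin.exe"'),
    (2896, 4984, '"C:\\Windows\\system32\\schtasks.exe" /Create /RU "NT AUTHORITY\\SYSTEM" '
                 '/tn ctbnemtyqp /tr "\\"C:\\Users\\Admin\\AppData\\Local\\Temp\\update.bin.exe\\" '
                 '/I ctbnemtyqp" /SC ONCE /Z /ST 17:10 /ET 17:22'),
    (4564, None, 'C:\\Users\\Admin\\AppData\\Local\\Temp\\update.bin.exe /I ctbnemtyqp'),
    (4624, 4564, 'C:\\Windows\\system32\\reg.exe ADD "HKLM\\SOFTWARE\\Microsoft\\Microsoft AntiMalware\\SpyNet" '
                 '/f /t REG_DWORD /v "SpyNetReporting" /d "0"'),
    (4384, 4564, 'C:\\Windows\\system32\\reg.exe ADD "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\SpyNet" '
                 '/f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"'),
    (4324, 4564, 'C:\\Windows\\system32\\reg.exe ADD "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths" '
                 '/f /t REG_DWORD /v "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Tykyugvn" /d "0"'),
    (4128, 4564, '"C:\\Windows\\System32\\cmd.exe" /c ping.exe -n 6 127.0.0.1 & '
                 'type "C:\\Windows\\System32\\calc.exe" > "C:\\Users\\Admin\\AppData\\Local\\Temp\\update.bin.exe"'),
    (4152, 4564, '"C:\\Windows\\system32\\schtasks.exe" /DELETE /F /TN ctbnemtyqp'),
    # Constructed benign control (not from the report): an admin excluding a
    # Program Files directory should not trip the user-profile exclusion rule.
    (9001, 1, 'reg.exe ADD "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths" '
              '/f /t REG_DWORD /v "C:\\Program Files\\Vendor" /d "0"'),
]

REG_ADD_RE = re.compile(r'reg(?:\.exe)?"?\s+ADD\s+"(?P<key>[^"]+)"(?P<rest>.*)$', re.I)
TASK_CREATE_RE = re.compile(r'schtasks(?:\.exe)?"?\s+/Create\b', re.I)
TASK_ACTION_RE = re.compile(r'/tr\s+"(?P<action>.+?)"\s+/SC\s+(?P<sched>\w+)', re.I)
# ping to loopback used as a sleep, followed by "type <src> > <dst>" overwriting a file.
WIPE_RE = re.compile(
    r'ping(?:\.exe)?\s+-n\s+(?P<n>\d+)\s+127\.0\.0\.1\s*&\s*type\s+'
    r'"?(?P<src>[^"&>]+?)"?\s*>\s*"?(?P<dst>[^"]+?)"?\s*$', re.I)
USER_PROFILE_RE = re.compile(r'\\users\\[^\\]+\\appdata\\', re.I)


def _arg(text, switch):
    """Value of a quoted or bare switch such as /v, /d or /RU."""
    m = re.search(r'/%s\s+(?:"([^"]*)"|(\S+))' % switch, text, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def check_event(cmd):
    """Return a list of (rule, detail) findings for one command line."""
    found = []
    m = REG_ADD_RE.search(cmd)
    if m:
        key, rest = m.group("key"), m.group("rest")
        value, data = _arg(rest, "v"), _arg(rest, "d")
        k = key.lower()
        if k.endswith("\\spynet") and value and value.lower() in ("spynetreporting", "submitsamplesconsent"):
            found.append(("defender_spynet_tampering", f"{key}\\{value} = {data}"))
        elif k.endswith("\\windows defender\\exclusions\\paths") and value:
            # An exclusion for a path under a user profile is the installer pattern;
            # one under Program Files is routine administration.
            rule = "defender_exclusion_user_profile" if USER_PROFILE_RE.search(value) else "defender_exclusion"
            found.append((rule, value))
    if TASK_CREATE_RE.search(cmd):
        ru, a = _arg(cmd, "RU"), TASK_ACTION_RE.search(cmd)
        if a and ru and ru.upper() == "NT AUTHORITY\\SYSTEM" and USER_PROFILE_RE.search(a.group("action")):
            found.append(("system_task_runs_user_profile_binary", f"{a.group('sched')}: {a.group('action')}"))
    w = WIPE_RE.search(cmd)
    if w:
        found.append(("delay_then_overwrite",
                      f"ping -n {w.group('n')} delay, then {w.group('dst')} overwritten with {w.group('src')}"))
    return found


def scan(events):
    """Every finding as (pid, rule, detail)."""
    return [(pid, rule, detail) for pid, _ppid, cmd in events for rule, detail in check_event(cmd)]


def chain_by_parent(events):
    """Rules grouped by the parent pid of the process that triggered them, so the
    actions of one installer instance (here PID 4564) line up together."""
    parent = {pid: ppid for pid, ppid, _cmd in events}
    grouped = {}
    for pid, rule, _detail in scan(events):
        grouped.setdefault(parent[pid], []).append(rule)
    return grouped


if __name__ == "__main__":
    for pid, rule, detail in scan(EVENTS):
        print(f"{pid:>5}  {rule:<38} {detail}")
    print(chain_by_parent(EVENTS))
```

Grouping by parent is the part worth keeping when porting this to real telemetry: a single reg.exe write or a single SYSTEM task is noisy on its own, but one parent producing SpyNet tampering, a user-profile exclusion and a delay-then-overwrite within seconds is the chain this report documents and is far rarer in benign activity.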
Network
MITRE ATT&CK Matrix

Tactic columns as extracted: Collection, Command and Control, Credential Access, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Tykyugvn\ldzgsvy.dat
  • C:\Users\Admin\AppData\Roaming\Microsoft\Tykyugvn\ldzgsvy.exe (listed five times in the report)
  • memory/2904-5-0x00000000029D0000-0x0000000002A62000-memory.dmp
  • memory/4008-4-0x0000000002A00000-0x0000000002A01000-memory.dmp
  • memory/4160-9-0x0000000002810000-0x0000000002811000-memory.dmp
  • memory/5052-0-0x00000000029A0000-0x00000000029A1000-memory.dmp