Analysis
-
max time kernel: 135s
resource: win7v191014
submitted: 16-12-2019 17:39
Task: task1
Sample: b5b4.exe
Resource: win7v191014
General
Malware Config
Extracted
qakbot
1576221125
72.187.35.131:443
188.61.134.98:2222
47.153.115.154:995
75.130.117.134:443
174.131.181.120:995
24.32.119.146:443
184.101.230.153:443
70.124.29.226:443
47.227.198.155:443
12.176.32.146:443
172.89.144.89:995
66.214.75.176:443
99.228.5.106:443
98.237.120.65:995
206.51.202.106:50002
50.247.230.33:995
96.37.137.42:443
73.226.220.56:443
70.164.39.91:443
104.152.16.45:995
24.184.6.58:2222
201.152.199.156:995
72.183.255.148:443
5.182.39.156:443
72.16.212.107:465
162.244.224.166:443
63.230.17.215:995
75.131.72.82:995
67.10.18.112:993
75.131.72.82:443
196.194.66.31:2222
197.82.208.68:995
181.126.80.118:443
67.214.21.207:443
32.208.1.239:8443
72.47.115.182:443
47.40.244.237:443
173.31.178.20:443
2.187.66.157:995
66.169.209.201:443
181.197.195.138:995
201.188.10.16:443
67.246.180.90:443
74.134.35.54:443
70.174.21.130:443
207.178.109.161:443
75.182.214.87:443
24.189.222.222:2222
104.34.186.27:995
23.240.185.215:443
107.144.199.177:443
138.122.5.214:443
69.21.112.118:2222
67.160.63.127:443
96.227.138.53:443
184.167.2.251:2222
50.78.93.74:995
71.77.231.251:443
73.179.178.78:443
68.134.181.98:443
117.204.227.13:995
108.46.22.47:443
67.190.189.217:443
73.200.219.143:443
62.47.252.79:993
173.81.22.235:443
74.33.70.219:443
111.125.70.30:2222
73.104.218.229:0
68.100.248.78:443
123.252.128.47:443
100.38.123.22:443
98.148.177.77:443
108.55.23.221:443
72.29.181.77:2078
90.91.93.28:2222
75.81.25.223:995
75.110.250.89:443
184.180.157.203:2222
162.244.225.30:443
104.235.114.14:443
2.50.157.249:443
187.163.139.94:993
68.49.120.179:443
47.214.144.253:443
97.93.211.17:443
76.101.26.55:443
24.196.158.28:443
45.45.105.94:995
71.30.56.170:443
174.48.72.160:443
75.70.218.193:443
12.5.37.3:995
108.227.161.27:443
75.131.239.76:995
67.246.16.250:995
166.62.180.194:2078
72.224.159.224:2222
173.3.132.17:995
24.229.245.124:995
45.45.105.94:443
67.223.197.156:443
72.218.167.183:443
108.27.217.44:443
64.33.68.198:443
108.160.123.244:443
184.191.62.78:443
192.40.225.168:443
74.71.216.1:443
65.30.12.240:443
24.202.42.48:2222
107.12.140.181:443
75.170.56.34:995
74.194.4.181:443
96.35.170.82:2222
173.172.205.216:443
24.201.79.208:2078
107.12.131.249:443
98.121.187.78:443
68.39.177.147:995
68.83.59.107:443
122.164.142.91:443
100.4.185.8:443
70.120.151.69:443
173.22.120.11:2222
12.5.37.3:443
64.250.55.239:443
98.252.150.180:443
72.211.97.57:443
47.146.169.85:443
71.226.140.73:443
104.3.91.20:995
207.162.184.228:443
173.61.231.209:443
116.58.100.130:443
176.205.63.149:995
64.19.74.29:995
172.242.9.118:995
70.177.25.99:443
208.126.142.17:443
47.23.101.26:465
184.74.101.234:995
97.122.229.88:993
174.82.131.155:995
172.78.87.180:995
108.45.183.59:443
68.174.15.223:443
73.137.187.150:443
68.238.56.27:443
181.135.235.70:443
Signatures
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid   process
1512  conhost.exe
-
Processes:
description      ioc
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Pmzeovsv = "0"
-
Adds Run entry to start application 2 TTPs 1 IoCs
Processes:
description      ioc
Set value (str)  \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Windows\CurrentVersion\Run\kqbcvmk = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Pmzeovsv\\qopabey.exe\""
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
description                        pid   process      target process
PID 1264 wrote to memory of 1852   1264  b5b4.exe     b5b4.exe
PID 1264 wrote to memory of 1892   1264  b5b4.exe     qopabey.exe
PID 1264 wrote to memory of 640    1264  b5b4.exe     schtasks.exe
PID 1892 wrote to memory of 1124   1892  qopabey.exe  qopabey.exe
PID 1892 wrote to memory of 2044   1892  qopabey.exe  explorer.exe
PID 1940 wrote to memory of 1216   1940  taskeng.exe  b5b4.exe
PID 1216 wrote to memory of 1264   1216  b5b4.exe     reg.exe
PID 1216 wrote to memory of 1168   1216  b5b4.exe     reg.exe
PID 1216 wrote to memory of 1992   1216  b5b4.exe     reg.exe
PID 1216 wrote to memory of 1924   1216  b5b4.exe     reg.exe
PID 1216 wrote to memory of 1792   1216  b5b4.exe     reg.exe
PID 1216 wrote to memory of 840    1216  b5b4.exe     reg.exe
PID 1216 wrote to memory of 268    1216  b5b4.exe     reg.exe
PID 1216 wrote to memory of 1456   1216  b5b4.exe     reg.exe
PID 1216 wrote to memory of 1616   1216  b5b4.exe     reg.exe
PID 1216 wrote to memory of 1544   1216  b5b4.exe     qopabey.exe
PID 1544 wrote to memory of 1788   1544  qopabey.exe  qopabey.exe
PID 1216 wrote to memory of 1460   1216  b5b4.exe     cmd.exe
PID 1216 wrote to memory of 576    1216  b5b4.exe     schtasks.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid   process
1892  qopabey.exe
-
Executes dropped EXE 4 IoCs
Processes:
pid   process
1892  qopabey.exe
1124  qopabey.exe
1544  qopabey.exe
1788  qopabey.exe
-
Turn off Windows Defender SpyNet reporting 6 IoCs
Processes:
description      ioc
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SpyNetReporting = "0"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent = "2"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting = "0"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent = "2"
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
pid   process
1264  b5b4.exe
1852  b5b4.exe
1892  qopabey.exe
1124  qopabey.exe
2044  explorer.exe
1216  b5b4.exe
1544  qopabey.exe
1788  qopabey.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid   process
1264  b5b4.exe
1216  b5b4.exe
Processes
-
(depth 1) C:\Users\Admin\AppData\Local\Temp\b5b4.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\b5b4.exe"
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Loads dropped DLL
-
(depth 2) C:\Users\Admin\AppData\Local\Temp\b5b4.exe
Command line: C:\Users\Admin\AppData\Local\Temp\b5b4.exe /C
- Suspicious behavior: EnumeratesProcesses
-
(depth 2) C:\Users\Admin\AppData\Roaming\Microsoft\Pmzeovsv\qopabey.exe
Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Pmzeovsv\qopabey.exe
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
(depth 3) C:\Users\Admin\AppData\Roaming\Microsoft\Pmzeovsv\qopabey.exe
Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Pmzeovsv\qopabey.exe /C
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
(depth 3) C:\Windows\SysWOW64\explorer.exe
Command line: C:\Windows\SysWOW64\explorer.exe
- Suspicious behavior: EnumeratesProcesses
-
(depth 2) C:\Windows\SysWOW64\schtasks.exe
Command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn tcjhvmzz /tr "\"C:\Users\Admin\AppData\Local\Temp\b5b4.exe\" /I tcjhvmzz" /SC ONCE /Z /ST 18:41 /ET 18:53
-
(depth 1) C:\Windows\system32\conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe "2063053404-2854132222099762677-45583753-1949206537-75580183817319469623359341"
-
(depth 1) C:\Windows\system32\taskeng.exe
Command line: taskeng.exe {8D511600-DB2F-492B-9EE5-D670D7FF52BA} S-1-5-18:NT AUTHORITY\System:Service:
- Suspicious use of WriteProcessMemory
-
(depth 2) C:\Users\Admin\AppData\Local\Temp\b5b4.exe
Command line: C:\Users\Admin\AppData\Local\Temp\b5b4.exe /I tcjhvmzz
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Loads dropped DLL
-
(depth 3) C:\Windows\system32\reg.exe
Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
-
(depth 3) C:\Windows\system32\reg.exe
Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
-
(depth 3) C:\Windows\system32\reg.exe
Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
-
(depth 3) C:\Windows\system32\reg.exe
Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
-
(depth 3) C:\Windows\system32\reg.exe
Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
-
(depth 3) C:\Windows\system32\reg.exe
Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
-
(depth 3) C:\Windows\system32\reg.exe
Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
-
(depth 3) C:\Windows\system32\reg.exe
Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
-
(depth 3) C:\Windows\system32\reg.exe
Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Pmzeovsv" /d "0"
-
(depth 3) C:\Users\Admin\AppData\Roaming\Microsoft\Pmzeovsv\qopabey.exe
Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Pmzeovsv\qopabey.exe
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
(depth 4) C:\Users\Admin\AppData\Roaming\Microsoft\Pmzeovsv\qopabey.exe
Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Pmzeovsv\qopabey.exe /C
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
(depth 3) C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\b5b4.exe"
-
(depth 4) C:\Windows\system32\PING.EXE
Command line: ping.exe -n 6 127.0.0.1
- Runs ping.exe
-
(depth 3) C:\Windows\system32\schtasks.exe
Command line: "C:\Windows\system32\schtasks.exe" /DELETE /F /TN tcjhvmzz
-
(depth 1) C:\Windows\system32\conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe "1365882836-1110800745-7801866851380731011113141736411320799631137361410-557005805"
-
(depth 1) C:\Windows\system32\conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe "-384530487-719684403-6971714381231329196-206039184250439643325348139-569546736"
-
(depth 1) C:\Windows\system32\conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe "-875471951-189328531221931831-708082501-13365813741130860039929593856-1804527250"
-
(depth 1) C:\Windows\system32\conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe "194973843082524135214779199022607934281944071045-3259787391683764858-697140228"
-
(depth 1) C:\Windows\system32\conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe "-1904317397-16851386041491544489462358033985863903436148395-431719124-771391700"
-
(depth 1) C:\Windows\system32\conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe "-191079676-1101064405-16346412851492502769-1686655768-646940616974144668-806571140"
-
(depth 1) C:\Windows\system32\conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe "-743888919-1584181610125198254695408328790441678-632671024529608171779644799"
-
(depth 1) C:\Windows\system32\conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe "15502433311259804779-5438740861779981695-18383386311070321465-1710798376902325144"
-
(depth 1) C:\Windows\system32\conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe "725504720689926228-19575337191734287601-1615831929-1459951738-7727513911320410018"
-
(depth 1) C:\Windows\system32\conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe "1548437458-154748918-17143604371787543675206105472-4768703452091858199577594281"
-
(depth 1) C:\Windows\system32\conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe "-773849690-187762793294557656920751508203383772682040431442-21428941761235425851"
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Pmzeovsv\qopabey.dat
-
C:\Users\Admin\AppData\Roaming\Microsoft\Pmzeovsv\qopabey.exe
-
C:\Users\Admin\AppData\Roaming\Microsoft\Pmzeovsv\qopabey.exe
-
C:\Users\Admin\AppData\Roaming\Microsoft\Pmzeovsv\qopabey.exe
-
C:\Users\Admin\AppData\Roaming\Microsoft\Pmzeovsv\qopabey.exe
-
C:\Users\Admin\AppData\Roaming\Microsoft\Pmzeovsv\qopabey.exe
-
\Users\Admin\AppData\Roaming\Microsoft\Pmzeovsv\qopabey.exe
-
\Users\Admin\AppData\Roaming\Microsoft\Pmzeovsv\qopabey.exe
-
\Users\Admin\AppData\Roaming\Microsoft\Pmzeovsv\qopabey.exe
-
memory/1124-6-0x0000000002550000-0x0000000002561000-memory.dmp (Filesize 68KB)
-
memory/1788-12-0x00000000024A0000-0x00000000024B1000-memory.dmp (Filesize 68KB)
-
memory/1852-0-0x0000000002560000-0x0000000002571000-memory.dmp (Filesize 68KB)
-
memory/1892-7-0x0000000001E70000-0x0000000001F02000-memory.dmp (Filesize 584KB)