Analysis

Max time kernel: 149s
Resource: win10v191014
Submitted: 16-12-2019 17:39

Task: task1
Sample: b5b4.exe
Resource: win7v191014 (the process list below shows Windows 10 service hosts such as DoSvc and unistacksvcgroup, consistent with the win10v191014 image named in the header)

General
Malware Config

Extracted family: qakbot
Campaign/botnet ID: 1576221125 (reads as a Unix timestamp, 2019-12-13 07:12:05 UTC, three days before submission; Qakbot campaign IDs usually take this form)
C2 list: the 150 ip:port entries below. Ports are mostly 443, 995 and 2222, with a few on 993, 465, 2078, 8443 and 50002. Three hosts appear on two ports each (12.5.37.3, 45.45.105.94 and 75.131.72.82 on 443 and 995), and one entry, 73.104.218.229:0, carries port 0, which is not a connectable endpoint and should be excluded from any port-specific blocking rule.
72.187.35.131:443
188.61.134.98:2222
47.153.115.154:995
75.130.117.134:443
174.131.181.120:995
24.32.119.146:443
184.101.230.153:443
70.124.29.226:443
47.227.198.155:443
12.176.32.146:443
172.89.144.89:995
66.214.75.176:443
99.228.5.106:443
98.237.120.65:995
206.51.202.106:50002
50.247.230.33:995
96.37.137.42:443
73.226.220.56:443
70.164.39.91:443
104.152.16.45:995
24.184.6.58:2222
201.152.199.156:995
72.183.255.148:443
5.182.39.156:443
72.16.212.107:465
162.244.224.166:443
63.230.17.215:995
75.131.72.82:995
67.10.18.112:993
75.131.72.82:443
196.194.66.31:2222
197.82.208.68:995
181.126.80.118:443
67.214.21.207:443
32.208.1.239:8443
72.47.115.182:443
47.40.244.237:443
173.31.178.20:443
2.187.66.157:995
66.169.209.201:443
181.197.195.138:995
201.188.10.16:443
67.246.180.90:443
74.134.35.54:443
70.174.21.130:443
207.178.109.161:443
75.182.214.87:443
24.189.222.222:2222
104.34.186.27:995
23.240.185.215:443
107.144.199.177:443
138.122.5.214:443
69.21.112.118:2222
67.160.63.127:443
96.227.138.53:443
184.167.2.251:2222
50.78.93.74:995
71.77.231.251:443
73.179.178.78:443
68.134.181.98:443
117.204.227.13:995
108.46.22.47:443
67.190.189.217:443
73.200.219.143:443
62.47.252.79:993
173.81.22.235:443
74.33.70.219:443
111.125.70.30:2222
73.104.218.229:0
68.100.248.78:443
123.252.128.47:443
100.38.123.22:443
98.148.177.77:443
108.55.23.221:443
72.29.181.77:2078
90.91.93.28:2222
75.81.25.223:995
75.110.250.89:443
184.180.157.203:2222
162.244.225.30:443
104.235.114.14:443
2.50.157.249:443
187.163.139.94:993
68.49.120.179:443
47.214.144.253:443
97.93.211.17:443
76.101.26.55:443
24.196.158.28:443
45.45.105.94:995
71.30.56.170:443
174.48.72.160:443
75.70.218.193:443
12.5.37.3:995
108.227.161.27:443
75.131.239.76:995
67.246.16.250:995
166.62.180.194:2078
72.224.159.224:2222
173.3.132.17:995
24.229.245.124:995
45.45.105.94:443
67.223.197.156:443
72.218.167.183:443
108.27.217.44:443
64.33.68.198:443
108.160.123.244:443
184.191.62.78:443
192.40.225.168:443
74.71.216.1:443
65.30.12.240:443
24.202.42.48:2222
107.12.140.181:443
75.170.56.34:995
74.194.4.181:443
96.35.170.82:2222
173.172.205.216:443
24.201.79.208:2078
107.12.131.249:443
98.121.187.78:443
68.39.177.147:995
68.83.59.107:443
122.164.142.91:443
100.4.185.8:443
70.120.151.69:443
173.22.120.11:2222
12.5.37.3:443
64.250.55.239:443
98.252.150.180:443
72.211.97.57:443
47.146.169.85:443
71.226.140.73:443
104.3.91.20:995
207.162.184.228:443
173.61.231.209:443
116.58.100.130:443
176.205.63.149:995
64.19.74.29:995
172.242.9.118:995
70.177.25.99:443
208.126.142.17:443
47.23.101.26:465
184.74.101.234:995
97.122.229.88:993
174.82.131.155:995
172.78.87.180:995
108.45.183.59:443
68.174.15.223:443
73.137.187.150:443
68.238.56.27:443
181.135.235.70:443
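To turn the config above into something a network team can deploy, here is an added Python example (mine, not the sandbox's or Qakbot's code) that validates each ip:port entry, rejects the port-0 line instead of silently dropping it, flags hosts listed on more than one port, and emits one Suricata rule per port. C2_EXCERPT is a constructed subset of the 150 entries above, chosen to include both edge cases; paste the full list in its place to get the complete rule set. Qakbot's first-tier C2 addresses are mostly compromised residential hosts and churn quickly, so any block derived from this list should carry an expiry.

```python
"""Normalise an extracted Qakbot C2 list (ip:port per line) into per-port
blocklists and Suricata-style rules.

Added example, not part of the sandbox report. C2_EXCERPT is a constructed
subset of the report's 150-entry list chosen to include the two cases a
blocklist builder must handle: one IP listed on two ports (75.131.72.82)
and one entry with port 0 (73.104.218.229:0).
"""
import ipaddress
from collections import defaultdict

C2_EXCERPT = """\
72.187.35.131:443
188.61.134.98:2222
47.153.115.154:995
75.131.72.82:995
67.10.18.112:993
75.131.72.82:443
32.208.1.239:8443
73.104.218.229:0
72.29.181.77:2078
72.16.212.107:465
206.51.202.106:50002
"""


def parse_c2_list(text):
    """Return (valid, rejected). valid is a list of (ip, port); rejected is a
    list of (raw_line, reason). Anything that is not 'ipv4:port' with a port in
    1..65535 is reported rather than dropped, so a bad extractor line is visible."""
    valid, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        host, sep, port_s = line.rpartition(":")
        if not sep:
            rejected.append((line, "no port"))
            continue
        try:
            ip = ipaddress.IPv4Address(host)
            port = int(port_s)
        except ValueError:
            rejected.append((line, "malformed address or port"))
            continue
        if not 1 <= port <= 65535:
            rejected.append((line, "port out of range"))
            continue
        if ip.is_private or ip.is_loopback:
            rejected.append((line, "non-routable address"))
            continue
        valid.append((str(ip), port))
    return valid, rejected


def group_by_port(entries):
    """{port: {ip, ...}} so one rule can cover every C2 on that port."""
    by_port = defaultdict(set)
    for ip, port in entries:
        by_port[port].add(ip)
    return dict(by_port)


def multi_port_hosts(entries):
    """Hosts listed on more than one port, with their sorted port list."""
    ports = defaultdict(set)
    for ip, port in entries:
        ports[ip].add(port)
    return {ip: sorted(p) for ip, p in ports.items() if len(p) > 1}


def suricata_rules(entries, sid_base=9000001, msg="Qakbot C2"):
    """One alert rule per destination port; sid numbers are assumed free."""
    rules = []
    for i, (port, ips) in enumerate(sorted(group_by_port(entries).items())):
        ip_list = ",".join(sorted(ips, key=ipaddress.IPv4Address))
        rules.append(
            f'alert tcp $HOME_NET any -> [{ip_list}] {port} '
            f'(msg:"{msg} port {port}"; flow:to_server; sid:{sid_base + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    ok, bad = parse_c2_list(C2_EXCERPT)
    for line, why in bad:
        print(f"rejected {line}: {why}")
    for ip, ports in multi_port_hosts(ok).items():
        print(f"{ip} is listed on ports {ports}")
    print("\n".join(suricata_rules(ok)))
```

The rules are grouped by port rather than emitted one per host so that the rule count stays at the number of distinct ports (eight for the full list), which keeps the ruleset readable when the list is refreshed.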
Signatures

Executes dropped EXE (4 IoCs)
  PID 364   vrjuunk.exe
  PID 3060  vrjuunk.exe
  PID 3044  vrjuunk.exe
  PID 68    vrjuunk.exe

Suspicious behavior: MapViewOfSection (1 IoC)
  PID 364   vrjuunk.exe
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments: the DeviceDesc and Service strings of the enumerated disk and CD-ROM devices are compared against known virtualization vendor names. No process is attributed to these reads in this export.
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service
Drops file in Windows directory (1 IoC)
  svchost.exe   File opened for modification   C:\Windows\Debug\ESE.TXT
This write is attributed to the BITS service host (svchost.exe -k netsvcs -s BITS in the process list), which logs through the ESE engine, not to the sample or its dropped copy. Treat it as background noise.
Adds Run entry to start application (2 TTPs, 1 IoC)
  Set value (str)   \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Windows\CurrentVersion\Run\yhcfjmy = "C:\Users\Admin\AppData\Roaming\Microsoft\Ahaeti\vrjuunk.exe" (the data is the quoted path)
The value name (yhcfjmy), the directory (Ahaeti) and the file name (vrjuunk.exe) all look randomly generated and will differ between infections; detection should key on the shape AppData\Roaming\Microsoft\<name>\<name>.exe rather than on these literal strings.
Turn off Windows Defender SpyNet reporting (6 IoCs)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet\SpyNetReporting = 0
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = 2
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = 0
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = 2
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting = 0
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent = 2
SpyNetReporting = 0 disables cloud-delivered protection (MAPS) and SubmitSamplesConsent = 2 means "never send"; together they keep the dropped binary from being uploaded for cloud analysis. The writes are made with reg.exe by the scheduled-task instance of the sample (see the process list).
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. The task this sample registers is visible as the schtasks.exe /Create command in the process list.

Untitled signature (2 IoCs; the signature name was not preserved in this export): writes to the Security Center key
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = 0
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = 1
No process is attributed to these writes, and the Security Center service host (svchost.exe -s wscsvc) is present in the process list, so this may be the service's own state change rather than sample activity.
Suspicious use of WriteProcessMemory (19 IoCs)
  PID 4916 b5b4.exe         wrote to  4972 b5b4.exe
  PID 5016 SppExtComObj.exe wrote to  5048 SLUI.exe
  PID 4916 b5b4.exe         wrote to  364  vrjuunk.exe
  PID 4916 b5b4.exe         wrote to  1016 schtasks.exe
  PID 364  vrjuunk.exe      wrote to  3060 vrjuunk.exe
  PID 364  vrjuunk.exe      wrote to  3052 explorer.exe
  PID 4204 b5b4.exe         wrote to  4956 reg.exe
  PID 4204 b5b4.exe         wrote to  804  reg.exe
  PID 4204 b5b4.exe         wrote to  5008 reg.exe
  PID 4204 b5b4.exe         wrote to  1676 reg.exe
  PID 4204 b5b4.exe         wrote to  5060 reg.exe
  PID 4204 b5b4.exe         wrote to  3536 reg.exe
  PID 4204 b5b4.exe         wrote to  2972 reg.exe
  PID 4204 b5b4.exe         wrote to  4928 reg.exe
  PID 4204 b5b4.exe         wrote to  1784 reg.exe
  PID 4204 b5b4.exe         wrote to  3044 vrjuunk.exe
  PID 4204 b5b4.exe         wrote to  3632 cmd.exe
  PID 4204 b5b4.exe         wrote to  3560 schtasks.exe
  PID 3044 vrjuunk.exe      wrote to  68   vrjuunk.exe
Most of these are a parent writing into a child it has just created. The SppExtComObj.exe to SLUI.exe pair is Windows licensing activity unrelated to the sample. The one that matters is 364 vrjuunk.exe writing into 3052 explorer.exe, a 32-bit explorer.exe that the persisted copy launched itself: that is the injection target.
Checks system information in the registry (2 TTPs, 2 IoCs)
System information is often read in order to detect sandboxing environments; the manufacturer and product strings identify virtual machines by vendor.
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName

Untitled signature (1 IoC; the signature name was not preserved in this export): adds a Windows Defender path exclusion
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Ahaeti = 0
This excludes the persistence directory from Defender scanning. The write is done with reg.exe (see the process list).
Suspicious behavior: EnumeratesProcesses (8 IoCs)
  PID 4916  b5b4.exe
  PID 4972  b5b4.exe
  PID 364   vrjuunk.exe
  PID 3060  vrjuunk.exe
  PID 3052  explorer.exe
  PID 4204  b5b4.exe
  PID 3044  vrjuunk.exe
  PID 68    vrjuunk.exe
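As an added example (not the sandbox's signature engine), the following Python scores a stream of registry operations for the behaviours the signatures above describe: Defender cloud reporting and sample submission turned off, a Defender path exclusion under AppData, a Run key pointing into AppData\Roaming, and the SCSI and OEM probes that only mean something in combination. EVENTS is a constructed list shaped after this report's IoC lines; the rule names, weights and threshold are mine.

```python
"""Score registry operations for the Defender tampering, Run-key persistence
and anti-sandbox probing recorded in the signatures above.

Added example; this is not the sandbox's own signature engine. EVENTS is a
constructed list shaped like the report's IoC lines (operation, key, data).
Matching is case-insensitive because the report itself spells the same keys
both 'Spynet' and 'SpyNet', 'SCSI' and 'Scsi'.
"""
import re

# Constructed from the IoCs in this report; the last entry is the kind of
# noise a rule set must not score (Security Center toggling its own value).
EVENTS = [
    ("SetValue", r"HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet\SpyNetReporting", 0),
    ("SetValue", r"HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent", 2),
    ("SetValue", r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting", 0),
    ("SetValue", r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Ahaeti", 0),
    ("SetValue", r"HKU\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Windows\CurrentVersion\Run\yhcfjmy",
     r'"C:\Users\Admin\AppData\Roaming\Microsoft\Ahaeti\vrjuunk.exe"'),
    ("QueryValue", r"HKLM\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc", None),
    ("QueryValue", r"HKLM\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer", None),
    ("SetValue", r"HKLM\SOFTWARE\Microsoft\Security Center\cval", 1),
]

# (name, operation, key regex, predicate on data, weight). Probe rules carry
# weight 1 and only count when at least two of them fire (see score()).
RULES = [
    ("defender_maps_reporting_off", "SetValue",
     r"\\(Windows Defender|Microsoft AntiMalware)\\Spynet\\SpyNetReporting$", lambda d: d == 0, 4),
    ("defender_sample_submission_off", "SetValue",
     r"\\(Windows Defender|Microsoft AntiMalware)\\Spynet\\SubmitSamplesConsent$", lambda d: d == 2, 3),
    ("defender_exclusion_in_appdata", "SetValue",
     r"\\Windows Defender\\Exclusions\\Paths\\.*\\AppData\\", lambda d: True, 4),
    ("run_key_to_appdata", "SetValue",
     r"\\CurrentVersion\\Run\\", lambda d: "appdata" in str(d).lower(), 3),
    ("probe_scsi_device_desc", "QueryValue",
     r"\\Enum\\SCSI\\.*\\DeviceDesc$", lambda d: True, 1),
    ("probe_system_manufacturer", "QueryValue",
     r"\\SystemInformation\\SystemManufacturer$", lambda d: True, 1),
]


def evaluate(events):
    """Return {rule_name: [matching keys]} for every rule that fires."""
    hits = {}
    for op, key, data in events:
        for name, want_op, pattern, pred, _weight in RULES:
            if op == want_op and re.search(pattern, key, re.IGNORECASE) and pred(data):
                hits.setdefault(name, []).append(key)
    return hits


def score(hits):
    """Sum the weights of fired rules. A single hardware/OEM probe is routine
    for installers and inventory agents, so probes add nothing unless two or
    more distinct probes fire in the same event stream."""
    weights = {rule[0]: rule[4] for rule in RULES}
    probes = [n for n in hits if n.startswith("probe_")]
    total = sum(weights[n] for n in hits if not n.startswith("probe_"))
    if len(probes) >= 2:
        total += sum(weights[n] for n in probes)
    return total


def verdict(events, threshold=8):
    """Classify an event stream: (label, score, hits)."""
    hits = evaluate(events)
    s = score(hits)
    label = "malicious" if s >= threshold else ("suspicious" if s else "clean")
    return label, s, hits


if __name__ == "__main__":
    label, s, hits = verdict(EVENTS)
    print(f"{label} (score {s})")
    for name, keys in hits.items():
        print(f"  {name}: {len(keys)} key(s)")
```

The two Spynet patterns accept both the Windows Defender and the Microsoft AntiMalware key paths because, as the IoC list shows, the sample writes both; a rule that only knows the modern path would miss half the writes.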
Processes

C:\Users\Admin\AppData\Local\Temp\b5b4.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\b5b4.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\Temp\b5b4.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\b5b4.exe /C
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Roaming\Microsoft\Ahaeti\vrjuunk.exe
      cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Ahaeti\vrjuunk.exe
      - Executes dropped EXE
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - Suspicious behavior: EnumeratesProcesses

        C:\Users\Admin\AppData\Roaming\Microsoft\Ahaeti\vrjuunk.exe
          cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Ahaeti\vrjuunk.exe /C
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses

        C:\Windows\SysWOW64\explorer.exe
          cmd: C:\Windows\SysWOW64\explorer.exe
          - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\schtasks.exe
      cmd: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn wptxwaijpz /tr "\"C:\Users\Admin\AppData\Local\Temp\b5b4.exe\" /I wptxwaijpz" /SC ONCE /Z /ST 18:41 /ET 18:53

C:\Windows\system32\SppExtComObj.exe
  cmd: C:\Windows\system32\SppExtComObj.exe -Embedding
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\SLUI.exe
      cmd: "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent

\??\c:\windows\system32\svchost.exe
  cmd: c:\windows\system32\svchost.exe -k netsvcs -s BITS
  - Drops file in Windows directory

\??\c:\windows\system32\svchost.exe
  cmd: c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV

C:\Users\Admin\AppData\Local\Temp\b5b4.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\b5b4.exe /I wptxwaijpz
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses

    C:\Windows\system32\reg.exe
      cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"

    C:\Windows\system32\reg.exe
      cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"

    C:\Windows\system32\reg.exe
      cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"

    C:\Windows\system32\reg.exe
      cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"

    C:\Windows\system32\reg.exe
      cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"

    C:\Windows\system32\reg.exe
      cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"

    C:\Windows\system32\reg.exe
      cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"

    C:\Windows\system32\reg.exe
      cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"

    C:\Windows\system32\reg.exe
      cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Ahaeti" /d "0"

    C:\Users\Admin\AppData\Roaming\Microsoft\Ahaeti\vrjuunk.exe
      cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Ahaeti\vrjuunk.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - Suspicious behavior: EnumeratesProcesses

        C:\Users\Admin\AppData\Roaming\Microsoft\Ahaeti\vrjuunk.exe
          cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Ahaeti\vrjuunk.exe /C
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses

    C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\b5b4.exe"

        C:\Windows\system32\PING.EXE
          cmd: ping.exe -n 6 127.0.0.1
          - Runs ping.exe

    C:\Windows\system32\schtasks.exe
      cmd: "C:\Windows\system32\schtasks.exe" /DELETE /F /TN wptxwaijpz

\??\c:\windows\system32\svchost.exe
  cmd: c:\windows\system32\svchost.exe -k netsvcs -s DoSvc

\??\c:\windows\system32\svchost.exe
  cmd: c:\windows\system32\svchost.exe -k unistacksvcgroup

\??\c:\windows\system32\svchost.exe
  cmd: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc

Reading the tree: the first b5b4.exe instance (PID 4916) starts a child copy of itself with /C (PID 4972), copies itself to AppData\Roaming\Microsoft\Ahaeti\vrjuunk.exe and runs it (PID 364); that copy repeats the /C child pattern (PID 3060) and writes into a 32-bit explorer.exe it launched (PID 3052), the injection recorded under WriteProcessMemory. PID 4916 also registers a one-shot task, wptxwaijpz, that runs the original file as NT AUTHORITY\SYSTEM with the /I wptxwaijpz argument; /SC ONCE runs it a single time and /Z marks the task for deletion after that run. When the task fires, the resulting instance (PID 4204; its HKLM writes succeed, so it ran with the elevated token the task requested) disables Defender cloud reporting and sample submission through nine reg.exe calls, adds a Defender exclusion for the persistence directory, starts the persisted copy again (PID 3044, with its /C child PID 68), replaces the original dropper with a copy of calc.exe after a ping delay of roughly five seconds so that the file at the original path no longer carries the malicious hash, and finally deletes the task. Two of the reg.exe targets, HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet, omit the Microsoft\ path component; reg.exe /f creates that key anyway, so those two writes do not appear among the six SpyNet IoCs and affect nothing. The SppExtComObj.exe/SLUI.exe pair and the four svchost.exe service hosts are Windows background activity.
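The scheduled task and the cmd.exe line are the two command lines in this tree worth decoding mechanically. The Python below is an added example, not code from the report; CMDLINES is constructed from the command lines shown above, and the Windows-style tokenizer, the schtasks switch parser and the self-overwrite matcher are mine. It recovers that the task runs the dropper as SYSTEM from a user-writable path as a one-shot, self-deleting job, and that the cmd line replaces the dropper with calc.exe after a ping delay of about five seconds.

```python
"""Decode the persistence and cleanup command lines in the process tree above:
the one-shot SYSTEM scheduled task and the cmd.exe self-overwrite.

Added example, not part of the report. CMDLINES is constructed from the
command lines shown above; the tokenizer and classifiers are mine.
"""
import re

CMDLINES = [
    r'"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn wptxwaijpz '
    r'/tr "\"C:\Users\Admin\AppData\Local\Temp\b5b4.exe\" /I wptxwaijpz" /SC ONCE /Z /ST 18:41 /ET 18:53',
    r'"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" '
    r'> "C:\Users\Admin\AppData\Local\Temp\b5b4.exe"',
    r'"C:\Windows\system32\schtasks.exe" /DELETE /F /TN wptxwaijpz',
]

USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)

# cmd /c ping -n N 127.0.0.1 & type SRC > DST : ping is the delay, type the overwrite
SELF_OVERWRITE = re.compile(
    r'ping(?:\.exe)?\s+-n\s+(\d+)\s+127\.0\.0\.1\s*&\s*type\s+"?([^">]+?)"?\s*>\s*"?([^"]+?)"?\s*$', re.I)


def win_argv(cmdline):
    """Minimal CommandLineToArgvW-style split: whitespace separates arguments,
    double quotes group, and backslash-quote yields a literal quote. That is
    what the nested /tr payload needs; empty "" arguments are dropped."""
    args, cur, quoted, i = [], [], False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == "\\" and i + 1 < len(cmdline) and cmdline[i + 1] == '"':
            cur.append('"')
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c.isspace() and not quoted:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        args.append("".join(cur))
    return args


def parse_schtasks(argv):
    """Return {'action': 'Create'|'Delete'|..., 'opts': {SWITCH: value}} or None.
    Switches are upper-cased; value-less switches such as /Z and /F map to True."""
    if not argv or not argv[0].lower().endswith("schtasks.exe"):
        return None
    action, opts, i = None, {}, 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("/"):
            key = tok[1:].upper()
            if key in ("CREATE", "DELETE", "QUERY", "RUN", "CHANGE", "END"):
                action = key.capitalize()
            elif i + 1 < len(argv) and not argv[i + 1].startswith("/"):
                opts[key] = argv[i + 1]
                i += 1
            else:
                opts[key] = True
        i += 1
    return {"action": action, "opts": opts}


def task_image(tr):
    """First token of a /tr value: the quoted image path, or the first word."""
    return tr[1:].split('"', 1)[0] if tr.startswith('"') else tr.split(" ", 1)[0]


def schtasks_findings(parsed):
    """Human-readable flags for a /Create command; empty for anything else."""
    out = []
    if not parsed or parsed["action"] != "Create":
        return out
    o = parsed["opts"]
    if str(o.get("RU", "")).upper().endswith("SYSTEM"):
        out.append("runs as SYSTEM")
    if USER_WRITABLE.match(task_image(str(o.get("TR", "")))):
        out.append("task image lives in a user-writable directory")
    if str(o.get("SC", "")).upper() == "ONCE":
        out.append("one-shot schedule (/SC ONCE)")
    if o.get("Z") is True:
        out.append("task deletes itself after its final run (/Z)")
    return out


def self_overwrite(cmdline):
    """Recognise the delay-then-overwrite idiom; ping -n N to loopback sleeps
    roughly N-1 seconds before 'type' replaces the target's contents."""
    m = SELF_OVERWRITE.search(cmdline)
    if not m:
        return None
    return {"delay_s": int(m.group(1)) - 1, "source": m.group(2), "target": m.group(3)}


def triage(cmdlines):
    """All findings for a list of command lines, in input order."""
    findings = []
    for line in cmdlines:
        parsed = parse_schtasks(win_argv(line))
        findings += [f"schtasks: {f}" for f in schtasks_findings(parsed)]
        s = self_overwrite(line)
        if s:
            findings.append(f"self-overwrite: {s['target']} replaced with {s['source']} after ~{s['delay_s']}s")
    return findings


if __name__ == "__main__":
    for f in triage(CMDLINES):
        print(f)
```

The tokenizer matters more than it looks: the /tr value embeds escaped quotes, and a POSIX-style split would either break on the backslashes in the paths or split the payload into several arguments, hiding the image path the task actually runs.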
Downloads

Dropped files:
  C:\Users\Admin\AppData\Roaming\Microsoft\Ahaeti\vrjuunk.dat
  C:\Users\Admin\AppData\Roaming\Microsoft\Ahaeti\vrjuunk.exe (five identical entries in the export, collapsed to one)

Memory dumps (PID-index-range):
  memory/4972-0-0x0000000002A30000-0x0000000002A31000-memory.dmp   4KB
  memory/3060-4-0x0000000002A00000-0x0000000002A01000-memory.dmp   4KB
  memory/364-5-0x0000000002B00000-0x0000000002B92000-memory.dmp    584KB
  memory/68-20-0x0000000002A70000-0x0000000002A71000-memory.dmp    4KB
Only the 584KB region from PID 364 (the persisted vrjuunk.exe, the same process flagged for MapViewOfSection) is large enough to hold an unpacked PE; the three 4KB dumps are single pages. Start with that one when carving the payload or re-running a config extractor offline.