Analysis
max time kernel: 137s
resource: win10v191014
submitted: 18-12-2019 10:38

Task: task1
Sample: 11552-QA-F-CTI.exe
Resource: win7v191014

General
Malware Config
Extracted
family: qakbot
campaign ID: 1571042641 (a Unix timestamp as Qakbot uses it: 2019-10-14 08:44:01 UTC)
C2 list (ip:port, one per line; note that 196.194.84.165 also appears with port 0 and that several hosts are listed on more than one port):
98.186.90.192:995
2.50.170.151:443
74.194.4.181:443
70.74.159.126:2222
75.70.218.193:443
96.59.11.86:443
168.245.228.71:443
173.22.120.11:2222
71.77.231.251:443
24.184.6.58:2222
108.5.32.66:443
64.19.74.29:995
68.83.59.107:443
104.3.91.20:995
100.4.185.8:443
96.20.238.2:2087
99.228.242.183:995
206.255.212.179:443
50.247.230.33:443
108.55.23.221:443
105.246.79.97:995
172.78.185.176:443
47.23.101.26:993
68.238.56.27:443
72.213.98.233:443
74.88.112.250:2222
174.16.234.171:993
173.161.148.169:995
50.78.93.74:995
111.125.70.30:2222
47.202.98.230:443
222.195.69.36:2078
217.162.149.212:443
47.23.101.26:465
98.186.155.8:443
70.183.177.71:443
96.20.238.2:2222
69.119.185.172:995
104.152.16.45:995
199.126.92.231:995
174.82.131.155:995
96.20.238.2:2083
24.180.7.155:443
187.202.57.9:995
67.214.8.102:443
123.252.128.47:443
108.160.123.244:443
66.214.75.176:443
96.20.238.2:61201
79.106.13.119:995
176.205.62.156:443
64.20.68.35:2083
76.80.66.226:443
181.90.124.162:443
96.22.239.27:2222
96.20.238.2:2078
108.184.57.213:8443
173.178.129.3:443
12.5.37.3:443
75.69.3.12:443
70.169.2.228:21
207.179.194.91:443
67.10.18.112:993
184.191.62.78:443
72.29.181.77:2083
207.162.184.228:443
206.51.202.106:50002
75.131.72.82:2087
190.120.196.18:443
65.30.12.240:995
71.30.56.170:443
47.214.144.253:443
172.78.45.13:995
110.12.60.117:443
173.247.186.90:990
173.247.186.90:995
174.131.181.120:995
80.14.209.42:2222
76.181.237.223:443
50.246.229.50:443
78.94.55.26:50003
71.197.126.250:443
24.30.69.9:443
68.225.250.136:443
174.48.72.160:443
107.12.140.181:443
75.110.250.89:443
166.62.180.194:2078
173.247.186.90:22
108.45.183.59:443
98.165.206.64:443
62.103.70.217:995
12.176.32.146:443
47.153.115.154:443
68.174.15.223:443
71.93.60.90:443
76.116.128.81:443
162.244.224.166:443
181.126.80.118:443
184.74.101.234:995
75.131.72.82:995
47.146.169.85:443
47.153.115.154:995
75.81.25.223:995
193.154.185.19:995
173.247.186.90:993
172.250.91.246:443
196.194.84.165:2222
2.177.115.198:443
159.118.173.115:995
197.82.208.249:995
192.24.181.185:443
72.16.212.107:995
203.192.232.72:443
86.98.7.248:443
162.244.225.30:443
65.116.179.83:443
70.120.151.69:443
184.180.157.203:2222
104.32.185.213:2222
72.142.106.198:465
23.240.185.215:443
196.194.84.165:0
117.208.254.113:995
104.34.122.18:443
75.110.90.155:443
179.36.9.109:443
47.180.66.10:443
73.137.187.150:443
64.201.125.172:443
47.180.66.10:995
73.138.178.6:443
187.156.73.46:995
69.245.144.167:443
76.174.122.204:443
68.206.128.75:443
75.165.132.69:443
75.165.181.122:443
35.136.74.103:443
96.29.219.77:443
64.150.136.45:443
1.173.254.97:443
72.218.137.100:443
50.46.139.220:443
201.152.122.180:995
200.104.40.85:443
75.110.101.34:443
24.196.158.28:443
190.120.196.18:1194
201.188.97.244:443
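The extracted configuration is only useful once it is turned into something a control can consume. The following Python is an added example, not part of the sandbox report and not Qakbot tooling: it parses a copy of the block above, validates each C2 line, moves unusable entries such as the report's 196.194.84.165:0 into a visible reject list instead of dropping them, groups hosts exposed on several ports, decodes the campaign ID as a Unix timestamp, and emits one Suricata rule per entry. The input is a constructed subset of the report's own lines (paste the full list to use it); the SID range and function names are my own.

```python
"""Turn the report's extracted Qakbot config into IOCs.

Added example, not from the sandbox report or from any Qakbot tooling.
Assumptions: the block is "family, campaign ID, then one ip:port per line";
the campaign ID is a Unix timestamp (the usual reading of that field);
Suricata SIDs starting at 9000000 are a placeholder range.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed input: the family tag and campaign ID as extracted, plus a
# subset of the C2 lines from the report (paste the full list to use it).
EXTRACTED_CONFIG = """\
qakbot
1571042641
98.186.90.192:995
2.50.170.151:443
70.74.159.126:2222
96.20.238.2:2087
47.23.101.26:993
47.23.101.26:465
196.194.84.165:2222
196.194.84.165:0
173.247.186.90:22
"""

C2_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def parse_config(text):
    """Return (family, campaign_id, c2_list, rejects).

    c2_list holds (ip, port) tuples that are routable and have a valid port;
    anything else (malformed line, private/loopback address, port 0) goes to
    rejects so it is visible rather than silently dropped.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    family, campaign_id = lines[0], int(lines[1])
    c2, rejects = [], []
    for ln in lines[2:]:
        m = C2_LINE.match(ln)
        if not m:
            rejects.append(ln)
            continue
        ip, port = m.group(1), int(m.group(2))
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            rejects.append(ln)
            continue
        if addr.is_private or addr.is_loopback or not 1 <= port <= 65535:
            rejects.append(ln)
            continue
        c2.append((ip, port))
    return family, campaign_id, c2, rejects


def campaign_time(campaign_id):
    """Decode the campaign ID as seconds since the Unix epoch (UTC)."""
    return datetime.fromtimestamp(campaign_id, tz=timezone.utc)


def port_histogram(c2):
    """How many C2 entries listen on each port (443/995/2222 dominate above)."""
    return Counter(port for _, port in c2)


def hosts_with_multiple_ports(c2):
    """Hosts that appear on more than one port; a host-level block covers all."""
    ports = {}
    for ip, port in c2:
        ports.setdefault(ip, set()).add(port)
    return {ip: sorted(p) for ip, p in ports.items() if len(p) > 1}


def suricata_rules(c2, sid_base=9000000):
    """One outbound-connection alert per C2 entry (placeholder SID range)."""
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} (msg:"Qakbot C2 {ip}:{port}"; '
        f"flow:to_server; sid:{sid_base + i}; rev:1;)"
        for i, (ip, port) in enumerate(c2)
    ]


if __name__ == "__main__":
    fam, cid, c2, bad = parse_config(EXTRACTED_CONFIG)
    print(fam, campaign_time(cid).isoformat(), len(c2), "C2s, rejected:", bad)
    print(dict(port_histogram(c2)), hosts_with_multiple_ports(c2))
    print("\n".join(suricata_rules(c2)))
```

Rejecting rather than silently skipping matters here: a block list built from this config that quietly lost 196.194.84.165:0 would still be wrong about that host, which the report lists on port 2222 as well, so the host-level grouping is what to feed a firewall.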
Signatures

Windows Defender exclusion added for the drop directory (signature title not preserved) 1 IoCs
Processes:
  description       ioc
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Euvkpvncq = "0"
Defender stores path exclusions as value names under Exclusions\Paths with DWORD data 0, so this single write is enough to stop scanning of everything the sample drops and runs from that directory.

Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments. Here the sample opens the enumeration keys for the attached disk and CD-ROM and reads their DeviceDesc and Service values; the vendor/product strings it gets back (HeartDisk, Sanu DVD-ROM) are the analysis VM's own device identifiers.
Processes:
  description         ioc
  Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service
  Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000
  Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc
  Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service
  Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000
  Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc

Executes dropped EXE 4 IoCs
Processes:
  pid    process
  1536   iaaaqoa.exe
  1700   iaaaqoa.exe
  1912   iaaaqoa.exe
  3356   iaaaqoa.exe

Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
  pid    process
  1536   iaaaqoa.exe

Adds Run entry to start application 2 TTPs 1 IoCs
Processes:
  description       ioc
  Set value (str)   \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Windows\CurrentVersion\Run\mfsmydj = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Euvkpvncq\\iaaaqoa.exe\""
The Run value lives in the user's hive (HKCU), so it persists for the Admin account without needing the SYSTEM task; the value name (mfsmydj) and the directory name (Euvkpvncq) are per-infection and should be treated as this sample's, not as a family-wide indicator.

Turn off Windows Defender SpyNet reporting 6 IoCs
SpyNetReporting = 0 disables cloud (MAPS) reporting and SubmitSamplesConsent = 2 means "never send samples"; both are written under the native and the WOW6432Node views.
Processes:
  description       ioc
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent = "2"
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2"
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2"
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting = "0"

Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
  pid    process
  4928   11552-QA-F-CTI.exe
  4988   11552-QA-F-CTI.exe
  1536   iaaaqoa.exe
  1700   iaaaqoa.exe
  4448   explorer.exe
  4540   11552-QA-F-CTI.exe
  1912   iaaaqoa.exe
  3356   iaaaqoa.exe

Suspicious use of WriteProcessMemory 18 IoCs
Processes:
  source pid   source process        target pid   target process
  4928         11552-QA-F-CTI.exe    4988         11552-QA-F-CTI.exe
  4928         11552-QA-F-CTI.exe    1536         iaaaqoa.exe
  4928         11552-QA-F-CTI.exe    4232         schtasks.exe
  1536         iaaaqoa.exe           1700         iaaaqoa.exe
  1536         iaaaqoa.exe           4448         explorer.exe
  4540         11552-QA-F-CTI.exe    3352         reg.exe
  4540         11552-QA-F-CTI.exe    808          reg.exe
  4540         11552-QA-F-CTI.exe    4876         reg.exe
  4540         11552-QA-F-CTI.exe    1744         reg.exe
  4540         11552-QA-F-CTI.exe    5076         reg.exe
  4540         11552-QA-F-CTI.exe    3480         reg.exe
  4540         11552-QA-F-CTI.exe    1680         reg.exe
  4540         11552-QA-F-CTI.exe    3696         reg.exe
  4540         11552-QA-F-CTI.exe    3368         reg.exe
  4540         11552-QA-F-CTI.exe    1912         iaaaqoa.exe
  1912         iaaaqoa.exe           3356         iaaaqoa.exe
  4540         11552-QA-F-CTI.exe    3512         cmd.exe
  4540         11552-QA-F-CTI.exe    432          schtasks.exe
Every child the sample starts appears in this table, so the entry that stands out is iaaaqoa.exe (1536) writing into a freshly started 32-bit explorer.exe (4448), the usual injection host; the parent-to-/C-child writes are the other candidates worth pulling memory for.
Processes
Indentation shows parent and child; PIDs are taken from the WriteProcessMemory table above. Each entry gives the image path and, where it differs, the command line.

PID 4928  C:\Users\Admin\AppData\Local\Temp\11552-QA-F-CTI.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\11552-QA-F-CTI.exe"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
  PID 4988  C:\Users\Admin\AppData\Local\Temp\11552-QA-F-CTI.exe
            cmdline: C:\Users\Admin\AppData\Local\Temp\11552-QA-F-CTI.exe /C
            - Suspicious behavior: EnumeratesProcesses
  PID 1536  C:\Users\Admin\AppData\Roaming\Microsoft\Euvkpvncq\iaaaqoa.exe
            - Executes dropped EXE
            - Suspicious behavior: MapViewOfSection
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
    PID 1700  C:\Users\Admin\AppData\Roaming\Microsoft\Euvkpvncq\iaaaqoa.exe
              cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Euvkpvncq\iaaaqoa.exe /C
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
    PID 4448  C:\Windows\SysWOW64\explorer.exe
              - Suspicious behavior: EnumeratesProcesses
  PID 4232  C:\Windows\SysWOW64\schtasks.exe
            cmdline: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn cgykqboisy /tr "\"C:\Users\Admin\AppData\Local\Temp\11552-QA-F-CTI.exe\" /I cgykqboisy" /SC ONCE /Z /ST 11:40 /ET 11:52

PID 4540  C:\Users\Admin\AppData\Local\Temp\11552-QA-F-CTI.exe   (started by the scheduled task cgykqboisy, i.e. as SYSTEM)
          cmdline: C:\Users\Admin\AppData\Local\Temp\11552-QA-F-CTI.exe /I cgykqboisy
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
  C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
  C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
  C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
  C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
  C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
  C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
  C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
  C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
  C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Euvkpvncq" /d "0"
  PID 1912  C:\Users\Admin\AppData\Roaming\Microsoft\Euvkpvncq\iaaaqoa.exe
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
    PID 3356  C:\Users\Admin\AppData\Roaming\Microsoft\Euvkpvncq\iaaaqoa.exe
              cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Euvkpvncq\iaaaqoa.exe /C
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
  PID 3512  C:\Windows\System32\cmd.exe
            cmdline: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\11552-QA-F-CTI.exe"
    C:\Windows\system32\PING.EXE
              cmdline: ping.exe -n 6 127.0.0.1
              - Runs ping.exe
  PID 432   C:\Windows\system32\schtasks.exe
            cmdline: "C:\Windows\system32\schtasks.exe" /DELETE /F /TN cgykqboisy

Read top to bottom, the tree is the whole infection routine. The dropper (4928) spawns a copy of itself with /C, writes the persisted copy iaaaqoa.exe under %APPDATA%\Microsoft\Euvkpvncq and runs it, and registers a one-shot scheduled task (cgykqboisy) that re-runs the dropper with /I as NT AUTHORITY\SYSTEM inside a twelve-minute window (/ST 11:40 /ET 11:52; /Z marks the task for deletion after its final run). Creating a SYSTEM task and writing HKLM both succeeded, so the sandbox's Admin account was running elevated. The persisted copy (1536) spawns its own /C child and a 32-bit explorer.exe (C:\Windows\SysWOW64\explorer.exe) that it writes into. The SYSTEM instance (4540) then uses reg.exe to turn off Defender cloud reporting and sample submission, adds the drop directory as a Defender exclusion, relaunches the persisted copy, waits on a ping loop and overwrites the original dropper on disk with the bytes of calc.exe (so the file left in %TEMP% is a copy of calc.exe, not the sample), and finally deletes the task. Note that the signature table above counts six SpyNet writes while nine reg.exe commands ran: the two aimed at HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet (a path without the Microsoft\ component) are not among the six, so a detection built only from the signature's listed keys would miss them; match on the reg.exe command line instead.
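The tree above is a compact set of process-creation events, and each of the evasion and persistence steps in it can be flagged from the command line alone. The following Python is an added example, not part of the sandbox report or of the malware: it builds a small event list constructed from the command lines shown above (PIDs from the WriteProcessMemory table; the three reg.exe PIDs are assigned in listing order, which the report does not guarantee) and runs four rules over it: Defender cloud reporting switched off via reg.exe, a Defender exclusion added via reg.exe, a schtasks task that runs a binary from a user-writable path as SYSTEM, and cmd.exe overwriting an executable with a `type ... >` redirect, plus a parent check for explorer.exe started by a binary in AppData. The `Event` shape and rule names are mine.

```python
"""Flag the defence-evasion and persistence steps visible in the process tree.

Added example, not from the sandbox report or the malware. Events are
constructed from the command lines in the tree; PIDs follow the report's
WriteProcessMemory table except the reg.exe ones, which are assigned in
listing order (an assumption). Rule names and the Event shape are mine.
"""
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\11552-QA-F-CTI.exe"
PERSIST = r"C:\Users\Admin\AppData\Roaming\Microsoft\Euvkpvncq\iaaaqoa.exe"
REG = r"C:\Windows\system32\reg.exe"

EVENTS = [  # ppid 0 = parent not in the tree (4540 is started by the task)
    Event(4928, 0, DROPPER, f'"{DROPPER}"'),
    Event(1536, 4928, PERSIST, PERSIST),
    Event(4448, 1536, r"C:\Windows\SysWOW64\explorer.exe", r"C:\Windows\SysWOW64\explorer.exe"),
    Event(4232, 4928, r"C:\Windows\SysWOW64\schtasks.exe",
          r'"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn cgykqboisy '
          r'/tr "\"C:\Users\Admin\AppData\Local\Temp\11552-QA-F-CTI.exe\" /I cgykqboisy" '
          r'/SC ONCE /Z /ST 11:40 /ET 11:52'),
    Event(4540, 0, DROPPER, f"{DROPPER} /I cgykqboisy"),
    Event(3352, 4540, REG, REG + r' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"'),
    Event(808, 4540, REG, REG + r' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"'),
    Event(3368, 4540, REG, REG + r' ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Euvkpvncq" /d "0"'),
    Event(3512, 4540, r"C:\Windows\System32\cmd.exe",
          r'"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\11552-QA-F-CTI.exe"'),
]

SPYNET_KEY = re.compile(r"(Windows Defender|Microsoft AntiMalware)\\Spynet$", re.I)
EXCLUSION_KEY = re.compile(r"Windows Defender\\Exclusions\\", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
RUN_AS_SYSTEM = re.compile(r'/RU\s+"?NT AUTHORITY\\SYSTEM"?', re.I)
TASK_ACTION = re.compile(r'/tr\s+"((?:[^"\\]|\\.)*)"', re.I)   # /tr "..." with \" escapes inside
TYPE_REDIRECT = re.compile(r'type\s+"?([^">]+?)"?\s*>\s*"?([^"]+?)"?\s*$', re.I)


def parse_reg_add(cmdline):
    """Pull the key, /v value name and /d data out of a `reg.exe ADD` command line."""
    toks = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    if len(toks) < 3 or toks[1].upper() != "ADD":
        return None
    out = {"key": toks[2], "value": None, "data": None}
    for i in range(3, len(toks) - 1):
        if toks[i].lower() == "/v":
            out["value"] = toks[i + 1]
        elif toks[i].lower() == "/d":
            out["data"] = toks[i + 1]
    return out


def check_event(ev, by_pid):
    """Return (rule, detail) hits for one process-creation event."""
    hits = []
    exe = ev.image.rsplit("\\", 1)[-1].lower()
    if exe == "reg.exe" and (add := parse_reg_add(ev.cmdline)):
        # Cloud reporting off (SpyNetReporting=0) or samples never sent (SubmitSamplesConsent=2)
        if SPYNET_KEY.search(add["key"]) and add["value"] and \
                add["value"].lower() in ("spynetreporting", "submitsamplesconsent"):
            hits.append(("defender_cloud_reporting_disabled", f'{add["key"]}\\{add["value"]} = {add["data"]}'))
        if EXCLUSION_KEY.search(add["key"]):
            hits.append(("defender_exclusion_added", add["value"]))
    elif exe == "schtasks.exe" and RUN_AS_SYSTEM.search(ev.cmdline):
        m = TASK_ACTION.search(ev.cmdline)
        if m and USER_WRITABLE.search(m.group(1)):
            hits.append(("system_task_runs_user_writable_binary", m.group(1)))
    elif exe == "cmd.exe":
        m = TYPE_REDIRECT.search(ev.cmdline)
        if m and m.group(2).lower().endswith(".exe"):
            hits.append(("executable_overwritten_via_type_redirect", m.group(2)))
    elif exe == "explorer.exe":
        parent = by_pid.get(ev.ppid)
        if parent and USER_WRITABLE.search(parent.image):
            hits.append(("explorer_spawned_by_appdata_binary", parent.image))
    return hits


def run_detections(events):
    """Run every rule over every event; returns [(pid, rule, detail), ...]."""
    by_pid = {e.pid: e for e in events}
    return [(ev.pid, rule, detail) for ev in events for rule, detail in check_event(ev, by_pid)]


if __name__ == "__main__":
    for pid, rule, detail in run_detections(EVENTS):
        print(f"{pid:>5}  {rule:<42} {detail}")
```

The reg.exe rule matches on the key's tail (`...\Spynet`) rather than on a fixed list of full paths, so it also catches the two writes to HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet that the report's signature table does not count. The ping-then-overwrite pattern is worth its own rule because the file that incident responders collect from %TEMP% afterwards is calc.exe, not the dropper.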
Network

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
Dropped files
  C:\Users\Admin\AppData\Roaming\Microsoft\Euvkpvncq\iaaaqoa.dat
  C:\Users\Admin\AppData\Roaming\Microsoft\Euvkpvncq\iaaaqoa.exe   (listed five times in the report)

Memory dumps
  file                                                              region (in PID)                     size
  memory/1536-5-0x0000000000600000-0x0000000000692000-memory.dmp   0x600000-0x692000 in 1536 (iaaaqoa.exe)      584KB
  memory/1700-4-0x0000000002830000-0x0000000002831000-memory.dmp   0x2830000-0x2831000 in 1700 (iaaaqoa.exe /C)   4KB
  memory/3356-9-0x00000000028A0000-0x00000000028A1000-memory.dmp   0x28A0000-0x28A1000 in 3356 (iaaaqoa.exe /C)   4KB
  memory/4988-0-0x00000000029B0000-0x00000000029B1000-memory.dmp   0x29B0000-0x29B1000 in 4988 (11552-QA-F-CTI.exe /C)   4KB
The 584 KB region in PID 1536 (the first persisted iaaaqoa.exe instance, the one flagged for MapViewOfSection) is the only dump larger than a single page and the one to pull for static analysis; the three 4 KB dumps are single-page regions in the /C children.