Analysis
- Max time kernel: 134s
- Resource: win7v191014
- Submitted: 10-01-2020 13:41
- Task: task1
- Sample: 1myPtKM47.exe

Malware Config
Extracted
- qakbot
- 1578386545
Signatures

Adds Run entry to start application 2 TTPs 1 IoCs
Processes:
- explorer.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Windows\CurrentVersion\Run\oscwexj = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Ujuhueuij\\tyfmyb.exe\""

Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
- PID 1508: 1myPtKM47.exe
- PID 1384: 1myPtKM47.exe
- PID 1128: tyfmyb.exe
- PID 1148: tyfmyb.exe
- PID 1100: explorer.exe
- PID 1844: 1myPtKM47.exe
- PID 728: tyfmyb.exe
- PID 1304: tyfmyb.exe

Suspicious use of WriteProcessMemory 19 IoCs
Processes:
- PID 1508 (1myPtKM47.exe) wrote to memory of PID 1384 (1myPtKM47.exe)
- PID 1508 (1myPtKM47.exe) wrote to memory of PID 1128 (tyfmyb.exe)
- PID 1508 (1myPtKM47.exe) wrote to memory of PID 1688 (schtasks.exe)
- PID 1128 (tyfmyb.exe) wrote to memory of PID 1148 (tyfmyb.exe)
- PID 1128 (tyfmyb.exe) wrote to memory of PID 1100 (explorer.exe)
- PID 1968 (taskeng.exe) wrote to memory of PID 1844 (1myPtKM47.exe)
- PID 1844 (1myPtKM47.exe) wrote to memory of PID 1848 (reg.exe)
- PID 1844 (1myPtKM47.exe) wrote to memory of PID 1860 (reg.exe)
- PID 1844 (1myPtKM47.exe) wrote to memory of PID 1688 (reg.exe)
- PID 1844 (1myPtKM47.exe) wrote to memory of PID 1876 (reg.exe)
- PID 1844 (1myPtKM47.exe) wrote to memory of PID 1320 (reg.exe)
- PID 1844 (1myPtKM47.exe) wrote to memory of PID 1408 (reg.exe)
- PID 1844 (1myPtKM47.exe) wrote to memory of PID 520 (reg.exe)
- PID 1844 (1myPtKM47.exe) wrote to memory of PID 1008 (reg.exe)
- PID 1844 (1myPtKM47.exe) wrote to memory of PID 1628 (reg.exe)
- PID 1844 (1myPtKM47.exe) wrote to memory of PID 728 (tyfmyb.exe)
- PID 728 (tyfmyb.exe) wrote to memory of PID 1304 (tyfmyb.exe)
- PID 1844 (1myPtKM47.exe) wrote to memory of PID 1576 (cmd.exe)
- PID 1844 (1myPtKM47.exe) wrote to memory of PID 524 (schtasks.exe)

Turn off Windows Defender SpyNet reporting 6 IoCs
Processes:
- reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting = "0"
- reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent = "2"
- reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SpyNetReporting = "0"
- reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent = "2"
- reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"
- reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2"

Windows security bypass 1 IoCs
Processes:
- reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Ujuhueuij = "0"

Loads dropped DLL 2 IoCs
Processes:
- PID 1508: 1myPtKM47.exe
- PID 1844: 1myPtKM47.exe

Executes dropped EXE 4 IoCs
Processes:
- PID 1128: tyfmyb.exe
- PID 1148: tyfmyb.exe
- PID 728: tyfmyb.exe
- PID 1304: tyfmyb.exe

Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
- PID 1128: tyfmyb.exe
Processes

(level 1) C:\Users\Admin\AppData\Local\Temp\1myPtKM47.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1myPtKM47.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - Loads dropped DLL
  (level 2) C:\Users\Admin\AppData\Local\Temp\1myPtKM47.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\1myPtKM47.exe /C
      - Suspicious behavior: EnumeratesProcesses
  (level 2) C:\Users\Admin\AppData\Roaming\Microsoft\Ujuhueuij\tyfmyb.exe
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Ujuhueuij\tyfmyb.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - Executes dropped EXE
      - Suspicious behavior: MapViewOfSection
    (level 3) C:\Users\Admin\AppData\Roaming\Microsoft\Ujuhueuij\tyfmyb.exe
        Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Ujuhueuij\tyfmyb.exe /C
        - Suspicious behavior: EnumeratesProcesses
        - Executes dropped EXE
    (level 3) C:\Windows\SysWOW64\explorer.exe
        Command line: C:\Windows\SysWOW64\explorer.exe
        - Adds Run entry to start application
        - Suspicious behavior: EnumeratesProcesses
  (level 2) C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn fqdemihgz /tr "\"C:\Users\Admin\AppData\Local\Temp\1myPtKM47.exe\" /I fqdemihgz" /SC ONCE /Z /ST 14:43 /ET 14:55

(level 1) C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {8A9907A9-3019-43F4-94F1-2FD4AFFCC9AD} S-1-5-18:NT AUTHORITY\System:Service:
    - Suspicious use of WriteProcessMemory
  (level 2) C:\Users\Admin\AppData\Local\Temp\1myPtKM47.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\1myPtKM47.exe /I fqdemihgz
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - Loads dropped DLL
    (level 3) C:\Windows\system32\reg.exe
        Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        - Turn off Windows Defender SpyNet reporting
    (level 3) C:\Windows\system32\reg.exe
        Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
        - Turn off Windows Defender SpyNet reporting
    (level 3) C:\Windows\system32\reg.exe
        Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    (level 3) C:\Windows\system32\reg.exe
        Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    (level 3) C:\Windows\system32\reg.exe
        Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        - Turn off Windows Defender SpyNet reporting
    (level 3) C:\Windows\system32\reg.exe
        Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
        - Turn off Windows Defender SpyNet reporting
    (level 3) C:\Windows\system32\reg.exe
        Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        - Turn off Windows Defender SpyNet reporting
    (level 3) C:\Windows\system32\reg.exe
        Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
        - Turn off Windows Defender SpyNet reporting
    (level 3) C:\Windows\system32\reg.exe
        Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Ujuhueuij" /d "0"
        - Windows security bypass
    (level 3) C:\Users\Admin\AppData\Roaming\Microsoft\Ujuhueuij\tyfmyb.exe
        Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Ujuhueuij\tyfmyb.exe
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - Executes dropped EXE
      (level 4) C:\Users\Admin\AppData\Roaming\Microsoft\Ujuhueuij\tyfmyb.exe
          Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Ujuhueuij\tyfmyb.exe /C
          - Suspicious behavior: EnumeratesProcesses
          - Executes dropped EXE
    (level 3) C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\1myPtKM47.exe"
      (level 4) C:\Windows\system32\PING.EXE
          Command line: ping.exe -n 6 127.0.0.1
          - Runs ping.exe
    (level 3) C:\Windows\system32\schtasks.exe
        Command line: "C:\Windows\system32\schtasks.exe" /DELETE /F /TN fqdemihgz
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Ujuhueuij\tyfmyb.dat
- C:\Users\Admin\AppData\Roaming\Microsoft\Ujuhueuij\tyfmyb.exe
- \Users\Admin\AppData\Roaming\Microsoft\Ujuhueuij\tyfmyb.exe
- memory/1128-7-0x0000000001FE0000-0x0000000002072000-memory.dmp (filesize 584KB)
- memory/1148-6-0x00000000023F0000-0x0000000002401000-memory.dmp (filesize 68KB)
- memory/1304-12-0x0000000002570000-0x0000000002581000-memory.dmp (filesize 68KB)
- memory/1384-0-0x0000000002490000-0x00000000024A1000-memory.dmp (filesize 68KB)