Analysis
Max time kernel: 137s
Resource: win10v191014
Submitted: 10-01-2020 13:41
Task: task1
Sample: 1myPtKM47.exe
Resource: win7v191014
General
Malware Config
Extracted
Family: qakbot
Campaign: 1578386545 (Qakbot stores the campaign ID as a Unix timestamp; this one decodes to 2020-01-07 08:42:25 UTC)
C2 list (ip:port, as extracted; note the port-0 entry and the repeated 130.93.11.211:995):
72.218.167.183:443
74.33.69.22:443
181.197.195.138:995
47.23.101.26:465
74.194.117.185:443
66.214.75.176:443
45.45.105.94:995
71.30.56.170:443
50.247.230.33:995
67.10.18.112:993
72.224.159.224:2222
173.3.132.17:995
173.79.220.156:443
75.165.181.122:443
70.62.160.186:6883
130.93.11.211:443
104.191.66.184:443
73.142.81.221:443
184.191.62.78:443
47.153.115.154:443
98.252.150.180:443
188.61.134.98:2222
45.45.105.94:443
24.229.245.124:995
76.180.69.236:443
138.122.5.214:443
206.51.202.106:50002
67.233.124.33:995
71.77.231.251:443
59.93.193.101:995
24.32.119.146:443
96.35.170.82:2222
12.5.37.3:443
207.178.109.161:443
72.16.212.107:465
75.131.72.82:443
68.174.15.223:443
172.242.9.118:995
12.5.37.3:995
5.182.39.156:443
24.27.82.216:2222
71.29.187.201:22
162.244.225.30:443
108.227.161.27:443
67.200.146.98:2222
104.235.95.38:443
72.187.35.131:443
104.3.91.20:995
68.49.120.179:443
24.191.227.91:2222
24.184.6.58:2222
67.214.21.207:443
104.35.127.108:2222
184.167.2.251:2222
75.110.250.89:443
72.142.106.198:465
173.73.29.192:443
64.19.74.29:995
183.83.119.151:443
81.103.144.77:443
2.50.157.233:443
75.70.218.193:443
162.244.224.166:443
100.40.48.96:443
72.209.191.27:443
2.51.247.64:995
201.152.181.193:995
80.14.209.42:2222
2.88.235.60:443
130.93.11.211:995
65.30.12.240:443
130.93.11.211:995
98.237.120.65:995
108.160.123.244:443
64.203.122.88:995
86.169.244.41:2222
50.78.93.74:995
75.81.25.223:995
47.138.5.199:443
74.71.216.1:443
207.179.194.91:443
35.134.202.234:443
74.194.4.181:443
23.240.185.215:443
75.110.104.164:443
184.74.101.234:995
73.226.220.56:443
66.222.88.126:995
100.4.185.8:443
65.185.84.240:443
173.61.231.209:443
172.243.153.211:443
173.22.120.11:2222
75.90.230.120:995
24.189.222.222:2222
75.131.72.82:995
208.126.142.17:443
70.126.76.75:443
69.92.54.95:995
47.40.244.237:443
108.39.114.84:443
178.86.235.231:443
1.172.108.75:443
71.233.73.222:995
72.29.181.77:2078
47.227.198.155:443
184.180.157.203:2222
174.48.72.160:443
68.1.115.106:443
67.246.16.250:995
70.177.25.99:443
93.177.144.236:443
75.130.117.134:443
47.39.76.74:443
24.202.42.48:2222
71.80.227.238:443
50.246.229.50:443
47.146.169.85:443
107.12.131.249:443
78.13.212.163:2222
205.250.79.62:443
32.208.1.239:443
68.117.216.167:443
166.62.180.194:2078
75.131.239.76:995
47.153.115.154:995
108.5.34.92:443
76.176.28.156:2222
173.31.178.20:443
97.84.226.90:443
108.184.199.131:443
152.208.21.141:443
73.104.218.229:0
109.169.196.111:21
70.124.29.226:443
98.121.187.78:443
72.190.101.70:443
98.118.162.34:443
104.34.186.27:995
190.217.1.149:443
96.242.232.231:443
97.96.51.117:443
74.96.151.6:443
74.134.35.54:443
72.228.3.116:443
47.155.19.205:443
73.200.219.143:443
84.47.204.253:995
80.121.142.33:993
98.148.177.77:443
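The extracted C2 list is only useful once it is validated and de-duplicated. The following is an added example (not part of the sandbox report) that parses a constructed subset of the lines above, rejects entries that cannot be connected to (the port-0 line), collapses the duplicate, decodes the campaign timestamp, and emits one Suricata rule per C2. The SID base and the rule message text are assumptions.

```python
"""Validate and de-duplicate the sandbox-extracted Qakbot C2 list and turn it
into Suricata rules. Added example; RAW_C2 is a constructed subset of the
list in the report, SID base and msg text are assumptions."""
import ipaddress
from collections import Counter
from datetime import datetime, timezone

# Constructed subset of the report's C2 lines, including the port-0 entry
# and the host that is listed twice.
RAW_C2 = """
72.218.167.183:443
74.33.69.22:443
181.197.195.138:995
72.224.159.224:2222
130.93.11.211:995
130.93.11.211:995
73.104.218.229:0
109.169.196.111:21
"""

CAMPAIGN_ID = 1578386545  # value shown under "Extracted" in the report


def campaign_time(campaign_id):
    """Qakbot campaign IDs are Unix timestamps; decode to an aware UTC datetime."""
    return datetime.fromtimestamp(campaign_id, tz=timezone.utc)


def parse_c2(text):
    """Return (valid, rejected).

    valid:    ordered, de-duplicated list of (ip, port) tuples
    rejected: raw lines that are not a routable public ip:port (bad port,
              private/loopback address, or unparsable)
    """
    seen, valid, rejected = set(), [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, sep, port = line.rpartition(":")
        try:
            ip = ipaddress.ip_address(host)
            port = int(port)
        except ValueError:
            rejected.append(line)
            continue
        if not sep or not 1 <= port <= 65535 or ip.is_private or ip.is_loopback:
            rejected.append(line)
            continue
        key = (str(ip), port)
        if key in seen:
            continue  # duplicate entry in the config
        seen.add(key)
        valid.append(key)
    return valid, rejected


def suricata_rules(c2s, sid_base=9000000):
    """One outbound TCP rule per C2 (sid_base is an assumed private SID range)."""
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} '
        f'(msg:"Qakbot C2 {ip}:{port} (sandbox-extracted config)"; '
        f'flow:to_server; sid:{sid_base + i}; rev:1;)'
        for i, (ip, port) in enumerate(c2s)
    ]


def port_histogram(c2s):
    """Which ports the botnet uses; useful for a first-pass egress filter."""
    return Counter(port for _, port in c2s)


if __name__ == "__main__":
    valid, rejected = parse_c2(RAW_C2)
    print("campaign:", campaign_time(CAMPAIGN_ID).isoformat())
    print("rejected:", rejected)
    print("ports:", port_histogram(valid).most_common())
    print("\n".join(suricata_rules(valid)))
```

Feed the full list from the report into `parse_c2` in place of the constructed subset; the ordering of the output follows the config, so rule SIDs stay stable between runs as long as the config does not change.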
Signatures
-
Checks SCSI registry key(s) (3 TTPs, 18 IoCs)
SCSI information is often read in order to detect sandboxing environments. Both the submitted sample (1myPtKM47.exe) and the dropped copy (iesbkg.exe) open the SCSI device enumeration keys and query DeviceDesc and Service. This sandbox presents a CD-ROM named "Sanu DVD-ROM" and a disk named "HeartDisk" rather than a hypervisor vendor string; the persistence and Defender-tampering steps that follow show the check did not stop execution.
Processes: iesbkg.exe, iesbkg.exe, 1myPtKM47.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 | iesbkg.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc | iesbkg.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc | iesbkg.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc | iesbkg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 | 1myPtKM47.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc | 1myPtKM47.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 | iesbkg.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service | 1myPtKM47.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service | iesbkg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 | 1myPtKM47.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc | iesbkg.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service | iesbkg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 | iesbkg.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc | 1myPtKM47.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service | 1myPtKM47.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service | iesbkg.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service | iesbkg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 | iesbkg.exe
-
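To make the SCSI signature concrete, here is an added example (not code from the sample or from the sandbox) that mirrors the check: it takes the device key names and DeviceDesc values the sample reads and looks for hypervisor vendor strings. The marker list is an assumed, representative one; the two input dicts are constructed, one from the key names in this report and one for a hypothetical unhardened VirtualBox guest. On Windows it can also read the live keys through the CurrentControlSet alias.

```python
r"""Mirror of the anti-sandbox check behind "Checks SCSI registry key(s)".
The sample opens HKLM\SYSTEM\ControlSet001\Enum\SCSI\<device>\<instance>
and reads DeviceDesc and Service; a typical anti-VM routine then searches
those strings for hypervisor vendor names. Added example, not the sample's
or the sandbox's code. VM_MARKERS is an assumed list; REPORT_SCSI is built
from the key names in the report, VBOX_SCSI is a hypothetical guest."""
import sys

# Assumed, representative vendor strings an anti-VM check looks for.
VM_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "xen", "virtual")

# Constructed from the keys this report shows the sample reading.
REPORT_SCSI = {
    r"CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000":
        {"DeviceDesc": "Sanu DVD-ROM", "Service": "cdrom"},
    r"Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000":
        {"DeviceDesc": "HeartDisk", "Service": "disk"},
}
# Constructed: what an unhardened VirtualBox guest exposes (instance ids invented).
VBOX_SCSI = {
    r"CdRom&Ven_VBOX&Prod_CD-ROM\4&2b5a1c00&0&010000":
        {"DeviceDesc": "VBOX CD-ROM", "Service": "cdrom"},
    r"Disk&Ven_VBOX&Prod_HARDDISK\4&2b5a1c00&0&000000":
        {"DeviceDesc": "VBOX HARDDISK", "Service": "disk"},
}


def vm_markers_found(scsi_enum):
    """Return the sorted list of VM markers seen in key names or DeviceDesc.

    An empty list means the check passes and execution continues, which is
    what this report shows for the sandbox's spoofed device names."""
    found = set()
    for key, values in scsi_enum.items():
        for text in (key, values.get("DeviceDesc", "")):
            low = text.lower()
            found.update(m for m in VM_MARKERS if m in low)
    return sorted(found)


def _subkeys(key):
    """Yield the sub-key names of an open winreg key."""
    import winreg
    i = 0
    while True:
        try:
            yield winreg.EnumKey(key, i)
        except OSError:
            return
        i += 1


def read_live_scsi():
    """Windows only: read the same keys the sample did. CurrentControlSet is
    the alias that normally points at ControlSet001."""
    import winreg
    enum = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Enum\SCSI") as scsi:
        for dev in _subkeys(scsi):
            with winreg.OpenKey(scsi, dev) as devkey:
                for inst in _subkeys(devkey):
                    with winreg.OpenKey(devkey, inst) as k:
                        vals = {}
                        for name in ("DeviceDesc", "Service"):
                            try:
                                vals[name] = winreg.QueryValueEx(k, name)[0]
                            except OSError:
                                pass
                        enum[dev + "\\" + inst] = vals
    return enum


if __name__ == "__main__":
    print("report sandbox:", vm_markers_found(REPORT_SCSI) or "no markers")
    print("virtualbox guest:", vm_markers_found(VBOX_SCSI))
    if sys.platform == "win32":
        print("this host:", vm_markers_found(read_live_scsi()) or "no markers")
```

Run it on an analysis VM to see which of its own device strings would trip the sample; renaming the virtual CD-ROM and disk, as this sandbox did, is what makes the check pass.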
Turn off Windows Defender SpyNet reporting (6 IoCs)
SpyNetReporting = 0 disables MAPS/SpyNet cloud reporting and SubmitSamplesConsent = 2 means "never send samples", so Defender will neither report nor upload the dropped binary. The values are written to both the 64-bit and the WOW6432Node views of the Windows Defender key and to the legacy Microsoft AntiMalware key.
Processes: reg.exe (six instances)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent = "2" | reg.exe
-
Windows security bypass (1 IoCs)
A DWORD 0 value under Exclusions\Paths is how Defender stores a path exclusion; the excluded directory is the one the dropped copy iesbkg.exe runs from.
Processes: reg.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Ngqezym = "0" | reg.exe
-
Adds Run entry to start application (2 TTPs, 1 IoCs)
The Run value is written by explorer.exe, not by the dropper; iesbkg.exe (PID 1780) wrote into explorer.exe (PID 4476) just before (see WriteProcessMemory below), so the write comes from injected code.
Processes: explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Windows\CurrentVersion\Run\aaglwlzcl = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Ngqezym\\iesbkg.exe\"" | explorer.exe
-
Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | process
4956 | 1myPtKM47.exe
5020 | 1myPtKM47.exe
1780 | iesbkg.exe
4404 | iesbkg.exe
4476 | explorer.exe
4660 | 1myPtKM47.exe
4852 | iesbkg.exe
4916 | iesbkg.exe
-
Suspicious use of WriteProcessMemory (18 IoCs)
A parent also writes into a freshly created child during normal CreateProcess (parameter block setup), so the writes into reg.exe, cmd.exe and schtasks.exe are not evidence by themselves. The writes into a second copy of the same image (4956 to 5020, 1780 to 4404, 4852 to 4916) and the write from iesbkg.exe into explorer.exe (1780 to 4476), which then writes the Run value, are the injection pattern.
source pid | source process | target pid | target process
4956 | 1myPtKM47.exe | 5020 | 1myPtKM47.exe
4956 | 1myPtKM47.exe | 1780 | iesbkg.exe
4956 | 1myPtKM47.exe | 2088 | schtasks.exe
1780 | iesbkg.exe | 4404 | iesbkg.exe
1780 | iesbkg.exe | 4476 | explorer.exe
4660 | 1myPtKM47.exe | 4388 | reg.exe
4660 | 1myPtKM47.exe | 4276 | reg.exe
4660 | 1myPtKM47.exe | 4172 | reg.exe
4660 | 1myPtKM47.exe | 4160 | reg.exe
4660 | 1myPtKM47.exe | 4256 | reg.exe
4660 | 1myPtKM47.exe | 4204 | reg.exe
4660 | 1myPtKM47.exe | 4288 | reg.exe
4660 | 1myPtKM47.exe | 2676 | reg.exe
4660 | 1myPtKM47.exe | 4940 | reg.exe
4660 | 1myPtKM47.exe | 4852 | iesbkg.exe
4660 | 1myPtKM47.exe | 4608 | cmd.exe
4660 | 1myPtKM47.exe | 4568 | schtasks.exe
4852 | iesbkg.exe | 4916 | iesbkg.exe
-
Executes dropped EXE (4 IoCs)
pid | process
1780 | iesbkg.exe
4404 | iesbkg.exe
4852 | iesbkg.exe
4916 | iesbkg.exe
-
Suspicious behavior: MapViewOfSection (1 IoCs)
pid | process
1780 | iesbkg.exe
Processes
-
Two root processes appear. The first is the submitted sample: it runs a copy of itself with /C (the SCSI check), drops iesbkg.exe under AppData\Roaming\Microsoft\Ngqezym, and registers a one-shot scheduled task (rdtnjhea) that runs the original file as NT AUTHORITY\SYSTEM with /I rdtnjhea. The second root is that task firing. Running as SYSTEM it can write HKLM, so it turns off Defender SpyNet reporting, excludes the drop directory, relaunches iesbkg.exe, overwrites the original dropper with a copy of calc.exe after a ping delay (ping -n 6 127.0.0.1 stands in for sleep), and deletes the task. The bracketed number is the depth in the tree.

[1] C:\Users\Admin\AppData\Local\Temp\1myPtKM47.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\1myPtKM47.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\1myPtKM47.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\1myPtKM47.exe /C
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Ngqezym\iesbkg.exe
      cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Ngqezym\iesbkg.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - Executes dropped EXE
      - Suspicious behavior: MapViewOfSection
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Ngqezym\iesbkg.exe
        cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Ngqezym\iesbkg.exe /C
        - Checks SCSI registry key(s)
        - Suspicious behavior: EnumeratesProcesses
        - Executes dropped EXE
    [3] C:\Windows\SysWOW64\explorer.exe
        cmdline: C:\Windows\SysWOW64\explorer.exe
        - Adds Run entry to start application
        - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\SysWOW64\schtasks.exe
      cmdline: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn rdtnjhea /tr "\"C:\Users\Admin\AppData\Local\Temp\1myPtKM47.exe\" /I rdtnjhea" /SC ONCE /Z /ST 14:43 /ET 14:55

[1] C:\Users\Admin\AppData\Local\Temp\1myPtKM47.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\1myPtKM47.exe /I rdtnjhea
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
      - Turn off Windows Defender SpyNet reporting
  [2] C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
      - Turn off Windows Defender SpyNet reporting
  [2] C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
  [2] C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
  [2] C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
      - Turn off Windows Defender SpyNet reporting
  [2] C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
      - Turn off Windows Defender SpyNet reporting
  [2] C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
      - Turn off Windows Defender SpyNet reporting
  [2] C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
      - Turn off Windows Defender SpyNet reporting
  [2] C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Ngqezym" /d "0"
      - Windows security bypass
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Ngqezym\iesbkg.exe
      cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Ngqezym\iesbkg.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Ngqezym\iesbkg.exe
        cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Ngqezym\iesbkg.exe /C
        - Checks SCSI registry key(s)
        - Suspicious behavior: EnumeratesProcesses
        - Executes dropped EXE
  [2] C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\1myPtKM47.exe"
    [3] C:\Windows\system32\PING.EXE
        cmdline: ping.exe -n 6 127.0.0.1
        - Runs ping.exe
  [2] C:\Windows\system32\schtasks.exe
      cmdline: "C:\Windows\system32\schtasks.exe" /DELETE /F /TN rdtnjhea
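The command lines in the tree are the detection surface for this sample's second stage. The following is an added example (not part of the report) of detection logic run over process-creation and registry-set events: it flags reg.exe writes to any SpyNet key, reg.exe adding a Defender path exclusion, schtasks /Create as SYSTEM whose action lives under C:\Users, the cmd.exe line that overwrites the dropper with calc.exe after a ping delay, and a Run value pointing at an executable under AppData. The event tuples are a constructed shape, not a real Sysmon schema; the command lines are copied from the tree above plus one benign control line.

```python
r"""Detection logic for the behaviours in the process tree above. Added
example, not part of the sandbox report. Events are constructed tuples:
(parent image, image, command line) and (image, registry key, data)."""
import re

# Constructed process-creation events echoing the tree above, plus one benign line.
PROC_EVENTS = [
    ("1myPtKM47.exe", r"C:\Windows\system32\reg.exe",
     r'C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"'),
    ("1myPtKM47.exe", r"C:\Windows\system32\reg.exe",
     r'C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"'),
    ("1myPtKM47.exe", r"C:\Windows\system32\reg.exe",
     r'C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Ngqezym" /d "0"'),
    ("1myPtKM47.exe", r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn rdtnjhea /tr "\"C:\Users\Admin\AppData\Local\Temp\1myPtKM47.exe\" /I rdtnjhea" /SC ONCE /Z /ST 14:43 /ET 14:55'),
    ("1myPtKM47.exe", r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\1myPtKM47.exe"'),
    ("explorer.exe", r"C:\Windows\system32\notepad.exe",  # benign control
     r'"C:\Windows\system32\notepad.exe" C:\Users\Admin\notes.txt'),
]
# Constructed registry-set event echoing the Run value written by explorer.exe.
REG_EVENTS = [
    (r"C:\Windows\SysWOW64\explorer.exe",
     r"\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Windows\CurrentVersion\Run\aaglwlzcl",
     r'"C:\Users\Admin\AppData\Roaming\Microsoft\Ngqezym\iesbkg.exe"'),
]

REG_ADD = r'\breg(\.exe)?"?\s+add\s+"?hklm\\software\\'
RULES = [
    # Any key ending in SpyNet, so the Wow6432Node\Microsoft AntiMalware
    # variant in the tree (which the sandbox did not tag) is caught as well.
    ("defender_spynet_tamper",
     re.compile(REG_ADD + r'[^"]*spynet"?\s.*?/v\s+"?(spynetreporting|submitsamplesconsent)\b', re.I)),
    ("defender_exclusion_added",
     re.compile(REG_ADD + r'[^"]*windows defender\\exclusions\\', re.I)),
    # Task running as SYSTEM whose action is a binary inside a user profile.
    ("schtasks_system_userprofile_binary",
     re.compile(r'\bschtasks(\.exe)?"?\s+/create\b.*?/ru\s+"?nt authority\\system"?.*?/tr\s+"?\\?"?c:\\users\\', re.I)),
    # ping-as-sleep followed by `type` redirected over an .exe in a user profile.
    ("self_overwrite_after_ping",
     re.compile(r'\bcmd(\.exe)?"?\s+/c\s+ping(\.exe)?\s+-n\s+\d+.*?&\s*type\s+.*?>\s*"?c:\\users\\[^"]*\.exe', re.I)),
]
RUN_KEY = re.compile(r'\\software\\microsoft\\windows\\currentversion\\run\\', re.I)
APPDATA_EXE = re.compile(r'^"?c:\\users\\[^"]*\\appdata\\[^"]*\.exe', re.I)


def scan_process_events(events):
    """Return (rule name, parent image, image) for every rule firing on a command line."""
    hits = []
    for parent, image, cmdline in events:
        hits.extend((name, parent, image) for name, rx in RULES if rx.search(cmdline))
    return hits


def scan_registry_sets(events):
    """Return (rule name, image, key) for Run values whose data is an .exe under AppData."""
    return [("run_key_to_appdata", image, key)
            for image, key, data in events
            if RUN_KEY.search(key) and APPDATA_EXE.match(data)]


if __name__ == "__main__":
    for hit in scan_process_events(PROC_EVENTS) + scan_registry_sets(REG_EVENTS):
        print(*hit, sep="\t")
```

The rules match on command-line text only, so they fire regardless of which reg.exe or schtasks.exe image path is used (system32 or SysWOW64); the parent image is carried through so an analyst can see that all of the reg.exe activity here hangs off the SYSTEM-level task instance of the sample.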
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Ngqezym\iesbkg.dat
-
C:\Users\Admin\AppData\Roaming\Microsoft\Ngqezym\iesbkg.exe (listed 5 times)
-
memory/1780-6-0x0000000002250000-0x00000000022E2000-memory.dmp (Filesize 584KB)
memory/4404-5-0x0000000002A90000-0x0000000002A91000-memory.dmp (Filesize 4KB)
memory/4916-10-0x0000000002AD0000-0x0000000002AD1000-memory.dmp (Filesize 4KB)
memory/5020-1-0x0000000002BF0000-0x0000000002BF1000-memory.dmp (Filesize 4KB)
PID 1780 is the iesbkg.exe instance flagged for MapViewOfSection and for writing into explorer.exe; its 584KB region is the one to examine first for the unpacked payload. The three 4KB dumps come from the /C children (PIDs 5020, 4404 and 4916).