Analysis

Max time kernel: 152s
Max time network: 6s
Platform: windows7_x64
Resource: win7v200430
Submitted: 26-05-2020 16:05

Tasks:
  Static task: static1
  Behavioral task: behavioral1
  Sample: 444444.png.exe
  Resource: win7v200430
General

Target: 444444.png.exe
Size: 2.3MB
MD5: f8849261a9db65164958d8c99ebc1f13
SHA1: 004818f4c927ba99a0694fd94cc754dd4df731fd
SHA256: ec38eb6ee133958ef6cc3bfa257d9368c615b3182d22282f63d12ca7f2b2c5be
SHA512: 7532e2943353bc7c38b54c7c128f27cccc41cfc2e5dfc86cd899de5c50b1af102f2dbd6648086a9d2d8b38797c27b6555fb2803594e2b7d1de266418e0b86bde
Malware Config

Extracted: qakbot
spx96
1586873043

C2 (IP:port):
72.209.191.27:443
173.22.120.11:2222
108.227.161.27:995
172.87.134.226:443
181.197.195.138:995
98.21.52.194:443
76.180.69.236:443
68.98.142.248:443
68.52.164.175:443
39.59.63.142:995
35.142.126.181:443
96.35.170.82:2222
75.111.145.5:443
47.214.144.253:443
74.105.139.160:443
67.8.103.21:443
50.108.212.180:443
83.25.7.201:2222
188.25.237.208:443
184.167.2.251:2222
75.110.250.89:443
84.232.216.243:443
188.27.17.115:443
93.113.91.129:443
71.74.12.34:443
71.182.142.63:443
86.189.181.83:443
72.190.124.29:443
70.183.127.6:995
98.121.187.78:443
97.81.255.189:443
93.114.89.119:995
98.190.24.81:443
68.224.192.39:443
50.244.112.106:443
5.182.39.156:443
97.96.51.117:443
67.209.195.198:3389
181.126.86.223:443
47.146.169.85:443
2.190.144.230:443
67.131.59.17:443
71.11.209.101:443
72.218.167.183:995
66.26.160.37:443
94.52.160.218:443
173.3.132.17:995
66.225.65.155:32101
24.229.245.124:995
100.38.123.22:443
47.205.231.60:443
72.16.212.107:465
100.40.48.96:443
65.131.79.162:995
24.202.42.48:2222
73.169.47.57:443
24.37.178.158:995
108.54.103.234:443
68.116.183.68:443
151.205.102.42:443
66.208.105.6:443
80.11.10.151:990
73.226.220.56:443
75.182.220.196:2222
96.232.203.15:443
69.206.6.71:2222
188.27.67.221:443
70.62.160.186:6883
47.41.3.40:443
49.191.9.180:995
65.116.179.83:443
71.172.110.236:443
47.153.115.154:443
24.158.103.220:443
71.220.222.169:443
108.27.217.44:443
98.197.254.40:443
64.19.74.29:995
71.58.21.235:443
89.34.231.30:443
24.37.178.158:443
70.174.3.241:443
76.170.77.99:443
72.224.213.98:2222
47.136.224.60:443
68.174.15.223:443
72.29.181.77:2078
50.29.181.193:995
69.92.54.95:995
47.180.66.10:443
79.117.9.144:443
184.180.157.203:2222
80.14.209.42:2222
189.163.185.56:443
184.57.17.74:443
98.244.249.165:995
94.52.151.23:443
137.99.224.198:443
120.147.67.62:2222
67.250.184.157:443
206.169.163.147:995
201.146.122.138:443
24.46.40.189:2222
108.34.131.96:443
94.53.113.91:443
50.91.171.137:443
100.1.239.189:443
86.106.126.31:443
86.120.98.221:443
62.121.78.22:443
74.33.70.30:443
78.97.119.189:443
63.230.2.205:2083
79.118.168.203:443
31.5.189.71:443
104.235.60.13:443
173.175.29.210:443
84.117.30.222:443
86.123.130.104:443
81.103.144.77:443
82.210.154.111:443
95.77.237.115:443
121.139.184.226:443
35.143.248.234:443
72.80.137.215:443
98.11.113.199:443
206.183.190.53:995
216.16.178.115:443
79.113.193.29:443
207.255.18.67:443
46.153.95.116:995
71.77.231.251:443
72.36.59.46:2222
188.173.185.139:443
95.77.223.148:443
50.247.230.33:995
89.43.136.239:443
84.247.55.190:443
23.240.76.67:443
98.243.187.85:443
5.14.253.163:443
152.32.80.37:443
79.115.211.4:2222
47.40.244.237:443
67.197.97.144:443
193.23.5.134:443
72.183.129.56:443
85.204.189.105:443
71.77.252.14:2222
95.77.144.238:443
Signatures

Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
  PID 1048  wbtdi.exe

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of WriteProcessMemory (77 IoCs)
Processes (64 of the 77 IoCs are listed; identical rows are collapsed with a count):
  PID 272 wrote to memory of 824     444444.png.exe -> 444444.png.exe   (x4)
  PID 272 wrote to memory of 1048    444444.png.exe -> wbtdi.exe        (x4)
  PID 1048 wrote to memory of 1028   wbtdi.exe -> wbtdi.exe             (x4)
  PID 272 wrote to memory of 1512    444444.png.exe -> schtasks.exe     (x4)
  PID 1048 wrote to memory of 1764   wbtdi.exe -> explorer.exe          (x5)
  PID 480 wrote to memory of 1516    taskeng.exe -> 444444.png.exe      (x4)
  PID 1516 wrote to memory of 1656   444444.png.exe -> reg.exe          (x4)
  PID 1516 wrote to memory of 1608   444444.png.exe -> reg.exe          (x4)
  PID 1516 wrote to memory of 1644   444444.png.exe -> reg.exe          (x4)
  PID 1516 wrote to memory of 1588   444444.png.exe -> reg.exe          (x4)
  PID 1516 wrote to memory of 1008   444444.png.exe -> reg.exe          (x4)
  PID 1516 wrote to memory of 2024   444444.png.exe -> reg.exe          (x4)
  PID 1516 wrote to memory of 1996   444444.png.exe -> reg.exe          (x4)
  PID 1516 wrote to memory of 1256   444444.png.exe -> reg.exe          (x4)
  PID 1516 wrote to memory of 2044   444444.png.exe -> reg.exe          (x4)
  PID 1516 wrote to memory of 836    444444.png.exe -> wbtdi.exe        (x3)

Loads dropped DLL (3 IoCs)
Processes:
  PID 272   444444.png.exe
  PID 272   444444.png.exe
  PID 1516  444444.png.exe

Turns off Windows Defender SpyNet reporting (6 IoCs)
Processes (description, IoC, process):
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting = "0"              reg.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent = "2"         reg.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SpyNetReporting = "0"                   reg.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent = "2"              reg.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"       reg.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2"  reg.exe

Windows security bypass (signature name taken from the process tree below; the heading is missing from the extracted report)
Processes (description, IoC, process):
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Pwxnkejim = "0"  reg.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths                                                          reg.exe

Modifies data under HKEY_USERS (3 IoCs)
Processes (description, IoC, process):
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     444444.png.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"  444444.png.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"     444444.png.exe

Adds Run entry to start application (2 TTPs, 1 IoC)
Processes (description, IoC, process):
  Set value (str)  \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\mmpjxkrc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Pwxnkejim\\wbtdi.exe\""  explorer.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Windows security modification (signature name taken from the process tree below; the heading is missing from the extracted report)
Processes (description, IoC, process):
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet           reg.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet           reg.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet                reg.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet                reg.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet    reg.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet    reg.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes:
  PID 272   444444.png.exe
  PID 824   444444.png.exe
  PID 824   444444.png.exe
  PID 1048  wbtdi.exe
  PID 1028  wbtdi.exe
  PID 1028  wbtdi.exe
  PID 1764  explorer.exe
  PID 1764  explorer.exe
  PID 1516  444444.png.exe
  PID 836   wbtdi.exe
  PID 1432  wbtdi.exe
  PID 1432  wbtdi.exe

Executes dropped EXE (4 IoCs)
Processes:
  PID 1048  wbtdi.exe
  PID 1028  wbtdi.exe
  PID 836   wbtdi.exe
  PID 1432  wbtdi.exe
Processes

Process tree 1 (indentation shows parent/child depth):

C:\Users\Admin\AppData\Local\Temp\444444.png.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\444444.png.exe"
  PID: 272
  - Suspicious use of WriteProcessMemory
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\Temp\444444.png.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\444444.png.exe /C
      PID: 824
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Roaming\Microsoft\Pwxnkejim\wbtdi.exe
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Pwxnkejim\wbtdi.exe
      PID: 1048
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - Suspicious behavior: EnumeratesProcesses
      - Executes dropped EXE

        C:\Users\Admin\AppData\Roaming\Microsoft\Pwxnkejim\wbtdi.exe
          Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Pwxnkejim\wbtdi.exe /C
          PID: 1028
          - Suspicious behavior: EnumeratesProcesses
          - Executes dropped EXE

        C:\Windows\SysWOW64\explorer.exe
          Command line: C:\Windows\SysWOW64\explorer.exe
          PID: 1764
          - Adds Run entry to start application
          - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn nsvwuptm /tr "\"C:\Users\Admin\AppData\Local\Temp\444444.png.exe\" /I nsvwuptm" /SC ONCE /Z /ST 18:07 /ET 18:19
      PID: 1512
      - Creates scheduled task(s)

Process tree 2 (the scheduled task firing under the Task Scheduler engine):

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {F5566AAA-8FDB-4FDC-86A7-70F89B5ACB48} S-1-5-18:NT AUTHORITY\System:Service:
  PID: 480
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\444444.png.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\444444.png.exe /I nsvwuptm
      PID: 1516
      - Suspicious use of WriteProcessMemory
      - Loads dropped DLL
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses

        C:\Windows\system32\reg.exe
          Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
          PID: 1656
          - Turns off Windows Defender SpyNet reporting
          - Windows security modification

        C:\Windows\system32\reg.exe
          Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
          PID: 1608
          - Turns off Windows Defender SpyNet reporting
          - Windows security modification

        C:\Windows\system32\reg.exe
          Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
          PID: 1644

        C:\Windows\system32\reg.exe
          Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
          PID: 1588

        C:\Windows\system32\reg.exe
          Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
          PID: 1008
          - Turns off Windows Defender SpyNet reporting
          - Windows security modification

        C:\Windows\system32\reg.exe
          Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
          PID: 2024
          - Turns off Windows Defender SpyNet reporting
          - Windows security modification

        C:\Windows\system32\reg.exe
          Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
          PID: 1996
          - Turns off Windows Defender SpyNet reporting
          - Windows security modification

        C:\Windows\system32\reg.exe
          Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
          PID: 1256
          - Turns off Windows Defender SpyNet reporting
          - Windows security modification

        C:\Windows\system32\reg.exe
          Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Pwxnkejim" /d "0"
          PID: 2044
          - Windows security bypass

        C:\Users\Admin\AppData\Roaming\Microsoft\Pwxnkejim\wbtdi.exe
          Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Pwxnkejim\wbtdi.exe
          PID: 836
          - Suspicious behavior: EnumeratesProcesses
          - Executes dropped EXE

            C:\Users\Admin\AppData\Roaming\Microsoft\Pwxnkejim\wbtdi.exe
              Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Pwxnkejim\wbtdi.exe /C
              PID: 1432
              - Suspicious behavior: EnumeratesProcesses
              - Executes dropped EXE

        C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\444444.png.exe"
          PID: 1788

            C:\Windows\system32\PING.EXE
              Command line: ping.exe -n 6 127.0.0.1
              PID: 1488
              - Runs ping.exe

        C:\Windows\system32\schtasks.exe
          Command line: "C:\Windows\system32\schtasks.exe" /DELETE /F /TN nsvwuptm
          PID: 1308
Network
MITRE ATT&CK Enterprise v6
Downloads

- C:\Users\Admin\AppData\Roaming\Microsoft\Pwxnkejim\wbtdi.dat
- C:\Users\Admin\AppData\Roaming\Microsoft\Pwxnkejim\wbtdi.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Pwxnkejim\wbtdi.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Pwxnkejim\wbtdi.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Pwxnkejim\wbtdi.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Pwxnkejim\wbtdi.exe
- \Users\Admin\AppData\Roaming\Microsoft\Pwxnkejim\wbtdi.exe
- \Users\Admin\AppData\Roaming\Microsoft\Pwxnkejim\wbtdi.exe
- \Users\Admin\AppData\Roaming\Microsoft\Pwxnkejim\wbtdi.exe
Memory dumps (file, size):
- memory/824-0-0x0000000002490000-0x00000000024A1000-memory.dmp    68KB
- memory/1028-6-0x0000000002510000-0x0000000002521000-memory.dmp   68KB
- memory/1048-7-0x0000000000390000-0x00000000003CC000-memory.dmp   240KB