Analysis

max time kernel:   130s
max time network:  66s
platform:          windows10_x64
resource:          win10v200430
submitted:         09-06-2020 15:34 (DD-MM-YYYY)

Static task:       static1
Behavioral task:   behavioral1
Sample:            8888888.exe
Resource:          win7v200430
General

Target:  8888888.exe
Size:    1.1MB
MD5:     699cf093ec4d952ba1e65c6bfa479954
SHA1:    1af411ab00addbd9004561ed3b317e1894736038
SHA256:  c499664ef142e70f6d2fc01580ce180ebf2438ff9a2df4d609854138510d60fd
SHA512:  f1ba6c5699ed9b164c2447c8d1eff5d701743a81d980f07604cdcc26ae98c031f3da0ab313b256386d2f9787a14a6c9e7a594da2c834f95264bc2cff4cf15465
Malware Config

Extracted family:  qakbot
Botnet ID:         spx135
Campaign ID:       1591627649 (a Unix epoch timestamp: 2020-06-08 14:47:29 UTC, the day before submission)

C2 list (IP:port) as extracted from the sample. Note that several hosts appear on many ports (for example 72.204.242.138 on 20, 53, 80, 443, 995, 2078, 32102 and 50003) and one entry carries port 0; treat the host, not the port, as the indicator.
89.32.216.156:443
74.222.204.82:443
24.183.39.93:443
97.93.211.17:443
80.14.209.42:2222
96.35.170.82:2222
151.73.124.242:443
98.110.231.63:443
108.227.161.27:995
173.3.132.17:995
31.5.41.52:443
24.122.228.88:443
5.107.208.94:2222
76.185.136.58:443
50.29.166.232:995
73.210.114.187:443
92.114.107.193:995
24.43.22.220:993
50.247.230.33:995
72.142.106.198:465
102.41.122.185:995
67.131.59.17:443
184.98.104.7:995
69.11.247.242:443
201.127.4.70:443
72.204.242.138:50003
189.231.198.212:443
5.14.44.173:2222
5.14.76.156:443
151.205.102.42:443
179.51.23.31:443
72.190.101.70:443
73.76.47.127:443
80.240.26.178:443
72.36.59.46:2222
73.209.113.58:443
68.49.120.179:443
69.92.54.95:995
187.19.151.218:995
50.244.112.10:443
66.222.88.126:995
207.255.161.8:32102
108.58.9.238:995
105.98.154.57:443
98.219.77.197:443
216.163.4.91:443
47.152.210.233:443
178.223.17.74:995
72.204.242.138:20
82.127.193.151:2222
50.91.171.137:443
172.242.80.243:443
189.163.110.244:443
108.30.125.94:443
104.50.141.139:995
73.94.229.115:443
67.83.54.76:2222
72.29.181.77:2078
188.24.102.178:443
66.68.22.151:443
24.122.157.93:443
72.204.242.138:53
172.87.134.226:443
118.160.164.140:443
173.49.122.160:995
71.187.170.235:443
134.0.196.46:995
75.81.25.223:443
92.17.167.87:2222
185.246.9.69:995
70.123.92.175:2222
82.37.242.8:443
108.51.73.186:443
137.99.222.152:443
100.38.164.182:443
75.137.239.211:443
24.43.22.220:995
24.99.180.247:443
96.56.237.174:993
72.204.242.138:80
79.114.196.97:443
72.204.242.138:443
72.240.245.253:443
24.202.42.48:2222
46.102.60.186:443
200.113.201.83:993
98.27.176.35:443
47.201.1.210:443
50.78.93.74:443
68.60.221.169:465
66.26.160.37:443
190.198.124.212:2078
65.131.83.170:995
50.244.112.106:443
72.204.242.138:32102
77.159.149.74:443
184.96.155.4:993
72.16.212.108:465
47.153.115.154:995
72.240.200.181:2222
24.46.40.189:2222
68.82.125.234:443
188.173.70.18:443
47.40.244.237:443
5.13.105.2:443
76.30.66.244:443
5.14.188.235:443
72.204.242.138:995
5.69.56.255:443
5.14.248.119:443
188.192.75.8:443
24.27.82.216:2222
98.118.156.172:443
189.236.218.181:443
72.204.242.138:2078
47.41.3.40:443
108.28.90.129:443
184.89.71.68:443
31.50.210.205:2222
95.76.27.89:443
207.255.161.8:443
149.71.50.158:443
98.222.23.221:443
96.56.237.174:32103
68.116.193.239:443
100.38.123.22:443
47.24.47.218:443
24.110.96.149:443
181.91.254.1:443
96.18.240.158:443
67.165.206.193:995
69.28.222.54:443
98.243.187.85:443
184.180.157.203:2222
47.136.224.60:443
73.90.4.146:443
207.255.161.8:2222
203.33.139.134:443
104.221.4.11:2222
72.228.3.116:443
72.209.191.27:443
97.127.136.28:0
108.45.29.12:443
2.89.100.34:443
64.19.74.29:995
208.82.44.203:443
199.247.16.80:443
199.247.22.145:443
89.43.108.19:443
71.182.142.63:443
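A small parser for the extracted config block above, added here as a worked example (it is not part of the Triage report). CONFIG_TEXT is a constructed subset of the C2 entries listed on the page so the script runs offline; the TLS_LIKE_PORTS set is an analyst heuristic, not something the report states. It renders the campaign timestamp, builds a port histogram, flags ports outside the usual TLS-wrapped set, lists hosts that appear on several ports, rejects invalid entries such as port 0, and emits a deduplicated host blocklist.

```python
"""Parse the Qakbot config block that the sandbox extracted (added example; not
part of the Triage report).  CONFIG_TEXT is a constructed subset of the C2 list
shown on the page so the script runs offline; paste the full block in to
process the whole list."""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed subset of the extracted config: family, botnet id, campaign
# timestamp, then one IP:port C2 entry per line (all values copied from the report).
CONFIG_TEXT = """\
qakbot
spx135
1591627649
89.32.216.156:443
80.14.209.42:2222
108.227.161.27:995
24.43.22.220:993
72.142.106.198:465
72.204.242.138:50003
72.204.242.138:20
72.204.242.138:53
72.204.242.138:80
72.204.242.138:443
72.204.242.138:995
207.255.161.8:32102
207.255.161.8:443
97.127.136.28:0
"""

# Analyst heuristic (assumption, not from the report): ports on which the C2
# channel is usually TLS-wrapped.  Anything else deserves a closer look.
TLS_LIKE_PORTS = {443, 465, 993, 995, 2078, 2222}


def parse_config(text):
    """Return family, botnet id, campaign timestamp and the (ip, port) C2 list."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    family, botnet, stamp = lines[0], lines[1], int(lines[2])
    c2 = []
    for entry in lines[3:]:
        host, _, port = entry.rpartition(":")
        ipaddress.ip_address(host)  # raises ValueError on a malformed address
        c2.append((host, int(port)))
    # Qakbot's campaign id is a Unix epoch; render it for the incident timeline.
    campaign_utc = datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return {"family": family, "botnet": botnet, "campaign_ts": stamp,
            "campaign_utc": campaign_utc, "c2": c2}


def summarize(cfg):
    """Port histogram, unusual ports, hosts listed on several ports, invalid entries."""
    ports = Counter(port for _, port in cfg["c2"])
    by_host = defaultdict(set)
    for host, port in cfg["c2"]:
        by_host[host].add(port)
    return {
        "port_histogram": dict(ports),
        "odd_ports": sorted(p for p in ports if p not in TLS_LIKE_PORTS),
        "multi_port_hosts": {h: sorted(p) for h, p in by_host.items() if len(p) > 1},
        "invalid": [(h, p) for h, p in cfg["c2"] if not 1 <= p <= 65535],
    }


def blocklist(cfg):
    """Deduplicated host list, numerically sorted, for a firewall or sinkhole feed."""
    return sorted({host for host, _ in cfg["c2"]}, key=ipaddress.ip_address)


if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    summary = summarize(cfg)
    print(f"{cfg['family']} botnet={cfg['botnet']} campaign={cfg['campaign_utc']} UTC")
    print("odd ports:", summary["odd_ports"])
    print("hosts on several ports:", summary["multi_port_hosts"])
    print("invalid entries:", summary["invalid"])
    print("blocklist:", blocklist(cfg))
```

The multi-port view is the useful one for this family: a single address listed on port 20, 53, 80 and 443 at once is almost certainly a compromised host acting as a relay rather than a dedicated server, so blocking by host rather than by IP:port pair is the right granularity.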
Signatures

Modifies data under HKEY_USERS (5 IoCs)
Process: 8888888.exe (the "/I dtvghing" instance, pid 3912; see the process tree below). HKU\.DEFAULT is the hive the SYSTEM account uses, which fits a process launched by the scheduled task under NT AUTHORITY\SYSTEM.

  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
Windows security modification (7 IoCs; the signature header was lost in extraction and is recovered from the process-tree tags on the reg.exe children)
Process: reg.exe (spawned by the "8888888.exe /I dtvghing" instance)

  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet
  Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
  Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet
  Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet

Windows security bypass (2 IoCs; header recovered the same way)
Process: reg.exe (spawned by the "8888888.exe /I dtvghing" instance)

  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Aijhihi = "0"

The exclusion entry uses Defender's own format (value name = excluded path, REG_DWORD 0) and covers the directory into which cvskw.exe is dropped, so the persistent copy is never scanned.
Suspicious use of WriteProcessMemory (44 IoCs)
Each row is one writer/target pair; "writes" is how many times the pair appears in the report.

  writer pid  writer process   target pid  target process   writes
  2536        8888888.exe      420         8888888.exe      3
  2536        8888888.exe      1636        cvskw.exe        3
  2536        8888888.exe      1732        schtasks.exe     3
  1636        cvskw.exe        2772        cvskw.exe        3
  1636        cvskw.exe        3876        explorer.exe     4
  3912        8888888.exe      3968        reg.exe          2
  3912        8888888.exe      720         reg.exe          2
  3912        8888888.exe      2992        reg.exe          2
  3912        8888888.exe      760         reg.exe          2
  3912        8888888.exe      3652        reg.exe          2
  3912        8888888.exe      3784        reg.exe          2
  3912        8888888.exe      2532        reg.exe          2
  3912        8888888.exe      8           reg.exe          2
  3912        8888888.exe      3828        reg.exe          2
  3912        8888888.exe      3768        cvskw.exe        3
  3912        8888888.exe      3148        cmd.exe          2
  3912        8888888.exe      1132        schtasks.exe     2
  3768        cvskw.exe        1344        cvskw.exe        3

The targets that matter are the sample's own second instance, the dropped cvskw.exe and the 32-bit explorer.exe spawned from C:\Windows\SysWOW64: each is written to by its parent and then shows the same EnumeratesProcesses behaviour as the payload, which is the footprint of the injected Qakbot core.
Executes dropped EXE (4 IoCs)

  pid   process
  1636  cvskw.exe
  2772  cvskw.exe
  3768  cvskw.exe
  1344  cvskw.exe
Suspicious behavior: MapViewOfSection (1 IoC)

  pid   process
  1636  cvskw.exe
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task "dtvghing" re-launches the dropper once as NT AUTHORITY\SYSTEM with the "/I dtvghing" argument and is deleted at the end of that run (see the process tree), so it is an elevation step rather than long-term persistence; the persistent component is the dropped cvskw.exe.
Turns off Windows Defender SpyNet reporting (6 IoCs)
Process: reg.exe. SpyNetReporting = 0 disables cloud-delivered (MAPS) reporting and SubmitSamplesConsent = 2 means "never send samples", so suspicious files are neither reported nor uploaded for analysis.

  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting = "0"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent = "2"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2"
Suspicious behavior: EnumeratesProcesses (24 IoCs)

  pid   process       hits
  2536  8888888.exe   2
  420   8888888.exe   4
  1636  cvskw.exe     2
  2772  cvskw.exe     4
  3876  explorer.exe  4
  3912  8888888.exe   2
  3768  cvskw.exe     2
  1344  cvskw.exe     4
Runs ping.exe (1 TTP, 1 IoC)
Used as a delay of roughly five seconds ("ping.exe -n 6 127.0.0.1") before the original dropper file is overwritten; see the cmd.exe entry in the process tree.
Checks SCSI registry key(s) (3 TTPs, 18 IoCs)
SCSI information is often read in order to detect sandboxing environments. Here the "/C" instances of both the dropper and cvskw.exe open the emulated CD-ROM and disk device keys under ControlSet001\Enum\SCSI and read their DeviceDesc and Service values.

8888888.exe (6 IoCs)
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service

cvskw.exe (12 IoCs; each operation below appears twice, once per "cvskw.exe /C" instance)
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000  (x2)
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc  (x2)
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service  (x2)
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000  (x2)
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc  (x2)
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service  (x2)
Processes

Process tree as recorded by the sandbox. Depth is shown by indentation; each entry gives the image path, the command line ("cmd:") and the signatures that fired on it. Pids are taken from the WriteProcessMemory table above where the mapping is unambiguous; the nine reg.exe children cannot be mapped to individual pids from the report.

C:\Users\Admin\AppData\Local\Temp\8888888.exe  (pid 2536)
  cmd: "C:\Users\Admin\AppData\Local\Temp\8888888.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses

  C:\Users\Admin\AppData\Local\Temp\8888888.exe  (pid 420)
    cmd: C:\Users\Admin\AppData\Local\Temp\8888888.exe /C
    - Suspicious behavior: EnumeratesProcesses
    - Checks SCSI registry key(s)

  C:\Users\Admin\AppData\Roaming\Microsoft\Aijhihi\cvskw.exe  (pid 1636)
    cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Aijhihi\cvskw.exe
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - Suspicious behavior: MapViewOfSection
    - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Roaming\Microsoft\Aijhihi\cvskw.exe  (pid 2772)
      cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Aijhihi\cvskw.exe /C
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Checks SCSI registry key(s)

    C:\Windows\SysWOW64\explorer.exe  (pid 3876)
      cmd: C:\Windows\SysWOW64\explorer.exe
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\schtasks.exe  (pid 1732)
    cmd: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn dtvghing /tr "\"C:\Users\Admin\AppData\Local\Temp\8888888.exe\" /I dtvghing" /SC ONCE /Z /ST 17:36 /ET 17:48
    - Creates scheduled task(s)
    (a one-shot task that relaunches the dropper as SYSTEM; /Z removes the task once it has run)

C:\Users\Admin\AppData\Local\Temp\8888888.exe  (pid 3912, launched by the scheduled task as NT AUTHORITY\SYSTEM)
  cmd: C:\Users\Admin\AppData\Local\Temp\8888888.exe /I dtvghing
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses

  C:\Windows\system32\reg.exe
    cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    - Windows security modification
    - Turns off Windows Defender SpyNet reporting

  C:\Windows\system32\reg.exe
    cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    - Windows security modification
    - Turns off Windows Defender SpyNet reporting

  C:\Windows\system32\reg.exe
    cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    (no signature fired: this path lacks the "Microsoft\" component used in the other calls, so the value lands under a key that is not an Antimalware setting)

  C:\Windows\system32\reg.exe
    cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    (no signature fired; same malformed path as above)

  C:\Windows\system32\reg.exe
    cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    - Windows security modification
    - Turns off Windows Defender SpyNet reporting

  C:\Windows\system32\reg.exe
    cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    - Windows security modification
    - Turns off Windows Defender SpyNet reporting

  C:\Windows\system32\reg.exe
    cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    - Windows security modification
    - Turns off Windows Defender SpyNet reporting

  C:\Windows\system32\reg.exe
    cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    - Windows security modification
    - Turns off Windows Defender SpyNet reporting

  C:\Windows\system32\reg.exe
    cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Aijhihi" /d "0"
    - Windows security bypass

  C:\Users\Admin\AppData\Roaming\Microsoft\Aijhihi\cvskw.exe  (pid 3768)
    cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Aijhihi\cvskw.exe
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Roaming\Microsoft\Aijhihi\cvskw.exe  (pid 1344)
      cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Aijhihi\cvskw.exe /C
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Checks SCSI registry key(s)

  C:\Windows\System32\cmd.exe  (pid 3148)
    cmd: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\8888888.exe"
    (after the ping delay the original dropper is overwritten with a copy of calc.exe, so the file at the submitted path no longer contains the malware; the live copy is cvskw.exe under %APPDATA%\Microsoft\Aijhihi)

    C:\Windows\system32\PING.EXE
      cmd: ping.exe -n 6 127.0.0.1
      - Runs ping.exe

  C:\Windows\system32\schtasks.exe  (pid 1132)
    cmd: "C:\Windows\system32\schtasks.exe" /DELETE /F /TN dtvghing
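The command lines in the tree above are the kind of thing an EDR or Sysmon process-creation rule should catch regardless of the sample's hash. The following detection logic is an added example, not part of the Triage report: COMMAND_LINES is a constructed sample made of command lines copied from the tree plus one benign reg.exe query as a control, the regexes are written for the argument shapes seen in this report rather than every possible encoding, and the ATT&CK identifiers are current sub-technique IDs (the report itself references the ATT&CK v6 matrix).

```python
"""Flag the defence-evasion and persistence command lines seen in the process
tree (added example; not part of the Triage report).  COMMAND_LINES is a
constructed sample: the command lines copied from the tree plus one benign
reg.exe query as a control.  The rules match the argument shapes seen in this
report, not every possible encoding of them."""
import re

COMMAND_LINES = [
    r'"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn dtvghing '
    r'/tr "\"C:\Users\Admin\AppData\Local\Temp\8888888.exe\" /I dtvghing" /SC ONCE /Z /ST 17:36 /ET 17:48',
    r'C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"',
    r'C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"',
    r'C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Aijhihi" /d "0"',
    r'"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\8888888.exe"',
    r'"C:\Windows\system32\schtasks.exe" /DELETE /F /TN dtvghing',
    # Benign control line (constructed, not from the report): must produce no hits.
    r'C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName',
]

# (rule name, ATT&CK technique, compiled pattern)
RULES = [
    # reg ADD ...\Windows Defender\SpyNet or ...\Microsoft AntiMalware\SpyNet touching the MAPS values
    ("defender_spynet_tamper", "T1562.001", re.compile(
        r'reg(?:\.exe)?\s+add\s+"?HKLM\\SOFTWARE\\(?:Wow6432Node\\)?(?:Microsoft\\)?'
        r'(?:Windows Defender|Microsoft AntiMalware)\\SpyNet"?.*?/v\s+"?'
        r'(?:SpyNetReporting|SubmitSamplesConsent)', re.I)),
    # reg ADD under Windows Defender\Exclusions\{Paths,Processes,Extensions}
    ("defender_exclusion_added", "T1562.001", re.compile(
        r'reg(?:\.exe)?\s+add\s+"?HKLM\\SOFTWARE\\(?:Wow6432Node\\)?'
        r'Microsoft\\Windows Defender\\Exclusions\\(?:Paths|Processes|Extensions)', re.I)),
    # schtasks /Create running the task as NT AUTHORITY\SYSTEM
    ("schtask_create_as_system", "T1053.005", re.compile(
        r'schtasks(?:\.exe)?"?\s+/create\b.*?/ru\s+"?NT AUTHORITY\\SYSTEM', re.I)),
    ("schtask_delete", "T1053.005", re.compile(
        r'schtasks(?:\.exe)?"?\s+/delete\b', re.I)),
    # ping-to-localhost delay chained with a "type <file> > <target.exe>" overwrite
    ("ping_delay_then_overwrite", "T1070.004", re.compile(
        r'ping(?:\.exe)?\s+-n\s+\d+\s+127\.0\.0\.1\s*&.*?\btype\b.*?>\s*"?([^"]+\.exe)', re.I)),
]
PATTERNS = {name: pat for name, _, pat in RULES}
TASK_NAME = re.compile(r'/tn\s+"?([^\s"]+)', re.I)


def classify(cmdline):
    """Return the (rule, technique) pairs a single command line matches."""
    return [(name, tech) for name, tech, pat in RULES if pat.search(cmdline)]


def triage(cmdlines):
    """Correlate hits across a process tree: task create/delete pairs and overwritten files."""
    hits, created, deleted, overwritten = {}, set(), set(), []
    for cl in cmdlines:
        matched = classify(cl)
        if not matched:
            continue
        hits[cl] = matched
        names = {n for n, _ in matched}
        task = TASK_NAME.search(cl)
        if "schtask_create_as_system" in names and task:
            created.add(task.group(1))
        if "schtask_delete" in names and task:
            deleted.add(task.group(1))
        if "ping_delay_then_overwrite" in names:
            overwritten.append(PATTERNS["ping_delay_then_overwrite"].search(cl).group(1))
    return {
        "hits": hits,
        # A task created and deleted within the same run was a one-shot launcher.
        "one_shot_tasks": sorted(created & deleted),
        "overwritten_files": overwritten,
        "techniques": sorted({t for m in hits.values() for _, t in m}),
    }


if __name__ == "__main__":
    result = triage(COMMAND_LINES)
    for cl, matched in result["hits"].items():
        print(", ".join(f"{n} ({t})" for n, t in matched), "<-", cl[:80])
    print("one-shot tasks:", result["one_shot_tasks"])
    print("overwritten:", result["overwritten_files"])
```

The correlation step is what turns six isolated alerts into a story: a task created as SYSTEM and deleted in the same run, Defender telemetry and sampling switched off, a drop directory excluded from scanning, and the original file replaced with calc.exe. Any one of these can occur in legitimate administration; all of them within one process tree, parented by an executable in %TEMP%, should not.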
Downloads

Dropped files
  C:\Users\Admin\AppData\Roaming\Microsoft\Aijhihi\cvskw.dat
  C:\Users\Admin\AppData\Roaming\Microsoft\Aijhihi\cvskw.exe  (listed five times in the report; same path)

Memory dumps
  memory/420-0-0x0000000002800000-0x0000000002801000-memory.dmp    4KB
  memory/1344-9-0x0000000002880000-0x0000000002881000-memory.dmp   4KB
  memory/1636-5-0x0000000002190000-0x00000000021CA000-memory.dmp   232KB
  memory/2772-4-0x00000000026B0000-0x00000000026B1000-memory.dmp   4KB