Analysis
-
max time kernel
122s -
max time network
121s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
23-11-2020 14:39
Static task
static1
General
-
Target
hlsyro.exe
-
Size
1.0MB
-
MD5
5ba4e87c65ca68df74d9b04f0c1c914d
-
SHA1
97f6dd6b6c79e2552ab773893fe0762532f7aa7b
-
SHA256
5182762d20edf7e1d4f4ef56f19efeb6ecdbad6ca41c352f3bec47b584b0683c
-
SHA512
ad096ad947c42c713d43251fca278fc66d4f247dabe5fcae963c45c09d321e1cc7bdad01ef29fdab121dddb9533663492633f57f72c42cf91e536efba07ae9a3
Malware Config
Extracted
qakbot
notset
1604404534
Protocol: ftp- Host:
192.185.5.208 - Port:
21 - Username:
logger@dustinkeeling.com - Password:
NxdkxAp4dUsY
Protocol: ftp- Host:
162.241.218.118 - Port:
21 - Username:
logger@misterexterior.com - Password:
EcOV0DyGVgVN
Protocol: ftp- Host:
69.89.31.139 - Port:
21 - Username:
cpanel@vivekharris-architects.com - Password:
fcR7OvyLrMW6!
Protocol: ftp- Host:
169.207.67.14 - Port:
21 - Username:
cpanel@dovetailsolar.com - Password:
eQyicNLzzqPN
67.6.55.77:443
89.136.39.108:443
2.50.58.76:443
188.25.158.61:443
45.63.107.192:995
45.32.154.10:443
94.52.160.116:443
45.63.107.192:2222
45.63.107.192:443
72.204.242.138:465
84.117.176.32:443
95.77.223.148:443
47.146.39.147:443
41.225.13.128:8443
80.14.209.42:2222
190.220.8.10:995
66.76.105.194:443
105.101.69.242:443
89.33.87.107:443
75.136.40.155:443
78.97.3.6:443
108.46.145.30:443
68.134.181.98:443
85.121.42.12:995
75.87.161.32:995
68.174.15.223:443
149.28.99.97:995
199.247.16.80:443
45.32.155.12:443
149.28.99.97:2222
149.28.99.97:443
70.168.130.172:995
93.86.252.177:995
50.244.112.10:995
59.99.36.238:443
185.246.9.69:995
208.99.100.129:443
41.97.25.63:443
72.186.1.237:443
59.99.36.241:443
45.32.155.12:2222
96.30.198.161:443
140.82.27.132:443
45.32.165.134:443
45.63.104.123:443
207.246.70.216:443
97.118.38.31:993
134.228.24.29:443
188.25.24.21:2222
2.89.17.127:995
72.82.15.220:443
174.62.13.151:443
120.150.60.189:995
80.195.103.146:2222
142.129.227.86:443
89.137.221.232:443
98.26.50.62:995
74.129.26.119:443
146.199.132.233:2222
77.27.174.49:995
172.114.116.226:995
95.179.247.224:443
189.231.189.64:443
45.32.155.12:995
45.32.162.253:443
199.247.22.145:443
35.134.202.234:443
184.98.97.227:995
85.122.141.42:995
89.137.211.239:443
72.16.56.171:443
72.28.255.159:995
47.44.217.98:443
189.183.206.170:995
64.185.5.157:443
202.141.244.118:995
72.209.191.27:443
86.122.18.250:443
141.158.47.123:443
203.198.96.164:443
173.245.152.231:443
95.77.144.238:443
41.228.227.124:443
67.78.151.218:2222
84.232.238.30:443
188.27.32.167:443
173.3.17.223:995
201.215.96.174:0
69.11.247.242:443
87.65.204.240:995
207.246.75.201:443
217.162.149.212:443
45.77.193.83:443
80.240.26.178:443
98.16.204.189:995
173.90.33.182:2222
103.206.112.234:443
72.36.59.46:2222
190.220.8.10:443
86.98.89.245:2222
39.36.35.237:995
217.165.96.127:990
151.73.112.197:443
79.113.119.125:443
2.50.110.49:2078
72.66.47.70:443
93.113.177.152:443
103.238.231.35:443
78.97.207.104:443
156.213.227.208:443
71.163.223.253:443
108.31.15.10:995
184.21.136.237:443
184.179.14.130:22
81.133.234.36:2222
74.75.216.202:443
2.51.247.69:995
96.243.35.201:443
46.53.16.93:443
217.165.2.92:995
37.106.7.143:443
203.106.195.67:443
172.91.19.192:443
2.7.202.106:2222
78.96.199.79:443
184.55.32.182:443
24.205.42.241:443
103.76.160.110:443
188.121.219.88:2222
79.113.208.68:443
85.204.189.105:443
50.96.234.132:995
31.5.21.66:443
66.215.32.224:443
81.97.154.100:443
47.185.140.236:80
108.30.125.94:443
188.247.252.243:443
69.47.26.41:443
74.195.88.59:443
95.76.27.6:443
68.46.142.48:995
73.200.219.143:443
173.173.1.164:443
24.40.173.134:443
173.21.10.71:2222
73.225.67.0:443
45.47.65.191:443
75.106.52.142:443
75.182.220.196:2222
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
leaeye.exeleaeye.exepid process 1588 leaeye.exe 432 leaeye.exe -
Loads dropped DLL 2 IoCs
Processes:
hlsyro.exepid process 1068 hlsyro.exe 1068 hlsyro.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
hlsyro.exehlsyro.exeleaeye.exeleaeye.exeexplorer.exehlsyro.exepid process 1068 hlsyro.exe 1572 hlsyro.exe 1572 hlsyro.exe 1588 leaeye.exe 432 leaeye.exe 432 leaeye.exe 572 explorer.exe 572 explorer.exe 928 hlsyro.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
leaeye.exepid process 1588 leaeye.exe -
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
hlsyro.exeleaeye.exetaskeng.exedescription pid process target process PID 1068 wrote to memory of 1572 1068 hlsyro.exe hlsyro.exe PID 1068 wrote to memory of 1572 1068 hlsyro.exe hlsyro.exe PID 1068 wrote to memory of 1572 1068 hlsyro.exe hlsyro.exe PID 1068 wrote to memory of 1572 1068 hlsyro.exe hlsyro.exe PID 1068 wrote to memory of 1588 1068 hlsyro.exe leaeye.exe PID 1068 wrote to memory of 1588 1068 hlsyro.exe leaeye.exe PID 1068 wrote to memory of 1588 1068 hlsyro.exe leaeye.exe PID 1068 wrote to memory of 1588 1068 hlsyro.exe leaeye.exe PID 1068 wrote to memory of 1652 1068 hlsyro.exe schtasks.exe PID 1068 wrote to memory of 1652 1068 hlsyro.exe schtasks.exe PID 1068 wrote to memory of 1652 1068 hlsyro.exe schtasks.exe PID 1068 wrote to memory of 1652 1068 hlsyro.exe schtasks.exe PID 1588 wrote to memory of 432 1588 leaeye.exe leaeye.exe PID 1588 wrote to memory of 432 1588 leaeye.exe leaeye.exe PID 1588 wrote to memory of 432 1588 leaeye.exe leaeye.exe PID 1588 wrote to memory of 432 1588 leaeye.exe leaeye.exe PID 1588 wrote to memory of 572 1588 leaeye.exe explorer.exe PID 1588 wrote to memory of 572 1588 leaeye.exe explorer.exe PID 1588 wrote to memory of 572 1588 leaeye.exe explorer.exe PID 1588 wrote to memory of 572 1588 leaeye.exe explorer.exe PID 1588 wrote to memory of 572 1588 leaeye.exe explorer.exe PID 1308 wrote to memory of 928 1308 taskeng.exe hlsyro.exe PID 1308 wrote to memory of 928 1308 taskeng.exe hlsyro.exe PID 1308 wrote to memory of 928 1308 taskeng.exe hlsyro.exe PID 1308 wrote to memory of 928 1308 taskeng.exe hlsyro.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\hlsyro.exe"C:\Users\Admin\AppData\Local\Temp\hlsyro.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\hlsyro.exeC:\Users\Admin\AppData\Local\Temp\hlsyro.exe /C2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\Microsoft\Iyhpveej\leaeye.exeC:\Users\Admin\AppData\Roaming\Microsoft\Iyhpveej\leaeye.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Iyhpveej\leaeye.exeC:\Users\Admin\AppData\Roaming\Microsoft\Iyhpveej\leaeye.exe /C3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn nhyxqom /tr "\"C:\Users\Admin\AppData\Local\Temp\hlsyro.exe\" /I nhyxqom" /SC ONCE /Z /ST 14:38 /ET 14:502⤵
- Creates scheduled task(s)
-
C:\Windows\system32\taskeng.exetaskeng.exe {4D381985-E6AC-461E-A3C4-D047ABDDC5C1} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\hlsyro.exeC:\Users\Admin\AppData\Local\Temp\hlsyro.exe /I nhyxqom2⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Iyhpveej\leaeye.datMD5
1baf990dcfc7303217eae8237610a2ea
SHA11830862d31423610c2b182b9d27a9c688bdd78ca
SHA25618192d022cf723b68d673ef73e4043dba98275d78028b15d3e331e15d2c332b8
SHA5122c0bed55568149167a4a9aabe7762cf8fcd12db191933c5507587550f11cf3da591c1e05ddd09bb1f7285a356d41782def61616a9a3eceddbd7707d14cf4c282
-
C:\Users\Admin\AppData\Roaming\Microsoft\Iyhpveej\leaeye.exeMD5
5ba4e87c65ca68df74d9b04f0c1c914d
SHA197f6dd6b6c79e2552ab773893fe0762532f7aa7b
SHA2565182762d20edf7e1d4f4ef56f19efeb6ecdbad6ca41c352f3bec47b584b0683c
SHA512ad096ad947c42c713d43251fca278fc66d4f247dabe5fcae963c45c09d321e1cc7bdad01ef29fdab121dddb9533663492633f57f72c42cf91e536efba07ae9a3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Iyhpveej\leaeye.exeMD5
5ba4e87c65ca68df74d9b04f0c1c914d
SHA197f6dd6b6c79e2552ab773893fe0762532f7aa7b
SHA2565182762d20edf7e1d4f4ef56f19efeb6ecdbad6ca41c352f3bec47b584b0683c
SHA512ad096ad947c42c713d43251fca278fc66d4f247dabe5fcae963c45c09d321e1cc7bdad01ef29fdab121dddb9533663492633f57f72c42cf91e536efba07ae9a3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Iyhpveej\leaeye.exeMD5
5ba4e87c65ca68df74d9b04f0c1c914d
SHA197f6dd6b6c79e2552ab773893fe0762532f7aa7b
SHA2565182762d20edf7e1d4f4ef56f19efeb6ecdbad6ca41c352f3bec47b584b0683c
SHA512ad096ad947c42c713d43251fca278fc66d4f247dabe5fcae963c45c09d321e1cc7bdad01ef29fdab121dddb9533663492633f57f72c42cf91e536efba07ae9a3
-
\??\PIPE\wkssvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Roaming\Microsoft\Iyhpveej\leaeye.exeMD5
5ba4e87c65ca68df74d9b04f0c1c914d
SHA197f6dd6b6c79e2552ab773893fe0762532f7aa7b
SHA2565182762d20edf7e1d4f4ef56f19efeb6ecdbad6ca41c352f3bec47b584b0683c
SHA512ad096ad947c42c713d43251fca278fc66d4f247dabe5fcae963c45c09d321e1cc7bdad01ef29fdab121dddb9533663492633f57f72c42cf91e536efba07ae9a3
-
\Users\Admin\AppData\Roaming\Microsoft\Iyhpveej\leaeye.exeMD5
5ba4e87c65ca68df74d9b04f0c1c914d
SHA197f6dd6b6c79e2552ab773893fe0762532f7aa7b
SHA2565182762d20edf7e1d4f4ef56f19efeb6ecdbad6ca41c352f3bec47b584b0683c
SHA512ad096ad947c42c713d43251fca278fc66d4f247dabe5fcae963c45c09d321e1cc7bdad01ef29fdab121dddb9533663492633f57f72c42cf91e536efba07ae9a3
-
memory/432-8-0x0000000000000000-mapping.dmp
-
memory/432-11-0x0000000002490000-0x00000000024A1000-memory.dmpFilesize
68KB
-
memory/572-13-0x0000000000000000-mapping.dmp
-
memory/928-15-0x0000000000000000-mapping.dmp
-
memory/1572-0-0x0000000000000000-mapping.dmp
-
memory/1572-1-0x00000000024E0000-0x00000000024F1000-memory.dmpFilesize
68KB
-
memory/1588-4-0x0000000000000000-mapping.dmp
-
memory/1588-12-0x00000000003B0000-0x00000000003EA000-memory.dmpFilesize
232KB
-
memory/1652-6-0x0000000000000000-mapping.dmp