Analysis
max time kernel: 117s
max time network: 112s
platform: windows10_x64
resource: win10v20201028
submitted: 12-02-2021 18:18

Static task: static1
Behavioral task: behavioral1
Sample: f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9.exe
Resource: win7v20201028
Behavioral task: behavioral2
Sample: f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9.exe
Resource: win10v20201028

General
Target: f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9.exe
Size: 265KB
MD5: ca1b3d2be61f764fd4685d9662a9d051
SHA1: 921e6730b0fdaeab9313d1dfbbb0c006b4506233
SHA256: f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9
SHA512: 2bdf6dd8f1129ee7af38cb05aef73c9f6416a73e94ec5efd7371f209378fef8123aace642151b3550fa74e6f331799c69e353df82b6af4e5f795f97f43ab5885
Malware Config
Extracted
qakbot
tr01
1604404428
Signatures

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\gdzpoz = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Ucfwyduamhir\\qitrz.exe\"" | f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9.exe
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc | f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service | f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc | f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service | f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9.exe
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9.exe, f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9.exe, f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9.exe
pid | process
1160 | f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9.exe
1160 | f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9.exe
2740 | f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9.exe
2740 | f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9.exe
2740 | f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9.exe
2740 | f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9.exe
3340 | f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9.exe
3340 | f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9.exe
description | pid | process | target process
PID 1160 wrote to memory of 2740 | 1160 | f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9.exe | f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9.exe
PID 1160 wrote to memory of 2740 | 1160 | f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9.exe | f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9.exe
PID 1160 wrote to memory of 2740 | 1160 | f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9.exe | f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9.exe
PID 1160 wrote to memory of 2248 | 1160 | f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9.exe | schtasks.exe
PID 1160 wrote to memory of 2248 | 1160 | f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9.exe | schtasks.exe
PID 1160 wrote to memory of 2248 | 1160 | f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9.exe | schtasks.exe
Processes

C:\Users\Admin\AppData\Local\Temp\f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1160

    C:\Users\Admin\AppData\Local\Temp\f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9.exe
      command line: C:\Users\Admin\AppData\Local\Temp\f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9.exe /C
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      PID: 2740

    C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn zntldxztb /tr "\"C:\Users\Admin\AppData\Local\Temp\f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9.exe\" /I zntldxztb" /SC ONCE /Z /ST 19:17 /ET 19:29
      - Creates scheduled task(s)
      PID: 2248

C:\Users\Admin\AppData\Local\Temp\f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9.exe
  command line: C:\Users\Admin\AppData\Local\Temp\f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9.exe /I zntldxztb
  - Suspicious behavior: EnumeratesProcesses
  PID: 3340