Resubmissions
28-12-2022 20:37
221228-zea5taef5v 1013-07-2021 12:27
210713-cvc55ag4yn 1025-02-2021 06:56
210225-dwftz9jkjn 1004-11-2019 11:15
191104-athqk1tjxn 10Analysis
-
max time kernel
18s -
max time network
18s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
13-07-2021 12:27
Static task
static1
Behavioral task
behavioral1
Sample
update2.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
update2.exe
Resource
win10v20210408
General
-
Target
update2.exe
-
Size
746KB
-
MD5
0bfb4a1efbb20a7291fcc022dec7d58b
-
SHA1
faec2a0afe296224f980ac059cf63f18eba800ce
-
SHA256
73ae67036a0d291c18208037010de359520cd613dda2f9eabfde3fec5558324f
-
SHA512
eae0e585ef29f56f27da897783ec582b228124437a6355cfd7b56be229558913dfd87d3005482c0fe54ba8f5e79fb1d50f869bd0e619b0ca7318ac055c62b425
Malware Config
Extracted
qakbot
323.91
1572863946
Protocol: ftp- Host:
192.185.5.208 - Port:
21 - Username:
[email protected] - Password:
NxdkxAp4dUsY
Protocol: ftp- Host:
162.241.218.118 - Port:
21 - Username:
[email protected] - Password:
EcOV0DyGVgVN
Protocol: ftp- Host:
69.89.31.139 - Port:
21 - Username:
[email protected] - Password:
fcR7OvyLrMW6!
Protocol: ftp- Host:
169.207.67.14 - Port:
21 - Username:
[email protected] - Password:
eQyicNLzzqPN
112.171.126.153:443
67.200.146.98:2222
174.16.234.171:993
71.30.56.170:443
71.77.231.251:443
72.213.98.233:443
2.50.170.151:443
184.180.157.203:2222
96.35.170.82:2222
64.19.74.29:995
104.32.185.213:2222
104.3.91.20:995
173.22.120.11:2222
173.3.132.17:995
74.194.4.181:443
75.131.72.82:443
68.238.144.55:443
100.4.185.8:443
104.34.122.18:443
65.30.12.240:443
24.201.68.105:2087
32.208.1.239:443
168.245.228.71:443
47.153.115.154:995
24.201.68.105:2078
23.240.185.215:443
72.47.115.182:443
187.163.139.200:993
75.81.25.223:995
5.182.39.156:443
75.130.117.134:443
73.145.189.17:443
181.47.60.21:995
72.29.181.77:2083
81.147.42.195:2222
68.238.56.27:443
116.72.208.166:2222
78.94.55.26:50003
50.246.229.50:443
98.186.90.192:995
185.219.83.73:443
108.45.183.59:443
66.214.75.176:443
67.10.18.112:993
184.74.101.234:995
107.12.140.181:443
172.78.45.13:995
50.78.93.74:995
67.246.16.250:995
47.148.143.146:443
67.5.33.229:2078
47.23.101.26:993
12.5.37.3:995
24.30.71.200:443
72.29.181.77:2078
65.16.241.150:443
190.120.196.18:443
182.56.27.125:995
71.93.60.90:443
72.46.151.196:995
137.25.72.175:443
196.194.76.68:2222
76.116.128.81:443
105.246.75.20:995
197.89.140.129:995
62.0.67.88:995
190.217.1.149:443
188.52.115.139:443
47.180.66.10:443
107.12.131.249:443
75.142.59.167:443
181.94.163.26:443
98.186.155.8:443
61.98.155.61:443
47.202.98.230:443
2.50.41.185:443
217.162.149.212:443
75.110.90.155:443
166.62.180.194:2078
62.103.70.217:995
108.227.161.27:443
47.146.169.85:443
181.126.80.118:443
12.5.37.3:443
162.244.225.30:443
174.130.203.235:443
205.250.79.62:443
162.244.224.166:443
104.235.94.7:443
106.51.0.228:443
123.252.128.47:443
96.59.11.86:443
174.131.181.120:995
207.162.184.228:443
76.80.66.226:443
173.178.129.3:443
47.23.101.26:465
206.51.202.106:50002
201.152.111.120:995
75.131.72.82:995
174.48.72.160:443
75.70.218.193:443
12.176.32.146:443
68.174.15.223:443
199.126.92.231:995
173.178.129.3:990
72.16.212.107:995
200.104.249.67:443
207.179.194.91:443
75.110.250.89:443
108.160.123.244:443
50.247.230.33:443
47.214.144.253:443
99.228.242.183:995
72.142.106.198:465
73.226.220.56:443
45.37.57.119:2222
67.214.201.117:2222
173.247.186.90:443
98.148.177.77:443
111.125.70.30:2222
80.14.209.42:2222
2.177.101.143:443
67.160.63.127:443
70.185.229.3:443
184.191.62.78:443
47.155.19.205:443
88.111.255.235:2222
75.110.219.10:443
76.169.19.193:443
116.58.100.130:443
173.91.254.236:443
72.132.145.25:443
73.137.187.150:443
24.180.7.155:443
75.165.132.69:443
71.197.126.250:443
75.165.162.33:443
65.189.49.227:443
100.38.164.182:443
36.236.235.213:443
76.174.122.204:443
70.180.100.156:443
75.174.33.205:443
174.82.131.155:995
200.104.40.85:443
172.116.85.178:443
75.182.115.93:443
24.42.250.18:443
179.36.62.217:443
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 1252 umvur.exe 2096 umvur.exe -
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc update2.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service update2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 umvur.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc umvur.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc umvur.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service umvur.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 update2.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc update2.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service update2.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service umvur.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 umvur.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 update2.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2152 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 532 update2.exe 532 update2.exe 2848 update2.exe 2848 update2.exe 2848 update2.exe 2848 update2.exe 1252 umvur.exe 1252 umvur.exe 2096 umvur.exe 2096 umvur.exe 2096 umvur.exe 2096 umvur.exe 3920 explorer.exe 3920 explorer.exe 3920 explorer.exe 3920 explorer.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1252 umvur.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 532 wrote to memory of 2848 532 update2.exe 75 PID 532 wrote to memory of 2848 532 update2.exe 75 PID 532 wrote to memory of 2848 532 update2.exe 75 PID 532 wrote to memory of 1252 532 update2.exe 78 PID 532 wrote to memory of 1252 532 update2.exe 78 PID 532 wrote to memory of 1252 532 update2.exe 78 PID 532 wrote to memory of 2152 532 update2.exe 79 PID 532 wrote to memory of 2152 532 update2.exe 79 PID 532 wrote to memory of 2152 532 update2.exe 79 PID 1252 wrote to memory of 2096 1252 umvur.exe 81 PID 1252 wrote to memory of 2096 1252 umvur.exe 81 PID 1252 wrote to memory of 2096 1252 umvur.exe 81 PID 1252 wrote to memory of 3920 1252 umvur.exe 83 PID 1252 wrote to memory of 3920 1252 umvur.exe 83 PID 1252 wrote to memory of 3920 1252 umvur.exe 83 PID 1252 wrote to memory of 3920 1252 umvur.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\update2.exe"C:\Users\Admin\AppData\Local\Temp\update2.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:532 -
C:\Users\Admin\AppData\Local\Temp\update2.exeC:\Users\Admin\AppData\Local\Temp\update2.exe /C2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:2848
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Fbanaruzwge\umvur.exeC:\Users\Admin\AppData\Roaming\Microsoft\Fbanaruzwge\umvur.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Users\Admin\AppData\Roaming\Microsoft\Fbanaruzwge\umvur.exeC:\Users\Admin\AppData\Roaming\Microsoft\Fbanaruzwge\umvur.exe /C3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:2096
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3920
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn jzyymajt /tr "\"C:\Users\Admin\AppData\Local\Temp\update2.exe\" /I jzyymajt" /SC ONCE /Z /ST 14:34 /ET 14:462⤵
- Creates scheduled task(s)
PID:2152
-