Analysis
- max time kernel: 118s
- max time network: 117s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 23-11-2020 14:39
- Static task: static1
General
- Target: tckkfl.exe
- Size: 1.0MB
- MD5: 124615ed2006110918b2de48e4122315
- SHA1: 4539552b63d1cab0492c8cdde93dbcffb13c5e43
- SHA256: 1a1a29fe0eac483a8290145a50aa875873cc51bf7928667b6f5f33a64b5f8cef
- SHA512: 238eb6615138cddcabf2141d40627718f3f618b080d789b573cb698f3651d07eb681af34850f2179526bdafd544136f0882bbda902cb6c7ac865378adaa31cb9
Malware Config
Extracted: qakbot
- notset
- 1604404534 (a Unix timestamp: 2020-11-03 11:55:34 UTC)

FTP credentials embedded in the config (protocol host:port, username / password):
- ftp 192.185.5.208:21, logger@dustinkeeling.com / NxdkxAp4dUsY
- ftp 162.241.218.118:21, logger@misterexterior.com / EcOV0DyGVgVN
- ftp 69.89.31.139:21, cpanel@vivekharris-architects.com / fcR7OvyLrMW6!
- ftp 169.207.67.14:21, cpanel@dovetailsolar.com / eQyicNLzzqPN

The usernames are hosting (cPanel) accounts on named third-party domains, so when blocking or reporting these hosts treat them as probably compromised sites rather than attacker-owned infrastructure.
C2 list (ip:port, as extracted):
67.6.55.77:443
89.136.39.108:443
2.50.58.76:443
188.25.158.61:443
45.63.107.192:995
45.32.154.10:443
94.52.160.116:443
45.63.107.192:2222
45.63.107.192:443
72.204.242.138:465
84.117.176.32:443
95.77.223.148:443
47.146.39.147:443
41.225.13.128:8443
80.14.209.42:2222
190.220.8.10:995
66.76.105.194:443
105.101.69.242:443
89.33.87.107:443
75.136.40.155:443
78.97.3.6:443
108.46.145.30:443
68.134.181.98:443
85.121.42.12:995
75.87.161.32:995
68.174.15.223:443
149.28.99.97:995
199.247.16.80:443
45.32.155.12:443
149.28.99.97:2222
149.28.99.97:443
70.168.130.172:995
93.86.252.177:995
50.244.112.10:995
59.99.36.238:443
185.246.9.69:995
208.99.100.129:443
41.97.25.63:443
72.186.1.237:443
59.99.36.241:443
45.32.155.12:2222
96.30.198.161:443
140.82.27.132:443
45.32.165.134:443
45.63.104.123:443
207.246.70.216:443
97.118.38.31:993
134.228.24.29:443
188.25.24.21:2222
2.89.17.127:995
72.82.15.220:443
174.62.13.151:443
120.150.60.189:995
80.195.103.146:2222
142.129.227.86:443
89.137.221.232:443
98.26.50.62:995
74.129.26.119:443
146.199.132.233:2222
77.27.174.49:995
172.114.116.226:995
95.179.247.224:443
189.231.189.64:443
45.32.155.12:995
45.32.162.253:443
199.247.22.145:443
35.134.202.234:443
184.98.97.227:995
85.122.141.42:995
89.137.211.239:443
72.16.56.171:443
72.28.255.159:995
47.44.217.98:443
189.183.206.170:995
64.185.5.157:443
202.141.244.118:995
72.209.191.27:443
86.122.18.250:443
141.158.47.123:443
203.198.96.164:443
173.245.152.231:443
95.77.144.238:443
41.228.227.124:443
67.78.151.218:2222
84.232.238.30:443
188.27.32.167:443
173.3.17.223:995
201.215.96.174:0
69.11.247.242:443
87.65.204.240:995
207.246.75.201:443
217.162.149.212:443
45.77.193.83:443
80.240.26.178:443
98.16.204.189:995
173.90.33.182:2222
103.206.112.234:443
72.36.59.46:2222
190.220.8.10:443
86.98.89.245:2222
39.36.35.237:995
217.165.96.127:990
151.73.112.197:443
79.113.119.125:443
2.50.110.49:2078
72.66.47.70:443
93.113.177.152:443
103.238.231.35:443
78.97.207.104:443
156.213.227.208:443
71.163.223.253:443
108.31.15.10:995
184.21.136.237:443
184.179.14.130:22
81.133.234.36:2222
74.75.216.202:443
2.51.247.69:995
96.243.35.201:443
46.53.16.93:443
217.165.2.92:995
37.106.7.143:443
203.106.195.67:443
172.91.19.192:443
2.7.202.106:2222
78.96.199.79:443
184.55.32.182:443
24.205.42.241:443
103.76.160.110:443
188.121.219.88:2222
79.113.208.68:443
85.204.189.105:443
50.96.234.132:995
31.5.21.66:443
66.215.32.224:443
81.97.154.100:443
47.185.140.236:80
108.30.125.94:443
188.247.252.243:443
69.47.26.41:443
74.195.88.59:443
95.76.27.6:443
68.46.142.48:995
73.200.219.143:443
173.173.1.164:443
24.40.173.134:443
173.21.10.71:2222
73.225.67.0:443
45.47.65.191:443
75.106.52.142:443
75.182.220.196:2222
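The C2 list above is only useful once it is normalised: several hosts appear on three ports (45.63.107.192, 45.32.155.12 and 149.28.99.97 on 443, 995 and 2222), and 201.215.96.174:0 cannot be connected to at all. The script below is an added example written for this report, not Triage output or Qakbot code. It parses ip:port lines, rejects anything that is not a valid IPv4:port pair instead of silently dropping it, deduplicates, groups ports by host and emits Suricata rules for the usable entries. The embedded sample is a handful of lines copied from the list above plus two constructed malformed lines; the sid range and rule message are assumptions.

```python
"""Normalise a sandbox-extracted C2 list into blocklist material.

Added example for this report (not Triage output, not Qakbot code). SAMPLE_C2
is a handful of ip:port lines copied from the report, one duplicate, and two
deliberately malformed lines so the rejection path is exercised.
"""
import ipaddress
from collections import Counter, defaultdict

SAMPLE_C2 = """\
67.6.55.77:443
45.63.107.192:995
45.63.107.192:2222
45.63.107.192:443
201.215.96.174:0
184.179.14.130:22
47.185.140.236:80
2.50.110.49:2078
45.63.107.192:443
not-a-host:443
10.0.0.1:70000
"""


def parse_c2(text):
    """Return (entries, rejected).

    entries: unique (ip, port) tuples in first-seen order.
    rejected: raw lines that are not a valid IPv4:port pair, kept so a
    blocklist build can fail loudly instead of quietly losing indicators.
    """
    entries, rejected, seen = [], [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        host, sep, port_s = line.rpartition(":")
        try:
            ip = str(ipaddress.IPv4Address(host))  # raises on anything that is not IPv4
            port = int(port_s)
            if not sep or not 0 <= port <= 65535:
                raise ValueError(line)
        except ValueError:  # AddressValueError is a ValueError subclass
            rejected.append(line)
            continue
        if (ip, port) not in seen:
            seen.add((ip, port))
            entries.append((ip, port))
    return entries, rejected


def group_by_host(entries):
    """Map each IP to the sorted list of ports it is contacted on."""
    by_host = defaultdict(list)
    for ip, port in entries:
        by_host[ip].append(port)
    return {ip: sorted(ports) for ip, ports in by_host.items()}


def port_histogram(entries):
    """Count entries per port; shows which ports dominate this config."""
    return Counter(port for _, port in entries)


def unreachable(entries):
    """Entries with port 0: syntactically present but never a connect target."""
    return [(ip, port) for ip, port in entries if port == 0]


def unique_ips(entries):
    """Deduplicated host list for an IP-only blocklist, numerically sorted."""
    return sorted({ip for ip, _ in entries}, key=ipaddress.IPv4Address)


def to_suricata(entries, sid_base, msg="Qakbot C2"):
    """One alert rule per usable ip:port; port-0 entries are skipped."""
    rules = []
    for n, (ip, port) in enumerate(e for e in entries if e[1] != 0):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"{msg} {ip}:{port}"; flow:to_server; '
            f'sid:{sid_base + n}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    entries, rejected = parse_c2(SAMPLE_C2)
    print(f"{len(entries)} entries, {len(rejected)} rejected: {rejected}")
    print("ports:", dict(port_histogram(entries)))
    print("unreachable:", unreachable(entries))
    for ip, ports in group_by_host(entries).items():
        print(f"  {ip}: {ports}")
    print("\n".join(to_suricata(entries, 9000000)))
```

Feeding the full 150-line list through the same functions gives the per-port breakdown and the per-host grouping a firewall or IDS change needs; the rejected list should be empty for a clean extraction, so a non-empty one is a signal that the copy of the config was mangled.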
Signatures
-
Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  1660  geychiw.exe
  1704  geychiw.exe
-
Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  2028  tckkfl.exe
  2028  tckkfl.exe
-
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses (9 IoCs)
Processes:
  pid   process
  2028  tckkfl.exe
  1728  tckkfl.exe
  1728  tckkfl.exe
  1660  geychiw.exe
  1704  geychiw.exe
  1704  geychiw.exe
  240   explorer.exe
  240   explorer.exe
  1920  tckkfl.exe
-
Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
  pid   process
  1660  geychiw.exe
-
Suspicious use of WriteProcessMemory (25 IoCs)
Processes (source pid/process wrote to memory of target pid/process, number of IoC records):
  2028 tckkfl.exe   -> 1728 tckkfl.exe    (4)
  2028 tckkfl.exe   -> 1660 geychiw.exe   (4)
  2028 tckkfl.exe   -> 1932 schtasks.exe  (4)
  1660 geychiw.exe  -> 1704 geychiw.exe   (4)
  1660 geychiw.exe  -> 240 explorer.exe   (5)
  1464 taskeng.exe  -> 1920 tckkfl.exe    (4)
Processes
-
1  C:\Users\Admin\AppData\Local\Temp\tckkfl.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\tckkfl.exe"
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2  C:\Users\Admin\AppData\Local\Temp\tckkfl.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tckkfl.exe /C
      - Suspicious behavior: EnumeratesProcesses
   2  C:\Users\Admin\AppData\Roaming\Microsoft\Aadxeceile\geychiw.exe
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Aadxeceile\geychiw.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3  C:\Users\Admin\AppData\Roaming\Microsoft\Aadxeceile\geychiw.exe
         Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Aadxeceile\geychiw.exe /C
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
      3  C:\Windows\SysWOW64\explorer.exe
         Command line: C:\Windows\SysWOW64\explorer.exe
         - Suspicious behavior: EnumeratesProcesses
   2  C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn fvhkpbjxly /tr "\"C:\Users\Admin\AppData\Local\Temp\tckkfl.exe\" /I fvhkpbjxly" /SC ONCE /Z /ST 14:45 /ET 14:57
      - Creates scheduled task(s)
1  C:\Windows\system32\taskeng.exe
   Command line: taskeng.exe {C5DB33EE-7E1A-4FEC-B301-43F5E85CB54A} S-1-5-18:NT AUTHORITY\System:Service:
   - Suspicious use of WriteProcessMemory
   2  C:\Users\Admin\AppData\Local\Temp\tckkfl.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tckkfl.exe /I fvhkpbjxly
      - Suspicious behavior: EnumeratesProcesses

Reading the tree together with the signatures: the sample (2028) copies itself to %APPDATA%\Microsoft\Aadxeceile\geychiw.exe (the Downloads section shows identical hashes for both files) and starts the copy; each instance spawns a second copy of itself with /C. The %APPDATA% copy (1660) then launches a 32-bit explorer.exe from SysWOW64, writes into it (five WriteProcessMemory records plus MapViewOfSection), and from that point explorer.exe (240) shows the same process enumeration as the malware, which is consistent with the payload running inside explorer.exe. The image path C:\Windows\SysWOW64\schtasks.exe against a command line naming system32 shows file-system redirection, so the sample is a 32-bit process on this x64 host. The task it registers runs the Temp copy once as NT AUTHORITY\SYSTEM between 14:45 and 14:57 and, because of /Z, is deleted after its end time; taskeng.exe running as S-1-5-18 did launch it (pid 1920, argument /I fvhkpbjxly echoing the task name), so the artifact to hunt for is the task-creation event rather than a surviving task.
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Aadxeceile\geychiw.dat
  MD5:    f20696ab98cdcdf3232b2c8a179b9fef
  SHA1:   08eef9538e195599b624b2f6ba1645fba59d04e1
  SHA256: 04cd691bebf7b55df9c60ab2789c28ccb45f53a3536fd0927ee9c89bae8d6c98
  SHA512: f0c503ca84185e7052fb482170642eb582b5e1a63aff74500ad8988b4193ca3cc95acaf0a161976ded312c0d26e75a362402afaffc67527f7928a463c34e2a35
-
C:\Users\Admin\AppData\Roaming\Microsoft\Aadxeceile\geychiw.exe (the report lists this file five times, three under C:\Users\... and two under \Users\...; all entries carry the same hashes)
  MD5:    124615ed2006110918b2de48e4122315
  SHA1:   4539552b63d1cab0492c8cdde93dbcffb13c5e43
  SHA256: 1a1a29fe0eac483a8290145a50aa875873cc51bf7928667b6f5f33a64b5f8cef
  SHA512: 238eb6615138cddcabf2141d40627718f3f618b080d789b573cb698f3651d07eb681af34850f2179526bdafd544136f0882bbda902cb6c7ac865378adaa31cb9
  All four hashes match the submitted tckkfl.exe, so the file in %APPDATA%\Microsoft\Aadxeceile\ is a byte-for-byte copy of the sample rather than a second-stage download; only geychiw.dat is a new artifact.
-
memory/240-12-0x0000000000000000-mapping.dmp
-
memory/1660-11-0x00000000003C0000-0x00000000003FA000-memory.dmpFilesize
232KB
-
memory/1660-4-0x0000000000000000-mapping.dmp
-
memory/1704-8-0x0000000000000000-mapping.dmp
-
memory/1704-10-0x0000000002610000-0x0000000002621000-memory.dmpFilesize
68KB
-
memory/1728-0-0x0000000000000000-mapping.dmp
-
memory/1728-1-0x0000000002630000-0x0000000002641000-memory.dmpFilesize
68KB
-
memory/1920-14-0x0000000000000000-mapping.dmp
-
memory/1932-6-0x0000000000000000-mapping.dmp