Analysis
-
max time kernel: 122s
max time network: 124s
platform: windows7_x64
resource: win7v20210410
submitted: 04-05-2021 20:33
Behavioral task: behavioral1
Sample: 41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe
Resource: win7v20210410
General
-
Target: 41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe
-
Size: 2.0MB
-
MD5: 4d5c6e47b8955c4a773e9d2b4d979210
-
SHA1: 5a97d356ccac35bde3d1640db02bdd7dc42fbd2d
-
SHA256: 41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08
-
SHA512: c296de09bc613b75888d32fc6f472f3ecddaec1428118fecfa001232710ad396fd550f79d7e248616c64aac5508f036f957497d2e806fa4a24e59ac67d232d26
Malware Config
Extracted
qakbot
324.136
spx113
1588679102
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
pid process
1040 41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe
1272 41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe
1272 41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process
PID 1040 wrote to memory of 1272 | 1040 | 41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe | 41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe
PID 1040 wrote to memory of 1272 | 1040 | 41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe | 41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe
PID 1040 wrote to memory of 1272 | 1040 | 41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe | 41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe
PID 1040 wrote to memory of 1272 | 1040 | 41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe | 41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe
PID 1040 wrote to memory of 1648 | 1040 | 41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe | cmd.exe
PID 1040 wrote to memory of 1648 | 1040 | 41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe | cmd.exe
PID 1040 wrote to memory of 1648 | 1040 | 41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe | cmd.exe
PID 1040 wrote to memory of 1648 | 1040 | 41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe | cmd.exe
PID 1648 wrote to memory of 1060 | 1648 | cmd.exe | PING.EXE
PID 1648 wrote to memory of 1060 | 1648 | cmd.exe | PING.EXE
PID 1648 wrote to memory of 1060 | 1648 | cmd.exe | PING.EXE
PID 1648 wrote to memory of 1060 | 1648 | cmd.exe | PING.EXE
Processes
-
Path: C:\Users\Admin\AppData\Local\Temp\41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe"
Tree level: 1
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
Path: C:\Users\Admin\AppData\Local\Temp\41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe
Command line: C:\Users\Admin\AppData\Local\Temp\41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe /C
Tree level: 2
- Suspicious behavior: EnumeratesProcesses
-
Path: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe"
Tree level: 2
- Suspicious use of WriteProcessMemory
-
Path: C:\Windows\SysWOW64\PING.EXE
Command line: ping.exe -n 6 127.0.0.1
Tree level: 3
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/1040-59-0x0000000074F31000-0x0000000074F33000-memory.dmp (Filesize: 8KB)
-
memory/1040-60-0x0000000000600000-0x0000000000637000-memory.dmp (Filesize: 220KB)
-
memory/1040-61-0x0000000000400000-0x0000000000600000-memory.dmp (Filesize: 2.0MB)
-
memory/1060-67-0x0000000000000000-mapping.dmp
-
memory/1272-62-0x0000000000000000-mapping.dmp
-
memory/1272-65-0x0000000000400000-0x0000000000600000-memory.dmp (Filesize: 2.0MB)
-
memory/1648-66-0x0000000000000000-mapping.dmp