Analysis
  max time kernel: 23s
  max time network: 110s
  platform: windows10_x64
  resource: win10v20210408
  submitted: 04-05-2021 20:33

Behavioral task: behavioral1
  Sample: 41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe
  Resource: win7v20210410
General
  Target: 41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe
  Size: 2.0MB
  MD5: 4d5c6e47b8955c4a773e9d2b4d979210
  SHA1: 5a97d356ccac35bde3d1640db02bdd7dc42fbd2d
  SHA256: 41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08
  SHA512: c296de09bc613b75888d32fc6f472f3ecddaec1428118fecfa001232710ad396fd550f79d7e248616c64aac5508f036f957497d2e806fa4a24e59ac67d232d26
Malware Config
Extracted
  Family: qakbot
  Version: 324.136
  Botnet: spx113
  Campaign: 1588679102
  C2 (ip:port):
81.133.234.36:2222
31.5.21.66:443
41.233.43.51:995
96.37.113.36:443
86.233.4.153:2222
98.118.156.172:443
89.34.214.130:443
79.116.237.126:443
72.16.212.107:465
72.36.59.46:2222
5.74.188.119:995
67.209.195.198:3389
98.32.60.217:443
24.46.40.189:2222
77.159.149.74:443
174.30.24.61:443
98.115.138.61:443
189.159.82.203:995
108.21.54.174:443
81.103.144.77:443
116.202.36.62:21
71.187.170.235:443
216.201.162.158:443
73.226.220.56:443
75.87.161.32:995
216.163.4.91:443
24.110.96.149:443
172.78.87.180:443
121.122.68.145:443
75.110.250.89:443
98.22.234.245:443
24.228.7.174:443
46.214.86.217:443
71.213.29.14:995
209.182.121.133:2222
96.227.122.123:443
51.223.115.34:443
109.177.170.150:443
72.240.124.46:443
173.3.132.17:995
207.255.161.8:443
79.113.219.75:443
41.228.220.8:443
107.5.252.194:443
47.205.231.60:443
216.152.7.12:443
72.204.242.138:465
97.96.51.117:443
70.57.15.187:993
76.15.41.32:443
108.54.103.234:443
71.163.225.75:443
24.90.160.91:443
31.5.189.71:443
64.19.74.29:995
68.46.142.48:443
63.230.2.205:2083
188.25.163.53:443
178.137.232.136:443
94.53.113.43:443
45.46.175.21:443
79.127.76.238:995
172.87.134.226:443
24.55.152.50:995
107.2.148.99:443
24.226.137.154:443
67.141.143.110:443
108.183.200.239:443
72.204.242.138:32102
58.108.188.231:443
47.202.98.230:443
76.170.77.99:443
72.183.129.56:443
67.170.137.8:443
72.204.242.138:20
81.245.66.237:995
72.204.242.138:80
72.204.242.138:2087
94.52.124.226:443
199.241.223.66:443
24.184.5.251:2222
178.193.33.121:2222
200.75.197.193:443
98.219.77.197:443
97.127.144.203:2222
73.210.114.187:443
89.34.231.30:443
184.21.151.81:995
5.193.175.12:2078
74.90.76.128:2222
86.124.111.91:443
188.25.223.107:2222
173.173.68.41:443
75.183.171.155:3389
50.108.212.180:443
108.227.161.27:995
207.255.161.8:32103
59.96.167.242:443
47.155.19.205:443
2.190.226.125:443
39.36.135.113:995
203.33.139.134:443
47.180.66.10:443
49.191.9.180:995
72.209.191.27:443
70.62.160.186:6883
136.228.103.44:443
72.204.242.138:443
96.57.42.130:443
50.247.230.33:995
67.131.59.17:443
83.25.18.252:2222
71.29.180.113:22
24.201.79.208:2078
72.190.101.70:443
50.244.112.10:443
203.213.104.25:995
50.246.229.50:443
50.104.186.71:443
137.99.224.198:443
47.232.26.181:443
72.45.14.185:443
74.96.151.6:443
173.172.205.216:443
208.126.142.17:443
76.187.8.160:443
76.173.145.112:443
72.204.242.138:6881
184.98.104.7:995
94.176.128.176:443
73.137.187.150:443
95.77.204.208:443
201.146.188.44:443
5.182.39.156:443
47.214.144.253:443
47.146.169.85:443
64.121.114.87:443
71.193.126.206:443
75.161.36.21:2222
47.40.244.237:443
96.244.227.176:443
78.97.145.242:443
203.198.96.218:443
84.117.176.32:443
74.215.201.51:443
70.174.3.241:443
184.180.157.203:2222
71.220.191.200:443
73.163.242.114:443
39.32.171.83:993
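An added example (not part of the sandbox report or of any Qakbot tooling) that turns the extracted C2 list above into validated, de-duplicated IOCs, groups them by host, and emits Suricata alert rules. C2_SAMPLE is a subset copied from the list above plus one deliberately malformed line; the rule template, message text and SID base 9000000 are arbitrary assumptions.

```python
"""Structure the extracted Qakbot C2 list into IOCs and Suricata rules.

Added example; not code from the sandbox report. C2_SAMPLE is copied from
the Malware Config section above (a subset of the full list) with one
malformed line appended to exercise the validation path.
"""
import ipaddress
from collections import defaultdict

C2_SAMPLE = """\
81.133.234.36:2222
31.5.21.66:443
72.204.242.138:465
72.204.242.138:32102
72.204.242.138:20
72.204.242.138:80
72.204.242.138:2087
72.204.242.138:443
207.255.161.8:443
207.255.161.8:32103
31.5.21.66:443
not-an-ip:443
"""


def _key(pair):
    """Sort numerically by address, then by port (IPv4 before IPv6)."""
    ip = ipaddress.ip_address(pair[0])
    return (ip.version, int(ip), pair[1])


def parse_c2(text):
    """Return sorted, de-duplicated (ip, port) tuples; skip malformed lines.

    One IP often appears with several ports in a Qakbot config, so every
    distinct (ip, port) pair is kept; only exact repeats are dropped.
    """
    seen = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        host, _, port = line.rpartition(":")
        try:
            ip = ipaddress.ip_address(host)
            port_n = int(port)
        except ValueError:
            continue  # e.g. "not-an-ip:443"
        if not 0 < port_n < 65536:
            continue
        seen.add((str(ip), port_n))
    return sorted(seen, key=_key)


def group_by_host(pairs):
    """Map ip -> sorted list of ports, so multi-port hosts stand out."""
    hosts = defaultdict(set)
    for ip, port in pairs:
        hosts[ip].add(port)
    return {ip: sorted(ports) for ip, ports in hosts.items()}


def suricata_rules(pairs, sid_base=9000000):
    """One alert per (ip, port) on outbound TCP to a known C2 (template is an assumption)."""
    rules = []
    for n, (ip, port) in enumerate(pairs):
        rules.append(
            f"alert tcp $HOME_NET any -> {ip} {port} "
            f'(msg:"Qakbot spx113 C2 {ip}:{port}"; flow:to_server; '
            f"sid:{sid_base + n}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    pairs = parse_c2(C2_SAMPLE)
    for ip, ports in group_by_host(pairs).items():
        print(ip, ports)
    print("\n".join(suricata_rules(pairs)))
```

The per-host view is the useful one: in the full list above 72.204.242.138 appears on seven different ports (20, 80, 443, 465, 2087, 6881, 32102) and 207.255.161.8 on two, which a flat (ip, port) blocklist hides but a host-level block or a single "any port" rule would cover.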
Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: 41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe
  description         ioc
  Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000
  Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc
  Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service
  Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000
  Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc
  Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service
Runs ping.exe 1 TTPs 1 IoCs

Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: 41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe, 41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe
  pid   process
  796   41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe
  796   41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe
  200   41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe
  200   41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe
  200   41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe
  200   41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe

Suspicious use of WriteProcessMemory 9 IoCs
Processes: 41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe, cmd.exe
  description                        pid    process                                                                 target process
  PID 796 wrote to memory of 200     796    41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe   41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe
  PID 796 wrote to memory of 200     796    41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe   41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe
  PID 796 wrote to memory of 200     796    41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe   41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe
  PID 796 wrote to memory of 2224    796    41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe   cmd.exe
  PID 796 wrote to memory of 2224    796    41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe   cmd.exe
  PID 796 wrote to memory of 2224    796    41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe   cmd.exe
  PID 2224 wrote to memory of 1020   2224   cmd.exe                                                                 PING.EXE
  PID 2224 wrote to memory of 1020   2224   cmd.exe                                                                 PING.EXE
  PID 2224 wrote to memory of 1020   2224   cmd.exe                                                                 PING.EXE
Processes

1. C:\Users\Admin\AppData\Local\Temp\41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe /C
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe"
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping.exe -n 6 127.0.0.1
         - Runs ping.exe

The sample is a 32-bit process, so the cmd.exe named as System32 in the command line is resolved to SysWOW64 by file-system redirection. The ping of 127.0.0.1 with -n 6 is a delay of a few seconds; the type redirection that follows overwrites the original dropper on disk with a copy of calc.exe, so a file collected from that path after execution hashes as calc.exe and not as the MD5/SHA256 listed under General. The sample itself survives only in memory (see the memory dumps under Downloads).
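A detection over process-creation events for the two behaviours visible in the tree above: a process re-executing its own image (PID 796 spawning PID 200 with /C), and cmd.exe using a loopback ping as a delay before overwriting its parent's image with calc.exe. This is an added example, not part of the sandbox report. EVENTS is a constructed, Sysmon-style log whose first four records reproduce the command lines shown above, with one benign look-alike appended; the field names pid/ppid/image/cmdline are assumptions.

```python
"""Detect self-re-execution and delay-then-self-overwrite from process events.

Added example; not code from the sandbox report. EVENTS is a constructed
log: the records for PIDs 796, 200, 2224 and 1020 carry the command lines
from the Processes section above; PID 5000 is a benign look-alike that
uses the same "ping & type" idiom but does not target the parent's image.
"""
import ntpath
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\41e136d04c9d1ebe660489768fc2f62ba4e8c29c08f100e07ff8be703cd3ec08.exe")

EVENTS = [
    {"pid": 796, "ppid": 4000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 200, "ppid": 796, "image": SAMPLE, "cmdline": f"{SAMPLE} /C"},
    {"pid": 2224, "ppid": 796, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": ('"C:\\Windows\\System32\\cmd.exe" /c ping.exe -n 6 127.0.0.1 & '
                 f'type "C:\\Windows\\System32\\calc.exe" > "{SAMPLE}"')},
    {"pid": 1020, "ppid": 2224, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping.exe -n 6 127.0.0.1"},
    # Constructed benign look-alike (assumption): same idiom, harmless target.
    {"pid": 5000, "ppid": 796, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c ping -n 2 127.0.0.1 & type readme.txt > out.txt"},
]

# "ping -n <count> 127.0.0.1" is the usual cmd.exe stand-in for sleep.
PING_DELAY = re.compile(r"\bping(?:\.exe)?\s+-n\s+\d+\s+127\.0\.0\.1\b", re.I)
# "type <src> > <dst>" copies a file's bytes over <dst> without copy.exe.
TYPE_REDIRECT = re.compile(r'\btype\s+"?([^"&>]+?)"?\s*>\s*"?([^"&>]+?)"?\s*$', re.I)


def _same_path(a, b):
    """Case-insensitive Windows path comparison that also works off-Windows."""
    return ntpath.normcase(a.strip()) == ntpath.normcase(b.strip())


def detect(events):
    """Return sorted (rule, pid) hits.

    self_reexec:    child image path equals the parent's image path.
    self_overwrite: a cmd.exe child runs a loopback ping delay and a
                    type-redirect whose destination is the parent's image.
    """
    by_pid = {e["pid"]: e for e in events}
    hits = set()
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue  # parent not in the log; nothing to compare against
        if _same_path(e["image"], parent["image"]):
            hits.add(("self_reexec", e["pid"]))
        if ntpath.basename(e["image"]).lower() == "cmd.exe":
            m = TYPE_REDIRECT.search(e["cmdline"])
            if (m and PING_DELAY.search(e["cmdline"])
                    and _same_path(m.group(2), parent["image"])):
                hits.add(("self_overwrite", e["pid"]))
    return sorted(hits)


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

Keying the overwrite rule on the parent's image path rather than on "calc.exe" is deliberate: the source file is interchangeable, but a child process clobbering the binary its parent is running from is the anti-forensic act worth alerting on, and the benign record shows that ping-plus-type alone does not fire.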
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  memory/200-116-0x0000000000000000-mapping.dmp
  memory/200-118-0x0000000000400000-0x0000000000600000-memory.dmp   Filesize 2.0MB
  memory/200-117-0x0000000000680000-0x00000000007CA000-memory.dmp   Filesize 1.3MB
  memory/796-114-0x0000000002310000-0x0000000002347000-memory.dmp   Filesize 220KB
  memory/796-115-0x0000000000400000-0x0000000000600000-memory.dmp   Filesize 2.0MB
  memory/1020-120-0x0000000000000000-mapping.dmp
  memory/2224-119-0x0000000000000000-mapping.dmp