Analysis
-
max time kernel: 13s
max time network: 48s
platform: windows7_x64
resource: win7v20210410
submitted: 04-05-2021 22:53
Behavioral task
behavioral1
Sample
9bd7c1b2024ee082afd9878639fe42f6284f4a83d2bb18469afec7ae51d92b36.exe
Resource
win7v20210410
General
-
Target
9bd7c1b2024ee082afd9878639fe42f6284f4a83d2bb18469afec7ae51d92b36.exe
-
Size
2.0MB
-
MD5
63e2a229ae8372ee1566103f9eb971be
-
SHA1
621056045539271d9ea3f2e442cfbbbb091228aa
-
SHA256
9bd7c1b2024ee082afd9878639fe42f6284f4a83d2bb18469afec7ae51d92b36
-
SHA512
8842a82f674c431f2ce8ce625e956fd093c03189dd7d2940810df2fa46ae77390edf52d924626f4f479dc450225c44645e2e029980813b125ef82db59b0feff3
Malware Config
Extracted
qakbot
324.136
spx112
1588678797
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes (pid / process):
  2004  9bd7c1b2024ee082afd9878639fe42f6284f4a83d2bb18469afec7ae51d92b36.exe
  1696  9bd7c1b2024ee082afd9878639fe42f6284f4a83d2bb18469afec7ae51d92b36.exe
  1696  9bd7c1b2024ee082afd9878639fe42f6284f4a83d2bb18469afec7ae51d92b36.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes (description / pid / process / target process):
  PID 2004 wrote to memory of 1696  2004  9bd7c1b2024ee082afd9878639fe42f6284f4a83d2bb18469afec7ae51d92b36.exe  9bd7c1b2024ee082afd9878639fe42f6284f4a83d2bb18469afec7ae51d92b36.exe
  PID 2004 wrote to memory of 1696  2004  9bd7c1b2024ee082afd9878639fe42f6284f4a83d2bb18469afec7ae51d92b36.exe  9bd7c1b2024ee082afd9878639fe42f6284f4a83d2bb18469afec7ae51d92b36.exe
  PID 2004 wrote to memory of 1696  2004  9bd7c1b2024ee082afd9878639fe42f6284f4a83d2bb18469afec7ae51d92b36.exe  9bd7c1b2024ee082afd9878639fe42f6284f4a83d2bb18469afec7ae51d92b36.exe
  PID 2004 wrote to memory of 1696  2004  9bd7c1b2024ee082afd9878639fe42f6284f4a83d2bb18469afec7ae51d92b36.exe  9bd7c1b2024ee082afd9878639fe42f6284f4a83d2bb18469afec7ae51d92b36.exe
  PID 2004 wrote to memory of 1088  2004  9bd7c1b2024ee082afd9878639fe42f6284f4a83d2bb18469afec7ae51d92b36.exe  cmd.exe
  PID 2004 wrote to memory of 1088  2004  9bd7c1b2024ee082afd9878639fe42f6284f4a83d2bb18469afec7ae51d92b36.exe  cmd.exe
  PID 2004 wrote to memory of 1088  2004  9bd7c1b2024ee082afd9878639fe42f6284f4a83d2bb18469afec7ae51d92b36.exe  cmd.exe
  PID 2004 wrote to memory of 1088  2004  9bd7c1b2024ee082afd9878639fe42f6284f4a83d2bb18469afec7ae51d92b36.exe  cmd.exe
  PID 1088 wrote to memory of 1900  1088  cmd.exe  PING.EXE
  PID 1088 wrote to memory of 1900  1088  cmd.exe  PING.EXE
  PID 1088 wrote to memory of 1900  1088  cmd.exe  PING.EXE
  PID 1088 wrote to memory of 1900  1088  cmd.exe  PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\9bd7c1b2024ee082afd9878639fe42f6284f4a83d2bb18469afec7ae51d92b36.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\9bd7c1b2024ee082afd9878639fe42f6284f4a83d2bb18469afec7ae51d92b36.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9bd7c1b2024ee082afd9878639fe42f6284f4a83d2bb18469afec7ae51d92b36.exe (depth 2)
Command line: C:\Users\Admin\AppData\Local\Temp\9bd7c1b2024ee082afd9878639fe42f6284f4a83d2bb18469afec7ae51d92b36.exe /C
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe (depth 2)
Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\9bd7c1b2024ee082afd9878639fe42f6284f4a83d2bb18469afec7ae51d92b36.exe"
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXE (depth 3)
Command line: ping.exe -n 6 127.0.0.1
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/1088-67-0x0000000000000000-mapping.dmp
-
memory/1696-63-0x0000000000000000-mapping.dmp
-
memory/1696-66-0x0000000000400000-0x0000000000600000-memory.dmp
Filesize: 2.0MB
-
memory/1900-68-0x0000000000000000-mapping.dmp
-
memory/2004-60-0x00000000765F1000-0x00000000765F3000-memory.dmp
Filesize: 8KB
-
memory/2004-62-0x0000000000400000-0x0000000000600000-memory.dmp
Filesize: 2.0MB
-
memory/2004-61-0x0000000000230000-0x0000000000267000-memory.dmp
Filesize: 220KB