Analysis

- max time kernel: 42s
- max time network: 17s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 07-05-2021 12:27
Static task: static1

Behavioral tasks (task: sample, resource):
- behavioral1: 005cdb34748048c41a3c57ba7358986d.exe, win7v20210410
- behavioral2: 005cdb34748048c41a3c57ba7358986d.exe, win10v20210408
- behavioral3: 3f0879776f937dbb75e02826b39e09c0.exe, win7v20210410
- behavioral4: 3f0879776f937dbb75e02826b39e09c0.exe, win10v20210408
- behavioral5: 4568b57ad46502fe4740a6ec3282a874.exe, win7v20210410
- behavioral6: 4568b57ad46502fe4740a6ec3282a874.exe, win10v20210410
- behavioral7: 5aa990d7864b3bd6c80718c7e86e00ba.exe, win7v20210408 (the task shown on this page)
- behavioral8: 5aa990d7864b3bd6c80718c7e86e00ba.exe, win10v20210410
- behavioral9: 5d60ef2d7cb084878cdcccd63b4df50b.exe, win7v20210408
- behavioral10: 5d60ef2d7cb084878cdcccd63b4df50b.exe, win10v20210410
- behavioral11: 83b15f14e171cce96ab3fdea915c388a.exe, win7v20210408
- behavioral12: 83b15f14e171cce96ab3fdea915c388a.exe, win10v20210410
- behavioral13: 8edc802c274f3fd64be9aa5557b7ca79.exe, win7v20210410
- behavioral14: 8edc802c274f3fd64be9aa5557b7ca79.exe, win10v20210408
- behavioral15: ae95189f757df558e743ff2e0701f3dc.exe, win7v20210410
- behavioral16: ae95189f757df558e743ff2e0701f3dc.exe, win10v20210408
- behavioral17: d92312b6a956d0d1da70c007068965f8.exe, win7v20210410
- behavioral18: d92312b6a956d0d1da70c007068965f8.exe, win10v20210408
- behavioral19: e166035566a91e406ce66656be68012c.exe, win7v20210410
General

- Target: 5aa990d7864b3bd6c80718c7e86e00ba.exe
- Size: 4.0MB
- MD5: 5aa990d7864b3bd6c80718c7e86e00ba
- SHA1: 862091d41bb5ecbba19b9d657811254e322a4825
- SHA256: 88d89e9a3eb88b44e9109185f880eccc5ecb2ed1df906db25677e18ebaff1f47
- SHA512: 0055808e6d742825edc96114fa91162b0d068de859b1d98f30a480f43f380e93a3a0ddc1ae19b4958a7be6a365b632d4ed81b2725992934b8fdf3bedcf99ddc1
Malware Config

Extracted family: qakbot
- Version: 325.43
- Botnet: domain01
- Campaign: 1597161528 (a Unix timestamp, 2020-08-11 15:58:48 UTC)
- C2 list (IP:port; mostly residential addresses on 443/995/2222, i.e. infected hosts acting as proxies, so block by address rather than by port):
96.227.127.13:443
197.37.252.37:993
95.221.48.169:2222
72.190.101.70:443
47.39.76.74:443
207.255.18.67:443
108.46.145.30:443
142.117.109.129:2222
176.205.255.97:443
2.89.74.34:995
98.219.77.197:443
75.110.250.89:995
47.28.131.209:443
47.18.252.135:2222
66.30.92.147:443
188.51.3.210:995
83.110.92.29:443
68.225.56.31:443
189.183.72.138:995
98.121.187.78:443
93.113.177.152:443
108.30.125.94:443
5.193.178.241:2078
24.139.132.70:443
24.71.28.247:443
151.73.127.65:443
193.248.44.2:2222
2.89.74.34:21
79.118.187.79:443
85.186.233.237:443
66.222.88.126:995
197.210.96.222:995
95.76.109.181:443
208.93.202.49:443
98.110.231.63:443
76.111.128.194:443
71.192.44.92:443
207.255.161.8:993
47.153.115.154:995
172.78.30.215:443
200.124.231.21:443
47.146.32.175:443
12.5.37.3:995
144.139.47.206:443
165.228.200.94:443
216.201.162.158:443
24.46.40.189:2222
50.244.112.10:995
95.77.144.238:443
41.228.218.242:443
109.154.214.242:2222
24.201.79.208:2078
41.36.55.195:995
78.100.229.44:61201
96.20.108.17:2222
68.174.15.223:443
173.173.72.199:443
115.21.224.117:443
70.95.118.217:443
24.116.227.63:443
70.164.39.91:443
24.234.86.201:995
201.216.216.245:443
5.15.65.198:2222
24.122.228.88:443
186.82.157.66:443
99.240.226.2:443
100.4.173.223:443
95.77.223.148:443
185.19.190.81:443
67.170.137.8:443
134.0.196.46:995
71.163.224.206:443
24.37.178.158:443
65.96.36.157:443
81.133.234.36:2222
73.60.148.209:443
187.200.218.244:443
178.222.12.162:995
89.47.110.5:443
189.231.196.216:443
103.238.231.40:443
69.123.179.70:443
35.134.202.234:443
35.209.218.146:443
174.80.7.235:443
45.32.155.12:443
174.82.131.155:995
86.127.149.136:443
189.130.26.216:443
189.223.67.205:443
45.32.154.10:443
66.26.160.37:443
104.235.94.155:443
2.89.74.34:20
71.220.191.200:443
72.142.106.198:995
2.51.240.61:995
73.227.232.166:443
72.28.255.159:995
141.158.47.123:443
172.87.134.226:443
24.204.155.208:443
39.118.245.6:443
71.187.170.235:443
188.15.173.34:995
72.240.200.181:2222
166.62.180.194:2078
98.243.187.85:443
50.244.112.106:443
189.140.55.226:443
188.26.11.29:2222
210.195.174.114:443
200.84.244.33:2078
185.246.9.69:995
209.59.86.206:20
206.51.202.106:50003
5.12.114.55:443
68.116.193.239:443
173.26.189.151:443
102.190.213.116:443
78.100.192.173:443
209.182.122.217:443
68.134.181.98:443
5.13.73.44:443
189.210.114.157:443
179.14.167.91:443
89.137.215.100:443
149.71.49.39:443
85.122.141.42:995
100.37.36.240:443
77.27.173.8:995
75.137.239.211:443
213.120.109.73:2222
76.170.77.99:995
98.173.34.212:995
73.140.88.255:443
73.228.1.246:443
96.234.20.230:443
70.126.76.75:443
70.123.92.175:2222
92.59.35.196:2222
99.231.221.117:443
151.205.102.42:443
5.13.102.138:995
71.182.142.63:443
81.103.144.77:443
47.44.217.98:443
134.228.24.29:443
73.137.184.213:443
Signatures

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the sandbox's generic description for the signature; the extracted config identifies the family as Qakbot, a banking trojan and loader, not ransomware.)
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid 2004  5aa990d7864b3bd6c80718c7e86e00ba.exe
  pid 296   5aa990d7864b3bd6c80718c7e86e00ba.exe
  pid 296   5aa990d7864b3bd6c80718c7e86e00ba.exe
- Suspicious use of WriteProcessMemory (12 IoCs; each pair was recorded four times)
  PID 2004 (5aa990d7864b3bd6c80718c7e86e00ba.exe) wrote to memory of PID 296 (5aa990d7864b3bd6c80718c7e86e00ba.exe)
  PID 2004 (5aa990d7864b3bd6c80718c7e86e00ba.exe) wrote to memory of PID 368 (cmd.exe)
  PID 368 (cmd.exe) wrote to memory of PID 552 (PING.EXE)
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\5aa990d7864b3bd6c80718c7e86e00ba.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5aa990d7864b3bd6c80718c7e86e00ba.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Users\Admin\AppData\Local\Temp\5aa990d7864b3bd6c80718c7e86e00ba.exe
    command line: C:\Users\Admin\AppData\Local\Temp\5aa990d7864b3bd6c80718c7e86e00ba.exe /C
    - Suspicious behavior: EnumeratesProcesses

  (depth 2) C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\5aa990d7864b3bd6c80718c7e86e00ba.exe"
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\SysWOW64\PING.EXE
      command line: ping.exe -n 6 127.0.0.1
      - Runs ping.exe

The cmd.exe line is the sample's clean-up step: six pings to 127.0.0.1 stall for roughly five seconds while the parent exits and releases its file lock, then `type` copies calc.exe over the dropper in %TEMP%. The file left on disk at that path is therefore a benign calc.exe, not the original payload; the 4.0MB image dump and the 496KB private-memory dump listed under Downloads are where the unpacked code should be looked for. The sample also re-launches its own image with a /C argument before doing so.
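The overwrite trick in the process tree above is easy to catch on process-creation telemetry. The following Python is an added example, not part of the sandbox report or the Qakbot sample: it runs over a few constructed Sysmon-style process-creation events (two of them reproduce the report's tree, the last one is a benign decoy) and flags a cmd.exe child that uses a loopback ping as a delay and then `type`s a file over an executable, marking the case where the target is the parent's own image, plus any process that re-launches its own image as the `/C` child does here. The event field names (pid, ppid, image, parent_image, cmdline) and the events themselves are assumptions.

```python
"""Detect the ping-delay + `type <file> > <own image>` self-overwrite and the
self-respawn seen in the process tree. Added example; events are constructed."""
import re

EXEC_EXTS = (".exe", ".dll", ".scr", ".com")

# strips a leading  "C:\...\cmd.exe" /c  (or /k) so only the payload commands remain
CMD_PREFIX = re.compile(r'^\s*(?:"[^"]*cmd(?:\.exe)?"|\S*cmd(?:\.exe)?)\s+/[ck]\s+', re.I)
# ping / ping.exe aimed at the loopback address: the usual sleep substitute in cmd.exe
PING_LOOPBACK = re.compile(r"\bping(?:\.exe)?\b.*?(?:127\.0\.0\.1|localhost)(?!\d)", re.I)
# type <src> > <dst>, either side optionally double-quoted (also matches >> appends)
TYPE_REDIRECT = re.compile(r'^type\s+"?(?P<src>[^">]+?)"?\s*>>?\s*"?(?P<dst>[^"]+?)"?\s*$', re.I)


def split_commands(cmdline):
    """Split a cmd.exe command line on unquoted '&' / '&&' separators."""
    parts, buf, in_quote, i = [], [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            in_quote = not in_quote
        if ch == "&" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
            if i + 1 < len(cmdline) and cmdline[i + 1] == "&":
                i += 1  # '&&' is one separator
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def detect_self_overwrite(ev):
    """Finding if cmd.exe redirects a file over its parent's image, or over any
    executable after a loopback-ping delay; None otherwise."""
    if not ev["image"].lower().endswith("cmd.exe"):
        return None
    cmds = split_commands(CMD_PREFIX.sub("", ev["cmdline"], count=1))
    delayed = any(PING_LOOPBACK.search(c) for c in cmds)
    parent = ev.get("parent_image", "").lower()
    for c in cmds:
        m = TYPE_REDIRECT.match(c)
        if not m:
            continue
        src, dst = m.group("src").strip(), m.group("dst").strip()
        hits_parent = dst.lower() == parent
        if hits_parent or (delayed and dst.lower().endswith(EXEC_EXTS)):
            return {"rule": "self_overwrite", "pid": ev["pid"], "ppid": ev["ppid"],
                    "source": src, "target": dst,
                    "overwrites_parent": hits_parent, "ping_delay": delayed}
    return None


def detect_self_respawn(ev):
    """Finding if a process launches a new copy of its own image (the /C child above)."""
    if ev["image"].lower() == ev.get("parent_image", "").lower():
        return {"rule": "self_respawn", "pid": ev["pid"], "ppid": ev["ppid"],
                "cmdline": ev["cmdline"]}
    return None


def hunt(events):
    """Apply both detections to a list of process-creation events, in order."""
    findings = []
    for ev in events:
        for rule in (detect_self_overwrite, detect_self_respawn):
            f = rule(ev)
            if f:
                findings.append(f)
    return findings


# Constructed events mirroring the report's tree, plus one benign decoy (pid 700).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5aa990d7864b3bd6c80718c7e86e00ba.exe"
EVENTS = [
    {"pid": 2004, "ppid": 1234, "image": SAMPLE, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": f'"{SAMPLE}"'},
    {"pid": 296, "ppid": 2004, "image": SAMPLE, "parent_image": SAMPLE,
     "cmdline": f"{SAMPLE} /C"},
    {"pid": 368, "ppid": 2004, "image": r"C:\Windows\SysWOW64\cmd.exe", "parent_image": SAMPLE,
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type '
                r'"C:\Windows\System32\calc.exe" > "' + SAMPLE + '"'},
    {"pid": 552, "ppid": 368, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "parent_image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "ping.exe -n 6 127.0.0.1"},
    {"pid": 700, "ppid": 1234, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping -n 3 127.0.0.1 > nul & type C:\Temp\a.txt > C:\Temp\b.txt'},
]

if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

Only pids 296 (self-respawn) and 368 (self-overwrite, target equals the parent's image, ping delay present) are flagged; the decoy's ping plus text-file redirect is ignored because nothing executable is written. In a real pipeline the same two functions would be fed from Sysmon event ID 1 or equivalent EDR process-creation records.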
Network: no data captured in this extract
MITRE ATT&CK Matrix (ATT&CK v6): no data captured in this extract
Downloads (memory dumps)

- memory/296-63-0x0000000000000000-mapping.dmp
- memory/368-67-0x0000000000000000-mapping.dmp
- memory/552-68-0x0000000000000000-mapping.dmp
- memory/2004-60-0x0000000075B31000-0x0000000075B33000-memory.dmp (8KB)
- memory/2004-62-0x0000000000400000-0x0000000000800000-memory.dmp (4.0MB, the sample's mapped image)
- memory/2004-61-0x0000000000220000-0x000000000029C000-memory.dmp (496KB)