Analysis
max time kernel: 18s
max time network: 9s
platform: windows7_x64
resource: win7v20210408
submitted: 09-05-2021 21:53

Behavioral task: behavioral1
Sample: e7018ba6ad1b8c97bc751a38cb6c22a653b1a0aa297d245595b46fcd3b9d6bee.exe
Resource: win7v20210408

General
Target: e7018ba6ad1b8c97bc751a38cb6c22a653b1a0aa297d245595b46fcd3b9d6bee.exe
Size: 2.0MB
MD5: e5f6b6dc4a63393415468b905c321a52
SHA1: cc557a945047ba52718ee59cc50049ca7ff9cacc
SHA256: e7018ba6ad1b8c97bc751a38cb6c22a653b1a0aa297d245595b46fcd3b9d6bee
SHA512: 0f63d9895cc302ece902b875636642d287953a85aac34fd837529672102e7f7f3683f8cc3e30dcc2ae8300ab82f88857f21c432dad7dd4fee8ec16b423b23a98
Malware Config
Extracted: qakbot
Version: 324.136
Botnet: spx112
Campaign: 1588678797 (Unix timestamp, 2020-05-05 11:39:57 UTC)
C2 (ip:port):
81.133.234.36:2222
31.5.21.66:443
41.233.43.51:995
96.37.113.36:443
86.233.4.153:2222
98.118.156.172:443
89.34.214.130:443
79.116.237.126:443
72.16.212.107:465
72.36.59.46:2222
5.74.188.119:995
67.209.195.198:3389
98.32.60.217:443
24.46.40.189:2222
77.159.149.74:443
174.30.24.61:443
98.115.138.61:443
189.159.82.203:995
108.21.54.174:443
81.103.144.77:443
116.202.36.62:21
71.187.170.235:443
216.201.162.158:443
73.226.220.56:443
75.87.161.32:995
216.163.4.91:443
24.110.96.149:443
172.78.87.180:443
121.122.68.145:443
75.110.250.89:443
98.22.234.245:443
24.228.7.174:443
46.214.86.217:443
71.213.29.14:995
209.182.121.133:2222
96.227.122.123:443
51.223.115.34:443
109.177.170.150:443
72.240.124.46:443
173.3.132.17:995
207.255.161.8:443
79.113.219.75:443
41.228.220.8:443
107.5.252.194:443
47.205.231.60:443
216.152.7.12:443
72.204.242.138:465
97.96.51.117:443
70.57.15.187:993
76.15.41.32:443
108.54.103.234:443
71.163.225.75:443
24.90.160.91:443
31.5.189.71:443
64.19.74.29:995
68.46.142.48:443
63.230.2.205:2083
188.25.163.53:443
178.137.232.136:443
94.53.113.43:443
45.46.175.21:443
79.127.76.238:995
172.87.134.226:443
24.55.152.50:995
107.2.148.99:443
24.226.137.154:443
67.141.143.110:443
108.183.200.239:443
72.204.242.138:32102
58.108.188.231:443
47.202.98.230:443
76.170.77.99:443
72.183.129.56:443
67.170.137.8:443
72.204.242.138:20
81.245.66.237:995
72.204.242.138:80
72.204.242.138:2087
94.52.124.226:443
199.241.223.66:443
24.184.5.251:2222
178.193.33.121:2222
200.75.197.193:443
98.219.77.197:443
97.127.144.203:2222
73.210.114.187:443
89.34.231.30:443
184.21.151.81:995
5.193.175.12:2078
74.90.76.128:2222
86.124.111.91:443
188.25.223.107:2222
173.173.68.41:443
75.183.171.155:3389
50.108.212.180:443
108.227.161.27:995
207.255.161.8:32103
59.96.167.242:443
47.155.19.205:443
2.190.226.125:443
39.36.135.113:995
203.33.139.134:443
47.180.66.10:443
49.191.9.180:995
72.209.191.27:443
70.62.160.186:6883
136.228.103.44:443
72.204.242.138:443
96.57.42.130:443
50.247.230.33:995
67.131.59.17:443
83.25.18.252:2222
71.29.180.113:22
24.201.79.208:2078
72.190.101.70:443
50.244.112.10:443
203.213.104.25:995
50.246.229.50:443
50.104.186.71:443
137.99.224.198:443
47.232.26.181:443
72.45.14.185:443
74.96.151.6:443
173.172.205.216:443
208.126.142.17:443
76.187.8.160:443
76.173.145.112:443
72.204.242.138:6881
184.98.104.7:995
94.176.128.176:443
73.137.187.150:443
95.77.204.208:443
201.146.188.44:443
5.182.39.156:443
47.214.144.253:443
47.146.169.85:443
64.121.114.87:443
71.193.126.206:443
75.161.36.21:2222
47.40.244.237:443
96.244.227.176:443
78.97.145.242:443
203.198.96.218:443
84.117.176.32:443
74.215.201.51:443
70.174.3.241:443
184.180.157.203:2222
71.220.191.200:443
73.163.242.114:443
39.32.171.83:993
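The C2 list above is only useful once it is parsed, validated and turned into something a sensor can consume. The following is an added example, not code from the report or from Tria.ge: it takes an excerpt of the list (a constructed subset of the entries above plus two malformed lines), drops anything that is not a public ip:port pair, groups ports per host (72.204.242.138 and 207.255.161.8 appear on several ports in the full list), converts the campaign timestamp, and emits one Suricata alert rule per entry. The SID range and the Qakbot botnet name in the rule message are assumptions.

```python
"""Turn the extracted Qakbot config above (version, botnet, campaign timestamp, ip:port list) into IOCs."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Excerpt of the C2 list in the report (constructed subset of the 150 entries, plus two
# deliberately malformed lines to show the parser skipping them).
C2_EXCERPT = """\
81.133.234.36:2222
31.5.21.66:443
41.233.43.51:995
116.202.36.62:21
72.204.242.138:465
72.204.242.138:32102
72.204.242.138:20
72.204.242.138:80
72.204.242.138:2087
72.204.242.138:443
72.204.242.138:6881
207.255.161.8:443
207.255.161.8:32103
not-an-ip:443
10.0.0.1:443
"""
CAMPAIGN_TS = 1588678797   # the bare integer under "Extracted / qakbot" in the report


def parse_c2(text):
    """Parse 'ip:port' lines into (ip, port) tuples; silently drop anything malformed,
    private or loopback so a bad config line never ends up in a blocklist."""
    entries = []
    for raw in text.splitlines():
        host, sep, port_s = raw.strip().rpartition(":")
        if not sep:
            continue
        try:
            ip = ipaddress.ip_address(host)
            port = int(port_s)
        except ValueError:
            continue
        if not 0 < port < 65536 or not ip.is_global:
            continue
        entries.append((str(ip), port))
    return entries


def group_by_ip(entries):
    """Sorted list of ports per host; a host listed on many ports stands out at a glance."""
    by_ip = defaultdict(set)
    for ip, port in entries:
        by_ip[ip].add(port)
    return {ip: sorted(ports) for ip, ports in by_ip.items()}


def port_histogram(entries):
    """How many C2 entries use each port (443/995/2222 dominate in the full list)."""
    hist = defaultdict(int)
    for _, port in entries:
        hist[port] += 1
    return dict(hist)


def campaign_time(ts=CAMPAIGN_TS):
    """The campaign field is a Unix timestamp; return it as an aware UTC datetime."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def suricata_rules(entries, botnet="spx112", sid_base=9000000):
    """One alert rule per unique ip:port (sid_base is an assumed local SID range)."""
    rules = []
    for i, (ip, port) in enumerate(sorted(set(entries))):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"Qakbot {botnet} C2 {ip}:{port}"; flow:to_server; sid:{sid_base + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    c2 = parse_c2(C2_EXCERPT)
    print(len(c2), "entries; campaign", campaign_time().isoformat())
    for ip, ports in group_by_ip(c2).items():
        print(ip, ports)
    print("\n".join(suricata_rules(c2)))
```

Run it against the full list by pasting the 150 lines into C2_EXCERPT. The private-address filter matters in practice: a sandbox that extracted a corrupted config once would otherwise hand you a rule that blocks your own network.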
Signatures

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(This is the sandbox's generic description for the signature; nothing else in this report shows encryption activity.)

Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid   process
112   e7018ba6ad1b8c97bc751a38cb6c22a653b1a0aa297d245595b46fcd3b9d6bee.exe
1288  e7018ba6ad1b8c97bc751a38cb6c22a653b1a0aa297d245595b46fcd3b9d6bee.exe
1288  e7018ba6ad1b8c97bc751a38cb6c22a653b1a0aa297d245595b46fcd3b9d6bee.exe

Suspicious use of WriteProcessMemory (12 IoCs)
pid   process                                                                   target pid   target process
112   e7018ba6ad1b8c97bc751a38cb6c22a653b1a0aa297d245595b46fcd3b9d6bee.exe     1288         e7018ba6ad1b8c97bc751a38cb6c22a653b1a0aa297d245595b46fcd3b9d6bee.exe   (4 events)
112   e7018ba6ad1b8c97bc751a38cb6c22a653b1a0aa297d245595b46fcd3b9d6bee.exe     1224         cmd.exe   (4 events)
1224  cmd.exe                                                                   664          PING.EXE  (4 events)
Processes

1. C:\Users\Admin\AppData\Local\Temp\e7018ba6ad1b8c97bc751a38cb6c22a653b1a0aa297d245595b46fcd3b9d6bee.exe (PID 112)
   Command line: "C:\Users\Admin\AppData\Local\Temp\e7018ba6ad1b8c97bc751a38cb6c22a653b1a0aa297d245595b46fcd3b9d6bee.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\e7018ba6ad1b8c97bc751a38cb6c22a653b1a0aa297d245595b46fcd3b9d6bee.exe (PID 1288)
      Command line: C:\Users\Admin\AppData\Local\Temp\e7018ba6ad1b8c97bc751a38cb6c22a653b1a0aa297d245595b46fcd3b9d6bee.exe /C
      - Suspicious behavior: EnumeratesProcesses

   2. C:\Windows\SysWOW64\cmd.exe (PID 1224)
      Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\e7018ba6ad1b8c97bc751a38cb6c22a653b1a0aa297d245595b46fcd3b9d6bee.exe"
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE (PID 664)
         Command line: ping.exe -n 6 127.0.0.1
         - Runs ping.exe

Notes on the tree:
- The sample launches a second copy of itself with /C and writes into that child's memory (PID 112 to PID 1288 above); the child is the instance that goes on to enumerate processes.
- The cmd.exe one-liner waits for six echo requests to 127.0.0.1 (roughly five seconds) and then overwrites the sample's own file on disk with the contents of calc.exe. After that the drop location holds a copy of calc.exe, so recover the binary from the original submission or from the 2.0MB memory dumps listed below, not from disk.
- cmd.exe and PING.EXE are logged under C:\Windows\SysWOW64 although invoked via System32, which is file-system redirection: the sample is a 32-bit process running under WOW64 on this x64 guest.
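The ping-then-type one-liner above is worth a detection on its own: a cmd.exe child that redirects "type" output over the image path of its own parent, preceded by a ping to 127.0.0.1 used as a sleep. The following is an added example, not code from the report or from Tria.ge. It models process-creation events constructed from the tree above (PIDs and command lines as shown; the parent PID of PID 112 is not in the report, so 0 is used) and flags both the self-overwrite and the sample spawning its own image. Field names and the ProcEvent record are assumptions standing in for whatever your EDR or Sysmon pipeline emits.

```python
"""Flag the cmd.exe delay-and-overwrite pattern seen in the process tree above."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image path as logged (SysWOW64 for WOW64 processes)
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e7018ba6ad1b8c97bc751a38cb6c22a653b1a0aa297d245595b46fcd3b9d6bee.exe"

# Constructed from the process tree in the report (PIDs and command lines as shown there;
# the parent PID of the top-level process is not in the report, so 0 is used).
EVENTS = [
    ProcEvent(112, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1288, 112, SAMPLE, f"{SAMPLE} /C"),
    ProcEvent(1224, 112, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c ping.exe -n 6 127.0.0.1 & '
              f'type "C:\\Windows\\System32\\calc.exe" > "{SAMPLE}"'),
    ProcEvent(664, 1224, r"C:\Windows\SysWOW64\PING.EXE", "ping.exe -n 6 127.0.0.1"),
]

# "ping -n <count> 127.0.0.1" is the usual sleep substitute in batch one-liners
PING_SLEEP = re.compile(r"\bping(?:\.exe)?\s+-n\s+(\d+)\s+127\.0\.0\.1", re.I)
# "type <src> > <dst>" copies file contents over <dst> using only cmd built-ins
TYPE_REDIRECT = re.compile(r'\btype\s+"?([^"&>]+?)"?\s*>\s*"?([^"&]+?)"?\s*$', re.I)


def detect_self_overwrite(events):
    """One hit per cmd.exe whose 'type X > Y' target is the image path of its own parent."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(e.ppid)
        m = TYPE_REDIRECT.search(e.cmdline)
        if parent is None or m is None:
            continue
        src, dst = m.group(1).strip(), m.group(2).strip()
        if dst.lower() != parent.image.lower():
            continue
        sleep = PING_SLEEP.search(e.cmdline)
        hits.append({
            "cmd_pid": e.pid,
            "parent_pid": parent.pid,
            "overwritten": dst,
            "overwrite_source": src,
            "ping_count": int(sleep.group(1)) if sleep else None,
        })
    return hits


def detect_self_spawn(events):
    """(parent_pid, child_pid) pairs where a process launched its own image."""
    by_pid = {e.pid: e for e in events}
    return [(e.ppid, e.pid) for e in events
            if e.ppid in by_pid and by_pid[e.ppid].image.lower() == e.image.lower()]


if __name__ == "__main__":
    for hit in detect_self_overwrite(EVENTS):
        print(hit)
    print(detect_self_spawn(EVENTS))
```

Matching the redirect target against the parent's image path, rather than against a fixed sample name, is what keeps the rule useful across samples: the filename changes per campaign, the "replace myself with a benign binary after a short delay" behaviour does not.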
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/112-60-0x0000000075AF1000-0x0000000075AF3000-memory.dmp (8KB)
memory/112-61-0x00000000001B0000-0x00000000001E7000-memory.dmp (220KB)
memory/112-62-0x0000000000400000-0x0000000000600000-memory.dmp (2.0MB)
memory/664-68-0x0000000000000000-mapping.dmp
memory/1224-67-0x0000000000000000-mapping.dmp
memory/1288-63-0x0000000000000000-mapping.dmp
memory/1288-66-0x0000000000400000-0x0000000000600000-memory.dmp (2.0MB)

The two 2.0MB regions at 0x400000-0x600000 (PID 112 and its /C child, PID 1288) match the size of the submitted file, so they are the sample's own image mapped in both processes; the 220KB region in PID 112 is the only other sizeable allocation captured.