Analysis

max time kernel: 117s
max time network: 125s
platform: windows7_x64
resource: win7-en-20211208
submitted: 01-02-2022 02:47

Static task: static1

Behavioral task: behavioral1
Sample: eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe
Resource: win10v2004-en-20220112

General

Target: eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe
Size: 502KB
MD5: 98ae6e7fbcd391e42a2a36b7bd53f99e
SHA1: 9bf453f13814727bb17a3fe2e33de9886c059135
SHA256: eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa
SHA512: ff23798583f689fc0a94409ef9fa87447e26f39570a32df2c02cb390ef2828269f9b6bf2a46fb0a8a0f809344d2955a0143ce3776d852282ab8c85b385e4f89e
Malware Config

Extracted
qakbot
322.731
hhh07
1552409511

Protocol: ftp - Host: 192.185.5.208 - Port: 21 - Username: logger@dustinkeeling.com - Password: NxdkxAp4dUsY
Protocol: ftp - Host: 162.241.218.118 - Port: 21 - Username: logger@misterexterior.com - Password: EcOV0DyGVgVN
Protocol: ftp - Host: 69.89.31.139 - Port: 21 - Username: cpanel@vivekharris-architects.com - Password: fcR7OvyLrMW6!
Protocol: ftp - Host: 169.207.67.14 - Port: 21 - Username: cpanel@dovetailsolar.com - Password: eQyicNLzzqPN
Signatures

Suspicious use of SetThreadContext (2 IoCs)
Processes:
  description                          | pid | process
  PID 788 set thread context of 0      | 788 | eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe
  PID 520 set thread context of 0      | 520 | eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
  pid | process
  788 | eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe
  520 | eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe
  520 | eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                       | pid  | process                                                                | target process
  PID 788 wrote to memory of 520    | 788  | eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe  | eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe
  PID 788 wrote to memory of 520    | 788  | eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe  | eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe
  PID 788 wrote to memory of 520    | 788  | eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe  | eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe
  PID 788 wrote to memory of 520    | 788  | eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe  | eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe
  PID 788 wrote to memory of 1344   | 788  | eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe  | cmd.exe
  PID 788 wrote to memory of 1344   | 788  | eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe  | cmd.exe
  PID 788 wrote to memory of 1344   | 788  | eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe  | cmd.exe
  PID 788 wrote to memory of 1344   | 788  | eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe  | cmd.exe
  PID 1344 wrote to memory of 676   | 1344 | cmd.exe                                                                | PING.EXE
  PID 1344 wrote to memory of 676   | 1344 | cmd.exe                                                                | PING.EXE
  PID 1344 wrote to memory of 676   | 1344 | cmd.exe                                                                | PING.EXE
  PID 1344 wrote to memory of 676   | 1344 | cmd.exe                                                                | PING.EXE
Processes

1. C:\Users\Admin\AppData\Local\Temp\eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe /C
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe"
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping.exe -n 6 127.0.0.1
         - Runs ping.exe