Analysis
- max time kernel: 122s
- max time network: 129s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 01-02-2022 05:20

Behavioral task: behavioral1
- Sample: 83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe
- Resource: win10v2004-en-20220113

General
- Target: 83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe
- Size: 1.9MB
- MD5: 36b8590b8c9bf98ebed5d66094a2a627
- SHA1: 48a545da79bb4e166e28729c6658dc1e8cae1e9f
- SHA256: 83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c
- SHA512: 3ad407dc6f9e52fbb28f60b8e848c1de060c67a96b046f4d16c743ae0d9cb37423fb3f9d2d5119344b18e18ae4a094fe7e9dd485183b80059f5209c2cb3fdb68
Malware Config
Extracted
qakbot
324.70
spx85
1585299593
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid, process):
  956  83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe
  1744 83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe
  1744 83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  PID 956 wrote to memory of 1744 | 956 | 83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe | 83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe
  PID 956 wrote to memory of 1744 | 956 | 83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe | 83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe
  PID 956 wrote to memory of 1744 | 956 | 83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe | 83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe
  PID 956 wrote to memory of 1744 | 956 | 83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe | 83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe
  PID 956 wrote to memory of 736 | 956 | 83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe | cmd.exe
  PID 956 wrote to memory of 736 | 956 | 83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe | cmd.exe
  PID 956 wrote to memory of 736 | 956 | 83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe | cmd.exe
  PID 956 wrote to memory of 736 | 956 | 83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe | cmd.exe
  PID 736 wrote to memory of 1228 | 736 | cmd.exe | PING.EXE
  PID 736 wrote to memory of 1228 | 736 | cmd.exe | PING.EXE
  PID 736 wrote to memory of 1228 | 736 | cmd.exe | PING.EXE
  PID 736 wrote to memory of 1228 | 736 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe"
  Depth: 1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe /C
  Depth: 2
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe"
  Depth: 2
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\PING.EXE
  Command line: ping.exe -n 6 127.0.0.1
  Depth: 3
  - Runs ping.exe
Downloads
- memory/956-55-0x00000000763B1000-0x00000000763B3000-memory.dmp
  Filesize: 8KB
- memory/956-56-0x0000000000310000-0x0000000000349000-memory.dmp
  Filesize: 228KB
- memory/956-58-0x0000000000400000-0x00000000005DB000-memory.dmp
  Filesize: 1.9MB
- memory/1744-59-0x0000000000400000-0x00000000005DB000-memory.dmp
  Filesize: 1.9MB