Analysis
max time kernel: 113s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 01-02-2022 08:10

Behavioral task: behavioral1
Sample: 1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe
Resource: win10v2004-en-20220112

General
Target: 1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe
Size: 821KB
MD5: 7b92d9b8da680f686a1a8c3b06cdc936
SHA1: aaecc58409d6c60ba4ee83c4446f2082814e2aed
SHA256: 1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702
SHA512: c1de52fd6abb96d69d315f5c1761f534004191f4563e3e9c9b5127142b8758fb110409002a988602e6641123f8bab6fb9589b5f58e444ea4b726dd88355267ec
Malware Config
Extracted
qakbot
324.65
spx82
1584449336
Signatures

Sets service image path in registry (2 TTPs)

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | 1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc | 1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service | 1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | 1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc | 1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service | 1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe

Modifies data under HKEY_USERS (41 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | WaaSMedicAgent.exe

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
pid | process
3828 | 1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe
3828 | 1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe
1460 | 1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe
1460 | 1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe
1460 | 1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe
1460 | 1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | pid | process | target process
PID 3828 wrote to memory of 1460 | 3828 | 1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe | 1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe
PID 3828 wrote to memory of 1460 | 3828 | 1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe | 1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe
PID 3828 wrote to memory of 1460 | 3828 | 1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe | 1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe
PID 3828 wrote to memory of 3288 | 3828 | 1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe | cmd.exe
PID 3828 wrote to memory of 3288 | 3828 | 1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe | cmd.exe
PID 3828 wrote to memory of 3288 | 3828 | 1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe | cmd.exe
PID 3288 wrote to memory of 1760 | 3288 | cmd.exe | PING.EXE
PID 3288 wrote to memory of 1760 | 3288 | cmd.exe | PING.EXE
PID 3288 wrote to memory of 1760 | 3288 | cmd.exe | PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe"
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe /C
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe"
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\PING.EXE (depth 3)
        Command line: ping.exe -n 6 127.0.0.1
        - Runs ping.exe

C:\Windows\System32\WaaSMedicAgent.exe (depth 1)
Command line: C:\Windows\System32\WaaSMedicAgent.exe 4c39fea2df10d319a2fb03aa4328f384 6Eo/quQvI0GfXKhB/KjJeQ.0.1.0.0.0
- Modifies data under HKEY_USERS