Analysis
- max time kernel: 152s
- max time network: 139s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 05-02-2022 08:09
Behavioral task: behavioral1
- Sample: f13afe8343381ec04ff08b231b0fd9ccd2a3e11264fb651d5ae43945cc1dcc8d.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: f13afe8343381ec04ff08b231b0fd9ccd2a3e11264fb651d5ae43945cc1dcc8d.exe
- Resource: win10v2004-en-20220113
General
- Target: f13afe8343381ec04ff08b231b0fd9ccd2a3e11264fb651d5ae43945cc1dcc8d.exe
- Size: 2.2MB
- MD5: db8916ad4b0bd08a4acb74641e7baede
- SHA1: d1a5125d449c0dc8170bf2de72eff35228bb4eb3
- SHA256: f13afe8343381ec04ff08b231b0fd9ccd2a3e11264fb651d5ae43945cc1dcc8d
- SHA512: 48d268a4e5b9add0c67fdd29df269400fcc1f87cee77511a0601f65d9ee44dbb661076f63672c5b11d811967242ab64a7fa760a16385d4e4b86f529518bba1b6
Malware Config
Extracted
- Family: qakbot
- Version: 324.127
- Botnet: spx99
- Campaign: 1587123128
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
  pid  | process
  1628 | f13afe8343381ec04ff08b231b0fd9ccd2a3e11264fb651d5ae43945cc1dcc8d.exe
  1348 | f13afe8343381ec04ff08b231b0fd9ccd2a3e11264fb651d5ae43945cc1dcc8d.exe
  1348 | f13afe8343381ec04ff08b231b0fd9ccd2a3e11264fb651d5ae43945cc1dcc8d.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description                      | pid  | process                                                              | target process
  PID 1628 wrote to memory of 1348 | 1628 | f13afe8343381ec04ff08b231b0fd9ccd2a3e11264fb651d5ae43945cc1dcc8d.exe | f13afe8343381ec04ff08b231b0fd9ccd2a3e11264fb651d5ae43945cc1dcc8d.exe
  PID 1628 wrote to memory of 1348 | 1628 | f13afe8343381ec04ff08b231b0fd9ccd2a3e11264fb651d5ae43945cc1dcc8d.exe | f13afe8343381ec04ff08b231b0fd9ccd2a3e11264fb651d5ae43945cc1dcc8d.exe
  PID 1628 wrote to memory of 1348 | 1628 | f13afe8343381ec04ff08b231b0fd9ccd2a3e11264fb651d5ae43945cc1dcc8d.exe | f13afe8343381ec04ff08b231b0fd9ccd2a3e11264fb651d5ae43945cc1dcc8d.exe
  PID 1628 wrote to memory of 1348 | 1628 | f13afe8343381ec04ff08b231b0fd9ccd2a3e11264fb651d5ae43945cc1dcc8d.exe | f13afe8343381ec04ff08b231b0fd9ccd2a3e11264fb651d5ae43945cc1dcc8d.exe
  PID 1628 wrote to memory of 796  | 1628 | f13afe8343381ec04ff08b231b0fd9ccd2a3e11264fb651d5ae43945cc1dcc8d.exe | cmd.exe
  PID 1628 wrote to memory of 796  | 1628 | f13afe8343381ec04ff08b231b0fd9ccd2a3e11264fb651d5ae43945cc1dcc8d.exe | cmd.exe
  PID 1628 wrote to memory of 796  | 1628 | f13afe8343381ec04ff08b231b0fd9ccd2a3e11264fb651d5ae43945cc1dcc8d.exe | cmd.exe
  PID 1628 wrote to memory of 796  | 1628 | f13afe8343381ec04ff08b231b0fd9ccd2a3e11264fb651d5ae43945cc1dcc8d.exe | cmd.exe
  PID 796 wrote to memory of 1716  | 796  | cmd.exe                                                              | PING.EXE
  PID 796 wrote to memory of 1716  | 796  | cmd.exe                                                              | PING.EXE
  PID 796 wrote to memory of 1716  | 796  | cmd.exe                                                              | PING.EXE
  PID 796 wrote to memory of 1716  | 796  | cmd.exe                                                              | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\f13afe8343381ec04ff08b231b0fd9ccd2a3e11264fb651d5ae43945cc1dcc8d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f13afe8343381ec04ff08b231b0fd9ccd2a3e11264fb651d5ae43945cc1dcc8d.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\f13afe8343381ec04ff08b231b0fd9ccd2a3e11264fb651d5ae43945cc1dcc8d.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\f13afe8343381ec04ff08b231b0fd9ccd2a3e11264fb651d5ae43945cc1dcc8d.exe /C
    - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\f13afe8343381ec04ff08b231b0fd9ccd2a3e11264fb651d5ae43945cc1dcc8d.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping.exe -n 6 127.0.0.1
      - Runs ping.exe