Analysis

max time kernel: 154s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 05-02-2022 08:20

Behavioral task behavioral1
  Sample: ed29a2f69fce0d137552ba25ae97e99033527c56a9365b5637abce6cc2bce185.exe
  Resource: win7-en-20211208

Behavioral task behavioral2
  Sample: ed29a2f69fce0d137552ba25ae97e99033527c56a9365b5637abce6cc2bce185.exe
  Resource: win10v2004-en-20220112

General

Target: ed29a2f69fce0d137552ba25ae97e99033527c56a9365b5637abce6cc2bce185.exe
Size: 2.2MB
MD5: 8df49fd30a7193206bdef9e99c35e6bf
SHA1: 67e17fee3d00c0559a8e23a40ebb88f12315a0c7
SHA256: ed29a2f69fce0d137552ba25ae97e99033527c56a9365b5637abce6cc2bce185
SHA512: 3b915e8486eb26120bf216e253c984571ed40bae700421ea41a26c557d0d5afd3a83f0491e2f7c52355f37da83a9e7c99e56dfb9789d584f1bd6f8d43fd11c2a
Malware Config

Extracted
  Family: qakbot
  Version: 324.127
  Botnet: spx99
  Campaign: 1587123128
  C2 (150 host:port entries):
Signatures

Sets service image path in registry (2 TTPs)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: ed29a2f69fce0d137552ba25ae97e99033527c56a9365b5637abce6cc2bce185.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | ed29a2f69fce0d137552ba25ae97e99033527c56a9365b5637abce6cc2bce185.exe
Drops file in Windows directory (1 IoC)
Processes: svchost.exe
  description | ioc | process
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: ed29a2f69fce0d137552ba25ae97e99033527c56a9365b5637abce6cc2bce185.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc | ed29a2f69fce0d137552ba25ae97e99033527c56a9365b5637abce6cc2bce185.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service | ed29a2f69fce0d137552ba25ae97e99033527c56a9365b5637abce6cc2bce185.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | ed29a2f69fce0d137552ba25ae97e99033527c56a9365b5637abce6cc2bce185.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc | ed29a2f69fce0d137552ba25ae97e99033527c56a9365b5637abce6cc2bce185.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service | ed29a2f69fce0d137552ba25ae97e99033527c56a9365b5637abce6cc2bce185.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | ed29a2f69fce0d137552ba25ae97e99033527c56a9365b5637abce6cc2bce185.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: MusNotifyIcon.exe
  description | ioc | process
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes: svchost.exe, WaaSMedicAgent.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | WaaSMedicAgent.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | WaaSMedicAgent.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3888" | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | WaaSMedicAgent.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | WaaSMedicAgent.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | WaaSMedicAgent.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | WaaSMedicAgent.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | WaaSMedicAgent.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | WaaSMedicAgent.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "1.818206" | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | WaaSMedicAgent.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | WaaSMedicAgent.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132886992908162492" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | WaaSMedicAgent.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.006648" | svchost.exe
Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: ed29a2f69fce0d137552ba25ae97e99033527c56a9365b5637abce6cc2bce185.exe, ed29a2f69fce0d137552ba25ae97e99033527c56a9365b5637abce6cc2bce185.exe
  pid | process
  3744 | ed29a2f69fce0d137552ba25ae97e99033527c56a9365b5637abce6cc2bce185.exe
  3744 | ed29a2f69fce0d137552ba25ae97e99033527c56a9365b5637abce6cc2bce185.exe
  3368 | ed29a2f69fce0d137552ba25ae97e99033527c56a9365b5637abce6cc2bce185.exe
  3368 | ed29a2f69fce0d137552ba25ae97e99033527c56a9365b5637abce6cc2bce185.exe
  3368 | ed29a2f69fce0d137552ba25ae97e99033527c56a9365b5637abce6cc2bce185.exe
  3368 | ed29a2f69fce0d137552ba25ae97e99033527c56a9365b5637abce6cc2bce185.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: ed29a2f69fce0d137552ba25ae97e99033527c56a9365b5637abce6cc2bce185.exe, cmd.exe
  description | pid | process | target process
  PID 3744 wrote to memory of 3368 | 3744 | ed29a2f69fce0d137552ba25ae97e99033527c56a9365b5637abce6cc2bce185.exe | ed29a2f69fce0d137552ba25ae97e99033527c56a9365b5637abce6cc2bce185.exe
  PID 3744 wrote to memory of 3368 | 3744 | ed29a2f69fce0d137552ba25ae97e99033527c56a9365b5637abce6cc2bce185.exe | ed29a2f69fce0d137552ba25ae97e99033527c56a9365b5637abce6cc2bce185.exe
  PID 3744 wrote to memory of 3368 | 3744 | ed29a2f69fce0d137552ba25ae97e99033527c56a9365b5637abce6cc2bce185.exe | ed29a2f69fce0d137552ba25ae97e99033527c56a9365b5637abce6cc2bce185.exe
  PID 3744 wrote to memory of 2696 | 3744 | ed29a2f69fce0d137552ba25ae97e99033527c56a9365b5637abce6cc2bce185.exe | cmd.exe
  PID 3744 wrote to memory of 2696 | 3744 | ed29a2f69fce0d137552ba25ae97e99033527c56a9365b5637abce6cc2bce185.exe | cmd.exe
  PID 3744 wrote to memory of 2696 | 3744 | ed29a2f69fce0d137552ba25ae97e99033527c56a9365b5637abce6cc2bce185.exe | cmd.exe
  PID 2696 wrote to memory of 1320 | 2696 | cmd.exe | PING.EXE
  PID 2696 wrote to memory of 1320 | 2696 | cmd.exe | PING.EXE
  PID 2696 wrote to memory of 1320 | 2696 | cmd.exe | PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\ed29a2f69fce0d137552ba25ae97e99033527c56a9365b5637abce6cc2bce185.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ed29a2f69fce0d137552ba25ae97e99033527c56a9365b5637abce6cc2bce185.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\ed29a2f69fce0d137552ba25ae97e99033527c56a9365b5637abce6cc2bce185.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\ed29a2f69fce0d137552ba25ae97e99033527c56a9365b5637abce6cc2bce185.exe /C
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\ed29a2f69fce0d137552ba25ae97e99033527c56a9365b5637abce6cc2bce185.exe"
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\PING.EXE
          Command line: ping.exe -n 6 127.0.0.1
          - Runs ping.exe

C:\Windows\System32\WaaSMedicAgent.exe
  Command line: C:\Windows\System32\WaaSMedicAgent.exe aad7e9790449325399f4772b8c60b9f2 xZyWRlLLnkiYqRNCmyWHng.0.1.0.0.0
  - Modifies data under HKEY_USERS

C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS