Analysis
max time kernel: 147s
max time network: 159s
platform: windows7_x64
resource: win7-en-20211208
submitted: 05-02-2022 09:08
Behavioral task: behavioral1
Sample: dd4ce28811c332a025789d046b676085b038d524041e9388f4f0d4fbd6192386.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: dd4ce28811c332a025789d046b676085b038d524041e9388f4f0d4fbd6192386.exe
Resource: win10v2004-en-20220113
General
Target: dd4ce28811c332a025789d046b676085b038d524041e9388f4f0d4fbd6192386.exe
Size: 2.3MB
MD5: ae878fe52d0dff30d94cfbe611d7825b
SHA1: f4acba58dd7a9b9bd760a0e10ec81b19fa41d65c
SHA256: dd4ce28811c332a025789d046b676085b038d524041e9388f4f0d4fbd6192386
SHA512: 15b6da936d1db186e7fa16eb47b95edb1ef7430117634c5e29fa62d1056871b91b6f0342bf0fdf71f66e618f85145e469bd7c04da554df8f82d4e1d76ea10871
Malware Config
Extracted
qakbot
324.127
spx96
1586873043
Signatures
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
pid   process
980   dd4ce28811c332a025789d046b676085b038d524041e9388f4f0d4fbd6192386.exe
1128  dd4ce28811c332a025789d046b676085b038d524041e9388f4f0d4fbd6192386.exe
1128  dd4ce28811c332a025789d046b676085b038d524041e9388f4f0d4fbd6192386.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
description                        pid   process                                                                    target process
PID 980 wrote to memory of 1128    980   dd4ce28811c332a025789d046b676085b038d524041e9388f4f0d4fbd6192386.exe   dd4ce28811c332a025789d046b676085b038d524041e9388f4f0d4fbd6192386.exe
PID 980 wrote to memory of 1128    980   dd4ce28811c332a025789d046b676085b038d524041e9388f4f0d4fbd6192386.exe   dd4ce28811c332a025789d046b676085b038d524041e9388f4f0d4fbd6192386.exe
PID 980 wrote to memory of 1128    980   dd4ce28811c332a025789d046b676085b038d524041e9388f4f0d4fbd6192386.exe   dd4ce28811c332a025789d046b676085b038d524041e9388f4f0d4fbd6192386.exe
PID 980 wrote to memory of 1128    980   dd4ce28811c332a025789d046b676085b038d524041e9388f4f0d4fbd6192386.exe   dd4ce28811c332a025789d046b676085b038d524041e9388f4f0d4fbd6192386.exe
PID 980 wrote to memory of 1356    980   dd4ce28811c332a025789d046b676085b038d524041e9388f4f0d4fbd6192386.exe   cmd.exe
PID 980 wrote to memory of 1356    980   dd4ce28811c332a025789d046b676085b038d524041e9388f4f0d4fbd6192386.exe   cmd.exe
PID 980 wrote to memory of 1356    980   dd4ce28811c332a025789d046b676085b038d524041e9388f4f0d4fbd6192386.exe   cmd.exe
PID 980 wrote to memory of 1356    980   dd4ce28811c332a025789d046b676085b038d524041e9388f4f0d4fbd6192386.exe   cmd.exe
PID 1356 wrote to memory of 1688   1356  cmd.exe                                                                    PING.EXE
PID 1356 wrote to memory of 1688   1356  cmd.exe                                                                    PING.EXE
PID 1356 wrote to memory of 1688   1356  cmd.exe                                                                    PING.EXE
PID 1356 wrote to memory of 1688   1356  cmd.exe                                                                    PING.EXE
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\dd4ce28811c332a025789d046b676085b038d524041e9388f4f0d4fbd6192386.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dd4ce28811c332a025789d046b676085b038d524041e9388f4f0d4fbd6192386.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\dd4ce28811c332a025789d046b676085b038d524041e9388f4f0d4fbd6192386.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\dd4ce28811c332a025789d046b676085b038d524041e9388f4f0d4fbd6192386.exe /C
    - Suspicious behavior: EnumeratesProcesses
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\dd4ce28811c332a025789d046b676085b038d524041e9388f4f0d4fbd6192386.exe"
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping.exe -n 6 127.0.0.1
      - Runs ping.exe