Analysis
- max time kernel: 135s
- max time network: 121s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 05-02-2022 11:18
Behavioral task: behavioral1
- Sample: b0d7b1ec0cc40ce002fb52897af55d610da875792d57d3714caa01255c06d89a.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: b0d7b1ec0cc40ce002fb52897af55d610da875792d57d3714caa01255c06d89a.exe
- Resource: win10v2004-en-20220113
General
- Target: b0d7b1ec0cc40ce002fb52897af55d610da875792d57d3714caa01255c06d89a.exe
- Size: 2.3MB
- MD5: fabbf0b8f976f393fd0438a61532a3f6
- SHA1: b8d59be52e7c6c9eaf35b95790703354541ae2b6
- SHA256: b0d7b1ec0cc40ce002fb52897af55d610da875792d57d3714caa01255c06d89a
- SHA512: 005bc63e68519c60c64a0618d024fda412b0672918b9b1f8138773f6074b5239cf0bbb8eb54d24637835572707dbc5e38d48158605ef9726476c54fe5cee7376
Malware Config
Extracted
- Family: qakbot
- Version: 324.127
- Botnet: spx97
- Campaign: 1586971769
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid, process):
  - 832: b0d7b1ec0cc40ce002fb52897af55d610da875792d57d3714caa01255c06d89a.exe
  - 1352: b0d7b1ec0cc40ce002fb52897af55d610da875792d57d3714caa01255c06d89a.exe
  - 1352: b0d7b1ec0cc40ce002fb52897af55d610da875792d57d3714caa01255c06d89a.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  - PID 832 wrote to memory of 1352: b0d7b1ec0cc40ce002fb52897af55d610da875792d57d3714caa01255c06d89a.exe -> b0d7b1ec0cc40ce002fb52897af55d610da875792d57d3714caa01255c06d89a.exe
  - PID 832 wrote to memory of 1352: b0d7b1ec0cc40ce002fb52897af55d610da875792d57d3714caa01255c06d89a.exe -> b0d7b1ec0cc40ce002fb52897af55d610da875792d57d3714caa01255c06d89a.exe
  - PID 832 wrote to memory of 1352: b0d7b1ec0cc40ce002fb52897af55d610da875792d57d3714caa01255c06d89a.exe -> b0d7b1ec0cc40ce002fb52897af55d610da875792d57d3714caa01255c06d89a.exe
  - PID 832 wrote to memory of 1352: b0d7b1ec0cc40ce002fb52897af55d610da875792d57d3714caa01255c06d89a.exe -> b0d7b1ec0cc40ce002fb52897af55d610da875792d57d3714caa01255c06d89a.exe
  - PID 832 wrote to memory of 1692: b0d7b1ec0cc40ce002fb52897af55d610da875792d57d3714caa01255c06d89a.exe -> cmd.exe
  - PID 832 wrote to memory of 1692: b0d7b1ec0cc40ce002fb52897af55d610da875792d57d3714caa01255c06d89a.exe -> cmd.exe
  - PID 832 wrote to memory of 1692: b0d7b1ec0cc40ce002fb52897af55d610da875792d57d3714caa01255c06d89a.exe -> cmd.exe
  - PID 832 wrote to memory of 1692: b0d7b1ec0cc40ce002fb52897af55d610da875792d57d3714caa01255c06d89a.exe -> cmd.exe
  - PID 1692 wrote to memory of 1316: cmd.exe -> PING.EXE
  - PID 1692 wrote to memory of 1316: cmd.exe -> PING.EXE
  - PID 1692 wrote to memory of 1316: cmd.exe -> PING.EXE
  - PID 1692 wrote to memory of 1316: cmd.exe -> PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\b0d7b1ec0cc40ce002fb52897af55d610da875792d57d3714caa01255c06d89a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b0d7b1ec0cc40ce002fb52897af55d610da875792d57d3714caa01255c06d89a.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\b0d7b1ec0cc40ce002fb52897af55d610da875792d57d3714caa01255c06d89a.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\b0d7b1ec0cc40ce002fb52897af55d610da875792d57d3714caa01255c06d89a.exe /C
    - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\b0d7b1ec0cc40ce002fb52897af55d610da875792d57d3714caa01255c06d89a.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping.exe -n 6 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/832-53-0x0000000076151000-0x0000000076153000-memory.dmp (Filesize: 8KB)
- memory/832-54-0x0000000000220000-0x0000000000259000-memory.dmp (Filesize: 228KB)
- memory/832-55-0x0000000000400000-0x0000000000647000-memory.dmp (Filesize: 2.3MB)
- memory/1352-57-0x0000000000400000-0x0000000000647000-memory.dmp (Filesize: 2.3MB)