Analysis
Max time kernel: 140s
Max time network: 148s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 05-02-2022 12:12
Behavioral task: behavioral1
Sample: 9fd802cc98954dfb11a8e53cacee7ed1829b8746e061919dfdebd10924275fde.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 9fd802cc98954dfb11a8e53cacee7ed1829b8746e061919dfdebd10924275fde.exe
Resource: win10v2004-en-20220113
General
Target: 9fd802cc98954dfb11a8e53cacee7ed1829b8746e061919dfdebd10924275fde.exe
Size: 2.3MB
MD5: 112a8486e2ff5c18ba18793019431d54
SHA1: 1dac14c185394f16a259583a8076cf3e46bdcc8c
SHA256: 9fd802cc98954dfb11a8e53cacee7ed1829b8746e061919dfdebd10924275fde
SHA512: 9c40af61404144907421efc90b76f60c86d27c91b2e20504abde15ff783729863e476218cbbb7ffdcb7f4e21ab2b2525f67597ada4afc39187ac3fe891d284b8
Malware Config
Extracted family: qakbot
Version: 324.127
Botnet: spx102
Campaign: 1587561129
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
  pid   process
  1096  9fd802cc98954dfb11a8e53cacee7ed1829b8746e061919dfdebd10924275fde.exe
  916   9fd802cc98954dfb11a8e53cacee7ed1829b8746e061919dfdebd10924275fde.exe
  916   9fd802cc98954dfb11a8e53cacee7ed1829b8746e061919dfdebd10924275fde.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description                       pid   process                                                                  target process
  PID 1096 wrote to memory of 916   1096  9fd802cc98954dfb11a8e53cacee7ed1829b8746e061919dfdebd10924275fde.exe   9fd802cc98954dfb11a8e53cacee7ed1829b8746e061919dfdebd10924275fde.exe
  PID 1096 wrote to memory of 916   1096  9fd802cc98954dfb11a8e53cacee7ed1829b8746e061919dfdebd10924275fde.exe   9fd802cc98954dfb11a8e53cacee7ed1829b8746e061919dfdebd10924275fde.exe
  PID 1096 wrote to memory of 916   1096  9fd802cc98954dfb11a8e53cacee7ed1829b8746e061919dfdebd10924275fde.exe   9fd802cc98954dfb11a8e53cacee7ed1829b8746e061919dfdebd10924275fde.exe
  PID 1096 wrote to memory of 916   1096  9fd802cc98954dfb11a8e53cacee7ed1829b8746e061919dfdebd10924275fde.exe   9fd802cc98954dfb11a8e53cacee7ed1829b8746e061919dfdebd10924275fde.exe
  PID 1096 wrote to memory of 756   1096  9fd802cc98954dfb11a8e53cacee7ed1829b8746e061919dfdebd10924275fde.exe   cmd.exe
  PID 1096 wrote to memory of 756   1096  9fd802cc98954dfb11a8e53cacee7ed1829b8746e061919dfdebd10924275fde.exe   cmd.exe
  PID 1096 wrote to memory of 756   1096  9fd802cc98954dfb11a8e53cacee7ed1829b8746e061919dfdebd10924275fde.exe   cmd.exe
  PID 1096 wrote to memory of 756   1096  9fd802cc98954dfb11a8e53cacee7ed1829b8746e061919dfdebd10924275fde.exe   cmd.exe
  PID 756 wrote to memory of 812    756   cmd.exe                                                                  PING.EXE
  PID 756 wrote to memory of 812    756   cmd.exe                                                                  PING.EXE
  PID 756 wrote to memory of 812    756   cmd.exe                                                                  PING.EXE
  PID 756 wrote to memory of 812    756   cmd.exe                                                                  PING.EXE
Processes
(level 1) C:\Users\Admin\AppData\Local\Temp\9fd802cc98954dfb11a8e53cacee7ed1829b8746e061919dfdebd10924275fde.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9fd802cc98954dfb11a8e53cacee7ed1829b8746e061919dfdebd10924275fde.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  (level 2) C:\Users\Admin\AppData\Local\Temp\9fd802cc98954dfb11a8e53cacee7ed1829b8746e061919dfdebd10924275fde.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\9fd802cc98954dfb11a8e53cacee7ed1829b8746e061919dfdebd10924275fde.exe /C
    - Suspicious behavior: EnumeratesProcesses
  (level 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\9fd802cc98954dfb11a8e53cacee7ed1829b8746e061919dfdebd10924275fde.exe"
    - Suspicious use of WriteProcessMemory
    (level 3) C:\Windows\SysWOW64\PING.EXE
      Command line: ping.exe -n 6 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/916-58-0x0000000000400000-0x0000000000646000-memory.dmp (Filesize: 2.3MB)
- memory/1096-54-0x0000000076C61000-0x0000000076C63000-memory.dmp (Filesize: 8KB)
- memory/1096-55-0x0000000000220000-0x0000000000259000-memory.dmp (Filesize: 228KB)
- memory/1096-57-0x0000000000400000-0x0000000000646000-memory.dmp (Filesize: 2.3MB)