Analysis
- max time kernel: 74s
- max time network: 27s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 05-02-2022 12:22
Behavioral task: behavioral1
- Sample: 9c039fc6a1c1579a6c5d2baccbcb4de565c0dd1ca466424bd7de8386f6548864.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 9c039fc6a1c1579a6c5d2baccbcb4de565c0dd1ca466424bd7de8386f6548864.exe
- Resource: win10v2004-en-20220113
General
- Target: 9c039fc6a1c1579a6c5d2baccbcb4de565c0dd1ca466424bd7de8386f6548864.exe
- Size: 2.3MB
- MD5: 88e6e68878d36a079f9725a7f9b2a00d
- SHA1: ad275915a856e2c0fb5970b9ee4c3a14ce20c43a
- SHA256: 9c039fc6a1c1579a6c5d2baccbcb4de565c0dd1ca466424bd7de8386f6548864
- SHA512: 615d120ffc59e21177b6eee228a5ddd6f161af3ed7e94bb73bd3c49b15c9b4384c68f21101f7e3b87f525e678193b277eaa0d5ceba35e6ec6be2a194eb9c6ed5
Malware Config
- Extracted: qakbot
- 324.127
- spx98
- 1587042061
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
  pid  | process
  2028 | 9c039fc6a1c1579a6c5d2baccbcb4de565c0dd1ca466424bd7de8386f6548864.exe
  1484 | 9c039fc6a1c1579a6c5d2baccbcb4de565c0dd1ca466424bd7de8386f6548864.exe
  1484 | 9c039fc6a1c1579a6c5d2baccbcb4de565c0dd1ca466424bd7de8386f6548864.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description                        | pid  | process                                                              | target process
  PID 2028 wrote to memory of 1484   | 2028 | 9c039fc6a1c1579a6c5d2baccbcb4de565c0dd1ca466424bd7de8386f6548864.exe | 9c039fc6a1c1579a6c5d2baccbcb4de565c0dd1ca466424bd7de8386f6548864.exe
  PID 2028 wrote to memory of 1484   | 2028 | 9c039fc6a1c1579a6c5d2baccbcb4de565c0dd1ca466424bd7de8386f6548864.exe | 9c039fc6a1c1579a6c5d2baccbcb4de565c0dd1ca466424bd7de8386f6548864.exe
  PID 2028 wrote to memory of 1484   | 2028 | 9c039fc6a1c1579a6c5d2baccbcb4de565c0dd1ca466424bd7de8386f6548864.exe | 9c039fc6a1c1579a6c5d2baccbcb4de565c0dd1ca466424bd7de8386f6548864.exe
  PID 2028 wrote to memory of 1484   | 2028 | 9c039fc6a1c1579a6c5d2baccbcb4de565c0dd1ca466424bd7de8386f6548864.exe | 9c039fc6a1c1579a6c5d2baccbcb4de565c0dd1ca466424bd7de8386f6548864.exe
  PID 2028 wrote to memory of 1536   | 2028 | 9c039fc6a1c1579a6c5d2baccbcb4de565c0dd1ca466424bd7de8386f6548864.exe | cmd.exe
  PID 2028 wrote to memory of 1536   | 2028 | 9c039fc6a1c1579a6c5d2baccbcb4de565c0dd1ca466424bd7de8386f6548864.exe | cmd.exe
  PID 2028 wrote to memory of 1536   | 2028 | 9c039fc6a1c1579a6c5d2baccbcb4de565c0dd1ca466424bd7de8386f6548864.exe | cmd.exe
  PID 2028 wrote to memory of 1536   | 2028 | 9c039fc6a1c1579a6c5d2baccbcb4de565c0dd1ca466424bd7de8386f6548864.exe | cmd.exe
  PID 1536 wrote to memory of 948    | 1536 | cmd.exe                                                              | PING.EXE
  PID 1536 wrote to memory of 948    | 1536 | cmd.exe                                                              | PING.EXE
  PID 1536 wrote to memory of 948    | 1536 | cmd.exe                                                              | PING.EXE
  PID 1536 wrote to memory of 948    | 1536 | cmd.exe                                                              | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\9c039fc6a1c1579a6c5d2baccbcb4de565c0dd1ca466424bd7de8386f6548864.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9c039fc6a1c1579a6c5d2baccbcb4de565c0dd1ca466424bd7de8386f6548864.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\9c039fc6a1c1579a6c5d2baccbcb4de565c0dd1ca466424bd7de8386f6548864.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\9c039fc6a1c1579a6c5d2baccbcb4de565c0dd1ca466424bd7de8386f6548864.exe /C
    - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\9c039fc6a1c1579a6c5d2baccbcb4de565c0dd1ca466424bd7de8386f6548864.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping.exe -n 6 127.0.0.1
      - Runs ping.exe