Analysis
max time kernel: 128s
max time network: 140s
platform: windows7_x64
resource: win7-en-20211208
submitted: 05-02-2022 16:31
Behavioral task behavioral1
Sample: 40a4f7184aee555b871823a677a8ac7278856f735f8fd0080322f8c67e8be4f2.exe
Resource: win7-en-20211208
Behavioral task behavioral2
Sample: 40a4f7184aee555b871823a677a8ac7278856f735f8fd0080322f8c67e8be4f2.exe
Resource: win10v2004-en-20220113
The signatures, process tree and memory dumps below are from behavioral1, the windows7_x64 run.
General
Target: 40a4f7184aee555b871823a677a8ac7278856f735f8fd0080322f8c67e8be4f2.exe
Size: 2.0MB
MD5: e5607c54c026676782b24856d4214d58
SHA1: a0e576281fa43368f48a93b6009f4329ed35aa34
SHA256: 40a4f7184aee555b871823a677a8ac7278856f735f8fd0080322f8c67e8be4f2
SHA512: c7317c8caf82a0cebf63ad70f0095aeb6d884b93495f9b2c576dc4d8672ffb2c88ef0be4ae8d8c187bbc0476179598a95452a9c52b45b1ef9a493be94c376a13
Malware Config
Extracted
Family: qakbot
Version: 324.127
Botnet: spx105
Campaign ID: 1587988969 (a Unix timestamp, decoding to 2020-04-27 12:02:49 UTC; this build is almost two years older than the 05-02-2022 submission, so expect many of the C2 endpoints below to be stale)
C2 (150 entries, ip:port):
24.184.5.251:2222
184.98.104.7:995
97.127.144.203:2222
121.74.205.27:995
75.87.161.32:995
24.201.79.208:2078
86.125.208.132:443
84.247.55.190:443
94.53.119.108:443
58.177.238.186:443
71.77.231.251:443
89.137.208.171:443
5.107.186.224:2222
72.183.129.56:443
71.220.191.200:443
68.82.125.234:443
172.113.74.96:443
70.95.94.91:2222
86.127.12.161:21
216.16.178.115:443
201.146.188.44:443
75.110.250.89:443
108.185.113.12:443
98.173.34.212:995
24.226.137.154:443
76.93.183.98:443
24.100.99.235:995
98.242.36.86:443
24.55.152.50:995
70.57.15.187:993
68.224.192.39:443
89.38.101.144:443
70.174.3.241:443
173.173.68.41:443
73.210.114.187:443
96.57.42.130:443
73.226.220.56:443
76.170.77.99:443
63.155.71.107:995
70.62.160.186:6883
199.241.223.66:443
79.114.194.106:443
68.49.120.179:443
172.95.42.35:443
98.219.77.197:443
50.78.93.74:443
118.93.166.4:2222
74.33.68.160:443
121.121.119.6:443
65.116.179.83:443
24.61.47.73:443
69.206.6.71:2222
71.77.252.14:2222
24.202.42.48:2222
108.27.217.44:443
95.77.144.238:443
66.208.105.6:443
188.173.185.139:443
173.70.165.101:995
108.34.131.96:443
98.22.66.236:443
58.108.188.231:443
108.30.125.94:443
86.127.201.2:443
82.78.224.11:443
98.199.150.30:443
203.213.104.25:995
5.37.164.24:443
66.25.168.167:2222
108.190.151.108:2222
79.116.39.135:443
72.16.212.107:465
207.255.18.67:443
50.108.212.180:443
84.117.89.128:443
67.209.195.198:3389
47.146.169.85:443
47.214.144.253:443
116.202.36.62:21
35.142.126.181:443
64.19.74.29:995
75.137.60.81:443
73.37.1.116:443
92.97.116.28:443
47.41.3.40:443
47.136.224.60:443
108.227.161.27:995
46.214.62.199:443
203.33.139.134:443
68.46.142.48:995
72.209.191.27:443
68.98.142.248:443
68.4.137.211:443
24.10.42.174:443
72.36.59.46:2222
172.242.156.50:443
50.244.112.106:443
79.117.150.213:443
190.198.110.84:2078
71.163.225.75:443
86.126.106.106:2222
77.159.149.74:443
24.110.14.40:443
216.201.162.158:443
68.14.210.246:22
24.110.96.149:443
2.190.226.125:443
86.123.221.186:443
87.65.204.240:995
76.187.8.160:443
68.1.171.93:443
181.126.86.223:443
197.165.151.154:443
89.33.87.107:995
46.214.86.217:443
86.123.29.181:443
72.214.55.147:995
94.52.160.116:443
39.59.37.145:995
173.79.220.156:443
1.40.42.4:443
71.80.66.107:443
47.202.98.230:443
89.43.136.239:443
46.11.37.93:2222
98.32.60.217:443
84.117.176.32:443
108.51.130.83:443
73.90.4.146:443
208.126.142.17:443
24.27.82.216:2222
79.114.140.198:443
66.76.105.143:443
83.25.1.136:2222
72.181.15.240:443
73.56.2.167:443
24.183.39.93:443
78.97.145.242:443
67.251.155.12:443
47.185.134.79:443
185.145.113.249:443
31.5.189.71:443
47.40.244.237:443
5.13.110.111:443
136.228.103.44:443
92.114.85.210:995
184.180.157.203:2222
137.99.224.198:443
47.232.26.181:443
94.52.151.23:443
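The C2 list above is the part of this report that feeds directly into detection, so here is an added example (not from the Triage report and not the sample's own code) of turning it into something operational: it parses the ip:port entries, drops malformed or non-routable ones, profiles the ports (the 443/995/2222 bulk versus the odd 21, 22, 465, 993, 2078, 3389 and 6883 entries), emits Suricata rules, and matches the endpoints against flow records. The C2 subset, the Zeek conn.log-style records and the sid range are all constructed for the example.

```python
"""Added example (not part of the Triage report): load the extracted Qakbot C2 list,
profile it, generate Suricata rules and match it against flow records."""
import ipaddress
from collections import Counter

# Constructed subset of the C2 entries shown in the extracted config, plus two
# deliberately bad lines (a non-IP host and an RFC1918 address) to exercise validation.
C2_RAW = """
24.184.5.251:2222
184.98.104.7:995
86.125.208.132:443
86.127.12.161:21
70.62.160.186:6883
72.16.212.107:465
67.209.195.198:3389
68.14.210.246:22
70.57.15.187:993
not-an-ip:443
10.0.0.5:443
"""

# Ports that carry the bulk of this config's C2 list; anything else is still matched,
# but flagged in the rule message so an analyst notices the unusual service port.
COMMON_C2_PORTS = {443, 995, 2222}


def parse_c2(raw):
    """Parse 'ip:port' lines into a set of (ip, port), dropping malformed or non-global entries."""
    entries = set()
    for line in raw.strip().splitlines():
        host, sep, port = line.strip().rpartition(":")
        if not sep:
            continue
        try:
            ip = ipaddress.ip_address(host)
            port = int(port)
        except ValueError:
            continue  # not an IP literal, or port not numeric
        if not ip.is_global or not 0 < port < 65536:
            continue  # private/loopback/reserved ranges never belong in a C2 blocklist
        entries.add((str(ip), port))
    return entries


def port_profile(entries):
    """Count C2 entries per port; the tail of this distribution is where the odd ports live."""
    return Counter(port for _, port in entries)


def suricata_rules(entries, botnet, sid_start=9000001):
    """Emit one Suricata alert rule per C2 endpoint (TCP only; the sid range is an assumption)."""
    rules = []
    for sid, (ip, port) in enumerate(sorted(entries), start=sid_start):
        note = "" if port in COMMON_C2_PORTS else " (unusual port)"
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"Qakbot {botnet} C2 {ip}:{port}{note}"; '
            f'flow:to_server; sid:{sid}; rev:1;)'
        )
    return rules


# Constructed Zeek conn.log-style records (tab-separated):
# ts  uid  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto
CONN_LOG = """\
1644078800.1\tCabc1\t192.168.1.20\t49211\t24.184.5.251\t2222\ttcp
1644078801.4\tCabc2\t192.168.1.20\t49212\t142.250.80.46\t443\ttcp
1644078803.9\tCabc3\t192.168.1.31\t50110\t67.209.195.198\t3389\ttcp
1644078804.2\tCabc4\t192.168.1.20\t49213\t184.98.104.7\t80\ttcp
"""


def match_flows(entries, conn_log):
    """Return (uid, src_host, ip, port) for flows whose responder is a C2 endpoint.
    Matching needs both address and port: 184.98.104.7:80 is not in the config and stays
    unmatched, so an address-only hunt should be run separately if that is wanted."""
    hits = []
    for line in conn_log.strip().splitlines():
        f = line.split("\t")
        if len(f) < 7:
            continue
        key = (f[4], int(f[5]))
        if key in entries:
            hits.append((f[1], f[2], key[0], key[1]))
    return hits


if __name__ == "__main__":
    c2 = parse_c2(C2_RAW)
    print(f"{len(c2)} C2 endpoints, ports: {dict(port_profile(c2))}")
    for rule in suricata_rules(c2, "spx105")[:3]:
        print(rule)
    for hit in match_flows(c2, CONN_LOG):
        print("C2 contact:", hit)
```

Because most of these endpoints are residential addresses (Qakbot proxies C2 through infected hosts), treat hits as a lead to pivot on, not as a blocklist to keep forever: re-check the list against the campaign timestamp before deploying rules built from an old config.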
Signatures
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it "likely ransomware behaviour", but nothing in this report shows file encryption, and the extracted config identifies the family as Qakbot; read the drive enumeration as reconnaissance rather than as evidence of ransomware.
-
Runs ping.exe (1 TTPs, 1 IoCs)
-
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
pid   process
1608  40a4f7184aee555b871823a677a8ac7278856f735f8fd0080322f8c67e8be4f2.exe
1748  40a4f7184aee555b871823a677a8ac7278856f735f8fd0080322f8c67e8be4f2.exe
1748  40a4f7184aee555b871823a677a8ac7278856f735f8fd0080322f8c67e8be4f2.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (each pair was recorded four times):
source PID  source process                                                                  target PID  target process
1608        40a4f7184aee555b871823a677a8ac7278856f735f8fd0080322f8c67e8be4f2.exe            1748        40a4f7184aee555b871823a677a8ac7278856f735f8fd0080322f8c67e8be4f2.exe
1608        40a4f7184aee555b871823a677a8ac7278856f735f8fd0080322f8c67e8be4f2.exe            1276        cmd.exe
1276        cmd.exe                                                                         1632        PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\40a4f7184aee555b871823a677a8ac7278856f735f8fd0080322f8c67e8be4f2.exe (PID 1608)
  command line: "C:\Users\Admin\AppData\Local\Temp\40a4f7184aee555b871823a677a8ac7278856f735f8fd0080322f8c67e8be4f2.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\40a4f7184aee555b871823a677a8ac7278856f735f8fd0080322f8c67e8be4f2.exe (PID 1748)
      command line: C:\Users\Admin\AppData\Local\Temp\40a4f7184aee555b871823a677a8ac7278856f735f8fd0080322f8c67e8be4f2.exe /C
      - Suspicious behavior: EnumeratesProcesses
    C:\Windows\SysWOW64\cmd.exe (PID 1276)
      command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\40a4f7184aee555b871823a677a8ac7278856f735f8fd0080322f8c67e8be4f2.exe"
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE (PID 1632)
          command line: ping.exe -n 6 127.0.0.1
          - Runs ping.exe
Reading the tree: the sample (PID 1608) first re-launches itself with the /C argument (PID 1748), then spawns cmd.exe (PID 1276) with a command that waits roughly five seconds by pinging the loopback address six times and then overwrites the sample's own file on disk with a copy of calc.exe. The ping is a sleep that gives the parent time to exit and release its file handle; once the command has run, the file at the original Temp path is calc.exe, so the dropper has to be recovered from the submitted sample or from the memory dumps below rather than from the post-execution disk image. The image paths resolve under C:\Windows\SysWOW64 although the command lines name C:\Windows\System32: the sample is a 32-bit process on windows7_x64 and its child processes go through WOW64 file system redirection.
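The cmd.exe line in the tree is the most reusable detection artefact on this page: a loopback-ping sleep chained with a `type ... >` copy-by-redirection that targets the parent's own image. The following is an added example (not from the Triage report and not the sample's code) of flagging that pattern over Sysmon Event ID 1-style process-creation events; the events are constructed, with the first one reproducing the command line and PIDs shown above and the others acting as controls.

```python
"""Added example (not part of the Triage report): flag the ping-delay + self-overwrite
cleanup command seen in the process tree, over Sysmon-style process-creation events."""
import ntpath
import re

# "ping[.exe] -n <count> 127.0.0.1": a sleep built from loopback pings. Requests go out one
# second apart, so -n 6 waits roughly 5 seconds for the parent process to exit.
PING_DELAY = re.compile(r"\bping(?:\.exe)?\s+-n\s+(\d+)\s+127\.0\.0\.1", re.IGNORECASE)
# 'type "<source>" > "<destination>"': copies a file by redirection without calling copy.
TYPE_REDIRECT = re.compile(r'\btype\s+"?([^"&>]+?)"?\s*>\s*"?([^"&]+?)"?\s*$', re.IGNORECASE)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\40a4f7184aee555b871823a677a8ac7278856f735f8fd0080322f8c67e8be4f2.exe"

# Constructed events modelled on Sysmon Event ID 1 fields. EVENTS[0] reproduces the cmd.exe
# record from the report; EVENTS[1] is the same trick aimed at a different file; the last
# two are benign uses of ping and of output redirection.
EVENTS = [
    {"ProcessId": 1276, "ParentProcessId": 1608,
     "Image": r"C:\Windows\SysWOW64\cmd.exe", "ParentImage": SAMPLE,
     "CommandLine": rf'"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & '
                    rf'type "C:\Windows\System32\calc.exe" > "{SAMPLE}"'},
    {"ProcessId": 2001, "ParentProcessId": 1900,
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Users\Admin\Downloads\setup.exe",
     "CommandLine": r"cmd /c ping -n 3 127.0.0.1 & type C:\Windows\System32\calc.exe > C:\Users\Admin\Downloads\other.exe"},
    {"ProcessId": 2002, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c ping -n 1 8.8.8.8"},
    {"ProcessId": 2003, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c type notes.txt > backup.txt"},
]


def detect_self_overwrite(events):
    """Return one alert per cmd.exe whose command line both sleeps via loopback ping and
    rewrites a file by redirection. Confidence is high when the destination is the parent's
    own image (the parent is wiping itself), medium when some other file is the target."""
    alerts = []
    for ev in events:
        if ntpath.basename(ev["Image"]).lower() != "cmd.exe":
            continue
        cmdline = ev["CommandLine"]
        delay = PING_DELAY.search(cmdline)
        redirect = TYPE_REDIRECT.search(cmdline)
        if not (delay and redirect):
            continue  # either half alone is common in benign scripts
        source, dest = (s.strip() for s in redirect.groups())
        # normcase lower-cases and normalises separators so quoting/case differences don't hide a match
        self_target = ntpath.normcase(dest) == ntpath.normcase(ev["ParentImage"])
        alerts.append({
            "pid": ev["ProcessId"],
            "parent_pid": ev["ParentProcessId"],
            "parent_image": ev["ParentImage"],
            "delay_seconds": max(int(delay.group(1)) - 1, 0),
            "overwrite_source": source,
            "overwrite_target": dest,
            "confidence": "high" if self_target else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_self_overwrite(EVENTS):
        print(alert)
```

The high-confidence branch is the one worth paging on: a process whose child cmd.exe overwrites that same process's image is almost never legitimate. Hunting on the medium branch is still useful, because the same cleanup is used against a copy of the dropper left elsewhere, but it needs a parent-image allowlist for installers that genuinely replace files after a delay.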
Network
MITRE ATT&CK Enterprise v6
Downloads (memory dumps)
memory/1608-54-0x0000000075531000-0x0000000075533000-memory.dmp (8KB)
memory/1608-55-0x0000000000220000-0x0000000000259000-memory.dmp (228KB)
memory/1608-56-0x0000000000400000-0x00000000005F8000-memory.dmp (2.0MB)
memory/1748-58-0x0000000000400000-0x00000000005F8000-memory.dmp (2.0MB)
The two 0x00400000-0x005F8000 dumps are the sample's mapped image in PID 1608 and PID 1748 (0x1F8000 bytes, matching the 2.0MB file size). The 228KB region at 0x00220000 in PID 1608 is a separate allocation outside the image and is the first place to look for an unpacked stage when verifying the extracted config by hand.