Analysis
- max time kernel: 135s
- max time network: 120s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 05-02-2022 17:29
Behavioral task: behavioral1
Sample: 2a3915d38dcc4e9897a62ff014b6adcebdfd4f4d55c907329ad539d1d13784dd.exe
Resource: win7-en-20211208
General
- Target: 2a3915d38dcc4e9897a62ff014b6adcebdfd4f4d55c907329ad539d1d13784dd.exe
- Size: 2.3MB
- MD5: 51ef7ab29ff078954cde12e57af0c290
- SHA1: f7dbe4d2f84d55a2f85baf5b58e6a452e04007fc
- SHA256: 2a3915d38dcc4e9897a62ff014b6adcebdfd4f4d55c907329ad539d1d13784dd
- SHA512: ead5962cf7057b102d9dfe38187df0e4e90b75f08ae53a85603e6b224fa228b8b56c8f7290b3642e6c28d6dd66c47b9a5ebf19fd7321b3fa93535f4c9e438fec
Malware Config
Extracted
qakbot
324.127
spx98
1587042061
24.37.178.158:990
24.110.96.149:443
68.1.171.93:443
24.210.45.215:443
77.159.149.74:443
72.190.101.70:443
71.187.170.235:443
24.110.14.40:443
46.102.52.24:443
96.234.20.230:443
184.57.17.74:443
47.153.115.154:993
72.142.106.198:995
12.5.37.3:443
168.103.52.51:995
216.163.4.91:443
100.4.185.8:443
72.172.49.164:443
5.2.149.216:443
47.202.98.230:443
24.168.237.215:443
156.96.45.215:443
68.207.39.244:2222
98.213.28.175:443
72.16.57.99:443
47.153.115.154:995
184.167.2.251:2222
207.255.18.67:443
50.246.229.50:443
24.201.79.208:2078
85.7.22.186:2222
70.95.94.91:2078
73.163.242.114:443
70.57.15.187:993
5.14.253.163:443
209.182.121.133:2222
85.204.189.105:443
24.228.7.174:443
68.39.207.79:443
172.95.42.35:443
97.96.51.117:443
46.214.62.199:443
86.126.205.201:443
35.138.46.16:443
79.78.131.124:443
173.175.29.210:443
206.255.163.120:443
188.25.162.108:443
201.152.165.97:995
188.26.142.13:443
46.102.91.19:443
86.126.122.243:443
74.135.85.117:443
173.173.68.41:443
68.82.125.234:443
63.230.2.205:2083
206.183.190.53:995
107.2.148.99:443
188.173.185.139:443
72.183.241.2:443
79.118.20.164:443
72.190.30.180:443
86.126.49.109:443
86.123.211.28:443
47.185.167.163:443
73.214.231.2:443
86.125.193.90:443
85.121.42.12:443
95.77.144.238:443
108.49.221.180:443
46.214.156.146:443
184.8.90.251:443
121.139.184.226:443
174.55.134.59:443
94.52.124.226:443
72.224.213.98:2222
208.93.202.49:443
47.214.144.253:443
104.235.73.89:443
81.103.144.77:443
83.25.7.201:2222
93.113.177.152:443
75.110.250.89:443
190.198.103.228:2078
50.78.93.74:443
66.208.105.6:443
67.165.206.193:995
72.190.124.29:443
96.37.113.36:443
74.129.26.223:443
100.40.48.96:443
65.131.79.162:995
73.169.47.57:443
24.37.178.158:995
41.96.9.130:443
50.108.212.180:443
195.162.106.93:2222
24.184.5.251:2222
23.24.115.181:443
173.79.220.156:443
96.41.93.96:443
70.183.127.6:995
172.78.87.180:443
31.5.189.71:443
173.70.165.101:995
208.126.142.17:443
24.55.152.50:995
108.227.161.27:995
108.190.151.108:2222
72.209.191.27:443
86.126.74.125:443
173.22.120.11:2222
121.121.119.6:443
89.137.162.193:443
181.197.195.138:995
86.107.81.40:443
37.105.82.82:443
71.220.222.169:443
72.80.137.215:443
76.180.69.236:443
98.199.226.41:443
95.77.223.148:443
73.73.53.90:443
108.54.103.234:443
100.1.239.189:443
86.127.12.161:21
80.11.10.151:990
104.36.135.227:443
76.170.77.99:443
86.125.208.132:443
70.62.160.186:6883
73.226.220.56:443
74.33.70.30:443
47.41.3.40:443
49.191.9.180:995
65.116.179.83:443
79.114.194.106:443
47.153.115.154:443
108.27.217.44:443
24.202.42.48:2222
68.174.15.223:443
64.19.74.29:995
70.170.111.174:443
31.5.21.66:443
24.37.178.158:443
47.136.224.60:443
72.29.181.77:2078
50.29.181.193:995
80.14.209.42:2222
47.180.66.10:443
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
  pid   process
  1312  2a3915d38dcc4e9897a62ff014b6adcebdfd4f4d55c907329ad539d1d13784dd.exe
  1184  2a3915d38dcc4e9897a62ff014b6adcebdfd4f4d55c907329ad539d1d13784dd.exe
  1184  2a3915d38dcc4e9897a62ff014b6adcebdfd4f4d55c907329ad539d1d13784dd.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  description                       pid   process                                                                  target process
  PID 1312 wrote to memory of 1184  1312  2a3915d38dcc4e9897a62ff014b6adcebdfd4f4d55c907329ad539d1d13784dd.exe  2a3915d38dcc4e9897a62ff014b6adcebdfd4f4d55c907329ad539d1d13784dd.exe
  PID 1312 wrote to memory of 1184  1312  2a3915d38dcc4e9897a62ff014b6adcebdfd4f4d55c907329ad539d1d13784dd.exe  2a3915d38dcc4e9897a62ff014b6adcebdfd4f4d55c907329ad539d1d13784dd.exe
  PID 1312 wrote to memory of 1184  1312  2a3915d38dcc4e9897a62ff014b6adcebdfd4f4d55c907329ad539d1d13784dd.exe  2a3915d38dcc4e9897a62ff014b6adcebdfd4f4d55c907329ad539d1d13784dd.exe
  PID 1312 wrote to memory of 1184  1312  2a3915d38dcc4e9897a62ff014b6adcebdfd4f4d55c907329ad539d1d13784dd.exe  2a3915d38dcc4e9897a62ff014b6adcebdfd4f4d55c907329ad539d1d13784dd.exe
  PID 1312 wrote to memory of 1576  1312  2a3915d38dcc4e9897a62ff014b6adcebdfd4f4d55c907329ad539d1d13784dd.exe  cmd.exe
  PID 1312 wrote to memory of 1576  1312  2a3915d38dcc4e9897a62ff014b6adcebdfd4f4d55c907329ad539d1d13784dd.exe  cmd.exe
  PID 1312 wrote to memory of 1576  1312  2a3915d38dcc4e9897a62ff014b6adcebdfd4f4d55c907329ad539d1d13784dd.exe  cmd.exe
  PID 1312 wrote to memory of 1576  1312  2a3915d38dcc4e9897a62ff014b6adcebdfd4f4d55c907329ad539d1d13784dd.exe  cmd.exe
  PID 1576 wrote to memory of 1696  1576  cmd.exe                                                                  PING.EXE
  PID 1576 wrote to memory of 1696  1576  cmd.exe                                                                  PING.EXE
  PID 1576 wrote to memory of 1696  1576  cmd.exe                                                                  PING.EXE
  PID 1576 wrote to memory of 1696  1576  cmd.exe                                                                  PING.EXE
Processes (tree; depth shown by indentation)
- [1] C:\Users\Admin\AppData\Local\Temp\2a3915d38dcc4e9897a62ff014b6adcebdfd4f4d55c907329ad539d1d13784dd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2a3915d38dcc4e9897a62ff014b6adcebdfd4f4d55c907329ad539d1d13784dd.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\2a3915d38dcc4e9897a62ff014b6adcebdfd4f4d55c907329ad539d1d13784dd.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\2a3915d38dcc4e9897a62ff014b6adcebdfd4f4d55c907329ad539d1d13784dd.exe /C
    - Suspicious behavior: EnumeratesProcesses
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\2a3915d38dcc4e9897a62ff014b6adcebdfd4f4d55c907329ad539d1d13784dd.exe"
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping.exe -n 6 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1184-57-0x0000000000400000-0x0000000000649000-memory.dmp (Filesize: 2.3MB)
- memory/1312-53-0x0000000075D51000-0x0000000075D53000-memory.dmp (Filesize: 8KB)
- memory/1312-54-0x00000000007E0000-0x0000000000819000-memory.dmp (Filesize: 228KB)
- memory/1312-55-0x0000000000400000-0x0000000000649000-memory.dmp (Filesize: 2.3MB)