Analysis
max time kernel: 147s
max time network: 133s
platform: windows7_x64
resource: win7-en-20211208
submitted: 05-02-2022 19:11
Behavioral task: behavioral1
Sample: 127e781e7ccb800f17493c389ad8365c025aedeec07f92ad92e20c61c95d4e28.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: 127e781e7ccb800f17493c389ad8365c025aedeec07f92ad92e20c61c95d4e28.exe
Resource: win10v2004-en-20220113
General
Target: 127e781e7ccb800f17493c389ad8365c025aedeec07f92ad92e20c61c95d4e28.exe
Size: 2.3MB
MD5: 2147a19a25c6ad02e9494331ee70aebf
SHA1: 24cd88cb6e7de1dbfbdcb3d88156f9835d7f4f93
SHA256: 127e781e7ccb800f17493c389ad8365c025aedeec07f92ad92e20c61c95d4e28
SHA512: a45ea001b9a8e389e974a0c0a08993a9648fc3b73eb8ce6ffcb128e7bf48d001337ff5e8d2404a8313f2d03a140c569e9ff4f8b520a1317721cd57e1378602af
Malware Config
Extracted
qakbot
324.127
spx102
1587561129
68.1.171.93:443
98.213.28.175:443
31.5.189.71:443
75.81.25.223:995
86.106.126.91:443
216.201.162.158:443
80.14.209.42:2222
86.122.254.67:2222
98.26.50.62:995
197.166.90.151:443
71.58.21.235:443
78.96.177.188:443
73.137.187.150:443
188.173.185.139:443
46.214.136.6:443
86.124.227.238:443
104.36.135.227:443
76.111.128.194:443
81.245.66.237:995
71.220.222.169:443
50.247.230.33:995
216.163.4.91:443
24.168.237.215:443
70.124.29.226:443
68.60.221.169:465
86.189.181.83:443
2.179.27.180:443
108.185.113.12:443
46.153.115.228:995
176.100.2.192:443
201.209.218.89:2078
186.135.122.22:443
72.16.57.99:443
65.131.79.162:995
67.6.34.43:443
73.94.229.115:443
173.3.132.17:995
24.229.245.124:995
67.165.206.193:995
68.39.177.147:995
72.80.137.215:443
47.203.89.185:443
68.14.210.246:22
74.135.85.117:443
188.25.93.215:443
100.1.239.189:443
152.32.80.37:443
71.74.12.34:443
69.92.54.95:995
148.75.231.53:443
72.142.106.198:995
86.124.1.76:443
47.222.40.131:443
62.121.78.22:443
94.53.92.42:443
71.69.128.2:2222
168.103.52.51:995
72.218.167.183:995
89.43.136.239:443
96.255.188.58:443
202.161.126.168:443
76.172.59.56:2222
206.183.190.53:995
212.126.109.14:443
50.246.229.50:443
47.40.244.237:443
24.210.45.215:443
24.44.180.236:2222
100.38.123.22:443
72.204.242.138:443
72.16.212.107:465
110.142.205.182:443
70.126.76.75:443
100.40.48.96:443
46.214.62.199:443
181.126.86.223:443
73.169.47.57:443
72.204.242.138:53
72.204.242.138:50003
108.54.103.234:443
68.98.142.248:443
24.115.246.224:995
75.82.228.209:443
93.26.180.87:443
58.177.238.186:443
89.34.231.30:443
120.147.67.62:2222
72.78.198.100:443
76.180.69.236:443
209.182.121.133:2222
5.182.39.156:443
47.136.224.60:443
108.227.161.27:995
203.33.139.134:443
72.209.191.27:443
5.193.175.12:2078
68.82.125.234:443
86.126.219.246:443
104.235.116.15:443
76.187.97.98:2222
95.77.144.238:443
184.180.157.203:2222
76.187.8.160:443
97.127.144.203:2222
207.255.158.180:443
98.22.66.236:443
137.99.224.198:443
67.250.184.157:443
96.236.225.10:443
24.55.152.50:995
50.104.67.101:443
173.172.205.216:443
50.244.112.106:443
187.163.101.137:995
96.35.170.82:2222
47.205.231.60:443
79.113.219.121:443
73.214.231.2:443
67.209.195.198:3389
47.146.169.85:443
47.214.144.253:443
89.45.111.127:443
72.204.242.138:993
75.87.161.32:995
108.30.161.143:443
72.132.249.144:995
67.131.59.17:443
24.201.79.208:2078
50.108.212.180:443
5.13.126.243:443
73.23.194.75:443
75.110.250.89:443
68.134.181.98:443
73.60.156.223:443
81.103.144.77:443
94.176.128.176:443
89.137.162.193:443
98.118.156.172:443
118.93.167.173:2222
86.125.208.132:443
174.34.67.106:2222
85.154.102.243:443
121.121.119.6:443
176.223.114.79:443
76.15.41.32:443
79.119.69.76:443
98.23.52.168:22
46.214.139.214:443
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
  pid   process
  2024  127e781e7ccb800f17493c389ad8365c025aedeec07f92ad92e20c61c95d4e28.exe
  1696  127e781e7ccb800f17493c389ad8365c025aedeec07f92ad92e20c61c95d4e28.exe
  1696  127e781e7ccb800f17493c389ad8365c025aedeec07f92ad92e20c61c95d4e28.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description                       pid   process                                                                  target process
  PID 2024 wrote to memory of 1696  2024  127e781e7ccb800f17493c389ad8365c025aedeec07f92ad92e20c61c95d4e28.exe  127e781e7ccb800f17493c389ad8365c025aedeec07f92ad92e20c61c95d4e28.exe
  PID 2024 wrote to memory of 1696  2024  127e781e7ccb800f17493c389ad8365c025aedeec07f92ad92e20c61c95d4e28.exe  127e781e7ccb800f17493c389ad8365c025aedeec07f92ad92e20c61c95d4e28.exe
  PID 2024 wrote to memory of 1696  2024  127e781e7ccb800f17493c389ad8365c025aedeec07f92ad92e20c61c95d4e28.exe  127e781e7ccb800f17493c389ad8365c025aedeec07f92ad92e20c61c95d4e28.exe
  PID 2024 wrote to memory of 1696  2024  127e781e7ccb800f17493c389ad8365c025aedeec07f92ad92e20c61c95d4e28.exe  127e781e7ccb800f17493c389ad8365c025aedeec07f92ad92e20c61c95d4e28.exe
  PID 2024 wrote to memory of 1592  2024  127e781e7ccb800f17493c389ad8365c025aedeec07f92ad92e20c61c95d4e28.exe  cmd.exe
  PID 2024 wrote to memory of 1592  2024  127e781e7ccb800f17493c389ad8365c025aedeec07f92ad92e20c61c95d4e28.exe  cmd.exe
  PID 2024 wrote to memory of 1592  2024  127e781e7ccb800f17493c389ad8365c025aedeec07f92ad92e20c61c95d4e28.exe  cmd.exe
  PID 2024 wrote to memory of 1592  2024  127e781e7ccb800f17493c389ad8365c025aedeec07f92ad92e20c61c95d4e28.exe  cmd.exe
  PID 1592 wrote to memory of 1492  1592  cmd.exe                                                                  PING.EXE
  PID 1592 wrote to memory of 1492  1592  cmd.exe                                                                  PING.EXE
  PID 1592 wrote to memory of 1492  1592  cmd.exe                                                                  PING.EXE
  PID 1592 wrote to memory of 1492  1592  cmd.exe                                                                  PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\127e781e7ccb800f17493c389ad8365c025aedeec07f92ad92e20c61c95d4e28.exe (PID 2024)
  Command line: "C:\Users\Admin\AppData\Local\Temp\127e781e7ccb800f17493c389ad8365c025aedeec07f92ad92e20c61c95d4e28.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\127e781e7ccb800f17493c389ad8365c025aedeec07f92ad92e20c61c95d4e28.exe (PID 1696)
    Command line: C:\Users\Admin\AppData\Local\Temp\127e781e7ccb800f17493c389ad8365c025aedeec07f92ad92e20c61c95d4e28.exe /C
    - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\cmd.exe (PID 1592)
    Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\127e781e7ccb800f17493c389ad8365c025aedeec07f92ad92e20c61c95d4e28.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE (PID 1492)
      Command line: ping.exe -n 6 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
memory/1696-57-0x0000000000400000-0x0000000000646000-memory.dmp (Filesize: 2.3MB)
memory/2024-53-0x00000000751B1000-0x00000000751B3000-memory.dmp (Filesize: 8KB)
memory/2024-54-0x0000000000220000-0x0000000000259000-memory.dmp (Filesize: 228KB)
memory/2024-55-0x0000000000400000-0x0000000000646000-memory.dmp (Filesize: 2.3MB)