Analysis
max time kernel: 154s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 05-02-2022 19:18

Behavioral task: behavioral1
Sample: 10d47223997a57c61309ef019dd7e7f7279b6ae2c1cf6633c53113fe3034d1de.exe
Resource: win7-en-20211208
General
Target: 10d47223997a57c61309ef019dd7e7f7279b6ae2c1cf6633c53113fe3034d1de.exe
Size: 2.1MB
MD5: 0a9c1233092c30e2f0aa8e6b1d3873d9
SHA1: 6a666f68ef1e059871cce88299476e2175b09217
SHA256: 10d47223997a57c61309ef019dd7e7f7279b6ae2c1cf6633c53113fe3034d1de
SHA512: e37b3556b5bac7bd4ad4cfbde79eef134bc3fa096929534d322feb627dc5c51938e6cf60a2f9a5b54d7302201eeb2872fc3508837c7e33b6e756831ae7b2c7ba
Malware Config
Extracted
qakbot
324.75
spx91
1586289193
173.173.1.164:443
70.62.160.186:6883
68.41.60.225:443
100.40.48.96:443
73.192.209.168:443
93.114.89.119:995
64.19.74.29:995
73.60.148.209:443
66.26.160.37:443
97.96.51.117:443
5.13.221.230:443
68.174.9.179:443
73.137.187.150:443
24.37.178.158:443
47.136.224.60:443
68.39.177.147:995
176.223.46.147:443
72.29.181.77:2078
68.174.15.223:443
50.29.181.193:995
121.139.184.226:443
96.227.122.123:443
47.180.66.10:443
68.49.120.179:443
72.224.215.180:2222
47.202.98.230:443
73.196.57.77:443
184.180.157.203:2222
68.224.192.39:443
86.124.109.100:443
152.32.80.37:443
199.241.223.66:443
206.169.163.147:995
66.225.65.155:32101
173.172.205.216:443
73.226.220.56:443
185.145.113.249:443
50.246.229.50:443
98.190.24.81:443
72.190.101.70:443
62.231.107.180:443
69.47.239.10:443
173.216.174.39:443
73.156.64.203:443
50.244.112.106:443
86.125.141.143:443
98.164.253.75:443
137.119.71.87:443
72.29.181.77:2222
67.209.195.198:3389
47.146.169.85:443
181.126.86.223:443
24.110.14.40:443
39.35.20.148:995
76.175.67.211:443
100.4.185.8:443
208.93.202.49:443
73.23.77.142:443
24.99.180.247:443
69.123.179.70:443
216.163.4.91:443
71.58.21.235:443
173.30.188.202:2222
186.135.13.215:443
72.80.137.215:443
84.247.55.190:443
173.26.65.44:50010
64.121.114.87:443
98.116.119.123:443
71.197.126.250:443
100.33.132.135:443
72.142.106.198:995
66.208.105.6:443
75.88.182.14:22
68.204.164.222:443
104.174.71.153:2222
65.116.179.83:443
85.121.42.12:443
86.107.86.177:443
188.240.233.107:995
217.162.149.212:443
12.5.37.3:443
50.247.230.33:995
174.130.226.180:443
69.246.151.5:443
35.142.24.147:2222
5.2.149.216:443
207.155.106.187:443
24.168.237.215:443
156.96.45.215:443
24.37.178.158:990
62.121.78.22:443
173.173.68.41:443
172.78.27.85:443
98.213.28.175:443
71.193.126.206:443
24.44.180.236:2222
50.29.166.232:995
73.32.109.26:443
47.157.85.96:443
47.40.244.237:443
70.174.3.241:443
70.120.149.173:443
24.234.86.201:995
137.99.224.198:443
173.69.58.179:443
72.231.224.122:2222
24.212.149.77:443
108.190.151.108:2222
100.43.250.74:995
24.37.178.158:995
95.77.223.148:443
79.115.145.238:443
68.14.210.246:22
151.205.102.42:443
70.35.230.57:443
80.11.10.151:990
193.23.5.134:443
72.218.167.183:995
82.210.157.185:443
24.32.119.146:443
81.103.144.77:443
39.59.17.84:995
79.119.20.210:443
86.123.130.104:443
86.125.196.123:443
73.214.231.2:443
108.30.161.143:443
160.2.198.181:443
78.97.27.28:443
184.167.2.251:2222
31.5.205.122:443
68.46.142.48:995
189.140.74.166:443
24.183.39.93:443
69.206.6.71:2222
50.108.212.180:443
98.13.0.128:443
72.228.3.116:443
188.27.17.115:443
172.95.42.35:443
75.110.93.212:443
47.185.167.163:443
188.27.22.162:443
98.116.62.242:443
96.37.113.36:443
172.78.87.180:443
159.242.41.235:443
100.38.164.182:443
47.134.5.231:443
Signatures
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
10d47223997a57c61309ef019dd7e7f7279b6ae2c1cf6633c53113fe3034d1de.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 10d47223997a57c61309ef019dd7e7f7279b6ae2c1cf6633c53113fe3034d1de.exe
Drops file in Windows directory 1 IoCs
Processes:
svchost.exe
description | ioc | process
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
10d47223997a57c61309ef019dd7e7f7279b6ae2c1cf6633c53113fe3034d1de.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc | 10d47223997a57c61309ef019dd7e7f7279b6ae2c1cf6633c53113fe3034d1de.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service | 10d47223997a57c61309ef019dd7e7f7279b6ae2c1cf6633c53113fe3034d1de.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | 10d47223997a57c61309ef019dd7e7f7279b6ae2c1cf6633c53113fe3034d1de.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc | 10d47223997a57c61309ef019dd7e7f7279b6ae2c1cf6633c53113fe3034d1de.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service | 10d47223997a57c61309ef019dd7e7f7279b6ae2c1cf6633c53113fe3034d1de.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | 10d47223997a57c61309ef019dd7e7f7279b6ae2c1cf6633c53113fe3034d1de.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
MusNotifyIcon.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
Modifies data under HKEY_USERS 47 IoCs
Processes:
svchost.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3912" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132887387382765329" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "7.257743" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.006560" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4084" | svchost.exe
Runs ping.exe 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
10d47223997a57c61309ef019dd7e7f7279b6ae2c1cf6633c53113fe3034d1de.exe
10d47223997a57c61309ef019dd7e7f7279b6ae2c1cf6633c53113fe3034d1de.exe
pid | process
1228 | 10d47223997a57c61309ef019dd7e7f7279b6ae2c1cf6633c53113fe3034d1de.exe
1228 | 10d47223997a57c61309ef019dd7e7f7279b6ae2c1cf6633c53113fe3034d1de.exe
2192 | 10d47223997a57c61309ef019dd7e7f7279b6ae2c1cf6633c53113fe3034d1de.exe
2192 | 10d47223997a57c61309ef019dd7e7f7279b6ae2c1cf6633c53113fe3034d1de.exe
2192 | 10d47223997a57c61309ef019dd7e7f7279b6ae2c1cf6633c53113fe3034d1de.exe
2192 | 10d47223997a57c61309ef019dd7e7f7279b6ae2c1cf6633c53113fe3034d1de.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
10d47223997a57c61309ef019dd7e7f7279b6ae2c1cf6633c53113fe3034d1de.exe
cmd.exe
description | pid | process | target process
PID 1228 wrote to memory of 2192 | 1228 | 10d47223997a57c61309ef019dd7e7f7279b6ae2c1cf6633c53113fe3034d1de.exe | 10d47223997a57c61309ef019dd7e7f7279b6ae2c1cf6633c53113fe3034d1de.exe
PID 1228 wrote to memory of 2192 | 1228 | 10d47223997a57c61309ef019dd7e7f7279b6ae2c1cf6633c53113fe3034d1de.exe | 10d47223997a57c61309ef019dd7e7f7279b6ae2c1cf6633c53113fe3034d1de.exe
PID 1228 wrote to memory of 2192 | 1228 | 10d47223997a57c61309ef019dd7e7f7279b6ae2c1cf6633c53113fe3034d1de.exe | 10d47223997a57c61309ef019dd7e7f7279b6ae2c1cf6633c53113fe3034d1de.exe
PID 1228 wrote to memory of 2716 | 1228 | 10d47223997a57c61309ef019dd7e7f7279b6ae2c1cf6633c53113fe3034d1de.exe | cmd.exe
PID 1228 wrote to memory of 2716 | 1228 | 10d47223997a57c61309ef019dd7e7f7279b6ae2c1cf6633c53113fe3034d1de.exe | cmd.exe
PID 1228 wrote to memory of 2716 | 1228 | 10d47223997a57c61309ef019dd7e7f7279b6ae2c1cf6633c53113fe3034d1de.exe | cmd.exe
PID 2716 wrote to memory of 3296 | 2716 | cmd.exe | PING.EXE
PID 2716 wrote to memory of 3296 | 2716 | cmd.exe | PING.EXE
PID 2716 wrote to memory of 3296 | 2716 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\10d47223997a57c61309ef019dd7e7f7279b6ae2c1cf6633c53113fe3034d1de.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\10d47223997a57c61309ef019dd7e7f7279b6ae2c1cf6633c53113fe3034d1de.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\10d47223997a57c61309ef019dd7e7f7279b6ae2c1cf6633c53113fe3034d1de.exe
    command line: C:\Users\Admin\AppData\Local\Temp\10d47223997a57c61309ef019dd7e7f7279b6ae2c1cf6633c53113fe3034d1de.exe /C
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\10d47223997a57c61309ef019dd7e7f7279b6ae2c1cf6633c53113fe3034d1de.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE
      command line: ping.exe -n 6 127.0.0.1
      - Runs ping.exe
C:\Windows\system32\MusNotifyIcon.exe
  command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS