Analysis

Max time kernel: 122s
Max time network: 125s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 11-02-2022 16:06

Behavioral task: behavioral1
Sample: 7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca.exe
Resource: win7-en-20211208
General

Target: 7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca.exe
Size: 2.6MB
MD5: 14c29c6a94f9b6aa43bbcf586dec1fb9
SHA1: 449f2b10320115e98b182204a4376ddc669e1369
SHA256: 7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca
SHA512: 9b8be89d317e023705f5264b4abe9736ab49c61da12beed65b5e897c6e673b713e1e7980026d670f23e75a6a356bde786df3531b69dc0ccaa2585c0ed04fc0b1
Malware Config

Extracted family: qakbot
Version: 324.142
Botnet: spx145
Campaign: 1592822522 (Unix epoch, 2020-06-22 UTC)
C2 (IP:port), as extracted; note the entry with port 0 and the entries on ports such as 21, 53 and 3389, which are not valid or usual C2 endpoints and should be reviewed before blocking:
79.115.207.120:443
156.213.80.140:443
189.160.203.110:443
71.114.39.220:443
189.236.166.167:443
193.248.44.2:2222
206.51.202.106:50003
24.152.219.253:995
2.50.47.97:2222
108.49.221.180:443
207.246.75.201:443
80.240.26.178:443
199.247.16.80:443
207.255.161.8:2222
69.92.54.95:995
199.247.22.145:443
2.50.171.142:443
24.110.14.40:3389
79.101.130.104:995
94.52.160.116:443
172.243.155.62:443
188.192.75.8:443
175.111.128.234:443
74.129.18.56:443
36.77.151.211:443
203.45.104.33:443
118.160.162.77:443
86.126.97.183:2222
185.246.9.69:995
140.82.21.191:443
66.208.105.6:443
206.183.190.53:993
5.12.111.213:443
72.177.157.217:995
98.210.41.34:443
98.242.36.86:443
199.116.241.147:443
49.144.81.46:8443
75.110.250.89:995
219.76.148.142:443
70.174.3.241:443
71.205.158.156:443
78.96.192.26:443
108.190.151.108:2222
81.133.234.36:2222
12.5.37.3:995
210.61.141.92:443
173.70.165.101:995
5.13.84.186:995
68.46.142.48:443
188.27.6.170:443
188.173.70.18:443
86.124.13.101:443
5.13.74.26:443
68.190.152.98:443
96.56.237.174:990
175.143.12.8:443
79.113.224.85:443
2.51.240.61:995
95.76.27.89:443
5.12.243.211:443
24.183.39.93:443
86.124.228.254:443
5.193.178.241:2078
2.88.186.229:443
108.227.161.27:995
188.192.75.8:995
98.32.60.217:443
176.223.35.19:2222
24.42.14.241:443
70.95.118.217:443
68.225.56.31:443
191.84.11.112:443
72.204.242.138:50001
173.22.120.11:2222
64.121.114.87:443
68.60.221.169:465
92.17.167.87:2222
47.138.200.85:443
71.187.7.239:443
151.205.102.42:443
72.179.13.59:443
172.113.74.96:443
5.193.61.212:2222
47.28.135.155:443
188.26.243.186:443
41.228.206.99:443
117.218.208.239:443
203.122.7.82:443
39.36.61.58:995
49.207.105.25:443
59.124.10.133:443
89.44.196.211:443
79.117.129.171:21
24.110.96.149:443
184.90.139.176:2222
82.79.67.68:443
86.153.98.35:2222
101.108.4.251:443
209.182.122.217:443
89.32.220.79:443
104.50.141.139:995
85.204.189.105:443
94.10.81.239:443
211.24.72.253:443
110.142.205.182:443
86.124.105.88:443
72.90.243.117:0
41.225.231.43:443
87.65.204.240:995
62.121.123.57:443
47.153.115.154:990
66.30.92.147:443
49.191.4.245:443
47.180.66.10:443
97.93.211.17:443
65.100.247.6:2083
65.131.43.76:995
45.45.51.182:2222
98.219.77.197:443
166.62.180.194:2078
72.16.212.108:995
73.217.4.42:443
76.187.8.160:443
67.182.188.217:443
37.182.238.170:2222
117.216.227.70:443
74.222.204.82:443
89.137.77.237:443
82.77.169.118:2222
188.27.36.190:443
108.39.93.45:443
72.181.9.163:443
58.233.220.182:443
73.137.187.150:443
97.127.144.203:2222
103.76.160.110:443
37.156.243.67:995
67.246.16.250:995
182.185.7.220:995
82.81.172.21:443
117.199.6.105:443
216.163.4.132:443
199.102.55.87:53
96.244.45.155:443
122.147.204.4:443
89.45.107.209:443
35.142.12.163:2222
73.94.229.115:443
165.0.3.95:995
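The C2 list above is only useful once it has been normalised: the same host appears with more than one port (188.192.75.8 on 443 and 995), one entry carries port 0, and a few sit on ports (21, 53, 3389) that would produce noisy rules. The script below is an added example, not part of the sandbox report or of any Qakbot tooling; it parses "ip:port" lines, rejects entries that cannot be routed or blocked, lists endpoints on unusual ports for manual review, and emits one Suricata alert rule per (ip, port) with deterministic sids. The embedded C2_SAMPLE is a constructed subset of the report's list so the script runs offline; the EXPECTED_PORTS set and the sid range are assumptions for this example.

```python
"""Normalise an extracted Qakbot C2 list into deduplicated indicators
and Suricata rules.  Added example; not code from the sandbox report."""
import ipaddress
from collections import defaultdict

# Constructed subset of the report's C2 list (one "ip:port" per line),
# deliberately including a duplicate host, a port-0 entry and odd ports.
C2_SAMPLE = """\
79.115.207.120:443
188.192.75.8:443
188.192.75.8:995
72.90.243.117:0
199.102.55.87:53
79.117.129.171:21
24.110.14.40:3389
206.51.202.106:50003
188.192.75.8:443
"""

# Ports on which this family's C2 usually hides among ordinary traffic
# (assumption for this example, drawn from the ports in the report's list).
# Anything else is still an indicator but deserves a look before blocking.
EXPECTED_PORTS = {443, 995, 993, 2222, 465, 990, 2078, 2083, 8443, 50001, 50003}


def parse_c2_lines(text):
    """Return ({ip: set(ports)}, [rejected_lines]).

    Rejects malformed lines, private/loopback addresses and port 0: port 0
    is not a routable endpoint, so treat it as an extractor artefact rather
    than something to push into a blocklist."""
    hosts = defaultdict(set)
    rejected = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        ip_str, _, port_str = line.rpartition(":")
        try:
            ip = ipaddress.ip_address(ip_str)   # raises on "" or garbage
            port = int(port_str)
        except ValueError:
            rejected.append(line)
            continue
        if not (1 <= port <= 65535) or ip.is_private or ip.is_loopback:
            rejected.append(line)
            continue
        hosts[str(ip)].add(port)
    return dict(hosts), rejected


def unusual_ports(hosts):
    """Endpoints outside EXPECTED_PORTS (e.g. DNS, FTP, RDP).  These are
    typically infected victims or proxies reused as C2; review manually."""
    return sorted((ip, p) for ip, ports in hosts.items()
                  for p in ports if p not in EXPECTED_PORTS)


def suricata_rules(hosts, base_sid=9000000, msg_prefix="Qakbot spx145 C2"):
    """One alert rule per (ip, port).  Sorting by numeric address keeps the
    sid assignment deterministic across re-runs over an updated config.
    (Sorting assumes IPv4 only, which holds for this family's configs.)"""
    rules = []
    sid = base_sid
    for ip in sorted(hosts, key=ipaddress.ip_address):
        for port in sorted(hosts[ip]):
            rules.append(
                f"alert ip $HOME_NET any -> {ip} {port} "
                f'(msg:"{msg_prefix} {ip}:{port}"; sid:{sid}; rev:1;)'
            )
            sid += 1
    return rules


if __name__ == "__main__":
    hosts, rejected = parse_c2_lines(C2_SAMPLE)
    print(f"{len(hosts)} hosts, "
          f"{sum(len(p) for p in hosts.values())} endpoints, rejected={rejected}")
    print("review before blocking:", unusual_ports(hosts))
    print("\n".join(suricata_rules(hosts)))
```

Run it against the full list from the report by replacing C2_SAMPLE; the rejected list and the unusual-port list are the two things to eyeball before the rules go anywhere near a sensor, since blocking a residential IP on 3389 or a host on 53 can break legitimate traffic for the actual owner of that address.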
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 2 IoCs)

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes (pid | process):
2008 | 7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca.exe
572 | 7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca.exe
572 | 7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes (description | source pid | source process -> target process | occurrences):
PID 2008 wrote to memory of 572 | 2008 | 7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca.exe -> 7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca.exe | 4
PID 2008 wrote to memory of 1340 | 2008 | 7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca.exe -> cmd.exe | 4
PID 1340 wrote to memory of 1648 | 1340 | cmd.exe -> PING.EXE | 4
PID 1832 wrote to memory of 1092 | 1832 | cmd.exe -> PING.EXE | 3
Processes

1. C:\Users\Admin\AppData\Local\Temp\7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca.exe"
   Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
   PID: 2008

   2. C:\Users\Admin\AppData\Local\Temp\7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca.exe /C
      Signatures: Suspicious behavior: EnumeratesProcesses
      PID: 572

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca.exe"
      Signatures: Suspicious use of WriteProcessMemory
      PID: 1340

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping.exe -n 6 127.0.0.1
         Signatures: Runs ping.exe
         PID: 1648

1. C:\Windows\system32\verclsid.exe
   Command line: "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
   PID: 608

1. C:\Windows\system32\cmd.exe
   Command line: "C:\Windows\system32\cmd.exe"
   Signatures: Suspicious use of WriteProcessMemory
   PID: 1832

   2. C:\Windows\system32\PING.EXE
      Command line: ping 8.8.8.8
      Signatures: Runs ping.exe
      PID: 1092

Notes on the tree: the sample (2008) re-launches its own image with /C (572) and writes into that child's memory, and separately spawns cmd.exe (1340) whose one-liner waits roughly six seconds via ping -n 6 127.0.0.1 and then redirects the contents of calc.exe over the sample's own file on disk, so the original dropper is replaced by a benign binary once the injected child is running. The image path C:\Windows\SysWOW64\cmd.exe next to a command line naming System32 is WOW64 file-system redirection for a 32-bit parent, not tampering with the command line.
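The two behaviours visible in the tree above (a process re-executing its own image with /C, and a cmd.exe child that delays with a localhost ping and then redirects a file over its parent's own executable) are both detectable from process-creation telemetry without any knowledge of the packer. The script below is an added example, not code from the sandbox or from any detection product; it runs two checks over constructed records shaped like Sysmon Event ID 1 fields (ParentImage, Image, CommandLine), which is an assumption about the log source. The records follow the report's process tree, with the sample's own parent (explorer.exe) and a benign admin one-liner added as assumptions to show that a plain "ping then redirect" match is not enough on its own: the redirect target must equal the parent's image.

```python
"""Detect Qakbot-style self-overwrite and self-re-exec from process events.
Added example; record layout mimics Sysmon Event ID 1 (assumption)."""
import re

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca.exe")

# Constructed events after the report's process tree.  Parent of 2008 and
# the last (benign) record are assumptions, not from the report.
EVENTS = [
    {"ProcessId": 2008, "ParentImage": r"C:\Windows\explorer.exe", "Image": SAMPLE_EXE,
     "CommandLine": f'"{SAMPLE_EXE}"'},
    {"ProcessId": 572, "ParentImage": SAMPLE_EXE, "Image": SAMPLE_EXE,
     "CommandLine": f"{SAMPLE_EXE} /C"},
    {"ProcessId": 1340, "ParentImage": SAMPLE_EXE, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": ('"C:\\Windows\\System32\\cmd.exe" /c ping.exe -n 6 127.0.0.1 & '
                     f'type "C:\\Windows\\System32\\calc.exe" > "{SAMPLE_EXE}"')},
    {"ProcessId": 1832, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\system32\cmd.exe", "CommandLine": '"C:\\Windows\\system32\\cmd.exe"'},
    # Benign: same ping-then-redirect shape, but the target is not the parent.
    {"ProcessId": 4000, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\system32\cmd.exe",
     "CommandLine": '"C:\\Windows\\system32\\cmd.exe" /c ping -n 3 127.0.0.1 & '
                    'type C:\\logs\\a.txt > C:\\logs\\b.txt'},
]

# "ping -n N 127.0.0.1" used purely as a sleep before the overwrite.
PING_DELAY = re.compile(
    r"\bping(?:\.exe)?\s+-n\s+(\d+)\s+(?:127\.0\.0\.1|localhost)\b", re.I)
# "type <source> > <target>" with optional quoting on either path.
TYPE_REDIRECT = re.compile(r'\btype\s+"?(.+?)"?\s*>\s*"?(.+?)"?\s*$', re.I)


def _norm(path):
    """Case-fold and strip quotes so command-line and image paths compare."""
    return path.strip().strip('"').lower()


def detect_self_overwrite(events):
    """cmd.exe children that sleep via localhost ping, then redirect a file
    onto the parent's own image.  Matching on the parent image (not just
    the command shape) is what keeps ordinary scripts out of the results."""
    findings = []
    for ev in events:
        if not _norm(ev["Image"]).endswith("\\cmd.exe"):
            continue
        cmd = ev["CommandLine"]
        delay, redirect = PING_DELAY.search(cmd), TYPE_REDIRECT.search(cmd)
        if not (delay and redirect):
            continue
        source, target = (_norm(p) for p in redirect.groups())
        if target == _norm(ev["ParentImage"]):
            findings.append({"pid": ev["ProcessId"], "parent": ev["ParentImage"],
                             "delay_pings": int(delay.group(1)),
                             "overwritten_with": source})
    return findings


def detect_self_reexec(events):
    """PIDs whose image equals the parent's image and whose command line
    carries a /C switch: the re-launch the parent then injects into."""
    return [ev["ProcessId"] for ev in events
            if _norm(ev["Image"]) == _norm(ev["ParentImage"])
            and re.search(r"\s/C\b", ev["CommandLine"], re.I)]


if __name__ == "__main__":
    for hit in detect_self_overwrite(EVENTS):
        print("self-overwrite:", hit)
    print("self-re-exec pids:", detect_self_reexec(EVENTS))
```

Pairing the two checks on the same parent PID is the useful correlation: a process that both re-executes itself with /C and has a cmd.exe child overwriting its own file is a strong signal regardless of the hash, and the overwritten file on disk is a reminder that the memory dump of the child (the 0x400000 region in PID 572 under Downloads) is what to analyse, not the on-disk sample, if the machine is imaged after the ping delay expires.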
Network
MITRE ATT&CK Enterprise v6
Downloads

memory/572-58-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize 232KB)
memory/608-59-0x000007FEFBF81000-0x000007FEFBF83000-memory.dmp (Filesize 8KB)
memory/2008-54-0x00000000760F1000-0x00000000760F3000-memory.dmp (Filesize 8KB)
memory/2008-55-0x0000000000220000-0x0000000000257000-memory.dmp (Filesize 220KB)
memory/2008-57-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize 232KB)