Analysis
- max time kernel: 42s
- max time network: 63s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 24-02-2022 08:45

Static task: static1
Behavioral task: behavioral1
- Sample: 11552-QA-F-CTI.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 11552-QA-F-CTI.exe
- Resource: win10v2004-en-20220113
General
- Target: 11552-QA-F-CTI.exe
- Size: 560KB
- MD5: 10b77750d1d656f0e36f97b88a029c4b
- SHA1: 3999306417352fc9628d936f5061a37fc8432229
- SHA256: 9668d6b2a50e0ae7476c325b09ad36a1d9284ece981f63cea884763e6cab468c
- SHA512: 18d6062065b2c4c6408b323680e396063eb9e46463fdabedd8a2bc3b18d29c3e659d5ee6767ba0c367eea79ce94823ae273783076c1689b3e31d7d1bd81b3c3a
Malware Config
Extracted
qakbot
323.91
1571042641
- Protocol: ftp - Host: 192.185.5.208 - Port: 21 - Username: logger@dustinkeeling.com - Password: NxdkxAp4dUsY
- Protocol: ftp - Host: 162.241.218.118 - Port: 21 - Username: logger@misterexterior.com - Password: EcOV0DyGVgVN
- Protocol: ftp - Host: 69.89.31.139 - Port: 21 - Username: cpanel@vivekharris-architects.com - Password: fcR7OvyLrMW6!
- Protocol: ftp - Host: 169.207.67.14 - Port: 21 - Username: cpanel@dovetailsolar.com - Password: eQyicNLzzqPN
98.186.90.192:995
2.50.170.151:443
74.194.4.181:443
70.74.159.126:2222
75.70.218.193:443
96.59.11.86:443
168.245.228.71:443
173.22.120.11:2222
71.77.231.251:443
24.184.6.58:2222
108.5.32.66:443
64.19.74.29:995
68.83.59.107:443
104.3.91.20:995
100.4.185.8:443
96.20.238.2:2087
99.228.242.183:995
206.255.212.179:443
50.247.230.33:443
108.55.23.221:443
105.246.79.97:995
172.78.185.176:443
47.23.101.26:993
68.238.56.27:443
72.213.98.233:443
74.88.112.250:2222
174.16.234.171:993
173.161.148.169:995
50.78.93.74:995
111.125.70.30:2222
47.202.98.230:443
222.195.69.36:2078
217.162.149.212:443
47.23.101.26:465
98.186.155.8:443
70.183.177.71:443
96.20.238.2:2222
69.119.185.172:995
104.152.16.45:995
199.126.92.231:995
174.82.131.155:995
96.20.238.2:2083
24.180.7.155:443
187.202.57.9:995
67.214.8.102:443
123.252.128.47:443
108.160.123.244:443
66.214.75.176:443
96.20.238.2:61201
79.106.13.119:995
176.205.62.156:443
64.20.68.35:2083
76.80.66.226:443
181.90.124.162:443
96.22.239.27:2222
96.20.238.2:2078
108.184.57.213:8443
173.178.129.3:443
12.5.37.3:443
75.69.3.12:443
70.169.2.228:21
207.179.194.91:443
67.10.18.112:993
184.191.62.78:443
72.29.181.77:2083
207.162.184.228:443
206.51.202.106:50002
75.131.72.82:2087
190.120.196.18:443
65.30.12.240:995
71.30.56.170:443
47.214.144.253:443
172.78.45.13:995
110.12.60.117:443
173.247.186.90:990
173.247.186.90:995
174.131.181.120:995
80.14.209.42:2222
76.181.237.223:443
50.246.229.50:443
78.94.55.26:50003
71.197.126.250:443
24.30.69.9:443
68.225.250.136:443
174.48.72.160:443
107.12.140.181:443
75.110.250.89:443
166.62.180.194:2078
173.247.186.90:22
108.45.183.59:443
98.165.206.64:443
62.103.70.217:995
12.176.32.146:443
47.153.115.154:443
68.174.15.223:443
71.93.60.90:443
76.116.128.81:443
162.244.224.166:443
181.126.80.118:443
184.74.101.234:995
75.131.72.82:995
47.146.169.85:443
47.153.115.154:995
75.81.25.223:995
193.154.185.19:995
173.247.186.90:993
172.250.91.246:443
196.194.84.165:2222
2.177.115.198:443
159.118.173.115:995
197.82.208.249:995
192.24.181.185:443
72.16.212.107:995
203.192.232.72:443
86.98.7.248:443
162.244.225.30:443
65.116.179.83:443
70.120.151.69:443
184.180.157.203:2222
104.32.185.213:2222
72.142.106.198:465
23.240.185.215:443
196.194.84.165:0
117.208.254.113:995
104.34.122.18:443
75.110.90.155:443
179.36.9.109:443
47.180.66.10:443
73.137.187.150:443
64.201.125.172:443
47.180.66.10:995
73.138.178.6:443
187.156.73.46:995
69.245.144.167:443
76.174.122.204:443
68.206.128.75:443
75.165.132.69:443
75.165.181.122:443
35.136.74.103:443
96.29.219.77:443
64.150.136.45:443
1.173.254.97:443
72.218.137.100:443
50.46.139.220:443
201.152.122.180:995
200.104.40.85:443
75.110.101.34:443
24.196.158.28:443
190.120.196.18:1194
201.188.97.244:443
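The extracted config above is only useful once it becomes something a firewall or IDS can consume. The following is an added example, not code from the sandbox or from the malware: it parses a constructed excerpt of the config (the ip:port entries are copied from the list above; the one-line FTP credential format is assumed), drops the `196.194.84.165:0` entry because port 0 is not a reachable peer, merges the several ports that some hosts are listed with, and emits one Suricata rule per C2 host. The SID range starting at 1000001 is an assumption.

```python
"""Turn a Qakbot config dump (C2 ip:port list plus FTP credentials) into IOCs.

Added example for this report; not code from the sandbox or from the malware.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt: the ip:port entries are copied from the extracted config
# above; the one-line FTP credential format is an assumption.
SAMPLE_CONFIG = """\
98.186.90.192:995
2.50.170.151:443
96.20.238.2:2087
96.20.238.2:2222
196.194.84.165:2222
196.194.84.165:0
47.23.101.26:993
47.23.101.26:465
Protocol: ftp - Host: 192.185.5.208 - Port: 21 - Username: logger@dustinkeeling.com - Password: NxdkxAp4dUsY
Protocol: ftp - Host: 69.89.31.139 - Port: 21 - Username: cpanel@vivekharris-architects.com - Password: fcR7OvyLrMW6!
"""

C2_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def parse_c2(text):
    """Return {ip: sorted list of ports}.

    Skips lines that are not ip:port, non-global addresses, and ports outside
    1..65535 (the config carries a :0 entry, which is not a reachable peer).
    Several ports for one host collapse into a single entry.
    """
    peers = defaultdict(set)
    for raw in text.splitlines():
        m = C2_LINE.match(raw.strip())
        if not m:
            continue
        ip, port = m.group(1), int(m.group(2))
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if not addr.is_global or not 1 <= port <= 65535:
            continue
        peers[ip].add(port)
    return {ip: sorted(ports) for ip, ports in peers.items()}


def parse_ftp(text):
    """Return the FTP credential records as dicts keyed by lower-case field name."""
    creds = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("-").strip()
        if not line.lower().startswith("protocol:"):
            continue
        fields = {}
        for part in line.split(" - "):
            key, _, value = part.partition(": ")
            fields[key.strip().lower()] = value.strip()
        creds.append(fields)
    return creds


def suricata_rules(peers, sid_start=1000001):
    """One outbound alert rule per C2 host; multiple ports become a port list.

    sid_start is an assumed local SID range, not something from the report.
    """
    rules = []
    for sid, ip in enumerate(sorted(peers, key=ipaddress.ip_address), start=sid_start):
        ports = peers[ip]
        port_expr = str(ports[0]) if len(ports) == 1 else "[" + ",".join(map(str, ports)) + "]"
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port_expr} '
            f'(msg:"Qakbot C2 peer {ip}"; flow:to_server; sid:{sid}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    peers = parse_c2(SAMPLE_CONFIG)
    for rule in suricata_rules(peers):
        print(rule)
    for cred in parse_ftp(SAMPLE_CONFIG):
        print(f"ftp://{cred['host']}:{cred['port']} {cred['username']}")
```

The FTP credentials are worth handling separately from the C2 peers: they are valid logins on third-party hosting accounts, so the useful action is notifying the account owners and blocking outbound FTP to those hosts, not just alerting on them.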
Signatures
-
Executes dropped EXE (2 IoCs)
Processes:
- PID 5032: ohliabod.exe
- PID 4252: ohliabod.exe
Checks SCSI registry key(s) (3 TTPs, 12 IoCs)
SCSI device information is often read to detect sandboxes and virtual machines: the vendor and product strings in the Enum\SCSI key names and the DeviceDesc values identify the (virtual) disk hardware. Here both the submitted sample and the dropped ohliabod.exe read the DeviceDesc and Service values of the disk and CD-ROM entries.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 (ohliabod.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service (ohliabod.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 (ohliabod.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc (ohliabod.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service (ohliabod.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc (11552-QA-F-CTI.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service (11552-QA-F-CTI.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 (11552-QA-F-CTI.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc (ohliabod.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 (11552-QA-F-CTI.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc (11552-QA-F-CTI.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service (11552-QA-F-CTI.exe)
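What a VM check learns from these keys is the vendor and product string encoded in the key name plus the DeviceDesc value. The following is an added example, not code from the sandbox or from the malware: it parses the Enum\SCSI paths listed above into class, vendor and product and compares them, together with a DeviceDesc value, against common hypervisor vendor strings. The marker list and the DeviceDesc values are assumptions; the page shows which values this sample reads, not what it compares them against. The sandbox's devices report vendor DADY, which matches none of the usual markers.

```python
"""Interpret the SCSI Enum keys read in this report as a VM/sandbox check.

Added example; not code from the sandbox or from the malware. Which strings
this sample actually compares against is not on the page: HYPERVISOR_MARKERS
is the usual list and is an assumption, as are the DeviceDesc values below.
"""
import re

# Key paths: \...\Enum\SCSI\<class>&Ven_<vendor>&Prod_<product>[&Rev_x]\<instance>[\<value>]
SCSI_KEY = re.compile(
    r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<ven>[^&\\]+)&Prod_(?P<prod>[^&\\]+)(?:&[^\\]*)?"
    r"\\(?P<inst>[^\\]+)(?:\\(?P<value>[^\\]+))?$",
    re.I,
)

# Vendor/product/description fragments that give away common hypervisors (assumed list).
HYPERVISOR_MARKERS = ("VBOX", "VMWARE", "QEMU", "VIRTUAL", "XEN", "MSFT")

# Constructed input: the two devices this report shows being queried (with assumed
# DeviceDesc values) plus a typical VirtualBox disk for contrast.
SAMPLE_QUERIES = [
    (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc",
     "Disk drive"),
    (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc",
     "CD-ROM Drive"),
    (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VBOX&Prod_HARDDISK\4&1a2b3c4d&0&000000\DeviceDesc",
     "VBOX HARDDISK SCSI Disk Device"),
]


def parse_scsi_key(path):
    """Split an Enum\\SCSI key path into class, vendor, product, instance and the
    value name being read (None when the key itself was opened)."""
    m = SCSI_KEY.search(path)
    if not m:
        return None
    info = m.groupdict()
    for k in ("cls", "ven", "prod"):
        info[k] = info[k].upper()  # the report shows both CDROM&VEN_ and CdRom&Ven_ casing
    return info


def hypervisor_hits(path, device_desc):
    """Markers found in the vendor, product or DeviceDesc of one device."""
    info = parse_scsi_key(path)
    if info is None:
        return []
    haystack = " ".join((info["ven"], info["prod"], device_desc.upper()))
    return [marker for marker in HYPERVISOR_MARKERS if marker in haystack]


def looks_like_vm(queries):
    """True if any queried device carries a hypervisor marker."""
    return any(hypervisor_hits(path, desc) for path, desc in queries)


if __name__ == "__main__":
    for path, desc in SAMPLE_QUERIES:
        print(parse_scsi_key(path)["ven"], parse_scsi_key(path)["prod"], hypervisor_hits(path, desc))
    print("looks like a VM:", looks_like_vm(SAMPLE_QUERIES))
```

Reads of these keys do not show up in Sysmon (it logs registry writes, not opens and queries), so this check is something to look for in sandbox or API-trace output rather than in endpoint telemetry.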
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes:
- PID 2140: 11552-QA-F-CTI.exe (2 events)
- PID 4220: 11552-QA-F-CTI.exe (4 events)
- PID 5032: ohliabod.exe (2 events)
- PID 4252: ohliabod.exe (4 events)
- PID 3496: explorer.exe (4 events)
Suspicious behavior: MapViewOfSection (1 IoCs)
Processes:
- PID 5032: ohliabod.exe
Suspicious use of WriteProcessMemory (16 IoCs)
Processes (source PID -> target PID, source process -> target process, number of writes):
- 2140 -> 4220: 11552-QA-F-CTI.exe -> 11552-QA-F-CTI.exe (3)
- 2140 -> 5032: 11552-QA-F-CTI.exe -> ohliabod.exe (3)
- 2140 -> 4412: 11552-QA-F-CTI.exe -> schtasks.exe (3)
- 5032 -> 4252: ohliabod.exe -> ohliabod.exe (3)
- 5032 -> 3496: ohliabod.exe -> explorer.exe (4)
Processes
Process tree (indentation is the tree depth from the report; PIDs are taken from the WriteProcessMemory signature above):
- C:\Users\Admin\AppData\Local\Temp\11552-QA-F-CTI.exe (PID 2140)
  Command line: "C:\Users\Admin\AppData\Local\Temp\11552-QA-F-CTI.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\11552-QA-F-CTI.exe (PID 4220)
    Command line: C:\Users\Admin\AppData\Local\Temp\11552-QA-F-CTI.exe /C
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Roaming\Microsoft\Klupefxunsuh\ohliabod.exe (PID 5032)
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Klupefxunsuh\ohliabod.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Microsoft\Klupefxunsuh\ohliabod.exe (PID 4252)
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Klupefxunsuh\ohliabod.exe /C
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\explorer.exe (PID 3496)
      Command line: C:\Windows\SysWOW64\explorer.exe
      - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\schtasks.exe (PID 4412)
    Command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn rzzayfwojf /tr "\"C:\Users\Admin\AppData\Local\Temp\11552-QA-F-CTI.exe\" /I rzzayfwojf" /SC ONCE /Z /ST 08:48 /ET 09:00
    - Creates scheduled task(s)
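The schtasks command in the tree above packs several persistence tells into one line: the task runs as SYSTEM, its action is an executable under the user's Temp directory, it is scheduled ONCE a few minutes out, its name is a random-looking string, and /Z deletes it after it runs. The following is an added example, not code from the sandbox: a command-line parser that handles the backslash-escaped inner quotes in the /tr value, and a scoring function run over three constructed process-creation command lines, the first copied from this report and the other two made-up benign lines. The scoring rules are an assumption about what is worth alerting on.

```python
"""Flag schtasks /Create invocations that look like Qakbot-style persistence.

Added example for this report; not code from the sandbox. The detection rules
are an assumption based on the command line in the process tree above.
"""
import re

# Constructed process-creation command lines. The first is copied from this
# report's process tree; the other two are made-up benign lines for contrast.
SAMPLE_COMMAND_LINES = [
    r'"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn rzzayfwojf '
    r'/tr "\"C:\Users\Admin\AppData\Local\Temp\11552-QA-F-CTI.exe\" /I rzzayfwojf" '
    r'/SC ONCE /Z /ST 08:48 /ET 09:00',
    r'schtasks.exe /Create /TN "Backup\Nightly" /TR "C:\Program Files\Backup\run.exe --full" '
    r'/SC DAILY /ST 02:00 /RU svc_backup',
    r'schtasks.exe /Query /TN rzzayfwojf',
]

# Locations a non-admin user can write to; a task action living here is a tell.
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Local\\Temp|Roaming)|Users\\Public|ProgramData|Windows\\Temp)\\", re.I
)


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes and
    the backslash-escaped inner quotes that a quoted /TR payload uses."""
    tokens, cur, in_quotes, i = [], [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == "\\" and i + 1 < len(cmdline) and cmdline[i + 1] == '"':
            cur.append('"')  # escaped quote stays inside the current token
            i += 2
        elif ch == '"':
            in_quotes = not in_quotes
            i += 1
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_schtasks(cmdline):
    """Return (options, flags) for a schtasks command line, or None if the
    image is not schtasks. Options are /key value pairs, flags are bare /key."""
    toks = tokenize(cmdline)
    if not toks:
        return None
    image = toks[0].lower().rsplit("\\", 1)[-1]
    if image not in ("schtasks.exe", "schtasks"):
        return None
    options, flags = {}, set()
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                options[key] = toks[i + 1]
                i += 2
                continue
            flags.add(key)
        i += 1
    return options, flags


def assess(cmdline):
    """Score a schtasks line on the persistence tells seen in this report.
    Returns None for non-schtasks lines; score 0 for queries and plain tasks."""
    parsed = parse_schtasks(cmdline)
    if parsed is None:
        return None
    options, flags = parsed
    reasons = []
    if "create" in flags:
        if options.get("ru", "").upper() in ("SYSTEM", "NT AUTHORITY\\SYSTEM"):
            reasons.append("runs as SYSTEM")
        if USER_WRITABLE.search(options.get("tr", "")):
            reasons.append("task action under a user-writable path")
        if options.get("sc", "").upper() == "ONCE":
            reasons.append("one-shot schedule")
        if "z" in flags:
            reasons.append("/Z deletes the task after it runs")
        if re.fullmatch(r"[a-z]{8,12}", options.get("tn", "")):
            reasons.append("random-looking lowercase task name")
    return {"task": options.get("tn"), "action": options.get("tr", ""),
            "score": len(reasons), "reasons": reasons}


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(assess(line))
```

The /Z flag matters for response: the task deletes itself after the 08:48 run, so a scheduled-task inventory taken later will not show it, and the process-creation log line is the only record of it. Alert on the creation, not on the task's existence.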
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Klupefxunsuh\ohliabod.dat
- MD5: 31198963f8ea55cb2dcc2641fc758d62
- SHA1: ec7804e484f654c09e9f10aaed26511ff7eba378
- SHA256: 470e745f83a989e8ce0a8ab05e5de9e2a716733ac0284f5617d5d089b5b26142
- SHA512: 15014ff3cd409bd1922a019de30aa2be5d7b9dd84fb769dc21d50f3b97404703cd21b8a4ff4db49a215aac0906f14709f07cda1a55c99919bb468d8063c30b11
-
C:\Users\Admin\AppData\Roaming\Microsoft\Klupefxunsuh\ohliabod.exe (hashes identical to the submitted sample: the dropped file is a copy of 11552-QA-F-CTI.exe)
- MD5: 10b77750d1d656f0e36f97b88a029c4b
- SHA1: 3999306417352fc9628d936f5061a37fc8432229
- SHA256: 9668d6b2a50e0ae7476c325b09ad36a1d9284ece981f63cea884763e6cab468c
- SHA512: 18d6062065b2c4c6408b323680e396063eb9e46463fdabedd8a2bc3b18d29c3e659d5ee6767ba0c367eea79ce94823ae273783076c1689b3e31d7d1bd81b3c3a
-
memory/3496-134-0x0000000001060000-0x00000000010F2000-memory.dmp (PID 3496 is the injected explorer.exe)
- Filesize: 584KB
-
memory/3496-135-0x0000000002DA0000-0x0000000002DE1000-memory.dmp (PID 3496 is the injected explorer.exe)
- Filesize: 260KB