Analysis
-
max time kernel
70s -
max time network
48s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 10:47
Behavioral task
behavioral1
Sample
736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe
Resource
win7-20220414-en
General
-
Target
736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe
-
Size
2.6MB
-
MD5
7d05b151fd2b28582cfca8ca8ceaa58f
-
SHA1
6d4d8baf550550ebd1e15f3b3a697f8516fe79cf
-
SHA256
736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9
-
SHA512
5e6b7105b5e36581a43b9d6e6e460c6ea08618a3b8fbad52f2aafdee4f4162dc40e6a723b03488dcf7f200ee251f3588c41cc41149739dfccc65988b29b77fb2
Malware Config
Extracted
qakbot
324.142
spx135
1591627649
89.32.216.156:443
74.222.204.82:443
24.183.39.93:443
97.93.211.17:443
80.14.209.42:2222
96.35.170.82:2222
151.73.124.242:443
98.110.231.63:443
108.227.161.27:995
173.3.132.17:995
31.5.41.52:443
24.122.228.88:443
5.107.208.94:2222
76.185.136.58:443
50.29.166.232:995
73.210.114.187:443
92.114.107.193:995
24.43.22.220:993
50.247.230.33:995
72.142.106.198:465
102.41.122.185:995
67.131.59.17:443
184.98.104.7:995
69.11.247.242:443
201.127.4.70:443
72.204.242.138:50003
189.231.198.212:443
5.14.44.173:2222
5.14.76.156:443
151.205.102.42:443
179.51.23.31:443
72.190.101.70:443
73.76.47.127:443
80.240.26.178:443
72.36.59.46:2222
73.209.113.58:443
68.49.120.179:443
69.92.54.95:995
187.19.151.218:995
50.244.112.10:443
66.222.88.126:995
207.255.161.8:32102
108.58.9.238:995
105.98.154.57:443
98.219.77.197:443
216.163.4.91:443
47.152.210.233:443
178.223.17.74:995
72.204.242.138:20
82.127.193.151:2222
50.91.171.137:443
172.242.80.243:443
189.163.110.244:443
108.30.125.94:443
104.50.141.139:995
73.94.229.115:443
67.83.54.76:2222
72.29.181.77:2078
188.24.102.178:443
66.68.22.151:443
24.122.157.93:443
72.204.242.138:53
172.87.134.226:443
118.160.164.140:443
173.49.122.160:995
71.187.170.235:443
134.0.196.46:995
75.81.25.223:443
92.17.167.87:2222
185.246.9.69:995
70.123.92.175:2222
82.37.242.8:443
108.51.73.186:443
137.99.222.152:443
100.38.164.182:443
75.137.239.211:443
24.43.22.220:995
24.99.180.247:443
96.56.237.174:993
72.204.242.138:80
79.114.196.97:443
72.204.242.138:443
72.240.245.253:443
24.202.42.48:2222
46.102.60.186:443
200.113.201.83:993
98.27.176.35:443
47.201.1.210:443
50.78.93.74:443
68.60.221.169:465
66.26.160.37:443
190.198.124.212:2078
65.131.83.170:995
50.244.112.106:443
72.204.242.138:32102
77.159.149.74:443
184.96.155.4:993
72.16.212.108:465
47.153.115.154:995
72.240.200.181:2222
24.46.40.189:2222
68.82.125.234:443
188.173.70.18:443
47.40.244.237:443
5.13.105.2:443
76.30.66.244:443
5.14.188.235:443
72.204.242.138:995
5.69.56.255:443
5.14.248.119:443
188.192.75.8:443
24.27.82.216:2222
98.118.156.172:443
189.236.218.181:443
72.204.242.138:2078
47.41.3.40:443
108.28.90.129:443
184.89.71.68:443
31.50.210.205:2222
95.76.27.89:443
207.255.161.8:443
149.71.50.158:443
98.222.23.221:443
96.56.237.174:32103
68.116.193.239:443
100.38.123.22:443
47.24.47.218:443
24.110.96.149:443
181.91.254.1:443
96.18.240.158:443
67.165.206.193:995
69.28.222.54:443
98.243.187.85:443
184.180.157.203:2222
47.136.224.60:443
73.90.4.146:443
207.255.161.8:2222
203.33.139.134:443
104.221.4.11:2222
72.228.3.116:443
72.209.191.27:443
97.127.136.28:0
108.45.29.12:443
2.89.100.34:443
64.19.74.29:995
208.82.44.203:443
199.247.16.80:443
199.247.22.145:443
89.43.108.19:443
71.182.142.63:443
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exepid process 1800 736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe 956 736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe 956 736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.execmd.exedescription pid process target process PID 1800 wrote to memory of 956 1800 736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe 736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe PID 1800 wrote to memory of 956 1800 736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe 736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe PID 1800 wrote to memory of 956 1800 736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe 736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe PID 1800 wrote to memory of 956 1800 736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe 736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe PID 1800 wrote to memory of 632 1800 736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe cmd.exe PID 1800 wrote to memory of 632 1800 736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe cmd.exe PID 1800 wrote to memory of 632 1800 736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe cmd.exe PID 1800 wrote to memory of 632 1800 736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe cmd.exe PID 632 wrote to memory of 1132 632 cmd.exe PING.EXE PID 632 wrote to memory of 1132 632 cmd.exe PING.EXE PID 632 wrote to memory of 1132 632 cmd.exe PING.EXE PID 632 wrote to memory of 1132 632 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe"C:\Users\Admin\AppData\Local\Temp\736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exeC:\Users\Admin\AppData\Local\Temp\736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe /C2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping.exe -n 6 127.0.0.13⤵
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/632-60-0x0000000000000000-mapping.dmp
-
memory/956-57-0x0000000000000000-mapping.dmp
-
memory/956-59-0x0000000000400000-0x000000000069F000-memory.dmpFilesize
2.6MB
-
memory/1132-61-0x0000000000000000-mapping.dmp
-
memory/1800-54-0x0000000075C71000-0x0000000075C73000-memory.dmpFilesize
8KB
-
memory/1800-55-0x0000000000220000-0x0000000000257000-memory.dmpFilesize
220KB
-
memory/1800-56-0x0000000000400000-0x000000000069F000-memory.dmpFilesize
2.6MB