Analysis
Max time kernel: 53s
Max time network: 124s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 24-05-2022 22:52

Behavioral task: behavioral1
Sample: f51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33.exe
Resource: win7-20220414-en
General
Target: f51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33.exe
Size: 2.0MB
MD5: 6d2c38664e16c3af259924a6b305f7e9
SHA1: 57e75be243c8fb92079e67ccbe84e770469c634a
SHA256: f51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33
SHA512: 049faf572fb034c6351bbdcf174ebc5434e7f005673a544999bd466f8ad97ea2bb8a69b816c1b58f866ae2c6c96af8795ffb23a5f076ebf14416f096f9e48021
Malware Config
Extracted
Family: qakbot
Version: 324.136
Botnet: spx114
Campaign timestamp: 1588766102 (Unix epoch, 2020-05-06 11:55:02 UTC, about two years before the 24-05-2022 submission; an old build, so the C2 hosts below may no longer be live)
C2 (ip:port; note the mix of 443 with non-standard ports such as 2222, 995, 2083, 1194 and 32102, and the reuse of single addresses such as 72.204.242.138 and 207.255.161.8 on many ports):
78.96.148.177:443
5.13.110.111:443
73.214.231.2:443
98.116.119.123:443
108.190.151.108:2222
186.28.178.94:443
24.226.137.154:443
207.255.158.180:443
46.214.62.199:443
148.75.231.53:443
89.212.207.43:443
102.41.116.213:995
69.88.211.123:443
47.232.26.181:443
89.45.98.163:443
72.36.59.46:2222
5.107.193.147:2222
63.230.2.205:2083
68.134.181.98:443
24.110.96.149:443
172.78.87.180:443
75.110.250.89:443
209.182.121.133:2222
71.213.29.14:995
96.227.122.123:443
86.126.50.168:21
72.183.129.56:443
5.14.209.223:443
66.208.105.6:443
5.13.93.89:995
207.255.161.8:2222
207.255.161.8:2087
1.40.42.4:443
207.255.161.8:995
207.255.161.8:32102
190.158.224.107:443
93.114.122.174:443
5.13.139.175:443
89.46.27.192:443
75.191.188.23:443
187.19.151.218:995
95.77.144.238:443
184.175.37.229:443
68.46.142.48:443
191.84.6.103:443
121.122.68.74:443
94.52.160.116:443
76.169.72.48:443
74.33.70.18:443
81.133.234.36:2222
24.43.22.220:993
72.29.181.77:2078
47.136.224.60:443
89.38.171.30:443
50.244.112.106:443
24.229.245.124:995
72.204.242.138:443
73.163.242.114:443
24.110.14.40:443
87.65.204.240:995
202.77.4.37:443
31.5.21.66:443
66.26.160.37:443
173.172.205.216:443
208.126.142.17:443
76.187.8.160:443
76.173.145.112:443
72.204.242.138:6881
184.98.104.7:995
201.146.188.44:443
81.103.144.77:443
47.146.169.85:443
5.182.39.156:443
47.214.144.253:443
73.210.114.187:443
201.103.13.19:443
71.80.66.107:443
24.55.152.50:995
78.97.3.6:443
184.21.151.81:995
85.204.189.105:443
107.2.148.99:443
67.141.143.110:443
108.183.200.239:443
31.5.189.71:443
72.204.242.138:32102
173.175.29.210:443
71.220.191.200:443
107.5.252.194:443
24.99.180.247:443
79.114.164.47:443
94.52.124.226:443
188.115.130.128:443
78.97.145.242:443
188.25.237.208:443
197.37.182.194:993
99.196.208.246:443
71.172.110.236:443
213.183.224.110:995
69.11.247.242:443
70.174.3.241:443
184.180.157.203:2222
176.223.54.180:443
68.174.15.223:443
47.17.70.45:443
86.97.87.62:443
68.1.171.93:443
188.26.150.82:2222
72.204.242.138:990
75.110.93.212:443
72.204.242.138:2078
134.19.208.152:443
108.31.85.191:1194
63.155.71.107:995
47.185.186.9:443
86.124.13.37:443
172.95.42.35:443
72.204.242.138:993
65.116.179.83:443
100.37.33.10:443
72.204.242.138:50003
86.126.126.75:443
47.152.207.177:443
207.255.161.8:2078
24.202.42.48:2222
108.27.217.44:443
72.204.242.138:53
142.129.227.86:443
68.39.177.147:995
98.16.204.189:995
104.36.135.227:443
79.113.217.79:443
70.171.43.208:443
5.2.149.216:443
72.204.242.138:995
75.137.60.81:443
47.41.3.40:443
184.57.17.74:443
104.235.44.77:443
47.153.115.154:995
79.119.245.1:443
99.18.45.137:995
73.78.149.206:443
65.71.77.90:443
82.210.157.185:443
96.35.170.82:2222
50.78.93.74:443
76.187.97.98:2222
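The extracted C2 list is only useful once it is turned into a port profile and detection rules, so here is an added example of doing that; it is not code from the sandbox report or from any Qakbot tooling. C2_SAMPLE is a constructed subset of the entries listed above (the full list has the same ip:port shape and can be pasted in whole); SID_START and the rule message text are assumptions chosen for illustration.

```python
"""Turn the report's extracted Qakbot C2 list into something a SOC can act on.

Added example; this is not code from the sandbox report or from any Qakbot
tooling. C2_SAMPLE is a constructed subset of the entries on the page (the
full list has the same ip:port shape and can be pasted in whole). SID_START
and the rule message text are assumptions chosen for illustration.
"""
from __future__ import annotations

import ipaddress
from collections import Counter, defaultdict

# Constructed subset of the extracted config's C2 entries, one ip:port per line.
C2_SAMPLE = """\
78.96.148.177:443
108.190.151.108:2222
102.41.116.213:995
86.126.50.168:21
63.230.2.205:2083
72.204.242.138:443
72.204.242.138:6881
72.204.242.138:53
207.255.161.8:32102
108.31.85.191:1194
"""

SID_START = 9000001  # assumed local SID range; pick one your ruleset does not use


def parse_c2(text: str) -> list[tuple[str, int]]:
    """Parse ip:port lines into (ip, port) tuples.

    Blank lines are skipped; anything that is not a valid IP address followed
    by a port raises, because a silently dropped entry is a blind spot in the
    resulting block list.
    """
    entries: list[tuple[str, int]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        host, sep, port = line.rpartition(":")
        if not sep:
            raise ValueError(f"no port in C2 entry: {line!r}")
        ip = ipaddress.ip_address(host.strip("[]"))  # raises on malformed input
        port_no = int(port)
        if not 0 < port_no < 65536:
            raise ValueError(f"port out of range in C2 entry: {line!r}")
        entries.append((str(ip), port_no))
    return entries


def port_profile(entries: list[tuple[str, int]]) -> dict[int, int]:
    """How many C2 entries use each port; shows the mix of 443 and odd ports."""
    return dict(Counter(port for _, port in entries))


def hosts_by_ip(entries: list[tuple[str, int]]) -> dict[str, list[int]]:
    """Group ports per address; an address listed on many ports is a reused node."""
    grouped: dict[str, set[int]] = defaultdict(set)
    for ip, port in entries:
        grouped[ip].add(port)
    return {ip: sorted(ports) for ip, ports in grouped.items()}


def suricata_rules(entries: list[tuple[str, int]], sid_start: int = SID_START) -> list[str]:
    """One alert rule per unique ip:port for outbound connections from $HOME_NET.

    Alert-only on purpose: the addresses in a Qakbot config are compromised
    hosts that change between campaigns, so validate hits before blocking.
    """
    rules = []
    for i, (ip, port) in enumerate(sorted(set(entries))):
        rules.append(
            f"alert tcp $HOME_NET any -> {ip} {port} "
            f'(msg:"Qakbot C2 {ip}:{port} from sandbox config"; flow:to_server; '
            f"sid:{sid_start + i}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    c2 = parse_c2(C2_SAMPLE)
    print(port_profile(c2))
    print({ip: ports for ip, ports in hosts_by_ip(c2).items() if len(ports) > 1})
    print("\n".join(suricata_rules(c2)))
```

Two points the port profile makes obvious: a "443 only" egress policy does not cut this traffic off on its own, and a single address appearing on several ports (72.204.242.138 in the subset) is worth a separate rule on the address alone. Treat the rules as time-bounded; the config timestamp is two years older than the submission.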
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's stock description calls this "likely ransomware behaviour", but that is a generic template for the signature: the extracted config identifies the sample as Qakbot, and no file encryption or ransom note appears anywhere in this run.
- Runs ping.exe (1 TTPs, 1 IoC)
  ping.exe -n 6 127.0.0.1 is a batch-file sleep of roughly five seconds, used here to let the sample's own processes exit before cmd.exe overwrites the sample on disk (see the process tree below).
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 636   f51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33.exe
  PID 1716  f51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33.exe
  PID 1716  f51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Each pair below was recorded four times:
  PID 636 (f51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33.exe) wrote to memory of PID 1716 (f51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33.exe)  x4
  PID 636 (f51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33.exe) wrote to memory of PID 2024 (cmd.exe)  x4
  PID 2024 (cmd.exe) wrote to memory of PID 1788 (PING.EXE)  x4
  All three targets are children that the writing process itself had just created, and a short burst of writes into a newly created child is what process creation itself produces; on its own this is not evidence of code injection. The 636 -> 1716 pair is the sample re-launching its own binary with the /C switch.
Processes
- C:\Users\Admin\AppData\Local\Temp\f51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33.exe (PID 636)
  "C:\Users\Admin\AppData\Local\Temp\f51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\f51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33.exe (PID 1716, child of 636)
    C:\Users\Admin\AppData\Local\Temp\f51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33.exe /C
    - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe (PID 2024, child of 636)
    "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\f51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1788, child of 2024)
      ping.exe -n 6 127.0.0.1
      - Runs ping.exe

Reading the tree:
- The second copy of the sample is started with /C. In public Qakbot analyses this switch is the mode in which a child instance runs the environment (VM/sandbox) checks on behalf of the parent; the child here is flagged only for EnumeratesProcesses, which fits that role.
- cmd.exe then waits about five seconds via ping and copies calc.exe over the original sample. The separator is & rather than &&, so the copy runs whether or not ping succeeds. Windows refuses to open the image file of a running executable for writing, so the delay exists to give PIDs 636 and 1716 time to exit first. After the run, the file at the submission path is a copy of calc.exe and no longer matches the hashes in General; recover the sample from the delivery artifact or from the memory dumps, not from the Temp path.
- The image path is C:\Windows\SysWOW64\cmd.exe while the command line names System32: WoW64 file-system redirection, because the sample is a 32-bit binary running on Windows 7 x64 (consistent with the 0x400000 image base and the 0x7578xxxx region in the memory dumps).
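The "ping delay, then type calc.exe over the parent" command line is the most durable artifact in this tree, so here is an added detection example for it; it is not code from the sandbox report or from Qakbot itself. It runs over constructed process-creation events shaped like Sysmon Event ID 1 (Image, CommandLine, ParentImage). SAMPLE_EVENTS[0] is built from the page's own cmd.exe command line; the other three events are constructed decoys chosen to show what the rule deliberately does not fire on.

```python
"""Detect the Qakbot self-overwrite seen in this report's process tree.

Added example; not code from the sandbox report or from Qakbot itself. It
runs over constructed process-creation events shaped like Sysmon Event ID 1
(Image, CommandLine, ParentImage). SAMPLE_EVENTS[0] is built from the page's
own cmd.exe command line; the other events are constructed decoys.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\f51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33.exe")


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # executable actually run (after WoW64 redirection)
    command_line: str
    parent_image: str


# "ping -n <N> 127.0.0.1" (or localhost): the batch-file sleep.
PING_DELAY = re.compile(
    r"\bping(?:\.exe)?\s+-n\s+\d+\s+(?:127\.0\.0\.1|localhost)\b", re.I)
# "type <src> > <dst>" with optional quotes, ending at the next '&' or end of line.
TYPE_REDIRECT = re.compile(
    r'\btype\s+"?(?P<src>[^"&>]+?)"?\s*>\s*"?(?P<dst>[^"&]+?)"?\s*(?:&|$)', re.I)


def classify(ev: ProcessEvent) -> str | None:
    """Return 'self-overwrite' when cmd.exe delays with ping and then copies a
    file over its own parent's executable, 'exe-overwrite' when the target is
    some other .exe, and None otherwise."""
    if not ev.image.lower().endswith("\\cmd.exe"):
        return None
    if not PING_DELAY.search(ev.command_line):
        return None
    m = TYPE_REDIRECT.search(ev.command_line)
    if not m:
        return None
    dst = m.group("dst").strip()
    if dst.lower() == ev.parent_image.lower():
        return "self-overwrite"
    if dst.lower().endswith(".exe"):
        return "exe-overwrite"
    return None


def scan(events: list[ProcessEvent]) -> list[tuple[str, str]]:
    """(verdict, parent_image) for every event that matches."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            hits.append((verdict, ev.parent_image))
    return hits


SAMPLE_EVENTS = [
    # Built from the report: PID 2024, spawned by the sample (PID 636).
    ProcessEvent(
        image=r"C:\Windows\SysWOW64\cmd.exe",
        command_line=(r'"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & '
                      r'type "C:\Windows\System32\calc.exe" > "' + SAMPLE_EXE + '"'),
        parent_image=SAMPLE_EXE,
    ),
    # Constructed decoy: ping used as a sleep, nothing overwritten.
    ProcessEvent(
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r"cmd.exe /c ping -n 3 127.0.0.1 > nul",
        parent_image=r"C:\Windows\System32\msiexec.exe",
    ),
    # Constructed decoy: same trick aimed at a different executable.
    ProcessEvent(
        image=r"C:\Windows\System32\cmd.exe",
        command_line=(r'"C:\Windows\System32\cmd.exe" /c ping -n 2 127.0.0.1 & '
                      r'type C:\Temp\update.exe > "C:\Program Files\Vendor\agent.exe"'),
        parent_image=r"C:\Temp\updater.exe",
    ),
    # Constructed decoy: plain file copy via type, no delay.
    ProcessEvent(
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r"cmd.exe /c type C:\logs\a.log > C:\logs\b.log",
        parent_image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    ),
]

if __name__ == "__main__":
    for verdict, parent in scan(SAMPLE_EVENTS):
        print(f"{verdict:15} parent={parent}")
```

The tight verdict keys on the redirect target equalling the parent's image path, which is the property that survives when the attacker swaps calc.exe for another donor file or changes the ping count. The comparison here only normalises case; a production rule should also canonicalise 8.3 short names and environment-variable forms of the path, and should keep the looser exe-overwrite tier as a lower-severity signal rather than dropping it.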
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dumps)
memory/636-54-0x0000000075781000-0x0000000075783000-memory.dmp   8KB    PID 636, 0x75781000-0x75783000
memory/636-55-0x0000000000220000-0x0000000000257000-memory.dmp   220KB  PID 636, 0x220000-0x257000 (private, non-image region)
memory/636-56-0x0000000000400000-0x0000000000602000-memory.dmp   2.0MB  PID 636, 0x400000-0x602000 (the sample's own image; same size as the file)
memory/1716-57-0x0000000000000000-mapping.dmp                    PID 1716, mapping record only
memory/1716-59-0x0000000000400000-0x0000000000602000-memory.dmp  2.0MB  PID 1716, 0x400000-0x602000 (image of the /C child)
memory/1788-61-0x0000000000000000-mapping.dmp                    PID 1788, mapping record only
memory/2024-60-0x0000000000000000-mapping.dmp                    PID 2024, mapping record only

The 220KB region in PID 636 is the only dump that is neither the packed image nor a bare mapping record; when a Qakbot config is recovered from a run like this it is normally carved from a region of that kind (the unpacked payload), not from the 2.0MB image, so start there when reproducing the extraction offline.