Analysis

max time kernel: 91s
max time network: 102s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 07-06-2022 04:24

Static task: static1
Behavioral task: behavioral1
Sample: 1d333fbfed4320a9edc5ff3a37ce8d43c994ef20a3323f34f17f3cafe2300bc0.exe
Resource: win7-20220414-en
General

Target: 1d333fbfed4320a9edc5ff3a37ce8d43c994ef20a3323f34f17f3cafe2300bc0.exe
Size: 1.9MB
MD5: fa586aad3d8b41892966eaeb8fc49ba4
SHA1: 90028aae5925fcf60d8635ee8c37b6e072aedc5f
SHA256: 1d333fbfed4320a9edc5ff3a37ce8d43c994ef20a3323f34f17f3cafe2300bc0
SHA512: b1adcac8c53c7cc9afb2c1d9477a973d83e049a0678c2f89338b21fe966cfeff539ea3a2c855aafa815d5e2892656295599b915ddcc560d53baf32b054c51ea1
Malware Config

Extracted
Family: qakbot
Version: 323.91
Botnet: spx24
Campaign: 1571222456
C2:
207.179.194.91:443
47.214.144.253:443
69.119.185.172:995
72.29.181.77:2083
174.131.181.120:995
137.119.216.25:443
207.162.184.228:443
65.30.12.240:995
190.120.196.18:443
206.51.202.106:50002
80.14.209.42:2222
76.80.66.226:443
173.178.129.3:443
181.90.124.162:443
96.22.239.27:2222
78.94.55.26:50003
24.201.68.105:2078
197.89.78.191:995
108.184.57.213:8443
181.126.80.118:443
24.48.5.105:2222
76.181.237.223:443
12.5.37.3:443
72.213.98.233:443
75.131.239.76:443
24.30.69.9:443
173.247.186.90:990
184.191.62.78:443
71.30.56.170:443
72.218.137.100:443
173.247.186.90:995
172.78.45.13:995
108.45.183.59:443
76.116.128.81:443
162.244.224.166:443
184.74.101.234:995
75.131.72.82:995
47.146.169.85:443
105.246.78.207:995
196.194.66.119:2222
71.93.60.90:443
47.153.115.154:995
173.247.186.90:993
174.48.72.160:443
222.195.69.36:2078
107.12.140.181:443
75.110.250.89:443
70.120.151.69:443
98.165.206.64:443
173.247.186.90:22
62.103.70.217:995
104.34.122.18:443
12.176.32.146:443
47.153.115.154:443
68.174.15.223:443
185.219.83.73:443
108.55.23.221:443
203.192.232.72:443
82.14.7.46:443
74.88.112.250:2222
75.165.181.122:443
24.199.0.138:443
174.16.234.171:993
98.186.90.192:995
181.143.141.226:995
2.50.170.151:443
74.194.4.181:443
70.74.159.126:2222
75.70.218.193:443
96.59.11.86:443
168.245.228.71:443
173.22.120.11:2222
72.132.247.194:995
24.184.6.58:2222
108.5.32.66:443
64.19.74.29:995
2.177.115.198:443
104.3.91.20:995
100.4.185.8:443
24.201.68.105:2087
99.228.242.183:995
75.131.72.82:443
159.118.173.115:995
206.255.212.179:443
209.182.122.217:443
117.208.245.38:995
23.240.185.215:443
68.225.250.136:443
192.24.181.185:443
72.16.212.107:995
188.52.67.251:443
172.78.185.176:443
162.244.225.30:443
65.116.179.83:443
47.23.101.26:993
184.180.157.203:2222
71.77.231.251:443
104.32.185.213:2222
68.238.56.27:443
72.142.106.198:465
166.62.180.194:2078
200.104.249.67:443
176.205.62.156:443
86.98.7.248:443
72.47.115.182:443
75.183.171.155:3389
190.217.1.149:443
123.252.128.47:443
116.58.100.130:443
95.67.210.20:21
217.162.149.212:443
174.82.131.155:995
24.201.68.105:2083
50.78.93.74:995
111.125.70.30:2222
173.233.182.249:443
24.201.68.105:61201
66.214.75.176:443
50.247.230.33:443
67.10.18.112:993
47.202.98.230:443
67.214.8.102:443
108.160.123.244:443
47.23.101.26:465
5.182.39.156:443
181.197.195.138:995
187.206.23.167:995
201.152.122.180:995
98.186.155.8:443
173.172.205.216:443
70.183.177.71:443
90.43.142.61:2222
24.201.68.105:2222
104.152.16.45:995
50.246.229.50:443
199.126.92.231:995
175.138.7.101:443
1.172.103.196:443
24.27.82.216:2222
172.250.91.246:443
75.90.234.95:443
24.180.7.155:443
99.247.60.103:465
92.97.21.81:443
193.154.185.19:995
69.245.144.167:443
201.188.114.189:443
50.46.139.220:443
172.251.77.230:443
24.196.158.28:443
Signatures

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | 1d333fbfed4320a9edc5ff3a37ce8d43c994ef20a3323f34f17f3cafe2300bc0.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc | 1d333fbfed4320a9edc5ff3a37ce8d43c994ef20a3323f34f17f3cafe2300bc0.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service | 1d333fbfed4320a9edc5ff3a37ce8d43c994ef20a3323f34f17f3cafe2300bc0.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | 1d333fbfed4320a9edc5ff3a37ce8d43c994ef20a3323f34f17f3cafe2300bc0.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc | 1d333fbfed4320a9edc5ff3a37ce8d43c994ef20a3323f34f17f3cafe2300bc0.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service | 1d333fbfed4320a9edc5ff3a37ce8d43c994ef20a3323f34f17f3cafe2300bc0.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | 1d333fbfed4320a9edc5ff3a37ce8d43c994ef20a3323f34f17f3cafe2300bc0.exe

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
pid | process
2496 | 1d333fbfed4320a9edc5ff3a37ce8d43c994ef20a3323f34f17f3cafe2300bc0.exe
2496 | 1d333fbfed4320a9edc5ff3a37ce8d43c994ef20a3323f34f17f3cafe2300bc0.exe
3544 | 1d333fbfed4320a9edc5ff3a37ce8d43c994ef20a3323f34f17f3cafe2300bc0.exe
3544 | 1d333fbfed4320a9edc5ff3a37ce8d43c994ef20a3323f34f17f3cafe2300bc0.exe
3544 | 1d333fbfed4320a9edc5ff3a37ce8d43c994ef20a3323f34f17f3cafe2300bc0.exe
3544 | 1d333fbfed4320a9edc5ff3a37ce8d43c994ef20a3323f34f17f3cafe2300bc0.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | pid | process | target process
PID 2496 wrote to memory of 3544 | 2496 | 1d333fbfed4320a9edc5ff3a37ce8d43c994ef20a3323f34f17f3cafe2300bc0.exe | 1d333fbfed4320a9edc5ff3a37ce8d43c994ef20a3323f34f17f3cafe2300bc0.exe
PID 2496 wrote to memory of 3544 | 2496 | 1d333fbfed4320a9edc5ff3a37ce8d43c994ef20a3323f34f17f3cafe2300bc0.exe | 1d333fbfed4320a9edc5ff3a37ce8d43c994ef20a3323f34f17f3cafe2300bc0.exe
PID 2496 wrote to memory of 3544 | 2496 | 1d333fbfed4320a9edc5ff3a37ce8d43c994ef20a3323f34f17f3cafe2300bc0.exe | 1d333fbfed4320a9edc5ff3a37ce8d43c994ef20a3323f34f17f3cafe2300bc0.exe
PID 2496 wrote to memory of 4764 | 2496 | 1d333fbfed4320a9edc5ff3a37ce8d43c994ef20a3323f34f17f3cafe2300bc0.exe | cmd.exe
PID 2496 wrote to memory of 4764 | 2496 | 1d333fbfed4320a9edc5ff3a37ce8d43c994ef20a3323f34f17f3cafe2300bc0.exe | cmd.exe
PID 2496 wrote to memory of 4764 | 2496 | 1d333fbfed4320a9edc5ff3a37ce8d43c994ef20a3323f34f17f3cafe2300bc0.exe | cmd.exe
PID 4764 wrote to memory of 208 | 4764 | cmd.exe | PING.EXE
PID 4764 wrote to memory of 208 | 4764 | cmd.exe | PING.EXE
PID 4764 wrote to memory of 208 | 4764 | cmd.exe | PING.EXE
Processes

1. C:\Users\Admin\AppData\Local\Temp\1d333fbfed4320a9edc5ff3a37ce8d43c994ef20a3323f34f17f3cafe2300bc0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1d333fbfed4320a9edc5ff3a37ce8d43c994ef20a3323f34f17f3cafe2300bc0.exe"
   - Checks computer location settings
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\1d333fbfed4320a9edc5ff3a37ce8d43c994ef20a3323f34f17f3cafe2300bc0.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\1d333fbfed4320a9edc5ff3a37ce8d43c994ef20a3323f34f17f3cafe2300bc0.exe /C
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\1d333fbfed4320a9edc5ff3a37ce8d43c994ef20a3323f34f17f3cafe2300bc0.exe"
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping.exe -n 6 127.0.0.1
         - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

memory/208-147-0x0000000000000000-mapping.dmp
memory/2496-146-0x0000000000400000-0x000000000074F000-memory.dmp (Filesize: 3.3MB)
memory/2496-131-0x0000000000400000-0x0000000000492000-memory.dmp (Filesize: 584KB)
memory/2496-132-0x0000000000400000-0x000000000074F000-memory.dmp (Filesize: 3.3MB)
memory/2496-135-0x0000000000400000-0x000000000074F000-memory.dmp (Filesize: 3.3MB)
memory/2496-137-0x0000000000400000-0x000000000074F000-memory.dmp (Filesize: 3.3MB)
memory/2496-130-0x0000000000400000-0x000000000074F000-memory.dmp (Filesize: 3.3MB)
memory/3544-138-0x0000000000400000-0x000000000074F000-memory.dmp (Filesize: 3.3MB)
memory/3544-143-0x0000000000400000-0x000000000074F000-memory.dmp (Filesize: 3.3MB)
memory/3544-144-0x0000000000400000-0x000000000074F000-memory.dmp (Filesize: 3.3MB)
memory/3544-140-0x0000000000400000-0x000000000074F000-memory.dmp (Filesize: 3.3MB)
memory/3544-136-0x0000000000000000-mapping.dmp
memory/4764-145-0x0000000000000000-mapping.dmp