Analysis

max time kernel: 61s
max time network: 43s
platform: windows7_x64
resource: win7-20220715-en
resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
submitted: 24-07-2022 16:49

Static task: static1
Behavioral task: behavioral1
Sample: f28ce294538fb56d8aff8077b149541bea56d8166d84c6e79cd0d9903f566b30.exe
Resource: win7-20220715-en

General

Target: f28ce294538fb56d8aff8077b149541bea56d8166d84c6e79cd0d9903f566b30.exe
Size: 717KB
MD5: 4b6accb73061345ed143f01d6199fc95
SHA1: 4c157859670b75b6abc5a09715a0ff0b7f028f55
SHA256: f28ce294538fb56d8aff8077b149541bea56d8166d84c6e79cd0d9903f566b30
SHA512: 8fd4948a04a0a5f74ee6b74599bc3a1840d8e1369bf436eb9f854d611e9a0ce60d5a8fa5b4775c916cfb7f6db04c437b2cff18355e354ae590405349629aa68c
Malware Config

Extracted family: qakbot
The extractor emits the three config fields below without labels; they are interpreted here in the order Qakbot configs are normally reported.
Version: 323.91
Campaign / botnet ID: spx35
Campaign timestamp: 1573827297 (Unix epoch seconds; decodes to 2019-11-15 14:14:57 UTC, so the config predates the July 2022 submission by more than two and a half years)
C2 list: 150 IP:port pairs. Most use 443, 995 or 2222; a few hosts appear twice on different ports, and one entry (98.210.41.34:0) carries port 0 and is not a usable endpoint.
71.77.231.251:443
76.116.128.81:443
108.5.34.128:443
75.110.90.155:443
181.126.80.118:443
62.103.70.217:995
207.237.1.152:443
47.202.98.230:443
63.224.81.92:995
74.33.70.14:443
81.103.144.77:443
75.142.59.167:443
104.173.119.54:2222
190.198.47.65:443
72.255.200.129:2222
73.137.187.150:443
24.203.221.252:2222
71.182.142.63:443
72.142.106.198:465
173.52.119.247:443
108.160.123.244:443
75.182.214.87:443
172.78.87.180:995
71.30.56.170:443
65.30.12.240:443
104.32.185.213:2222
174.130.203.235:443
24.229.150.54:995
2.50.157.249:443
47.23.101.26:465
173.172.205.216:995
74.134.35.54:443
174.131.181.120:995
207.162.184.228:443
5.182.39.156:443
206.51.202.106:50002
93.177.144.236:443
66.214.75.176:443
100.4.185.8:443
173.247.186.90:995
50.246.229.50:443
47.203.95.245:443
174.48.72.160:443
24.32.119.146:443
162.244.225.30:443
72.16.212.107:995
162.244.224.166:443
24.184.6.58:2222
181.197.195.138:995
74.102.76.221:443
199.126.92.231:995
98.210.41.34:0
173.178.129.3:990
190.217.1.149:443
74.215.81.185:443
67.200.146.98:2222
68.225.250.136:443
73.133.46.105:995
67.250.76.135:443
173.178.129.3:443
75.131.72.82:995
68.238.56.27:443
96.59.11.86:443
5.89.115.73:2222
47.146.169.85:443
107.12.140.181:443
72.218.167.183:443
68.238.144.55:443
68.83.59.107:443
174.16.234.171:993
179.36.16.164:443
73.226.220.56:443
12.176.32.146:443
69.133.112.13:443
205.250.79.62:443
68.174.15.223:443
173.22.120.11:2222
75.175.209.163:995
108.227.161.27:443
201.152.218.64:995
24.111.196.195:443
104.3.91.20:995
108.45.183.59:443
186.47.208.238:50000
47.214.144.253:443
47.153.115.154:995
67.246.180.90:443
174.82.131.155:995
74.194.4.181:443
24.201.68.105:2078
64.19.74.29:995
173.3.132.17:995
107.184.252.92:443
197.82.208.176:995
32.208.1.239:443
217.162.149.212:443
23.240.185.215:443
116.58.100.130:443
108.55.23.221:443
108.190.148.31:2222
187.163.101.137:995
74.73.27.35:443
69.245.144.167:443
73.235.65.73:443
2.185.70.232:995
173.247.186.90:465
75.130.117.134:443
2.190.232.12:443
184.180.157.203:2222
71.84.5.114:995
67.246.16.250:995
75.110.250.89:443
104.172.153.159:2222
176.205.62.174:443
50.78.93.74:995
90.43.20.226:2222
181.25.209.233:995
24.202.42.48:2222
72.46.151.196:995
166.62.180.194:2078
96.35.170.82:2222
107.12.131.249:443
123.252.128.47:443
81.149.189.61:8443
12.5.37.3:995
24.30.71.200:443
104.34.122.18:443
72.29.181.77:2083
70.124.29.226:443
67.10.18.112:993
80.14.209.42:2222
50.247.230.33:995
50.247.230.33:443
184.74.101.234:995
72.29.181.77:2078
83.25.3.51:2222
184.191.62.78:443
116.58.100.130:995
47.23.101.26:993
71.93.60.90:443
72.28.255.159:443
71.58.21.235:443
90.254.56.85:2222
75.182.115.93:443
151.234.80.34:995
46.245.55.22:995
209.182.122.217:443
137.119.216.25:443
72.161.157.148:443
106.51.0.228:443
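Before feeding an extracted Qakbot C2 list into blocklists or hunting queries it pays to validate it, since extractor output can contain entries like the port-0 pair above and hosts repeated on several ports. The following is an added example written for this page, not code from the sandbox or from the report; it embeds a subset of the endpoints listed above (copied from the report, chosen to include the odd cases) and the report's campaign timestamp, and treats that timestamp as Unix epoch seconds, which is how Qakbot stores it.

```python
"""Triage helpers for an extracted Qakbot C2 list (added example, not part of the
sandbox report). C2_SAMPLE is a subset copied from the report's Malware Config;
CAMPAIGN_TIMESTAMP is the report's unlabeled third config field."""
from collections import Counter, defaultdict
from datetime import datetime, timezone
import ipaddress

CAMPAIGN_TIMESTAMP = 1573827297  # from the report; interpreted as Unix epoch seconds

# Subset of the report's 150 IP:port pairs, chosen to include the odd cases:
# a port-0 entry, hosts listed on two ports, and high non-standard ports.
C2_SAMPLE = """
71.77.231.251:443
62.103.70.217:995
104.173.119.54:2222
72.142.106.198:465
206.51.202.106:50002
98.210.41.34:0
173.178.129.3:990
173.178.129.3:443
174.16.234.171:993
186.47.208.238:50000
24.201.68.105:2078
81.149.189.61:8443
72.29.181.77:2083
72.29.181.77:2078
50.247.230.33:995
50.247.230.33:443
""".strip().splitlines()


def decode_campaign_timestamp(ts: int) -> datetime:
    """Qakbot stores the campaign date as Unix epoch seconds; decode it as UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def parse_c2_list(lines):
    """Return (valid, rejected). valid is a list of (ip, port) tuples with a
    globally routable IPv4 address and a port in 1..65535; rejected maps each
    dropped line to the reason it was dropped."""
    valid, rejected = [], {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        host, sep, port_s = line.rpartition(":")
        if not sep or not port_s.isdigit():
            rejected[line] = "malformed"
            continue
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            rejected[line] = "bad address"
            continue
        if not ip.is_global:
            rejected[line] = "non-routable address"
            continue
        port = int(port_s)
        if not 1 <= port <= 65535:
            rejected[line] = "invalid port"  # e.g. the report's 98.210.41.34:0
            continue
        valid.append((str(ip), port))
    return valid, rejected


def summarize(valid):
    """Count endpoints per port and list hosts that appear on more than one port."""
    by_port = Counter(port for _, port in valid)
    ports_by_host = defaultdict(set)
    for ip, port in valid:
        ports_by_host[ip].add(port)
    multi_port = {ip: sorted(p) for ip, p in ports_by_host.items() if len(p) > 1}
    return by_port, multi_port


def unique_hosts(valid):
    """Distinct IPs, sorted numerically: the set you would actually block or hunt on."""
    return sorted({ip for ip, _ in valid}, key=ipaddress.ip_address)


if __name__ == "__main__":
    ok, bad = parse_c2_list(C2_SAMPLE)
    by_port, multi = summarize(ok)
    print("campaign date:", decode_campaign_timestamp(CAMPAIGN_TIMESTAMP).isoformat())
    print("rejected:", bad)
    print("endpoints per port:", dict(by_port))
    print("hosts on several ports:", multi)
    print("unique hosts:", len(unique_hosts(ok)))
```

Blocking on the unique host set rather than on the raw IP:port pairs matters because Qakbot rotates ports on the same residential proxy hosts; the per-port summary is useful mainly to spot the non-standard ports (2078, 2083, 8443, 50000, 50002) that stand out in egress logs.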
Signatures

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Caveat: this is a generic sandbox heuristic. The sample is classified as Qakbot, a banking trojan and loader, and drive enumeration by itself is not evidence of file encryption, although Qakbot infections have frequently been followed by hands-on ransomware deployment.

Runs ping.exe (1 TTP, 1 IoC)
  Used as a delay rather than for network discovery: ping -n 6 127.0.0.1 waits roughly five seconds before the next command in the chain (see Processes).

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   process
  620   f28ce294538fb56d8aff8077b149541bea56d8166d84c6e79cd0d9903f566b30.exe
  1336  f28ce294538fb56d8aff8077b149541bea56d8166d84c6e79cd0d9903f566b30.exe
  1336  f28ce294538fb56d8aff8077b149541bea56d8166d84c6e79cd0d9903f566b30.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  source pid  source process                                                            target pid  target process                                                            hits
  620         f28ce294538fb56d8aff8077b149541bea56d8166d84c6e79cd0d9903f566b30.exe  1336        f28ce294538fb56d8aff8077b149541bea56d8166d84c6e79cd0d9903f566b30.exe  4
  620         f28ce294538fb56d8aff8077b149541bea56d8166d84c6e79cd0d9903f566b30.exe  2004        cmd.exe                                                                   4
  2004        cmd.exe                                                                   1136        PING.EXE                                                                  4
  Caveat: every write goes from a parent into a child it has just created. CreateProcess itself typically writes the process parameters into the new child, so sandboxes record these hits for ordinary process creation as well; they are not by themselves evidence of code injection. No write into an unrelated process (for example explorer.exe) is recorded in this run.
Processes

C:\Users\Admin\AppData\Local\Temp\f28ce294538fb56d8aff8077b149541bea56d8166d84c6e79cd0d9903f566b30.exe  (PID 620, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\f28ce294538fb56d8aff8077b149541bea56d8166d84c6e79cd0d9903f566b30.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\f28ce294538fb56d8aff8077b149541bea56d8166d84c6e79cd0d9903f566b30.exe  (PID 1336, level 2)
    command line: C:\Users\Admin\AppData\Local\Temp\f28ce294538fb56d8aff8077b149541bea56d8166d84c6e79cd0d9903f566b30.exe /C
    - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\cmd.exe  (PID 2004, level 2)
    command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\f28ce294538fb56d8aff8077b149541bea56d8166d84c6e79cd0d9903f566b30.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE  (PID 1136, level 3)
      command line: ping.exe -n 6 127.0.0.1
      - Runs ping.exe

Reading the tree: the dropper (PID 620) relaunches its own binary with the /C switch (PID 1336, which enumerates running processes), then spawns cmd.exe with a two-step command. ping -n 6 127.0.0.1 is a sleep of roughly five seconds; the type ... > redirection that follows is meant to overwrite the dropper's own file with a copy of calc.exe, which succeeds once PID 620 has exited and released its image mapping. After that, the file at the Temp path no longer has the MD5/SHA1/SHA256 listed under General, and anyone who later collects the "sample" from the host gets calc.exe instead. Note also that the recorded image path is C:\Windows\SysWOW64\cmd.exe while the command line names System32: the WoW64 file-system redirector rewrote the path, so the dropper is a 32-bit executable running on the x64 Windows 7 image, consistent with the arch:x86 resource tag.
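The ping-then-overwrite chain in the tree above is easy to match on process-creation telemetry: a cmd.exe whose command line redirects type output onto the path of its own parent's image. The following is an added example written for this page, not code from the sandbox or the report. It runs a detector over constructed Sysmon-style (Event ID 1) records modelled on the report's process tree; the parent of PID 620, the explorer.exe paths and the benign admin event at the end are made up for the example, and the Sysmon field names are an assumption about the telemetry source.

```python
"""Detect a dropper overwriting itself through cmd.exe (added example, not part
of the sandbox report). EVENTS are constructed Sysmon Event ID 1 style records
modelled on the report's process tree; PIDs and command lines match the report,
the explorer.exe parents and the benign last event are made up."""
import ntpath
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\f28ce294538fb56d8aff8077b149541bea56d8166d84c6e79cd0d9903f566b30.exe")

CMD_LINE = ('"C:\\Windows\\System32\\cmd.exe" /c ping.exe -n 6 127.0.0.1 & '
            'type "C:\\Windows\\System32\\calc.exe" > "' + SAMPLE + '"')

EVENTS = [
    {"ProcessId": 620, "Image": SAMPLE, "CommandLine": '"' + SAMPLE + '"',
     "ParentProcessId": 1, "ParentImage": r"C:\Windows\explorer.exe"},  # parent assumed
    {"ProcessId": 1336, "Image": SAMPLE, "CommandLine": SAMPLE + " /C",
     "ParentProcessId": 620, "ParentImage": SAMPLE},
    {"ProcessId": 2004, "Image": r"C:\Windows\SysWOW64\cmd.exe", "CommandLine": CMD_LINE,
     "ParentProcessId": 620, "ParentImage": SAMPLE},
    {"ProcessId": 1136, "Image": r"C:\Windows\SysWOW64\PING.EXE",
     "CommandLine": "ping.exe -n 6 127.0.0.1",
     "ParentProcessId": 2004, "ParentImage": r"C:\Windows\SysWOW64\cmd.exe"},
    # Constructed benign event: a redirect whose target is not the parent's image.
    {"ProcessId": 3000, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c type C:\logs\a.txt > C:\logs\b.txt",
     "ParentProcessId": 2999, "ParentImage": r"C:\Windows\explorer.exe"},
]

# 'ping -n <count> 127.0.0.1' used as a sleep: about (count - 1) seconds.
PING_DELAY = re.compile(r"ping(?:\.exe)?\s+-n\s+(\d+)\s+127\.0\.0\.1", re.I)
# 'type <src> > <dst>' with optional quotes around either path.
TYPE_REDIRECT = re.compile(r'type\s+("?)(.+?)\1\s*>\s*("?)([^"&|]+?)\3\s*(?:&|\||$)', re.I)


def norm(path: str) -> str:
    """Case-fold, strip quotes and undo the WoW64 redirect so that
    System32 and SysWOW64 spellings of the same binary compare equal."""
    p = ntpath.normpath(path.strip().strip('"')).lower()
    return p.replace("\\syswow64\\", "\\system32\\")


def detect_self_overwrite(events):
    """Return one finding per cmd.exe launch whose 'type X > Y' target is the
    image of its own parent process, i.e. the parent is overwriting itself."""
    findings = []
    for ev in events:
        if ntpath.basename(ev["Image"]).lower() != "cmd.exe":
            continue
        m = TYPE_REDIRECT.search(ev["CommandLine"])
        if not m:
            continue
        src, dst = m.group(2), m.group(4)
        if norm(dst) != norm(ev["ParentImage"]):
            continue
        delay = PING_DELAY.search(ev["CommandLine"])
        findings.append({
            "pid": ev["ProcessId"],
            "parent_pid": ev["ParentProcessId"],
            "overwritten": ev["ParentImage"],
            "overwritten_with": src.strip('"'),
            "delay_seconds": max(int(delay.group(1)) - 1, 0) if delay else 0,
            "wow64": "\\syswow64\\" in ev["Image"].lower(),  # 32-bit on x64 host
        })
    return findings


if __name__ == "__main__":
    for f in detect_self_overwrite(EVENTS):
        print(f)
```

The comparison is done against the parent's image rather than against a fixed path, so the same logic catches the technique wherever the dropper was written, and the delay and WoW64 fields are carried along because they tell the responder how long the original binary stayed intact and which architecture to expect when carving the 752KB image dump.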
Network

No entries in this report.

MITRE ATT&CK Matrix (ATT&CK v6)

No entries rendered in this report; the "1 TTPs" counts on two signatures above are the only ATT&CK mappings it carries.
Downloads (memory dumps)

file                                                              size
memory/620-54-0x0000000075311000-0x0000000075313000-memory.dmp    8KB
memory/620-55-0x00000000002B0000-0x00000000002B7000-memory.dmp    28KB
memory/620-56-0x0000000000400000-0x00000000004BC000-memory.dmp    752KB
memory/1136-68-0x0000000000000000-mapping.dmp                     (mapping only)
memory/1336-60-0x0000000000000000-mapping.dmp                     (mapping only)
memory/1336-66-0x00000000003C0000-0x00000000003C7000-memory.dmp   28KB
memory/2004-67-0x0000000000000000-mapping.dmp                     (mapping only)

The 752KB region at 0x400000 in PID 620 is the dropper's own mapped image (0x400000 is the default ImageBase of a 32-bit PE, and 0x4BC000 - 0x400000 = 0xBC000 bytes, a little over the 717KB file once sections are page-aligned); this dump is the artefact to keep, since the on-disk file is replaced by calc.exe after the run. The two 28KB (0x7000-byte) regions, one in the parent (PID 620) and one in the /C child (PID 1336), are the same size, consistent with the parent's recorded writes into the child.