Analysis
max time kernel: 91s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-07-2022 16:49
Static task: static1
Behavioral task: behavioral1
Sample: 8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe
Resource: win7-20220715-en
General
Target: 8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe
Size: 708KB
MD5: d93db4daa650dcdc5ffe670d61fcfa8f
SHA1: 3ed89771339ea3e6d0ea56d16aface69ddef4f74
SHA256: 8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad
SHA512: bb1ab6ef623db5f71573ddd23a7c1873fabfc87c6f4f181fd8c8328367457bffc99edbb28d1c51991b137a69794d0915b845d9fbea6ca54c1dd922e9a797dabd
Malware Config
Extracted family: qakbot
323.91
spx46
1576587820
C2 addresses (IP:port):
32.208.1.239:8443
181.123.59.111:443
73.226.220.56:443
93.177.144.236:443
24.184.6.58:2222
72.16.212.107:465
162.244.224.166:443
62.47.252.79:993
67.10.18.112:993
104.235.119.20:443
72.224.159.224:2222
181.197.195.138:995
74.134.35.54:443
174.20.189.226:995
67.214.21.207:443
187.163.101.137:995
72.47.115.182:443
173.31.178.20:443
75.131.72.82:995
5.182.39.156:443
181.126.80.118:443
98.118.162.34:443
73.142.81.221:443
73.133.46.105:995
50.245.107.73:443
137.99.224.198:443
100.38.123.22:443
217.162.149.212:443
68.134.181.98:443
5.48.231.126:443
76.23.204.29:443
24.189.222.222:2222
23.240.185.215:443
106.51.148.162:443
47.185.43.243:443
47.187.133.183:443
47.40.244.237:443
138.122.5.214:443
66.169.209.201:443
67.141.21.18:443
184.4.192.200:443
190.158.208.149:443
73.179.178.78:443
108.45.183.59:443
116.58.100.130:443
75.177.91.92:443
83.110.153.83:443
68.49.120.179:443
108.190.148.31:2222
46.248.48.167:995
69.70.37.246:465
72.190.101.70:443
64.33.68.198:443
96.227.138.53:443
50.78.93.74:995
117.204.227.149:995
107.12.140.181:443
24.202.42.48:2222
184.167.2.251:2222
72.142.106.198:993
75.81.25.223:995
71.222.14.97:443
74.194.4.181:443
96.35.170.82:2222
173.172.205.216:443
24.201.79.208:2078
74.71.216.1:443
75.110.250.89:443
184.180.157.203:2222
162.244.225.30:443
65.30.12.240:443
74.33.70.219:443
68.100.248.78:443
75.142.59.167:443
24.91.26.212:443
201.152.209.215:995
66.90.149.186:443
108.55.23.221:443
70.177.25.99:443
98.237.120.65:995
47.227.198.155:443
183.83.97.60:443
72.29.181.77:2078
67.246.180.90:443
71.77.224.65:443
97.93.211.17:443
179.36.61.179:443
71.77.231.251:443
50.247.230.33:995
107.12.131.249:443
75.131.239.76:995
86.133.23.218:2222
63.230.16.166:995
47.153.115.154:995
166.62.180.194:2078
173.3.132.17:995
24.229.245.124:995
45.45.105.94:443
208.126.142.17:443
72.187.35.131:443
80.14.209.42:2222
75.90.230.120:995
130.93.11.211:995
130.93.11.211:443
83.76.204.98:2222
67.200.146.98:2222
47.214.144.253:443
97.96.51.117:443
88.111.224.103:2222
75.165.142.212:443
172.78.87.180:995
66.214.75.176:443
174.48.72.160:443
71.30.56.170:443
12.5.37.3:995
71.226.140.73:443
75.70.218.193:443
107.5.252.194:443
70.124.29.226:443
190.133.41.102:995
138.122.5.214:2222
67.246.16.250:995
108.160.123.244:443
64.19.74.29:995
78.13.212.163:2222
172.242.9.118:995
47.146.169.85:443
47.23.101.26:465
97.122.229.88:993
45.45.105.94:995
174.82.131.155:995
68.174.15.223:443
108.27.217.44:443
206.51.202.106:50002
207.5.138.66:0
66.44.125.165:443
24.32.119.146:443
108.227.161.27:443
100.4.185.8:443
70.120.151.69:443
108.46.22.47:443
173.22.120.11:2222
66.222.88.126:995
12.5.37.3:443
64.250.55.239:443
65.131.252.13:443
98.252.150.180:443
104.3.91.20:995
68.238.56.27:443
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation | 8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: 8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | 8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc | 8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service | 8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | 8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc | 8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service | 8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe
Runs ping.exe (1 TTP, 1 IoC)
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: 8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe, 8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe
pid | process
4216 | 8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe
4216 | 8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe
1132 | 8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe
1132 | 8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe
1132 | 8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe
1132 | 8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe, cmd.exe
description | pid | process | target process
PID 4216 wrote to memory of 1132 | 4216 | 8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe | 8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe
PID 4216 wrote to memory of 1132 | 4216 | 8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe | 8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe
PID 4216 wrote to memory of 1132 | 4216 | 8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe | 8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe
PID 4216 wrote to memory of 920 | 4216 | 8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe | cmd.exe
PID 4216 wrote to memory of 920 | 4216 | 8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe | cmd.exe
PID 4216 wrote to memory of 920 | 4216 | 8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe | cmd.exe
PID 920 wrote to memory of 3168 | 920 | cmd.exe | PING.EXE
PID 920 wrote to memory of 3168 | 920 | cmd.exe | PING.EXE
PID 920 wrote to memory of 3168 | 920 | cmd.exe | PING.EXE
Processes
[1] C:\Users\Admin\AppData\Local\Temp\8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe"
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe /C
        - Checks SCSI registry key(s)
        - Suspicious behavior: EnumeratesProcesses
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe"
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping.exe -n 6 127.0.0.1
            - Runs ping.exe
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
memory/920-141-0x0000000000000000-mapping.dmp
memory/1132-135-0x0000000000000000-mapping.dmp
memory/1132-140-0x00000000022F0000-0x0000000002382000-memory.dmp (Filesize: 584KB)
memory/3168-142-0x0000000000000000-mapping.dmp
memory/4216-130-0x0000000000400000-0x00000000004B4000-memory.dmp (Filesize: 720KB)
memory/4216-134-0x00000000023C0000-0x0000000002452000-memory.dmp (Filesize: 584KB)