Analysis
- max time kernel: 177s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 31-07-2022 04:38
Static task: static1
Behavioral task: behavioral1
Sample: d3d12b471180f4f32789b48429358dd63d502d0f585e30a88add6122ae6c02aa.exe
Resource: win7-20220718-en
General
- Target: d3d12b471180f4f32789b48429358dd63d502d0f585e30a88add6122ae6c02aa.exe
- Size: 1.9MB
- MD5: 278077d8bb6e66ab2cd7bf2162d097e4
- SHA1: 53092c67e92298d671642690e550daa22ad901d0
- SHA256: d3d12b471180f4f32789b48429358dd63d502d0f585e30a88add6122ae6c02aa
- SHA512: ed535972a260c5a9d48e27e70b0ca8c6f5c4b1c3ae41fd1d98238d1a4ca77dd97ecec3c19e14402e2db2f9e8122c01ff1a6fae58d7c6a90d158d3c21393413a1
Malware Config
Extracted
qakbot
323.91
spx24
1571222456
207.179.194.91:443
47.214.144.253:443
69.119.185.172:995
72.29.181.77:2083
174.131.181.120:995
137.119.216.25:443
207.162.184.228:443
65.30.12.240:995
190.120.196.18:443
206.51.202.106:50002
80.14.209.42:2222
76.80.66.226:443
173.178.129.3:443
181.90.124.162:443
96.22.239.27:2222
78.94.55.26:50003
24.201.68.105:2078
197.89.78.191:995
108.184.57.213:8443
181.126.80.118:443
24.48.5.105:2222
76.181.237.223:443
12.5.37.3:443
72.213.98.233:443
75.131.239.76:443
24.30.69.9:443
173.247.186.90:990
184.191.62.78:443
71.30.56.170:443
72.218.137.100:443
173.247.186.90:995
172.78.45.13:995
108.45.183.59:443
76.116.128.81:443
162.244.224.166:443
184.74.101.234:995
75.131.72.82:995
47.146.169.85:443
105.246.78.207:995
196.194.66.119:2222
71.93.60.90:443
47.153.115.154:995
173.247.186.90:993
174.48.72.160:443
222.195.69.36:2078
107.12.140.181:443
75.110.250.89:443
70.120.151.69:443
98.165.206.64:443
173.247.186.90:22
62.103.70.217:995
104.34.122.18:443
12.176.32.146:443
47.153.115.154:443
68.174.15.223:443
185.219.83.73:443
108.55.23.221:443
203.192.232.72:443
82.14.7.46:443
74.88.112.250:2222
75.165.181.122:443
24.199.0.138:443
174.16.234.171:993
98.186.90.192:995
181.143.141.226:995
2.50.170.151:443
74.194.4.181:443
70.74.159.126:2222
75.70.218.193:443
96.59.11.86:443
168.245.228.71:443
173.22.120.11:2222
72.132.247.194:995
24.184.6.58:2222
108.5.32.66:443
64.19.74.29:995
2.177.115.198:443
104.3.91.20:995
100.4.185.8:443
24.201.68.105:2087
99.228.242.183:995
75.131.72.82:443
159.118.173.115:995
206.255.212.179:443
209.182.122.217:443
117.208.245.38:995
23.240.185.215:443
68.225.250.136:443
192.24.181.185:443
72.16.212.107:995
188.52.67.251:443
172.78.185.176:443
162.244.225.30:443
65.116.179.83:443
47.23.101.26:993
184.180.157.203:2222
71.77.231.251:443
104.32.185.213:2222
68.238.56.27:443
72.142.106.198:465
166.62.180.194:2078
200.104.249.67:443
176.205.62.156:443
86.98.7.248:443
72.47.115.182:443
75.183.171.155:3389
190.217.1.149:443
123.252.128.47:443
116.58.100.130:443
95.67.210.20:21
217.162.149.212:443
174.82.131.155:995
24.201.68.105:2083
50.78.93.74:995
111.125.70.30:2222
173.233.182.249:443
24.201.68.105:61201
66.214.75.176:443
50.247.230.33:443
67.10.18.112:993
47.202.98.230:443
67.214.8.102:443
108.160.123.244:443
47.23.101.26:465
5.182.39.156:443
181.197.195.138:995
187.206.23.167:995
201.152.122.180:995
98.186.155.8:443
173.172.205.216:443
70.183.177.71:443
90.43.142.61:2222
24.201.68.105:2222
104.152.16.45:995
50.246.229.50:443
199.126.92.231:995
175.138.7.101:443
1.172.103.196:443
24.27.82.216:2222
172.250.91.246:443
75.90.234.95:443
24.180.7.155:443
99.247.60.103:465
92.97.21.81:443
193.154.185.19:995
69.245.144.167:443
201.188.114.189:443
50.46.139.220:443
172.251.77.230:443
24.196.158.28:443
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
  pid | process
  1660 | d3d12b471180f4f32789b48429358dd63d502d0f585e30a88add6122ae6c02aa.exe
  1544 | d3d12b471180f4f32789b48429358dd63d502d0f585e30a88add6122ae6c02aa.exe
  1544 | d3d12b471180f4f32789b48429358dd63d502d0f585e30a88add6122ae6c02aa.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 1660 wrote to memory of 1544 | 1660 | d3d12b471180f4f32789b48429358dd63d502d0f585e30a88add6122ae6c02aa.exe | d3d12b471180f4f32789b48429358dd63d502d0f585e30a88add6122ae6c02aa.exe
  PID 1660 wrote to memory of 1544 | 1660 | d3d12b471180f4f32789b48429358dd63d502d0f585e30a88add6122ae6c02aa.exe | d3d12b471180f4f32789b48429358dd63d502d0f585e30a88add6122ae6c02aa.exe
  PID 1660 wrote to memory of 1544 | 1660 | d3d12b471180f4f32789b48429358dd63d502d0f585e30a88add6122ae6c02aa.exe | d3d12b471180f4f32789b48429358dd63d502d0f585e30a88add6122ae6c02aa.exe
  PID 1660 wrote to memory of 1544 | 1660 | d3d12b471180f4f32789b48429358dd63d502d0f585e30a88add6122ae6c02aa.exe | d3d12b471180f4f32789b48429358dd63d502d0f585e30a88add6122ae6c02aa.exe
  PID 1660 wrote to memory of 432 | 1660 | d3d12b471180f4f32789b48429358dd63d502d0f585e30a88add6122ae6c02aa.exe | cmd.exe
  PID 1660 wrote to memory of 432 | 1660 | d3d12b471180f4f32789b48429358dd63d502d0f585e30a88add6122ae6c02aa.exe | cmd.exe
  PID 1660 wrote to memory of 432 | 1660 | d3d12b471180f4f32789b48429358dd63d502d0f585e30a88add6122ae6c02aa.exe | cmd.exe
  PID 1660 wrote to memory of 432 | 1660 | d3d12b471180f4f32789b48429358dd63d502d0f585e30a88add6122ae6c02aa.exe | cmd.exe
  PID 432 wrote to memory of 868 | 432 | cmd.exe | PING.EXE
  PID 432 wrote to memory of 868 | 432 | cmd.exe | PING.EXE
  PID 432 wrote to memory of 868 | 432 | cmd.exe | PING.EXE
  PID 432 wrote to memory of 868 | 432 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\d3d12b471180f4f32789b48429358dd63d502d0f585e30a88add6122ae6c02aa.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d3d12b471180f4f32789b48429358dd63d502d0f585e30a88add6122ae6c02aa.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\d3d12b471180f4f32789b48429358dd63d502d0f585e30a88add6122ae6c02aa.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\d3d12b471180f4f32789b48429358dd63d502d0f585e30a88add6122ae6c02aa.exe /C
    - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\d3d12b471180f4f32789b48429358dd63d502d0f585e30a88add6122ae6c02aa.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping.exe -n 6 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/432-69-0x0000000000000000-mapping.dmp
- memory/868-71-0x0000000000000000-mapping.dmp
- memory/1544-62-0x0000000000400000-0x000000000074F000-memory.dmp (Filesize 3.3MB)
- memory/1544-61-0x0000000000000000-mapping.dmp
- memory/1544-65-0x0000000000400000-0x000000000074F000-memory.dmp (Filesize 3.3MB)
- memory/1544-68-0x0000000000400000-0x000000000074F000-memory.dmp (Filesize 3.3MB)
- memory/1544-72-0x0000000000400000-0x000000000074F000-memory.dmp (Filesize 3.3MB)
- memory/1660-56-0x0000000000400000-0x0000000000492000-memory.dmp (Filesize 584KB)
- memory/1660-60-0x0000000000400000-0x000000000074F000-memory.dmp (Filesize 3.3MB)
- memory/1660-54-0x0000000000400000-0x000000000074F000-memory.dmp (Filesize 3.3MB)
- memory/1660-57-0x0000000000400000-0x000000000074F000-memory.dmp (Filesize 3.3MB)
- memory/1660-70-0x0000000000400000-0x000000000074F000-memory.dmp (Filesize 3.3MB)
- memory/1660-55-0x00000000757E1000-0x00000000757E3000-memory.dmp (Filesize 8KB)