Analysis
max time kernel: 139s
max time network: 188s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-07-2022 04:38

Static task: static1
Behavioral task: behavioral1
Sample: b77768e1332195e344270d974c46ca27bdd91ecb001b8bc6b7218590d0abac08.exe
Resource: win7-20220718-en
General
Target: b77768e1332195e344270d974c46ca27bdd91ecb001b8bc6b7218590d0abac08.exe
Size: 1.9MB
MD5: 4f8fd5974bf3bce9902fafdd806dfc4f
SHA1: 5c0166bc8ccfef298657d02239b36827d233fb7d
SHA256: b77768e1332195e344270d974c46ca27bdd91ecb001b8bc6b7218590d0abac08
SHA512: 0ae3300d1645e9ea17282eece4aeab79fc8de6661247286d8f117c0ba2ffb43b0e130119a6fc738e103e53a2c54bb623a83e0340c27a4555df76e3decf6a08cf
Malware Config
Extracted
Family: qakbot
Version: 323.91
Botnet: spx24
Campaign: 1571222456
C2: list of IP:port pairs extracted from the sample configuration (not reproduced here)
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
- Key value queried | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation | b77768e1332195e344270d974c46ca27bdd91ecb001b8bc6b7218590d0abac08.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
- Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc | b77768e1332195e344270d974c46ca27bdd91ecb001b8bc6b7218590d0abac08.exe
- Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service | b77768e1332195e344270d974c46ca27bdd91ecb001b8bc6b7218590d0abac08.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | b77768e1332195e344270d974c46ca27bdd91ecb001b8bc6b7218590d0abac08.exe
- Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc | b77768e1332195e344270d974c46ca27bdd91ecb001b8bc6b7218590d0abac08.exe
- Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service | b77768e1332195e344270d974c46ca27bdd91ecb001b8bc6b7218590d0abac08.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | b77768e1332195e344270d974c46ca27bdd91ecb001b8bc6b7218590d0abac08.exe

Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
pid | process
- 936 | b77768e1332195e344270d974c46ca27bdd91ecb001b8bc6b7218590d0abac08.exe
- 936 | b77768e1332195e344270d974c46ca27bdd91ecb001b8bc6b7218590d0abac08.exe
- 4076 | b77768e1332195e344270d974c46ca27bdd91ecb001b8bc6b7218590d0abac08.exe
- 4076 | b77768e1332195e344270d974c46ca27bdd91ecb001b8bc6b7218590d0abac08.exe
- 4076 | b77768e1332195e344270d974c46ca27bdd91ecb001b8bc6b7218590d0abac08.exe
- 4076 | b77768e1332195e344270d974c46ca27bdd91ecb001b8bc6b7218590d0abac08.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | pid | process | target process
- PID 936 wrote to memory of 4076 | 936 | b77768e1332195e344270d974c46ca27bdd91ecb001b8bc6b7218590d0abac08.exe | b77768e1332195e344270d974c46ca27bdd91ecb001b8bc6b7218590d0abac08.exe
- PID 936 wrote to memory of 4076 | 936 | b77768e1332195e344270d974c46ca27bdd91ecb001b8bc6b7218590d0abac08.exe | b77768e1332195e344270d974c46ca27bdd91ecb001b8bc6b7218590d0abac08.exe
- PID 936 wrote to memory of 4076 | 936 | b77768e1332195e344270d974c46ca27bdd91ecb001b8bc6b7218590d0abac08.exe | b77768e1332195e344270d974c46ca27bdd91ecb001b8bc6b7218590d0abac08.exe
- PID 936 wrote to memory of 684 | 936 | b77768e1332195e344270d974c46ca27bdd91ecb001b8bc6b7218590d0abac08.exe | cmd.exe
- PID 936 wrote to memory of 684 | 936 | b77768e1332195e344270d974c46ca27bdd91ecb001b8bc6b7218590d0abac08.exe | cmd.exe
- PID 936 wrote to memory of 684 | 936 | b77768e1332195e344270d974c46ca27bdd91ecb001b8bc6b7218590d0abac08.exe | cmd.exe
- PID 684 wrote to memory of 1904 | 684 | cmd.exe | PING.EXE
- PID 684 wrote to memory of 1904 | 684 | cmd.exe | PING.EXE
- PID 684 wrote to memory of 1904 | 684 | cmd.exe | PING.EXE
Processes

1. C:\Users\Admin\AppData\Local\Temp\b77768e1332195e344270d974c46ca27bdd91ecb001b8bc6b7218590d0abac08.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b77768e1332195e344270d974c46ca27bdd91ecb001b8bc6b7218590d0abac08.exe"
   - Checks computer location settings
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\b77768e1332195e344270d974c46ca27bdd91ecb001b8bc6b7218590d0abac08.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\b77768e1332195e344270d974c46ca27bdd91ecb001b8bc6b7218590d0abac08.exe /C
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\b77768e1332195e344270d974c46ca27bdd91ecb001b8bc6b7218590d0abac08.exe"
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping.exe -n 6 127.0.0.1
         - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/684-145-0x0000000000000000-mapping.dmp
- memory/936-131-0x0000000000400000-0x000000000074F000-memory.dmp (Filesize: 3.3MB)
- memory/936-132-0x0000000000400000-0x000000000074F000-memory.dmp (Filesize: 3.3MB)
- memory/936-133-0x0000000000400000-0x0000000000492000-memory.dmp (Filesize: 584KB)
- memory/936-134-0x0000000000400000-0x000000000074F000-memory.dmp (Filesize: 3.3MB)
- memory/936-130-0x0000000000400000-0x000000000074F000-memory.dmp (Filesize: 3.3MB)
- memory/936-146-0x0000000000400000-0x000000000074F000-memory.dmp (Filesize: 3.3MB)
- memory/1904-147-0x0000000000000000-mapping.dmp
- memory/4076-138-0x0000000000400000-0x000000000074F000-memory.dmp (Filesize: 3.3MB)
- memory/4076-144-0x0000000000400000-0x000000000074F000-memory.dmp (Filesize: 3.3MB)
- memory/4076-143-0x0000000000400000-0x000000000074F000-memory.dmp (Filesize: 3.3MB)
- memory/4076-140-0x0000000000400000-0x000000000074F000-memory.dmp (Filesize: 3.3MB)
- memory/4076-137-0x0000000000000000-mapping.dmp