Analysis
max time kernel
123s
max time network
50s
platform
windows7_x64
resource
win7-20220715-en
resource tags
arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
submitted
31-07-2022 04:38
Static task
static1
Behavioral task
behavioral1
Sample
b558197d8287ef724b6e7af39116450dd2e7bfcfd2b02f6f637fb9f8979aa83c.exe
Resource
win7-20220715-en
General
Target
b558197d8287ef724b6e7af39116450dd2e7bfcfd2b02f6f637fb9f8979aa83c.exe
Size
1.9MB
MD5
fe0dfda0d0a36461e119e26f933fdc2a
SHA1
a0214a28a7436eeb7df73f8a76657d33cc78fd34
SHA256
b558197d8287ef724b6e7af39116450dd2e7bfcfd2b02f6f637fb9f8979aa83c
SHA512
531a5cc0df24666f21d36fbd3bbc9916c5f202cf16707aaea5bcc15302ce1ede564173ce2b657c8a089c00e7f2b27290a5a18928b28728b4ad684656fed14efc
Malware Config
Extracted
Family: qakbot
Version: 323.91
Botnet: spx24
Campaign: 1571222456
C2 (ip:port):
207.179.194.91:443
47.214.144.253:443
69.119.185.172:995
72.29.181.77:2083
174.131.181.120:995
137.119.216.25:443
207.162.184.228:443
65.30.12.240:995
190.120.196.18:443
206.51.202.106:50002
80.14.209.42:2222
76.80.66.226:443
173.178.129.3:443
181.90.124.162:443
96.22.239.27:2222
78.94.55.26:50003
24.201.68.105:2078
197.89.78.191:995
108.184.57.213:8443
181.126.80.118:443
24.48.5.105:2222
76.181.237.223:443
12.5.37.3:443
72.213.98.233:443
75.131.239.76:443
24.30.69.9:443
173.247.186.90:990
184.191.62.78:443
71.30.56.170:443
72.218.137.100:443
173.247.186.90:995
172.78.45.13:995
108.45.183.59:443
76.116.128.81:443
162.244.224.166:443
184.74.101.234:995
75.131.72.82:995
47.146.169.85:443
105.246.78.207:995
196.194.66.119:2222
71.93.60.90:443
47.153.115.154:995
173.247.186.90:993
174.48.72.160:443
222.195.69.36:2078
107.12.140.181:443
75.110.250.89:443
70.120.151.69:443
98.165.206.64:443
173.247.186.90:22
62.103.70.217:995
104.34.122.18:443
12.176.32.146:443
47.153.115.154:443
68.174.15.223:443
185.219.83.73:443
108.55.23.221:443
203.192.232.72:443
82.14.7.46:443
74.88.112.250:2222
75.165.181.122:443
24.199.0.138:443
174.16.234.171:993
98.186.90.192:995
181.143.141.226:995
2.50.170.151:443
74.194.4.181:443
70.74.159.126:2222
75.70.218.193:443
96.59.11.86:443
168.245.228.71:443
173.22.120.11:2222
72.132.247.194:995
24.184.6.58:2222
108.5.32.66:443
64.19.74.29:995
2.177.115.198:443
104.3.91.20:995
100.4.185.8:443
24.201.68.105:2087
99.228.242.183:995
75.131.72.82:443
159.118.173.115:995
206.255.212.179:443
209.182.122.217:443
117.208.245.38:995
23.240.185.215:443
68.225.250.136:443
192.24.181.185:443
72.16.212.107:995
188.52.67.251:443
172.78.185.176:443
162.244.225.30:443
65.116.179.83:443
47.23.101.26:993
184.180.157.203:2222
71.77.231.251:443
104.32.185.213:2222
68.238.56.27:443
72.142.106.198:465
166.62.180.194:2078
200.104.249.67:443
176.205.62.156:443
86.98.7.248:443
72.47.115.182:443
75.183.171.155:3389
190.217.1.149:443
123.252.128.47:443
116.58.100.130:443
95.67.210.20:21
217.162.149.212:443
174.82.131.155:995
24.201.68.105:2083
50.78.93.74:995
111.125.70.30:2222
173.233.182.249:443
24.201.68.105:61201
66.214.75.176:443
50.247.230.33:443
67.10.18.112:993
47.202.98.230:443
67.214.8.102:443
108.160.123.244:443
47.23.101.26:465
5.182.39.156:443
181.197.195.138:995
187.206.23.167:995
201.152.122.180:995
98.186.155.8:443
173.172.205.216:443
70.183.177.71:443
90.43.142.61:2222
24.201.68.105:2222
104.152.16.45:995
50.246.229.50:443
199.126.92.231:995
175.138.7.101:443
1.172.103.196:443
24.27.82.216:2222
172.250.91.246:443
75.90.234.95:443
24.180.7.155:443
99.247.60.103:465
92.97.21.81:443
193.154.185.19:995
69.245.144.167:443
201.188.114.189:443
50.46.139.220:443
172.251.77.230:443
24.196.158.28:443
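The extracted configuration is a list of ip:port pairs on residential-looking hosts spread over many ports (443, 995, 2222, 2078, 993, 22, 3389, 50002 and others), and several hosts appear more than once with different ports. The Python below is an added example, not part of the report or of any Qakbot tooling: it parses a subset of the C2 list copied from the report, groups ports per host, decodes the campaign field as a Unix timestamp, and matches constructed firewall log lines against the ip:port pairs. The log line format and the internal addresses in it are assumptions made for the example.

```python
"""Turn the extracted Qakbot C2 list into an IOC set and match firewall logs
against it. Added example; the config lines are copied from the report, the
log lines are constructed for illustration."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# A subset of the C2 entries from the extracted config (ip:port, one per line).
C2_LINES = """
207.179.194.91:443
47.214.144.253:443
69.119.185.172:995
173.247.186.90:990
173.247.186.90:995
173.247.186.90:993
173.247.186.90:22
24.201.68.105:2078
24.201.68.105:2087
75.183.171.155:3389
95.67.210.20:21
"""

CAMPAIGN_TS = 1571222456  # "Campaign" field of the extracted config


def parse_c2(text):
    """Return a set of (ip, port) tuples, silently skipping malformed entries."""
    out = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, sep, port = line.rpartition(":")
        if not sep:
            continue
        try:
            ip = ipaddress.ip_address(host)
            port = int(port)
        except ValueError:
            continue
        if 0 < port < 65536:
            out.add((str(ip), port))
    return out


def by_ip(c2s):
    """Group ports per host: the same IP may be listed on several ports."""
    groups = defaultdict(set)
    for ip, port in c2s:
        groups[ip].add(port)
    return dict(groups)


def campaign_date(ts):
    """The campaign field is a Unix timestamp; decode it as UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


# Constructed firewall log lines (assumed format, not from the report):
# "<proto> <src>:<sport> -> <dst>:<dport> <action>"
LOG_RE = re.compile(r"(\S+)\s+(\S+):(\d+)\s*->\s*(\S+):(\d+)\s+(\S+)")
SAMPLE_LOG = """
tcp 10.0.0.15:51432 -> 207.179.194.91:443 allow
tcp 10.0.0.15:51433 -> 173.247.186.90:22 allow
tcp 10.0.0.22:49211 -> 8.8.8.8:443 allow
udp 10.0.0.15:53111 -> 75.183.171.155:3389 deny
tcp 10.0.0.15:51440 -> 207.179.194.91:80 allow
"""


def match_log(text, c2s):
    """Return (src, dst, dport) for each flow that hits an ip:port pair.
    Matching on the pair rather than the IP alone avoids false positives on
    shared residential hosts; matching on the port alone is useless here."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _proto, src, _sport, dst, dport, _action = m.groups()
        if (dst, int(dport)) in c2s:
            hits.append((src, dst, int(dport)))
    return hits


if __name__ == "__main__":
    c2s = parse_c2(C2_LINES)
    print(len(c2s), "C2 pairs; campaign", campaign_date(CAMPAIGN_TS).isoformat())
    for ip, ports in sorted(by_ip(c2s).items()):
        if len(ports) > 1:
            print("multi-port host:", ip, sorted(ports))
    for hit in match_log(SAMPLE_LOG, c2s):
        print("C2 contact:", hit)
```

The flow to 207.179.194.91:80 is deliberately left unmatched: the report lists that host only on port 443, and a pair-based IOC set keeps it that way until the config says otherwise.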
Signatures
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
pid | process
1456 | b558197d8287ef724b6e7af39116450dd2e7bfcfd2b02f6f637fb9f8979aa83c.exe
952 | b558197d8287ef724b6e7af39116450dd2e7bfcfd2b02f6f637fb9f8979aa83c.exe
952 | b558197d8287ef724b6e7af39116450dd2e7bfcfd2b02f6f637fb9f8979aa83c.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
description | pid | process | target process
PID 1456 wrote to memory of 952 | 1456 | b558197d8287ef724b6e7af39116450dd2e7bfcfd2b02f6f637fb9f8979aa83c.exe | b558197d8287ef724b6e7af39116450dd2e7bfcfd2b02f6f637fb9f8979aa83c.exe
PID 1456 wrote to memory of 952 | 1456 | b558197d8287ef724b6e7af39116450dd2e7bfcfd2b02f6f637fb9f8979aa83c.exe | b558197d8287ef724b6e7af39116450dd2e7bfcfd2b02f6f637fb9f8979aa83c.exe
PID 1456 wrote to memory of 952 | 1456 | b558197d8287ef724b6e7af39116450dd2e7bfcfd2b02f6f637fb9f8979aa83c.exe | b558197d8287ef724b6e7af39116450dd2e7bfcfd2b02f6f637fb9f8979aa83c.exe
PID 1456 wrote to memory of 952 | 1456 | b558197d8287ef724b6e7af39116450dd2e7bfcfd2b02f6f637fb9f8979aa83c.exe | b558197d8287ef724b6e7af39116450dd2e7bfcfd2b02f6f637fb9f8979aa83c.exe
PID 1456 wrote to memory of 880 | 1456 | b558197d8287ef724b6e7af39116450dd2e7bfcfd2b02f6f637fb9f8979aa83c.exe | cmd.exe
PID 1456 wrote to memory of 880 | 1456 | b558197d8287ef724b6e7af39116450dd2e7bfcfd2b02f6f637fb9f8979aa83c.exe | cmd.exe
PID 1456 wrote to memory of 880 | 1456 | b558197d8287ef724b6e7af39116450dd2e7bfcfd2b02f6f637fb9f8979aa83c.exe | cmd.exe
PID 1456 wrote to memory of 880 | 1456 | b558197d8287ef724b6e7af39116450dd2e7bfcfd2b02f6f637fb9f8979aa83c.exe | cmd.exe
PID 880 wrote to memory of 1076 | 880 | cmd.exe | PING.EXE
PID 880 wrote to memory of 1076 | 880 | cmd.exe | PING.EXE
PID 880 wrote to memory of 1076 | 880 | cmd.exe | PING.EXE
PID 880 wrote to memory of 1076 | 880 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\b558197d8287ef724b6e7af39116450dd2e7bfcfd2b02f6f637fb9f8979aa83c.exe (PID 1456, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b558197d8287ef724b6e7af39116450dd2e7bfcfd2b02f6f637fb9f8979aa83c.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\b558197d8287ef724b6e7af39116450dd2e7bfcfd2b02f6f637fb9f8979aa83c.exe (PID 952, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\b558197d8287ef724b6e7af39116450dd2e7bfcfd2b02f6f637fb9f8979aa83c.exe /C
    - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe (PID 880, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\b558197d8287ef724b6e7af39116450dd2e7bfcfd2b02f6f637fb9f8979aa83c.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1076, depth 3)
      Command line: ping.exe -n 6 127.0.0.1
      - Runs ping.exe
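The process tree shows two behaviours worth a detection rule: the sample re-launches its own image with a /C argument, and it spawns cmd.exe to wait on six pings to 127.0.0.1 and then overwrite the sample's own file on disk with calc.exe, so the dropped executable no longer exists for later collection. The Python below is an added example, not part of the report or of any vendor product: it encodes the process-creation events as constructed records in a Sysmon-like shape (the PIDs, images and command lines are taken from the tree above; the parent of PID 1456 is not reported and is set to 0), parses the ping-then-type overwrite from a command line, and flags a child that overwrites the image of its own parent as well as a child that re-runs its parent's image.

```python
"""Detect the self-spawn and the ping-delayed self-overwrite seen in the
process tree. Added example; the events are constructed to mirror the tree."""
import re

# Sample path as recorded in the report.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\b558197d8287ef724b6e7af39116450dd2e7bfcfd2b02f6f637fb9f8979aa83c.exe")

# Constructed process-creation events (Sysmon Event ID 1 shape). The ppid of
# the root process is not in the report and is set to 0 here.
EVENTS = [
    {"pid": 1456, "ppid": 0, "image": SAMPLE, "cmd": f'"{SAMPLE}"'},
    {"pid": 952, "ppid": 1456, "image": SAMPLE, "cmd": f"{SAMPLE} /C"},
    {"pid": 880, "ppid": 1456, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": (r'"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & '
             r'type "C:\Windows\System32\calc.exe" > ' + f'"{SAMPLE}"')},
    {"pid": 1076, "ppid": 880, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmd": "ping.exe -n 6 127.0.0.1"},
]

# "ping -n <N> 127.0.0.1 & type <src> > <dst>": the ping is a sleep, the
# type/redirect replaces <dst> with the bytes of <src>.
SELF_OVERWRITE = re.compile(
    r'ping(?:\.exe)?\s+-n\s+(\d+)\s+127\.0\.0\.1\s*&\s*'
    r'type\s+"?([^"&>]+?)"?\s*>\s*"?([^"]+?)"?\s*$',
    re.IGNORECASE,
)


def parse_self_overwrite(cmd):
    """Return {delay, source, target} for a ping-delayed overwrite of an
    executable, or None if the command line does not match."""
    m = SELF_OVERWRITE.search(cmd)
    if not m:
        return None
    delay, source, target = m.groups()
    if not target.lower().endswith(".exe"):
        return None
    return {"delay": int(delay), "source": source.strip(),
            "target": target.strip()}


def find_self_overwrites(events):
    """(pid, ppid) for every process whose command line overwrites the image
    of its own parent. Compared case-insensitively, as NTFS paths are."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        r = parse_self_overwrite(e["cmd"])
        parent = by_pid.get(e["ppid"])
        if r and parent and r["target"].lower() == parent["image"].lower():
            hits.append((e["pid"], e["ppid"]))
    return hits


def find_self_spawns(events):
    """(pid, ppid) where a process launches its own image again, as the
    sample does with the /C child. Compares the recorded Image fields, not
    the path inside the command line."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent and parent["image"].lower() == e["image"].lower():
            hits.append((e["pid"], e["ppid"]))
    return hits


if __name__ == "__main__":
    for pid, ppid in find_self_spawns(EVENTS):
        print(f"self-spawn: {pid} re-runs image of parent {ppid}")
    for pid, ppid in find_self_overwrites(EVENTS):
        print(f"self-overwrite: {pid} replaces on-disk image of parent {ppid}",
              parse_self_overwrite(EVENTS[[e['pid'] for e in EVENTS].index(pid)]['cmd']))
```

Two details from the tree matter for writing this against real telemetry. The cmd.exe child is recorded with Image C:\Windows\SysWOW64\cmd.exe although its command line names C:\Windows\System32\cmd.exe: the sample is a 32-bit process on x64 Windows, so file-system redirection maps System32 to SysWOW64, and a rule that compares paths should use the Image field, not the path quoted inside the command line. And the forensic consequence of the overwrite is visible in the memory section: after the ping delay the file at the sample's path contains calc.exe, so the 3.3MB memory dumps of PIDs 1456 and 952, not the file on disk, are the artefacts to analyse.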
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/880-69-0x0000000000000000-mapping.dmp
memory/952-62-0x0000000000400000-0x000000000074F000-memory.dmp (Filesize: 3.3MB)
memory/952-61-0x0000000000000000-mapping.dmp
memory/952-65-0x0000000000400000-0x000000000074F000-memory.dmp (Filesize: 3.3MB)
memory/952-68-0x0000000000400000-0x000000000074F000-memory.dmp (Filesize: 3.3MB)
memory/952-72-0x0000000000400000-0x000000000074F000-memory.dmp (Filesize: 3.3MB)
memory/1076-71-0x0000000000000000-mapping.dmp
memory/1456-57-0x0000000000400000-0x000000000074F000-memory.dmp (Filesize: 3.3MB)
memory/1456-56-0x0000000000400000-0x0000000000492000-memory.dmp (Filesize: 584KB)
memory/1456-60-0x0000000000400000-0x000000000074F000-memory.dmp (Filesize: 3.3MB)
memory/1456-54-0x0000000000400000-0x000000000074F000-memory.dmp (Filesize: 3.3MB)
memory/1456-55-0x0000000076631000-0x0000000076633000-memory.dmp (Filesize: 8KB)
memory/1456-70-0x0000000000400000-0x000000000074F000-memory.dmp (Filesize: 3.3MB)