Analysis
max time kernel: 1795s
max time network: 1583s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 05-10-2022 15:19
Behavioral task: behavioral1
Sample: 1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe
Resource: win7-20220812-en
General
Target: 1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe
Size: 580KB
MD5: 068710300defccac15e8bee569682fff
SHA1: 4a44425eec56c8310e3fa34ca9542a490b7d6133
SHA256: 1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e
SHA512: d8bd5d3271a7d30b00447a5bcab103a87024c057b940e15e6d4a6882573fd5f7eae64c0b139e77be539f5e13915f4b8ba6eaa28d75a956d3d75afc8ac61cf8a2
SSDEEP: 6144:abJZWua+S7vgXGCTkqe+oQePWTmzxWSilcsjhbS1Zi7DzmzAEN:abjVa9ruXTDKPn76njhbSnirOA
Malware Config
Extracted
qakbot
324.141
notset
1588850855
Signatures
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc | 1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service | 1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | 1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc | 1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service | 1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | 1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
pid | process
4876 | 1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe
4876 | 1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe
2208 | 1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe
2208 | 1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe
2208 | 1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe
2208 | 1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description | pid | process | target process
PID 4876 wrote to memory of 2208 | 4876 | 1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe | 1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe
PID 4876 wrote to memory of 2208 | 4876 | 1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe | 1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe
PID 4876 wrote to memory of 2208 | 4876 | 1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe | 1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe (child of 1)
   Command line: C:\Users\Admin\AppData\Local\Temp\1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe /C
   - Checks SCSI registry key(s)
   - Suspicious behavior: EnumeratesProcesses
Downloads
memory/2208-134-0x0000000000000000-mapping.dmp
memory/2208-135-0x0000000000400000-0x0000000000494000-memory.dmp (Filesize 592KB)
memory/2208-136-0x0000000000400000-0x0000000000494000-memory.dmp (Filesize 592KB)
memory/4876-132-0x0000000000640000-0x0000000000677000-memory.dmp (Filesize 220KB)
memory/4876-133-0x0000000000400000-0x0000000000494000-memory.dmp (Filesize 592KB)
memory/4876-137-0x0000000000400000-0x0000000000494000-memory.dmp (Filesize 592KB)