Analysis
-
max time kernel
300s -
max time network
301s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
18-10-2022 14:42
Static task
static1
Behavioral task
behavioral1
Sample
Calculation8808_Oct18.html
Resource
win7-20220812-en
windows7-x64
General
-
Target
Calculation8808_Oct18.html
-
Size
941KB
-
MD5
afcaeea9c56bdec58a207c8ac6890ad3
-
SHA1
03a7ed0478539b55f7bb1cc8c073b2d282f8c5d3
-
SHA256
f80312acccc149b481bcd2efd336c083815379dc51e6d8207711825efc0b2d89
-
SHA512
943811ef44e3aa4152a9c59b203763f6ec7b288cad9b9475416c7dfd326bb2c29d66c9b01a621d7348ffe47e626ba28d46bc437310a9db10148e1f8be01ab5ec
-
SSDEEP
24576:EIVZSR+10T9+2x5F/y57dZyPXhl0LJkqj:3y1BD7F6b
Malware Config
Extracted
qakbot
403.973
obama214
1666019778
105.96.221.136:443
37.37.80.2:3389
105.154.56.232:995
41.107.116.19:443
105.103.52.189:443
159.192.204.135:443
41.107.58.251:443
177.152.65.142:443
102.47.218.41:443
176.45.35.243:443
70.173.248.13:443
102.159.77.134:995
220.123.29.76:443
82.12.196.197:443
103.156.237.71:443
149.126.159.254:443
176.44.119.153:443
181.56.171.3:995
190.205.229.67:2222
151.251.50.117:443
163.182.177.80:443
72.21.109.1:443
41.101.92.195:443
190.193.180.228:443
190.204.112.207:2222
41.97.56.102:443
41.69.209.76:443
190.78.89.157:993
206.1.216.19:2087
85.242.200.96:443
41.251.219.50:443
105.111.141.73:443
41.103.64.82:443
190.39.218.17:443
84.220.13.28:443
190.100.149.122:995
197.1.19.60:443
196.64.70.216:443
196.89.213.40:995
181.168.145.94:443
187.101.200.186:995
41.105.245.174:443
179.25.144.177:995
78.179.135.247:443
94.52.127.44:443
186.18.210.16:443
102.158.215.180:443
78.183.238.79:443
197.1.50.150:443
42.189.32.186:80
167.58.235.5:443
14.54.83.15:443
187.198.8.241:443
71.239.12.136:443
112.70.141.221:443
37.245.136.135:2222
88.232.10.69:443
41.98.250.65:443
82.205.9.34:443
196.64.239.75:443
37.8.68.1:443
197.1.248.244:443
197.2.139.7:443
79.45.134.162:22
182.183.211.163:995
154.246.14.94:443
144.86.17.168:443
182.185.29.69:995
160.177.47.116:6881
181.197.41.173:443
160.248.194.147:443
85.109.221.97:443
125.25.77.249:995
1.20.185.138:443
91.171.72.214:32100
197.10.195.7:443
45.160.33.163:443
202.170.206.61:995
96.9.66.118:995
132.251.244.227:443
113.188.13.246:443
78.181.39.116:443
1.53.101.75:443
197.202.173.111:443
31.201.40.194:443
197.116.178.224:443
79.155.159.177:443
181.188.164.123:443
156.221.50.226:995
41.251.15.7:990
45.240.140.233:995
102.188.91.158:995
189.243.187.76:443
179.105.182.216:995
196.65.230.248:995
181.141.3.126:443
128.234.26.174:995
78.161.194.147:443
78.101.177.210:443
86.217.167.235:2222
-
salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1648 mb.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: cmd.exe -
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings firefox.exe -
NTFS ADS 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Temp\attachment.zip:Zone.Identifier firefox.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2076 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 376 regsvr32.exe 376 regsvr32.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe 2768 wermgr.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 376 regsvr32.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 2560 firefox.exe Token: SeDebugPrivilege 2560 firefox.exe Token: SeDebugPrivilege 2560 firefox.exe Token: SeDebugPrivilege 2560 firefox.exe Token: SeDebugPrivilege 2560 firefox.exe Token: SeDebugPrivilege 2560 firefox.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 2560 firefox.exe 2560 firefox.exe 2560 firefox.exe 2560 firefox.exe -
Suspicious use of SendNotifyMessage 3 IoCs
pid Process 2560 firefox.exe 2560 firefox.exe 2560 firefox.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2560 firefox.exe 2560 firefox.exe 2560 firefox.exe 2560 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2980 wrote to memory of 2560 2980 firefox.exe 82 PID 2980 wrote to memory of 2560 2980 firefox.exe 82 PID 2980 wrote to memory of 2560 2980 firefox.exe 82 PID 2980 wrote to memory of 2560 2980 firefox.exe 82 PID 2980 wrote to memory of 2560 2980 firefox.exe 82 PID 2980 wrote to memory of 2560 2980 firefox.exe 82 PID 2980 wrote to memory of 2560 2980 firefox.exe 82 PID 2980 wrote to memory of 2560 2980 firefox.exe 82 PID 2980 wrote to memory of 2560 2980 firefox.exe 82 PID 2560 wrote to memory of 2904 2560 firefox.exe 83 PID 2560 wrote to memory of 2904 2560 firefox.exe 83 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 956 2560 firefox.exe 86 PID 2560 wrote to memory of 2172 2560 firefox.exe 89 PID 2560 wrote to memory of 2172 2560 firefox.exe 89 PID 2560 wrote to memory of 2172 2560 firefox.exe 89 PID 2560 wrote to memory of 2172 2560 firefox.exe 89 PID 2560 wrote to memory of 2172 2560 firefox.exe 89 PID 2560 wrote to memory of 2172 2560 firefox.exe 89 PID 2560 wrote to memory of 2172 2560 firefox.exe 89 PID 2560 wrote to memory of 2172 2560 firefox.exe 89 PID 2560 wrote to memory of 2172 2560 firefox.exe 89 PID 2560 wrote to memory of 2172 2560 firefox.exe 89
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" C:\Users\Admin\AppData\Local\Temp\Calculation8808_Oct18.html1⤵
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" C:\Users\Admin\AppData\Local\Temp\Calculation8808_Oct18.html2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2560.0.515639250\1724775556" -parentBuildID 20200403170909 -prefsHandle 1712 -prefMapHandle 1704 -prefsLen 1 -prefMapSize 219989 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2560 "\\.\pipe\gecko-crash-server-pipe.2560" 1804 gpu3⤵PID:2904
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2560.3.2064456308\351596371" -childID 1 -isForBrowser -prefsHandle 2460 -prefMapHandle 2444 -prefsLen 112 -prefMapSize 219989 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2560 "\\.\pipe\gecko-crash-server-pipe.2560" 2436 tab3⤵PID:956
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2560.13.58264662\1803564895" -childID 2 -isForBrowser -prefsHandle 3780 -prefMapHandle 3776 -prefsLen 6894 -prefMapSize 219989 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2560 "\\.\pipe\gecko-crash-server-pipe.2560" 3768 tab3⤵PID:2172
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2560.20.238834925\270535239" -childID 3 -isForBrowser -prefsHandle 4596 -prefMapHandle 4612 -prefsLen 7599 -prefMapSize 219989 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2560 "\\.\pipe\gecko-crash-server-pipe.2560" 3096 tab3⤵PID:2792
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2784
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vertices\knockers.cmd regsvr1⤵
- Enumerates connected drives
PID:3080 -
C:\Users\Admin\AppData\Local\Temp\mb.exeC:\Users\Admin\AppData\Local\Temp\mb.exe vertices\unenviably.asc2⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\regsvr32.exevertices\unenviably.asc3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:376 -
C:\Windows\SysWOW64\wermgr.exeC:\Windows\SysWOW64\wermgr.exe4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2768
-
-
-
-
C:\Windows\system32\PING.EXEping 127.0.0.12⤵
- Runs ping.exe
PID:2076
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
24KB
MD5b0c2fa35d14a9fad919e99d9d75e1b9e
SHA18d7c2fd354363daee63e8f591ec52fa5d0e23f6f
SHA256022cb167a29a32dae848be91aef721c74f1975af151807dafcc5ed832db246b7
SHA512a6155e42b605425914d1bf745d9b2b5ed57976e161384731c6821a1f8fa2bc3207a863ae45d6ad371ac82733b72bb024204498baa4fb38ad46c6d7bc52e5a022