Analysis
-
max time kernel
143s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
28-11-2022 13:39
Static task
static1
General
-
Target
AVC67.iso
-
Size
742KB
-
MD5
685f279b87a90a7fad35d2c36ac25b10
-
SHA1
767f16470c4bf219cb5d35226b1eec6ab93a6cca
-
SHA256
c62bad06cef065e8baee469fb0de8c34ce9b994cce656f1842e228bf903fda7d
-
SHA512
3fc74eebb8fabc7c06ee585c09ab54cdb3f3c9d6e01201770332f7ea0cee608589c12b3592a845b994e8fcd1356b740c5ad48d89b3d2ac841d509d91c1561326
-
SSDEEP
12288:FNCm1Mcw5EO6dHvDe0P3lx5EBto8BkfzNbuTyGrC6N2c2mcsAMzxGBRA4cZDNgvN:FN5MFEO6dHvDe0P335EXpUNSleQ2cYi8
Malware Config
Extracted
qakbot
404.46
BB08
1669628564
98.147.155.235:443
85.52.73.34:2222
75.158.15.211:443
2.91.184.252:995
92.106.70.62:2222
85.152.152.46:443
86.159.48.25:2222
217.128.91.196:2222
92.11.189.236:2222
83.92.85.93:443
2.83.62.105:443
93.24.192.142:20
76.20.42.45:443
24.64.114.59:2078
73.36.196.11:443
130.43.99.103:995
172.117.139.142:995
100.16.107.117:443
12.172.173.82:22
176.151.15.101:443
50.68.204.71:443
58.162.223.233:443
50.68.204.71:993
108.162.6.34:995
24.142.218.202:443
174.112.25.29:2078
190.207.253.41:2222
66.191.69.18:995
85.241.180.94:443
149.126.159.106:443
75.141.227.169:443
31.167.227.31:443
173.18.126.3:443
184.153.132.82:443
176.142.207.63:443
82.9.210.36:443
87.221.197.110:2222
174.104.184.149:443
98.145.23.67:443
12.172.173.82:993
24.64.114.59:2222
116.75.63.225:443
136.232.184.134:995
77.126.81.208:443
62.31.130.138:465
75.99.125.235:2222
173.239.94.212:443
92.186.69.229:2222
92.24.200.226:995
109.218.104.206:2222
87.223.85.4:443
24.206.27.39:443
69.119.123.159:2222
64.121.161.102:443
91.169.12.198:32100
58.247.115.126:995
187.199.224.16:32103
123.3.240.16:995
122.178.197.139:995
102.156.232.220:443
12.172.173.82:995
92.98.228.28:2222
86.98.182.30:2222
90.116.219.167:2222
92.27.86.48:2222
93.156.103.241:443
85.7.61.22:2222
105.109.140.201:32103
86.225.214.138:2222
76.100.159.250:443
93.147.235.8:443
75.143.236.149:443
94.63.65.146:443
74.92.243.113:50000
75.98.154.19:443
216.196.245.102:2222
83.110.223.247:443
121.122.99.223:995
70.120.228.205:2083
47.229.96.60:443
86.171.75.63:443
89.129.109.27:2222
136.244.25.165:443
92.137.74.174:2222
78.69.251.252:2222
175.205.2.54:443
12.172.173.82:465
92.185.204.18:2078
58.186.75.42:443
76.80.180.154:995
84.35.26.14:995
190.18.236.175:443
47.41.154.250:443
190.11.198.66:443
81.229.117.95:2222
190.39.199.51:443
197.3.64.204:995
213.67.255.57:2222
86.195.32.149:2222
70.115.104.126:995
24.64.114.59:3389
216.196.245.102:2083
108.162.6.34:443
50.90.249.161:443
170.253.25.35:443
103.144.201.62:2078
24.64.114.59:50010
23.240.47.58:995
45.248.169.101:443
92.239.81.124:443
83.21.138.251:2222
80.13.179.151:2222
184.155.91.69:443
193.154.207.221:443
90.104.22.28:2222
71.247.10.63:50003
108.6.249.139:443
184.176.154.83:995
174.77.209.5:443
100.8.168.108:443
-
salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
WScript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation WScript.exe -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 4396 rundll32.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
WScript.exedescription ioc process File opened (read-only) \??\E: WScript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes:
cmd.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings cmd.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exerundll32.exewermgr.exepid process 1376 powershell.exe 1376 powershell.exe 1376 powershell.exe 4396 rundll32.exe 4396 rundll32.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe 3060 wermgr.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
rundll32.exepid process 4396 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
cmd.exepowershell.exedescription pid process Token: SeManageVolumePrivilege 632 cmd.exe Token: SeManageVolumePrivilege 632 cmd.exe Token: SeDebugPrivilege 1376 powershell.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
WScript.exepowershell.exerundll32.exerundll32.exedescription pid process target process PID 1564 wrote to memory of 1376 1564 WScript.exe powershell.exe PID 1564 wrote to memory of 1376 1564 WScript.exe powershell.exe PID 1376 wrote to memory of 3272 1376 powershell.exe rundll32.exe PID 1376 wrote to memory of 3272 1376 powershell.exe rundll32.exe PID 3272 wrote to memory of 4396 3272 rundll32.exe rundll32.exe PID 3272 wrote to memory of 4396 3272 rundll32.exe rundll32.exe PID 3272 wrote to memory of 4396 3272 rundll32.exe rundll32.exe PID 4396 wrote to memory of 3060 4396 rundll32.exe wermgr.exe PID 4396 wrote to memory of 3060 4396 rundll32.exe wermgr.exe PID 4396 wrote to memory of 3060 4396 rundll32.exe wermgr.exe PID 4396 wrote to memory of 3060 4396 rundll32.exe wermgr.exe PID 4396 wrote to memory of 3060 4396 rundll32.exe wermgr.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\AVC67.iso1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "E:\AS.js"1⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass peseta\persistence.ps12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\users\public\test1.txt DrawThemeIcon3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\users\public\test1.txt DrawThemeIcon4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wermgr.exeC:\Windows\SysWOW64\wermgr.exe5⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\test1.txtFilesize
472KB
MD5c89575b2d429b29a9d434d4a089f34f9
SHA14eea86d109a16d930ed7c2dee480dec926d68a49
SHA2569d91fd2db63d8227afad1b24ba15e8c1edf28d01152efa91402efa7872c2200c
SHA51283e464a3b042445d6fdee7a612b45292d1360f6e68ccd03bf83024be15aadff8756748bead37193f6d5916da2549e9eba98f76a541bc6f6f766a8ea694feaa3c
-
C:\users\public\test1.txtFilesize
472KB
MD5c89575b2d429b29a9d434d4a089f34f9
SHA14eea86d109a16d930ed7c2dee480dec926d68a49
SHA2569d91fd2db63d8227afad1b24ba15e8c1edf28d01152efa91402efa7872c2200c
SHA51283e464a3b042445d6fdee7a612b45292d1360f6e68ccd03bf83024be15aadff8756748bead37193f6d5916da2549e9eba98f76a541bc6f6f766a8ea694feaa3c
-
memory/1376-133-0x0000024A57D30000-0x0000024A57D52000-memory.dmpFilesize
136KB
-
memory/1376-134-0x00007FFE90550000-0x00007FFE91011000-memory.dmpFilesize
10.8MB
-
memory/1376-132-0x0000000000000000-mapping.dmp
-
memory/1376-138-0x00007FFE90550000-0x00007FFE91011000-memory.dmpFilesize
10.8MB
-
memory/3060-142-0x0000000000000000-mapping.dmp
-
memory/3060-145-0x0000000000C50000-0x0000000000C7A000-memory.dmpFilesize
168KB
-
memory/3060-144-0x0000000000C50000-0x0000000000C7A000-memory.dmpFilesize
168KB
-
memory/3272-135-0x0000000000000000-mapping.dmp
-
memory/4396-141-0x00000000023C0000-0x00000000023EA000-memory.dmpFilesize
168KB
-
memory/4396-143-0x00000000023C0000-0x00000000023EA000-memory.dmpFilesize
168KB
-
memory/4396-140-0x0000000002390000-0x00000000023BA000-memory.dmpFilesize
168KB
-
memory/4396-137-0x0000000000000000-mapping.dmp