Analysis
-
max time kernel
601s -
max time network
590s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
09-12-2022 21:26
Static task
static1
Behavioral task
behavioral1
Sample
BF.vbs
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
BF.vbs
Resource
win10v2004-20220812-en
Behavioral task
behavioral3
Sample
teased/beguiler.vbs
Resource
win7-20220812-en
Behavioral task
behavioral4
Sample
teased/beguiler.vbs
Resource
win10v2004-20220812-en
Behavioral task
behavioral5
Sample
teased/brainwaves.ps1
Resource
win7-20220812-en
Behavioral task
behavioral6
Sample
teased/brainwaves.ps1
Resource
win10v2004-20220901-en
General
-
Target
BF.vbs
-
Size
180B
-
MD5
fcf6c65b599aaad756e0c32e688ec9db
-
SHA1
28e5e0be32ec5d837dcbbf8bbe5be9a44e14750b
-
SHA256
dc9c38ba168c5fd0c78917e9cd8f1ddf7119c59a80ef5e097705091a157a3cb0
-
SHA512
e25f419e1b489e7f23259395ed39bca2b964ef5a963efdaa102415928f7e5370823a128c5510f5417617c50b200f2588257716d45a8c742e3cca364daa44e37b
Malware Config
Extracted
qakbot
404.46
BB08
1669628564
98.147.155.235:443
85.52.73.34:2222
75.158.15.211:443
2.91.184.252:995
92.106.70.62:2222
85.152.152.46:443
86.159.48.25:2222
217.128.91.196:2222
92.11.189.236:2222
83.92.85.93:443
2.83.62.105:443
93.24.192.142:20
76.20.42.45:443
24.64.114.59:2078
73.36.196.11:443
130.43.99.103:995
172.117.139.142:995
100.16.107.117:443
12.172.173.82:22
176.151.15.101:443
50.68.204.71:443
58.162.223.233:443
50.68.204.71:993
108.162.6.34:995
24.142.218.202:443
174.112.25.29:2078
190.207.253.41:2222
66.191.69.18:995
85.241.180.94:443
149.126.159.106:443
75.141.227.169:443
31.167.227.31:443
173.18.126.3:443
184.153.132.82:443
176.142.207.63:443
82.9.210.36:443
87.221.197.110:2222
174.104.184.149:443
98.145.23.67:443
12.172.173.82:993
24.64.114.59:2222
116.75.63.225:443
136.232.184.134:995
77.126.81.208:443
62.31.130.138:465
75.99.125.235:2222
173.239.94.212:443
92.186.69.229:2222
92.24.200.226:995
109.218.104.206:2222
87.223.85.4:443
24.206.27.39:443
69.119.123.159:2222
64.121.161.102:443
91.169.12.198:32100
58.247.115.126:995
187.199.224.16:32103
123.3.240.16:995
122.178.197.139:995
102.156.232.220:443
12.172.173.82:995
92.98.228.28:2222
86.98.182.30:2222
90.116.219.167:2222
92.27.86.48:2222
93.156.103.241:443
85.7.61.22:2222
105.109.140.201:32103
86.225.214.138:2222
76.100.159.250:443
93.147.235.8:443
75.143.236.149:443
94.63.65.146:443
74.92.243.113:50000
75.98.154.19:443
216.196.245.102:2222
83.110.223.247:443
121.122.99.223:995
70.120.228.205:2083
47.229.96.60:443
86.171.75.63:443
89.129.109.27:2222
136.244.25.165:443
92.137.74.174:2222
78.69.251.252:2222
175.205.2.54:443
12.172.173.82:465
92.185.204.18:2078
58.186.75.42:443
76.80.180.154:995
84.35.26.14:995
190.18.236.175:443
47.41.154.250:443
190.11.198.66:443
81.229.117.95:2222
190.39.199.51:443
197.3.64.204:995
213.67.255.57:2222
86.195.32.149:2222
70.115.104.126:995
24.64.114.59:3389
216.196.245.102:2083
108.162.6.34:443
50.90.249.161:443
170.253.25.35:443
103.144.201.62:2078
24.64.114.59:50010
23.240.47.58:995
45.248.169.101:443
92.239.81.124:443
83.21.138.251:2222
80.13.179.151:2222
184.155.91.69:443
193.154.207.221:443
90.104.22.28:2222
71.247.10.63:50003
108.6.249.139:443
184.176.154.83:995
174.77.209.5:443
100.8.168.108:443
-
salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures
-
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 2000 rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Discovers systems in the same network 1 TTPs 1 IoCs
-
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
Processes:
ipconfig.exenetstat.exepid process 828 ipconfig.exe 2016 netstat.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exerundll32.exewermgr.exepid process 1212 powershell.exe 1212 powershell.exe 2000 rundll32.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe 1464 wermgr.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
rundll32.exepid process 2000 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 28 IoCs
Processes:
powershell.exenetstat.exewhoami.exemsiexec.exedescription pid process Token: SeDebugPrivilege 1212 powershell.exe Token: SeDebugPrivilege 2016 netstat.exe Token: SeDebugPrivilege 532 whoami.exe Token: SeDebugPrivilege 532 whoami.exe Token: SeDebugPrivilege 532 whoami.exe Token: SeDebugPrivilege 532 whoami.exe Token: SeDebugPrivilege 532 whoami.exe Token: SeDebugPrivilege 532 whoami.exe Token: SeDebugPrivilege 532 whoami.exe Token: SeDebugPrivilege 532 whoami.exe Token: SeDebugPrivilege 532 whoami.exe Token: SeDebugPrivilege 532 whoami.exe Token: SeDebugPrivilege 532 whoami.exe Token: SeDebugPrivilege 532 whoami.exe Token: SeDebugPrivilege 532 whoami.exe Token: SeDebugPrivilege 532 whoami.exe Token: SeDebugPrivilege 532 whoami.exe Token: SeDebugPrivilege 532 whoami.exe Token: SeDebugPrivilege 532 whoami.exe Token: SeDebugPrivilege 532 whoami.exe Token: SeDebugPrivilege 532 whoami.exe Token: SeDebugPrivilege 532 whoami.exe Token: SeDebugPrivilege 532 whoami.exe Token: SeDebugPrivilege 532 whoami.exe Token: SeDebugPrivilege 532 whoami.exe Token: SeRestorePrivilege 1968 msiexec.exe Token: SeTakeOwnershipPrivilege 1968 msiexec.exe Token: SeSecurityPrivilege 1968 msiexec.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
WScript.exepowershell.exerundll32.exewermgr.exenet.exenet.exedescription pid process target process PID 1848 wrote to memory of 1212 1848 WScript.exe powershell.exe PID 1848 wrote to memory of 1212 1848 WScript.exe powershell.exe PID 1848 wrote to memory of 1212 1848 WScript.exe powershell.exe PID 1848 wrote to memory of 1212 1848 WScript.exe powershell.exe PID 1212 wrote to memory of 2000 1212 powershell.exe rundll32.exe PID 1212 wrote to memory of 2000 1212 powershell.exe rundll32.exe PID 1212 wrote to memory of 2000 1212 powershell.exe rundll32.exe PID 1212 wrote to memory of 2000 1212 powershell.exe rundll32.exe PID 1212 wrote to memory of 2000 1212 powershell.exe rundll32.exe PID 1212 wrote to memory of 2000 1212 powershell.exe rundll32.exe PID 1212 wrote to memory of 2000 1212 powershell.exe rundll32.exe PID 2000 wrote to memory of 1464 2000 rundll32.exe wermgr.exe PID 2000 wrote to memory of 1464 2000 rundll32.exe wermgr.exe PID 2000 wrote to memory of 1464 2000 rundll32.exe wermgr.exe PID 2000 wrote to memory of 1464 2000 rundll32.exe wermgr.exe PID 2000 wrote to memory of 1464 2000 rundll32.exe wermgr.exe PID 2000 wrote to memory of 1464 2000 rundll32.exe wermgr.exe PID 1464 wrote to memory of 1328 1464 wermgr.exe net.exe PID 1464 wrote to memory of 1328 1464 wermgr.exe net.exe PID 1464 wrote to memory of 1328 1464 wermgr.exe net.exe PID 1464 wrote to memory of 1328 1464 wermgr.exe net.exe PID 1464 wrote to memory of 1316 1464 wermgr.exe cmd.exe PID 1464 wrote to memory of 1316 1464 wermgr.exe cmd.exe PID 1464 wrote to memory of 1316 1464 wermgr.exe cmd.exe PID 1464 wrote to memory of 1316 1464 wermgr.exe cmd.exe PID 1464 wrote to memory of 1392 1464 wermgr.exe arp.exe PID 1464 wrote to memory of 1392 1464 wermgr.exe arp.exe PID 1464 wrote to memory of 1392 1464 wermgr.exe arp.exe PID 1464 wrote to memory of 1392 1464 wermgr.exe arp.exe PID 1464 wrote to memory of 828 1464 wermgr.exe ipconfig.exe PID 1464 wrote to memory of 828 1464 wermgr.exe ipconfig.exe PID 1464 wrote to memory of 828 1464 wermgr.exe ipconfig.exe PID 1464 wrote to memory of 828 1464 wermgr.exe ipconfig.exe PID 1464 wrote to memory of 1692 1464 wermgr.exe nslookup.exe PID 1464 wrote to memory of 1692 1464 wermgr.exe nslookup.exe PID 1464 wrote to memory of 1692 1464 wermgr.exe nslookup.exe PID 1464 wrote to memory of 1692 1464 wermgr.exe nslookup.exe PID 1464 wrote to memory of 1172 1464 wermgr.exe net.exe PID 1464 wrote to memory of 1172 1464 wermgr.exe net.exe PID 1464 wrote to memory of 1172 1464 wermgr.exe net.exe PID 1464 wrote to memory of 1172 1464 wermgr.exe net.exe PID 1172 wrote to memory of 1740 1172 net.exe net1.exe PID 1172 wrote to memory of 1740 1172 net.exe net1.exe PID 1172 wrote to memory of 1740 1172 net.exe net1.exe PID 1172 wrote to memory of 1740 1172 net.exe net1.exe PID 1464 wrote to memory of 388 1464 wermgr.exe route.exe PID 1464 wrote to memory of 388 1464 wermgr.exe route.exe PID 1464 wrote to memory of 388 1464 wermgr.exe route.exe PID 1464 wrote to memory of 388 1464 wermgr.exe route.exe PID 1464 wrote to memory of 2016 1464 wermgr.exe netstat.exe PID 1464 wrote to memory of 2016 1464 wermgr.exe netstat.exe PID 1464 wrote to memory of 2016 1464 wermgr.exe netstat.exe PID 1464 wrote to memory of 2016 1464 wermgr.exe netstat.exe PID 1464 wrote to memory of 1480 1464 wermgr.exe net.exe PID 1464 wrote to memory of 1480 1464 wermgr.exe net.exe PID 1464 wrote to memory of 1480 1464 wermgr.exe net.exe PID 1464 wrote to memory of 1480 1464 wermgr.exe net.exe PID 1480 wrote to memory of 1628 1480 net.exe net1.exe PID 1480 wrote to memory of 1628 1480 net.exe net1.exe PID 1480 wrote to memory of 1628 1480 net.exe net1.exe PID 1480 wrote to memory of 1628 1480 net.exe net1.exe PID 1464 wrote to memory of 532 1464 wermgr.exe whoami.exe PID 1464 wrote to memory of 532 1464 wermgr.exe whoami.exe PID 1464 wrote to memory of 532 1464 wermgr.exe whoami.exe
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\BF.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass teased\\brainwaves.ps12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\users\public\extroversionRadiantly.txt DrawThemeIcon3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wermgr.exeC:\Windows\SysWOW64\wermgr.exe4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet view5⤵
- Discovers systems in the same network
-
C:\Windows\SysWOW64\cmd.execmd /c set5⤵
-
C:\Windows\SysWOW64\arp.exearp -a5⤵
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /all5⤵
- Gathers network information
-
C:\Windows\SysWOW64\nslookup.exenslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP5⤵
-
C:\Windows\SysWOW64\net.exenet share5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 share6⤵
-
C:\Windows\SysWOW64\route.exeroute print5⤵
-
C:\Windows\SysWOW64\netstat.exenetstat -nao5⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\net.exenet localgroup5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup6⤵
-
C:\Windows\SysWOW64\whoami.exewhoami /all5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\users\public\extroversionRadiantly.txtFilesize
725KB
MD5ed77586a14e95e3480d26c85219ae795
SHA1bc15afb8b4aec58f7c3ce38f780ce4c5f8444b1d
SHA256e978b0c77018e382ef87f6cee623b5b8b436a331449f8e2edca65b1c045aacc7
SHA51203fee67cc0dda7b9518e5cb7934e0a18d872d40c357b70454d2353f91ac763eabeec5c9f2ca62cdcb510dff09f11e1acd47caaf7a96651c4010a5402c45ec857
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Public\extroversionRadiantly.txtFilesize
725KB
MD5ed77586a14e95e3480d26c85219ae795
SHA1bc15afb8b4aec58f7c3ce38f780ce4c5f8444b1d
SHA256e978b0c77018e382ef87f6cee623b5b8b436a331449f8e2edca65b1c045aacc7
SHA51203fee67cc0dda7b9518e5cb7934e0a18d872d40c357b70454d2353f91ac763eabeec5c9f2ca62cdcb510dff09f11e1acd47caaf7a96651c4010a5402c45ec857
-
memory/388-79-0x0000000000000000-mapping.dmp
-
memory/532-84-0x0000000000000000-mapping.dmp
-
memory/828-74-0x0000000000000000-mapping.dmp
-
memory/1172-77-0x0000000000000000-mapping.dmp
-
memory/1212-57-0x0000000073CF0000-0x000000007429B000-memory.dmpFilesize
5.7MB
-
memory/1212-61-0x0000000073CF0000-0x000000007429B000-memory.dmpFilesize
5.7MB
-
memory/1212-58-0x0000000073CF0000-0x000000007429B000-memory.dmpFilesize
5.7MB
-
memory/1212-56-0x0000000076091000-0x0000000076093000-memory.dmpFilesize
8KB
-
memory/1212-55-0x0000000000000000-mapping.dmp
-
memory/1316-72-0x0000000000000000-mapping.dmp
-
memory/1328-71-0x0000000000000000-mapping.dmp
-
memory/1392-73-0x0000000000000000-mapping.dmp
-
memory/1464-70-0x0000000000080000-0x00000000000AA000-memory.dmpFilesize
168KB
-
memory/1464-69-0x0000000000080000-0x00000000000AA000-memory.dmpFilesize
168KB
-
memory/1464-66-0x0000000000000000-mapping.dmp
-
memory/1480-81-0x0000000000000000-mapping.dmp
-
memory/1628-82-0x0000000000000000-mapping.dmp
-
memory/1692-76-0x0000000000000000-mapping.dmp
-
memory/1740-78-0x0000000000000000-mapping.dmp
-
memory/1848-54-0x000007FEFBCA1000-0x000007FEFBCA3000-memory.dmpFilesize
8KB
-
memory/2000-68-0x00000000001C0000-0x00000000001EA000-memory.dmpFilesize
168KB
-
memory/2000-65-0x00000000001C0000-0x00000000001EA000-memory.dmpFilesize
168KB
-
memory/2000-64-0x0000000001D80000-0x0000000001DF3000-memory.dmpFilesize
460KB
-
memory/2000-59-0x0000000000000000-mapping.dmp
-
memory/2016-80-0x0000000000000000-mapping.dmp