Resubmissions

Submitted            Task ID             Score
03/01/2023, 22:21    230103-19zbkadb27   10
03/01/2023, 21:37    230103-1ggaaagc4v   3
20/12/2022, 21:04    221220-zwk2caec3s   10
20/12/2022, 20:57    221220-zrtgxsec2x   10
20/12/2022, 19:58    221220-ypwzlaah56   10
20/12/2022, 19:49    221220-yjtx2sea5z   3

Analysis

Max time kernel: 1800s
Max time network: 1768s
Platform: windows10-2004_x64
Resource: win10v2004-20221111-en
Resource tags: arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
Submitted: 03/01/2023, 22:21
Static task: static1

General

Target: DocumentsFolder 9790038 12202022.img
Size: 2.3MB
MD5: 9c48a4a759736c484133d5f0b7f8fb6b
SHA1: f3789ccf422731acd0267c6401b48f7369942e9a
SHA256: d11c02eedbdce883293bc676d4f635357ab3dab76ccc4c3d100c73e41e1e7a65
SHA512: 276f572e8e835b5a4425b169bfa0bf12844692747c61fbbcfc3417f5be27cc7b157086808208493ac3c7ed9bda1359e17fefb0e21e8ac0d139e729ea79d36063
SSDEEP: 24576:MKbbqQlRH90zhBs7tl+vJtzsJPwfwXR1F0yvc8NTmIg9EcjZdFkz:MKXqQz901gcDsJPwfwXfFxvFnQ
Malware Config

Extracted

Family: qakbot
Version: 404.60
Botnet: obama231
Campaign: 1671537480
C2 (one host:port per line):
181.118.206.65:995
83.110.95.209:995
147.148.234.231:2222
93.156.97.50:443
217.128.200.114:2222
76.11.14.249:443
80.98.132.66:443
175.139.130.191:2222
27.99.45.237:2222
72.200.109.104:443
184.153.132.82:443
92.148.54.239:2222
90.119.197.132:2222
86.96.75.237:2222
199.83.165.233:443
12.172.173.82:995
12.172.173.82:50001
37.15.128.31:2222
86.99.15.254:2222
91.96.249.3:443
69.165.145.141:443
60.254.51.168:443
116.75.63.156:443
75.156.125.215:995
150.107.231.59:2222
93.147.134.85:443
82.9.210.36:443
174.112.22.106:2078
86.195.14.72:2222
60.234.194.12:2222
89.152.120.181:443
94.30.98.134:32100
86.183.251.169:2222
128.127.21.57:443
184.68.116.146:2222
184.68.116.146:3389
83.213.201.104:993
92.189.214.236:2222
73.29.92.128:443
206.166.209.170:2222
93.147.235.8:443
103.212.19.254:995
86.98.23.199:443
45.152.16.14:443
202.142.98.62:443
92.185.204.18:2078
92.27.86.48:2222
85.241.180.94:443
109.159.119.186:2222
84.113.121.103:443
70.64.77.115:443
75.143.236.149:443
90.79.129.166:2222
67.235.138.14:443
84.35.26.14:995
108.6.249.139:443
176.44.121.220:995
80.103.77.44:2222
217.43.16.149:443
182.79.116.126:443
184.68.116.146:2078
76.80.180.154:995
181.118.183.50:443
27.0.48.233:443
72.80.7.6:995
47.34.30.133:443
76.170.252.153:995
70.77.116.233:443
47.41.154.250:443
103.144.201.62:2078
108.162.6.34:443
50.68.204.71:443
73.36.196.11:443
87.65.160.87:995
12.172.173.82:465
144.64.226.144:443
66.191.69.18:995
79.13.202.140:443
77.86.98.236:443
152.170.17.136:443
123.3.240.16:995
70.115.104.126:995
45.248.169.101:443
86.160.253.56:443
24.228.132.224:2222
69.133.162.35:443
171.97.42.82:443
86.130.9.250:2222
178.153.5.54:443
12.172.173.82:20
75.84.234.68:443
136.244.25.165:443
71.31.101.183:443
74.33.196.114:443
183.82.100.110:2222
76.100.159.250:443
12.172.173.82:32101
2.99.47.198:2222
90.66.229.185:2222
174.104.184.149:443
82.6.99.234:443
103.42.86.42:995
90.89.95.158:2222
122.186.71.98:443
27.109.19.90:2078
12.172.173.82:22
86.225.214.138:2222
173.18.126.3:443
162.248.14.107:443
12.172.173.82:990
184.68.116.146:61202
184.176.154.83:995
92.207.132.174:2222
75.98.154.19:443
81.248.77.37:2222
142.161.27.232:2222
90.104.22.28:2222
96.255.66.51:995
Salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Discovers systems in the same network (1 TTPs, 1 IoCs)
  pid 4716  net.exe

Gathers network information (2 TTPs, 2 IoCs)
  Uses commandline utility to view network configuration.
  pid 1676  ipconfig.exe
  pid 3444  netstat.exe

Modifies registry class (1 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings  (process: cmd.exe)

Runs net.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 4104  rundll32.exe  (2 entries)
  pid 1764  wermgr.exe    (all remaining entries)

Suspicious behavior: MapViewOfSection (1 IoCs)
  pid 4104  rundll32.exe

Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Token: SeManageVolumePrivilege  pid 4272  cmd.exe      (2 entries)
  Token: SeDebugPrivilege         pid 3444  netstat.exe  (1 entry)
  Token: SeDebugPrivilege         pid 2376  whoami.exe   (27 entries)
  Token: SeSecurityPrivilege      pid 3240  msiexec.exe  (1 entry)

Suspicious use of WriteProcessMemory (44 IoCs)
  Source PID / process      Target PID   procid_target   Entries
  3208  rundll32.exe   ->   4104         92              3
  4104  rundll32.exe   ->   1764         93              5
  1764  wermgr.exe     ->   4716         97              3
  1764  wermgr.exe     ->   1664         99              3
  1764  wermgr.exe     ->   1392         101             3
  1764  wermgr.exe     ->   1676         103             3
  1764  wermgr.exe     ->   4316         105             3
  1764  wermgr.exe     ->   4756         107             3
  4756  net.exe        ->   3680         109             3
  1764  wermgr.exe     ->   1588         110             3
  1764  wermgr.exe     ->   3444         112             3
  1764  wermgr.exe     ->   5024         114             3
  5024  net.exe        ->   3676         116             3
  1764  wermgr.exe     ->   2376         117             3
Processes

Child processes are indented beneath their parent.

C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\DocumentsFolder 9790038 12202022.img"
  PID: 4272
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1616

C:\Windows\System32\rundll32.exe
  Command line: "C:\Windows\System32\rundll32.exe" \cursor.dat,qqqq
  PID: 3208
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" \cursor.dat,qqqq
      PID: 4104
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\wermgr.exe
          Command line: C:\Windows\SysWOW64\wermgr.exe
          PID: 1764
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\net.exe
              Command line: net view
              PID: 4716
              - Discovers systems in the same network

            C:\Windows\SysWOW64\cmd.exe
              Command line: cmd /c set
              PID: 1664

            C:\Windows\SysWOW64\arp.exe
              Command line: arp -a
              PID: 1392

            C:\Windows\SysWOW64\ipconfig.exe
              Command line: ipconfig /all
              PID: 1676
              - Gathers network information

            C:\Windows\SysWOW64\nslookup.exe
              Command line: nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP
              PID: 4316

            C:\Windows\SysWOW64\net.exe
              Command line: net share
              PID: 4756
              - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\net1.exe
                  Command line: C:\Windows\system32\net1 share
                  PID: 3680

            C:\Windows\SysWOW64\route.exe
              Command line: route print
              PID: 1588

            C:\Windows\SysWOW64\netstat.exe
              Command line: netstat -nao
              PID: 3444
              - Gathers network information
              - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\net.exe
              Command line: net localgroup
              PID: 5024
              - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\net1.exe
                  Command line: C:\Windows\system32\net1 localgroup
                  PID: 3676

            C:\Windows\SysWOW64\whoami.exe
              Command line: whoami /all
              PID: 2376
              - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 3240
  - Suspicious use of AdjustPrivilegeToken