Overview
Static: score 10
RR.lnk (windows7-x64): score 1
RR.lnk (windows10-2004-x64): score 3
vibrations...ss.exe (windows7-x64): score 10
vibrations...ss.exe (windows10-2004-x64)
vibrations/croaks.sql (windows7-x64): score 1
vibrations/croaks.sql (windows10-2004-x64): score 3
vibrations...id.cmd (windows7-x64): score 3
vibrations...id.cmd (windows10-2004-x64): score 1
Analysis
max time kernel: 150s
max time network: 105s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/02/2023, 22:02
Static task: static1
Behavioral task behavioral1: Sample RR.lnk, Resource win7-20230220-en
Behavioral task behavioral2: Sample RR.lnk, Resource win10v2004-20230220-en
Behavioral task behavioral3: Sample vibrations/airtightness.exe, Resource win7-20230220-en
Behavioral task behavioral4: Sample vibrations/airtightness.exe, Resource win10v2004-20230220-en
Behavioral task behavioral5: Sample vibrations/croaks.sql, Resource win7-20230220-en
Behavioral task behavioral6: Sample vibrations/croaks.sql, Resource win10v2004-20230220-en
Behavioral task behavioral7: Sample vibrations/polaroid.cmd, Resource win7-20230220-en
Behavioral task behavioral8: Sample vibrations/polaroid.cmd, Resource win10v2004-20230220-en
General
Target: RR.lnk
Size: 1KB
MD5: 02ffb37fb80d62bccbe6013ff3d4d2f0
SHA1: 8f06f89e0fa1ef30b3be0637c3f9a009f8492854
SHA256: acbfe9386d83f7db8529f9a5d10a0add6a26b1ee6a855210a4f4100f94dea21c
SHA512: 0f4883a7d35e3cee520ba8c3b78c6cf9d339cd273172f999a9d6cd4149120aca330c01c078653af99a171f7a49ddd0d61ffe2af3aab9a66421d814c923b9149e
Malware Config
Extracted: qakbot, 404.9, BB16, 1677046917
salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation; Process: cmd.exe
Loads dropped DLL (1 IoCs)
pid 4004, Process rundll32.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (1 IoCs)
pid 2168, pid_target 4004, Process WerFault.exe, procid_target 88
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid 4004, Process rundll32.exe (2 entries); pid 216, Process wermgr.exe (remaining 62 entries)
Suspicious behavior: MapViewOfSection (1 IoCs)
pid 4004, Process rundll32.exe
Suspicious use of WriteProcessMemory (15 IoCs)
PID 2184 (cmd.exe) wrote to memory of 5104, procid_target 85 (3 entries)
PID 5104 (cmd.exe) wrote to memory of 488, procid_target 86 (2 entries)
PID 5104 (cmd.exe) wrote to memory of 728, procid_target 87 (2 entries)
PID 5104 (cmd.exe) wrote to memory of 4004, procid_target 88 (3 entries)
PID 4004 (rundll32.exe) wrote to memory of 216, procid_target 91 (5 entries)
Processes
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\RR.lnk
  PID: 2184
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\SysWOW64\cmd.exe" /q /c vibrations\\polaroid.cmd
    PID: 5104
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\vibrations\airtightness.exe
      vibrations\airtightness.exe -decode vibrations\croaks.sql c:\users\public\output.txt
      PID: 488
    - C:\Users\Admin\AppData\Local\Temp\vibrations\airtightness.exe
      vibrations\airtightness.exe -decode c:\users\public\output.txt c:\users\public\output2.txt
      PID: 728
    - C:\Windows\SysWOW64\rundll32.exe
      rundll32 c:\users\public\output2.txt,N115
      PID: 4004
      Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 540
        PID: 2168
        Signatures: Program crash
      - C:\Windows\SysWOW64\wermgr.exe
        C:\Windows\SysWOW64\wermgr.exe
        PID: 216
        Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4004 -ip 4004
  PID: 3612
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 904KB
  MD5: a6baa56cc1fb0fb73ad86142aa7b55d9
  SHA1: 8651cf4de25617b9727afd4004fe70e516f05c6f
  SHA256: 860f6be05c43522e405e9bfd862ee9a02c16c406ee87d8da662764d0cb3c39cd
  SHA512: cbbb171a14fb0376924302cc160a8130b82403cd9644af424baf96617774f463813ae90cf8c7a676cebfffd5c2441ef283f2ddb890cc051fed283059a61e43e3
- Filesize: 1.2MB
  MD5: 22cfe9eedc2e6c8ff516656b6242ac41
  SHA1: f59c6a1431ad36bb9035dc8043ca2aa7f151607d
  SHA256: ffc649866a338db3fd611a8ad361674ce83d20dfaf547f76fdd37c0442c287c4
  SHA512: 1c02a208d0ff6142247ef9eb2ffbf73ea06b0f3c06903462c46b55c0cd3420b9c471d6f29aa6bdd844b32c489828bdb6c4455fc1fff838cf2c4fc3d923eb2b03