Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/02/2023, 01:49
Static task: static1
Behavioral task: behavioral1
  Sample: RR.lnk
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: RR.lnk
  Resource: win10v2004-20230220-en
Behavioral task: behavioral3
  Sample: vibrations/disharmony.cmd
  Resource: win7-20230220-en
Behavioral task: behavioral4
  Sample: vibrations/disharmony.cmd
  Resource: win10v2004-20230221-en
Behavioral task: behavioral5
  Sample: vibrations/smirch.exe
  Resource: win7-20230220-en
Behavioral task: behavioral6
  Sample: vibrations/smirch.exe
  Resource: win10v2004-20230220-en
General
- Target: RR.lnk
- Size: 1KB
- MD5: db1ff5d2699b70f0932f6ba65f5642cf
- SHA1: 104b04eddf98e76c50e54fbd5645ec0f22c64035
- SHA256: 6af7106256432463f4281e0ee44a499c8c7188b034f5428b5f1018bc22883de1
- SHA512: 2e81a9472927a873bf05d700a591d72afe9ad006f2d46413b507690e5d9d4b9b18a71bd1f2f3d142d037d6e7c880857b6bb6b02620977d66cd779fd06ae9e664
Malware Config
Extracted
- Family: qakbot
- Version: 404.9
- Botnet: BB16
- Campaign: 1677046917
- C2:
47.21.51.138:443
72.80.7.6:50003
82.127.204.82:2222
49.175.72.56:443
201.244.108.183:995
122.184.143.82:443
102.156.253.86:443
74.58.71.237:443
47.21.51.138:995
77.86.98.236:443
71.31.101.183:443
136.232.184.134:995
86.225.214.138:2222
95.242.101.251:995
109.11.175.42:2222
90.78.138.217:2222
184.176.35.223:2222
35.143.97.145:995
202.186.177.88:443
114.79.180.14:995
86.150.47.219:443
183.87.163.165:443
50.68.186.195:443
190.75.95.164:2222
98.145.23.67:443
67.10.175.47:2222
71.212.147.224:2222
88.126.94.4:50000
103.140.174.19:2222
103.231.216.238:443
78.84.123.237:995
180.151.108.14:443
80.47.57.131:2222
198.2.51.242:993
50.68.204.71:995
205.164.227.222:443
147.219.4.194:443
77.124.6.149:443
49.245.82.178:2222
46.10.198.107:443
76.80.180.154:995
12.172.173.82:32101
68.150.18.161:443
68.173.170.110:8443
24.9.220.167:443
12.172.173.82:2087
50.68.204.71:993
107.146.12.26:2222
81.229.117.95:2222
27.0.48.233:443
69.133.162.35:443
59.28.84.65:443
76.170.252.153:995
89.32.159.192:995
202.142.98.62:995
73.78.215.104:443
181.164.217.211:443
92.97.203.51:2222
116.74.164.26:443
103.141.50.102:995
149.74.159.67:2222
116.72.250.18:443
125.99.69.178:443
202.142.98.62:443
67.61.71.201:443
103.123.223.168:443
80.13.205.69:2222
80.0.74.165:443
86.99.54.39:2222
213.67.255.57:2222
176.142.207.63:443
50.67.17.92:443
217.165.1.53:2222
70.64.77.115:443
2.50.47.74:443
66.191.69.18:995
75.143.236.149:443
197.92.136.122:443
108.190.203.42:995
50.68.204.71:443
12.172.173.82:995
70.77.116.233:443
162.248.14.107:443
75.98.154.19:443
58.247.115.126:995
184.68.116.146:61202
41.99.50.76:443
184.68.116.146:3389
72.203.216.98:2222
103.252.7.231:443
12.172.173.82:50001
70.160.80.210:443
12.172.173.82:465
12.172.173.82:21
47.34.30.133:443
202.187.232.161:995
98.147.155.235:443
124.122.56.144:443
75.141.227.169:443
103.144.201.53:2078
172.248.42.122:443
12.172.173.82:990
24.239.69.244:443
173.18.126.3:443
73.165.119.20:443
90.104.22.28:2222
14.192.241.76:995
74.33.196.114:443
74.93.148.97:995
86.202.48.142:2222
174.104.184.149:443
12.172.173.82:20
109.151.144.37:443
104.35.24.154:443
114.143.176.234:443
84.35.26.14:995
45.50.233.214:443
64.237.185.60:443
73.161.176.218:443
- Attributes:
  salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Process: cmd.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation
- Loads dropped DLL (1 IoCs)
  PID 1160, Process rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  PID 3472 (WerFault.exe), pid_target 1160, procid_target 87
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1160, Process rundll32.exe (2 events)
  PID 1900, Process wermgr.exe (remaining 62 events)
- Suspicious behavior: MapViewOfSection (1 IoCs)
  PID 1160, Process rundll32.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  PID 4680 (cmd.exe) wrote to memory of 4308, procid_target 84 (3 events)
  PID 4308 (cmd.exe) wrote to memory of 2304, procid_target 85 (2 events)
  PID 4308 (cmd.exe) wrote to memory of 2020, procid_target 86 (2 events)
  PID 4308 (cmd.exe) wrote to memory of 1160, procid_target 87 (3 events)
  PID 1160 (rundll32.exe) wrote to memory of 1900, procid_target 90 (5 events)
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\RR.lnk
  PID: 4680
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\SysWOW64\cmd.exe" /q /c vibrations\\disharmony.cmd
    PID: 4308
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\vibrations\smirch.exe
      Command line: vibrations\smirch.exe -decode vibrations\stateswoman.sql c:\users\public\output.txt
      PID: 2304
    - C:\Users\Admin\AppData\Local\Temp\vibrations\smirch.exe
      Command line: vibrations\smirch.exe -decode c:\users\public\output.txt c:\users\public\output2.txt
      PID: 2020
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32 c:\users\public\output2.txt,N115
      PID: 1160
      Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 544
        PID: 3472
        Signatures: Program crash
      - C:\Windows\SysWOW64\wermgr.exe
        Command line: C:\Windows\SysWOW64\wermgr.exe
        PID: 1900
        Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1160 -ip 1160
  PID: 2976
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 904KB
  MD5: e167b519cf6baad2089f2bec22012ead
  SHA1: ba000e9403ce92eab037edca6f92eaf6cbbcb8f5
  SHA256: 8152566ab0b74913edaf3cfdc1d5f44d157d6b35545a782c2f5dcf40dc0c5cbe
  SHA512: 56838ee5dc29457efce3e8923290fbcb82d669844d2453d4ed8bf6688ceaa723c4050c83026f0572c568651e91a41a0bab6ae6c58b8be5821452fa8161d65a8d
- Filesize: 1.2MB
  MD5: 89fc5ce67cf242cc5b83d8faa7b5e51d
  SHA1: 8e895df0b516a0c62b95f54643c90e67395f63ae
  SHA256: 55fbd2380d89035f0ac744c832ba6f27e3430ae877c3b013cfb8b3577e2a4ad6
  SHA512: 4aac5fdc2f1e374f2ead608856b087156dda368e0fba523ea1693e6dc1a9332db46bca2c78b2c70bbb8bf5840e353728c991519deebaa4a45bcc4b8eb3dcd91e
- Filesize: 904KB
  MD5: e167b519cf6baad2089f2bec22012ead
  SHA1: ba000e9403ce92eab037edca6f92eaf6cbbcb8f5
  SHA256: 8152566ab0b74913edaf3cfdc1d5f44d157d6b35545a782c2f5dcf40dc0c5cbe
  SHA512: 56838ee5dc29457efce3e8923290fbcb82d669844d2453d4ed8bf6688ceaa723c4050c83026f0572c568651e91a41a0bab6ae6c58b8be5821452fa8161d65a8d