Analysis
- max time kernel: 149s
- max time network: 100s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/02/2023, 01:54
Tasks
- static1 (static task)
- behavioral1: RR.lnk on win7-20230220-en
- behavioral2: RR.lnk on win10v2004-20230220-en
- behavioral3: vibrations/curtness.cmd on win7-20230220-en
- behavioral4: vibrations/curtness.cmd on win10v2004-20230220-en
- behavioral5: vibrations/unmeticulous.exe on win7-20230220-en
- behavioral6: vibrations/unmeticulous.exe on win10v2004-20230220-en
General
- Target: RR.lnk
- Size: 1KB
- MD5: 116043c27c54721a59fa3e47186ec052
- SHA1: 4d9dcb94a693af74efd935f1b0867fbe8009e39e
- SHA256: af2bf4c628f6b1cf815e9d5b898ec10334da7fc709436903d8f9a6dd68fcf392
- SHA512: 231ba488f405044aed8231a4e2d0303be49b46b0486c63ee6ddb72a8b0a895b89b486cc26b06524d84590ee19241352d95a040057c2a51d418985aeab372f7c7
Malware Config
Extracted
- Family: qakbot
- Version: 404.9
- Botnet: BB16
- Campaign: 1677046917
- salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation (process: cmd.exe)
- Loads dropped DLL (1 IoC)
  PID 3972 rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  PID 2596 WerFault.exe, target PID 3972 (procid_target 87)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 3972 rundll32.exe (2 entries); PID 4360 wermgr.exe (the remaining 62 entries)
- Suspicious behavior: MapViewOfSection (1 IoC)
  PID 3972 rundll32.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  PID 5092 cmd.exe wrote to memory of PID 1688 (procid_target 84), 3 entries
  PID 1688 cmd.exe wrote to memory of PID 1832 (procid_target 85), 2 entries
  PID 1688 cmd.exe wrote to memory of PID 3236 (procid_target 86), 2 entries
  PID 1688 cmd.exe wrote to memory of PID 3972 (procid_target 87), 3 entries
  PID 3972 rundll32.exe wrote to memory of PID 4360 (procid_target 90), 5 entries
Processes
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\RR.lnk
  PID: 5092
  Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\SysWOW64\cmd.exe" /q /c vibrations\\curtness.cmd
    PID: 1688
    Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\vibrations\unmeticulous.exe
      vibrations\unmeticulous.exe -decode vibrations\thriftlessness.sql c:\users\public\output.txt
      PID: 1832
    - C:\Users\Admin\AppData\Local\Temp\vibrations\unmeticulous.exe
      vibrations\unmeticulous.exe -decode c:\users\public\output.txt c:\users\public\output2.txt
      PID: 3236
    - C:\Windows\SysWOW64\rundll32.exe
      rundll32 c:\users\public\output2.txt,N115
      PID: 3972
      Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 544
        PID: 2596
        Program crash
      - C:\Windows\SysWOW64\wermgr.exe
        C:\Windows\SysWOW64\wermgr.exe
        PID: 4360
        Suspicious behavior: EnumeratesProcesses
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3972 -ip 3972
  PID: 2976
Downloads
- Filesize: 904KB
  MD5: c45edab97e4d8530994f4348836b6908
  SHA1: 6814a0c947524f1997970e496eac380f5e4b2b55
  SHA256: e9f82251f1a1408f9bfe31f60c6d67d8df0cc08f35dd010d63e7a996813c68e4
  SHA512: ba2395e85363ea878758e96a47362e7132bc447ca325863f35a99aeba327e4cc0b3180b5e768a79da91c4278a6ff344c58040023f2eb6087e2bbc4f6c7473330
- Filesize: 1.2MB
  MD5: a1e20cd6b72079c2ed16419518c7cd62
  SHA1: 660f1c063b62871a6dc8fcfa2df26ae3773634d7
  SHA256: e83a4d87c62b7eb48921c18c034c4d75e2c1f060a155dc08d9b0b1de578a6010
  SHA512: 2021d6114a4a011e3aa9ae44ffdbdcd447fe9029a90345635c12bf9391c0072c876556efcf3df51d771a2a9935ab26de43c058fc6d4e358bca2d1ee97d7dc489