Analysis
max time kernel: 149s
max time network: 106s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/02/2023, 02:08
Static task static1
Behavioral task behavioral1: Sample RR.lnk, Resource win7-20230220-en
Behavioral task behavioral2: Sample RR.lnk, Resource win10v2004-20230221-en
Behavioral task behavioral3: Sample vibrations/compartmentally.cmd, Resource win7-20230220-en
Behavioral task behavioral4: Sample vibrations/compartmentally.cmd, Resource win10v2004-20230220-en
Behavioral task behavioral5: Sample vibrations/disobeys.exe, Resource win7-20230220-en
Behavioral task behavioral6: Sample vibrations/disobeys.exe, Resource win10v2004-20230220-en
General
Target: RR.lnk
Size: 1KB
MD5: e11e154ee90f27fa17050a139523939b
SHA1: 20bd4d6a8e35d438d4b19c74c4a2d4fe5453fbcc
SHA256: e495000b075ced39574d17076457e30f36a45ba00cb87647e481ce004d09d306
SHA512: 8bfde446bc0ae8501906838b1df7a6358ec060e79058c9f8bb0e8fce021c6587fa06d698141ab9f0c9abc906bf343c3a1e774e08afbfeaecde041f38d281c4b1
Malware Config
Extracted
qakbot
404.9
BB16
1677046917
salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | Process: cmd.exe
Loads dropped DLL (1 IoC)
pid: 2308 | Process: rundll32.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (1 IoC)
pid: 4896 | pid_target: 2308 | Process: WerFault.exe | procid_target: 89
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid: 2308 | Process: rundll32.exe (2 entries)
pid: 2968 | Process: wermgr.exe (all remaining entries; repeated rows collapsed)
Suspicious behavior: MapViewOfSection (1 IoC)
pid: 2308 | Process: rundll32.exe
Suspicious use of WriteProcessMemory (15 IoCs)
description: PID 1320 wrote to memory of 4664 | pid: 1320 | Process: cmd.exe | procid_target: 85 (3 entries)
description: PID 4664 wrote to memory of 4480 | pid: 4664 | Process: cmd.exe | procid_target: 87 (2 entries)
description: PID 4664 wrote to memory of 404 | pid: 4664 | Process: cmd.exe | procid_target: 88 (2 entries)
description: PID 4664 wrote to memory of 2308 | pid: 4664 | Process: cmd.exe | procid_target: 89 (3 entries)
description: PID 2308 wrote to memory of 2968 | pid: 2308 | Process: rundll32.exe | procid_target: 93 (5 entries)
Processes
[1] C:\Windows\system32\cmd.exe
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\RR.lnk
    PID: 1320
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\SysWOW64\cmd.exe" /q /c vibrations\\compartmentally.cmd
      PID: 4664
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\vibrations\disobeys.exe
        Command line: vibrations\disobeys.exe -decode vibrations\battlement.sql c:\users\public\output.txt
        PID: 4480
    [3] C:\Users\Admin\AppData\Local\Temp\vibrations\disobeys.exe
        Command line: vibrations\disobeys.exe -decode c:\users\public\output.txt c:\users\public\output2.txt
        PID: 404
    [3] C:\Windows\SysWOW64\rundll32.exe
        Command line: rundll32 c:\users\public\output2.txt,N115
        PID: 2308
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 544
          PID: 4896
          - Program crash
      [4] C:\Windows\SysWOW64\wermgr.exe
          Command line: C:\Windows\SysWOW64\wermgr.exe
          PID: 2968
          - Suspicious behavior: EnumeratesProcesses
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2308 -ip 2308
    PID: 3744
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 904KB
MD5: 7ce287ab51dcd202541ee90a55ce92e8
SHA1: 3c1b267fe8e2194791685705bf741faa1fca170d
SHA256: b11b016430c26ed5f6231a263a081518ae9120e828bbbc95460b226c065f0f33
SHA512: 06c42a93348114eab0f87f3784371e6aeeb412464856b76ecfec3d9d93f22b89775660a59969dca8a180658e4261f83e78bb63baba575b23b8fb2fd5e817b0cc

Filesize: 1.2MB
MD5: bce6418ffca344d5fcb65c8efb878a4d
SHA1: f095cb88d9d9a1f3b234253de84ba18c1ee6aa65
SHA256: f5ab66855faa0be039d3447038644b31efe874de4a4de67b7744d17cbb46e93a
SHA512: 50a1aaab3c113c3e1a82650ca91ecc61f62118b9dc71408240400736441baf307b9db1bca442351142d545e8ee117c2369443c1c2356322575e260ceecd0cef1