Analysis

max time kernel: 129s
max time network: 10s
platform: windows7_x64
resource: win7v20201028
submitted: 13-12-2020 07:44

Static task: static1
Behavioral task: behavioral1
Sample: dbc1c772413a6d461d8c5db0d1b2538d9879c3f6890c8be34fe9723b5817909f.bin.dll
Resource: win7v20201028
General

Target: dbc1c772413a6d461d8c5db0d1b2538d9879c3f6890c8be34fe9723b5817909f.bin.dll
Size: 2.0MB
MD5: 8cedb99f2453ecc7bb0f9bfc941f24f1
SHA1: 40a4d16171d53f62d72317a5f717639df6dd0729
SHA256: dbc1c772413a6d461d8c5db0d1b2538d9879c3f6890c8be34fe9723b5817909f
SHA512: 51c21a7d16291c017577a22bf5ad930b2780f8dae81b1ccf190f631443df0d353237761bb8213cec5ed46a1aa36633ea57a95d0e56a338c89246d29d22d6388b
Malware Config

Extracted
Family: qakbot
Botnet: tr02
Campaign: 1607427512 (Unix timestamp, 2020-12-08 11:38:32 UTC)
C2 (ip:port):
73.32.115.251:443
161.199.180.159:443
185.163.221.77:2222
197.161.154.132:443
105.198.236.99:443
83.196.50.197:2222
96.225.88.23:443
156.222.27.207:995
81.214.126.173:2222
83.110.13.182:2222
85.121.42.12:443
67.82.244.199:2222
172.87.157.235:3389
86.176.133.145:2222
72.186.1.237:443
80.11.5.65:2222
94.59.236.155:995
81.150.181.168:2222
184.98.97.227:995
149.28.101.90:443
86.125.205.97:443
110.142.205.182:443
83.110.250.71:995
41.228.242.14:443
37.106.7.7:443
164.155.230.98:443
2.88.246.223:443
193.83.25.177:995
109.154.193.21:2222
67.141.11.98:443
37.116.152.122:2078
96.40.175.33:443
2.90.124.155:995
162.157.19.33:2222
117.197.217.107:443
24.179.13.119:443
120.150.218.241:443
83.114.243.80:2222
2.50.56.81:443
47.21.192.182:2222
90.53.103.229:2222
77.211.30.202:995
93.146.133.102:2222
96.21.251.127:2222
58.179.21.147:995
98.124.76.187:443
72.36.59.46:2222
86.99.134.235:2222
174.87.65.179:443
193.248.154.174:2222
47.146.34.236:443
63.155.29.193:995
24.95.61.62:443
108.46.145.30:443
32.212.117.188:443
73.166.10.38:50003
105.101.182.178:443
87.218.53.206:2222
71.163.223.144:443
5.193.106.230:2078
184.97.145.239:443
106.51.85.162:443
188.50.187.45:995
45.63.107.192:2222
144.202.38.185:995
151.33.226.156:443
144.202.38.185:443
78.101.158.1:61201
45.32.155.12:443
45.32.162.253:443
173.18.126.193:2222
65.131.41.96:995
149.28.98.196:995
149.28.98.196:443
207.246.75.201:443
178.87.18.221:443
99.244.210.10:443
149.28.101.90:995
149.28.98.196:2222
149.28.99.97:2222
149.28.99.97:443
200.44.237.189:2222
45.63.107.192:995
199.247.16.80:443
144.202.38.185:2222
202.141.244.118:993
85.132.36.111:2222
45.250.69.150:443
111.95.212.237:2222
2.89.122.180:995
79.166.96.86:2222
109.93.245.93:995
78.181.19.134:443
83.202.68.220:2222
217.39.74.146:2222
156.213.147.56:443
72.182.209.97:2222
86.162.13.35:2222
37.21.231.245:995
2.132.32.23:995
187.202.166.21:443
78.187.125.116:2222
80.14.22.234:2222
89.137.211.239:443
81.97.154.100:443
86.121.43.200:443
31.5.21.66:995
80.227.5.70:443
91.104.235.91:995
188.161.207.196:443
109.205.204.229:2222
24.218.181.15:443
72.28.255.159:995
118.40.124.211:443
141.237.135.194:443
149.28.101.90:2222
78.162.70.119:443
39.36.225.15:995
47.22.148.6:995
209.210.187.52:443
85.105.29.218:443
197.86.204.201:443
86.245.87.251:2078
37.106.117.51:443
176.58.133.136:2222
59.103.76.230:443
195.97.101.40:443
2.89.122.180:993
110.159.80.243:443
95.77.223.148:443
79.129.252.62:2222
182.161.6.57:3389
5.193.177.247:2078
41.39.134.183:443
95.76.27.6:443
74.124.191.6:443
184.21.136.237:995
185.105.131.233:443
2.50.2.216:443
24.206.4.203:2222
5.70.178.62:443
2.7.202.106:2222
92.154.83.96:2078
93.113.177.152:443
151.27.88.197:443
160.3.184.253:443
89.136.226.44:995
78.97.110.47:443
92.154.83.96:2087
78.63.226.32:443
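The extracted list above is only useful once it is turned into something an analyst can query or block. The Python below is an added example, not part of the Triage report or of any Qakbot tooling: it parses a config in the layout shown above (family, botnet ID, campaign timestamp, then one ip:port per line), rejects anything that is not a public IPv4 endpoint so that a bad line can never reach a blocklist, converts the campaign timestamp, summarises the port mix, and emits one Suricata-style rule per endpoint. CONFIG_TEXT is a constructed excerpt: a handful of the entries above plus two deliberately bad lines. The Suricata sid range and rule shape are assumptions.

```python
"""Turn an extracted Qakbot config into reviewable and blockable IoCs.

Added example, not part of the Triage report or of any Qakbot tooling.
CONFIG_TEXT is a constructed excerpt of the config above (same layout:
family, botnet, campaign timestamp, then one ip:port per line); it keeps
only a handful of the C2 entries and adds two deliberately bad lines.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone
import ipaddress
import re

CONFIG_TEXT = """\
qakbot
tr02
1607427512
73.32.115.251:443
161.199.180.159:443
185.163.221.77:2222
156.222.27.207:995
172.87.157.235:3389
37.116.152.122:2078
73.166.10.38:50003
144.202.38.185:995
144.202.38.185:443
144.202.38.185:2222
149.28.98.196:995
149.28.98.196:443
202.141.244.118:993
92.154.83.96:2087
not-an-endpoint
10.0.0.5:443
"""

ENDPOINT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def parse_config(text):
    """Return (family, botnet, campaign_epoch, endpoints, rejected).

    endpoints is a list of (ip, port) tuples in config order. Lines that are
    not a public IPv4:port pair go to rejected so they get reviewed instead of
    being silently dropped or, worse, pushed into a blocklist.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    family, botnet, campaign = lines[0], lines[1], int(lines[2])
    endpoints, rejected = [], []
    for ln in lines[3:]:
        m = ENDPOINT_RE.match(ln)
        if not m:
            rejected.append(ln)
            continue
        ip, port = m.group(1), int(m.group(2))
        try:
            addr = ipaddress.IPv4Address(ip)
        except ValueError:
            rejected.append(ln)
            continue
        # RFC 1918, loopback, link-local and similar must never reach a blocklist
        if not addr.is_global or not 1 <= port <= 65535:
            rejected.append(ln)
            continue
        endpoints.append((ip, port))
    return family, botnet, campaign, endpoints, rejected


def campaign_utc(epoch):
    """Qakbot's campaign field is a Unix timestamp; render it for the timeline."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def summarize(endpoints):
    """Unique hosts, port histogram, and hosts listed on more than one port."""
    hosts = sorted({ip for ip, _ in endpoints}, key=ipaddress.IPv4Address)
    ports = Counter(port for _, port in endpoints)
    by_host = defaultdict(set)
    for ip, port in endpoints:
        by_host[ip].add(port)
    multi = {ip: sorted(p) for ip, p in by_host.items() if len(p) > 1}
    return hosts, ports, multi


def blocklist(endpoints, botnet, sid_base=9000000):
    """One Suricata-style rule per unique ip:port. The sid range is an assumption;
    use one reserved in your own ruleset."""
    uniq = sorted(set(endpoints), key=lambda e: (ipaddress.IPv4Address(e[0]), e[1]))
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} '
        f'(msg:"Qakbot {botnet} C2 {ip}:{port}"; sid:{sid_base + n}; rev:1;)'
        for n, (ip, port) in enumerate(uniq)
    ]


if __name__ == "__main__":
    fam, bot, camp, eps, bad = parse_config(CONFIG_TEXT)
    hosts, ports, multi = summarize(eps)
    print(f"{fam} botnet={bot} campaign={camp} ({campaign_utc(camp)})")
    print(f"{len(eps)} endpoints on {len(hosts)} hosts; ports: {dict(ports.most_common())}")
    print("hosts on several ports:", multi)
    print("rejected for review:", bad)
    print("\n".join(blocklist(eps, bot)))
```

Run against the full list above, the same code shows that most entries sit on 443, 2222 or 995, and that several hosts appear on more than one port (144.202.38.185, 149.28.98.196, 149.28.99.97, 149.28.101.90, 45.63.107.192, 2.89.122.180 and 92.154.83.96), so a blocklist keyed on host rather than on host:port is the safer choice.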
Signatures

Loads dropped DLL (1 IoC)
Processes: pid 1188 regsvr32.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. In this run the task is created by explorer.exe (pid 1412), which rundll32.exe (pid 884) had written into: it is named hlxglnjyp, runs regsvr32.exe -s on the DLL at the sample path as NT AUTHORITY\SYSTEM, and is scheduled to run once (/SC ONCE, /ST 07:42, /ET 07:54) with /Z, which deletes the task after its final run. The second process tree below (taskeng.exe under S-1-5-18 launching regsvr32.exe) is that task firing.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: pid 884 rundll32.exe; pid 884 rundll32.exe

Suspicious behavior: MapViewOfSection (1 IoC)
Processes: pid 884 rundll32.exe

Suspicious use of WriteProcessMemory (29 IoCs)
Processes (source pid wrote to target pid, source process -> target process, number of events):
648 -> 884 (rundll32.exe -> rundll32.exe), 7
884 -> 1412 (rundll32.exe -> explorer.exe), 6
1412 -> 1684 (explorer.exe -> schtasks.exe), 4
564 -> 340 (taskeng.exe -> regsvr32.exe), 5
340 -> 1188 (regsvr32.exe -> regsvr32.exe), 7
Every write here is from a parent into its own newly created child, which process creation does on its own, so read this signature as a record of the process tree rather than as injection evidence by itself. The stronger indicators are the MapViewOfSection hit in pid 884 together with the 132KB region dumped from explorer.exe (pid 1412) under Downloads.
Processes

depth 1: C:\Windows\system32\rundll32.exe
  cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\dbc1c772413a6d461d8c5db0d1b2538d9879c3f6890c8be34fe9723b5817909f.bin.dll,#1
  - Suspicious use of WriteProcessMemory
  depth 2: C:\Windows\SysWOW64\rundll32.exe
    cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\dbc1c772413a6d461d8c5db0d1b2538d9879c3f6890c8be34fe9723b5817909f.bin.dll,#1
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    depth 3: C:\Windows\SysWOW64\explorer.exe
      cmd: C:\Windows\SysWOW64\explorer.exe
      - Suspicious use of WriteProcessMemory
      depth 4: C:\Windows\SysWOW64\schtasks.exe
        cmd: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn hlxglnjyp /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\dbc1c772413a6d461d8c5db0d1b2538d9879c3f6890c8be34fe9723b5817909f.bin.dll\"" /SC ONCE /Z /ST 07:42 /ET 07:54
        - Creates scheduled task(s)

depth 1: C:\Windows\system32\taskeng.exe
  cmd: taskeng.exe {C4E4A3F8-5A44-476F-B590-00F295858A78} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  depth 2: C:\Windows\system32\regsvr32.exe
    cmd: regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\dbc1c772413a6d461d8c5db0d1b2538d9879c3f6890c8be34fe9723b5817909f.bin.dll"
    - Suspicious use of WriteProcessMemory
    depth 3: C:\Windows\SysWOW64\regsvr32.exe
      cmd: -s "C:\Users\Admin\AppData\Local\Temp\dbc1c772413a6d461d8c5db0d1b2538d9879c3f6890c8be34fe9723b5817909f.bin.dll"
      - Loads dropped DLL

In both trees the 64-bit host (system32) re-launches its SysWOW64 counterpart, so the sample is a 32-bit DLL: rundll32.exe calls export #1 directly, while the scheduled task re-registers the same path through regsvr32.exe -s (silent DllRegisterServer) as SYSTEM.
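The two trees above contain the relationships a detection engineer would actually alert on: a DLL host (rundll32.exe) starting explorer.exe, schtasks.exe reached from that lineage with /RU SYSTEM, /SC ONCE and /Z, and the task service (taskeng.exe) running regsvr32.exe -s on a DLL under a user's Temp directory. The Python below is an added example, not part of the Triage report or of any vendor's detection content. EVENTS is constructed from the process tree above (pid, ppid, image, command line); the report does not show the parents of the two root processes, so their ppid is set to 0. The LOLBINS set, the Temp-path pattern and the finding texts are assumptions made for this example. It includes its own Windows-style argument splitter because the schtasks line nests escaped quotes inside /tr, which shlex in POSIX mode would mangle along with every backslash in the path.

```python
"""Flag the injection chain and scheduled-task persistence shown above.

Added example, not part of the Triage report or of any vendor's detection
content. EVENTS is constructed from the report's process tree; the report
does not show the parents of the two root processes, so their ppid is 0.
LOLBINS and the Temp-path pattern are assumptions made for this example.
"""
import ntpath
import re
from collections import namedtuple

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\dbc1c772413a6d461d8c5db0d1b2538d9879c3f6890c8be34fe9723b5817909f.bin.dll")
# The schtasks command line exactly as the report shows it (\" are the inner quotes).
SCHTASKS_CMD = (
    r'"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn hlxglnjyp '
    r'/tr "regsvr32.exe -s \"' + SAMPLE + r'\"" /SC ONCE /Z /ST 07:42 /ET 07:54'
)
Proc = namedtuple("Proc", "pid ppid image cmdline")
EVENTS = [  # constructed from the process tree above
    Proc(648, 0, r"C:\Windows\system32\rundll32.exe", "rundll32.exe " + SAMPLE + ",#1"),
    Proc(884, 648, r"C:\Windows\SysWOW64\rundll32.exe", "rundll32.exe " + SAMPLE + ",#1"),
    Proc(1412, 884, r"C:\Windows\SysWOW64\explorer.exe", r"C:\Windows\SysWOW64\explorer.exe"),
    Proc(1684, 1412, r"C:\Windows\SysWOW64\schtasks.exe", SCHTASKS_CMD),
    Proc(564, 0, r"C:\Windows\system32\taskeng.exe",
         r"taskeng.exe {C4E4A3F8-5A44-476F-B590-00F295858A78} S-1-5-18:NT AUTHORITY\System:Service:"),
    Proc(340, 564, r"C:\Windows\system32\regsvr32.exe", 'regsvr32.exe -s "' + SAMPLE + '"'),
    Proc(1188, 340, r"C:\Windows\SysWOW64\regsvr32.exe", '-s "' + SAMPLE + '"'),
]
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def split_args(cmdline):
    """Windows-style split: whitespace separates, double quotes group, and a
    backslash escapes only a following quote, so C:\\dir\\ paths stay intact."""
    args, cur, quoted, i = [], [], False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == "\\" and cmdline[i + 1:i + 2] == '"':
            cur.append('"')
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c.isspace() and not quoted:
            args.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    args.append("".join(cur))
    return [a for a in args if a]


def parse_schtasks(cmdline):
    """Map /OPTION -> value, or True for bare switches such as /Create and /Z."""
    args, opts = split_args(cmdline), {}
    for i, tok in enumerate(args[1:], 1):  # args[0] is the schtasks image itself
        if tok.startswith("/"):
            nxt = args[i + 1] if i + 1 < len(args) else "/"
            opts[tok[1:].upper()] = True if nxt.startswith("/") else nxt
    return opts


def schtasks_findings(cmdline):
    """Reasons this /Create call deserves an alert."""
    o, out = parse_schtasks(cmdline), []
    if str(o.get("RU", "")).upper() in ("SYSTEM", "NT AUTHORITY\\SYSTEM"):
        out.append("task runs as SYSTEM")
    if str(o.get("SC", "")).upper() == "ONCE" and o.get("Z") is True:
        out.append("one-shot task that deletes itself after running (/SC ONCE /Z)")
    tr = o.get("TR")
    if isinstance(tr, str) and tr:
        action = ntpath.basename(split_args(tr)[0]).lower()
        if action in LOLBINS:
            out.append(f"task action is a LOLBin ({action})")
        if TEMP_RE.search(tr):
            out.append("task action loads a file from a user-writable Temp directory")
    return out


def chain(procs, pid):
    """Image basenames from the outermost known ancestor down to pid."""
    by_pid, names = {p.pid: p for p in procs}, []
    while pid in by_pid:
        names.append(ntpath.basename(by_pid[pid].image).lower())
        pid = by_pid[pid].ppid
    return names[::-1]


def lineage_findings(procs):
    """(pid, reason) for parent/child pairs that do not occur in normal use."""
    out = []
    for p in procs:
        path = chain(procs, p.pid)
        name, ancestors = path[-1], path[:-1]
        parent = ancestors[-1] if ancestors else None
        if name == "explorer.exe" and parent in LOLBINS:
            out.append((p.pid, f"explorer.exe started by {parent}: injection host, not a user shell"))
        if name == "schtasks.exe" and any(a in ("rundll32.exe", "regsvr32.exe") for a in ancestors):
            out.append((p.pid, "schtasks.exe reached via " + " > ".join(path)))
            out.extend((p.pid, why) for why in schtasks_findings(p.cmdline))
        if (name == "regsvr32.exe" and parent == "taskeng.exe"
                and "-s" in split_args(p.cmdline) and TEMP_RE.search(p.cmdline)):
            out.append((p.pid, "scheduled task ran regsvr32 -s on a DLL under a user Temp directory"))
    return out
```

Calling lineage_findings(EVENTS) yields seven findings: one for explorer.exe (pid 1412), five for schtasks.exe (pid 1684, the lineage plus the four properties of the /Create call), and one for the task-launched regsvr32.exe (pid 340); the two rundll32 hosts, taskeng.exe and the inner 32-bit regsvr32.exe (pid 1188) produce none, which is the intended behaviour for parent/child pairs that also occur legitimately. The same functions apply unchanged to Sysmon event ID 1 or EDR process-creation records once they are mapped onto the Proc tuple.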
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\dbc1c772413a6d461d8c5db0d1b2538d9879c3f6890c8be34fe9723b5817909f.bin.dll
MD5: 85e8c60cd367f986b1bde4fd99afbd90
SHA1: 83d09c5bd36a23bcc20e9656c0ab7fd92fc595d4
SHA256: 61333a03b9a3b1886dbbbd73cd8c4e24b8ec85d56c4f38c407cd30e9d6a98785
SHA512: 3235cfd4bfc360549e93ce93f627a9d146a18fb181d63dc19da4498d51a7b9816779b0dd1c14615ff11ee247774bc51f492ad83447f5e7b49ce5c6d5dcce1ef7
(also listed as \Users\Admin\AppData\Local\Temp\dbc1c772413a6d461d8c5db0d1b2538d9879c3f6890c8be34fe9723b5817909f.bin.dll with identical hashes)

Note that these hashes differ from the submitted sample (MD5 8cedb99f2453ecc7bb0f9bfc941f24f1, SHA256 dbc1c772413a6d461d8c5db0d1b2538d9879c3f6890c8be34fe9723b5817909f): the file at the sample path at the end of the run is not the submitted DLL, which is why the report calls the file that regsvr32.exe (pid 1188) loads a "dropped" DLL. When preserving evidence, keep the original submission and the on-disk copy as separate artefacts and hash both.

Memory dumps:
memory/340-9-0x0000000000000000-mapping.dmp
memory/884-2-0x0000000000000000-mapping.dmp
memory/884-4-0x0000000000690000-0x00000000006B1000-memory.dmp (132KB)
memory/884-6-0x0000000010000000-0x0000000010021000-memory.dmp (132KB)
memory/1188-11-0x0000000000000000-mapping.dmp
memory/1412-3-0x00000000000B0000-0x00000000000B2000-memory.dmp (8KB)
memory/1412-5-0x0000000000000000-mapping.dmp
memory/1412-8-0x0000000000080000-0x00000000000A1000-memory.dmp (132KB)
memory/1684-7-0x0000000000000000-mapping.dmp

The three 132KB regions are the same size: two in the 32-bit rundll32.exe (pid 884), one at 0x10000000, the default image base for a 32-bit DLL, and one in explorer.exe (pid 1412) at 0x80000, consistent with the 884 -> 1412 WriteProcessMemory events listed under Signatures. The dump from pid 1412 is the copy to start from when looking for the unpacked payload.