Analysis
max time kernel: 134s
max time network: 14s
platform: windows7_x64
resource: win7v20201028
submitted: 14-01-2021 16:18
Static task: static1
Behavioral task: behavioral1
Sample: c972346b25a36cb3ddaeb4ede844d18711cbbf8226d74075879e5d8b49b8d46c.dll
Resource: win7v20201028
General
Target: c972346b25a36cb3ddaeb4ede844d18711cbbf8226d74075879e5d8b49b8d46c.dll
Size: 2.2MB
MD5: 61e8905be3070fa88942c3abdb300394
SHA1: d06b2db986cdf55b282c85381e03da2139ed6454
SHA256: c972346b25a36cb3ddaeb4ede844d18711cbbf8226d74075879e5d8b49b8d46c
SHA512: 8442edc5aa6e7485bf35955c31ac1f5566afc76e9dfb6169f65cd7d4072945c241e8ec4889f55197080e51f3917f77d1cd1acb1c7085eb8de7d9f21781a6399a
Malware Config
Extracted
Family: qakbot
Botnet: tr02s
Campaign: 1608638923 (Unix timestamp, 2020-12-22 12:08:43 UTC)
C2 (IP:port):
41.230.209.182:443
35.134.202.234:443
73.166.10.38:50010
172.87.157.235:3389
24.216.56.6:443
184.179.14.130:22
24.152.219.253:995
67.209.195.198:443
86.98.89.36:2222
47.146.169.85:443
197.135.60.192:443
90.201.21.58:443
81.214.126.173:2222
37.116.152.122:2078
64.225.166.16:2222
187.7.236.197:995
47.196.192.184:443
82.12.157.95:995
2.50.161.6:2222
83.110.213.49:443
174.87.65.179:443
174.104.31.209:443
50.244.112.106:443
77.81.155.184:465
45.118.216.157:443
79.129.252.62:2222
98.190.24.81:443
68.225.60.77:995
189.62.175.92:22
94.26.116.31:443
68.13.99.24:443
71.74.12.34:443
94.59.225.49:995
71.117.132.169:443
154.238.248.20:995
217.165.3.30:443
65.30.213.13:6882
78.101.130.59:995
45.250.69.150:443
81.97.154.100:443
45.63.107.192:995
149.28.99.97:443
149.28.99.97:995
79.129.121.81:995
196.151.252.84:443
103.92.113.14:443
81.133.234.36:2222
125.209.114.180:995
108.46.145.30:443
105.198.236.101:443
213.60.147.140:443
86.237.20.57:2222
87.218.53.48:2222
83.110.236.232:443
185.163.221.77:2222
172.116.85.178:443
106.51.85.162:443
185.246.9.69:995
217.54.46.64:995
108.190.194.146:2222
24.62.176.9:443
72.186.1.237:443
156.222.43.196:995
96.19.117.140:443
75.136.40.155:443
41.239.134.34:993
144.139.47.206:443
85.132.36.111:2222
89.136.39.108:443
187.155.59.73:443
74.75.237.11:443
83.110.13.182:2222
105.184.50.206:443
109.177.63.245:2078
151.61.125.180:2222
197.82.221.199:443
151.73.121.136:443
71.187.170.235:443
90.175.186.38:2222
87.27.110.90:2222
106.250.150.98:443
197.45.110.165:995
80.11.210.247:443
216.201.162.158:443
92.154.83.96:2078
109.116.214.124:443
86.236.77.68:2222
5.15.109.245:443
62.38.114.12:2222
90.53.100.20:2222
41.205.16.106:443
94.53.92.42:443
193.248.154.174:2222
120.150.218.241:995
59.99.36.85:443
72.28.255.159:995
117.215.199.8:443
77.136.217.50:995
31.215.98.110:443
149.28.101.90:8443
197.90.144.75:32100
74.73.27.35:443
207.246.77.75:2222
86.98.21.136:443
45.32.211.207:995
45.77.115.208:2222
37.104.39.32:995
14.137.64.132:995
2.50.167.241:443
70.126.76.75:443
85.72.255.119:2222
178.223.22.192:995
217.128.117.218:2222
2.7.69.217:2222
86.163.174.88:2222
201.127.79.186:2222
24.201.61.153:2078
2.89.8.135:443
188.25.61.41:443
98.118.156.172:443
202.141.244.118:993
90.65.236.181:2222
94.52.68.72:443
73.166.10.38:2222
86.124.93.144:443
216.215.77.18:2078
80.106.85.24:2222
98.16.204.189:995
83.202.68.220:2222
116.240.78.45:995
90.188.91.57:995
120.57.76.109:443
39.32.140.166:995
90.101.62.189:2222
190.72.211.89:2222
207.246.77.75:995
45.77.115.208:8443
95.77.144.238:443
45.77.115.208:443
45.32.211.207:8443
24.218.181.15:443
2.49.130.241:2078
67.141.11.98:443
86.121.43.200:443
37.182.244.124:2222
141.237.22.157:2222
184.189.122.72:443
77.27.174.49:995
2.88.184.160:443
86.126.220.127:443
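As an added example (not part of the sandbox report), the Python below turns an extracted config in the layout above into validated indicators and Suricata rules: it decodes the campaign timestamp, rejects malformed C2 lines instead of silently turning them into rules, and summarises which ports the botnet uses. CONFIG_TEXT is constructed from the first eight C2 entries of this report plus one deliberately bad line; the rule message text and SID range are assumptions.

```python
"""Turn the extracted Qakbot config above into checked IOCs and Suricata rules.

Added example, not part of the sandbox report. CONFIG_TEXT is constructed from
the report's Malware Config block (first eight C2 entries plus one deliberately
malformed line); the field order family/botnet/campaign/C2 is how the report
presents it. Rule message text and the SID range are assumptions.
"""
import ipaddress
from collections import Counter
from datetime import datetime, timezone

CONFIG_TEXT = """\
qakbot
tr02s
1608638923
41.230.209.182:443
35.134.202.234:443
73.166.10.38:50010
172.87.157.235:3389
24.216.56.6:443
184.179.14.130:22
24.152.219.253:995
86.98.89.36:2222
not-an-ip:443
"""


def parse_config(text):
    """Parse family, botnet, campaign timestamp and C2 list; reject bad C2 lines."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    family, botnet, campaign = lines[0], lines[1], int(lines[2])
    c2, rejected = [], []
    for entry in lines[3:]:
        host, _, port = entry.rpartition(":")
        try:
            ip = ipaddress.ip_address(host)   # raises ValueError on junk
            port = int(port)
            if not 0 < port < 65536:
                raise ValueError(port)
        except ValueError:
            rejected.append(entry)            # never let a typo become a rule
            continue
        c2.append((str(ip), port))
    return {
        "family": family,
        "botnet": botnet,
        # Qakbot's campaign field is a Unix timestamp.
        "campaign": datetime.fromtimestamp(campaign, tz=timezone.utc),
        "c2": c2,
        "rejected": rejected,
    }


def port_histogram(c2):
    """Which ports the C2 proxies listen on (443/995/2222 dominate in this list)."""
    return Counter(port for _, port in c2)


def suricata_rules(cfg, base_sid=9000001):
    """One outbound-connection rule per C2; SIDs are assigned sequentially."""
    rules = []
    for i, (ip, port) in enumerate(cfg["c2"]):
        rules.append(
            f"alert tcp $HOME_NET any -> {ip} {port} "
            f'(msg:"Qakbot {cfg["botnet"]} C2 {ip}:{port}"; flow:to_server; '
            f"classtype:trojan-activity; sid:{base_sid + i}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    print(cfg["family"], cfg["botnet"], cfg["campaign"].isoformat())
    print(dict(port_histogram(cfg["c2"])), "rejected:", cfg["rejected"])
    print("\n".join(suricata_rules(cfg)))
```

Treat the resulting rules as short-lived: Qakbot C2 lists are dominated by infected hosts acting as proxies on residential connections, so entries rotate quickly and a permanent block list built from one sample goes stale (and, eventually, blocks innocent re-assigned addresses).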
Signatures
Loads dropped DLL (1 IoC)
Processes: regsvr32.exe (pid 784)
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes: rundll32.exe (pid 1484)
Suspicious behavior: MapViewOfSection (1 IoC)
Processes: rundll32.exe (pid 1484)
Suspicious use of WriteProcessMemory (29 IoCs)
Processes (source pid -> target pid, number of write events):
1088 rundll32.exe -> 1484 rundll32.exe (7)
1484 rundll32.exe -> 1428 explorer.exe (6)
1428 explorer.exe -> 1280 schtasks.exe (4)
892 taskeng.exe -> 560 regsvr32.exe (5)
560 regsvr32.exe -> 784 regsvr32.exe (7)
The writes from the 32-bit rundll32.exe (1484) into explorer.exe (1428), together with the MapViewOfSection from the same process and explorer.exe then spawning schtasks.exe, are the injection-into-explorer pattern. The remaining pairs are a parent writing into a child it has just created (the 64-bit rundll32.exe and regsvr32.exe relaunching their SysWOW64 counterparts for a 32-bit DLL, and taskeng.exe starting the task).
Processes
Tree 1 (the submission: rundll32.exe loads the sample and calls export ordinal 1, the ",#1" argument)
1. C:\Windows\system32\rundll32.exe
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\c972346b25a36cb3ddaeb4ede844d18711cbbf8226d74075879e5d8b49b8d46c.dll,#1
   - Suspicious use of WriteProcessMemory
  2. C:\Windows\SysWOW64\rundll32.exe
     rundll32.exe C:\Users\Admin\AppData\Local\Temp\c972346b25a36cb3ddaeb4ede844d18711cbbf8226d74075879e5d8b49b8d46c.dll,#1
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious behavior: MapViewOfSection
     - Suspicious use of WriteProcessMemory
    3. C:\Windows\SysWOW64\explorer.exe
       C:\Windows\SysWOW64\explorer.exe
       - Suspicious use of WriteProcessMemory
      4. C:\Windows\SysWOW64\schtasks.exe
         "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn glfpodqm /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\c972346b25a36cb3ddaeb4ede844d18711cbbf8226d74075879e5d8b49b8d46c.dll\"" /SC ONCE /Z /ST 17:24 /ET 17:36
         - Creates scheduled task(s)
         The task is one-shot (/SC ONCE), marked for deletion after it runs (/Z), and requested to run as SYSTEM (/RU "NT AUTHORITY\SYSTEM"); it is a context hop into SYSTEM rather than long-term persistence, and the task name is the only artifact it leaves in the Task Scheduler.
Tree 2 (the task firing under S-1-5-18, i.e. SYSTEM)
1. C:\Windows\system32\taskeng.exe
   taskeng.exe {C1EE01A2-F59D-472A-975B-D8FAF8818317} S-1-5-18:NT AUTHORITY\System:Service:
   - Suspicious use of WriteProcessMemory
  2. C:\Windows\system32\regsvr32.exe
     regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\c972346b25a36cb3ddaeb4ede844d18711cbbf8226d74075879e5d8b49b8d46c.dll"
     - Suspicious use of WriteProcessMemory
    3. C:\Windows\SysWOW64\regsvr32.exe
       -s "C:\Users\Admin\AppData\Local\Temp\c972346b25a36cb3ddaeb4ede844d18711cbbf8226d74075879e5d8b49b8d46c.dll"
       - Loads dropped DLL
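The process tree above is the detection surface a defender actually gets from endpoint telemetry. As an added example that is not part of the report, the Python below replays Sysmon Event ID 1-style process-creation records constructed from this tree through four rules: rundll32.exe running a DLL from a user Temp directory by export ordinal, explorer.exe started by rundll32.exe, schtasks.exe creating a SYSTEM task whose action is a silent regsvr32 of a Temp DLL, and regsvr32.exe -s on a Temp DLL. The record field names and the empty parents for the two tree roots are assumptions; the argument splitter handles the \" escapes inside the /tr value, which is where naive string matching on this command line goes wrong.

```python
"""Process-tree detection for the Qakbot persistence chain shown above.

Added example; not part of the sandbox report. EVENTS is constructed from the
report's process tree as Sysmon Event ID 1-style records; the field names
(pid, image, parent, cmd) are an assumption, and parents the report does not
show are left empty.
"""
import re

DLL = (r"C:\Users\Admin\AppData\Local\Temp"
       r"\c972346b25a36cb3ddaeb4ede844d18711cbbf8226d74075879e5d8b49b8d46c.dll")
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# Windows-style argument splitter: a quoted argument may contain \" escapes.
ARG_RE = re.compile(r'"((?:\\.|[^"\\])*)"|(\S+)')

EVENTS = [  # constructed from the report's two process trees
    {"pid": 1088, "image": r"C:\Windows\system32\rundll32.exe", "parent": "",
     "cmd": rf"rundll32.exe {DLL},#1"},
    {"pid": 1484, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "parent": r"C:\Windows\system32\rundll32.exe", "cmd": rf"rundll32.exe {DLL},#1"},
    {"pid": 1428, "image": r"C:\Windows\SysWOW64\explorer.exe",
     "parent": r"C:\Windows\SysWOW64\rundll32.exe", "cmd": r"C:\Windows\SysWOW64\explorer.exe"},
    {"pid": 1280, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent": r"C:\Windows\SysWOW64\explorer.exe",
     "cmd": rf'"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" '
            rf'/tn glfpodqm /tr "regsvr32.exe -s \"{DLL}\"" /SC ONCE /Z /ST 17:24 /ET 17:36'},
    {"pid": 892, "image": r"C:\Windows\system32\taskeng.exe", "parent": "",
     "cmd": r"taskeng.exe {C1EE01A2-F59D-472A-975B-D8FAF8818317} S-1-5-18:NT AUTHORITY\System:Service:"},
    {"pid": 560, "image": r"C:\Windows\system32\regsvr32.exe",
     "parent": r"C:\Windows\system32\taskeng.exe", "cmd": rf'regsvr32.exe -s "{DLL}"'},
    {"pid": 784, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "parent": r"C:\Windows\system32\regsvr32.exe", "cmd": rf'-s "{DLL}"'},
]


def split_args(cmdline):
    """Split a Windows command line, unescaping \\" inside quoted arguments."""
    return [(m.group(1) if m.group(1) is not None else m.group(2)).replace('\\"', '"')
            for m in ARG_RE.finditer(cmdline)]


def schtasks_options(tokens):
    """Map schtasks /switches to their values; bare switches such as /Z map to True."""
    opts, i = {}, 1                     # token 0 is the schtasks image itself
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, reason) for every record matching one of the four rules."""
    hits = []
    for e in events:
        img, parent = basename(e["image"]), basename(e["parent"])
        toks = split_args(e["cmd"])
        in_temp = bool(TEMP_RE.search(e["cmd"]))
        if img == "rundll32.exe" and in_temp and any(re.search(r",#\d+$", t) for t in toks):
            hits.append((e["pid"], "rundll32 runs a DLL from user Temp by export ordinal"))
        if img == "explorer.exe" and parent == "rundll32.exe":
            hits.append((e["pid"], "explorer.exe started by rundll32.exe (injection host)"))
        if img == "schtasks.exe":
            o = schtasks_options(toks)
            tr = o.get("tr", "") if isinstance(o.get("tr"), str) else ""
            if ("create" in o and "system" in str(o.get("ru", "")).lower()
                    and "regsvr32" in tr.lower() and TEMP_RE.search(tr)):
                hits.append((e["pid"], f"SYSTEM task '{o.get('tn')}' runs regsvr32 on a "
                                       f"Temp DLL, created from {parent}"))
        if img == "regsvr32.exe" and "-s" in [t.lower() for t in toks] and in_temp:
            hits.append((e["pid"], f"silent regsvr32 of a Temp DLL (parent {parent})"))
    return hits


if __name__ == "__main__":
    for pid, why in detect(EVENTS):
        print(pid, why)
```

The explorer.exe rule only fires on the parent relationship; in production it should be joined with the injection telemetry the report flags (WriteProcessMemory and MapViewOfSection from 1484 into 1428, or the equivalent Sysmon Event ID 8/10 records), since a user opening a folder from a rundll32-hosted shell extension can produce the same parent-child pair without any injection.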
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\c972346b25a36cb3ddaeb4ede844d18711cbbf8226d74075879e5d8b49b8d46c.dll
MD5: a4903a395b91e77a92bfa23901f05627
SHA1: 0333d6c6b1b91c84a23e81e0817f6aeb5d04360a
SHA256: 85726a1d394466c39808046764eab14e3aa718bb8cc339a888d2da61470647ba
SHA512: 6185d9e0379d38174a9f059e81ccd9f1ef53e131dbab82bbcbc600a6a5ee811c1bdcef035099b27ef70879acca79355886b88cecfc4860f20959b464c51ac237
\Users\Admin\AppData\Local\Temp\c972346b25a36cb3ddaeb4ede844d18711cbbf8226d74075879e5d8b49b8d46c.dll
MD5: a4903a395b91e77a92bfa23901f05627
SHA1: 0333d6c6b1b91c84a23e81e0817f6aeb5d04360a
SHA256: 85726a1d394466c39808046764eab14e3aa718bb8cc339a888d2da61470647ba
SHA512: 6185d9e0379d38174a9f059e81ccd9f1ef53e131dbab82bbcbc600a6a5ee811c1bdcef035099b27ef70879acca79355886b88cecfc4860f20959b464c51ac237
Both entries are the same file at the submitted sample's path, but its hashes differ from those under General: the sample rewrote its own DLL on disk during the run, and it is this rewritten file that the SYSTEM-context regsvr32.exe (pid 784) loads ("Loads dropped DLL"). When collecting the on-disk artifact from an infected host, expect the second set of hashes, not the ones the sample was submitted under.
Memory dumps
memory/560-9-0x0000000000000000-mapping.dmp
memory/784-11-0x0000000000000000-mapping.dmp
memory/1280-7-0x0000000000000000-mapping.dmp
memory/1428-3-0x0000000000100000-0x0000000000102000-memory.dmp (8KB)
memory/1428-5-0x0000000000000000-mapping.dmp
memory/1428-8-0x00000000000C0000-0x00000000000F5000-memory.dmp (212KB)
memory/1484-2-0x0000000000000000-mapping.dmp
memory/1484-4-0x00000000002E0000-0x0000000000315000-memory.dmp (212KB)
memory/1484-6-0x0000000010000000-0x0000000010035000-memory.dmp (212KB)
The three 212KB (0x35000-byte) regions are the same size: the one at 0x10000000 in rundll32.exe (1484) is at the default image base of a 32-bit DLL, and the equal-sized regions at 0x2E0000 in the same process and at 0xC0000 in explorer.exe (1428) are consistent with an unpacked copy of that module and the copy injected into explorer.exe. The dump from 1428 is the one to carve for the unpacked payload, since it is what actually ran the schtasks persistence.