Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 22-01-2021 08:20

Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Variant.Razy.831269.8387.7344.dll
Resource: win7v20201028

General
- Target: SecuriteInfo.com.Variant.Razy.831269.8387.7344.dll
- Size: 1.5MB
- MD5: 3b322b43ce402d24aa2e7740a4c1a228
- SHA1: 3d3b3e5f9ca28c17ce02bdea3e6b697749ade04d
- SHA256: 39012a1dc5ba702679b12a81d708f1d15d32be2f8c48746645e62e3fd4aa8d93
- SHA512: 330126a5648e3803a06b984197387339453545db16af7b95868d4a4ec45f6eb32bfeb133e9c880888d65ce7a28674153b929d20bb68a772976bb817664fb1969
Malware Config (Extracted)
- Family: qakbot
- Botnet: abc119
- Campaign: 1611224824
Signatures

Loads dropped DLL (1 IoCs)
Processes:
- pid 1308 regsvr32.exe

Program crash (1 IoCs)
Processes:
- pid 1304 WerFault.exe, target pid 1308 regsvr32.exe

Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes (all rundll32.exe):
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (17 IoCs)
Processes:
- pid 1004 rundll32.exe (4 entries)
- pid 1304 WerFault.exe (13 entries)

Suspicious behavior: MapViewOfSection (1 IoCs)
Processes:
- pid 1004 rundll32.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
- Token: SeRestorePrivilege, pid 1304 WerFault.exe
- Token: SeBackupPrivilege, pid 1304 WerFault.exe
- Token: SeDebugPrivilege, pid 1304 WerFault.exe

Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
- PID 508 rundll32.exe wrote to memory of 1004 rundll32.exe (3 entries)
- PID 1004 rundll32.exe wrote to memory of 4012 explorer.exe (5 entries)
- PID 4012 explorer.exe wrote to memory of 3904 schtasks.exe (3 entries)
- PID 2268 regsvr32.exe wrote to memory of 1308 regsvr32.exe (3 entries)
Processes

- [1] C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Razy.831269.8387.7344.dll,#1
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Razy.831269.8387.7344.dll,#1
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\explorer.exe
      Command line: C:\Windows\SysWOW64\explorer.exe
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn hxqbjimzvq /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Razy.831269.8387.7344.dll\"" /SC ONCE /Z /ST 09:18 /ET 09:30
        - Creates scheduled task(s)

- [1] \??\c:\windows\system32\regsvr32.exe
  Command line: regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Razy.831269.8387.7344.dll"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\regsvr32.exe
    Command line: -s "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Razy.831269.8387.7344.dll"
    - Loads dropped DLL
    - [3] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 596
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Downloads

- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Razy.831269.8387.7344.dll
  MD5: a5c332938346b2a5ac2796637df514b2
  SHA1: e6087b42c9ee6591a094b1a3d036e16344d74903
  SHA256: 2707d26fd4137e118ef46a40f0694eb7be3889b9be5c85d22ac4abca664a54d8
  SHA512: 6730c79000876838c02801085a67545724bbc80448c843d050765972a7fbd3f24d27a3459ab9d0d249d9432e7d6dfb7faf195dc5e2303ae9bb5c17c0fae874e3

- \Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Razy.831269.8387.7344.dll
  MD5: a5c332938346b2a5ac2796637df514b2
  SHA1: e6087b42c9ee6591a094b1a3d036e16344d74903
  SHA256: 2707d26fd4137e118ef46a40f0694eb7be3889b9be5c85d22ac4abca664a54d8
  SHA512: 6730c79000876838c02801085a67545724bbc80448c843d050765972a7fbd3f24d27a3459ab9d0d249d9432e7d6dfb7faf195dc5e2303ae9bb5c17c0fae874e3

Memory dumps:
- memory/1004-2-0x0000000000000000-mapping.dmp
- memory/1004-4-0x0000000010000000-0x0000000010035000-memory.dmp (Filesize: 212KB)
- memory/1004-3-0x0000000002C00000-0x0000000002C33000-memory.dmp (Filesize: 204KB)
- memory/1004-6-0x0000000010000000-0x0000000010035000-memory.dmp (Filesize: 212KB)
- memory/1304-13-0x0000000003540000-0x0000000003541000-memory.dmp (Filesize: 4KB)
- memory/1308-11-0x0000000000000000-mapping.dmp
- memory/3904-7-0x0000000000000000-mapping.dmp
- memory/4012-5-0x0000000000000000-mapping.dmp
- memory/4012-8-0x0000000000550000-0x0000000000585000-memory.dmp (Filesize: 212KB)
- memory/4012-9-0x0000000000550000-0x0000000000585000-memory.dmp (Filesize: 212KB)