Analysis
-
max time kernel
13s -
max time network
111s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
07-02-2021 14:17
Static task
static1
Behavioral task
behavioral1
Sample
8e92e1c25f5ebc5365493becb70a35d8081f945c8eb998d0ad5f1c251c3a71d7 (1).dll
Resource
win7v20201028
General
-
Target
8e92e1c25f5ebc5365493becb70a35d8081f945c8eb998d0ad5f1c251c3a71d7 (1).dll
-
Size
714KB
-
MD5
950d4a83d3d6922c72aa413999bdec4f
-
SHA1
637812bc32de99e47987e7990a57ba12b05cd1b9
-
SHA256
8e92e1c25f5ebc5365493becb70a35d8081f945c8eb998d0ad5f1c251c3a71d7
-
SHA512
7d48b33d758ed8fb6188c390d4dfbc8a7df0eb65ecb0057b356bcf1787c2788b52f35f18b911ae7d9cd7109cbcc53fb702f8934396786fef93d7e8f9765e32af
Malware Config
Extracted
qakbot
abc123
1612349986
222.154.253.111:995
50.244.112.106:443
83.110.108.181:2222
105.198.236.99:443
74.77.162.33:443
106.250.150.98:443
196.151.252.84:443
45.118.216.157:443
140.82.49.12:443
80.11.173.82:8443
71.88.193.17:443
68.186.192.69:443
46.153.119.255:995
81.214.126.173:2222
108.31.15.10:995
197.45.110.165:995
81.88.254.62:443
86.97.8.249:443
202.187.58.21:443
41.39.134.183:443
80.227.5.69:443
105.186.102.16:443
125.63.101.62:443
68.225.60.77:995
188.25.63.105:443
216.201.162.158:443
82.76.47.211:443
71.187.170.235:443
144.139.47.206:443
96.21.251.127:2222
203.194.110.74:443
171.103.138.122:995
193.248.221.184:2222
81.97.154.100:443
151.60.14.100:443
79.129.121.81:995
37.211.90.175:995
75.136.40.155:443
86.220.60.133:2222
203.198.96.37:443
160.3.187.114:443
47.22.148.6:443
176.181.247.197:443
77.31.46.230:443
82.127.125.209:990
197.35.9.48:443
202.188.138.162:443
60.49.104.167:443
81.150.181.168:2222
172.78.30.215:443
83.110.103.152:443
45.77.115.208:2222
78.63.226.32:443
90.101.117.122:2222
2.50.2.216:443
68.131.107.37:443
75.67.192.125:443
85.52.72.32:2222
76.110.113.71:995
106.51.52.111:443
209.210.187.52:443
154.125.89.244:995
84.72.35.226:443
172.115.177.204:2222
86.98.93.124:2078
45.32.211.207:2222
45.32.211.207:995
207.246.116.237:443
144.202.38.185:443
45.63.107.192:443
149.28.99.97:443
149.28.99.97:2222
149.28.99.97:995
149.28.101.90:443
149.28.101.90:995
149.28.101.90:2222
45.63.107.192:995
207.246.77.75:2222
144.202.38.185:2222
45.32.211.207:8443
144.202.38.185:995
45.32.211.207:443
149.28.98.196:2222
207.246.116.237:8443
207.246.77.75:443
207.246.77.75:8443
207.246.116.237:2222
207.246.116.237:995
149.28.98.196:995
45.63.107.192:2222
149.28.98.196:443
149.28.101.90:8443
45.77.115.208:443
207.246.77.75:995
77.27.174.49:995
92.59.35.196:2222
98.121.187.78:443
184.189.122.72:443
109.106.69.138:2222
175.141.219.71:443
45.77.115.208:8443
45.77.115.208:995
172.87.157.235:3389
184.179.14.130:22
190.85.91.154:443
83.110.12.140:2222
85.58.200.50:2222
151.242.43.85:32103
176.205.222.30:2222
202.184.20.119:443
84.247.55.190:8443
2.232.253.79:995
213.60.147.140:443
24.50.118.93:443
64.121.114.87:443
85.132.36.111:2222
70.126.76.75:443
105.198.236.101:443
89.137.211.239:995
95.77.223.148:443
86.236.77.68:2222
115.133.243.6:443
197.161.154.132:443
45.46.53.140:2222
82.12.157.95:995
27.223.92.142:995
209.210.187.52:995
139.216.137.189:995
31.5.21.66:995
76.25.142.196:443
173.21.10.71:2222
50.29.166.232:995
94.53.92.42:443
75.118.1.141:443
50.240.77.238:22
71.74.12.34:443
75.136.26.147:443
144.139.166.18:443
37.211.83.41:443
67.6.12.4:443
184.103.117.178:443
24.253.38.139:993
122.148.156.131:995
69.123.179.70:443
125.239.152.76:995
71.197.126.250:443
98.207.89.76:2222
100.2.123.122:443
98.240.24.57:443
186.28.51.27:443
Signatures
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3064 3208 WerFault.exe rundll32.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
WerFault.exepid process 3064 WerFault.exe 3064 WerFault.exe 3064 WerFault.exe 3064 WerFault.exe 3064 WerFault.exe 3064 WerFault.exe 3064 WerFault.exe 3064 WerFault.exe 3064 WerFault.exe 3064 WerFault.exe 3064 WerFault.exe 3064 WerFault.exe 3064 WerFault.exe 3064 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 3064 WerFault.exe Token: SeBackupPrivilege 3064 WerFault.exe Token: SeDebugPrivilege 3064 WerFault.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 508 wrote to memory of 3208 508 rundll32.exe rundll32.exe PID 508 wrote to memory of 3208 508 rundll32.exe rundll32.exe PID 508 wrote to memory of 3208 508 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\8e92e1c25f5ebc5365493becb70a35d8081f945c8eb998d0ad5f1c251c3a71d7 (1).dll",#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\8e92e1c25f5ebc5365493becb70a35d8081f945c8eb998d0ad5f1c251c3a71d7 (1).dll",#12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 7523⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3064-6-0x0000000005050000-0x0000000005051000-memory.dmpFilesize
4KB
-
memory/3208-2-0x0000000000000000-mapping.dmp
-
memory/3208-3-0x0000000002920000-0x0000000002921000-memory.dmpFilesize
4KB
-
memory/3208-5-0x0000000004A60000-0x0000000004A95000-memory.dmpFilesize
212KB
-
memory/3208-4-0x00000000044B0000-0x00000000044F7000-memory.dmpFilesize
284KB