Analysis
-
max time kernel
144s -
max time network
144s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
24-02-2021 20:41
Static task
static1
Behavioral task
behavioral1
Sample
0df2454118e456768e7f1f3ddf5df8ecaba692ed0d46c1a22b76c95ab5853d55.dll
Resource
win7v20201028
General
-
Target
0df2454118e456768e7f1f3ddf5df8ecaba692ed0d46c1a22b76c95ab5853d55.dll
-
Size
1021KB
-
MD5
c4937efde639aebb1dd44f39b4fd7e86
-
SHA1
5ec55bee8a19ca6436ac13518ef5e3755a8b50e4
-
SHA256
0df2454118e456768e7f1f3ddf5df8ecaba692ed0d46c1a22b76c95ab5853d55
-
SHA512
16451b7a3aa1c9ed7b87d4164c34384557480582fe79fd9f7ab3a6e9761ead39d68d3ffd362c6d30c9efb6655ba33d708672a7d1eaa2e2836fd23a5efde147a3
Malware Config
Extracted
qakbot
abc123
1612349986
222.154.253.111:995
50.244.112.106:443
83.110.108.181:2222
105.198.236.99:443
74.77.162.33:443
106.250.150.98:443
196.151.252.84:443
45.118.216.157:443
140.82.49.12:443
80.11.173.82:8443
71.88.193.17:443
68.186.192.69:443
46.153.119.255:995
81.214.126.173:2222
108.31.15.10:995
197.45.110.165:995
81.88.254.62:443
86.97.8.249:443
202.187.58.21:443
41.39.134.183:443
80.227.5.69:443
105.186.102.16:443
125.63.101.62:443
68.225.60.77:995
188.25.63.105:443
216.201.162.158:443
82.76.47.211:443
71.187.170.235:443
144.139.47.206:443
96.21.251.127:2222
203.194.110.74:443
171.103.138.122:995
193.248.221.184:2222
81.97.154.100:443
151.60.14.100:443
79.129.121.81:995
37.211.90.175:995
75.136.40.155:443
86.220.60.133:2222
203.198.96.37:443
160.3.187.114:443
47.22.148.6:443
176.181.247.197:443
77.31.46.230:443
82.127.125.209:990
197.35.9.48:443
202.188.138.162:443
60.49.104.167:443
81.150.181.168:2222
172.78.30.215:443
83.110.103.152:443
45.77.115.208:2222
78.63.226.32:443
90.101.117.122:2222
2.50.2.216:443
68.131.107.37:443
75.67.192.125:443
85.52.72.32:2222
76.110.113.71:995
106.51.52.111:443
209.210.187.52:443
154.125.89.244:995
84.72.35.226:443
172.115.177.204:2222
86.98.93.124:2078
45.32.211.207:2222
45.32.211.207:995
207.246.116.237:443
144.202.38.185:443
45.63.107.192:443
149.28.99.97:443
149.28.99.97:2222
149.28.99.97:995
149.28.101.90:443
149.28.101.90:995
149.28.101.90:2222
45.63.107.192:995
207.246.77.75:2222
144.202.38.185:2222
45.32.211.207:8443
144.202.38.185:995
45.32.211.207:443
149.28.98.196:2222
207.246.116.237:8443
207.246.77.75:443
207.246.77.75:8443
207.246.116.237:2222
207.246.116.237:995
149.28.98.196:995
45.63.107.192:2222
149.28.98.196:443
149.28.101.90:8443
45.77.115.208:443
207.246.77.75:995
77.27.174.49:995
92.59.35.196:2222
98.121.187.78:443
184.189.122.72:443
109.106.69.138:2222
175.141.219.71:443
45.77.115.208:8443
45.77.115.208:995
172.87.157.235:3389
184.179.14.130:22
190.85.91.154:443
83.110.12.140:2222
85.58.200.50:2222
151.242.43.85:32103
176.205.222.30:2222
202.184.20.119:443
84.247.55.190:8443
2.232.253.79:995
213.60.147.140:443
24.50.118.93:443
64.121.114.87:443
85.132.36.111:2222
70.126.76.75:443
105.198.236.101:443
89.137.211.239:995
95.77.223.148:443
86.236.77.68:2222
115.133.243.6:443
197.161.154.132:443
45.46.53.140:2222
82.12.157.95:995
27.223.92.142:995
209.210.187.52:995
139.216.137.189:995
31.5.21.66:995
76.25.142.196:443
173.21.10.71:2222
50.29.166.232:995
94.53.92.42:443
75.118.1.141:443
50.240.77.238:22
71.74.12.34:443
75.136.26.147:443
144.139.166.18:443
37.211.83.41:443
67.6.12.4:443
184.103.117.178:443
24.253.38.139:993
122.148.156.131:995
69.123.179.70:443
125.239.152.76:995
71.197.126.250:443
98.207.89.76:2222
100.2.123.122:443
98.240.24.57:443
186.28.51.27:443
Signatures
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3992 956 WerFault.exe rundll32.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
WerFault.exepid process 3992 WerFault.exe 3992 WerFault.exe 3992 WerFault.exe 3992 WerFault.exe 3992 WerFault.exe 3992 WerFault.exe 3992 WerFault.exe 3992 WerFault.exe 3992 WerFault.exe 3992 WerFault.exe 3992 WerFault.exe 3992 WerFault.exe 3992 WerFault.exe 3992 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 3992 WerFault.exe Token: SeBackupPrivilege 3992 WerFault.exe Token: SeDebugPrivilege 3992 WerFault.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 724 wrote to memory of 956 724 rundll32.exe rundll32.exe PID 724 wrote to memory of 956 724 rundll32.exe rundll32.exe PID 724 wrote to memory of 956 724 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0df2454118e456768e7f1f3ddf5df8ecaba692ed0d46c1a22b76c95ab5853d55.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0df2454118e456768e7f1f3ddf5df8ecaba692ed0d46c1a22b76c95ab5853d55.dll,#12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 7483⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/956-2-0x0000000000000000-mapping.dmp
-
memory/956-3-0x00000000011D0000-0x00000000011D1000-memory.dmpFilesize
4KB
-
memory/956-4-0x0000000006480000-0x00000000064C7000-memory.dmpFilesize
284KB
-
memory/956-5-0x0000000004F00000-0x0000000004F35000-memory.dmpFilesize
212KB
-
memory/3992-6-0x0000000004C70000-0x0000000004C71000-memory.dmpFilesize
4KB