Analysis
- max time kernel: 142s
- max time network: 140s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 24-02-2021 20:39
- Static task: static1
- Behavioral task: behavioral1
- Sample: 7c16cd83d2c94fd23635df1e30d20f88a9a0359870a7d8e7cae03269f980f023.dll
- Resource: win7v20201028
General
- Target: 7c16cd83d2c94fd23635df1e30d20f88a9a0359870a7d8e7cae03269f980f023.dll
- Size: 1016KB
- MD5: 873e74b88e18c15365f236ac1f98e2e0
- SHA1: aa43ad94aeb7800931206e733494148abfe39d3f
- SHA256: 7c16cd83d2c94fd23635df1e30d20f88a9a0359870a7d8e7cae03269f980f023
- SHA512: 0bd59ab2bd699f7120ca32faacd72119f956ccb31f65b36a564b64d3503f1f983c5b1c08e8f6dc09e203e2b14e53685cb28b053b374b0b90019b3d4e396fc120
Malware Config
Extracted:
- family: qakbot
- botnet: tr
- campaign: 1612175155
Signatures
- Loads dropped DLL (1 IoC)
  Processes: regsvr32.exe (PID 484)
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: rundll32.exe (PID 1780), rundll32.exe (PID 1780)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: rundll32.exe (PID 1780)
- Suspicious use of WriteProcessMemory (29 IoCs)
  Processes (source PID -> target PID; repeated events collapsed with counts):
  - rundll32.exe (1040) wrote to memory of rundll32.exe (1780): 7 events
  - rundll32.exe (1780) wrote to memory of explorer.exe (1544): 6 events
  - explorer.exe (1544) wrote to memory of schtasks.exe (1552): 4 events
  - taskeng.exe (1704) wrote to memory of regsvr32.exe (2032): 5 events
  - regsvr32.exe (2032) wrote to memory of regsvr32.exe (484): 7 events
Processes (tree depth shown as [1], [2], ...)
- [1] C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c16cd83d2c94fd23635df1e30d20f88a9a0359870a7d8e7cae03269f980f023.dll,#1
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c16cd83d2c94fd23635df1e30d20f88a9a0359870a7d8e7cae03269f980f023.dll,#1
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\explorer.exe
      command line: C:\Windows\SysWOW64\explorer.exe
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\schtasks.exe
        command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn oxxaktzssq /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\7c16cd83d2c94fd23635df1e30d20f88a9a0359870a7d8e7cae03269f980f023.dll\"" /SC ONCE /Z /ST 21:38 /ET 21:50
        - Creates scheduled task(s)
- [1] C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {11C82A4E-3E44-42F8-83BA-73588B1683BD} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\regsvr32.exe
    command line: regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\7c16cd83d2c94fd23635df1e30d20f88a9a0359870a7d8e7cae03269f980f023.dll"
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\regsvr32.exe
      command line: -s "C:\Users\Admin\AppData\Local\Temp\7c16cd83d2c94fd23635df1e30d20f88a9a0359870a7d8e7cae03269f980f023.dll"
      - Loads dropped DLL
Downloads
- C:\Users\Admin\AppData\Local\Temp\7c16cd83d2c94fd23635df1e30d20f88a9a0359870a7d8e7cae03269f980f023.dll
  MD5: babc9d51adcda32c57159338f33cc7e9
  SHA1: ac444a80ca47a8770cc399e871df9143e91c08e7
  SHA256: fc6756f3da18f111fb26f9e1a67a8beb7636088e471e7a2e137349dbb53c14e3
  SHA512: a47eb52f91d4ad12228ccd0df486bdd654df68770c5b93336f2c6d6cb27ec2f678162d34dd71ccd4fea356de7814b7a1fccd0a4db70887838839631d6257b20b
- memory/484-18-0x0000000000000000-mapping.dmp
- memory/1544-12-0x00000000000E0000-0x0000000000115000-memory.dmp (212KB)
- memory/1544-14-0x00000000000E0000-0x0000000000115000-memory.dmp (212KB)
- memory/1544-8-0x0000000000000000-mapping.dmp
- memory/1544-10-0x0000000074681000-0x0000000074683000-memory.dmp (8KB)
- memory/1552-13-0x0000000000000000-mapping.dmp
- memory/1780-6-0x0000000000320000-0x0000000000355000-memory.dmp (212KB)
- memory/1780-11-0x0000000000320000-0x0000000000355000-memory.dmp (212KB)
- memory/1780-2-0x0000000000000000-mapping.dmp
- memory/1780-5-0x00000000002D0000-0x0000000000317000-memory.dmp (284KB)
- memory/1780-4-0x0000000000160000-0x0000000000161000-memory.dmp (4KB)
- memory/1780-3-0x0000000076311000-0x0000000076313000-memory.dmp (8KB)
- memory/2032-15-0x0000000000000000-mapping.dmp
- memory/2032-16-0x000007FEFBCF1000-0x000007FEFBCF3000-memory.dmp (8KB)