Analysis
-
max time kernel
39s -
max time network
110s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
07-05-2021 10:08
Static task
static1
Behavioral task
behavioral1
Sample
a2869406c4661b2c003f0d38aebe8f8e5715bdbc7d67e429023cb0726dbc13f5.dll
Resource
win7v20210408
General
-
Target
a2869406c4661b2c003f0d38aebe8f8e5715bdbc7d67e429023cb0726dbc13f5.dll
-
Size
1.0MB
-
MD5
f8bedd553a00abdc81ae847d21e958a1
-
SHA1
1b5ac0acbba430c9e4ccad70a59eb2dedc9b0f5b
-
SHA256
a2869406c4661b2c003f0d38aebe8f8e5715bdbc7d67e429023cb0726dbc13f5
-
SHA512
d0089483de35cda1b5fd0e498f7af2f3d471d08fd86cd7efb00df75e9a41fecaccfedfb34f048d69f2663062fd177e823c1213831ce22e0076506ed5eeb35b4e
Malware Config
Extracted
qakbot
401.138
domain02
1613028094
32.210.98.6:443
70.49.88.199:2222
151.205.102.42:443
178.152.79.153:995
216.195.46.163:2222
72.252.201.69:443
90.65.236.181:2222
98.173.34.212:995
97.69.160.4:2222
69.245.102.225:443
144.139.166.18:443
73.25.124.140:2222
189.223.205.126:443
157.131.108.180:443
71.197.126.250:443
73.228.197.5:443
151.213.189.62:443
24.229.150.54:995
84.72.35.226:443
199.19.117.131:443
189.146.183.105:443
195.12.154.8:443
172.87.157.235:3389
81.88.254.62:443
71.199.192.62:443
109.12.111.14:443
76.177.232.22:443
209.210.187.52:443
81.97.154.100:443
67.8.103.21:443
24.50.118.93:443
149.28.99.97:443
149.28.99.97:2222
149.28.99.97:995
45.63.107.192:2222
45.63.107.192:443
45.63.107.192:995
149.28.98.196:2222
149.28.98.196:995
149.28.98.196:443
144.202.38.185:2222
144.202.38.185:995
144.202.38.185:443
45.32.211.207:443
45.32.211.207:995
45.32.211.207:8443
45.32.211.207:2222
149.28.101.90:443
149.28.101.90:995
149.28.101.90:2222
149.28.101.90:8443
45.77.115.208:443
45.77.115.208:995
45.77.115.208:2222
45.77.115.208:8443
207.246.77.75:443
207.246.77.75:995
207.246.77.75:2222
207.246.77.75:8443
207.246.116.237:443
207.246.116.237:8443
207.246.116.237:995
207.246.116.237:2222
86.220.60.133:2222
24.55.112.61:443
71.163.223.159:443
186.28.51.27:443
189.149.77.114:443
98.252.118.134:443
82.12.157.95:995
108.46.145.30:443
197.161.154.132:443
122.148.156.131:995
96.61.23.88:995
71.117.132.169:443
108.160.123.244:443
76.30.63.164:443
176.181.247.197:443
89.137.211.239:995
80.11.173.82:8443
73.153.211.227:443
81.150.181.168:2222
47.187.115.228:443
50.244.112.106:443
140.82.49.12:443
201.143.235.13:443
68.50.197.143:443
201.170.135.141:995
82.76.47.211:443
173.184.119.153:995
67.165.206.193:993
46.153.118.161:995
77.211.30.202:995
47.147.6.66:443
209.210.187.52:995
78.63.226.32:443
41.58.111.164:3389
73.4.146.225:443
90.101.117.122:2222
189.210.115.207:443
190.85.91.154:443
24.139.72.117:443
68.186.192.69:443
151.60.178.141:443
71.88.193.17:443
96.57.188.174:2222
75.118.1.141:443
70.168.130.172:995
86.160.137.132:443
86.236.77.68:2222
68.225.60.77:995
81.214.126.173:2222
94.53.92.42:443
160.3.187.114:443
38.92.225.121:443
47.217.24.69:443
201.114.220.210:443
78.22.58.205:3389
71.187.170.235:443
188.24.130.121:443
75.136.26.147:443
216.201.162.158:443
74.68.144.202:443
77.27.204.204:995
172.78.30.215:443
23.235.26.247:443
75.67.192.125:443
96.21.251.127:2222
196.151.252.84:443
24.95.61.62:443
179.113.183.60:995
189.223.234.23:995
47.187.74.181:443
125.239.152.76:995
74.222.204.82:995
76.25.142.196:443
75.136.40.155:443
69.123.179.70:443
189.211.177.183:995
47.22.148.6:443
24.30.62.205:443
98.192.185.86:443
213.60.147.140:443
106.51.85.162:443
98.240.24.57:443
208.126.142.17:443
95.77.223.148:443
45.46.53.140:2222
50.25.89.74:443
105.198.236.99:443
Signatures
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2352 3464 WerFault.exe rundll32.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
WerFault.exepid process 2352 WerFault.exe 2352 WerFault.exe 2352 WerFault.exe 2352 WerFault.exe 2352 WerFault.exe 2352 WerFault.exe 2352 WerFault.exe 2352 WerFault.exe 2352 WerFault.exe 2352 WerFault.exe 2352 WerFault.exe 2352 WerFault.exe 2352 WerFault.exe 2352 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 2352 WerFault.exe Token: SeBackupPrivilege 2352 WerFault.exe Token: SeDebugPrivilege 2352 WerFault.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 3896 wrote to memory of 3464 3896 rundll32.exe rundll32.exe PID 3896 wrote to memory of 3464 3896 rundll32.exe rundll32.exe PID 3896 wrote to memory of 3464 3896 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a2869406c4661b2c003f0d38aebe8f8e5715bdbc7d67e429023cb0726dbc13f5.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a2869406c4661b2c003f0d38aebe8f8e5715bdbc7d67e429023cb0726dbc13f5.dll,#12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 7643⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3464-114-0x0000000000000000-mapping.dmp
-
memory/3464-115-0x0000000000E20000-0x0000000000F27000-memory.dmpFilesize
1.0MB
-
memory/3464-116-0x0000000000A60000-0x0000000000A61000-memory.dmpFilesize
4KB
-
memory/3464-117-0x00000000049E0000-0x0000000004A40000-memory.dmpFilesize
384KB
-
memory/3464-118-0x0000000004A40000-0x0000000004A75000-memory.dmpFilesize
212KB