Analysis
-
max time kernel
31s -
max time network
121s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
07-05-2021 10:08
Static task
static1
Behavioral task
behavioral1
Sample
175a611670e535ef1033f4cb95afd974b24334c2ceddb26b320ca14455a40bb6.dll
Resource
win7v20210408
General
-
Target
175a611670e535ef1033f4cb95afd974b24334c2ceddb26b320ca14455a40bb6.dll
-
Size
963KB
-
MD5
16f84c82e6f0d47389f70d59d395778d
-
SHA1
2bc9c1965b0996d9f2e931f1a83dcf81ffd66876
-
SHA256
175a611670e535ef1033f4cb95afd974b24334c2ceddb26b320ca14455a40bb6
-
SHA512
78b6b58a857f54038daf1769ec52c23bd2fc5a4d79e3fa4dcd4df2c2a2bbc7a10f2d456a710f1b8ea1fdc67a666933204072e4f361c27101105de61e4efd751b
Malware Config
Extracted
qakbot
401.138
domain02
1613028094
32.210.98.6:443
70.49.88.199:2222
151.205.102.42:443
178.152.79.153:995
216.195.46.163:2222
72.252.201.69:443
90.65.236.181:2222
98.173.34.212:995
97.69.160.4:2222
69.245.102.225:443
144.139.166.18:443
73.25.124.140:2222
189.223.205.126:443
157.131.108.180:443
71.197.126.250:443
73.228.197.5:443
151.213.189.62:443
24.229.150.54:995
84.72.35.226:443
199.19.117.131:443
189.146.183.105:443
195.12.154.8:443
172.87.157.235:3389
81.88.254.62:443
71.199.192.62:443
109.12.111.14:443
76.177.232.22:443
209.210.187.52:443
81.97.154.100:443
67.8.103.21:443
24.50.118.93:443
149.28.99.97:443
149.28.99.97:2222
149.28.99.97:995
45.63.107.192:2222
45.63.107.192:443
45.63.107.192:995
149.28.98.196:2222
149.28.98.196:995
149.28.98.196:443
144.202.38.185:2222
144.202.38.185:995
144.202.38.185:443
45.32.211.207:443
45.32.211.207:995
45.32.211.207:8443
45.32.211.207:2222
149.28.101.90:443
149.28.101.90:995
149.28.101.90:2222
149.28.101.90:8443
45.77.115.208:443
45.77.115.208:995
45.77.115.208:2222
45.77.115.208:8443
207.246.77.75:443
207.246.77.75:995
207.246.77.75:2222
207.246.77.75:8443
207.246.116.237:443
207.246.116.237:8443
207.246.116.237:995
207.246.116.237:2222
86.220.60.133:2222
24.55.112.61:443
71.163.223.159:443
186.28.51.27:443
189.149.77.114:443
98.252.118.134:443
82.12.157.95:995
108.46.145.30:443
197.161.154.132:443
122.148.156.131:995
96.61.23.88:995
71.117.132.169:443
108.160.123.244:443
76.30.63.164:443
176.181.247.197:443
89.137.211.239:995
80.11.173.82:8443
73.153.211.227:443
81.150.181.168:2222
47.187.115.228:443
50.244.112.106:443
140.82.49.12:443
201.143.235.13:443
68.50.197.143:443
201.170.135.141:995
82.76.47.211:443
173.184.119.153:995
67.165.206.193:993
46.153.118.161:995
77.211.30.202:995
47.147.6.66:443
209.210.187.52:995
78.63.226.32:443
41.58.111.164:3389
73.4.146.225:443
90.101.117.122:2222
189.210.115.207:443
190.85.91.154:443
24.139.72.117:443
68.186.192.69:443
151.60.178.141:443
71.88.193.17:443
96.57.188.174:2222
75.118.1.141:443
70.168.130.172:995
86.160.137.132:443
86.236.77.68:2222
68.225.60.77:995
81.214.126.173:2222
94.53.92.42:443
160.3.187.114:443
38.92.225.121:443
47.217.24.69:443
201.114.220.210:443
78.22.58.205:3389
71.187.170.235:443
188.24.130.121:443
75.136.26.147:443
216.201.162.158:443
74.68.144.202:443
77.27.204.204:995
172.78.30.215:443
23.235.26.247:443
75.67.192.125:443
96.21.251.127:2222
196.151.252.84:443
24.95.61.62:443
179.113.183.60:995
189.223.234.23:995
47.187.74.181:443
125.239.152.76:995
74.222.204.82:995
76.25.142.196:443
75.136.40.155:443
69.123.179.70:443
189.211.177.183:995
47.22.148.6:443
24.30.62.205:443
98.192.185.86:443
213.60.147.140:443
106.51.85.162:443
98.240.24.57:443
208.126.142.17:443
95.77.223.148:443
45.46.53.140:2222
50.25.89.74:443
105.198.236.99:443
Signatures
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2348 4076 WerFault.exe rundll32.exe -
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
WerFault.exepid process 2348 WerFault.exe 2348 WerFault.exe 2348 WerFault.exe 2348 WerFault.exe 2348 WerFault.exe 2348 WerFault.exe 2348 WerFault.exe 2348 WerFault.exe 2348 WerFault.exe 2348 WerFault.exe 2348 WerFault.exe 2348 WerFault.exe 2348 WerFault.exe 2348 WerFault.exe 2348 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 2348 WerFault.exe Token: SeBackupPrivilege 2348 WerFault.exe Token: SeDebugPrivilege 2348 WerFault.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 3944 wrote to memory of 4076 3944 rundll32.exe rundll32.exe PID 3944 wrote to memory of 4076 3944 rundll32.exe rundll32.exe PID 3944 wrote to memory of 4076 3944 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\175a611670e535ef1033f4cb95afd974b24334c2ceddb26b320ca14455a40bb6.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\175a611670e535ef1033f4cb95afd974b24334c2ceddb26b320ca14455a40bb6.dll,#12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 7363⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4076-114-0x0000000000000000-mapping.dmp
-
memory/4076-115-0x00000000007D0000-0x00000000008C5000-memory.dmpFilesize
980KB
-
memory/4076-116-0x00000000008D0000-0x00000000008D1000-memory.dmpFilesize
4KB
-
memory/4076-117-0x0000000001050000-0x0000000001083000-memory.dmpFilesize
204KB
-
memory/4076-118-0x0000000004570000-0x00000000045A5000-memory.dmpFilesize
212KB