Analysis
max time kernel: 149s
max time network: 112s
platform: windows10_x64
resource: win10v20210408
submitted: 07-05-2021 06:03
Static task: static1
Behavioral task: behavioral1
Sample: 1312.gif.dll
Resource: win7v20210410
General
Target: 1312.gif.dll
Size: 2.0MB
MD5: ec11ad0b0b09671b0e1d33a0426fc545
SHA1: f3527e4bbb1f3ea8db2365824c41cd0fac0bdf44
SHA256: caf0413ce43dd36aad32438727ff41ae1b9cd3243e240a21474e606572e35712
SHA512: 7953df254175a8db3a16ca079bb770845bb931701ae7ff77274a2d45e26deb5e5456ecbc4053a02d65cc5b806e1442b3395075473efeb583affbeeae20e4463a
Malware Config
Extracted: qakbot
401.78
tr02
1607955641
120.151.95.167:443
47.44.217.98:443
32.212.117.188:443
184.97.145.239:443
86.121.3.80:443
83.110.97.149:443
83.194.193.247:2222
105.198.236.101:443
35.134.202.234:443
189.62.175.92:22
2.89.122.157:443
78.97.207.104:443
208.93.202.41:443
45.118.216.157:443
5.204.148.208:995
5.15.226.81:443
66.26.160.37:443
84.78.128.76:2222
80.106.85.24:2222
108.31.15.10:995
67.6.54.180:443
70.118.146.154:995
98.16.204.189:995
5.15.109.245:443
50.244.112.10:995
96.27.47.70:2222
47.146.34.236:443
45.77.115.208:443
24.95.61.62:443
37.107.76.36:995
78.63.226.32:443
77.27.174.49:995
149.135.101.20:443
87.238.133.190:995
58.179.21.147:995
103.110.6.151:2087
197.161.154.132:443
200.38.254.177:443
67.249.12.146:443
83.110.78.194:443
85.122.5.98:443
83.110.109.78:2222
181.48.190.78:443
108.190.151.108:2222
190.220.8.10:995
78.187.125.116:2222
197.135.246.41:443
51.235.149.29:443
65.30.213.13:6882
105.184.50.206:443
24.229.150.54:995
24.234.204.230:995
80.14.22.234:2222
74.222.204.82:995
82.76.47.211:443
206.183.190.53:993
109.205.204.229:2222
191.84.8.167:443
200.44.237.189:2222
80.195.103.146:2222
198.2.35.226:2222
86.121.41.112:443
92.154.83.96:1194
66.25.168.167:2222
154.238.37.26:995
75.109.180.221:995
85.132.36.111:2222
156.213.217.254:443
217.128.117.218:2222
108.30.125.94:443
122.148.156.131:995
76.167.240.21:443
5.193.106.230:2078
120.57.72.44:443
103.102.100.78:2222
2.50.88.125:995
149.28.99.97:443
45.77.115.208:995
149.28.101.90:995
149.28.98.196:443
85.105.29.218:443
144.202.38.185:2222
144.202.38.185:443
86.98.21.136:443
2.50.2.146:995
45.63.107.192:995
149.28.98.196:2222
149.28.98.196:995
116.240.76.97:0
84.232.252.202:2222
45.63.107.192:443
149.28.101.90:2222
144.202.38.185:995
149.28.99.97:2222
45.63.107.192:2222
149.28.99.97:995
85.101.187.146:443
51.223.138.251:443
71.117.132.169:443
90.201.21.58:443
81.214.126.173:2222
84.117.176.32:443
78.181.19.134:443
92.154.83.96:2078
71.58.19.33:443
47.22.148.6:995
86.245.82.249:2078
92.154.83.96:2087
197.49.240.8:995
95.76.27.6:443
116.240.78.45:995
140.82.49.12:443
201.152.69.198:995
160.3.184.253:443
24.139.72.117:443
47.22.148.6:443
197.82.221.199:443
174.62.13.151:443
186.29.96.147:443
79.129.252.62:2222
2.50.2.216:443
200.30.223.162:443
105.99.18.189:443
90.101.117.122:2222
102.187.59.94:443
151.60.38.21:443
185.163.221.77:2222
105.199.235.142:443
102.185.13.89:443
189.183.209.65:443
92.59.35.196:2083
86.122.248.164:2222
151.73.121.136:443
93.148.241.179:2222
105.198.236.99:443
134.228.24.29:443
46.53.0.32:443
178.191.126.94:993
2.50.57.224:443
184.98.97.227:995
80.11.5.65:2222
185.138.132.186:443
24.179.13.119:443
47.138.204.19:443
74.73.27.35:443
125.63.101.62:443
59.96.58.232:443
95.77.144.238:443
37.130.115.124:443
216.201.162.158:443
Signatures

Loads dropped DLL (1 IoCs)
Processes:
  pid | process
  3552 | regsvr32.exe

Program crash (1 IoCs)
Processes:
  pid | pid_target | process | target process
  2156 | 3552 | WerFault.exe | regsvr32.exe

Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service | rundll32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service | rundll32.exe

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (17 IoCs)
Processes:
  pid | process | events
  1184 | rundll32.exe | 4
  2156 | WerFault.exe | 13

Suspicious behavior: MapViewOfSection (1 IoCs)
Processes:
  pid | process
  1184 | rundll32.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description | pid | process
  Token: SeRestorePrivilege | 2156 | WerFault.exe
  Token: SeBackupPrivilege | 2156 | WerFault.exe
  Token: SeDebugPrivilege | 2156 | WerFault.exe

Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
  description | pid | process | target process | events
  PID 808 wrote to memory of 1184 | 808 | rundll32.exe | rundll32.exe | 3
  PID 1184 wrote to memory of 204 | 1184 | rundll32.exe | explorer.exe | 5
  PID 204 wrote to memory of 4044 | 204 | explorer.exe | schtasks.exe | 3
  PID 2820 wrote to memory of 3552 | 2820 | regsvr32.exe | regsvr32.exe | 3
Processes

[depth 1] C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1312.gif.dll,#1
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1312.gif.dll,#1
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\SysWOW64\explorer.exe
      Command line: C:\Windows\SysWOW64\explorer.exe
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn enkejhjs /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\1312.gif.dll\"" /SC ONCE /Z /ST 08:09 /ET 08:21
        - Creates scheduled task(s)

[depth 1] \??\c:\windows\system32\regsvr32.exe
  Command line: regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\1312.gif.dll"
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\SysWOW64\regsvr32.exe
    Command line: -s "C:\Users\Admin\AppData\Local\Temp\1312.gif.dll"
    - Loads dropped DLL
    [depth 3] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 596
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\1312.gif.dll
  MD5: 7fa71d3adffd18c2f7038dbeaef014b3
  SHA1: af502b52ecb72f48fe5ef1119607ea4f422be242
  SHA256: c468670d8b78a054cd22e4aac5853e91383d35a7472f64d46898b4236f88e937
  SHA512: a2572720d657e868d1abb652f0d2cbc0569f55f9ff8fbb47ac9655179d01e425aa69ee82ebbb81935efc8ebe77c4bec43019542d87743d002c4ef6688e948694

\Users\Admin\AppData\Local\Temp\1312.gif.dll
  MD5: 7fa71d3adffd18c2f7038dbeaef014b3
  SHA1: af502b52ecb72f48fe5ef1119607ea4f422be242
  SHA256: c468670d8b78a054cd22e4aac5853e91383d35a7472f64d46898b4236f88e937
  SHA512: a2572720d657e868d1abb652f0d2cbc0569f55f9ff8fbb47ac9655179d01e425aa69ee82ebbb81935efc8ebe77c4bec43019542d87743d002c4ef6688e948694

memory/204-117-0x0000000000000000-mapping.dmp
memory/204-121-0x0000000000720000-0x0000000000741000-memory.dmp
  Filesize: 132KB
memory/1184-114-0x0000000000000000-mapping.dmp
memory/1184-115-0x0000000004720000-0x000000000490A000-memory.dmp
  Filesize: 1.9MB
memory/1184-116-0x0000000010000000-0x0000000010214000-memory.dmp
  Filesize: 2.1MB
memory/3552-123-0x0000000000000000-mapping.dmp
memory/4044-118-0x0000000000000000-mapping.dmp