Analysis
-
max time kernel
128s -
max time network
165s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
14-10-2021 08:13
Static task
static1
Behavioral task
behavioral1
Sample
44483.353547338.dat.dll
Resource
win7v20210408
General
-
Target
44483.353547338.dat.dll
-
Size
756KB
-
MD5
acdcd26de7e78893c0b6861316721469
-
SHA1
2f8716ea8f2747f7fdac054ec58644d6a3a175a4
-
SHA256
e7e9ac9bbc69589e627f913f8605938b96afd929ebc974ffa0955598d19498d1
-
SHA512
84c29ce85551beda34e86c56da1d0a2a97f080b0073de679183eb5a1493c3a2bd760d414526f43643ec9689a3a010ed357e9428d4bd18c08cc664c9903f00aa7
Malware Config
Extracted
qakbot (family)
402.363 (bot version)
obama113 (botnet / campaign ID)
1634023197 (config timestamp, Unix epoch; ≈ 2021-10-12 07:19:57 UTC, two days before submission)
73.52.50.32:443
167.248.117.81:443
209.236.35.178:443
67.230.44.194:443
72.173.78.211:443
146.66.238.74:443
181.118.183.94:443
94.200.181.154:443
81.250.153.227:2222
69.30.186.190:443
93.48.58.123:2222
136.232.34.70:443
103.142.10.177:443
185.250.148.74:443
174.54.193.186:443
39.49.64.244:995
89.137.52.44:443
77.31.162.93:443
24.107.165.50:443
73.230.205.91:443
140.82.49.12:443
197.89.12.119:443
120.151.47.189:443
75.131.217.182:443
41.86.42.158:995
200.232.214.222:995
103.148.120.144:443
124.123.42.115:2222
67.166.233.75:443
41.228.22.180:443
122.11.222.242:2222
85.109.229.54:995
217.17.56.163:2078
216.201.162.158:443
81.241.252.59:2078
120.150.218.241:995
220.255.25.28:2222
63.143.92.99:995
76.25.142.196:443
73.151.236.31:443
173.22.178.66:443
187.250.159.104:443
37.210.152.224:995
173.21.10.71:2222
71.74.12.34:443
75.188.35.168:443
67.165.206.193:993
75.66.88.33:443
47.40.196.233:2222
89.101.97.139:443
201.68.60.118:995
188.55.245.223:995
109.12.111.14:443
45.46.53.140:2222
73.77.87.137:443
66.216.193.114:443
24.229.150.54:995
2.222.167.138:443
78.105.213.151:995
84.39.194.65:995
96.57.188.174:2078
72.252.201.69:995
81.213.59.22:443
68.204.7.158:443
73.207.119.14:443
105.198.236.99:443
182.181.67.141:995
68.117.61.91:2222
80.6.192.58:443
37.117.191.19:2222
24.119.214.7:443
109.177.115.85:995
41.86.42.158:443
197.90.242.92:61201
121.52.154.80:995
186.32.163.199:443
181.4.53.6:465
203.213.107.174:443
73.77.87.137:995
86.8.177.143:443
199.27.127.129:443
209.50.20.255:443
72.27.211.245:995
77.57.204.78:443
27.223.92.142:995
99.227.243.24:993
187.172.230.218:443
24.139.72.117:443
189.54.223.244:995
47.22.148.6:443
98.157.235.126:443
2.99.100.134:2222
182.176.180.73:443
40.131.140.155:995
162.244.227.34:443
110.174.64.179:995
202.134.178.157:443
189.136.217.97:995
24.55.112.61:443
66.103.170.104:2222
209.142.97.161:995
74.72.237.54:443
66.177.215.152:50010
131.191.107.34:995
75.75.179.226:443
24.171.50.5:443
49.33.237.65:443
162.210.220.137:443
201.6.246.227:995
66.177.215.152:443
217.17.56.163:2222
202.165.32.158:2222
42.60.70.14:443
73.140.38.124:443
167.248.100.227:443
63.70.164.200:443
189.131.221.201:443
181.84.114.46:443
167.248.99.149:443
177.94.21.110:995
50.54.32.149:443
189.224.181.39:443
177.94.125.59:995
73.130.180.25:443
206.47.134.234:2222
208.89.171.42:443
167.248.54.34:2222
181.4.53.6:443
190.198.206.189:2222
167.248.111.245:443
96.46.103.226:443
73.25.124.140:2222
24.152.219.253:995
68.186.192.69:443
174.54.58.170:443
103.246.130.114:1194
103.246.130.35:21
103.246.130.2:20
103.246.130.122:20
103.157.122.198:995
4.34.193.180:995
159.2.51.200:2222
Signatures
-
Loads dropped DLL 1 IoCs
Processes:
regsvr32.exepid process 1040 regsvr32.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. In this run the task (see the schtasks.exe command line in the process tree below) is created with /RU "NT AUTHORITY\SYSTEM", /SC ONCE and /Z, i.e. a single self-deleting run of regsvr32.exe -s against the same DLL a few minutes later, so it functions as a re-execution / privilege-elevation step rather than durable persistence; the taskeng.exe instance running as S-1-5-18 that spawns regsvr32.exe confirms the task fired as SYSTEM.
-
Modifies data under HKEY_USERS 10 IoCs
The values are written by the explorer.exe in the SYSTEM-context chain (taskeng.exe → regsvr32.exe → explorer.exe) under HKU\.DEFAULT\SOFTWARE\Microsoft\Aquiewobvgvzc as opaque hex blobs; the .DEFAULT hive path is consistent with that process running as S-1-5-18, and the non-dictionary key name is a useful host-based IoC for this infection (it may be generated per host, so match on the pattern rather than the exact name).
Processes:
explorer.exedescription ioc process Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Aquiewobvgvzc\95993476 = c9ff89f9ec85bffd6f5e46a0604b06f37a8a2a4820002d4185794144e720ac5a051b41e86db2c2f559dade286b83622deb1f820a4e3db0d39b1ca9e21154d5e92f59969a08d8e749655b208d6bc9e7 explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Aquiewobvgvzc\502d1c99 = c4fdb41b28727a2c8750a45b9754bda779220f634646f717a6e6cf2a445163f53cd310330354d1cc271e111b58fd81791d3ef06e62ddddf377f470947d14befdc3ea065e531461211cfaef97f8824a8906229fa7eb828ae861a5f38dfd7aaa17e51ff041a78784f6de39 explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Aquiewobvgvzc\97d8140a = edcfb7554c4db7634031d39ced3e19e7e94df8fec83f219895b36d0e8052c5aabd9e9e9022fafb57a50f3d814ef2faaeea8d89f06969eb1ab7da9eb596e48ed8b8c628e2d0179bbe03eeef4fd0c37addb3522a5c12db3a948cbe515be1c19c2905ad7b56f8ae0badd5 explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Aquiewobvgvzc explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Aquiewobvgvzc\1afba321 = 1dc95d22566d2efee4d491a0e60e30b67c49c913cabf4561cef6b0ebf982c4188a0474a9f03aa7e18c94 explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Aquiewobvgvzc\2d255313 = ab0e849ca6238425193e56078b8ddcf53bb0ca73604cb289ecbe88617361666b630b982612229fa4f7624f1f89eeaeafa4a278c866284d00a225950ebdbf0a76fdb86961c7dfd674d2 explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Aquiewobvgvzc\1afba321 = 1dc94a22566d1b8f6ba246cebecb359e53b70a6706b80036322d9a99d5cc4948552046b001658832909fbbea35a8ddbb354243d4bcee6547795f13dbba4f7a explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Aquiewobvgvzc\2f64736f = 
957dd6fd41846f8db9b0359171128c145d1a01f9ea7ca1ea53e7c827be0a12ce7ae7bec1ed5c1a4d4728217bce4ceb4ad1c21f1f3983a7f69454585dd986ee3fb0a930d34d7c27b97d638973728d6357cda14e97d515178299ff266d03dcc273744f5dd9a8cd59dacddb472c17d108fc11234a97ab062875f556bba86de829305ab3fbf52c6c2931f159574c6d619aefd7cdbde9b286b67ad49c3219e58cd778cb51cc297339c150c1fb461783 explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Aquiewobvgvzc\e8917bfc = 530261dd4d7674c8a31eb4f8cd8ad9263b588692403f93fef9fd94cfe85d46b6a61fe08f8a381653e42743bffb3e332df52e307f260e28df8350e22dc3bdae2142b577ebb9 explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Aquiewobvgvzc\65b2ccd7 = db9922748510833c19ed9d628a911bf5fbca0b01c5d8ef20f8a95e9f88528e1e3b1ddab8ba982ad279dbd555e54861893b8e2c0366f6561bee64fdfff5cc2d65f6b115c2e4c158ff2819c2f6308cf252954bab301c2fadcbc4e1c5bc2b3c055bc670d4da1b31 explorer.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
rundll32.exeregsvr32.exepid process 1100 rundll32.exe 1040 regsvr32.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
rundll32.exeregsvr32.exepid process 1100 rundll32.exe 1040 regsvr32.exe -
Suspicious use of WriteProcessMemory 43 IoCs
Processes:
rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exedescription pid process target process PID 816 wrote to memory of 1100 816 rundll32.exe rundll32.exe PID 816 wrote to memory of 1100 816 rundll32.exe rundll32.exe PID 816 wrote to memory of 1100 816 rundll32.exe rundll32.exe PID 816 wrote to memory of 1100 816 rundll32.exe rundll32.exe PID 816 wrote to memory of 1100 816 rundll32.exe rundll32.exe PID 816 wrote to memory of 1100 816 rundll32.exe rundll32.exe PID 816 wrote to memory of 1100 816 rundll32.exe rundll32.exe PID 1100 wrote to memory of 1760 1100 rundll32.exe explorer.exe PID 1100 wrote to memory of 1760 1100 rundll32.exe explorer.exe PID 1100 wrote to memory of 1760 1100 rundll32.exe explorer.exe PID 1100 wrote to memory of 1760 1100 rundll32.exe explorer.exe PID 1100 wrote to memory of 1760 1100 rundll32.exe explorer.exe PID 1100 wrote to memory of 1760 1100 rundll32.exe explorer.exe PID 1760 wrote to memory of 1572 1760 explorer.exe schtasks.exe PID 1760 wrote to memory of 1572 1760 explorer.exe schtasks.exe PID 1760 wrote to memory of 1572 1760 explorer.exe schtasks.exe PID 1760 wrote to memory of 1572 1760 explorer.exe schtasks.exe PID 744 wrote to memory of 1516 744 taskeng.exe regsvr32.exe PID 744 wrote to memory of 1516 744 taskeng.exe regsvr32.exe PID 744 wrote to memory of 1516 744 taskeng.exe regsvr32.exe PID 744 wrote to memory of 1516 744 taskeng.exe regsvr32.exe PID 744 wrote to memory of 1516 744 taskeng.exe regsvr32.exe PID 1516 wrote to memory of 1040 1516 regsvr32.exe regsvr32.exe PID 1516 wrote to memory of 1040 1516 regsvr32.exe regsvr32.exe PID 1516 wrote to memory of 1040 1516 regsvr32.exe regsvr32.exe PID 1516 wrote to memory of 1040 1516 regsvr32.exe regsvr32.exe PID 1516 wrote to memory of 1040 1516 regsvr32.exe regsvr32.exe PID 1516 wrote to memory of 1040 1516 regsvr32.exe regsvr32.exe PID 1516 wrote to memory of 1040 1516 regsvr32.exe regsvr32.exe PID 1040 wrote to memory of 1972 1040 regsvr32.exe 
explorer.exe PID 1040 wrote to memory of 1972 1040 regsvr32.exe explorer.exe PID 1040 wrote to memory of 1972 1040 regsvr32.exe explorer.exe PID 1040 wrote to memory of 1972 1040 regsvr32.exe explorer.exe PID 1040 wrote to memory of 1972 1040 regsvr32.exe explorer.exe PID 1040 wrote to memory of 1972 1040 regsvr32.exe explorer.exe PID 1972 wrote to memory of 1820 1972 explorer.exe reg.exe PID 1972 wrote to memory of 1820 1972 explorer.exe reg.exe PID 1972 wrote to memory of 1820 1972 explorer.exe reg.exe PID 1972 wrote to memory of 1820 1972 explorer.exe reg.exe PID 1972 wrote to memory of 2008 1972 explorer.exe reg.exe PID 1972 wrote to memory of 2008 1972 explorer.exe reg.exe PID 1972 wrote to memory of 2008 1972 explorer.exe reg.exe PID 1972 wrote to memory of 2008 1972 explorer.exe reg.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\44483.353547338.dat.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\44483.353547338.dat.dll,#12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn wcwjkcx /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\44483.353547338.dat.dll\"" /SC ONCE /Z /ST 10:16 /ET 10:284⤵
- Creates scheduled task(s)
-
C:\Windows\system32\taskeng.exetaskeng.exe {77B47974-7818-47FF-8F58-F6CC22E123B4} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exeregsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\44483.353547338.dat.dll"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe-s "C:\Users\Admin\AppData\Local\Temp\44483.353547338.dat.dll"3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe4⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Eiolz" /d "0"5⤵
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Ttcbmedtn" /d "0"5⤵
Downloads
-
C:\Users\Admin\AppData\Local\Temp\44483.353547338.dat.dllMD5
acdcd26de7e78893c0b6861316721469
SHA12f8716ea8f2747f7fdac054ec58644d6a3a175a4
SHA256e7e9ac9bbc69589e627f913f8605938b96afd929ebc974ffa0955598d19498d1
SHA51284c29ce85551beda34e86c56da1d0a2a97f080b0073de679183eb5a1493c3a2bd760d414526f43643ec9689a3a010ed357e9428d4bd18c08cc664c9903f00aa7
-
\Users\Admin\AppData\Local\Temp\44483.353547338.dat.dllMD5
acdcd26de7e78893c0b6861316721469
SHA12f8716ea8f2747f7fdac054ec58644d6a3a175a4
SHA256e7e9ac9bbc69589e627f913f8605938b96afd929ebc974ffa0955598d19498d1
SHA51284c29ce85551beda34e86c56da1d0a2a97f080b0073de679183eb5a1493c3a2bd760d414526f43643ec9689a3a010ed357e9428d4bd18c08cc664c9903f00aa7
-
memory/1040-92-0x0000000000210000-0x0000000000231000-memory.dmpFilesize
132KB
-
memory/1040-86-0x0000000000210000-0x0000000000231000-memory.dmpFilesize
132KB
-
memory/1040-85-0x0000000000210000-0x0000000000231000-memory.dmpFilesize
132KB
-
memory/1040-84-0x0000000000210000-0x0000000000231000-memory.dmpFilesize
132KB
-
memory/1040-83-0x0000000000210000-0x0000000000231000-memory.dmpFilesize
132KB
-
memory/1040-82-0x00000000001B0000-0x00000000001B1000-memory.dmpFilesize
4KB
-
memory/1040-81-0x00000000009B0000-0x0000000000A71000-memory.dmpFilesize
772KB
-
memory/1040-78-0x0000000000000000-mapping.dmp
-
memory/1100-66-0x0000000000250000-0x0000000000271000-memory.dmpFilesize
132KB
-
memory/1100-59-0x0000000000000000-mapping.dmp
-
memory/1100-72-0x0000000000210000-0x000000000024B000-memory.dmpFilesize
236KB
-
memory/1100-73-0x0000000000250000-0x0000000000271000-memory.dmpFilesize
132KB
-
memory/1100-60-0x0000000075511000-0x0000000075513000-memory.dmpFilesize
8KB
-
memory/1100-61-0x00000000007C0000-0x0000000000881000-memory.dmpFilesize
772KB
-
memory/1100-62-0x0000000000160000-0x0000000000161000-memory.dmpFilesize
4KB
-
memory/1100-63-0x0000000000250000-0x0000000000271000-memory.dmpFilesize
132KB
-
memory/1100-64-0x0000000000250000-0x0000000000271000-memory.dmpFilesize
132KB
-
memory/1100-65-0x0000000000250000-0x0000000000271000-memory.dmpFilesize
132KB
-
memory/1516-76-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmpFilesize
8KB
-
memory/1516-75-0x0000000000000000-mapping.dmp
-
memory/1572-71-0x0000000000000000-mapping.dmp
-
memory/1760-67-0x0000000000080000-0x0000000000082000-memory.dmpFilesize
8KB
-
memory/1760-68-0x0000000000000000-mapping.dmp
-
memory/1760-70-0x00000000742E1000-0x00000000742E3000-memory.dmpFilesize
8KB
-
memory/1760-74-0x00000000000D0000-0x00000000000F1000-memory.dmpFilesize
132KB
-
memory/1820-91-0x0000000000000000-mapping.dmp
-
memory/1972-88-0x0000000000000000-mapping.dmp
-
memory/1972-93-0x0000000000080000-0x00000000000A1000-memory.dmpFilesize
132KB
-
memory/2008-94-0x0000000000000000-mapping.dmp