Analysis
-
max time kernel
128s -
max time network
132s -
platform
windows7_x64 -
resource
win7-en-20210920 -
submitted
14-10-2021 12:38
Static task
static1
Behavioral task
behavioral1
Sample
1634215061.dat.dll
Resource
win7-en-20210920
General
-
Target
1634215061.dat.dll
-
Size
500KB
-
MD5
5ae6f2a3c261fb2f4352c5635892e3d0
-
SHA1
ac3ccabbc297efc42a563f75e8c9a508be39598c
-
SHA256
8907a22252f61b0627d9c97eafcd22eb450e2a694da244e31c906a10c0d5b21f
-
SHA512
b982a9f0e8d049c1e467f8b2aeb36a00532a755ab6e36f1e4d587d551fe94e1d8724e5d910b73edecca4fc78697d14447332ddba6c3a27878729f28eb5dd9c70
Malware Config
Extracted
qakbot
402.363
obama115
1634197867
91.178.126.51:995
220.255.25.28:2222
208.78.220.143:443
77.31.162.93:443
73.230.205.91:443
216.201.162.158:443
94.200.181.154:443
24.231.209.2:2222
89.137.52.44:443
140.82.49.12:443
65.100.174.110:32103
41.86.42.158:995
27.223.92.142:995
200.232.214.222:995
81.250.153.227:2222
217.17.56.163:465
122.60.71.201:995
120.150.218.241:995
41.228.22.180:443
69.30.186.190:443
78.179.137.102:995
188.50.47.23:995
81.241.252.59:2078
174.54.193.186:443
76.25.142.196:443
136.232.254.46:443
89.101.97.139:443
136.232.34.70:443
39.49.7.254:995
193.17.191.154:995
115.96.62.113:443
73.52.50.32:443
177.76.251.27:995
136.143.11.232:443
146.66.238.74:443
103.142.10.177:443
136.232.254.46:995
167.248.117.81:443
68.186.192.69:443
67.230.44.194:443
181.118.183.94:443
197.89.144.200:443
98.203.26.168:443
173.21.10.71:2222
199.27.127.129:443
93.48.58.123:2222
72.173.78.211:443
189.252.166.130:32101
103.148.120.144:443
63.143.92.99:995
37.210.152.224:995
67.165.206.193:993
45.46.53.140:2222
189.135.16.92:443
73.151.236.31:443
75.188.35.168:443
103.82.211.39:995
50.194.160.233:995
96.37.113.36:993
71.74.12.34:443
189.146.41.71:443
65.100.174.110:8443
47.40.196.233:2222
50.194.160.233:465
181.4.53.6:465
103.82.211.39:465
50.194.160.233:32100
72.252.201.69:995
65.100.174.110:443
68.204.7.158:443
187.156.169.68:443
189.147.159.42:443
201.68.60.118:995
24.139.72.117:443
109.12.111.14:443
24.229.150.54:995
78.105.213.151:995
24.55.112.61:443
2.222.167.138:443
85.60.147.26:2078
75.131.217.182:443
85.60.147.26:2222
39.52.209.173:995
37.117.191.19:2222
196.207.140.40:995
129.35.116.77:990
68.117.229.117:443
83.110.201.195:443
80.6.192.58:443
49.206.29.127:443
103.250.38.115:443
117.198.158.234:443
185.250.148.74:443
82.43.184.158:443
111.125.245.116:443
124.123.42.115:2222
103.82.211.39:993
24.119.214.7:443
82.178.55.68:443
173.22.178.66:443
187.149.255.245:443
72.252.32.47:443
24.231.209.2:8443
105.242.94.246:995
24.231.209.2:50000
24.231.209.2:1194
24.107.165.50:443
50.194.160.233:993
50.194.160.233:22
24.231.209.2:2083
24.231.209.2:2087
24.231.209.2:2078
24.231.209.2:6881
39.49.64.244:995
24.231.209.2:50001
24.231.209.2:32100
50.194.160.233:443
123.201.40.112:443
120.151.47.189:443
86.152.43.223:443
67.166.233.75:443
122.11.222.242:2222
187.250.159.104:443
75.66.88.33:443
73.77.87.137:443
66.216.193.114:443
96.57.188.174:2078
81.213.59.22:443
73.207.119.14:443
105.198.236.99:443
68.117.61.91:2222
109.177.115.85:995
41.86.42.158:443
197.90.242.92:61201
115.186.190.60:995
186.32.163.199:443
203.213.107.174:443
73.77.87.137:995
86.8.177.143:443
209.50.20.255:443
-
salt
jHxastDcds)oMc=jvh7wdUhxcsdt2
Signatures
-
Loads dropped DLL 1 IoCs
Processes:
regsvr32.exe — pid/process: 1916 regsvr32.exe (the "dropped" DLL loaded here is the submitted sample itself at C:\Users\Admin\AppData\Local\Temp\1634215061.dat.dll; see the matching hashes in the Downloads section)
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. In this run the task (see the process tree below) is created with /RU "NT AUTHORITY\SYSTEM", /SC ONCE and /Z (delete after the final run), and re-launches the same DLL via regsvr32.exe -s two minutes after submission; the later taskeng.exe entry running as S-1-5-18 shows the relaunch did occur under SYSTEM. This is therefore a one-shot elevate-and-relaunch step rather than a recurring persistence mechanism, and creating a SYSTEM task requires administrative rights, implying the sandbox user account was an administrator.
-
Modifies data under HKEY_USERS 10 IoCs
Processes:
explorer.exedescription ioc process Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Eglzadyj\18442994 = 82afe0a1f375f3ea5ddb79818e3a69d269a5dc858233d603c1ee38cce6f015349a25411c5dbb78356f68dfe94b16480a060cc0d920929cbb7ec420de6b82bece87d742e1d8626ad32251bf0341ea53802d76 explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Eglzadyj explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Eglzadyj\2ddbf9da = f73b5cc95ecf7d5e5dd0f4f7ff3d7d5e00a632ce82638356159a9dfb6c29dbaabd382487b793a4facfe38fbca4dd8c137fac84a3721d4d18fcc064836c7996e70a62f6752248e5823e6de404f6ca430f32efe844a9173e4ec1cf2d9326eb0d815371ddcd12df426fe62eb14fa93629b81274fb81ff3631ce43a2cc5f16bdae5782c838a24cf617f331655f899e80051aa6fea8734caf115d9f92dbf2b4de explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Eglzadyj\ea2ef149 = f2612a6ed5fea0070a4415631acfe250801e60e95efb8bdbeac23ed21ba95679132e6f4cb9d027d92eccf5078c79134e68c2495548b8f2cffee7f42a14f134c0d7d3 explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Eglzadyj\5292962c = b22b5ce54f67905cfbf8b9ef7ca5aaf75e533f975e52bd57fa98aa8140b690c712fd564a0d847a569f259603e678827a302ba5daa171f3f079f5c7bad6232fe7d5b851dcc77714076acd2ab32cabf80ff420c814251623fd0c37dfa208cc70a3bf85ca1cb41153745df3ff356771 explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Eglzadyj\670d4662 = c64a3bfc42b7cdc71bc16954e88748fc227313461e843fb43ff4a86f8132e85dcb5a3729cda216fded7fdae8498189a2c3cc62429a4d37fca506e8f7fab81343b1902640f49b009b2436bcf40710bffc0902209552e0772d5b5779444cffcd131f1bafaa46e994 explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Eglzadyj\18442994 = 82aff7a1f375c6543847516ac66397800df60e1d685986dfedf7f6484ef9d9ba09710b03cad7805edb5eefc2fa0e1ca74bdaffd04bd87201c1749b1120 explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Eglzadyj\2f9ad9a6 = 
0671d077f631b6301693044990b1331fdb67de6f462c60e8c5d6dbe75f9c331ea5b14ceec4ecafa6e0758ec026466f41f50878219482e543d44964294d76cad07590c107235c54b252722b14f1b5ed95bbe46dfee4028d25a6ae0a0dd1286316054d3014d7a73769427d6ccc58 explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Eglzadyj\9726bec3 = a0d3abff0e82bf2ece36605c39da8afe7ac1bfdc4fdd45f74efc5bd0e7268ee3c3d8ee explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Eglzadyj\95679ebf = edf5698b8793ddf91dfe7f0a380c65451afbbf72b31cb2852af1b54665cbda26c5f51e2636f7fdfadca99d3e87513b6560f662005580849e0e5798a7904f9039719c55ddac5604d7f592d9ae979cdedb4c explorer.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
rundll32.exe, regsvr32.exe — pid/process: 1648 rundll32.exe; 1916 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
rundll32.exe, regsvr32.exe — pid/process: 1648 rundll32.exe; 1916 regsvr32.exe
Suspicious use of WriteProcessMemory 43 IoCs
Processes:
rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exedescription pid process target process PID 1612 wrote to memory of 1648 1612 rundll32.exe rundll32.exe PID 1612 wrote to memory of 1648 1612 rundll32.exe rundll32.exe PID 1612 wrote to memory of 1648 1612 rundll32.exe rundll32.exe PID 1612 wrote to memory of 1648 1612 rundll32.exe rundll32.exe PID 1612 wrote to memory of 1648 1612 rundll32.exe rundll32.exe PID 1612 wrote to memory of 1648 1612 rundll32.exe rundll32.exe PID 1612 wrote to memory of 1648 1612 rundll32.exe rundll32.exe PID 1648 wrote to memory of 1852 1648 rundll32.exe explorer.exe PID 1648 wrote to memory of 1852 1648 rundll32.exe explorer.exe PID 1648 wrote to memory of 1852 1648 rundll32.exe explorer.exe PID 1648 wrote to memory of 1852 1648 rundll32.exe explorer.exe PID 1648 wrote to memory of 1852 1648 rundll32.exe explorer.exe PID 1648 wrote to memory of 1852 1648 rundll32.exe explorer.exe PID 1852 wrote to memory of 792 1852 explorer.exe schtasks.exe PID 1852 wrote to memory of 792 1852 explorer.exe schtasks.exe PID 1852 wrote to memory of 792 1852 explorer.exe schtasks.exe PID 1852 wrote to memory of 792 1852 explorer.exe schtasks.exe PID 1344 wrote to memory of 1144 1344 taskeng.exe regsvr32.exe PID 1344 wrote to memory of 1144 1344 taskeng.exe regsvr32.exe PID 1344 wrote to memory of 1144 1344 taskeng.exe regsvr32.exe PID 1344 wrote to memory of 1144 1344 taskeng.exe regsvr32.exe PID 1344 wrote to memory of 1144 1344 taskeng.exe regsvr32.exe PID 1144 wrote to memory of 1916 1144 regsvr32.exe regsvr32.exe PID 1144 wrote to memory of 1916 1144 regsvr32.exe regsvr32.exe PID 1144 wrote to memory of 1916 1144 regsvr32.exe regsvr32.exe PID 1144 wrote to memory of 1916 1144 regsvr32.exe regsvr32.exe PID 1144 wrote to memory of 1916 1144 regsvr32.exe regsvr32.exe PID 1144 wrote to memory of 1916 1144 regsvr32.exe regsvr32.exe PID 1144 wrote to memory of 1916 1144 regsvr32.exe regsvr32.exe PID 1916 wrote to memory of 
1608 1916 regsvr32.exe explorer.exe PID 1916 wrote to memory of 1608 1916 regsvr32.exe explorer.exe PID 1916 wrote to memory of 1608 1916 regsvr32.exe explorer.exe PID 1916 wrote to memory of 1608 1916 regsvr32.exe explorer.exe PID 1916 wrote to memory of 1608 1916 regsvr32.exe explorer.exe PID 1916 wrote to memory of 1608 1916 regsvr32.exe explorer.exe PID 1608 wrote to memory of 1708 1608 explorer.exe reg.exe PID 1608 wrote to memory of 1708 1608 explorer.exe reg.exe PID 1608 wrote to memory of 1708 1608 explorer.exe reg.exe PID 1608 wrote to memory of 1708 1608 explorer.exe reg.exe PID 1608 wrote to memory of 320 1608 explorer.exe reg.exe PID 1608 wrote to memory of 320 1608 explorer.exe reg.exe PID 1608 wrote to memory of 320 1608 explorer.exe reg.exe PID 1608 wrote to memory of 320 1608 explorer.exe reg.exe
Processes
-
C:\Windows\system32\rundll32.exe — command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1634215061.dat.dll,#1 (tree depth 1; export invoked by ordinal #1)
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe — command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1634215061.dat.dll,#1 (tree depth 2; the 64-bit rundll32.exe hands off to the 32-bit SysWOW64 copy, consistent with the DLL being a 32-bit image)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe — command line: C:\Windows\SysWOW64\explorer.exe (tree depth 3; spawned by rundll32.exe PID 1648 with no arguments and written to via WriteProcessMemory per the signature above, consistent with process injection into a hollow explorer.exe)
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe — command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn hqjeqwumx /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\1634215061.dat.dll\"" /SC ONCE /Z /ST 12:40 /ET 12:52 (tree depth 4; one-shot task running the sample as SYSTEM two minutes after the 12:38 submission, marked for deletion after it runs)
- Creates scheduled task(s)
-
C:\Windows\system32\taskeng.exe — command line: taskeng.exe {573BD6A5-DFC4-4370-8C00-B0737B2BC90F} S-1-5-18:NT AUTHORITY\System:Service: (tree depth 1; Task Scheduler engine running as Local System, S-1-5-18, i.e. the scheduled task above firing)
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exe — command line: regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\1634215061.dat.dll" (tree depth 2; launched by the task under SYSTEM, silent registration of the sample DLL)
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe — command line: -s "C:\Users\Admin\AppData\Local\Temp\1634215061.dat.dll" (tree depth 3; the 64-bit regsvr32.exe re-executes the 32-bit SysWOW64 copy, mirroring the rundll32.exe hand-off in the first chain)
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe — command line: C:\Windows\SysWOW64\explorer.exe (tree depth 4; second injected explorer.exe, this time running as SYSTEM, which then writes the HKEY_USERS\.DEFAULT\Software\Microsoft\Eglzadyj values and spawns the two reg.exe children below)
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exe — command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Bgpxdouieyj" /d "0" (tree depth 5; adds a Windows Defender path exclusion — a defense-evasion step that the signature list above does not flag. Writing under HKLM requires elevated rights, which the SYSTEM context provides. The excluded directory is presumably where the bot intends to stage itself, but no file write to that path is visible in this run.)
-
C:\Windows\system32\reg.exe — command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Auwua" /d "0" (tree depth 5; second Windows Defender path exclusion, this one under the user's Roaming profile. Both exclusion paths and the registry key modification itself are useful hunting artifacts.)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1634215061.dat.dll
MD5 5ae6f2a3c261fb2f4352c5635892e3d0
SHA1 ac3ccabbc297efc42a563f75e8c9a508be39598c
SHA256 8907a22252f61b0627d9c97eafcd22eb450e2a694da244e31c906a10c0d5b21f
SHA512 b982a9f0e8d049c1e467f8b2aeb36a00532a755ab6e36f1e4d587d551fe94e1d8724e5d910b73edecca4fc78697d14447332ddba6c3a27878729f28eb5dd9c70
(These hashes match the submitted sample in the General section; this entry is the input file itself, not a downloaded second stage.)
-
\??\PIPE\wkssvc
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(These are the hashes of zero-length input: the captured named-pipe artifact is empty and carries no payload content.)
-
\Users\Admin\AppData\Local\Temp\1634215061.dat.dll
MD5 5ae6f2a3c261fb2f4352c5635892e3d0
SHA1 ac3ccabbc297efc42a563f75e8c9a508be39598c
SHA256 8907a22252f61b0627d9c97eafcd22eb450e2a694da244e31c906a10c0d5b21f
SHA512 b982a9f0e8d049c1e467f8b2aeb36a00532a755ab6e36f1e4d587d551fe94e1d8724e5d910b73edecca4fc78697d14447332ddba6c3a27878729f28eb5dd9c70
(Same file as the entry above, recorded under a second path form; no additional payload was written to disk during this run.)
-
memory/320-78-0x0000000000000000-mapping.dmp
-
memory/792-63-0x0000000000000000-mapping.dmp
-
memory/1144-64-0x0000000000000000-mapping.dmp
-
memory/1144-65-0x000007FEFC4F1000-0x000007FEFC4F3000-memory.dmpFilesize
8KB
-
memory/1608-79-0x0000000000080000-0x00000000000A1000-memory.dmpFilesize
132KB
-
memory/1608-73-0x0000000000000000-mapping.dmp
-
memory/1648-60-0x0000000000120000-0x0000000000153000-memory.dmpFilesize
204KB
-
memory/1648-62-0x0000000010000000-0x000000001007F000-memory.dmpFilesize
508KB
-
memory/1648-54-0x0000000000000000-mapping.dmp
-
memory/1648-55-0x0000000076B61000-0x0000000076B63000-memory.dmpFilesize
8KB
-
memory/1708-77-0x0000000000000000-mapping.dmp
-
memory/1852-61-0x00000000000D0000-0x00000000000F1000-memory.dmpFilesize
132KB
-
memory/1852-59-0x0000000074E31000-0x0000000074E33000-memory.dmpFilesize
8KB
-
memory/1852-57-0x0000000000000000-mapping.dmp
-
memory/1852-56-0x0000000000080000-0x0000000000082000-memory.dmpFilesize
8KB
-
memory/1916-67-0x0000000000000000-mapping.dmp
-
memory/1916-70-0x0000000000200000-0x0000000000233000-memory.dmpFilesize
204KB
-
memory/1916-71-0x0000000010000000-0x000000001007F000-memory.dmpFilesize
508KB