Analysis
- max time kernel: 131s
- max time network: 117s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 17-12-2021 06:00
Static task: static1
Behavioral task: behavioral1
- Sample: latin.dll
- Resource: win7-en-20211208
General
- Target: latin.dll
- Size: 945KB
- MD5: bb17bf13123596ba3065efc74d625a3c
- SHA1: b589b0dee84e30e205f242a8d429b1e231b5ec5b
- SHA256: d302a473d8f19884d38147d13ce87f54b897dad51fdc6490467bca62cc7ae937
- SHA512: 40d6bb5bb741b43a03969c40acafbc621281ad9f4fa23d3a90f07e30b01eda95227af6b96a20d48712f08b2252069e711842d71d3f1e95374db44fb7845ab427
Malware Config
Extracted
- Family: qakbot
- Version: 403.10
- Botnet: cullinan
- Campaign: 1639333530
- C2 (IP:port):
65.100.174.110:443
173.21.10.71:2222
140.82.49.12:443
190.73.3.148:2222
76.25.142.196:443
71.74.12.34:443
31.215.98.160:443
93.48.80.198:995
45.9.20.200:2211
41.228.22.180:443
109.12.111.14:443
63.143.92.99:995
120.150.218.241:995
94.60.254.81:443
86.148.6.51:443
218.101.110.3:995
216.238.71.31:443
207.246.112.221:443
216.238.72.121:443
216.238.71.31:995
207.246.112.221:995
216.238.72.121:995
186.64.87.195:443
73.151.236.31:443
78.191.12.29:995
67.165.206.193:993
68.186.192.69:443
65.100.174.110:8443
89.137.52.44:443
75.188.35.168:995
105.198.236.99:995
182.176.180.73:443
103.142.10.177:443
136.232.34.70:443
68.204.7.158:443
27.223.92.142:995
102.65.38.67:443
189.175.200.244:80
100.1.119.41:443
73.140.38.124:443
73.171.4.177:443
89.101.97.139:443
24.229.150.54:995
72.252.201.34:995
39.49.44.85:995
2.222.167.138:443
96.37.113.36:993
117.248.109.38:21
39.43.130.50:995
75.169.58.229:32100
24.55.112.61:443
27.5.4.111:2222
197.89.144.207:443
73.5.119.219:443
136.143.11.232:443
86.98.36.211:443
106.220.76.130:443
129.208.139.229:995
45.46.53.140:2222
190.229.210.128:465
91.178.126.51:995
189.18.181.24:995
185.53.147.51:443
- Salt: jHxastDcds)oMc=jvh7wdUhxcsdt2
Signatures
- Loads dropped DLL (1 IoC)
  Processes:
  PID 1340  regsvr32.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Modifies data under HKEY_USERS (10 IoCs)
  Processes: explorer.exe
  process      description       ioc
  explorer.exe Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Uaiumataz\ccda76de = 8a403aa43f37de404952e3628720481a40199792a7a2b86e3c6beb2a550199e7124b73b022d92981e508ff3804fb708cfd7a77eeeffd020c02cc7050a5f35bf5db8843172b47e6b340c55333c6c9ab1e874ddd97f305f33251d17fc09288929f839f025da6583655defd2946
  explorer.exe Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Uaiumataz\96e5e31 = 0d26f029fe485a68efbb438435b8f218684e2beaa7653e665dc5f211552e
  explorer.exe Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Uaiumataz\762731c7 = 4d365cd6699d8d36bae15c82b1af4053e812469be53a06d3f6b8d2939d38fda66d1bc393950d04fc95b7434c7450168c87e12784d750e9b683fc32c06a002de5a4114b9aa80f2563ba1b27ddb7a25c0516037d67f42f0d1cab5c39c4ad395d7bdf227f28f0e2d379891776788e3d8880f3
  explorer.exe Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Uaiumataz\fb0486ec = d82232ae57ebad7343a20fc5f3c2a771c682a40f02c5cb4a1b1ce091f6bf315e5d8f72d1ca3b4204f6caaba5ed797b66a4d46cca8a15832e08805bab67f8c59f84ccb34aa8b31ab2ba715d39abf997c5669735b9b6c9cd1f4cbae4dab0c304f412b5
  explorer.exe Key created        \REGISTRY\USER\.DEFAULT\Software\Microsoft\Uaiumataz
  explorer.exe Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Uaiumataz\fb0486ec = d82225ae57eb98272ea20118a4a7cad81ef4914caf64ad14c541b6d2f28f1c8a98b11b8bf802878d68b9e58c97c58547894f474e1f0e45d933dd7be9b2c6a1c8a5f08cae1a70ca7c0b12ab4669
  explorer.exe Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Uaiumataz\ce9b56a2 = 6bb1360ae2ef4db9ebf347348b66c8345c12d84f32e3fa8970187482940371e103fee410255c1be4cd41962992ae09ab5f03a733d97af20251c8e240e5458f819656b49ac826ad7fc853428eb5ee3a0ad38265cae8e3a45d09d984cbc622da4b6255f282ee8321c53dc1e1fb5a348f6ecf8cfdfc1c15356be5efe1e2031e7d8babbb9ec247225db9f1b92f52c39120d474f7d779552a4b
  explorer.exe Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Uaiumataz\746611bb = f0a208bd40dba0db52add99236aa12fe6c9b8c3b202395b3f53b3fce7deea4966daa394cbd49ca6eccbba09edf254837e7feba9f6db153443b279a043135fc1b815a1b3a22be8a35f03ecaccdc8fbf1da74dd5904b320187fa
  explorer.exe Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Uaiumataz\b1d23954 = 22355cca31f359bbc226b0e673aa255c7e590dbbbfd8ebe701c5a7d3b7153d4e425de37f41bf91f2eca89288649223298029c5b2f170a7f9ee0335cd6ac9aea0eb57f609b3eddc38ba18f5f156b001a5b15f1a8c6a750aa381282305f25ce9a3f6661db0e935
  explorer.exe Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Uaiumataz\844de91a = 55a4c969a66d978bcc67b37e19f34485678c00243b97d1290a50138230b47582fc054922cf7f34c4c0fda0eeee0819494ec2fbf29bd9c324d61305c3285be983a24bf939c7b1637a93c354f79974a2f260c3df56b522512fbb2b707d20363b10
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  PID 1624  regsvr32.exe
  PID 1340  regsvr32.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes:
  PID 1624  regsvr32.exe
  PID 1340  regsvr32.exe
- Suspicious use of WriteProcessMemory (43 IoCs)
  Processes: regsvr32.exe, regsvr32.exe, explorer.exe, taskeng.exe, regsvr32.exe, regsvr32.exe, explorer.exe
  description                        pid   process       target process  occurrences
  PID 1744 wrote to memory of 1624   1744  regsvr32.exe  regsvr32.exe    7
  PID 1624 wrote to memory of 864    1624  regsvr32.exe  explorer.exe    6
  PID 864 wrote to memory of 672     864   explorer.exe  schtasks.exe    4
  PID 2028 wrote to memory of 1400   2028  taskeng.exe   regsvr32.exe    5
  PID 1400 wrote to memory of 1340   1400  regsvr32.exe  regsvr32.exe    7
  PID 1340 wrote to memory of 988    1340  regsvr32.exe  explorer.exe    6
  PID 988 wrote to memory of 1956    988   explorer.exe  reg.exe         4
  PID 988 wrote to memory of 2044    988   explorer.exe  reg.exe         4
Processes (tree; indentation shows parent/child relationship, PIDs taken from the WriteProcessMemory entries above)
- C:\Windows\system32\regsvr32.exe (PID 1744)
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\latin.dll
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe (PID 1624)
    Command line: /s C:\Users\Admin\AppData\Local\Temp\latin.dll
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\explorer.exe (PID 864)
      Command line: C:\Windows\SysWOW64\explorer.exe
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe (PID 672)
        Command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn wevekwit /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\latin.dll\"" /SC ONCE /Z /ST 06:02 /ET 06:14
        - Creates scheduled task(s)
- C:\Windows\system32\taskeng.exe (PID 2028)
  Command line: taskeng.exe {CAFE74DB-9607-4A4F-83F5-BF4A6BBAB791} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\regsvr32.exe (PID 1400)
    Command line: regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\latin.dll"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\regsvr32.exe (PID 1340)
      Command line: -s "C:\Users\Admin\AppData\Local\Temp\latin.dll"
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\explorer.exe (PID 988)
        Command line: C:\Windows\SysWOW64\explorer.exe
        - Modifies data under HKEY_USERS
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\reg.exe (PID 1956)
          Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Ouniwojjm" /d "0"
        - C:\Windows\system32\reg.exe (PID 2044)
          Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Oshioo" /d "0"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\latin.dll
  MD5: bb17bf13123596ba3065efc74d625a3c
  SHA1: b589b0dee84e30e205f242a8d429b1e231b5ec5b
  SHA256: d302a473d8f19884d38147d13ce87f54b897dad51fdc6490467bca62cc7ae937
  SHA512: 40d6bb5bb741b43a03969c40acafbc621281ad9f4fa23d3a90f07e30b01eda95227af6b96a20d48712f08b2252069e711842d71d3f1e95374db44fb7845ab427
- \??\PIPE\wkssvc
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- \Users\Admin\AppData\Local\Temp\latin.dll
  MD5: bb17bf13123596ba3065efc74d625a3c
  SHA1: b589b0dee84e30e205f242a8d429b1e231b5ec5b
  SHA256: d302a473d8f19884d38147d13ce87f54b897dad51fdc6490467bca62cc7ae937
  SHA512: 40d6bb5bb741b43a03969c40acafbc621281ad9f4fa23d3a90f07e30b01eda95227af6b96a20d48712f08b2252069e711842d71d3f1e95374db44fb7845ab427
- memory/672-63-0x0000000000000000-mapping.dmp
- memory/864-59-0x00000000000B0000-0x00000000000B2000-memory.dmp (Filesize: 8KB)
- memory/864-60-0x0000000000000000-mapping.dmp
- memory/864-62-0x0000000074501000-0x0000000074503000-memory.dmp (Filesize: 8KB)
- memory/864-64-0x0000000000080000-0x00000000000A1000-memory.dmp (Filesize: 132KB)
- memory/988-78-0x0000000000080000-0x00000000000A1000-memory.dmp (Filesize: 132KB)
- memory/988-72-0x0000000000000000-mapping.dmp
- memory/1340-68-0x0000000000000000-mapping.dmp
- memory/1400-65-0x0000000000000000-mapping.dmp
- memory/1624-58-0x0000000010000000-0x00000000100F5000-memory.dmp (Filesize: 980KB)
- memory/1624-57-0x00000000006A0000-0x00000000006A1000-memory.dmp (Filesize: 4KB)
- memory/1624-56-0x0000000075761000-0x0000000075763000-memory.dmp (Filesize: 8KB)
- memory/1624-55-0x0000000000000000-mapping.dmp
- memory/1744-54-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmp (Filesize: 8KB)
- memory/1956-76-0x0000000000000000-mapping.dmp
- memory/2044-77-0x0000000000000000-mapping.dmp