Resubmissions
25-01-2022 11:49
220125-ny1zssfed9 1024-01-2022 17:16
220124-vs87jsfhc9 1024-01-2022 16:22
220124-tvkrasfec4 10Analysis
-
max time kernel
1756s -
max time network
1570s -
platform
windows10_x64 -
resource
win10-ja-20211208 -
submitted
25-01-2022 11:49
Static task
static1
Behavioral task
behavioral1
Sample
ba7e9131dd5aa9f2e7e0050c688d2830787dd01e8d58aef364a878b61156b35b.dll
Resource
win7-ja-20211208
General
-
Target
ba7e9131dd5aa9f2e7e0050c688d2830787dd01e8d58aef364a878b61156b35b.dll
-
Size
1.6MB
-
MD5
6317f9ae495c49ab7b5e5b501a5639ef
-
SHA1
2d49c0f32a441d09ddee7c3b2b019ae8904ea1e7
-
SHA256
ba7e9131dd5aa9f2e7e0050c688d2830787dd01e8d58aef364a878b61156b35b
-
SHA512
bd9c6df8b2d91959580c6227a990882625c029528c0e53a600de8f6cc970e95fbb26108f3ae7f1bc8ef18d2b4b429490ec4ae5f6935e47c6c44dbf06c21be4f1
Malware Config
Extracted
qakbot
403.2
obama152
1643019304
96.80.109.57:995
209.210.95.228:32100
180.233.150.134:995
149.135.101.20:443
38.70.253.226:2222
24.222.20.254:443
83.110.2.97:443
78.87.44.54:995
86.108.46.251:443
74.15.2.252:2222
102.65.38.67:443
37.203.225.248:443
75.139.7.190:2083
24.53.49.240:443
80.14.196.176:2222
94.60.254.81:443
86.98.32.228:443
130.164.129.3:443
176.67.56.94:443
31.167.160.170:443
31.35.28.29:443
32.221.231.1:443
71.74.12.34:443
96.21.251.127:2222
41.86.42.158:995
41.228.22.180:443
93.48.80.198:995
45.9.20.200:443
86.98.47.119:61200
96.246.158.154:995
89.114.156.182:995
67.209.195.198:443
75.156.151.34:443
89.101.97.139:443
103.143.8.71:6881
37.210.172.200:2222
136.143.11.232:443
190.73.3.148:2222
182.56.101.111:443
78.101.147.76:61202
82.152.39.39:443
128.106.122.39:443
65.100.174.110:995
65.100.174.110:443
111.125.245.116:995
117.248.109.38:21
31.215.99.178:443
86.97.246.244:1194
103.142.10.177:443
39.49.110.129:995
185.249.85.209:443
217.128.93.27:2222
144.86.28.125:443
94.59.253.222:2222
120.150.218.241:995
31.215.226.115:2222
70.163.1.219:443
69.14.172.24:443
94.200.181.154:995
182.191.92.203:995
24.95.61.62:443
86.97.246.244:2222
220.255.25.1:2222
24.178.196.158:2222
76.25.142.196:443
173.21.10.71:2222
142.186.63.108:2222
60.54.102.15:443
73.151.236.31:443
73.136.32.202:443
5.32.41.46:443
89.137.52.44:443
78.180.191.206:995
109.12.111.14:443
40.134.247.125:995
31.215.99.6:443
217.164.76.107:2078
80.6.192.58:443
63.143.92.99:995
27.5.4.194:2078
68.204.7.158:443
86.133.23.70:443
116.86.26.140:995
90.8.56.248:2222
101.50.120.112:995
67.165.206.193:993
100.1.119.41:443
31.215.29.238:443
186.64.87.207:443
190.206.211.182:443
218.101.110.3:995
103.139.242.30:990
136.232.34.70:443
73.67.152.98:2222
47.158.25.67:443
187.189.86.168:443
72.252.201.34:995
72.252.201.34:990
70.51.153.245:2222
108.4.67.252:443
70.45.174.173:443
72.252.201.34:993
217.165.109.189:32101
114.79.148.170:443
197.89.105.165:443
182.176.180.73:443
103.139.242.30:993
75.188.35.168:443
27.223.92.142:995
200.75.131.234:443
71.163.110.53:995
75.168.192.223:2222
107.77.232.51:443
201.172.31.135:80
217.165.21.244:995
96.37.113.36:993
78.191.27.236:995
78.96.235.245:443
23.229.117.237:443
91.185.131.89:61202
76.169.147.192:32103
114.143.84.25:61202
92.98.33.251:995
23.233.146.92:443
75.169.58.229:32100
184.100.174.73:443
50.237.134.22:995
36.234.184.238:995
65.100.174.110:8443
59.12.216.39:443
103.139.242.30:22
190.45.79.111:443
176.24.150.197:443
106.51.48.170:50001
111.119.252.178:995
73.59.201.174:443
-
salt
jHxastDcds)oMc=jvh7wdUhxcsdt2
Signatures
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4832 1924 WerFault.exe rundll32.exe -
Discovers systems in the same network 1 TTPs 1 IoCs
-
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
Processes:
ipconfig.exenetstat.exepid process 3304 ipconfig.exe 3896 netstat.exe -
Processes:
msfeedssync.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch msfeedssync.exe Set value (str) \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" msfeedssync.exe Key created \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Suggested Sites msfeedssync.exe Set value (int) \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Suggested Sites\DeletePending = "0" msfeedssync.exe Set value (data) \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Suggested Sites\UploadDiagInfo = 02000000000000000000000000000000000000000000000000000000000000001d040000b9abb6c6a1eed70104000000b9abb6c6a1eed701b9abb6c6a1eed7016801000068010000000301 msfeedssync.exe -
Modifies data under HKEY_USERS 14 IoCs
Processes:
svchost.exedescription ioc process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "00188005E450309F" svchost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" svchost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" svchost.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
Processes:
rundll32.exeWerFault.exeexplorer.exepid process 1924 rundll32.exe 1924 rundll32.exe 4832 WerFault.exe 4832 WerFault.exe 4832 WerFault.exe 4832 WerFault.exe 4832 WerFault.exe 4832 WerFault.exe 4832 WerFault.exe 4832 WerFault.exe 4832 WerFault.exe 4832 WerFault.exe 4832 WerFault.exe 4832 WerFault.exe 4832 WerFault.exe 4732 explorer.exe 4732 explorer.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
rundll32.exepid process 1924 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 32 IoCs
Processes:
WerFault.exewhoami.exenetstat.exemsiexec.exedescription pid process Token: SeRestorePrivilege 4832 WerFault.exe Token: SeBackupPrivilege 4832 WerFault.exe Token: SeDebugPrivilege 4832 WerFault.exe Token: SeDebugPrivilege 4456 whoami.exe Token: SeDebugPrivilege 4456 whoami.exe Token: SeDebugPrivilege 4456 whoami.exe Token: SeDebugPrivilege 4456 whoami.exe Token: SeDebugPrivilege 4456 whoami.exe Token: SeDebugPrivilege 4456 whoami.exe Token: SeDebugPrivilege 4456 whoami.exe Token: SeDebugPrivilege 4456 whoami.exe Token: SeDebugPrivilege 4456 whoami.exe Token: SeDebugPrivilege 4456 whoami.exe Token: SeDebugPrivilege 4456 whoami.exe Token: SeDebugPrivilege 4456 whoami.exe Token: SeDebugPrivilege 4456 whoami.exe Token: SeDebugPrivilege 4456 whoami.exe Token: SeDebugPrivilege 4456 whoami.exe Token: SeDebugPrivilege 4456 whoami.exe Token: SeDebugPrivilege 4456 whoami.exe Token: SeDebugPrivilege 4456 whoami.exe Token: SeDebugPrivilege 4456 whoami.exe Token: SeDebugPrivilege 4456 whoami.exe Token: SeDebugPrivilege 4456 whoami.exe Token: SeDebugPrivilege 4456 whoami.exe Token: SeDebugPrivilege 4456 whoami.exe Token: SeDebugPrivilege 4456 whoami.exe Token: SeDebugPrivilege 4456 whoami.exe Token: SeDebugPrivilege 4456 whoami.exe Token: SeDebugPrivilege 4456 whoami.exe Token: SeDebugPrivilege 3896 netstat.exe Token: SeSecurityPrivilege 2764 msiexec.exe -
Suspicious use of WriteProcessMemory 44 IoCs
Processes:
rundll32.exerundll32.exeexplorer.exenet.exenet.exedescription pid process target process PID 3160 wrote to memory of 1924 3160 rundll32.exe rundll32.exe PID 3160 wrote to memory of 1924 3160 rundll32.exe rundll32.exe PID 3160 wrote to memory of 1924 3160 rundll32.exe rundll32.exe PID 1924 wrote to memory of 4732 1924 rundll32.exe explorer.exe PID 1924 wrote to memory of 4732 1924 rundll32.exe explorer.exe PID 1924 wrote to memory of 4732 1924 rundll32.exe explorer.exe PID 1924 wrote to memory of 4732 1924 rundll32.exe explorer.exe PID 1924 wrote to memory of 4732 1924 rundll32.exe explorer.exe PID 4732 wrote to memory of 4456 4732 explorer.exe whoami.exe PID 4732 wrote to memory of 4456 4732 explorer.exe whoami.exe PID 4732 wrote to memory of 4456 4732 explorer.exe whoami.exe PID 4732 wrote to memory of 3664 4732 explorer.exe cmd.exe PID 4732 wrote to memory of 3664 4732 explorer.exe cmd.exe PID 4732 wrote to memory of 3664 4732 explorer.exe cmd.exe PID 4732 wrote to memory of 3416 4732 explorer.exe arp.exe PID 4732 wrote to memory of 3416 4732 explorer.exe arp.exe PID 4732 wrote to memory of 3416 4732 explorer.exe arp.exe PID 4732 wrote to memory of 3304 4732 explorer.exe ipconfig.exe PID 4732 wrote to memory of 3304 4732 explorer.exe ipconfig.exe PID 4732 wrote to memory of 3304 4732 explorer.exe ipconfig.exe PID 4732 wrote to memory of 2216 4732 explorer.exe net.exe PID 4732 wrote to memory of 2216 4732 explorer.exe net.exe PID 4732 wrote to memory of 2216 4732 explorer.exe net.exe PID 4732 wrote to memory of 3944 4732 explorer.exe nslookup.exe PID 4732 wrote to memory of 3944 4732 explorer.exe nslookup.exe PID 4732 wrote to memory of 3944 4732 explorer.exe nslookup.exe PID 4732 wrote to memory of 4644 4732 explorer.exe net.exe PID 4732 wrote to memory of 4644 4732 explorer.exe net.exe PID 4732 wrote to memory of 4644 4732 explorer.exe net.exe PID 4644 wrote to memory of 980 4644 net.exe net1.exe PID 4644 wrote to memory of 980 4644 net.exe net1.exe PID 4644 wrote to memory of 980 4644 net.exe net1.exe PID 4732 wrote to memory of 4480 4732 explorer.exe route.exe PID 4732 wrote to memory of 4480 4732 explorer.exe route.exe PID 4732 wrote to memory of 4480 4732 explorer.exe route.exe PID 4732 wrote to memory of 3896 4732 explorer.exe netstat.exe PID 4732 wrote to memory of 3896 4732 explorer.exe netstat.exe PID 4732 wrote to memory of 3896 4732 explorer.exe netstat.exe PID 4732 wrote to memory of 1496 4732 explorer.exe net.exe PID 4732 wrote to memory of 1496 4732 explorer.exe net.exe PID 4732 wrote to memory of 1496 4732 explorer.exe net.exe PID 1496 wrote to memory of 2116 1496 net.exe net1.exe PID 1496 wrote to memory of 2116 1496 net.exe net1.exe PID 1496 wrote to memory of 2116 1496 net.exe net1.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ba7e9131dd5aa9f2e7e0050c688d2830787dd01e8d58aef364a878b61156b35b.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ba7e9131dd5aa9f2e7e0050c688d2830787dd01e8d58aef364a878b61156b35b.dll,#12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 6963⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\whoami.exewhoami /all4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c set4⤵
-
C:\Windows\SysWOW64\arp.exearp -a4⤵
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /all4⤵
- Gathers network information
-
C:\Windows\SysWOW64\net.exenet view /all4⤵
- Discovers systems in the same network
-
C:\Windows\SysWOW64\nslookup.exenslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.WORKGROUP4⤵
-
C:\Windows\SysWOW64\net.exenet share4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 share5⤵
-
C:\Windows\SysWOW64\route.exeroute print4⤵
-
C:\Windows\SysWOW64\netstat.exenetstat -nao4⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\net.exenet localgroup4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup5⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -s wlidsvc1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\msfeedssync.exeC:\Windows\system32\msfeedssync.exe sync1⤵
- Modifies Internet Explorer settings
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1924-118-0x0000000004950000-0x0000000004971000-memory.dmpFilesize
132KB
-
memory/1924-119-0x0000000004950000-0x0000000004971000-memory.dmpFilesize
132KB
-
memory/1924-120-0x0000000004900000-0x0000000004943000-memory.dmpFilesize
268KB
-
memory/1924-121-0x0000000004950000-0x0000000004971000-memory.dmpFilesize
132KB
-
memory/4732-122-0x0000000000E30000-0x0000000000E51000-memory.dmpFilesize
132KB