1566d011a12613080aaeb6741c06ea832b9d28af725dce6017e11b5eec148836 | Triage

Analysis

max time kernel
142s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2022 21:17

Sharing

Report Analysis Logs

General

Target

qakbot.dll
Size

533KB
MD5

76dd8de86a8a0c3c66c86cb854617879
SHA1

f4b53cfd6e81b532c585e62defae7c37a6b695ed
SHA256

1566d011a12613080aaeb6741c06ea832b9d28af725dce6017e11b5eec148836
SHA512

3d95fdc7a586d0a2a0b80d2f97bb18fb9321d16bf28cc793778a94f96f76b594cb841d6f53dfaa8163cbef34ee30c8f1553d61989e086ecb95b70d97fd023299
SSDEEP

12288:LWghjfsaHKisYUVJAEvyxN1Us1RvCey4CZfxz4uc:SijHHKH53vU1UwRq3bzp

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 5052 wrote to memory of 2296	5052	rundll32.exe	rundll32.exe
PID 5052 wrote to memory of 2296	5052	rundll32.exe	rundll32.exe
PID 5052 wrote to memory of 2296	5052	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\qakbot.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5052

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\qakbot.dll,#1
2⤵
PID:2296

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2296-132-0x0000000000000000-mapping.dmp

Download
memory/2296-133-0x00000000005B0000-0x0000000000636000-memory.dmp

Filesize
536KB

Download