Analysis

max time kernel: 1558s
max time network: 1512s
platform: windows10-1703_x64
resource: win10-20220901-en
resource tags: arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
submitted: 23-09-2022 06:29
Static task: static1
General

Target: aggravates.dll
Size: 849KB
MD5: e22a4ef15b7c6c9eb884e445cefa2ef9
SHA1: b9da48940ae7e41de7bc6c0909ab53465d05e3c7
SHA256: 5e5c55c133d644de044f5bcb782b618fd188a1c6ca707298815ab23295fb43c1
SHA512: 3cc653b343d7f972d823e42bda4150c0747f81617b4f795e2724dfa4f0f0f10756fc068feaeedeb69ef7b4bdcd931908c5cfb0f1e8a170925915a771ff1738f8
SSDEEP: 12288:VByskGoWHwa0nZXKlhb/H9TT+iTojfQCA3kptT68JtQrB5UT+QD1lNMABa:SnEjYNAeh4X668JA5w9Mqa
Malware Config

Extracted
Family: qakbot
Version: 403.895
Botnet: BB
Campaign: 1663698873 (Unix epoch, 2022-09-20 18:34:33 UTC)
C2 (50 endpoints, ip:port):
173.218.180.91:443
134.35.13.43:443
197.94.84.128:443
70.51.132.197:2222
181.118.183.123:443
189.19.189.222:32101
41.111.1.60:995
70.49.33.200:2222
99.232.140.205:2222
139.228.33.176:2222
193.3.19.37:443
41.99.57.155:443
177.255.14.99:995
31.54.39.153:2078
191.97.234.238:995
105.159.30.48:443
217.165.146.41:993
119.82.111.158:443
66.181.164.43:443
88.245.168.200:2222
110.4.255.247:443
89.211.217.38:995
64.207.215.69:443
109.155.5.164:993
190.44.40.48:995
187.205.222.100:443
76.169.76.44:2222
72.88.245.71:443
197.204.243.167:443
68.53.110.74:995
41.69.103.179:995
68.224.229.42:443
100.1.5.250:995
194.166.205.204:995
88.232.207.24:443
14.183.63.12:443
89.211.223.138:2222
85.98.206.165:995
191.254.74.89:32101
72.66.96.129:995
176.42.245.2:995
186.154.92.181:443
88.231.221.198:995
102.38.97.229:995
45.51.148.111:993
87.243.113.104:995
84.38.133.191:443
123.240.131.1:443
180.180.131.95:443
191.84.204.214:995
salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
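The extracted config becomes useful once it is turned into something the network side can act on. The block below is an added example, not part of the sandbox report or of any Qakbot tooling: it parses the block above (embedded as a constructed copy with several C2 entries per line), renders the campaign epoch in UTC, groups the C2 endpoints by port and emits one Suricata alert rule per endpoint. The Suricata sid range is an assumption; pick a range reserved for local rules in your deployment.

```python
"""Turn a sandbox-extracted Qakbot config into operational artefacts.

Added example, not part of the report or of any Qakbot tooling. The input
is a constructed copy of the extracted block shown above, reflowed with
several C2s per line; the Suricata sid range is an assumption.
"""
from collections import Counter
from datetime import datetime, timezone
import ipaddress
import re

# Constructed copy of the page's "Extracted" block: family, version,
# botnet ID, campaign epoch, C2 list, then the "salt" key and value.
CONFIG_TEXT = """
qakbot
403.895
BB
1663698873
173.218.180.91:443 134.35.13.43:443 197.94.84.128:443 70.51.132.197:2222
181.118.183.123:443 189.19.189.222:32101 41.111.1.60:995 70.49.33.200:2222
99.232.140.205:2222 139.228.33.176:2222 193.3.19.37:443 41.99.57.155:443
177.255.14.99:995 31.54.39.153:2078 191.97.234.238:995 105.159.30.48:443
217.165.146.41:993 119.82.111.158:443 66.181.164.43:443 88.245.168.200:2222
110.4.255.247:443 89.211.217.38:995 64.207.215.69:443 109.155.5.164:993
190.44.40.48:995 187.205.222.100:443 76.169.76.44:2222 72.88.245.71:443
197.204.243.167:443 68.53.110.74:995 41.69.103.179:995 68.224.229.42:443
100.1.5.250:995 194.166.205.204:995 88.232.207.24:443 14.183.63.12:443
89.211.223.138:2222 85.98.206.165:995 191.254.74.89:32101 72.66.96.129:995
176.42.245.2:995 186.154.92.181:443 88.231.221.198:995 102.38.97.229:995
45.51.148.111:993 87.243.113.104:995 84.38.133.191:443 123.240.131.1:443
180.180.131.95:443 191.84.204.214:995
salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP
"""

C2_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def parse_config(text):
    """Tokenise on whitespace: the first four tokens are family, version,
    botnet and campaign; ip:port tokens are C2s; anything else is read as
    key/value pairs (here just "salt"). Works because the salt has no spaces."""
    tokens = text.split()
    family, version, botnet, campaign = tokens[:4]
    c2, attrs, i = [], {}, 4
    while i < len(tokens):
        m = C2_RE.match(tokens[i])
        if m:
            ip, port = m.group(1), int(m.group(2))
            ipaddress.IPv4Address(ip)  # rejects malformed octets such as 999.1.1.1
            if not 0 < port < 65536:
                raise ValueError(f"bad port in {tokens[i]}")
            c2.append((ip, port))
            i += 1
        else:
            attrs[tokens[i]] = tokens[i + 1] if i + 1 < len(tokens) else None
            i += 2
    c2 = list(dict.fromkeys(c2))  # drop duplicates, keep the bot's order
    return {"family": family, "version": version, "botnet": botnet,
            "campaign": int(campaign), "c2": c2, **attrs}


def campaign_time(epoch):
    """Qakbot's campaign field is a Unix timestamp; render it in UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


def port_histogram(c2):
    return Counter(port for _, port in c2)


def suricata_rules(cfg, sid_start=9000001):
    """One alert rule per C2 endpoint; keep botnet and campaign in the message
    so later hits can be tied back to this build."""
    rules = []
    for n, (ip, port) in enumerate(cfg["c2"]):
        msg = f"Qakbot {cfg['botnet']} C2 {ip}:{port} (campaign {cfg['campaign']})"
        rules.append(f"alert tcp $HOME_NET any -> {ip} {port} "
                     f'(msg:"{msg}"; flow:to_server; sid:{sid_start + n}; rev:1;)')
    return rules


if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    print(cfg["family"], cfg["version"], "botnet", cfg["botnet"],
          "campaign", campaign_time(cfg["campaign"]))
    print(len(cfg["c2"]), "C2 endpoints by port:",
          dict(port_histogram(cfg["c2"]).most_common()))
    print(suricata_rules(cfg)[0])
```

The port histogram tells you what to expect on the wire: 21 of the 50 endpoints listen on 443 and another 19 on the mail ports 993/995, so the beaconing blends in with ordinary TLS; 2222, 2078 and 32101 are the outliers and worth a dedicated egress alert. Qakbot C2 lists rotate between builds, so treat the rules as campaign-specific and correlate later samples on the botnet ID and campaign timestamp rather than on the addresses.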
Signatures

Program crash (1 IoC)
  pid    process       target pid  target process
  2952   WerFault.exe  348         rundll32.exe

Discovers systems in the same network (1 TTP, 1 IoC)
  Raised on "net view" (pid 3336) in the process tree below.

Gathers network information (2 TTPs, 2 IoCs)
  Uses commandline utility to view network configuration.
  pid    process
  3000   netstat.exe
  1020   ipconfig.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid    process        hits
  3832   regsvr32.exe   2
  4304   wermgr.exe     62

Suspicious behavior: MapViewOfSection (1 IoC)
  pid    process
  3832   regsvr32.exe

Suspicious use of AdjustPrivilegeToken (29 IoCs)
  pid    process       token                hits
  3000   netstat.exe   SeDebugPrivilege     1
  3516   whoami.exe    SeDebugPrivilege     27
  2332   msiexec.exe   SeSecurityPrivilege  1

Suspicious use of WriteProcessMemory (49 IoCs)
  pid    process        target pid  target process  writes
  2796   rundll32.exe   348         rundll32.exe    3
  3612   cmd.exe        3604        regsvr32.exe    2
  3604   regsvr32.exe   3832        regsvr32.exe    3
  3832   regsvr32.exe   4304        wermgr.exe      5
  4304   wermgr.exe     3336        net.exe         3
  4304   wermgr.exe     908         cmd.exe         3
  4304   wermgr.exe     4928        arp.exe         3
  4304   wermgr.exe     1020        ipconfig.exe    3
  4304   wermgr.exe     3944        nslookup.exe    3
  4304   wermgr.exe     5036        net.exe         3
  5036   net.exe        3380        net1.exe        3
  4304   wermgr.exe     4560        route.exe       3
  4304   wermgr.exe     3000        netstat.exe     3
  4304   wermgr.exe     4024        net.exe         3
  4024   net.exe        4728        net1.exe        3
  4304   wermgr.exe     3516        whoami.exe      3
Processes

Indentation and [n] give the depth in the process tree; PIDs come from the signature tables above. Two launch paths were exercised: rundll32 calling export #1 crashed (WerFault for pid 348), while the regsvr32 path ran, wrote into a freshly started wermgr.exe and drove the discovery commands from there.

[1] C:\Windows\system32\rundll32.exe (pid 2796)
    cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\aggravates.dll,#1
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\rundll32.exe (pid 348)
      cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\aggravates.dll,#1
    [3] C:\Windows\SysWOW64\WerFault.exe (pid 2952)
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 348 -s 708
        - Program crash

[1] C:\Windows\System32\rundll32.exe
    cmd: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

[1] C:\Windows\System32\cmd.exe (pid 3612)
    cmd: "C:\Windows\System32\cmd.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\regsvr32.exe (pid 3604)
      cmd: regsvr32 aggravates.dll
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\regsvr32.exe (pid 3832)
        cmd: aggravates.dll
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\wermgr.exe (pid 4304)
          cmd: C:\Windows\SysWOW64\wermgr.exe
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\net.exe (pid 3336)
            cmd: net view
            - Discovers systems in the same network
        [5] C:\Windows\SysWOW64\cmd.exe (pid 908)
            cmd: cmd /c set
        [5] C:\Windows\SysWOW64\arp.exe (pid 4928)
            cmd: arp -a
        [5] C:\Windows\SysWOW64\ipconfig.exe (pid 1020)
            cmd: ipconfig /all
            - Gathers network information
        [5] C:\Windows\SysWOW64\nslookup.exe (pid 3944)
            cmd: nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP
        [5] C:\Windows\SysWOW64\net.exe (pid 5036)
            cmd: net share
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\net1.exe (pid 3380)
              cmd: C:\Windows\system32\net1 share
        [5] C:\Windows\SysWOW64\route.exe (pid 4560)
            cmd: route print
        [5] C:\Windows\SysWOW64\netstat.exe (pid 3000)
            cmd: netstat -nao
            - Gathers network information
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\net.exe (pid 4024)
            cmd: net localgroup
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\net1.exe (pid 4728)
              cmd: C:\Windows\system32\net1 localgroup
        [5] C:\Windows\SysWOW64\whoami.exe (pid 3516)
            cmd: whoami /all
            - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\msiexec.exe (pid 2332)
    cmd: C:\Windows\system32\msiexec.exe /V
    - Suspicious use of AdjustPrivilegeToken
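The process tree is the detection opportunity: wermgr.exe is a Windows Error Reporting component that has no business launching net, nslookup or whoami, and here it was started by a regsvr32.exe that had just written into its memory. The block below is an added example, not part of the report or of any vendor tooling. It replays constructed process-creation events that mirror the PIDs and command lines above (timestamps invented, two benign noise events added, field names an assumed Sysmon-like schema), maps each discovery command to an ATT&CK technique ID, and flags a parent either when it is a WER binary or when it launches five or more distinct discovery commands within two minutes; both thresholds are assumptions to tune per environment.

```python
"""Hunt for the chain in the process tree above: wermgr.exe, launched from
regsvr32.exe, fanning out into host and network discovery commands.

Added example; not part of the sandbox report or of any Qakbot tooling.
EVENTS is constructed to mirror the report's PIDs and command lines
(timestamps invented, two noise events added); the field names are an
assumed Sysmon-like process-creation schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

EVENTS = [  # constructed: pid, parent pid, image basename, command line, HH:MM:SS
    dict(pid=3612, ppid=1, image="cmd.exe", cmd='"C:\\Windows\\System32\\cmd.exe"', t="12:00:00"),
    dict(pid=3604, ppid=3612, image="regsvr32.exe", cmd="regsvr32 aggravates.dll", t="12:00:01"),
    dict(pid=3832, ppid=3604, image="regsvr32.exe", cmd="aggravates.dll", t="12:00:01"),
    dict(pid=4304, ppid=3832, image="wermgr.exe", cmd="C:\\Windows\\SysWOW64\\wermgr.exe", t="12:00:03"),
    dict(pid=3336, ppid=4304, image="net.exe", cmd="net view", t="12:01:10"),
    dict(pid=908, ppid=4304, image="cmd.exe", cmd="cmd /c set", t="12:01:11"),
    dict(pid=4928, ppid=4304, image="arp.exe", cmd="arp -a", t="12:01:12"),
    dict(pid=1020, ppid=4304, image="ipconfig.exe", cmd="ipconfig /all", t="12:01:13"),
    dict(pid=3944, ppid=4304, image="nslookup.exe", t="12:01:14",
         cmd="nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP"),
    dict(pid=5036, ppid=4304, image="net.exe", cmd="net share", t="12:01:15"),
    dict(pid=3380, ppid=5036, image="net1.exe", cmd="C:\\Windows\\system32\\net1 share", t="12:01:15"),
    dict(pid=4560, ppid=4304, image="route.exe", cmd="route print", t="12:01:16"),
    dict(pid=3000, ppid=4304, image="netstat.exe", cmd="netstat -nao", t="12:01:17"),
    dict(pid=4024, ppid=4304, image="net.exe", cmd="net localgroup", t="12:01:18"),
    dict(pid=3516, ppid=4304, image="whoami.exe", cmd="whoami /all", t="12:01:19"),
    # noise: an interactive shell (pid 6000, no event captured) running two commands
    dict(pid=7000, ppid=6000, image="ipconfig.exe", cmd="ipconfig /all", t="12:05:00"),
    dict(pid=7001, ppid=6000, image="whoami.exe", cmd="whoami", t="12:05:30"),
]

# Command-line patterns for discovery utilities, mapped to ATT&CK technique IDs.
DISCOVERY = [
    (r"^net1?(\.exe)?\s+view\b", "T1018 Remote System Discovery"),
    (r"^nslookup\b.*_ldap\._tcp", "T1018 Remote System Discovery"),  # DC locator SRV record
    (r"^(ipconfig|arp|route)\b", "T1016 System Network Configuration Discovery"),
    (r"^netstat\b", "T1049 System Network Connections Discovery"),
    (r"^net1?(\.exe)?\s+share\b", "T1135 Network Share Discovery"),
    (r"^net1?(\.exe)?\s+localgroup\b", "T1069 Permission Groups Discovery"),
    (r"^whoami\b", "T1033 System Owner/User Discovery"),
    (r"^cmd(\.exe)?\s+/c\s+set\b", "T1082 System Information Discovery"),
]
WER_BINARIES = {"wermgr.exe", "werfault.exe"}  # never legitimately spawn recon tools


def normalize(cmd):
    """Lower-case, strip quotes and the directory prefix of the program token."""
    cmd = cmd.strip().strip('"')
    return re.sub(r"^[A-Za-z]:\\(?:[^\\\s]+\\)*", "", cmd).lower()


def lineage(by_pid, pid, depth=8):
    """Parent chain of image names, child first, until the parent is unknown."""
    chain = []
    while pid in by_pid and len(chain) < depth:
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain


def hunt(events, min_distinct=5, window=timedelta(seconds=120)):
    """Per parent pid, collect discovery commands spawned within `window` of the
    first one. Flag the parent when it is a WER binary or when the burst holds
    at least `min_distinct` different commands (both thresholds are assumptions)."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    findings = {}
    for ppid, kids in children.items():
        hits = []
        for k in kids:
            cmd = normalize(k["cmd"])
            technique = next((t for pat, t in DISCOVERY if re.search(pat, cmd)), None)
            if technique:
                hits.append((datetime.strptime(k["t"], "%H:%M:%S"), cmd, technique))
        if not hits:
            continue
        hits.sort()
        burst = [h for h in hits if h[0] - hits[0][0] <= window]
        commands = sorted({h[1] for h in burst})
        parent = by_pid.get(ppid, {}).get("image", "<unknown>").lower()
        if parent in WER_BINARIES or len(commands) >= min_distinct:
            findings[ppid] = {
                "parent": parent,
                "wer_parent": parent in WER_BINARIES,
                "lineage": lineage(by_pid, ppid),
                "commands": commands,
                "techniques": sorted({h[2] for h in burst}),
            }
    return findings


if __name__ == "__main__":
    for ppid, f in hunt(EVENTS).items():
        print(f"pid {ppid} {f['parent']} <- {' <- '.join(f['lineage'][1:])}")
        print(f"  {len(f['commands'])} discovery commands; {', '.join(f['techniques'])}")
```

The same logic lifts directly into a SIEM query: group process-creation events by parent, count distinct discovery command lines in a short window, and add a hard rule for wermgr.exe and WerFault.exe as parents. The nslookup for _ldap._tcp.dc._msdcs.WORKGROUP is the bot asking DNS for the domain controller locator SRV record; on a domain-joined victim the query carries the real domain name, so hunt for that record name in DNS logs as well.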
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads (memory dumps)

Dumps are named memory/<pid>-<sequence>; "mapping.dmp" entries carry no size on the page. Process names per pid come from the signature tables above. A 136KB region (0x22000 bytes) was dumped from all three processes that hosted the DLL's code (348, 3832, 4304) and a 260KB region (0x41000 bytes) from two of them; those are the dumps to compare first when looking for the unpacked payload.

pid 348, rundll32.exe (SysWOW64)
  348-120                                              mapping.dmp
  348-121 .. 348-179 except 160, 169, 174, 176, 179    0x0000000077570000-0x00000000776FE000  1MB    (54 dumps)
  348-160                                              0x0000000004040000-0x000000000411A000  872KB
  348-169, 348-176, 348-179                            0x00000000047F0000-0x0000000004812000  136KB
  348-174                                              0x0000000004370000-0x00000000043B1000  260KB

pid 3832, regsvr32.exe (SysWOW64)
  3832-181                                             mapping.dmp
  3832-182 .. 3832-189                                 0x0000000077570000-0x00000000776FE000  1MB    (8 dumps)
  3832-230                                             0x0000000004AF0000-0x0000000004B31000  260KB
  3832-232, 3832-281                                   0x0000000004B40000-0x0000000004B62000  136KB

pid 4304, wermgr.exe
  4304-238                                             mapping.dmp
  4304-280, 4304-282                                   0x00000000007B0000-0x00000000007D2000  136KB

Other processes (mapping dump only)
  3604-180 regsvr32.exe, 3336-321 net.exe, 908-344 cmd.exe, 4928-350 arp.exe, 1020-368 ipconfig.exe, 3944-386 nslookup.exe, 5036-417 net.exe, 3380-437 net1.exe, 4560-457 route.exe, 3000-473 netstat.exe, 4024-493 net.exe, 4728-513 net1.exe, 3516-534 whoami.exe