Analysis
-
max time kernel
100s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
26-09-2022 15:40
Static task
static1
Behavioral task
behavioral1
Sample
Art.lnk
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
Art.lnk
Resource
win10v2004-20220812-en
Behavioral task
behavioral3
Sample
banners/codifyingEndowments.js
Resource
win7-20220812-en
Behavioral task
behavioral4
Sample
banners/codifyingEndowments.js
Resource
win10v2004-20220812-en
Behavioral task
behavioral5
Sample
banners/muddled.dll
Resource
win7-20220901-en
Behavioral task
behavioral6
Sample
banners/muddled.dll
Resource
win10v2004-20220812-en
Behavioral task
behavioral7
Sample
banners/sapientLashings.cmd
Resource
win7-20220812-en
Behavioral task
behavioral8
Sample
banners/sapientLashings.cmd
Resource
win10v2004-20220812-en
General
-
Target
banners/muddled.dll
-
Size
1.1MB
-
MD5
e17ff4c8e0da566b6fbe6ce54101eee7
-
SHA1
ed92354f1a9500c9dc07dfe77e23d3193e905559
-
SHA256
0b353412e79686c5185dfdf185747e856f379c863ff41d82ce0ef4b69b31b747
-
SHA512
70b9b4f07b35cf617da318e79999d3593355c126d10ab01a30827cd0daaa0d0fe54bbc9ed8fce80372803573ad2f30ea30e177dbf9ca0eddcf4cafb87e081f30
-
SSDEEP
24576:wVeK7bHY/DS6wku4EmQKyMeRP7IYqsS/HdcoO9u+5w9M4a:wZjMpn6oO
Malware Config
Extracted
qakbot
403.895
BB
1664184863
197.204.227.155:443
123.23.64.230:443
173.218.180.91:443
111.125.157.230:443
70.49.33.200:2222
149.28.38.16:995
86.132.13.105:2078
149.28.38.16:443
45.77.159.252:995
45.77.159.252:443
149.28.63.197:995
144.202.15.58:443
45.63.10.144:443
45.63.10.144:995
149.28.63.197:443
144.202.15.58:995
39.121.226.109:443
177.255.14.99:995
134.35.10.30:443
99.232.140.205:2222
180.180.132.100:443
86.176.180.223:993
41.98.11.74:443
196.64.230.149:8443
68.224.229.42:443
41.111.72.234:995
196.64.237.130:443
190.44.40.48:995
70.51.132.197:2222
88.232.207.24:443
115.247.12.66:443
189.19.189.222:32101
72.88.245.71:443
217.165.97.141:993
191.97.234.238:995
119.82.111.158:443
88.237.6.72:53
100.1.5.250:995
96.234.66.76:995
186.64.67.34:443
66.181.164.43:443
193.3.19.37:443
197.94.84.128:443
41.96.130.46:80
187.205.222.100:443
139.228.33.176:2222
88.245.168.200:2222
110.4.255.247:443
89.211.217.38:995
-
salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4928 3048 WerFault.exe rundll32.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
rundll32.exepid process 3048 rundll32.exe 3048 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 4632 wrote to memory of 3048 4632 rundll32.exe rundll32.exe PID 4632 wrote to memory of 3048 4632 rundll32.exe rundll32.exe PID 4632 wrote to memory of 3048 4632 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\banners\muddled.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\banners\muddled.dll,#12⤵
- Suspicious behavior: EnumeratesProcesses
PID:3048 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 6923⤵
- Program crash
PID:4928
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3048 -ip 30481⤵PID:2828