Analysis
- max time kernel: 150s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 27-09-2022 14:30
Static task
- static1

Behavioral tasks (sample / resource)
- behavioral1: Art.lnk / win7-20220812-en
- behavioral2: Art.lnk / win10v2004-20220812-en
- behavioral3: banners/inviolability.dll / win7-20220812-en
- behavioral4: banners/inviolability.dll / win10v2004-20220901-en
- behavioral5: banners/rehearserAnointed.js / win7-20220812-en
- behavioral6: banners/rehearserAnointed.js / win10v2004-20220812-en
- behavioral7: banners/unservicedValedictory.cmd / win7-20220812-en
- behavioral8: banners/unservicedValedictory.cmd / win10v2004-20220901-en
General
- Target: banners/inviolability.dll
- Size: 1.1MB
- MD5: e17ff4c8e0da566b6fbe6ce54101eee7
- SHA1: ed92354f1a9500c9dc07dfe77e23d3193e905559
- SHA256: 0b353412e79686c5185dfdf185747e856f379c863ff41d82ce0ef4b69b31b747
- SHA512: 70b9b4f07b35cf617da318e79999d3593355c126d10ab01a30827cd0daaa0d0fe54bbc9ed8fce80372803573ad2f30ea30e177dbf9ca0eddcf4cafb87e081f30
- SSDEEP: 24576:wVeK7bHY/DS6wku4EmQKyMeRP7IYqsS/HdcoO9u+5w9M4a:wZjMpn6oO
Malware Config
Extracted
- Family: qakbot
- Version: 403.895
- Botnet: BB
- Campaign: 1664184863
- C2 (ip:port):
197.204.227.155:443
123.23.64.230:443
173.218.180.91:443
111.125.157.230:443
70.49.33.200:2222
149.28.38.16:995
86.132.13.105:2078
149.28.38.16:443
45.77.159.252:995
45.77.159.252:443
149.28.63.197:995
144.202.15.58:443
45.63.10.144:443
45.63.10.144:995
149.28.63.197:443
144.202.15.58:995
39.121.226.109:443
177.255.14.99:995
134.35.10.30:443
99.232.140.205:2222
180.180.132.100:443
86.176.180.223:993
41.98.11.74:443
196.64.230.149:8443
68.224.229.42:443
41.111.72.234:995
196.64.237.130:443
190.44.40.48:995
70.51.132.197:2222
88.232.207.24:443
115.247.12.66:443
189.19.189.222:32101
72.88.245.71:443
217.165.97.141:993
191.97.234.238:995
119.82.111.158:443
88.237.6.72:53
100.1.5.250:995
96.234.66.76:995
186.64.67.34:443
66.181.164.43:443
193.3.19.37:443
197.94.84.128:443
41.96.130.46:80
187.205.222.100:443
139.228.33.176:2222
88.245.168.200:2222
110.4.255.247:443
89.211.217.38:995
- salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
992   rundll32.exe   (1 entry)
1176  wermgr.exe     (63 repeated entries)

Suspicious behavior: MapViewOfSection (1 IoC)
pid   Process
992   rundll32.exe

Suspicious use of WriteProcessMemory (13 IoCs)
description                        pid   Process        procid_target
PID 240 wrote to memory of 992     240   rundll32.exe   28   (7 repeated entries)
PID 992 wrote to memory of 1176    992   rundll32.exe   29   (6 repeated entries)
Processes
- C:\Windows\system32\rundll32.exe (PID 240)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\banners\inviolability.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 992)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\banners\inviolability.dll,#1
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\wermgr.exe (PID 1176)
      command line: C:\Windows\SysWOW64\wermgr.exe
      - Suspicious behavior: EnumeratesProcesses