Analysis

max time kernel: 123s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-10-2022 22:20
Static task: static1

Behavioral tasks:
  behavioral1  Sample: 7965/3601.js       Resource: win7-20220812-en
  behavioral2  Sample: 7965/3601.js       Resource: win10v2004-20220901-en
  behavioral3  Sample: 7965/6388.cmd      Resource: win7-20220812-en
  behavioral4  Sample: 7965/6388.cmd      Resource: win10v2004-20220812-en
  behavioral5  Sample: 7965/usurpers.dll  Resource: win7-20220812-en
  behavioral6  Sample: 7965/usurpers.dll  Resource: win10v2004-20220901-en
  behavioral7  Sample: ContractCopy.lnk   Resource: win7-20220812-en
General

Target: 7965/usurpers.dll
Size: 743KB
MD5: 0d34c7cc649e41ed139210cff4f0f6b2
SHA1: 2aa5538a31b7367ced7ce55dbf68c93490f7eff9
SHA256: 7d9d70bdc53de103086dfc901004cfa2dc93fb25fb5c40109b63ba071107e40a
SHA512: 8ac448a6bdf86ad781aa386895df83cb9d48536bf00140ac0c05ea55df0f783815cc8600a5e76cd38d84f980caf5ec758b46d489370d0a49dce9c0a638ebafbb
SSDEEP: 12288:zxnt9hlMvNICAY0KEkAOl7G79zEXjGOyw3MW:tt9+JFEkAmG0j26M
Malware Config
Extracted
qakbot
salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures

Program crash (1 IoCs)
Processes:
  pid  pid_target  process       target process
  888  3808        WerFault.exe  rundll32.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  3808  rundll32.exe
  3808  rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                       pid   process       target process
  PID 1812 wrote to memory of 3808  1812  rundll32.exe  rundll32.exe
  PID 1812 wrote to memory of 3808  1812  rundll32.exe  rundll32.exe
  PID 1812 wrote to memory of 3808  1812  rundll32.exe  rundll32.exe
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7965\usurpers.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 1812
    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7965\usurpers.dll,#1
      - Suspicious behavior: EnumeratesProcesses
      PID: 3808
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 668
          - Program crash
          PID: 888

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 3808 -ip 3808
  PID: 3508