Analysis
-
max time kernel
153s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
16-12-2022 17:37
Static task
static1
Behavioral task
behavioral1
Sample
VV.lnk
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral2
Sample
VV.lnk
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
slings/denudes.dll
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral4
Sample
slings/denudes.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
slings/explorations.cmd
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral6
Sample
slings/explorations.cmd
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
slings/mismanagement.cmd
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral8
Sample
slings/mismanagement.cmd
Resource
win10v2004-20221111-en
windows10-2004-x64
General
-
Target
slings/denudes.dll
-
Size
730KB
-
MD5
f3f9172ffd30e7583105ed025aa7d69b
-
SHA1
5d2fcc46effa185ccc4e8c06fab5e641f5a31852
-
SHA256
3d01b9929f514e79f9c7f6300adc19276455011ff1b88802b0fe61fc666f75f7
-
SHA512
0f46d5aa70c97898641464ee8c502ce960eab1497b8e57a3219f7ee13abf2a34a54b0dad04068f5b25704a12cd1bc49490026ffda5f09b0106601e6eacbc54ce
-
SSDEEP
6144:B8vIbSUajYBFu5skfyZNI9i7mGHrx1SeOQdHIxF5n2PbLXR+5YJ:sIbAdtKA91GHrxhsnuI5YJ
Malware Config
Extracted
qakbot
404.46
BB10
1671090444
108.6.249.139:443
92.145.203.167:2222
24.206.27.39:443
178.152.25.80:443
87.57.13.215:443
75.143.236.149:443
49.245.119.12:2222
84.35.26.14:995
86.130.9.250:2222
12.172.173.82:995
147.148.234.231:2222
83.114.60.6:2222
213.67.255.57:2222
102.40.202.189:995
149.126.159.106:443
50.68.204.71:995
47.41.154.250:443
50.68.204.71:443
12.172.173.82:465
190.18.236.175:443
79.13.202.140:443
70.55.120.16:2222
123.3.240.16:995
70.115.104.126:995
188.48.116.37:995
87.65.160.87:995
221.161.103.6:443
27.99.45.237:2222
76.80.180.154:995
103.144.201.62:2078
72.80.7.6:995
90.104.22.28:2222
199.83.165.233:443
78.193.176.97:443
76.100.159.250:443
47.34.30.133:443
87.149.127.43:995
108.162.6.34:443
73.161.176.218:443
136.232.184.134:995
124.122.55.7:443
77.86.98.236:443
51.186.2.140:443
109.11.175.42:2222
93.156.97.145:443
88.126.94.4:50000
216.160.116.140:2222
31.167.254.199:995
2.50.44.83:443
89.129.109.27:2222
49.205.231.75:2222
96.246.158.46:995
50.68.204.71:993
216.36.153.248:443
84.219.213.130:6881
184.176.154.83:995
92.207.132.174:2222
142.161.27.232:2222
49.175.72.56:443
184.68.116.146:2078
66.191.69.18:995
90.89.95.158:2222
198.2.51.242:993
73.36.196.11:443
176.151.15.101:443
75.158.15.211:443
69.133.162.35:443
184.68.116.146:61202
12.172.173.82:21
186.64.67.55:443
162.248.14.107:443
86.225.214.138:2222
91.231.172.236:995
83.92.85.93:443
24.142.218.202:443
70.77.116.233:443
75.98.154.19:443
81.248.77.37:2222
12.172.173.82:50001
12.172.173.82:22
172.117.139.142:995
70.120.228.205:443
79.77.142.22:2222
80.44.148.126:2222
78.101.91.215:2222
181.118.206.65:995
92.24.200.226:995
75.141.227.169:443
190.24.45.24:995
174.104.184.149:443
98.187.21.2:443
121.121.100.148:995
172.90.139.138:2222
75.99.125.234:2222
172.248.42.122:443
94.63.65.146:443
98.145.23.67:443
91.68.227.219:443
85.59.61.52:2222
74.66.134.24:443
12.172.173.82:993
150.107.231.59:2222
64.237.240.3:443
173.239.94.212:443
91.169.12.198:32100
67.235.138.14:443
24.71.120.191:443
173.18.126.3:443
60.234.194.12:2222
175.139.130.191:2222
74.92.243.113:50000
213.191.164.70:443
184.153.132.82:443
91.96.249.3:443
69.119.123.159:2222
81.229.117.95:2222
92.189.214.236:2222
73.155.10.79:443
216.82.134.133:443
184.68.116.146:3389
-
salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures
-
Suspicious behavior: EnumeratesProcesses 58 IoCs
pid Process 896 rundll32.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe 4572 wermgr.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 896 rundll32.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 856 wrote to memory of 896 856 rundll32.exe 27 PID 856 wrote to memory of 896 856 rundll32.exe 27 PID 856 wrote to memory of 896 856 rundll32.exe 27 PID 856 wrote to memory of 896 856 rundll32.exe 27 PID 856 wrote to memory of 896 856 rundll32.exe 27 PID 856 wrote to memory of 896 856 rundll32.exe 27 PID 856 wrote to memory of 896 856 rundll32.exe 27 PID 896 wrote to memory of 4572 896 rundll32.exe 28 PID 896 wrote to memory of 4572 896 rundll32.exe 28 PID 896 wrote to memory of 4572 896 rundll32.exe 28 PID 896 wrote to memory of 4572 896 rundll32.exe 28 PID 896 wrote to memory of 4572 896 rundll32.exe 28 PID 896 wrote to memory of 4572 896 rundll32.exe 28
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\slings\denudes.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\slings\denudes.dll,#12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:896 -
C:\Windows\SysWOW64\wermgr.exeC:\Windows\SysWOW64\wermgr.exe3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4572
-
-