Analysis
max time kernel: 90s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-12-2022 12:09

Static task: static1
Behavioral task: behavioral1
Sample: mal.dll
Resource: win7-20221111-en
General
Target: mal.dll
Size: 628KB
MD5: 0b027723b5af33dad8219cbdcd44ad9a
SHA1: b2243901845b163db104ec790b983222f0691a94
SHA256: cb5b8365be065ab9870b15a524decf7474575b0b14e796ee77d6f482dfb6d53c
SHA512: 82bdeb901957d45f9d72705863a3599fdbc57fc0ce2f3c5cd191e47ab754bd899715d290c189a512d0fcb804c6ec3cfe9cef3cb496a45e4eff54b74d1a29692e
SSDEEP: 12288:8x8IFmbH8yS5XXUrIVcxxn/5IOT2LY/O9bBoY//w:R6y8bRZARhI/LoO9bBoY/4
Malware Config
Extracted: qakbot (404.2, obama218, 1666870886)
salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures

Program crash (1 IoC)
pid 4992, pid_target 3756, Process WerFault.exe, procid_target 80

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid 3756, Process rundll32.exe
pid 3756, Process rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description "PID 4016 wrote to memory of 3756", pid 4016, Process rundll32.exe, procid_target 80
description "PID 4016 wrote to memory of 3756", pid 4016, Process rundll32.exe, procid_target 80
description "PID 4016 wrote to memory of 3756", pid 4016, Process rundll32.exe, procid_target 80
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\mal.dll,#1
  PID: 4016
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\mal.dll,#1
    PID: 3756
    - Suspicious behavior: EnumeratesProcesses
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 732
      PID: 4992
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3756 -ip 3756
  PID: 2200