Analysis Overview
SHA256
012747575632a83c77d73b90450612446664d78c5a6a1af082c5da1485f6e9e1
Threat Level: Known bad
The file nequ_020B0000.bin.dll was found to be: Known bad.
Malicious Activity Summary
Qakbot/Qbot
Loads dropped DLL
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-12-25 10:18
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-12-25 10:18
Reported
2022-12-25 10:20
Platform
win7-20220812-en
Max time kernel
150s
Max time network
45s
Command Line
Signatures
Qakbot/Qbot
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\nequ_020B0000.bin.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\nequ_020B0000.bin.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Roaming\jnsqclsfxra.dll",Updt
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Roaming\jnsqclsfxra.bat
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
Network
Files
memory/540-54-0x0000000000000000-mapping.dmp
memory/540-55-0x0000000076171000-0x0000000076173000-memory.dmp
memory/1736-56-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\jnsqclsfxra.dll
| Hash | Value |
| --- | --- |
| MD5 | 35dfa07872a3f66411c07c952c38e6a2 |
| SHA1 | 4d73d0c3824cc3d2c4743c8df8d1f32ea32d7f90 |
| SHA256 | 103c930565aea6c69e118a16d1618e1d34a816623efd549ed09161d00de4568a |
| SHA512 | 66ca19883bc3fb8d30845b66b910d16242eab856c98b7783c3cedd1dad9f08a0390686950814c39ed7dcb50012b4503c8026f13f723fdd2dd39c56054945860b |
memory/1736-63-0x0000000000880000-0x00000000008F3000-memory.dmp
memory/1736-64-0x00000000001F0000-0x000000000021A000-memory.dmp
memory/1768-65-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\jnsqclsfxra.bat
| Hash | Value |
| --- | --- |
| MD5 | 761133c5c6e784c5c0fd4aaa2a5ff098 |
| SHA1 | ca026ff9f9b72e474bb2b7c6d13482f70d633f85 |
| SHA256 | cb11cb8ab32947189ba764189506789bcb73cc3355f9f40f74944a1fe60f5477 |
| SHA512 | 8a5461bafcda1e5bffe4b104c9c272c3d5ca3f198b1655abf9f55c48aa970a6ec5b7da815f6a7d941f98a512fca1b448a0948f40678e43fcce8198753cc2a609 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-12-25 10:18
Reported
2022-12-25 10:20
Platform
win10v2004-20221111-en
Max time kernel
151s
Max time network
127s
Command Line
Signatures
Qakbot/Qbot
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\nequ_020B0000.bin.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\nequ_020B0000.bin.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Roaming\nnvuaunqzezko.dll",Updt
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Roaming\nnvuaunqzezko.bat
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 72.21.81.240:80 | N/A | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
Files
memory/4844-132-0x0000000000000000-mapping.dmp
memory/4836-133-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\nnvuaunqzezko.dll
| Hash | Value |
| --- | --- |
| MD5 | be8307c97004a2cebabfade41c6bcdba |
| SHA1 | adf76bafee3a191169217a039b1bbae08786acb0 |
| SHA256 | 2a009bea32f5c812417d8c9d91bd06f0b10e877356a82930a87dbdfb3f4a705e |
| SHA512 | f96cef3c2f6b64f381392443e14aafedec43285e7d0c335f28b88fdd7b9a5e13311a113a024dcfcf4ccc0b2f9a58bac01a22137d3077b684ab6643a4289d8609 |
C:\Users\Admin\AppData\Roaming\nnvuaunqzezko.bat
| Hash | Value |
| --- | --- |
| MD5 | 761133c5c6e784c5c0fd4aaa2a5ff098 |
| SHA1 | ca026ff9f9b72e474bb2b7c6d13482f70d633f85 |
| SHA256 | cb11cb8ab32947189ba764189506789bcb73cc3355f9f40f74944a1fe60f5477 |
| SHA512 | 8a5461bafcda1e5bffe4b104c9c272c3d5ca3f198b1655abf9f55c48aa970a6ec5b7da815f6a7d941f98a512fca1b448a0948f40678e43fcce8198753cc2a609 |