Resubmissions
31/01/2023, 18:30  230131-w5xvqahf27  10
31/01/2023, 18:16  230131-wwy2eshe77  3
31/01/2023, 17:51  230131-wfchgsbd2v  3
31/01/2023, 17:49  230131-wd521shd85  3

Analysis
max time kernel: 720s
max time network: 691s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64 arch:x86 image:win10-20220812-en locale:en-us os:windows10-1703-x64 system
submitted: 31/01/2023, 18:30
Static task
static1

General
Target: Qakbot.dll
Size: 713KB
MD5: ea01b105c2c1bb90559bea2cd3df26fe
SHA1: cf73e2502f7976288857d81adf812b1b0c7c55d0
SHA256: 4a990b2e48bc3a48a93ec155feb21d79201f6bf8b248ecd16367dc14bd2bce75
SHA512: 698e72e18a4312b128989068a79869ec58a3e234e4af0516c98ccd0b839397e7bc1e534f316aa97f360dee2f9ce1bb119519010bb4566374ed333325eb84df5c
SSDEEP: 12288:9qwFxm3G6H4RyuHbR1MxnuTV/iV1SdURA8s2Q5Qp:QwFxm3G6H4IuHbR1MxnuTV/iV1QTQ
Malware Config
Extracted
qakbot
404.432
BB12
1675161116
103.252.7.228:443
87.10.205.117:443
82.15.58.109:2222
72.80.7.6:995
90.162.45.154:2222
47.34.30.133:443
50.68.204.71:993
112.141.184.246:995
73.165.119.20:443
91.169.12.198:32100
173.18.126.3:443
87.56.238.53:443
85.241.180.94:443
12.172.173.82:50001
92.154.17.149:2222
103.42.86.246:995
12.172.173.82:990
91.254.132.23:443
121.121.100.207:995
74.92.243.113:50000
69.119.123.159:2222
156.217.247.173:995
50.68.204.71:995
76.170.252.153:995
92.8.190.175:2222
69.159.158.183:2222
172.248.42.122:443
12.172.173.82:2087
197.148.17.17:2078
75.143.236.149:443
69.133.162.35:443
50.68.204.71:443
125.20.112.94:443
206.188.201.143:2222
92.27.86.48:2222
71.46.234.171:443
85.59.61.52:2222
12.172.173.82:995
71.112.212.166:443
27.0.48.233:443
130.43.172.217:2222
98.175.176.254:995
200.109.207.186:2222
103.141.50.151:995
107.146.12.26:2222
136.232.184.134:995
181.118.183.2:443
136.244.25.165:443
197.204.184.160:443
183.87.163.165:443
5.163.163.51:995
102.156.154.112:443
87.223.87.126:443
91.165.188.74:50000
89.115.196.99:443
87.221.197.113:2222
89.79.229.50:443
84.108.200.161:443
123.3.240.16:995
161.142.104.187:995
173.76.49.61:443
47.21.51.138:995
175.139.129.94:2222
58.247.115.126:995
60.254.51.168:443
184.153.132.82:443
116.75.63.184:443
70.66.199.12:443
162.248.14.107:443
75.98.154.19:443
202.142.98.62:995
93.24.192.142:20
202.142.98.62:443
78.193.176.97:443
87.202.101.164:50000
82.121.195.187:2222
88.169.33.180:2222
89.129.109.27:2222
85.7.61.22:2222
86.130.9.182:2222
24.228.132.224:2222
86.96.72.139:2222
24.9.220.167:443
91.231.173.199:995
217.128.91.196:2222
102.156.174.28:443
213.67.255.57:2222
176.202.38.188:443
98.145.23.67:443
217.128.200.114:2222
70.77.116.233:443
67.10.175.47:2222
74.33.196.114:443
31.53.29.161:2222
12.172.173.82:20
90.104.22.28:2222
27.0.48.205:443
103.212.19.254:995
86.195.14.72:2222
119.82.122.226:443
92.154.45.81:2222
151.65.168.222:443
2.98.146.106:995
213.31.90.183:2222
47.61.70.188:2078
27.109.19.90:2078
173.178.151.233:443
198.2.51.242:993
86.194.156.14:2222
76.80.180.154:995
174.104.184.149:443
12.172.173.82:465
12.172.173.82:32101
171.97.42.67:443
73.36.196.11:443
71.31.101.183:443
81.229.117.95:2222
92.186.69.229:2222
24.71.120.191:443
salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures

Loads dropped DLL (2 IoCs)
pid   Process
4492  rundll32.exe
4492  rundll32.exe

Drops file in Windows directory (2 IoCs)
description   ioc                                                     Process
File created  C:\Windows\rescache\_merged\1601268389\3877292338.pri  taskmgr.exe
File created  C:\Windows\rescache\_merged\4183903823\810424605.pri   taskmgr.exe

Program crash (1 IoC)
pid   pid_target  Process       procid_target
1264  2804        WerFault.exe  66

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description        ioc                                                                                                                                                   Process
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName                                             taskmgr.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000                                                          taskmgr.exe

Discovers systems in the same network (1 TTP, 1 IoC)
pid   Process
5052  net.exe

Gathers network information (2 TTPs, 2 IoCs)
Uses commandline utility to view network configuration.
pid   Process
4744  ipconfig.exe
4848  netstat.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
4492 rundll32.exe 4492 rundll32.exe 3388 wermgr.exe 3388 wermgr.exe 3388 wermgr.exe 3388 wermgr.exe 3388 wermgr.exe 3388 wermgr.exe 3388 wermgr.exe 3388 wermgr.exe 3388 wermgr.exe 3388 wermgr.exe 3388 wermgr.exe 3388 wermgr.exe 3388 wermgr.exe 3388 wermgr.exe 3388 wermgr.exe 3388 wermgr.exe 3388 wermgr.exe 3388 wermgr.exe 3388 wermgr.exe 3388 wermgr.exe 3388 wermgr.exe 3388 wermgr.exe 3388 wermgr.exe 3388 wermgr.exe 3388 wermgr.exe 3388 wermgr.exe 3388 wermgr.exe 3388 wermgr.exe 528 taskmgr.exe 528 taskmgr.exe 3388 wermgr.exe 3388 wermgr.exe 528 taskmgr.exe 3388 wermgr.exe 3388 wermgr.exe 528 taskmgr.exe 3388 wermgr.exe 3388 wermgr.exe 528 taskmgr.exe 3388 wermgr.exe 3388 wermgr.exe 528 taskmgr.exe 3388 wermgr.exe 3388 wermgr.exe 528 taskmgr.exe 3388 wermgr.exe 3388 wermgr.exe 528 taskmgr.exe 3388 wermgr.exe 3388 wermgr.exe 528 taskmgr.exe 3388 wermgr.exe 3388 wermgr.exe 528 taskmgr.exe 3388 wermgr.exe 3388 wermgr.exe 528 taskmgr.exe 3388 wermgr.exe 3388 wermgr.exe 528 taskmgr.exe 3388 wermgr.exe 3388 wermgr.exe 528 taskmgr.exe 3388 wermgr.exe 3388 wermgr.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid   Process
528   taskmgr.exe

Suspicious behavior: MapViewOfSection (1 IoC)
pid   Process
4492  rundll32.exe

Suspicious use of AdjustPrivilegeToken (32 IoCs)
description                      pid   Process
Token: SeDebugPrivilege          528   taskmgr.exe
Token: SeSystemProfilePrivilege  528   taskmgr.exe
Token: SeCreateGlobalPrivilege   528   taskmgr.exe
Token: SeDebugPrivilege          4848  netstat.exe
Token: SeDebugPrivilege          816   whoami.exe   (27 identical entries)
Token: SeSecurityPrivilege       1312  msiexec.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
pid   Process
528   taskmgr.exe   (64 identical entries)

Suspicious use of SendNotifyMessage (64 IoCs)
pid   Process
528   taskmgr.exe   (64 identical entries)

Suspicious use of WriteProcessMemory (57 IoCs)
description                       pid   Process       procid_target
PID 2500 wrote to memory of 2804  2500  rundll32.exe  66   (3 entries)
PID 3460 wrote to memory of 2308  3460  cmd.exe       74   (2 entries)
PID 2308 wrote to memory of 4492  2308  rundll32.exe  75   (3 entries)
PID 4492 wrote to memory of 4544  4492  rundll32.exe  76   (3 entries)
PID 4492 wrote to memory of 3388  4492  rundll32.exe  77   (5 entries)
PID 3460 wrote to memory of 1640  3460  cmd.exe       79   (2 entries)
PID 1640 wrote to memory of 476   1640  rundll32.exe  80   (3 entries)
PID 3388 wrote to memory of 5052  3388  wermgr.exe    82   (3 entries)
PID 3388 wrote to memory of 2780  3388  wermgr.exe    84   (3 entries)
PID 3388 wrote to memory of 4812  3388  wermgr.exe    86   (3 entries)
PID 3388 wrote to memory of 4744  3388  wermgr.exe    88   (3 entries)
PID 3388 wrote to memory of 4128  3388  wermgr.exe    90   (3 entries)
PID 3388 wrote to memory of 3952  3388  wermgr.exe    92   (3 entries)
PID 3952 wrote to memory of 2976  3952  net.exe       94   (3 entries)
PID 3388 wrote to memory of 60    3388  wermgr.exe    95   (3 entries)
PID 3388 wrote to memory of 4848  3388  wermgr.exe    97   (3 entries)
PID 3388 wrote to memory of 1076  3388  wermgr.exe    99   (3 entries)
PID 1076 wrote to memory of 304   1076  net.exe       101  (3 entries)
PID 3388 wrote to memory of 816   3388  wermgr.exe    102  (3 entries)
Processes
(each entry: image path, command line, PID, triggered signatures; indentation shows the parent/child depth)

C:\Windows\system32\rundll32.exe
  cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\Qakbot.dll,#1
  PID: 2500
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\Qakbot.dll,#1
    PID: 2804
    C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 616
      PID: 1264
      - Program crash

C:\Windows\system32\cmd.exe
  cmdline: "C:\Windows\system32\cmd.exe"
  PID: 3460
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\rundll32.exe
    cmdline: rundll32.exe Qakbot.dll,Wind
    PID: 2308
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      cmdline: rundll32.exe Qakbot.dll,Wind
      PID: 4492
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\wermgr.exe
        cmdline: C:\Windows\SysWOW64\wermgr.exe
        PID: 4544
      C:\Windows\SysWOW64\wermgr.exe
        cmdline: C:\Windows\SysWOW64\wermgr.exe
        PID: 3388
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net.exe
          cmdline: net view
          PID: 5052
          - Discovers systems in the same network
        C:\Windows\SysWOW64\cmd.exe
          cmdline: cmd /c set
          PID: 2780
        C:\Windows\SysWOW64\arp.exe
          cmdline: arp -a
          PID: 4812
        C:\Windows\SysWOW64\ipconfig.exe
          cmdline: ipconfig /all
          PID: 4744
          - Gathers network information
        C:\Windows\SysWOW64\nslookup.exe
          cmdline: nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP
          PID: 4128
        C:\Windows\SysWOW64\net.exe
          cmdline: net share
          PID: 3952
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\net1.exe
            cmdline: C:\Windows\system32\net1 share
            PID: 2976
        C:\Windows\SysWOW64\route.exe
          cmdline: route print
          PID: 60
        C:\Windows\SysWOW64\netstat.exe
          cmdline: netstat -nao
          PID: 4848
          - Gathers network information
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\net.exe
          cmdline: net localgroup
          PID: 1076
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\net1.exe
            cmdline: C:\Windows\system32\net1 localgroup
            PID: 304
        C:\Windows\SysWOW64\whoami.exe
          cmdline: whoami /all
          PID: 816
          - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\rundll32.exe
    cmdline: rundll32.exe Qakbot.dll,Wind
    PID: 1640
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      cmdline: rundll32.exe Qakbot.dll,Wind
      PID: 476

C:\Windows\system32\taskmgr.exe
  cmdline: "C:\Windows\system32\taskmgr.exe" /4
  PID: 528
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\system32\msiexec.exe
  cmdline: C:\Windows\system32\msiexec.exe /V
  PID: 1312
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 4KB
MD5: 50fac674a6cd38635b1cf56c1674877e
SHA1: d6d5ff9a9d8fa202e99db614d25c5d9045adfdca
SHA256: d146add3ce16e16d692e0f1332599a8075f0127c3e260d046fc44a1c572f1e48
SHA512: 157ae564860b792037be80d14680e0d52071e24183b0de491cc88cea88475a2925c7b86e2fd63b9715aa2344a4dfea329326a556b7c03aab953ac9797d2c0051

Filesize: 1.8MB
MD5: f7202e522a8901da566cbd69d7b195e0
SHA1: 3990af71966ceab9bf73636fcd845dac0b269942
SHA256: 772c5718a6ddaa89d6e6144f275b76046477306afdf8ad3f46c4749845e4248a
SHA512: a58ca60cbe37c8b0cc195d1bbe8ee9c986392f8781187378d1f2aa96bff1834e4c24f76580d779f6024c0841fc826146d8d4aa909defc7639c95edda079ae124

Filesize: 1.8MB
MD5: f7202e522a8901da566cbd69d7b195e0
SHA1: 3990af71966ceab9bf73636fcd845dac0b269942
SHA256: 772c5718a6ddaa89d6e6144f275b76046477306afdf8ad3f46c4749845e4248a
SHA512: a58ca60cbe37c8b0cc195d1bbe8ee9c986392f8781187378d1f2aa96bff1834e4c24f76580d779f6024c0841fc826146d8d4aa909defc7639c95edda079ae124