Analysis

max time kernel: 600s
max time network: 588s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 03/02/2023, 02:48

Static task: static1
Behavioral task: behavioral1
Sample: RunDLL-1.bat
Resource: win10-20220812-en
General

Target: RunDLL-1.bat
Size: 28B
MD5: 707a85392304853a2f2c42e1e39cafd4
SHA1: d5d67d2dbcfa5f4061ca32da36cfbee9f3c2a213
SHA256: 06b1fc756f405efb9f1ef0446bfe9366315ed9e25cfeb98750475e7ed4266161
SHA512: 3cedae886b9a658f0c566226c5633358d8571fc494a95c968d9df08c40183e206eaeae12860e1c56bcaebde236af4a9b885b7b2760edc38ae34780cc463d7416
Malware Config
Extracted
qakbot
404.432
BB12
1675352134
213.67.255.57:2222
86.96.72.139:2222
119.82.122.226:443
86.96.34.182:2222
12.172.173.82:50001
107.146.12.26:2222
97.116.78.96:443
47.61.70.188:2078
197.148.17.17:2078
82.127.204.82:2222
82.121.195.187:2222
73.155.10.79:443
91.231.173.199:995
86.196.12.21:2222
90.78.51.182:2222
90.165.109.4:2222
202.186.177.88:443
92.27.86.48:2222
88.171.156.150:50000
78.130.215.67:443
70.66.199.12:443
47.203.227.114:443
162.248.14.107:443
75.98.154.19:443
83.248.199.56:443
64.237.207.9:443
82.36.36.76:443
183.82.112.209:443
98.145.23.67:443
70.77.116.233:443
49.245.127.223:2222
105.99.105.0:443
209.142.97.83:995
74.33.196.114:443
75.156.125.215:995
189.222.55.8:443
70.160.80.210:443
194.166.90.227:443
12.172.173.82:20
12.172.173.82:995
91.68.227.219:443
91.170.115.68:32100
70.51.133.160:2222
90.104.22.28:2222
86.161.143.7:2222
173.76.49.61:443
24.64.112.40:2222
92.154.45.81:2222
84.219.213.130:6881
47.21.51.138:995
86.130.9.182:2222
78.16.206.181:443
217.128.91.196:2222
74.214.61.68:443
92.239.81.124:443
72.188.121.121:443
181.118.206.65:995
200.109.207.186:2222
12.172.173.82:465
86.165.225.227:2222
208.180.17.32:2222
24.64.112.40:50010
184.153.132.82:443
151.65.168.222:443
72.80.7.6:995
79.9.64.37:995
174.104.184.149:443
24.64.112.40:3389
81.151.102.224:443
108.2.111.66:995
47.34.30.133:443
50.68.204.71:993
123.3.240.16:995
103.12.133.134:2222
47.196.203.73:443
73.165.119.20:443
86.172.79.135:443
41.250.182.207:443
217.128.200.114:2222
47.6.243.7:443
156.217.208.137:995
12.172.173.82:32101
73.36.196.11:443
173.18.126.3:443
81.229.117.95:2222
190.191.35.122:443
84.35.26.14:995
37.14.229.220:2222
90.162.45.154:2222
24.71.120.191:443
86.225.214.138:2222
172.90.139.138:2222
92.207.132.174:2222
217.165.235.126:443
104.35.24.154:443
69.159.158.183:2222
24.123.211.131:443
67.61.71.201:443
86.194.156.14:2222
197.14.77.92:443
184.189.41.80:443
103.169.83.89:443
86.151.21.134:2222
23.251.92.57:2222
71.31.101.183:443
99.254.167.145:443
198.2.51.242:993
76.80.180.154:995
92.11.194.53:995
88.126.94.4:50000
121.121.100.207:995
92.154.17.149:2222
74.92.243.113:50000
68.150.18.161:443
69.119.123.159:2222
50.68.204.71:995
93.238.63.3:995
201.244.108.183:995
92.8.190.175:2222
salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures

Loads dropped DLL (2 IoCs)
  pid   Process
  5084  rundll32.exe
  5084  rundll32.exe

Discovers systems in the same network (1 TTPs, 1 IoCs)
  pid   Process
  4992  net.exe

Gathers network information (2 TTPs, 2 IoCs)
  Uses commandline utility to view network configuration.
  pid   Process
  1700  ipconfig.exe
  3968  netstat.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process        events
  5084  rundll32.exe   2
  2672  wermgr.exe     62

Suspicious behavior: MapViewOfSection (1 IoCs)
  pid   Process
  5084  rundll32.exe

Suspicious use of AdjustPrivilegeToken (29 IoCs)
  description                 pid   Process       events
  Token: SeDebugPrivilege     3968  netstat.exe   1
  Token: SeDebugPrivilege     3532  whoami.exe    27
  Token: SeSecurityPrivilege  1020  msiexec.exe   1

Suspicious use of WriteProcessMemory (49 IoCs)
  pid   Process        wrote to memory of PID  procid_target  events
  3856  cmd.exe        5060                    68             2
  5060  rundll32.exe   5084                    69             3
  5084  rundll32.exe   2736                    70             3
  5084  rundll32.exe   2672                    71             5
  2672  wermgr.exe     4992                    73             3
  2672  wermgr.exe     4820                    75             3
  2672  wermgr.exe     4868                    77             3
  2672  wermgr.exe     1700                    79             3
  2672  wermgr.exe     2236                    81             3
  2672  wermgr.exe     2276                    83             3
  2276  net.exe        1840                    85             3
  2672  wermgr.exe     2936                    86             3
  2672  wermgr.exe     3968                    88             3
  2672  wermgr.exe     2164                    90             3
  2164  net.exe        5068                    92             3
  2672  wermgr.exe     3532                    93             3
Processes

C:\Windows\system32\cmd.exe (PID 3856)
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RunDLL-1.bat"
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\rundll32.exe (PID 5060)
    command line: rundll32.exe index1.png,Wind
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe (PID 5084)
      command line: rundll32.exe index1.png,Wind
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\wermgr.exe (PID 2736)
        command line: C:\Windows\SysWOW64\wermgr.exe
      C:\Windows\SysWOW64\wermgr.exe (PID 2672)
        command line: C:\Windows\SysWOW64\wermgr.exe
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net.exe (PID 4992)
          command line: net view
          - Discovers systems in the same network
        C:\Windows\SysWOW64\cmd.exe (PID 4820)
          command line: cmd /c set
        C:\Windows\SysWOW64\arp.exe (PID 4868)
          command line: arp -a
        C:\Windows\SysWOW64\ipconfig.exe (PID 1700)
          command line: ipconfig /all
          - Gathers network information
        C:\Windows\SysWOW64\nslookup.exe (PID 2236)
          command line: nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP
        C:\Windows\SysWOW64\net.exe (PID 2276)
          command line: net share
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\net1.exe (PID 1840)
            command line: C:\Windows\system32\net1 share
        C:\Windows\SysWOW64\route.exe (PID 2936)
          command line: route print
        C:\Windows\SysWOW64\netstat.exe (PID 3968)
          command line: netstat -nao
          - Gathers network information
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\net.exe (PID 2164)
          command line: net localgroup
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\net1.exe (PID 5068)
            command line: C:\Windows\system32\net1 localgroup
        C:\Windows\SysWOW64\whoami.exe (PID 3532)
          command line: whoami /all
          - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\msiexec.exe (PID 1020)
  command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 1.8MB
MD5: f7202e522a8901da566cbd69d7b195e0
SHA1: 3990af71966ceab9bf73636fcd845dac0b269942
SHA256: 772c5718a6ddaa89d6e6144f275b76046477306afdf8ad3f46c4749845e4248a
SHA512: a58ca60cbe37c8b0cc195d1bbe8ee9c986392f8781187378d1f2aa96bff1834e4c24f76580d779f6024c0841fc826146d8d4aa909defc7639c95edda079ae124