Analysis
  max time kernel: 600s
  max time network: 598s
  platform: windows7_x64
  resource: win7-20221111-en
  resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  submitted: 03/02/2023, 02:48

Static task: static1
Behavioral task: behavioral1
  Sample: RunDLL-1.bat
  Resource: win10-20220812-en
General
  Target: RunDLL-1.bat
  Size: 28B
  MD5: 707a85392304853a2f2c42e1e39cafd4
  SHA1: d5d67d2dbcfa5f4061ca32da36cfbee9f3c2a213
  SHA256: 06b1fc756f405efb9f1ef0446bfe9366315ed9e25cfeb98750475e7ed4266161
  SHA512: 3cedae886b9a658f0c566226c5633358d8571fc494a95c968d9df08c40183e206eaeae12860e1c56bcaebde236af4a9b885b7b2760edc38ae34780cc463d7416
Malware Config
Extracted
  Family: qakbot
  404.432
  BB12
  1675352134
  salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures

Loads dropped DLL (2 IoCs)
  pid   Process
  948   rundll32.exe
  948   rundll32.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  948   rundll32.exe
  556   wermgr.exe    (repeated for all remaining IoCs)

Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  948   rundll32.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  description                        pid    Process        procid_target   occurrences
  PID 1312 wrote to memory of 960    1312   cmd.exe        29              3
  PID 960 wrote to memory of 948     960    rundll32.exe   30              7
  PID 948 wrote to memory of 516     948    rundll32.exe   31              4
  PID 948 wrote to memory of 556     948    rundll32.exe   32              6
Processes

C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\RunDLL-1.bat"
  PID: 1312
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe index1.png,Wind
    PID: 960
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe index1.png,Wind
      PID: 948
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\wermgr.exe
        Command line: C:\Windows\SysWOW64\wermgr.exe
        PID: 516
      C:\Windows\SysWOW64\wermgr.exe
        Command line: C:\Windows\SysWOW64\wermgr.exe
        PID: 556
        - Suspicious behavior: EnumeratesProcesses
Downloads

  Filesize: 268KB
  MD5: 53bb811ed12d2c867b354390fabf9612
  SHA1: 81b29c540c0e2a09385cf7e821639ff64fbffd91
  SHA256: a972b482b09e50875c5cdc2cfd6c9b2fa96c9dbf9d23894d0b3061c97145b133
  SHA512: 5f7b584b9b42b0dc6ebbd3571cac1bc07c16301a994c9891201007c7b8698ef4604b2cc1f7e9a2edb016e50d415a6a9ca390a0df89bab01c889c7d382d2e8d24