Analysis
max time kernel: 150s
max time network: 47s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 03/02/2023, 12:54
Static task: static1
Behavioral task: behavioral1
  Sample: myufn.dll
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: myufn.dll
  Resource: win10v2004-20220812-en
General
Target: myufn.dll
Size: 812KB
MD5: ab774bc383c2873262b3d0e7053dc464
SHA1: 887c14c6ea122c04bc821a727fc3c439c7b1846d
SHA256: c5701af10df111f738ed461f5b071c4165ad6e26446a21daea8accb769b55f26
SHA512: f5be764506ef200507e42e78bb866f3365db256fddd00bc1dcca24f663b391309561a423d8f394da6388248f952cc0fb64907f802d81040e53e4bda8d1801d8e
SSDEEP: 24576:sikjPg+4QceLhb6fMYaq4RPaOFmyjAjX:Bk0YBq6fjqX
Malware Config
Extracted
qakbot
404.432
BB12
1675161160
salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures
Loads dropped DLL (2 IoCs)
  pid 1576, process rundll32.exe
  pid 1576, process rundll32.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1576, process rundll32.exe
  pid 1692, process wermgr.exe (repeated for the remaining IoCs)
Suspicious behavior: MapViewOfSection (1 IoC)
  pid 1576, process rundll32.exe
Suspicious use of WriteProcessMemory (17 IoCs)
  description: PID 1516 wrote to memory of 1576; pid 1516, process rundll32.exe, procid_target 27 (7 entries)
  description: PID 1576 wrote to memory of 1704; pid 1576, process rundll32.exe, procid_target 28 (4 entries)
  description: PID 1576 wrote to memory of 1692; pid 1576, process rundll32.exe, procid_target 29 (6 entries)
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\myufn.dll,#1
  PID: 1516
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\myufn.dll,#1
    PID: 1576
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\wermgr.exe
      command line: C:\Windows\SysWOW64\wermgr.exe
      PID: 1704
    C:\Windows\SysWOW64\wermgr.exe
      command line: C:\Windows\SysWOW64\wermgr.exe
      PID: 1692
      - Suspicious behavior: EnumeratesProcesses
Downloads
Filesize: 268KB
MD5: 53bb811ed12d2c867b354390fabf9612
SHA1: 81b29c540c0e2a09385cf7e821639ff64fbffd91
SHA256: a972b482b09e50875c5cdc2cfd6c9b2fa96c9dbf9d23894d0b3061c97145b133
SHA512: 5f7b584b9b42b0dc6ebbd3571cac1bc07c16301a994c9891201007c7b8698ef4604b2cc1f7e9a2edb016e50d415a6a9ca390a0df89bab01c889c7d382d2e8d24