Analysis
max time kernel: 148s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/02/2023, 12:54
Static task: static1
Behavioral task: behavioral1
  Sample: myufn.dll
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: myufn.dll
  Resource: win10v2004-20220812-en
General
Target: myufn.dll
Size: 812KB
MD5: ab774bc383c2873262b3d0e7053dc464
SHA1: 887c14c6ea122c04bc821a727fc3c439c7b1846d
SHA256: c5701af10df111f738ed461f5b071c4165ad6e26446a21daea8accb769b55f26
SHA512: f5be764506ef200507e42e78bb866f3365db256fddd00bc1dcca24f663b391309561a423d8f394da6388248f952cc0fb64907f802d81040e53e4bda8d1801d8e
SSDEEP: 24576:sikjPg+4QceLhb6fMYaq4RPaOFmyjAjX:Bk0YBq6fjqX
Malware Config
Extracted
Family: qakbot
Version: 404.432
Botnet: BB12
Campaign: 1675161160
C2 (address:port):
114.143.176.234:443
88.126.94.4:50000
103.252.7.228:443
87.10.205.117:443
82.15.58.109:2222
72.80.7.6:995
90.162.45.154:2222
47.34.30.133:443
50.68.204.71:993
112.141.184.246:995
73.165.119.20:443
91.169.12.198:32100
173.18.126.3:443
87.56.238.53:443
85.241.180.94:443
12.172.173.82:50001
92.154.17.149:2222
103.42.86.246:995
12.172.173.82:990
91.254.132.23:443
121.121.100.207:995
74.92.243.113:50000
69.119.123.159:2222
156.217.247.173:995
50.68.204.71:995
76.170.252.153:995
92.8.190.175:2222
69.159.158.183:2222
172.248.42.122:443
12.172.173.82:2087
197.148.17.17:2078
75.143.236.149:443
69.133.162.35:443
50.68.204.71:443
125.20.112.94:443
206.188.201.143:2222
92.27.86.48:2222
71.46.234.171:443
85.59.61.52:2222
12.172.173.82:995
71.112.212.166:443
27.0.48.233:443
130.43.172.217:2222
98.175.176.254:995
200.109.207.186:2222
103.141.50.151:995
107.146.12.26:2222
136.232.184.134:995
181.118.183.2:443
136.244.25.165:443
197.204.184.160:443
183.87.163.165:443
5.163.163.51:995
102.156.154.112:443
87.223.87.126:443
91.165.188.74:50000
89.115.196.99:443
87.221.197.113:2222
89.79.229.50:443
84.108.200.161:443
123.3.240.16:995
161.142.104.187:995
173.76.49.61:443
47.21.51.138:995
175.139.129.94:2222
58.247.115.126:995
60.254.51.168:443
184.153.132.82:443
116.75.63.184:443
70.66.199.12:443
162.248.14.107:443
75.98.154.19:443
202.142.98.62:995
93.24.192.142:20
202.142.98.62:443
78.193.176.97:443
87.202.101.164:50000
82.121.195.187:2222
88.169.33.180:2222
89.129.109.27:2222
85.7.61.22:2222
86.130.9.182:2222
24.228.132.224:2222
86.96.72.139:2222
24.9.220.167:443
91.231.173.199:995
217.128.91.196:2222
102.156.174.28:443
213.67.255.57:2222
176.202.38.188:443
98.145.23.67:443
217.128.200.114:2222
70.77.116.233:443
67.10.175.47:2222
74.33.196.114:443
31.53.29.161:2222
12.172.173.82:20
90.104.22.28:2222
27.0.48.205:443
103.212.19.254:995
86.195.14.72:2222
119.82.122.226:443
92.154.45.81:2222
151.65.168.222:443
2.98.146.106:995
213.31.90.183:2222
47.61.70.188:2078
27.109.19.90:2078
173.178.151.233:443
198.2.51.242:993
86.194.156.14:2222
76.80.180.154:995
174.104.184.149:443
12.172.173.82:465
12.172.173.82:32101
171.97.42.67:443
73.36.196.11:443
71.31.101.183:443
81.229.117.95:2222
salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe

Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\a96ae988-57f1-430f-b270-341cffb40e4c.tmp | setup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230203135633.pma | setup.exe

Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  4960 | 2584 | WerFault.exe | 82

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Modifies registry class (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid | Process
  2584 | rundll32.exe
  2584 | rundll32.exe
  2632 | msedge.exe
  2632 | msedge.exe
  4648 | msedge.exe
  4648 | msedge.exe
  5956 | identity_helper.exe
  5956 | identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
  pid | Process
  4648 | msedge.exe
  4648 | msedge.exe
  4648 | msedge.exe
  4648 | msedge.exe
  4648 | msedge.exe
  4648 | msedge.exe
  4648 | msedge.exe
  4648 | msedge.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: 33 | 5348 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 5348 | AUDIODG.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  4648 | msedge.exe
  4648 | msedge.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description pid Process procid_target PID 4844 wrote to memory of 2584 4844 rundll32.exe 82 PID 4844 wrote to memory of 2584 4844 rundll32.exe 82 PID 4844 wrote to memory of 2584 4844 rundll32.exe 82 PID 4648 wrote to memory of 1064 4648 msedge.exe 104 PID 4648 wrote to memory of 1064 4648 msedge.exe 104 PID 4648 wrote to memory of 3144 4648 msedge.exe 105 PID 4648 wrote to memory of 3144 4648 msedge.exe 105 PID 4648 wrote to memory of 3144 4648 msedge.exe 105 PID 4648 wrote to memory of 3144 4648 msedge.exe 105 PID 4648 wrote to memory of 3144 4648 msedge.exe 105 PID 4648 wrote to memory of 3144 4648 msedge.exe 105 PID 4648 wrote to memory of 3144 4648 msedge.exe 105 PID 4648 wrote to memory of 3144 4648 msedge.exe 105 PID 4648 wrote to memory of 3144 4648 msedge.exe 105 PID 4648 wrote to memory of 3144 4648 msedge.exe 105 PID 4648 wrote to memory of 3144 4648 msedge.exe 105 PID 4648 wrote to memory of 3144 4648 msedge.exe 105 PID 4648 wrote to memory of 3144 4648 msedge.exe 105 PID 4648 wrote to memory of 3144 4648 msedge.exe 105 PID 4648 wrote to memory of 3144 4648 msedge.exe 105 PID 4648 wrote to memory of 3144 4648 msedge.exe 105 PID 4648 wrote to memory of 3144 4648 msedge.exe 105 PID 4648 wrote to memory of 3144 4648 msedge.exe 105 PID 4648 wrote to memory of 3144 4648 msedge.exe 105 PID 4648 wrote to memory of 3144 4648 msedge.exe 105 PID 4648 wrote to memory of 3144 4648 msedge.exe 105 PID 4648 wrote to memory of 3144 4648 msedge.exe 105 PID 4648 wrote to memory of 3144 4648 msedge.exe 105 PID 4648 wrote to memory of 3144 4648 msedge.exe 105 PID 4648 wrote to memory of 3144 4648 msedge.exe 105 PID 4648 wrote to memory of 3144 4648 msedge.exe 105 PID 4648 wrote to memory of 3144 4648 msedge.exe 105 PID 4648 wrote to memory of 3144 4648 msedge.exe 105 PID 4648 wrote to memory of 3144 4648 msedge.exe 105 PID 4648 wrote to memory of 3144 4648 msedge.exe 105 PID 4648 wrote to memory of 3144 4648 msedge.exe 105 PID 4648 wrote to memory of 3144 4648 msedge.exe 
105 PID 4648 wrote to memory of 3144 4648 msedge.exe 105 PID 4648 wrote to memory of 3144 4648 msedge.exe 105 PID 4648 wrote to memory of 3144 4648 msedge.exe 105 PID 4648 wrote to memory of 3144 4648 msedge.exe 105 PID 4648 wrote to memory of 3144 4648 msedge.exe 105 PID 4648 wrote to memory of 3144 4648 msedge.exe 105 PID 4648 wrote to memory of 3144 4648 msedge.exe 105 PID 4648 wrote to memory of 3144 4648 msedge.exe 105 PID 4648 wrote to memory of 2632 4648 msedge.exe 106 PID 4648 wrote to memory of 2632 4648 msedge.exe 106 PID 4648 wrote to memory of 1208 4648 msedge.exe 108 PID 4648 wrote to memory of 1208 4648 msedge.exe 108 PID 4648 wrote to memory of 1208 4648 msedge.exe 108 PID 4648 wrote to memory of 1208 4648 msedge.exe 108 PID 4648 wrote to memory of 1208 4648 msedge.exe 108 PID 4648 wrote to memory of 1208 4648 msedge.exe 108 PID 4648 wrote to memory of 1208 4648 msedge.exe 108 PID 4648 wrote to memory of 1208 4648 msedge.exe 108 PID 4648 wrote to memory of 1208 4648 msedge.exe 108 PID 4648 wrote to memory of 1208 4648 msedge.exe 108 PID 4648 wrote to memory of 1208 4648 msedge.exe 108 PID 4648 wrote to memory of 1208 4648 msedge.exe 108 PID 4648 wrote to memory of 1208 4648 msedge.exe 108 PID 4648 wrote to memory of 1208 4648 msedge.exe 108 PID 4648 wrote to memory of 1208 4648 msedge.exe 108 PID 4648 wrote to memory of 1208 4648 msedge.exe 108 PID 4648 wrote to memory of 1208 4648 msedge.exe 108
Processes (tree; each child process is indented under its parent)

C:\Windows\system32\rundll32.exe
  command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\myufn.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 4844

  C:\Windows\SysWOW64\rundll32.exe
    command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\myufn.dll,#1
    - Suspicious behavior: EnumeratesProcesses
    PID: 2584

    C:\Windows\SysWOW64\WerFault.exe
      command: C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 624
      - Program crash
      PID: 4960

C:\Windows\SysWOW64\WerFault.exe
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2584 -ip 2584
  PID: 4972

C:\Windows\System32\rundll32.exe
  command: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 3560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:?launchContext1=Microsoft.Windows.Cortana_cw5n1h2txyewy&url=https%3A%2F%2Fwww.bing.com%2Fsearch%3Fq%3Dmyufn%26form%3DWNSGPH%26qs%3DSW%26cvid%3D3c89bcd9ba264ed4ba31968d9a7c8a46%26pq%3Dmyufn%26cc%3DUS%26setlang%3Den-US%26nclid%3D9C0DA10A27A69B5F4DC9FC093B60234D%26ts%3D1675432578104%26nclidts%3D1675432578%26tsms%3D104
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 4648

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdf15d46f8,0x7ffdf15d4708,0x7ffdf15d4718
    PID: 1064
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,11360349330415230897,12137279347078103570,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2236 /prefetch:2
    PID: 3144
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,11360349330415230897,12137279347078103570,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    PID: 2632

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,11360349330415230897,12137279347078103570,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
    PID: 1208

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11360349330415230897,12137279347078103570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1
    PID: 100

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11360349330415230897,12137279347078103570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3804 /prefetch:1
    PID: 5032

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2184,11360349330415230897,12137279347078103570,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3548 /prefetch:8
    PID: 4848

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11360349330415230897,12137279347078103570,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
    PID: 3036

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11360349330415230897,12137279347078103570,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
    PID: 3308

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11360349330415230897,12137279347078103570,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:1
    PID: 5276

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2184,11360349330415230897,12137279347078103570,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3688 /prefetch:8
    PID: 5292

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11360349330415230897,12137279347078103570,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4332 /prefetch:1
    PID: 5464

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2184,11360349330415230897,12137279347078103570,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5756 /prefetch:8
    PID: 5552

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11360349330415230897,12137279347078103570,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
    PID: 5616

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11360349330415230897,12137279347078103570,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
    PID: 5632

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,11360349330415230897,12137279347078103570,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 /prefetch:8
    PID: 5776

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    - Drops file in Program Files directory
    PID: 5824

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff678205460,0x7ff678205470,0x7ff678205480
      PID: 5872

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,11360349330415230897,12137279347078103570,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 5956

C:\Windows\System32\CompPkgSrv.exe
  command: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4004

C:\Windows\system32\cmd.exe
  command: "C:\Windows\system32\cmd.exe"
  PID: 3508

C:\Windows\system32\AUDIODG.EXE
  command: C:\Windows\system32\AUDIODG.EXE 0x374 0x320
  - Suspicious use of AdjustPrivilegeToken
  PID: 5348