Analysis Overview
SHA256
f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
Threat Level: Known bad
The file r.png was found to be: Known bad.
Malicious Activity Summary
Qakbot/Qbot
Loads dropped DLL
Program crash
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-02-03 20:44
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-03 20:44
Reported
2023-02-03 20:46
Platform
win7-20221111-en
Max time kernel
28s
Max time network
30s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\r.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\r.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 228
Network
Files
memory/1452-54-0x0000000000000000-mapping.dmp
memory/1452-55-0x0000000076941000-0x0000000076943000-memory.dmp
memory/1696-56-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-03 20:44
Reported
2023-02-03 20:46
Platform
win10v2004-20220901-en
Max time kernel
149s
Max time network
142s
Command Line
Signatures
Qakbot/Qbot
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
| N/A | N/A | C:\Windows\system32\WerFault.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\r.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\r.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3940 -ip 3940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 600
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 5052 -ip 5052
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5052 -s 788
C:\Windows\system32\rundll32.exe
rundll32.exe r.dll,Wind
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe r.dll,Wind
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | tcp | |
| US | 8.8.8.8:53 | r.bing.com | udp |
| FR | 2.16.165.154:443 | r.bing.com | tcp |
| US | 8.8.8.8:53 | dual-s-ring-fallback.msedge.net | udp |
| US | 52.123.130.254:443 | dual-s-ring-fallback.msedge.net | tcp |
| US | 8.8.8.8:53 | k-ring-fallback.msedge.net | udp |
| US | 13.107.19.254:443 | k-ring-fallback.msedge.net | tcp |
| US | 8.8.8.8:53 | spo-ring.msedge.net | udp |
| US | 13.107.136.254:443 | spo-ring.msedge.net | tcp |
| US | 20.42.72.131:443 | tcp | |
| US | 67.24.25.254:80 | tcp | |
| US | 67.24.25.254:80 | tcp | |
| US | 67.24.25.254:80 | tcp |
Files
memory/3940-132-0x0000000000000000-mapping.dmp
memory/2248-133-0x0000000000000000-mapping.dmp
memory/3444-134-0x0000000000000000-mapping.dmp
memory/3444-135-0x0000000002610000-0x0000000002633000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5EEBDDAD.dll
| MD5 | f530495445432d6ae00f2b0f08f7c804 |
| SHA1 | f66f538b95b1a924c8392fbe7743d193d78eb50c |
| SHA256 | 5cc51f26704eef3b59e6d33ea690fa5c62237627269493ead5bad6f71d2de07b |
| SHA512 | 2b44ed622e63014a0d2d613d8bbc1548dd193460ce7711414dc4eb62a2aef69d57c9821f834555539b6a49f584cb46c5e82a9867ab0a0733d78e4f1d032d6ce8 |
C:\Users\Admin\AppData\Local\Temp\9BF2D3E0.dll
| MD5 | f530495445432d6ae00f2b0f08f7c804 |
| SHA1 | f66f538b95b1a924c8392fbe7743d193d78eb50c |
| SHA256 | 5cc51f26704eef3b59e6d33ea690fa5c62237627269493ead5bad6f71d2de07b |
| SHA512 | 2b44ed622e63014a0d2d613d8bbc1548dd193460ce7711414dc4eb62a2aef69d57c9821f834555539b6a49f584cb46c5e82a9867ab0a0733d78e4f1d032d6ce8 |
memory/1812-142-0x0000000000000000-mapping.dmp
memory/1812-143-0x0000000000640000-0x0000000000663000-memory.dmp
memory/1812-144-0x0000000000640000-0x0000000000663000-memory.dmp