Analysis
max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/02/2023, 18:31
Static task: static1
Behavioral task: behavioral1
Sample: 60852.dll
Resource: win7-20221111-en
General
Target: 60852.dll
Size: 414KB
MD5: e72a2c94e84a6457842987623b38505f
SHA1: 697d305ac202375be260c81612a72adf4da73dc4
SHA256: 6decda40aeeccbcb423bcf2b34cf19840e127ebfeb9d79022a891b1f2e1518c3
SHA512: d8f56c170faec5c4e9beec19507a177de74f8c6d33b3b9772d7e81ab9cc3f2542fda78410d3981568a7491ae3ab42da59d37f97453abe40006299bf41cd3df06
SSDEEP: 6144:Iubpx1ymed01f3UBRxFoNgKIlp6Ydc2Zo5QLxZ8Ex6kmh08PfJO8L:XN8d0dkfxFoNgKIlbdc2WQLy28
Malware Config
Extracted
Family: qakbot
Version: 404.492
Botnet: obama237
Campaign: 1675763776
C2 (host:port):
12.172.173.82:465
98.145.23.67:443
47.34.30.133:443
14.184.97.194:443
181.118.206.65:995
220.245.150.33:443
162.248.14.107:443
75.98.154.19:443
12.172.173.82:995
92.177.204.2:2222
47.21.51.138:995
27.0.48.233:443
2.82.8.80:443
193.154.201.125:443
24.239.69.244:443
73.165.119.20:443
202.186.177.88:443
173.18.126.3:443
24.71.120.191:443
156.217.208.137:995
95.94.41.77:2222
27.0.48.205:443
92.27.86.48:2222
85.241.180.94:443
150.107.231.59:2222
2.99.47.198:2222
69.119.123.159:2222
172.248.42.122:443
91.165.188.74:50000
81.111.108.123:443
201.211.197.241:2222
105.184.103.182:995
88.169.33.180:2222
84.35.26.14:995
73.36.196.11:443
12.172.173.82:990
103.123.221.16:443
86.225.214.138:2222
92.207.132.174:2222
121.121.100.207:995
74.92.243.113:50000
100.10.72.114:443
71.31.101.183:443
198.2.51.242:993
92.8.191.120:2222
86.250.12.217:2222
201.244.108.183:995
50.68.204.71:995
202.142.98.62:995
93.190.140.122:32100
183.87.163.165:443
116.72.250.18:443
202.142.98.62:443
76.80.180.154:995
213.67.255.57:2222
123.3.240.16:995
87.221.197.113:2222
12.172.173.82:32101
86.236.114.212:2222
114.79.180.14:995
72.203.216.98:2222
86.208.35.220:2222
31.53.29.161:2222
81.229.117.95:2222
12.172.173.82:2087
76.170.252.153:995
58.247.115.126:995
116.75.63.203:443
149.74.159.67:2222
47.61.70.188:2078
174.58.146.57:443
93.24.192.142:20
82.121.195.187:2222
217.128.200.114:2222
86.172.79.135:443
217.128.91.196:2222
62.35.67.88:443
59.28.84.65:443
217.165.186.116:2222
47.21.51.138:443
103.212.19.254:995
136.232.184.134:995
86.130.9.197:2222
84.108.200.161:443
197.148.17.17:2078
5.109.75.32:995
89.79.229.50:443
151.65.168.222:443
188.49.124.57:995
93.156.100.20:443
197.0.104.172:443
87.223.87.126:443
89.129.109.27:2222
92.239.81.124:443
90.92.177.180:2222
27.109.19.90:2078
86.207.227.152:2222
176.202.38.188:443
24.228.132.224:2222
208.187.122.74:443
75.156.125.215:995
70.77.116.233:443
184.155.91.69:443
50.68.186.195:443
69.242.31.249:443
88.126.112.14:50000
73.161.176.218:443
87.149.176.97:443
92.154.45.81:2222
50.68.204.71:443
86.195.14.72:2222
136.244.25.165:443
75.143.236.149:443
109.149.147.177:2222
171.97.42.67:443
86.96.72.139:2222
87.202.101.164:50000
104.35.24.154:443
174.104.184.149:443
Salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures

Program crash (1 IoC)
pid   pid_target  Process       procid_target
4176  4144        WerFault.exe  81

Suspicious behavior: EnumeratesProcesses (64 IoCs; identical rows collapsed, occurrence count in the last column)
pid   Process       rows
2824  rundll32.exe  2
4648  rundll32.exe  2
4536  msra.exe      60

Suspicious behavior: MapViewOfSection (4 IoCs)
pid   Process
2824  rundll32.exe
4648  rundll32.exe
4648  rundll32.exe
2824  rundll32.exe

Suspicious use of WriteProcessMemory (39 IoCs; identical rows collapsed, occurrence count in the last column)
description                       pid   Process       procid_target  rows
PID 1972 wrote to memory of 4144  1972  rundll32.exe  81             3
PID 3056 wrote to memory of 332   3056  cmd.exe       99             2
PID 3056 wrote to memory of 1904  3056  cmd.exe       103            2
PID 332 wrote to memory of 2824   332   rundll32.exe  104            3
PID 1904 wrote to memory of 4648  1904  rundll32.exe  105            3
PID 4648 wrote to memory of 912   4648  rundll32.exe  107            3
PID 2824 wrote to memory of 1732  2824  rundll32.exe  108            3
PID 2824 wrote to memory of 1420  2824  rundll32.exe  110            5
PID 4648 wrote to memory of 4192  4648  rundll32.exe  109            5
PID 2824 wrote to memory of 4536  2824  rundll32.exe  114            5
PID 4648 wrote to memory of 5080  4648  rundll32.exe  113            5
Processes
(process tree; indentation shows parent/child relationship; each entry gives the executable path, the command line, the PID and the signatures attached to it)

- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\60852.dll,#1
  PID: 1972
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\60852.dll,#1
    PID: 4144
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 600
      PID: 4176
      signatures: Program crash

- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4144 -ip 4144
  PID: 1724

- C:\Windows\system32\cmd.exe
  command line: "C:\Windows\system32\cmd.exe"
  PID: 3056
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    command line: rundll32.exe 60852.dll,Wind
    PID: 332
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe 60852.dll,Wind
      PID: 2824
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\wermgr.exe
        command line: C:\Windows\SysWOW64\wermgr.exe
        PID: 1732
      - C:\Windows\SysWOW64\wermgr.exe
        command line: C:\Windows\SysWOW64\wermgr.exe
        PID: 1420
      - C:\Windows\SysWOW64\msra.exe
        command line: C:\Windows\SysWOW64\msra.exe
        PID: 4536
        signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Windows\system32\rundll32.exe
    command line: rundll32.exe 60852.dll,Wind
    PID: 1904
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe 60852.dll,Wind
      PID: 4648
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\wermgr.exe
        command line: C:\Windows\SysWOW64\wermgr.exe
        PID: 912
      - C:\Windows\SysWOW64\wermgr.exe
        command line: C:\Windows\SysWOW64\wermgr.exe
        PID: 4192
      - C:\Windows\SysWOW64\msra.exe
        command line: C:\Windows\SysWOW64\msra.exe
        PID: 5080
Downloads
Filesize: 4KB
MD5: ffd8f30a0e9e989b1eece2153710e605
SHA1: 1859a59c4123596702e9ecd1eb4cb4fee3dd8bfb
SHA256: 99380a83c65d0e9333b62bd487b96e011070fce7fe74598ba484383f19aaddbf
SHA512: 3b7fa1e57d417f35cf2bf051b1f297f01fc9f3a8d2d5fd4fd9b3fa61b85eb4ca4202531fdc4fdd85625828c07fb2332fa9687fb8dda6afeba5d8caba47421699