Analysis
- max time kernel: 154s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/02/2023, 10:01

Static task: static1
Behavioral task: behavioral1
- Sample: 01.png.dll
- Resource: win7-20221111-en
General
- Target: 01.png.dll
- Size: 792KB
- MD5: 757bb7210f85c61287ea483ffeba6047
- SHA1: 4e765ed8d01a04d409b3e627e95328057b4a553e
- SHA256: 7e17200c8df5260abb995b32da65dfb50cca19ddc087236865d41f80d7fe1923
- SHA512: d59b760836e7e5246fd1accba41e5eb67d8cc99d9936670f9b7ab19e38e8a1466be179647bfb85eabc0bbb84e4897dc3712f74ca46ad757fcbe87c9f0ca13a91
- SSDEEP: 24576:bH8Xsmt4vyVjXe1ikZdtjMsc7MscXMscktkTNdi+Y0zs:qefBtkf9zs
Malware Config
Extracted
qakbot
404.506
BB14
1675933835
- salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures

Program crash (3 IoCs)
pid   pid_target  Process       procid_target
2808  4992        WerFault.exe  80
3616  2040        WerFault.exe  104
1664  1268        WerFault.exe  103

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
4896  rundll32.exe
536   rundll32.exe
3924  msra.exe
(the 64 entries repeat these three pid/Process pairs; duplicate rows collapsed, almost all of them are 3924 msra.exe)

Suspicious behavior: MapViewOfSection (4 IoCs)
pid   Process
4896  rundll32.exe
536   rundll32.exe
536   rundll32.exe
4896  rundll32.exe

Suspicious use of WriteProcessMemory (42 IoCs)
description                       pid   Process       procid_target
PID 4208 wrote to memory of 4992  4208  rundll32.exe  80
PID 1284 wrote to memory of 1380  1284  cmd.exe       97
PID 1284 wrote to memory of 4944  1284  cmd.exe       98
PID 1380 wrote to memory of 4896  1380  rundll32.exe  99
PID 4944 wrote to memory of 536   4944  rundll32.exe  100
PID 4896 wrote to memory of 1648  4896  rundll32.exe  101
PID 536 wrote to memory of 4912   536   rundll32.exe  102
PID 536 wrote to memory of 1268   536   rundll32.exe  103
PID 4896 wrote to memory of 2040  4896  rundll32.exe  104
PID 1268 wrote to memory of 1664  1268  wermgr.exe    108
PID 536 wrote to memory of 3924   536   rundll32.exe  111
PID 4896 wrote to memory of 4140  4896  rundll32.exe  112
(each of the 42 entries is one of these writer/target pairs; duplicate rows collapsed)
Processes

- C:\Windows\system32\rundll32.exe
  cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\01.png.dll,#1
  PID: 4208
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\01.png.dll,#1
    PID: 4992
    - C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 640
      PID: 2808
      signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4992 -ip 4992
  PID: 3912
- C:\Windows\system32\cmd.exe
  cmdline: "C:\Windows\system32\cmd.exe"
  PID: 1284
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    cmdline: rundll32 01.png.dll,Wind
    PID: 1380
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      cmdline: rundll32 01.png.dll,Wind
      PID: 4896
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\wermgr.exe
        cmdline: C:\Windows\SysWOW64\wermgr.exe
        PID: 1648
      - C:\Windows\SysWOW64\wermgr.exe
        cmdline: C:\Windows\SysWOW64\wermgr.exe
        PID: 2040
        - C:\Windows\SysWOW64\WerFault.exe
          cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 352
          PID: 3616
          signatures: Program crash
      - C:\Windows\SysWOW64\msra.exe
        cmdline: C:\Windows\SysWOW64\msra.exe
        PID: 4140
  - C:\Windows\system32\rundll32.exe
    cmdline: rundll32 01.png.dll,Wind
    PID: 4944
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      cmdline: rundll32 01.png.dll,Wind
      PID: 536
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\wermgr.exe
        cmdline: C:\Windows\SysWOW64\wermgr.exe
        PID: 4912
      - C:\Windows\SysWOW64\wermgr.exe
        cmdline: C:\Windows\SysWOW64\wermgr.exe
        PID: 1268
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\WerFault.exe
          cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 352
          PID: 1664
          signatures: Program crash
      - C:\Windows\SysWOW64\msra.exe
        cmdline: C:\Windows\SysWOW64\msra.exe
        PID: 3924
        signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1268 -ip 1268
  PID: 616
- C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2040 -ip 2040
  PID: 1048
Downloads
- Filesize: 4KB
  MD5: 3b9ca5ddde25a75f39ca62634495c6a9
  SHA1: 154be9302723129ee69f6595e541b5d26a46d958
  SHA256: f3db5491984df74e5cc08e853328b2764fb8b3a46a98315094dfb505f7cd1c1d
  SHA512: 9d8508b5a261d6b13ab39f78bde61d1bca726755c252651ab9953e75b4b6006e789f9443c959f0e3e15461160638c945cf162a21074b305cc78355666ccd4a92