Analysis

max time kernel: 130s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/02/2023, 11:20

Static task: static1
Behavioral task: behavioral1
Sample: StrangulatorySubduedness.dll
Resource: win7-20230220-en
General

Target: StrangulatorySubduedness.dll
Size: 348KB
MD5: 842ff3818aab3bc168f997aa43163434
SHA1: ba69ce91bcc57883ed2989749a9c05c2ef8bd899
SHA256: 628b7be2f1bb39f173458d0595ddfed907157ef25a574d34faaa4bfd80129071
SHA512: 57c7ce4fd461e0b6d8599f68cd9dedf382f5cec1c70cb599a90964fa1a8d2c07e6397587bb69b65662de2bc45e582acbe723e0909282fb2a7bf4ec5243434282
SSDEEP: 6144:znCkEzy3WOKrHe7EPvIbQP952w7QNlC20wHa8zbC6+fYyf9unVes12qxWCla8aGN:NEyrw2s20wHao+mmeWCl9Vdsd
Malware Config

Extracted
Family: qakbot
Version: 404.66
Botnet: BB17
Campaign: 1677576236 (Unix epoch; decodes to 2023-02-28 09:23:56 UTC, the same day the sample was submitted)
C2 (host:port):
73.165.119.20:443
80.13.205.69:2222
202.142.98.62:995
14.192.241.76:995
90.104.22.28:2222
74.92.243.113:50000
184.155.91.69:443
12.172.173.82:990
47.34.30.133:443
73.161.176.218:443
27.0.48.233:443
188.49.116.2:995
24.239.69.244:443
12.172.173.82:21
92.239.81.124:443
84.35.26.14:995
91.165.188.74:50000
12.172.173.82:465
172.248.42.122:443
103.140.174.19:2222
70.160.80.210:443
2.13.73.146:2222
2.98.146.106:995
213.67.255.57:2222
172.90.139.138:2222
72.80.7.6:50003
59.28.84.65:443
87.223.83.119:443
190.191.35.122:443
47.21.51.138:443
116.74.164.35:443
72.80.7.6:995
35.143.97.145:995
161.142.102.110:995
103.123.223.168:443
125.99.69.178:443
116.72.250.18:443
76.170.252.153:995
92.27.86.48:2222
103.141.50.102:995
202.142.98.62:443
89.129.109.27:2222
71.31.101.183:443
98.145.23.67:443
75.158.15.211:443
86.225.214.138:2222
12.172.173.82:2087
103.111.70.115:995
82.127.204.82:2222
103.212.19.254:995
92.154.17.149:2222
2.50.47.74:443
88.171.156.150:50000
37.189.253.91:443
92.154.45.81:2222
201.244.108.183:995
46.27.231.50:2078
82.212.111.19:443
73.22.121.210:443
85.59.61.52:2222
47.21.51.138:995
213.31.90.183:2222
27.109.19.90:2078
184.176.35.223:2222
50.68.186.195:443
69.133.162.35:443
118.250.180.74:995
103.252.7.231:443
12.172.173.82:50001
151.65.177.218:443
180.151.104.240:443
86.190.223.11:2222
86.130.9.136:2222
31.166.48.125:995
119.155.246.94:995
47.196.225.236:443
86.195.14.72:2222
75.98.154.19:443
50.68.204.71:993
114.143.176.235:443
27.0.48.205:443
103.144.201.53:2078
167.56.52.254:995
103.111.70.115:443
87.202.101.164:50000
49.245.82.178:2222
212.69.141.168:995
136.244.25.165:443
80.47.61.240:2222
50.68.204.71:995
124.122.56.144:443
198.2.51.242:993
86.250.10.160:2222
147.219.4.194:443
77.124.9.203:443
109.149.147.104:2222
86.202.48.142:2222
76.80.180.154:995
104.35.24.154:443
73.36.196.11:443
84.215.202.22:443
12.172.173.82:32101
77.86.98.236:443
81.229.117.95:2222
93.147.134.85:443
176.142.207.63:443
202.186.177.88:443
92.186.69.229:2222
66.191.69.18:995
64.237.251.199:443
186.64.87.213:443
108.190.203.42:995
49.175.72.56:443
50.68.204.71:443
75.143.236.149:443
174.104.184.149:443
72.203.216.98:2222
197.92.136.122:443
122.184.143.82:443
Salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
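The extracted configuration is the part of this report a responder actually consumes, and the raw host:port dump above is awkward to feed into blocking or hunting as it stands. The following is an added example, not part of this sandbox report or of the sample: it parses a subset of the C2 entries copied from the list above, drops malformed or non-routable lines, groups hosts by port (the non-443 ports are the ones that need explicit egress rules), reports hosts advertised on more than one port (12.172.173.82 appears on six ports in the full list), and renders the campaign value as a UTC time. The embedded subset, the function names and the defanging style are the example's own choices.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Subset of the C2 entries from the extracted config in this report (host:port, one per
# line) and the campaign value. Copied from the report, not recovered from the binary here.
C2_TEXT = """\
73.165.119.20:443
80.13.205.69:2222
202.142.98.62:995
12.172.173.82:990
12.172.173.82:21
12.172.173.82:465
202.142.98.62:443
50.68.204.71:993
50.68.204.71:995
50.68.204.71:443
"""
CAMPAIGN_TS = 1677576236


def parse_c2(text):
    """Parse 'ip:port' lines into (ip, port) tuples; skip malformed lines, dedupe, keep order."""
    seen, out = set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        host, _, port = line.rpartition(":")
        try:
            ip = ipaddress.ip_address(host)
            port = int(port)
        except ValueError:
            continue
        # Qakbot's advertised C2 tier is public (largely residential) address space;
        # a private address here is a parsing error, not an indicator.
        if not 1 <= port <= 65535 or ip.is_private:
            continue
        key = (str(ip), port)
        if key not in seen:
            seen.add(key)
            out.append(key)
    return out


def hosts_by_port(entries):
    """Group hosts per port, sorted, so egress rules can be written per destination port."""
    by_port = defaultdict(set)
    for ip, port in entries:
        by_port[port].add(ip)
    return {p: sorted(v) for p, v in by_port.items()}


def multi_port_hosts(entries):
    """Hosts listed on more than one port: the same proxy node reachable several ways."""
    ports = defaultdict(set)
    for ip, port in entries:
        ports[ip].add(port)
    return {ip: sorted(p) for ip, p in ports.items() if len(p) > 1}


def campaign_time(ts):
    """Qakbot campaign IDs are Unix epoch timestamps; render as ISO-8601 UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def defang(ip, port):
    """Defang an address so it is safe to paste into a ticket or report."""
    return f"{ip.replace('.', '[.]')}:{port}"


if __name__ == "__main__":
    entries = parse_c2(C2_TEXT)
    print("campaign started:", campaign_time(CAMPAIGN_TS))
    for port, hosts in sorted(hosts_by_port(entries).items()):
        print(f"port {port}: {', '.join(defang(h, port) for h in hosts)}")
    for ip, ports in multi_port_hosts(entries).items():
        print(f"{ip.replace('.', '[.]')} advertised on ports {ports}")
```

Running it on the full list above rather than the subset is a matter of pasting the remaining lines into C2_TEXT; the decoded campaign time lands on the submission date shown at the top of this report.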
Signatures

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  1008  1344        WerFault.exe  87

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  1640  rundll32.exe  (2 entries)
  3440  rundll32.exe  (2 entries)
  788   wermgr.exe    (all remaining entries)

Suspicious behavior: MapViewOfSection (2 IoCs)
  pid   Process
  1640  rundll32.exe
  3440  rundll32.exe

Suspicious use of WriteProcessMemory (23 IoCs)
  pid   Process       wrote to memory of  procid_target  entries
  3424  rundll32.exe  1344                87             3
  4964  cmd.exe       2616                111            2
  2616  rundll32.exe  1640                113            3
  4964  cmd.exe       3600                114            2
  3600  rundll32.exe  3440                115            3
  1640  rundll32.exe  2352                117            5
  3440  rundll32.exe  788                 116            5
Processes

C:\Windows\system32\rundll32.exe  (PID 3424)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\StrangulatorySubduedness.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe  (PID 1344)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\StrangulatorySubduedness.dll,#1
    C:\Windows\SysWOW64\WerFault.exe  (PID 1008)
      C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 600
      - Program crash

C:\Windows\SysWOW64\WerFault.exe  (PID 1892)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1344 -ip 1344

C:\Windows\system32\cmd.exe  (PID 4964)
  "C:\Windows\system32\cmd.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\rundll32.exe  (PID 2616)
    rundll32 StrangulatorySubduedness.dll,N115
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe  (PID 1640)
      rundll32 StrangulatorySubduedness.dll,N115
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\wermgr.exe  (PID 2352)
        C:\Windows\SysWOW64\wermgr.exe
  C:\Windows\system32\rundll32.exe  (PID 3600)
    rundll32 StrangulatorySubduedness.dll,N115
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe  (PID 3440)
      rundll32 StrangulatorySubduedness.dll,N115
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\wermgr.exe  (PID 788)
        C:\Windows\SysWOW64\wermgr.exe
        - Suspicious behavior: EnumeratesProcesses
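Two things in the process tree are worth turning into detection logic rather than reading once: the invocation of the DLL's first export (",#1") crashes and is picked up by WerFault, while the ",N115" export runs, and in both successful runs the 32-bit rundll32.exe spawns wermgr.exe and then writes into it (the WriteProcessMemory signature pairs 1640 with 2352 and 3440 with 788). The 64-bit system32 rundll32.exe writing into the SysWOW64 rundll32.exe it launches is the ordinary WoW64 handoff for a 32-bit DLL and must be excluded, or the rule fires on every 32-bit DLL run. The following is an added example, not part of this report or of any sandbox's own logic: it rebuilds the tree and the unique write pairs from the report as records, flags rundll32 writing into a non-rundll32 child, and pairs each WerFault "-p <pid>" with the rundll32 command line that crashed so the faulting export is named. The record layout, field names and helper names are the example's own.

```python
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")
Write = namedtuple("Write", "src_pid dst_pid")

# Process records reconstructed from the process tree in this report; ppid comes from the
# tree depth, None for roots. Constructed for this example, not emitted by the sandbox.
PROCESSES = [
    Proc(3424, None, r"C:\Windows\system32\rundll32.exe",
         r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\StrangulatorySubduedness.dll,#1"),
    Proc(1344, 3424, r"C:\Windows\SysWOW64\rundll32.exe",
         r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\StrangulatorySubduedness.dll,#1"),
    Proc(1008, 1344, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 600"),
    Proc(1892, None, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1344 -ip 1344"),
    Proc(4964, None, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    Proc(2616, 4964, r"C:\Windows\system32\rundll32.exe", r"rundll32 StrangulatorySubduedness.dll,N115"),
    Proc(1640, 2616, r"C:\Windows\SysWOW64\rundll32.exe", r"rundll32 StrangulatorySubduedness.dll,N115"),
    Proc(2352, 1640, r"C:\Windows\SysWOW64\wermgr.exe", r"C:\Windows\SysWOW64\wermgr.exe"),
    Proc(3600, 4964, r"C:\Windows\system32\rundll32.exe", r"rundll32 StrangulatorySubduedness.dll,N115"),
    Proc(3440, 3600, r"C:\Windows\SysWOW64\rundll32.exe", r"rundll32 StrangulatorySubduedness.dll,N115"),
    Proc(788, 3440, r"C:\Windows\SysWOW64\wermgr.exe", r"C:\Windows\SysWOW64\wermgr.exe"),
]

# Unique (source, target) pairs from the "Suspicious use of WriteProcessMemory" signature.
WRITES = [Write(3424, 1344), Write(4964, 2616), Write(2616, 1640), Write(4964, 3600),
          Write(3600, 3440), Write(1640, 2352), Write(3440, 788)]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_injections(processes, writes):
    """rundll32 writing into a child it spawned that is not itself rundll32.

    The 64-bit rundll32 -> SysWOW64 rundll32 write is the normal WoW64 handoff and is
    excluded; anything else is consistent with injection into a freshly started host process.
    Returns (source pid, target pid, target image, source command line)."""
    by_pid = {p.pid: p for p in processes}
    hits = []
    for w in writes:
        src, dst = by_pid.get(w.src_pid), by_pid.get(w.dst_pid)
        if src is None or dst is None or basename(src.image) != "rundll32.exe":
            continue
        if dst.ppid != src.pid:
            continue  # only child processes; cross-tree writes would need a separate rule
        if basename(dst.image) == "rundll32.exe":
            continue  # WoW64 handoff, benign on its own
        hits.append((src.pid, dst.pid, basename(dst.image), src.cmdline))
    return hits


def crashed_exports(processes):
    """Pair each WerFault '-p <pid>' report with the rundll32 it reports on and return
    (crashed pid, export argument) so the failing export is visible at a glance."""
    by_pid = {p.pid: p for p in processes}
    out = set()
    for p in processes:
        if basename(p.image) == "werfault.exe" and " -p " in p.cmdline:
            victim_pid = int(p.cmdline.split(" -p ")[1].split()[0])
            victim = by_pid.get(victim_pid)
            if victim and basename(victim.image) == "rundll32.exe":
                out.add((victim_pid, victim.cmdline.rsplit(",", 1)[-1]))
    return sorted(out)


if __name__ == "__main__":
    for src, dst, image, cmd in find_injections(PROCESSES, WRITES):
        print(f"rundll32 {src} wrote into child {image} {dst}  [{cmd}]")
    for pid, export in crashed_exports(PROCESSES):
        print(f"rundll32 {pid} crashed while running export {export}")
```

On this report the first function returns exactly the two wermgr.exe children and the second returns the single crashed ",#1" run; the same logic applies unchanged to Sysmon event ID 1 (process create) and ID 8/10 (remote thread / process access) records once they are mapped onto the Proc and Write shapes.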
Downloads

Filesize: 4KB
MD5: b356f2f09b3cc78822ec9e4458338087
SHA1: a27152f549445c8bdac3133d97cfe332c3f0516d
SHA256: 184063cf0a1c430e8c789d5d181061353bbfab16b8c2dc0eed40f486611b0372
SHA512: 1b5677da6ee0f72dffcdb92e32d6acadf40d3a3f1179fc8921f75c19861489d3b55c3e66aae7d05cddaf8c688fdcbef1fc6d39ff6faa96795c2da9a1047ffa96