Analysis
  max time kernel: 150s
  max time network: 136s
  platform: windows10-2004_x64
  resource: win10v2004-20230220-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 28/02/2023, 16:41

Static task: static1
Behavioral task: behavioral1
  Sample: bbbbbboris.dll
  Resource: win7-20230220-en
General
  Target: bbbbbboris.dll
  Size: 355KB
  MD5: 45d887273f56b2154f46fa13f5ba29aa
  SHA1: 2806aedca48e7ab8fdeb507debb93e9c29c2f4b2
  SHA256: 7193cff8c047bcb00743121f4f90a7df786c93da0b68366bb40d927215f6907b
  SHA512: c50c7c27bff12d777c3cc00e0b17fa9cd348a6aaf978b5973d37a982ce84da0c2f83ac7308ba055c4afbccc9103e91be1073603430de353087d9b32142649891
  SSDEEP: 6144:znCkEzy3WOKrHe7EPvIbQP952w7QNlC20wHa8zbC6+fYyf9unVes12qxWCla8aGV:NEyrw2s20wHao+mmeWCl9VdAd
Malware Config
Extracted
  family: qakbot
  version: 404.66
  botnet: BB17
  campaign: 1677576236
  C2 servers: 119 IP:port pairs extracted
  salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  3736  1964        WerFault.exe  86

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  1792  rundll32.exe  (2 entries)
  1416  wermgr.exe    (all remaining entries; 64 IoCs in total)

Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  1792  rundll32.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  description                       pid   Process       procid_target
  PID 2708 wrote to memory of 1964  2708  rundll32.exe  86   (3 entries)
  PID 3632 wrote to memory of 2356  3632  cmd.exe       101  (2 entries)
  PID 2356 wrote to memory of 1792  2356  rundll32.exe  103  (3 entries)
  PID 3632 wrote to memory of 1572  3632  cmd.exe       104  (2 entries)
  PID 1792 wrote to memory of 1416  1792  rundll32.exe  105  (5 entries)
Processes (indentation shows parent/child relationship)

  C:\Windows\system32\rundll32.exe  (PID 2708)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\bbbbbboris.dll,#1
    signatures: Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe  (PID 1964)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\bbbbbboris.dll,#1
      C:\Windows\SysWOW64\WerFault.exe  (PID 3736)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 604
        signatures: Program crash

  C:\Windows\SysWOW64\WerFault.exe  (PID 3204)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1964 -ip 1964

  C:\Windows\system32\cmd.exe  (PID 3632)
    command line: "C:\Windows\system32\cmd.exe"
    signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\rundll32.exe  (PID 2356)
      command line: rundll32 bbbbbboris.dll,N115
      signatures: Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\rundll32.exe  (PID 1792)
        command line: rundll32 bbbbbboris.dll,N115
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\wermgr.exe  (PID 1416)
          command line: C:\Windows\SysWOW64\wermgr.exe
          signatures: Suspicious behavior: EnumeratesProcesses
    C:\Windows\system32\rundll32.exe  (PID 1572)
      command line: rundll32 bbbbbboris.dll,N115