Analysis
max time kernel: 150s
max time network: 33s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 28/02/2023, 17:37
Static task: static1
Behavioral task: behavioral1
Sample: RunDLL-1.bat
Resource: win7-20230220-en
General
Target: RunDLL-1.bat
Size: 41B
MD5: 5476a6e670d4e6f718eea43367a85dd9
SHA1: 4955c094fe8b30e948fc2726aac74c4bd279fbdd
SHA256: 679ed7fed33321412ed59c47bf09b1a1a22e3dc067312927d418ee16e20ec313
SHA512: 0c6871b8738e3305200e2b4d09d91d492a854dc2dad17d7546d62a347089080213f67dd797419f2257ac3f80a38f8dbcbdf6dc2ec127c4b2561c11eb87f0bc2d
Malware Config
Extracted
qakbot
404.66
BB17
1677576236
salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  1112  rundll32.exe
  1524  wermgr.exe (63 occurrences)
Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  1112  rundll32.exe
Suspicious use of WriteProcessMemory (16 IoCs)
  description                        pid   Process       procid_target
  PID 1204 wrote to memory of 1296   1204  cmd.exe       29  (3 occurrences)
  PID 1296 wrote to memory of 1112   1296  rundll32.exe  30  (7 occurrences)
  PID 1112 wrote to memory of 1524   1112  rundll32.exe  31  (6 occurrences)
Processes
1. C:\Windows\system32\cmd.exe
   Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\RunDLL-1.bat"
   PID: 1204
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\rundll32.exe
      Command line: rundll32.exe hybridityJudicature.dll,N115
      PID: 1296
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\rundll32.exe
         Command line: rundll32.exe hybridityJudicature.dll,N115
         PID: 1112
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\wermgr.exe
            Command line: C:\Windows\SysWOW64\wermgr.exe
            PID: 1524
            - Suspicious behavior: EnumeratesProcesses