Analysis
max time kernel: 149s
max time network: 59s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 28/02/2023, 19:07
Static task: static1
General
Target: 2.dll
Size: 367KB
MD5: 362b14cc92b5d30043afae8592197893
SHA1: 2632b6e5f2856ceed4d5da270d3c97af09ca2c62
SHA256: 57336ee2e237a32db2e848fb11af6074bf6d155e59b64d67d56a2c02659d3148
SHA512: f72825b6707e954e51a0c100d7578c648794831b65e214c2d39466b7e9cd3469ad4f88a59211934043cafd0e2e78933eebf412906c27ebc78c99b871076bc3af
SSDEEP: 6144:znCkEzy3WOKrHe7EPvIbQP952w7QNlC20wHa8zbC6+fYyf9unVes12qxWCla8aGv:NEyrw2s20wHao+mmeWCl9Vdid
Malware Config
Extracted: qakbot
404.66
BB17
1677576236
salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures

Program crash (1 IoC)
pid   pid_target  Process       procid_target
4552  3448        WerFault.exe  66

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
4692  rundll32.exe
1304  wermgr.exe
(The report lists these two pid/process pairs repeatedly; together they account for all 64 hits.)

Suspicious use of WriteProcessMemory (13 IoCs)
description                       pid   Process       procid_target  count
PID 4008 wrote to memory of 3448  4008  rundll32.exe  66             3
PID 1512 wrote to memory of 3076  1512  cmd.exe       73             2
PID 3076 wrote to memory of 4692  3076  rundll32.exe  74             3
PID 4692 wrote to memory of 1304  4692  rundll32.exe  75             5
Processes

- C:\Windows\system32\rundll32.exe (PID 4008)
  command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2.dll,#1
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 3448)
    command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe (PID 4552)
      command: C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 616
      signatures: Program crash

- C:\Windows\System32\rundll32.exe (PID 976)
  command: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

- C:\Windows\System32\cmd.exe (PID 1512)
  command: "C:\Windows\System32\cmd.exe"
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (PID 3076)
    command: rundll32 2.dll,N115
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 4692)
      command: rundll32 2.dll,N115
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\wermgr.exe (PID 1304)
        command: C:\Windows\SysWOW64\wermgr.exe
        signatures: Suspicious behavior: EnumeratesProcesses