Analysis
max time kernel: 149s
max time network: 32s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 03/03/2023, 15:34

Static task: static1
Behavioral task: behavioral1
  Sample: 987ac6627a2e59290a15e91ec91b9028106e7f9ebce059a2b54cbbb4b30c3d48.dll
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 987ac6627a2e59290a15e91ec91b9028106e7f9ebce059a2b54cbbb4b30c3d48.dll
  Resource: win10v2004-20230220-en
General
Target: 987ac6627a2e59290a15e91ec91b9028106e7f9ebce059a2b54cbbb4b30c3d48.dll
Size: 352KB
MD5: 4e57bc503140d50f5937444aa7719ad2
SHA1: d44dbfe2f0112a72969e7dcd97e969a2d1bf7cb4
SHA256: 987ac6627a2e59290a15e91ec91b9028106e7f9ebce059a2b54cbbb4b30c3d48
SHA512: 4cb22c31bd3e170763d45ad3816d12884232625a41aa7462c45337ddd4be7635cdbb94ef177be8ca8e3a895ff1122e6fc16068d4cd4a1c8a33151cbce44b59b9
SSDEEP: 6144:dlZfHJBfoMMiKYYXytfltzOWsDGCitOiXfG5iIZE90:btHJtoMMiYXytflttsDGCitZf6iIO9
Malware Config
Extracted
family: qakbot
version: 404.74
botnet: BB17
campaign: 1677767634 (a Unix timestamp: 2023-03-02 14:33:54 UTC)
C2 (host:port; several hosts recur on more than one port, e.g. 12.172.173.82 on seven ports including FTP-looking 20, 21 and 990):
81.157.206.138:2222
50.68.186.195:443
184.176.110.61:61202
71.31.101.183:443
85.231.105.49:2222
62.35.100.38:443
190.141.133.204:443
109.158.144.102:995
82.212.115.116:443
47.21.51.138:995
208.180.17.32:2222
86.130.9.136:2222
184.189.41.80:443
23.242.20.21:443
103.12.133.134:2222
86.225.214.138:2222
12.172.173.82:50001
142.118.243.5:2222
86.208.35.220:2222
47.21.51.138:443
184.174.138.70:2222
84.219.213.130:6881
201.130.119.176:443
47.203.229.168:443
86.152.112.216:2222
12.172.173.82:2087
72.80.7.6:995
35.143.97.145:995
103.252.7.231:443
86.10.146.216:443
50.68.204.71:995
74.58.71.237:443
49.245.82.178:2222
73.36.196.11:443
12.172.173.82:32101
81.229.117.95:2222
109.149.147.104:2222
213.31.90.183:2222
83.114.60.6:2222
212.69.141.168:995
75.156.125.215:995
50.68.204.71:993
190.75.95.164:2222
74.92.243.113:50000
80.47.61.240:2222
85.241.180.94:443
212.70.98.183:2222
88.126.94.4:50000
198.2.51.242:993
86.250.10.160:2222
86.196.12.21:2222
85.59.61.52:2222
122.184.143.82:443
47.196.225.236:443
77.124.9.203:443
105.186.229.134:995
80.3.209.218:443
92.154.45.81:2222
76.80.180.154:995
104.35.24.154:443
86.202.48.142:2222
190.191.35.122:443
87.221.197.34:2222
47.34.30.133:443
45.50.233.214:443
136.35.241.159:443
64.237.212.162:443
93.147.134.85:443
76.64.202.44:2222
70.27.163.177:2222
176.142.207.63:443
209.142.97.83:995
72.88.245.71:443
190.28.86.103:443
65.92.221.105:2222
142.118.23.130:2222
183.87.163.165:443
47.16.69.185:2222
90.104.22.28:2222
86.151.244.117:443
103.169.83.89:443
162.248.14.107:443
50.68.204.71:443
12.172.173.82:995
12.172.173.82:20
173.18.126.3:443
66.191.69.18:995
31.53.29.205:2222
108.190.203.42:995
75.143.236.149:443
174.104.184.149:443
72.203.216.98:2222
197.92.136.122:443
78.192.109.105:2222
174.4.89.3:443
187.199.238.208:32103
73.161.176.218:443
109.11.175.42:2222
66.35.125.42:2222
45.243.201.24:995
87.223.83.119:443
109.218.13.132:2222
172.248.42.122:443
24.239.69.244:443
12.172.173.82:21
84.35.26.14:995
202.142.98.62:995
92.27.86.48:2222
73.165.119.20:443
69.133.162.35:443
151.65.177.218:443
49.37.96.184:2222
116.74.164.176:443
193.253.100.236:2222
75.158.15.211:443
14.192.241.76:995
190.11.198.73:443
123.3.240.16:995
12.172.173.82:990
salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP (the hard-coded string Qakbot hashes with SHA1 to derive the RC4 key for its encrypted resources, which is how the configuration above was decrypted)
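An extracted configuration is only useful once it is turned into something a network team can deploy and hunt with. The following Python is an added example, not part of the sandbox report or of any Qakbot tooling: it parses a subset of the C2 list above in the report's host:port form, decodes the campaign timestamp, collapses hosts that recur on several ports, emits one Suricata rule per pair, and matches a few constructed flow records against the list. The flow records, the rule wording and the SID range starting at 9000000 are assumptions made here; the C2 pairs, botnet name, version and timestamp are copied from the config.

```python
"""Turn the extracted Qakbot configuration into hunting artefacts.

Added example, not part of the sandbox report. The C2 subset, botnet name,
version and campaign timestamp are copied from the config above; the flow
records, the Suricata rule text and the SID range are constructed here.
"""
from collections import defaultdict
from datetime import datetime, timezone
import ipaddress

# Subset of the C2 list extracted above, in the report's host:port form.
C2_RAW = """
81.157.206.138:2222
50.68.186.195:443
47.21.51.138:995
47.21.51.138:443
12.172.173.82:50001
12.172.173.82:2087
12.172.173.82:32101
12.172.173.82:995
12.172.173.82:20
12.172.173.82:21
12.172.173.82:990
50.68.204.71:995
50.68.204.71:993
50.68.204.71:443
84.219.213.130:6881
"""
BOTNET = "BB17"
VERSION = "404.74"
CAMPAIGN_TS = 1677767634


def parse_c2(raw: str) -> list[tuple[str, int]]:
    """Parse host:port lines, rejecting anything that is not IPv4:port.

    Extracted configs get pasted around; validating here stops a mangled
    line from silently becoming a bogus block rule.
    """
    pairs = []
    for line in raw.split():
        host, sep, port = line.rpartition(":")
        if not sep:
            raise ValueError(f"no port in {line!r}")
        ipaddress.IPv4Address(host)  # raises AddressValueError on garbage
        port_n = int(port)
        if not 1 <= port_n <= 65535:
            raise ValueError(f"port out of range in {line!r}")
        pairs.append((host, port_n))
    return pairs


def group_by_host(pairs):
    """Collapse the flat list to host -> sorted unique ports.

    Makes the port reuse visible: 12.172.173.82 is listed on seven ports,
    including FTP-looking 20/21/990 next to 995 and high ports.
    """
    by_host = defaultdict(set)
    for host, port in pairs:
        by_host[host].add(port)
    return {h: sorted(p) for h, p in by_host.items()}


def campaign_time(ts: int) -> str:
    """The campaign field is a Unix timestamp; render it as UTC ISO-8601."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def suricata_rules(pairs, sid_base=9_000_000):
    """One outbound rule per host:port pair (the SID range is an assumption)."""
    return [
        f'alert tcp $HOME_NET any -> {host} {port} '
        f'(msg:"Qakbot {BOTNET} v{VERSION} C2 {host}:{port}"; '
        f'flow:to_server; classtype:trojan-activity; '
        f'sid:{sid_base + i}; rev:1;)'
        for i, (host, port) in enumerate(pairs)
    ]


def match_flows(flows, pairs, host_only=False):
    """Return flow records that hit a configured C2.

    host_only=True also catches traffic to a listed host on a port the
    config does not mention, which matters because the bots rotate ports.
    """
    if host_only:
        hosts = {host for host, _ in pairs}
        return [f for f in flows if f["dst"] in hosts]
    wanted = set(pairs)
    return [f for f in flows if (f["dst"], f["dport"]) in wanted]


# Constructed flow records (not from the report); the second one goes to a
# C2 host on a port the config does not list.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "12.172.173.82", "dport": 21},
    {"src": "10.0.0.5", "dst": "12.172.173.82", "dport": 22},
    {"src": "10.0.0.7", "dst": "47.21.51.138", "dport": 443},
]

if __name__ == "__main__":
    pairs = parse_c2(C2_RAW)
    print("campaign:", campaign_time(CAMPAIGN_TS))
    for host, ports in group_by_host(pairs).items():
        print(host, ports)
    print("\n".join(suricata_rules(pairs)[:2]))
    print(match_flows(SAMPLE_FLOWS, pairs))
    print(match_flows(SAMPLE_FLOWS, pairs, host_only=True))
```

The exact-pair match is what you would deploy as an IDS rule; the host-only match is the one to run over NetFlow or proxy logs when hunting, since a listed host on an unlisted port is still worth a ticket.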
Signatures
Suspicious behavior: EnumeratesProcesses (49 IoCs)
  pid   process
  548   rundll32.exe   (1 entry)
  1792  wermgr.exe     (48 entries)
Suspicious behavior: MapViewOfSection (1 IoC)
  pid   process
  548   rundll32.exe
Suspicious use of WriteProcessMemory (23 IoCs)
  pid   process        wrote to memory of   procid_target   entries
  1104  rundll32.exe   1300                 27              7
  432   cmd.exe        268                  30              3
  268   rundll32.exe   548                  31              7
  548   rundll32.exe   1792                 32              6
Processes
C:\Windows\system32\rundll32.exe  (PID 1104)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\987ac6627a2e59290a15e91ec91b9028106e7f9ebce059a2b54cbbb4b30c3d48.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe  (PID 1300)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\987ac6627a2e59290a15e91ec91b9028106e7f9ebce059a2b54cbbb4b30c3d48.dll,#1

C:\Windows\system32\cmd.exe  (PID 432)
  "C:\Windows\system32\cmd.exe"
  - Suspicious use of WriteProcessMemory
  \??\c:\Windows\System32\rundll32.exe  (PID 268)
    rundll32.exe c:\Users\Admin\AppData\Local\Temp\987ac6627a2e59290a15e91ec91b9028106e7f9ebce059a2b54cbbb4b30c3d48.dll,RS32
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe  (PID 548)
      rundll32.exe c:\Users\Admin\AppData\Local\Temp\987ac6627a2e59290a15e91ec91b9028106e7f9ebce059a2b54cbbb4b30c3d48.dll,RS32
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\wermgr.exe  (PID 1792)
        C:\Windows\SysWOW64\wermgr.exe
        - Suspicious behavior: EnumeratesProcesses

Two launch chains were run. In both, the 64-bit rundll32.exe re-launches the DLL under C:\Windows\SysWOW64\rundll32.exe, which is the normal WoW64 hand-off for a 32-bit DLL (the resource is tagged arch:x86). The chain that calls the first export by ordinal (,#1) ends at PID 1300 with no further recorded activity; the chain that calls the named export RS32 is the one that maps a section and writes into a newly started wermgr.exe (PID 1792), which then enumerates processes. Qakbot injecting its payload into an otherwise benign Windows Error Reporting process is the behaviour to key detections on.
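The tree above is a compact specification for a detection. The following Python is an added example, not from the sandbox report or any EDR product: it replays the six process-creation events reconstructed from the tree (same PIDs, images and command lines) through three rules and walks the parent chain for each hit. The record layout (pid, ppid, image, cmd), the rule names and the assumption that a legitimate wermgr.exe is started by the WER service host with a switch such as -upload are mine.

```python
"""Detect the rundll32 -> wermgr.exe injection chain shown in the tree above.

Added example, not from the sandbox report. The events are constructed from
the PIDs, images and command lines in the tree; the record layout
(pid, ppid, image, cmd) and the rule names are my own, not a Sysmon or EDR
schema.
"""
import ntpath

DLL = (r"C:\Users\Admin\AppData\Local\Temp"
       r"\987ac6627a2e59290a15e91ec91b9028106e7f9ebce059a2b54cbbb4b30c3d48.dll")
DLL_LC = "c" + DLL[1:]  # the second chain used a lower-case drive letter

EVENTS = [
    {"pid": 1104, "ppid": 0,    "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": f"rundll32.exe {DLL},#1"},
    {"pid": 1300, "ppid": 1104, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": f"rundll32.exe {DLL},#1"},
    {"pid": 432,  "ppid": 0,    "image": r"C:\Windows\system32\cmd.exe",
     "cmd": r'"C:\Windows\system32\cmd.exe"'},
    {"pid": 268,  "ppid": 432,  "image": r"\??\c:\Windows\System32\rundll32.exe",
     "cmd": f"rundll32.exe {DLL_LC},RS32"},
    {"pid": 548,  "ppid": 268,  "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": f"rundll32.exe {DLL_LC},RS32"},
    {"pid": 1792, "ppid": 548,  "image": r"C:\Windows\SysWOW64\wermgr.exe",
     "cmd": r"C:\Windows\SysWOW64\wermgr.exe"},
]

USER_TEMP = "\\appdata\\local\\temp\\"


def _name(path: str) -> str:
    """Image basename, lower-cased; ntpath also copes with the \\??\\ prefix."""
    return ntpath.basename(path).lower()


def detect(events):
    """Return (pid, rule) findings over a batch of process-creation events."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = _name(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = _name(parent["image"]) if parent else ""
        cmd = e["cmd"].lower()

        # rundll32 loading a DLL dropped in the user's Temp directory.
        if name == "rundll32.exe" and USER_TEMP in cmd and ".dll," in cmd:
            findings.append((e["pid"], "rundll32_dll_from_user_temp"))

        # wermgr.exe is normally started by the WER service host (svchost),
        # not by rundll32; here the parent is the injector spawning its host.
        if name == "wermgr.exe" and pname == "rundll32.exe":
            findings.append((e["pid"], "wermgr_parent_rundll32"))

        # Legitimate wermgr launches carry a switch such as -upload or
        # -queuereporting; a bare image path is unusual on its own and, with
        # the parent above, conclusive. (Naive split: fine for an unquoted
        # path without spaces, which is what the tree shows.)
        if name == "wermgr.exe" and len(cmd.split(maxsplit=1)) == 1:
            findings.append((e["pid"], "wermgr_without_arguments"))
    return findings


def ancestry(events, pid):
    """Walk ppid links back to the root so an alert carries its whole chain."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule, " <- ".join(map(str, ancestry(EVENTS, pid))))
```

The first rule fires on all four rundll32 instances and is the noisy one (installers also run DLLs from Temp); the two wermgr rules fire only on PID 1792 and, combined with its ancestry ending in cmd.exe rather than the WER service, are what should page someone.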