Resubmissions
Submitted          ID                  Score
15-03-2023 18:20   230315-wyy47sef87   10
15-03-2023 18:16   230315-wwhz7sgh31   10
15-03-2023 17:46   230315-wcmjaagg5w   10
15-03-2023 15:52   230315-tbkxysgc6v   10
15-03-2023 10:08   230315-l6bc1acf68   10
Analysis
max time kernel: 116s
max time network: 70s
platform: windows10-1703_x64
resource: win10-20230220-de
resource tags: arch:x64 arch:x86 image:win10-20230220-de locale:de-de os:windows10-1703-x64 system:windows
submitted: 15-03-2023 18:20
Static task: static1
Behavioral task: behavioral1
  Sample: c59d033fa3a58112f7520113699c74552c4d12bb10783fa880359ec94affe2a1.dll
  Resource: win10-20230220-de
Behavioral task: behavioral2
  Sample: c59d033fa3a58112f7520113699c74552c4d12bb10783fa880359ec94affe2a1.dll
  Resource: win7-20230220-de
General
Target: c59d033fa3a58112f7520113699c74552c4d12bb10783fa880359ec94affe2a1.dll
Size: 2.1MB
MD5: adfa9e13af7bff7b9304de834dc620e6
SHA1: 1eceee464aefad0708f1e5ddcd0550b25da32fe0
SHA256: c59d033fa3a58112f7520113699c74552c4d12bb10783fa880359ec94affe2a1
SHA512: c3e459751cd7d36c6fe6934d03144536a3d0f6f85318bf14f798a6ea9d5bee2adf68cb20d2c9ecf861a9bd96b5fd75750fcf283f8fe17a878f19ab7706692c66
SSDEEP: 3072:DNoM+4+Kci5Cbw8IsklTVhKAgUbV6RWWuZ:DW0NHmt9klHb4
Malware Config
Extracted
Family: qakbot
Version: 401.62
Botnet: abc107
Campaign: 1607078484
salt: jHxastDcds)oMc=jvh7wdUhxcsdt2
Signatures

Loads dropped DLL (1 IoC)
  pid 5024  regsvr32.exe

Drops file in Windows directory (35 IoCs)
  File opened for modification by rundll32.exe:
    C:\Windows\INF\ndisvirtualbus.PNF
    C:\Windows\INF\volmgr.PNF
    C:\Windows\INF\c_swdevice.PNF
    C:\Windows\INF\display.PNF
    C:\Windows\INF\hdaudbus.PNF
    C:\Windows\INF\acpi.PNF
    C:\Windows\INF\basicdisplay.PNF
    C:\Windows\INF\vdrvroot.PNF
    C:\Windows\INF\spaceport.PNF
    C:\Windows\INF\hal.PNF
    C:\Windows\INF\pci.PNF
    C:\Windows\INF\audioendpoint.PNF
    C:\Windows\INF\monitor.PNF
    C:\Windows\INF\kdnic.PNF
    C:\Windows\INF\compositebus.PNF
    C:\Windows\INF\usbport.PNF
    C:\Windows\INF\basicrender.PNF
    C:\Windows\INF\rdpbus.PNF
    C:\Windows\INF\cdrom.PNF
    C:\Windows\INF\volume.PNF
    C:\Windows\INF\mshdc.PNF
    C:\Windows\INF\vhdmp.PNF
    C:\Windows\INF\swenum.PNF
    C:\Windows\INF\printqueue.PNF
    C:\Windows\INF\umbus.PNF
    C:\Windows\INF\hdaudio.PNF
    C:\Windows\INF\keyboard.PNF
    C:\Windows\INF\volsnap.PNF
    C:\Windows\INF\msmouse.PNF
    C:\Windows\INF\cpu.PNF
    C:\Windows\INF\mssmbios.PNF
    C:\Windows\INF\netrtl64.PNF
    C:\Windows\INF\input.PNF
    C:\Windows\INF\machine.PNF
    C:\Windows\INF\disk.PNF

Program crash (1 IoC)
  pid 3348  WerFault.exe  ->  target pid 5024  regsvr32.exe

Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  rundll32.exe:
    Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service
    Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 2592  rundll32.exe
  pid 2592  rundll32.exe
  pid 2592  rundll32.exe
  pid 2592  rundll32.exe

Suspicious behavior: MapViewOfSection (1 IoC)
  pid 2592  rundll32.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  PID 2336 (rundll32.exe) wrote to memory of 2592 (rundll32.exe)
  PID 2336 (rundll32.exe) wrote to memory of 2592 (rundll32.exe)
  PID 2336 (rundll32.exe) wrote to memory of 2592 (rundll32.exe)
  PID 2592 (rundll32.exe) wrote to memory of 3996 (explorer.exe)
  PID 2592 (rundll32.exe) wrote to memory of 3996 (explorer.exe)
  PID 2592 (rundll32.exe) wrote to memory of 3996 (explorer.exe)
  PID 2592 (rundll32.exe) wrote to memory of 3996 (explorer.exe)
  PID 2592 (rundll32.exe) wrote to memory of 3996 (explorer.exe)
  PID 3996 (explorer.exe) wrote to memory of 4316 (schtasks.exe)
  PID 3996 (explorer.exe) wrote to memory of 4316 (schtasks.exe)
  PID 3996 (explorer.exe) wrote to memory of 4316 (schtasks.exe)
  PID 1428 (regsvr32.exe) wrote to memory of 5024 (regsvr32.exe)
  PID 1428 (regsvr32.exe) wrote to memory of 5024 (regsvr32.exe)
  PID 1428 (regsvr32.exe) wrote to memory of 5024 (regsvr32.exe)
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c59d033fa3a58112f7520113699c74552c4d12bb10783fa880359ec94affe2a1.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c59d033fa3a58112f7520113699c74552c4d12bb10783fa880359ec94affe2a1.dll,#1
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\explorer.exe
      command line: C:\Windows\SysWOW64\explorer.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\schtasks.exe
        command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn vzpoelxb /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\c59d033fa3a58112f7520113699c74552c4d12bb10783fa880359ec94affe2a1.dll\"" /SC ONCE /Z /ST 18:23 /ET 18:35
        - Creates scheduled task(s)

\??\c:\windows\system32\regsvr32.exe
  command line: regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\c59d033fa3a58112f7520113699c74552c4d12bb10783fa880359ec94affe2a1.dll"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\regsvr32.exe
    command line: -s "C:\Users\Admin\AppData\Local\Temp\c59d033fa3a58112f7520113699c74552c4d12bb10783fa880359ec94affe2a1.dll"
    - Loads dropped DLL
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 596
      - Program crash
Downloads

C:\Users\Admin\AppData\Local\Temp\c59d033fa3a58112f7520113699c74552c4d12bb10783fa880359ec94affe2a1.dll
  Filesize: 2.1MB
  MD5: 001206b3d00447bf8e35c8bf1348b0fe
  SHA1: 4e84143258b698c9f6e2a39ab74162b6cc81bf3f
  SHA256: e5fbbf228db0d4955d893cecc39008438b608ef0ae4977246f5a0431e5d78619
  SHA512: c98bdaf23844a01ee4a0edbee632ca88f2d362b32a8f06e7821aa09193d8ac7a7a17af7dc431ff449519539d0f957db196bbf72923d4640c672088a353dfb54d

C:\Windows\INF\audioendpoint.PNF
  Filesize: 5KB
  MD5: ee3b48c5098e33c9a39135a4d46ded2f
  SHA1: 530ef41e01468d4e52d3835e7a794bb2d89a0976
  SHA256: 89c30ae017009b5f3cb37045e53e68c6eb378fe6e3e8fa9bcaa0a4c4ca6103ca
  SHA512: 97a0edbabbf5ec4ba23cdf8cc9e18c54f2a47c631536d6ec109a1c93c1a732f2e030194d065e51e14a2b63ba02e96c76754ffc016f142fec699b60d6ec84331b

C:\Windows\INF\c_swdevice.PNF
  Filesize: 6KB
  MD5: 2d3ce0165fe67a0cc7f0bf31929c51c8
  SHA1: 05ba716ab38db5d6398a1f55af1b3ab60db0fdd3
  SHA256: 4bc4df8476ff34b14bdc48593508c9ed60b6ea581e38bae8cda8900be3d4958f
  SHA512: 9bd00ba67020bfa4bc2415feeb48f046849313404d53a41876aed4769e6843adcd4a9b9c18048d4d86b243f40d21f10af340edc7a10ee5330920ba2b1f8058f1

C:\Windows\INF\cpu.PNF
  Filesize: 19KB
  MD5: c9b4337390178d0115c52b33eab56f9f
  SHA1: f3893481c4e7b44b4d04fa90c21e148ee562089f
  SHA256: bcac253f17681b87cf8ead1092189b79d723d4e52266127689a0358231ee0c30
  SHA512: aecfd16d19e2d94ca54811c4a40cfdfd1809ab54b068503112b0cceddbed471826576a2b1372a0ec4baa0c33ed8f906d01574c850acbcc809873d3d2caae1a7b

C:\Windows\INF\machine.PNF
  Filesize: 152KB
  MD5: 624a1a353893fb0f121ebc3fb3007c4d
  SHA1: 336b5cfd5328380559f202aaf0241d6a97ca698d
  SHA256: f119104cfbd166668cc0f6c3cd0ff55ace21bc17798b2f5e73cb3f1ad24669b1
  SHA512: cd111143cd15abedf7bd34ce1eb8f8810df0f8bfdc3c6f31c695cf8ad1e337a6561cf9209821d21a9b27c0bad44d1f955dc3e6a38d49c6284c46893ace717492

C:\Windows\INF\mshdc.PNF
  Filesize: 67KB
  MD5: 193f1bfe81d6823864d5d283146c2a12
  SHA1: 3d0c4726358842d7bd89588e6d20b8d85efa30eb
  SHA256: 65e42e929c11b9ae6b6d80f29fc931780f467f827cabe6fccf59dd7ef4e9f077
  SHA512: 54530c56d3193f818e33bf4dc698022e384da5697146e2abc9d79b07ceb14941284be5a5ec82327350dd30dd14761c4577dec07cb3e8bf771a5741ec785dead4

C:\Windows\INF\msmouse.PNF
  Filesize: 96KB
  MD5: 1e12f538ad5892392294a03e34921a6b
  SHA1: 384a1709d12a841f83c1e1d5a069c3bf25f73567
  SHA256: 5f6b0265a871554135286bff03dc4374c599bdf7028a506884f881b9ca49d879
  SHA512: 67d5a56d31551fa7c47b951bdc1cc1282cc8db00d8a171099165cb26d3655e66172d3757baed4c70fd0309800afd6efd57836c02ecf81970d3abc20158087d23

C:\Windows\INF\printqueue.PNF
  Filesize: 7KB
  MD5: 4f4f26d4e3dcea866324372db113ba5a
  SHA1: 00580631d329b449959da2f556539e5953df6cda
  SHA256: 95249316e2c531502cfacccb856751d6a29787eaa53ad284bc8cc9184d8da489
  SHA512: e2176262caba9899eb7d972b548a4c263c311941c388013506e572365d8e9cde12141e04e0772d1b614b61f78c0dbe94d4c6c94be592210f31c68b97cf0b0566

C:\Windows\INF\usbport.PNF
  Filesize: 146KB
  MD5: 9901c1e79809e9ff03f2e8821080861a
  SHA1: 93abc4894166972cebb4a3ace7a11ba40d1b49fd
  SHA256: bb78d1dbf245fb02e3c98550bfddf14621a7919a42bd483f52a3b75bdc0df347
  SHA512: 7e2a9d21fe6c4f035fb37fc50c4f58ba5e497b10944305f7ea5510db1aa4c9c705ed66aa504ac2c0051cde32192861b6ba3bdd7f3ee8d6dfd405cc0824fe1708

C:\Windows\INF\volume.PNF
  Filesize: 5KB
  MD5: b16d16a171cfe99aae4c5c4f64c2c0f5
  SHA1: be2193bd620a8725e2aec7ca7062422a2a845e2c
  SHA256: 98988d7707efa81c4f2264372b74239edd04034c6c0b13e2cd7c7092819a7268
  SHA512: 0a4bac2fbb10e545cecc9ed2972918b341b7ad9699b3a494dee05af09420eef0a3834493112b7b1524804a30b23e4e79b97f8dfa909562ce061c0e383373468a

\Users\Admin\AppData\Local\Temp\c59d033fa3a58112f7520113699c74552c4d12bb10783fa880359ec94affe2a1.dll
  Filesize: 2.1MB
  MD5: 001206b3d00447bf8e35c8bf1348b0fe
  SHA1: 4e84143258b698c9f6e2a39ab74162b6cc81bf3f
  SHA256: e5fbbf228db0d4955d893cecc39008438b608ef0ae4977246f5a0431e5d78619
  SHA512: c98bdaf23844a01ee4a0edbee632ca88f2d362b32a8f06e7821aa09193d8ac7a7a17af7dc431ff449519539d0f957db196bbf72923d4640c672088a353dfb54d
memory/2592-121-0x0000000000AE0000-0x0000000000CCA000-memory.dmp
  Filesize: 1.9MB

memory/2592-349-0x0000000010000000-0x0000000010021000-memory.dmp
  Filesize: 132KB

memory/2592-122-0x0000000010000000-0x0000000010021000-memory.dmp
  Filesize: 132KB

memory/3996-352-0x0000000000B40000-0x0000000000B61000-memory.dmp
  Filesize: 132KB

memory/3996-353-0x0000000000B40000-0x0000000000B61000-memory.dmp
  Filesize: 132KB

memory/3996-354-0x0000000000B40000-0x0000000000B61000-memory.dmp
  Filesize: 132KB

memory/3996-356-0x0000000000B40000-0x0000000000B61000-memory.dmp
  Filesize: 132KB

memory/3996-357-0x0000000000B40000-0x0000000000B61000-memory.dmp
  Filesize: 132KB