Analysis
-
max time kernel
149s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
25/03/2023, 10:07
Static task
static1
Behavioral task
behavioral1
Sample
62b038f2dc2ab995d036930a2eaa5f2dc67fb0ab884459d3fa6df653eec307e1.dll
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
62b038f2dc2ab995d036930a2eaa5f2dc67fb0ab884459d3fa6df653eec307e1.dll
Resource
win10v2004-20230220-en
General
-
Target
62b038f2dc2ab995d036930a2eaa5f2dc67fb0ab884459d3fa6df653eec307e1.dll
-
Size
337KB
-
MD5
1bcb097de905cbe1e9fc9683e1dea036
-
SHA1
df042b4a2c65a0d761f93baeb8ee4d06fbd33229
-
SHA256
62b038f2dc2ab995d036930a2eaa5f2dc67fb0ab884459d3fa6df653eec307e1
-
SHA512
89f6de104a2dd12040492d8836ac1819a4f857c4e6554848b68d5ca51fe7b2bd5d860403954af45a67cad42bc9909ef94fa9175e20580cfe5c6a8d14d2386b29
-
SSDEEP
6144:BTfmt7eZAPOyKmLrLqGvHr0nNK11G9DMQyaViFwRun:Bbi7/xZrkNK11G9AQyOi6Q
Malware Config
Extracted
qakbot
401.51
abc106m
1606921461
94.69.242.254:2222
189.140.45.48:995
37.182.244.124:2222
73.136.242.114:443
187.149.126.53:443
189.210.115.207:443
96.27.47.70:2222
185.163.221.77:2222
85.132.36.111:2222
178.87.10.110:443
120.150.218.241:995
68.224.121.148:993
78.101.145.96:61201
47.146.34.236:443
24.95.61.62:443
72.29.181.78:2222
93.113.177.152:443
87.218.53.206:2222
106.51.85.162:443
2.90.33.130:443
187.145.100.209:443
81.150.181.168:2222
98.240.24.57:443
109.154.193.21:2222
96.40.175.33:443
72.240.200.181:2222
2.7.202.106:2222
173.21.10.71:2222
187.213.136.249:995
189.252.72.41:995
66.97.247.15:443
75.109.180.221:443
72.252.201.69:443
109.209.94.165:2222
65.29.116.74:443
172.87.134.226:443
69.11.247.242:443
87.27.110.90:2222
217.133.54.140:32100
181.129.155.10:443
187.213.199.54:443
174.104.31.209:443
67.8.103.21:443
71.182.142.63:443
149.28.98.196:443
45.77.193.83:443
68.116.193.239:443
197.45.110.165:995
149.28.98.196:2222
149.28.99.97:443
144.202.38.185:2222
174.62.13.151:443
144.202.38.185:443
149.28.98.196:995
45.63.107.192:995
144.202.38.185:995
45.63.107.192:2222
189.150.40.192:2222
149.28.99.97:2222
72.79.79.92:0
116.240.78.45:995
45.118.216.157:443
95.77.223.148:443
83.202.68.220:2222
92.154.83.96:2087
41.227.82.102:443
41.205.16.89:443
86.98.89.173:2222
156.194.205.151:995
47.44.217.98:443
24.27.82.216:2222
24.229.150.54:995
71.14.110.199:443
5.15.225.109:443
47.187.49.3:2222
78.97.207.104:443
67.6.54.180:443
178.222.114.132:995
89.3.198.238:443
109.205.204.229:2222
143.178.135.25:2222
90.53.228.60:2222
95.76.27.6:443
184.89.71.68:443
85.204.189.105:443
197.161.154.132:443
176.45.233.94:995
50.244.112.10:995
75.170.145.25:443
72.28.255.159:995
108.190.151.108:2222
51.235.24.196:443
94.59.236.155:995
78.187.125.116:2222
85.52.72.32:2222
174.54.24.110:995
189.231.3.63:443
86.121.43.200:443
193.248.154.174:2222
105.103.33.188:443
37.210.133.63:995
102.185.242.27:443
39.36.30.92:995
73.244.83.199:443
2.90.186.243:995
68.15.109.125:443
86.245.87.251:2222
197.135.54.239:443
90.101.117.122:2222
96.225.88.23:443
2.50.56.81:443
47.21.192.182:2222
93.146.133.102:2222
72.66.47.70:443
96.21.251.127:2222
184.98.97.227:995
58.179.21.147:995
201.152.69.198:995
74.129.26.119:443
67.82.244.199:2222
80.14.22.234:2222
189.157.3.12:443
83.196.50.197:2222
90.23.117.67:2222
208.93.202.41:443
47.22.148.6:443
197.86.204.38:443
45.32.162.253:443
120.150.60.189:995
110.142.205.182:443
72.36.59.46:2222
196.204.207.111:443
181.208.249.141:443
140.82.27.132:443
45.32.165.134:443
71.226.140.73:443
85.98.177.32:443
87.238.133.187:995
92.137.138.52:2222
24.179.13.119:443
78.63.226.32:443
71.163.223.144:443
68.131.19.52:443
86.98.34.84:995
65.131.47.74:995
92.154.83.96:1194
217.162.149.212:443
78.181.19.134:443
151.33.226.156:443
73.51.245.231:995
-
salt
jHxastDcds)oMc=jvh7wdUhxcsdt2
Signatures
-
resource yara_rule behavioral1/memory/1720-59-0x0000000000080000-0x00000000000A1000-memory.dmp MAL_RANSOM_Crime_QakBot_Mar2023 behavioral1/memory/1720-60-0x0000000000080000-0x00000000000A1000-memory.dmp MAL_RANSOM_Crime_QakBot_Mar2023 behavioral1/memory/1720-61-0x0000000000080000-0x00000000000A1000-memory.dmp MAL_RANSOM_Crime_QakBot_Mar2023 behavioral1/memory/1720-62-0x0000000000080000-0x00000000000A1000-memory.dmp MAL_RANSOM_Crime_QakBot_Mar2023 behavioral1/memory/1720-64-0x0000000000080000-0x00000000000A1000-memory.dmp MAL_RANSOM_Crime_QakBot_Mar2023 -
Loads dropped DLL 1 IoCs
pid Process 1852 regsvr32.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1104 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1752 rundll32.exe 1752 rundll32.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1752 rundll32.exe -
Suspicious use of WriteProcessMemory 29 IoCs
description pid Process procid_target PID 1808 wrote to memory of 1752 1808 rundll32.exe 28 PID 1808 wrote to memory of 1752 1808 rundll32.exe 28 PID 1808 wrote to memory of 1752 1808 rundll32.exe 28 PID 1808 wrote to memory of 1752 1808 rundll32.exe 28 PID 1808 wrote to memory of 1752 1808 rundll32.exe 28 PID 1808 wrote to memory of 1752 1808 rundll32.exe 28 PID 1808 wrote to memory of 1752 1808 rundll32.exe 28 PID 1752 wrote to memory of 1720 1752 rundll32.exe 29 PID 1752 wrote to memory of 1720 1752 rundll32.exe 29 PID 1752 wrote to memory of 1720 1752 rundll32.exe 29 PID 1752 wrote to memory of 1720 1752 rundll32.exe 29 PID 1752 wrote to memory of 1720 1752 rundll32.exe 29 PID 1752 wrote to memory of 1720 1752 rundll32.exe 29 PID 1720 wrote to memory of 1104 1720 explorer.exe 30 PID 1720 wrote to memory of 1104 1720 explorer.exe 30 PID 1720 wrote to memory of 1104 1720 explorer.exe 30 PID 1720 wrote to memory of 1104 1720 explorer.exe 30 PID 1164 wrote to memory of 792 1164 taskeng.exe 33 PID 1164 wrote to memory of 792 1164 taskeng.exe 33 PID 1164 wrote to memory of 792 1164 taskeng.exe 33 PID 1164 wrote to memory of 792 1164 taskeng.exe 33 PID 1164 wrote to memory of 792 1164 taskeng.exe 33 PID 792 wrote to memory of 1852 792 regsvr32.exe 34 PID 792 wrote to memory of 1852 792 regsvr32.exe 34 PID 792 wrote to memory of 1852 792 regsvr32.exe 34 PID 792 wrote to memory of 1852 792 regsvr32.exe 34 PID 792 wrote to memory of 1852 792 regsvr32.exe 34 PID 792 wrote to memory of 1852 792 regsvr32.exe 34 PID 792 wrote to memory of 1852 792 regsvr32.exe 34
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\62b038f2dc2ab995d036930a2eaa5f2dc67fb0ab884459d3fa6df653eec307e1.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\62b038f2dc2ab995d036930a2eaa5f2dc67fb0ab884459d3fa6df653eec307e1.dll,#12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn eszpbcx /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\62b038f2dc2ab995d036930a2eaa5f2dc67fb0ab884459d3fa6df653eec307e1.dll\"" /SC ONCE /Z /ST 11:12 /ET 11:244⤵
- Creates scheduled task(s)
PID:1104
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {CF13420E-1295-4D93-98BC-802D3A1ED3A6} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\system32\regsvr32.exeregsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\62b038f2dc2ab995d036930a2eaa5f2dc67fb0ab884459d3fa6df653eec307e1.dll"2⤵
- Suspicious use of WriteProcessMemory
PID:792 -
C:\Windows\SysWOW64\regsvr32.exe-s "C:\Users\Admin\AppData\Local\Temp\62b038f2dc2ab995d036930a2eaa5f2dc67fb0ab884459d3fa6df653eec307e1.dll"3⤵
- Loads dropped DLL
PID:1852
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\62b038f2dc2ab995d036930a2eaa5f2dc67fb0ab884459d3fa6df653eec307e1.dll
Filesize337KB
MD54e202f90dee218c94027b88c2ec7c037
SHA1a0116397e29d28b5cd52e026698da3b2b6bb881f
SHA25689f9d5e5c806f33e5f1c5c6a1fc8401fb8fd5514f40589c49bd8ee40ad746d98
SHA5128e140a9b1e8b56a660334d5b622a7e22260c31fee6708457feef1d8e71e39d445926839eaa5941870a2f23ce3add7448e7f733bfa474cd4fe9b219f4e684d19b
-
\Users\Admin\AppData\Local\Temp\62b038f2dc2ab995d036930a2eaa5f2dc67fb0ab884459d3fa6df653eec307e1.dll
Filesize337KB
MD54e202f90dee218c94027b88c2ec7c037
SHA1a0116397e29d28b5cd52e026698da3b2b6bb881f
SHA25689f9d5e5c806f33e5f1c5c6a1fc8401fb8fd5514f40589c49bd8ee40ad746d98
SHA5128e140a9b1e8b56a660334d5b622a7e22260c31fee6708457feef1d8e71e39d445926839eaa5941870a2f23ce3add7448e7f733bfa474cd4fe9b219f4e684d19b