Analysis

max time kernel: 187s
max time network: 192s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-05-2023 06:30

Static task: static1
Behavioral task: behavioral1
Sample: c18720d5822dd99ff6c259c43ef4edd6d7e6f1205f9dc447a0227306e9de685c.dll
Resource: win7-20230220-en
General

Target: c18720d5822dd99ff6c259c43ef4edd6d7e6f1205f9dc447a0227306e9de685c.dll
Size: 498KB
MD5: 37197c59a30c7f71637baa8306b3c62b
SHA1: 513803ac5522f55bd2f07895be504e21bd09b0f0
SHA256: c18720d5822dd99ff6c259c43ef4edd6d7e6f1205f9dc447a0227306e9de685c
SHA512: 65b6993eabcc82ea4a3140020344435351499f81d172d9c0dce0a336e53dbff07b6e2ccc874f0f775f49a80b3c38491320614e69b57971deb84e0cbec0735bee
SSDEEP: 6144:GzsetYSi0K8xwAXr/fUT7td4HCp6hInogO5cJN2W3MnBJW2WraDOhTKnOF8QAZaR:FeaefiP3O2sK2WraDOhel0WVvKX5H5N
Malware Config

Extracted: qakbot
404.1026
BB25
1682409935
salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures

Program crash (1 IoC)
Processes:
  pid 220 WerFault.exe, pid_target 3364, procid_target 86

Runs ping.exe (1 TTP, 2 IoCs)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid 3736 rundll32.exe (2 entries)
  pid 2832 backgroundTaskHost.exe (repeated entries, 64 IoCs in total)

Suspicious behavior: MapViewOfSection (3 IoCs)
Processes:
  pid 3736 rundll32.exe (3 entries)

Suspicious use of WriteProcessMemory (24 IoCs)
Processes (source PID -> target PID, source process, procid_target, number of entries):
  5076 -> 3736, rundll32.exe, 82, 3 entries
  3736 -> 2268, rundll32.exe, 83, 5 entries
  2268 -> 1760, wermgr.exe, 84, 3 entries
  3736 -> 3364, rundll32.exe, 86, 5 entries
  3736 -> 2832, rundll32.exe, 89, 5 entries
  2832 -> 1540, backgroundTaskHost.exe, 90, 3 entries
Processes (process tree; indentation shows parent/child depth)

C:\Windows\system32\rundll32.exe (PID 5076)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c18720d5822dd99ff6c259c43ef4edd6d7e6f1205f9dc447a0227306e9de685c.dll,#1
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe (PID 3736)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c18720d5822dd99ff6c259c43ef4edd6d7e6f1205f9dc447a0227306e9de685c.dll,#1
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\wermgr.exe (PID 2268)
          command line: C:\Windows\SysWOW64\wermgr.exe
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\ping.exe (PID 1760)
              command line: ping -n 3 yahoo.com
              - Runs ping.exe
        C:\Windows\SysWOW64\wermgr.exe (PID 3364)
          command line: C:\Windows\SysWOW64\wermgr.exe
            C:\Windows\SysWOW64\WerFault.exe (PID 220)
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 352
              - Program crash
        C:\Windows\SysWOW64\backgroundTaskHost.exe (PID 2832)
          command line: C:\Windows\SysWOW64\backgroundTaskHost.exe
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\ping.exe (PID 1540)
              command line: ping -n 3 yahoo.com
              - Runs ping.exe

C:\Windows\SysWOW64\WerFault.exe (PID 5108)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3364 -ip 3364