Analysis
max time kernel: 151s
max time network: 47s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 07-05-2023 05:48
Static task: static1
Behavioral task: behavioral1
Sample: agfINAaJSdj4m12.tmp.dll
Resource: win7-20230220-en
General
Target: agfINAaJSdj4m12.tmp.dll
Size: 492KB
MD5: 3ccf3868418307024448cbbe855bf191
SHA1: deccde6b25a960cbf01ab7719c87988f26d57c07
SHA256: 82da02480d326beb2cad44c37f6a42f1153bfef8fb41e375787ff058a5affbc3
SHA512: 5ab13a0859ad76c9a25dbbc289769bd177533b84be78d2a6f7bfdf491e55d47b72be0f79bb4b3130abdce615accf09c48479877d2360aa7def4c3552e94bf4e2
SSDEEP: 6144:GzsetY7i0K8xwAXr/fUT7td4HCp6hInogO5cJN2W3MnBJW2WraDOhTKnOF8QAZaR:FeaffiP3O2sK2WraDOhel0WVvKX5H5N
Malware Config
Extracted
qakbot
404.1026
BB25
1682409935
96.56.197.26:2222
151.30.34.144:443
217.165.239.223:443
91.82.4.46:443
151.213.66.34:995
81.111.108.123:443
88.171.156.150:50000
92.149.250.113:2222
92.189.214.236:2222
103.123.223.130:443
67.10.2.240:995
70.112.206.5:443
86.225.214.138:2222
172.248.42.122:443
147.219.4.194:443
24.139.11.137:443
74.92.243.115:50000
198.2.51.242:993
75.98.154.19:443
92.239.81.124:443
92.27.86.48:2222
47.205.25.170:443
76.16.49.134:443
174.118.63.123:443
119.82.121.87:443
70.28.50.223:32100
74.58.71.237:443
14.192.241.76:995
12.172.173.82:2087
76.86.31.59:443
12.172.173.82:995
161.142.98.36:995
91.165.188.74:50000
70.28.50.223:3389
50.68.186.195:443
72.203.216.98:2222
94.207.107.69:443
75.143.236.149:443
31.53.29.207:2222
58.186.75.42:443
75.109.111.89:443
68.173.170.110:8443
105.184.103.214:995
47.21.51.138:443
12.172.173.82:50001
59.28.84.65:443
114.143.176.235:443
73.161.176.218:443
197.94.78.32:443
122.186.210.254:443
50.68.204.71:995
147.147.30.126:2222
27.99.32.26:2222
78.130.215.67:443
2.36.64.159:2078
98.145.23.67:443
85.84.222.49:443
181.4.225.225:443
184.176.35.223:2222
58.162.223.233:443
67.61.61.31:443
96.87.28.170:2222
12.172.173.82:21
91.169.12.198:32100
50.68.204.71:443
70.26.75.148:2222
49.245.95.124:2222
176.142.207.63:443
12.172.173.82:993
79.77.142.22:2222
202.186.177.220:443
92.186.69.229:2222
50.68.204.71:993
70.28.50.223:2078
70.28.50.223:2087
78.192.109.105:2222
123.3.240.16:995
86.45.66.141:2222
64.121.161.102:443
184.182.66.109:443
103.140.174.20:2222
69.242.31.249:443
181.118.183.109:443
49.175.72.99:443
84.215.202.8:443
86.130.9.135:2222
92.9.45.20:2222
200.90.68.166:2222
94.200.183.66:2222
183.87.163.165:443
125.99.76.102:443
109.149.148.20:2222
187.199.153.185:32103
95.60.243.19:995
35.143.97.145:995
124.149.143.189:2222
70.28.50.223:2083
2.82.8.80:443
213.91.235.146:443
104.35.24.154:443
12.172.173.82:32101
174.4.89.3:443
47.34.30.133:443
71.38.155.217:443
109.153.252.176:2222
173.18.122.24:443
70.28.50.223:1194
72.205.104.134:443
86.171.131.244:995
102.159.219.132:443
76.170.252.153:995
72.134.124.16:443
81.229.117.95:2222
201.244.108.183:995
47.199.241.39:443
91.35.212.133:995
12.172.173.82:22
12.172.173.82:20
184.153.132.82:443
salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures
Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (filter: rundll32.exe, wermgr.exe):
  pid    Process
  1380   rundll32.exe
  664    wermgr.exe   (this row is repeated for every remaining IoC; the signature totals 64 IoCs)

Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes (filter: rundll32.exe):
  pid    Process
  1380   rundll32.exe

Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (filter: rundll32.exe, wermgr.exe); identical rows collapsed, count in the last column:
  description                        pid    Process        procid_target   rows
  PID 1932 wrote to memory of 1380   1932   rundll32.exe   27              7
  PID 1380 wrote to memory of 664    1380   rundll32.exe   28              6
  PID 664 wrote to memory of 520     664    wermgr.exe     29              4
Processes
C:\Windows\system32\rundll32.exe  (depth 1)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\agfINAaJSdj4m12.tmp.dll,#1
  PID: 1932
  signatures: Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe  (depth 2)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\agfINAaJSdj4m12.tmp.dll,#1
    PID: 1380
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\wermgr.exe  (depth 3)
      command line: C:\Windows\SysWOW64\wermgr.exe
      PID: 664
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\ping.exe  (depth 4)
        command line: ping -n 3 yahoo.com
        PID: 520
        signatures: Runs ping.exe