Analysis

max time kernel:  150s
max time network: 154s
platform:         windows10-2004_x64
resource:         win10v2004-20230220-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted:        07-05-2023 05:48
Static task:     static1
Behavioral task: behavioral1
Sample:          ayjbrprbkbxm.dll
Resource:        win7-20230220-en
General

Target: ayjbrprbkbxm.dll
Size:   803KB
MD5:    45f241fd144ec617a7610cb4edc51f30
SHA1:   2e72fecc72365b0082f589ff3825addc7e2cecef
SHA256: 88a2725a387dec6b5402c3597642c6085aef187aad75f241915445adfc99263d
SHA512: 2a25de03f045b85bd34e01024e21cf63cacd6980876bedc155f3a454e02508933def413037da832df5ce19f225d76b1b42fb0c8cca8c5c2a61cdeddffc1c9815
SSDEEP: 12288:DSzKApsXlCgKu33OA5kXnLiu+quwbubFDY8/Ck0FL2kd9IVJpfnEoHuHe/pEj:o1psShG8rmLKG+FqkQpP3HuHe/pEj
Malware Config

Extracted

Family:   qakbot
Version:  404.999
Botnet:   notset
Campaign: 1681806702

C2:
67.10.2.240:995
172.248.42.122:443
12.172.173.82:21
76.86.31.59:443
24.139.11.137:443
74.66.134.24:443
86.178.33.125:2222
198.2.51.242:993
124.246.122.199:2222
50.68.204.71:995
12.172.173.82:465
184.182.66.109:443
105.184.209.7:995
100.6.31.96:443
139.226.47.229:995
175.156.65.126:2222
161.142.104.40:995
122.184.143.85:443
125.99.69.178:443
86.99.49.64:2222
103.140.174.20:2222
41.227.217.128:443
92.20.204.198:2222
86.171.131.244:995
88.164.20.177:21
78.192.109.105:2222
76.170.252.153:995
79.77.142.22:2222
64.121.161.102:443
70.28.50.223:1194
72.205.104.134:443
213.91.235.146:443
75.115.14.189:443
70.28.50.223:3389
70.28.50.223:2087
103.111.70.66:443
92.186.69.229:2222
81.229.117.95:2222
72.134.124.16:443
103.111.70.66:995
103.144.201.56:2078
68.68.170.218:443
70.28.50.223:2078
95.60.243.102:995
69.123.4.221:2222
92.27.86.48:2222
35.143.97.145:995
50.68.186.195:443
76.178.148.107:2222
213.67.139.53:2222
125.99.76.102:443
91.169.12.198:32100
173.88.135.179:443
50.68.204.71:993
98.145.23.67:443
71.31.232.156:995
49.245.95.124:2222
50.68.204.71:443
69.133.162.35:443
12.172.173.82:993
70.28.50.223:2083
12.172.173.82:995
174.4.89.3:443
12.172.173.82:32101
122.186.210.254:443
114.143.176.235:443
23.30.22.225:993
93.238.52.211:995
94.63.65.146:443
23.30.22.225:50003
24.206.27.39:443
103.42.86.42:995
90.211.192.113:443
92.239.81.124:443
209.93.207.224:2222
41.62.5.69:443
151.62.97.204:443
27.109.19.90:2078
190.199.245.138:2222
91.35.212.133:995
70.160.80.210:443
12.172.173.82:20
70.112.206.5:443
187.199.234.229:32103
23.30.22.225:443
88.126.94.4:50000
23.30.22.225:995
112.222.83.147:6881
90.55.106.37:2222
90.104.151.37:2222
77.126.185.173:443
92.154.17.149:2222
86.130.9.214:2222
2.36.64.159:2078
93.150.183.229:2222
202.186.177.220:443
41.227.79.177:995
92.9.45.20:2222
201.244.108.183:995
49.175.72.99:443
91.231.173.14:995
47.205.25.170:443
147.219.4.194:443
12.172.173.82:22
172.90.139.138:2222
74.92.243.115:50000
75.109.111.89:443
71.171.83.69:443
71.38.155.217:443
12.172.173.82:2087
14.192.241.76:995
124.149.143.189:2222
176.202.45.209:443
72.203.216.98:2222
136.232.184.134:995
183.87.163.165:443
2.82.8.80:443
68.173.170.110:8443
100.10.72.114:443
Attributes:
salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures

Program crash (1 IoC)
Processes:
  pid   pid_target  Process       procid_target
  2756  1292        WerFault.exe  83

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   Process
  1292  rundll32.exe
  1292  rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                       pid   Process       procid_target
  PID 3012 wrote to memory of 1292  3012  rundll32.exe  83
  PID 3012 wrote to memory of 1292  3012  rundll32.exe  83
  PID 3012 wrote to memory of 1292  3012  rundll32.exe  83
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ayjbrprbkbxm.dll,#1
  Suspicious use of WriteProcessMemory
  PID: 3012

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ayjbrprbkbxm.dll,#1
    Suspicious behavior: EnumeratesProcesses
    PID: 1292

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 680
      Program crash
      PID: 2756

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1292 -ip 1292
  PID: 1840