Analysis Overview
SHA256
88a2725a387dec6b5402c3597642c6085aef187aad75f241915445adfc99263d
Threat Level: Known bad
The file ayjbrprbkbxm.dll was found to be: Known bad.
Malicious Activity Summary
Qakbot/Qbot
Unsigned PE
Program crash
Runs ping.exe
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-05-07 05:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-05-07 05:48
Reported
2023-05-07 15:47
Platform
win10v2004-20230220-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Qakbot/Qbot
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3012 wrote to memory of 1292 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3012 wrote to memory of 1292 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3012 wrote to memory of 1292 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ayjbrprbkbxm.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ayjbrprbkbxm.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1292 -ip 1292
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 680
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2023-05-07 05:48
Reported
2023-05-07 15:47
Platform
win7-20230220-en
Max time kernel
151s
Max time network
34s
Command Line
Signatures
Qakbot/Qbot
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ping.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ayjbrprbkbxm.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ayjbrprbkbxm.dll,#1
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\ping.exe
ping -n 3 yahoo.com
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | yahoo.com | udp |
Files