Analysis

max time kernel: 150s
max time network: 110s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 09-05-2023 17:01
Static task: static1
Behavioral task: behavioral1
Sample: msfilter_1005.dll
Resource: win7-20230220-en
General

Target: msfilter_1005.dll
Size: 903KB
MD5: d1618372aba92ed60112c6701297c9c7
SHA1: 0f71ca46a855cc2cd50e1625b6b90258c7c09a35
SHA256: 385306bbbc5c794c1f8232080c6f990b42b88283f32f582e2f4ba906b9308e80
SHA512: dd21d6cbf9dbb596b15e816a26c0e2f476d791811adc27fabfcf50655ee8fc7c30e4497b89dfc72754576422134b6e6946ed4eb82057b32d2c5ff78f9f92f8ea
SSDEEP: 24576:xHA2XMYABs772W/8vLj/9sgR+OVnh8gt42vCkzeztwPOfQWyBZPPdhbBF91Xe9g:FMYABC8vLj/2jA8gxZPPdhbBP1O9g
Malware Config

Extracted
Family: qakbot
Version: 404.1035
Botnet: BB26
Campaign (Unix timestamp): 1683279184
C2 (IP:port):
27.109.19.90:2078
109.56.235.133:443
92.20.204.198:2222
98.145.23.67:443
50.68.204.71:995
151.55.186.41:443
12.172.173.82:21
70.28.50.223:3389
94.59.122.53:2222
12.172.173.82:32101
24.206.27.39:443
91.169.12.198:32100
12.172.173.82:993
2.82.8.80:443
104.35.24.154:443
5.30.216.183:443
50.68.204.71:443
12.172.173.82:995
103.140.174.20:2222
173.88.135.179:443
71.38.155.217:443
71.34.185.40:443
37.14.229.220:2222
70.28.50.223:1194
161.142.98.36:995
85.53.128.200:3389
24.236.90.196:2078
91.82.3.239:443
45.243.237.211:995
50.68.204.71:993
186.64.67.41:443
172.115.17.50:443
62.35.230.21:995
70.28.50.223:32100
139.226.47.229:995
103.42.86.42:995
35.143.97.145:995
31.53.29.198:2222
211.248.50.162:443
89.114.140.100:443
58.186.75.42:443
82.127.153.75:2222
109.50.128.59:2222
162.248.14.107:443
103.111.70.66:443
100.6.31.96:443
103.141.50.79:995
178.175.187.254:443
125.99.69.178:443
105.184.115.147:995
217.165.234.249:443
12.172.173.82:2087
122.184.143.85:443
69.133.162.35:443
176.142.207.63:443
74.93.148.97:995
12.172.173.82:22
184.182.66.109:443
71.78.95.86:995
70.112.206.5:443
72.134.124.16:443
81.229.117.95:2222
12.172.173.82:20
103.111.70.66:995
201.208.46.165:2222
114.143.176.235:443
103.212.19.254:995
67.10.9.125:995
99.230.89.236:2083
43.243.215.210:443
157.119.85.203:443
12.172.173.82:50001
202.184.123.13:443
77.124.5.149:443
125.99.76.102:443
96.56.197.26:2078
87.243.146.59:443
197.14.179.187:443
197.1.253.66:443
83.92.85.93:443
213.91.235.146:443
90.104.151.37:2222
123.23.65.244:443
78.192.109.105:2222
92.9.45.20:2222
188.28.72.118:443
70.28.50.223:2083
71.104.102.13:2222
122.186.210.254:443
220.240.15.200:443
41.186.88.38:443
85.104.105.67:443
87.57.13.215:443
89.79.229.50:443
2.36.64.159:2078
88.168.199.84:50000
83.114.60.6:2222
92.27.86.48:2222
50.68.186.195:443
92.188.241.102:443
96.87.28.170:2222
92.1.170.110:995
174.4.89.3:443
23.30.173.133:443
70.51.136.238:2222
68.173.170.110:8443
47.21.51.138:443
70.64.77.115:443
76.16.49.134:443
64.121.161.102:443
108.190.115.159:443
98.19.224.125:995
12.172.173.82:465
147.219.4.194:443
86.250.12.86:2222
188.176.171.3:443
88.126.94.4:50000
87.202.101.164:50000
74.92.243.115:50000
98.176.5.56:443
Attributes
salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP (the string the config extractor hashes to derive the key for the bot's encrypted resources)
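The extracted configuration above is only useful once it is normalised: the timestamp converted to a date, the C2 list deduplicated by host and port, and each endpoint turned into an IOC record that carries the version and botnet ID. The following parser is an added example, not part of this report and not the code of the sandbox's extractor. Its input is a constructed subset of the config block above; the field labels (version, botnet, campaign timestamp, salt) follow the usual Qakbot config layout and are an assumption, not something the report states.

```python
"""Normalise an extracted Qakbot configuration into IOC records.

Added example (not part of the sandbox report, not extractor code).
SAMPLE_CONFIG is a constructed subset of the report's config block;
the field names are an assumption about the layout.
"""
from collections import Counter
from datetime import datetime, timezone
import ipaddress
import json

SAMPLE_CONFIG = """\
qakbot
404.1035
BB26
1683279184
27.109.19.90:2078
109.56.235.133:443
12.172.173.82:21
12.172.173.82:32101
12.172.173.82:993
12.172.173.82:995
70.28.50.223:3389
70.28.50.223:1194
50.68.204.71:995
50.68.204.71:443
salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP
"""


def parse_config(text):
    """Split the flat config dump into typed fields.

    The first four lines are family, version, botnet and campaign
    timestamp (assumed layout); every following "ip:port" line is a C2;
    anything else is a key followed by its value on the next line.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    family, version, botnet, ts = lines[:4]
    c2, attrs, i = [], {}, 4
    while i < len(lines):
        host, sep, port = lines[i].rpartition(":")
        if sep and port.isdigit():
            try:
                ipaddress.ip_address(host)  # reject "key:value" look-alikes
            except ValueError:
                pass
            else:
                c2.append((host, int(port)))
                i += 1
                continue
        attrs[lines[i]] = lines[i + 1] if i + 1 < len(lines) else ""
        i += 2
    when = datetime.fromtimestamp(int(ts), tz=timezone.utc)
    return {
        "family": family,
        "version": version,
        "botnet": botnet,
        "campaign_ts": int(ts),
        "campaign_utc": when.strftime("%Y-%m-%d %H:%M:%S UTC"),
        "c2": c2,
        "attrs": attrs,
    }


def summarise(cfg):
    """Triage view: unique hosts, hosts exposing several ports, port spread."""
    hosts = Counter(h for h, _ in cfg["c2"])
    ports = Counter(p for _, p in cfg["c2"])
    return {
        "unique_hosts": len(hosts),
        "multi_port_hosts": sorted(h for h, n in hosts.items() if n > 1),
        "ports": dict(sorted(ports.items())),
    }


def to_iocs(cfg):
    """One record per C2 endpoint, tagged with the config context."""
    return [
        {"type": "ip-port", "value": f"{h}:{p}", "family": cfg["family"],
         "version": cfg["version"], "botnet": cfg["botnet"]}
        for h, p in cfg["c2"]
    ]


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(cfg["campaign_utc"])
    print(json.dumps(summarise(cfg), indent=2))
    for ioc in to_iocs(cfg):
        print(json.dumps(ioc))
```

Hosts that appear with many ports (12.172.173.82 is listed on nine different ports in the full list above) are worth blocking by address rather than by endpoint; most of the remaining entries on 443, 995 and 2222 are residential addresses acting as proxies, so the host:port pairs age quickly and the version and botnet strings are the more durable pivot.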
Signatures

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious behavior: EnumeratesProcesses (25 IoCs)
Processes:
  pid   Process       hits
  1976  rundll32.exe  1
  580   wermgr.exe    24

Suspicious behavior: MapViewOfSection (1 IoCs)
Processes:
  pid   Process
  1976  rundll32.exe

Suspicious use of WriteProcessMemory (27 IoCs)
Processes:
  pid   Process       wrote to memory of PID  procid_target  hits
  1220  rundll32.exe  2036                    28             7
  1500  cmd.exe       1352                    32             3
  1352  rundll32.exe  1976                    33             7
  1976  rundll32.exe  580                     34             6
  580   wermgr.exe    1552                    35             4

Note: a parent writing into a child it has just created (cmd.exe into rundll32.exe, rundll32.exe into rundll32.exe, wermgr.exe into ping.exe) is expected process-start behaviour and fires this signature on its own. The writes that matter are rundll32.exe (1976) into wermgr.exe (580), which together with the MapViewOfSection hit in 1976 and the process enumeration that then continues from 580 are consistent with the bot injecting itself into wermgr.exe.
Processes

C:\Windows\system32\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\msfilter_1005.dll,#1  [PID 1220]
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\msfilter_1005.dll,#1  [PID 2036]

C:\Windows\system32\verclsid.exe  "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401  [PID 1508]

C:\Windows\system32\cmd.exe  "cmd.exe" /s /k pushd "C:\Users\Admin\AppData\Local\Temp"  [PID 1500]
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\rundll32.exe  rundll32 msfilter_1005.dll,Time  [PID 1352]
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe  rundll32 msfilter_1005.dll,Time  [PID 1976]
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\wermgr.exe  C:\Windows\SysWOW64\wermgr.exe  [PID 580]
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\ping.exe  ping -n 3 yahoo.com  [PID 1552]
          - Runs ping.exe
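The tree above is the detection content of this report: 64-bit rundll32.exe re-executing the 32-bit copy for the DLL, the 32-bit rundll32.exe writing into a freshly started wermgr.exe, and wermgr.exe (which normally starts no children) running ping -n 3 yahoo.com as a connectivity check. The code below turns those parent/child and cross-process-write relationships into rules over process telemetry. It is an added example, not part of the report and not the sandbox's own signature logic; the events are constructed to mirror the tree, the Sysmon-like field names are an assumption, and the parent PID 900 for the two root processes is invented because the report does not show their parent.

```python
"""Match the process chain from the report against process telemetry.

Added example (not from the sandbox report, not its signature code).
EVENTS is constructed from the process tree above; field names are
Sysmon-like and assumed; ppid 900 for the roots is invented.
"""
import re

# Directories a standard user can write to; a DLL loaded from here by
# ordinal (",#1") is the first-stage pattern shown in the report.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")

EVENTS = [
    {"type": "process_create", "pid": 1220, "ppid": 900,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\msfilter_1005.dll,#1"},
    {"type": "process_create", "pid": 2036, "ppid": 1220,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\msfilter_1005.dll,#1"},
    {"type": "process_create", "pid": 1500, "ppid": 900,
     "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'"cmd.exe" /s /k pushd "C:\Users\Admin\AppData\Local\Temp"'},
    {"type": "process_create", "pid": 1352, "ppid": 1500,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": "rundll32 msfilter_1005.dll,Time"},
    {"type": "process_create", "pid": 1976, "ppid": 1352,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": "rundll32 msfilter_1005.dll,Time"},
    {"type": "process_create", "pid": 580, "ppid": 1976,
     "image": r"C:\Windows\SysWOW64\wermgr.exe",
     "cmdline": r"C:\Windows\SysWOW64\wermgr.exe"},
    {"type": "remote_write", "source_pid": 1976, "target_pid": 580},
    {"type": "process_create", "pid": 1552, "ppid": 580,
     "image": r"C:\Windows\SysWOW64\ping.exe",
     "cmdline": "ping -n 3 yahoo.com"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def index_by_pid(events):
    """Map pid -> process_create event for parent lookups."""
    return {e["pid"]: e for e in events if e["type"] == "process_create"}


def ancestry(pid, procs):
    """Image names from pid up to the first unknown parent."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


def detect(events):
    """Return (rule, pid) findings for the patterns in the report."""
    procs = index_by_pid(events)
    findings = []
    for e in events:
        if e["type"] == "process_create":
            img = basename(e["image"])
            parent = procs.get(e["ppid"])
            pimg = basename(parent["image"]) if parent else ""
            cmd = e["cmdline"].lower()
            # rundll32 calling an export by ordinal from a user-writable dir
            if (img == "rundll32.exe" and re.search(r",#\d+\b", cmd)
                    and any(d in cmd for d in USER_WRITABLE)):
                findings.append(("rundll32_ordinal_from_user_dir", e["pid"]))
            # wermgr.exe is normally started by the WER service, not rundll32
            if img == "wermgr.exe" and pimg == "rundll32.exe":
                findings.append(("rundll32_spawns_wermgr", e["pid"]))
            # wermgr.exe has no business spawning ping.exe
            if img == "ping.exe" and pimg == "wermgr.exe":
                findings.append(("wermgr_spawns_ping", e["pid"]))
        elif e["type"] == "remote_write":
            src, dst = procs.get(e["source_pid"]), procs.get(e["target_pid"])
            if (src and dst and basename(src["image"]) == "rundll32.exe"
                    and basename(dst["image"]) == "wermgr.exe"):
                findings.append(("remote_write_into_wermgr", e["target_pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(rule, pid, "<-".join(ancestry(pid, index_by_pid(EVENTS))))
```

The second chain in the report deliberately defeats the command-line rule: cmd.exe first does pushd into the Temp directory, and rundll32 is then given only the relative name msfilter_1005.dll,Time, so neither an ordinal nor a user-writable path appears on the command line. The parent/child and cross-process-write rules still fire on it, which is why they, not the command-line match, carry the detection here. The 64-bit rundll32.exe re-launching its SysWOW64 copy is normal Windows behaviour for a 32-bit DLL and is not flagged on its own.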