Analysis

max time kernel: 150s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-05-2023 17:01

Static task: static1
Behavioral task: behavioral1
  Sample: msfilter_1005.dll
  Resource: win7-20230220-en
General

Target: msfilter_1005.dll
Size: 903KB
MD5: d1618372aba92ed60112c6701297c9c7
SHA1: 0f71ca46a855cc2cd50e1625b6b90258c7c09a35
SHA256: 385306bbbc5c794c1f8232080c6f990b42b88283f32f582e2f4ba906b9308e80
SHA512: dd21d6cbf9dbb596b15e816a26c0e2f476d791811adc27fabfcf50655ee8fc7c30e4497b89dfc72754576422134b6e6946ed4eb82057b32d2c5ff78f9f92f8ea
SSDEEP: 24576:xHA2XMYABs772W/8vLj/9sgR+OVnh8gt42vCkzeztwPOfQWyBZPPdhbBF91Xe9g:FMYABC8vLj/2jA8gxZPPdhbBP1O9g
Malware Config

Extracted
Family: qakbot
Version: 404.1035
Botnet: BB26
Campaign: 1683279184 (Unix time, 2023-05-05 09:33:04 UTC)
C2 (120 entries, ip:port; note that 12.172.173.82 and 70.28.50.223 are listed on many different ports):
27.109.19.90:2078
109.56.235.133:443
92.20.204.198:2222
98.145.23.67:443
50.68.204.71:995
151.55.186.41:443
12.172.173.82:21
70.28.50.223:3389
94.59.122.53:2222
12.172.173.82:32101
24.206.27.39:443
91.169.12.198:32100
12.172.173.82:993
2.82.8.80:443
104.35.24.154:443
5.30.216.183:443
50.68.204.71:443
12.172.173.82:995
103.140.174.20:2222
173.88.135.179:443
71.38.155.217:443
71.34.185.40:443
37.14.229.220:2222
70.28.50.223:1194
161.142.98.36:995
85.53.128.200:3389
24.236.90.196:2078
91.82.3.239:443
45.243.237.211:995
50.68.204.71:993
186.64.67.41:443
172.115.17.50:443
62.35.230.21:995
70.28.50.223:32100
139.226.47.229:995
103.42.86.42:995
35.143.97.145:995
31.53.29.198:2222
211.248.50.162:443
89.114.140.100:443
58.186.75.42:443
82.127.153.75:2222
109.50.128.59:2222
162.248.14.107:443
103.111.70.66:443
100.6.31.96:443
103.141.50.79:995
178.175.187.254:443
125.99.69.178:443
105.184.115.147:995
217.165.234.249:443
12.172.173.82:2087
122.184.143.85:443
69.133.162.35:443
176.142.207.63:443
74.93.148.97:995
12.172.173.82:22
184.182.66.109:443
71.78.95.86:995
70.112.206.5:443
72.134.124.16:443
81.229.117.95:2222
12.172.173.82:20
103.111.70.66:995
201.208.46.165:2222
114.143.176.235:443
103.212.19.254:995
67.10.9.125:995
99.230.89.236:2083
43.243.215.210:443
157.119.85.203:443
12.172.173.82:50001
202.184.123.13:443
77.124.5.149:443
125.99.76.102:443
96.56.197.26:2078
87.243.146.59:443
197.14.179.187:443
197.1.253.66:443
83.92.85.93:443
213.91.235.146:443
90.104.151.37:2222
123.23.65.244:443
78.192.109.105:2222
92.9.45.20:2222
188.28.72.118:443
70.28.50.223:2083
71.104.102.13:2222
122.186.210.254:443
220.240.15.200:443
41.186.88.38:443
85.104.105.67:443
87.57.13.215:443
89.79.229.50:443
2.36.64.159:2078
88.168.199.84:50000
83.114.60.6:2222
92.27.86.48:2222
50.68.186.195:443
92.188.241.102:443
96.87.28.170:2222
92.1.170.110:995
174.4.89.3:443
23.30.173.133:443
70.51.136.238:2222
68.173.170.110:8443
47.21.51.138:443
70.64.77.115:443
76.16.49.134:443
64.121.161.102:443
108.190.115.159:443
98.19.224.125:995
12.172.173.82:465
147.219.4.194:443
86.250.12.86:2222
188.176.171.3:443
88.126.94.4:50000
87.202.101.164:50000
74.92.243.115:50000
98.176.5.56:443
Salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures

- Drops file in System32 directory (1 IoC)
  description: File opened for modification
  ioc: C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk
  process: PowerShell.exe
  Caveat: the process here is the sandbox's own PowerShell.exe launcher (PID 3776 in the process tree) and the path carries an unexpanded %AppData% token; treat this hit as harness noise, not as an indicator for the sample.

- Program crash (1 IoC)
  pid: 4724 (WerFault.exe)
  pid_target: 2188 (rundll32.exe, procid_target 83)
  The crashed process is the 32-bit rundll32.exe that invoked the DLL by ordinal (#1); the later launch through the named export Time did not crash.

- Runs ping.exe (1 TTP, 1 IoC)
  ping -n 3 yahoo.com, run by ping.exe (PID 2572) as a child of wermgr.exe (PID 3408)

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process         count
  3776  PowerShell.exe  3
  2728  rundll32.exe    2
  3408  wermgr.exe      59

- Suspicious behavior: MapViewOfSection (1 IoC)
  pid 2728 rundll32.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 3776 PowerShell.exe

- Suspicious use of WriteProcessMemory (16 IoCs; "PID A wrote to memory of B", grouped)
  source pid  source process  target pid  procid_target  count
  2804        rundll32.exe    2188        83             3
  3776        PowerShell.exe  3420        102            2
  3420        rundll32.exe    2728        103            3
  2728        rundll32.exe    3408        104            5
  3408        wermgr.exe      2572        105            3
Processes
(process tree; indentation shows parent/child, PIDs are the sandbox's; signature hits are listed under the process they fired on)

- C:\Windows\system32\rundll32.exe (PID 2804)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\msfilter_1005.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2188)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\msfilter_1005.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe (PID 4724)
      C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 596
      - Program crash

- C:\Windows\SysWOW64\WerFault.exe (PID 1148)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2188 -ip 2188

- C:\Windows\System32\rundll32.exe (PID 2600)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

- C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe (PID 3776)
  "PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\Users\Admin\AppData\Local\Temp'
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (PID 3420)
    "C:\Windows\system32\rundll32.exe" .\msfilter_1005.dll,Time
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 2728)
      "C:\Windows\system32\rundll32.exe" .\msfilter_1005.dll,Time
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\wermgr.exe (PID 3408)
        C:\Windows\SysWOW64\wermgr.exe
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\ping.exe (PID 2572)
          ping -n 3 yahoo.com
          - Runs ping.exe

Reading the tree: the DLL is 32-bit (resource tag arch:x86), so each 64-bit rundll32.exe hands off to its SysWOW64 copy. The first launch calls the DLL by ordinal (#1) and the 32-bit rundll32.exe (PID 2188) crashes, which is what the two WerFault.exe instances with -p 2188 are handling. The second launch, started from the sandbox's PowerShell harness, calls the named export Time; the 32-bit rundll32.exe (PID 2728) spawns wermgr.exe (PID 3408) and writes into it five times, after which wermgr.exe, not rundll32.exe, is the process that enumerates other processes and runs ping -n 3 yahoo.com as a connectivity check. The rundll32.exe -> wermgr.exe -> ping.exe chain, with the write into wermgr.exe, is the behavioural signal worth keeping from this run; the PowerShell.exe hits belong to the harness.
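The two things a defender lifts out of a report like this are the C2 list in the extracted config and the rundll32.exe -> wermgr.exe -> ping.exe chain in the process tree. The following is an added example, not part of the sandbox report or of the sample: it parses a subset of the C2 list copied from the config above (plus one deliberately malformed line), summarises it, matches constructed flow records against it, and runs a parent/child check over constructed process-creation events modelled on the tree (same images, PIDs and command lines as shown, plus one benign WER chain as a control). The event and flow record formats, the field names, the 10.0.0.x and 203.0.113.x addresses and the benign svchost/wermgr pair are assumptions.

```python
"""Added example: turn the extracted Qakbot C2 list and the observed
rundll32 -> wermgr.exe -> ping.exe chain into offline checks.
Not part of the sandbox report; event/flow formats are assumptions."""
import ipaddress
from collections import Counter

# Subset of the C2 list from the extracted config (copied from the report;
# the full list has 120 entries) plus one malformed line to exercise parsing.
C2_TEXT = """
27.109.19.90:2078
109.56.235.133:443
92.20.204.198:2222
50.68.204.71:995
12.172.173.82:21
70.28.50.223:3389
12.172.173.82:32101
12.172.173.82:993
12.172.173.82:995
68.173.170.110:8443
88.168.199.84:50000
not-an-ip:443
"""


def parse_c2(text):
    """Parse 'ip:port' lines into a set of (ip, port); malformed lines are skipped."""
    out = set()
    for line in text.splitlines():
        host, sep, port = line.strip().rpartition(":")
        if not sep:
            continue
        try:
            out.add((str(ipaddress.ip_address(host)), int(port)))
        except ValueError:
            continue
    return out


def port_histogram(c2):
    """How many C2 entries use each port (the config mixes 443 with 995, 2222, ...)."""
    return Counter(port for _, port in c2)


def multi_port_hosts(c2, min_ports=2):
    """Hosts listed on several ports: candidates for a per-IP rather than per-socket block."""
    ports = {}
    for ip, port in c2:
        ports.setdefault(ip, set()).add(port)
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}


def match_flows(flows, c2):
    """Return (src, dst, dport) flows whose destination socket is in the C2 set."""
    return [f for f in flows if (f[1], f[2]) in c2]


# Constructed process-creation events modelled on the process tree above
# (same images, PIDs and command lines), plus one benign WER chain as a control.
EVENTS = [
    {"pid": 3776, "ppid": 1, "image": r"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe",
     "cmdline": "\"PowerShell.exe\" -noexit -command Set-Location -literalPath 'C:\\Users\\Admin\\AppData\\Local\\Temp'"},
    {"pid": 3420, "ppid": 3776, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r'"C:\Windows\system32\rundll32.exe" .\msfilter_1005.dll,Time'},
    {"pid": 2728, "ppid": 3420, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'"C:\Windows\system32\rundll32.exe" .\msfilter_1005.dll,Time'},
    {"pid": 3408, "ppid": 2728, "image": r"C:\Windows\SysWOW64\wermgr.exe",
     "cmdline": r"C:\Windows\SysWOW64\wermgr.exe"},
    {"pid": 2572, "ppid": 3408, "image": r"C:\Windows\SysWOW64\ping.exe",
     "cmdline": "ping -n 3 yahoo.com"},
    {"pid": 900, "ppid": 700, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k WerSvcGroup"},
    {"pid": 901, "ppid": 900, "image": r"C:\Windows\System32\wermgr.exe",
     "cmdline": "wermgr.exe -upload"},
]


def _is(image, name):
    return image.lower().endswith("\\" + name)


def find_wermgr_chains(events):
    """Flag wermgr.exe whose parent is rundll32.exe and report any ping.exe it spawns.
    A normal wermgr.exe is started by the WER service or its scheduled task, not by rundll32.exe."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not _is(e["image"], "wermgr.exe"):
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or not _is(parent["image"], "rundll32.exe"):
            continue
        pings = [c["cmdline"] for c in events
                 if c["ppid"] == e["pid"] and _is(c["image"], "ping.exe")]
        hits.append({"rundll32_pid": parent["pid"], "rundll32_cmdline": parent["cmdline"],
                     "wermgr_pid": e["pid"], "ping": pings})
    return hits


# Constructed flow records (src, dst, dport); two of them hit the C2 subset.
FLOWS = [("10.0.0.5", "12.172.173.82", 995),
         ("10.0.0.5", "203.0.113.10", 443),
         ("10.0.0.7", "88.168.199.84", 50000)]

if __name__ == "__main__":
    c2 = parse_c2(C2_TEXT)
    print(len(c2), "C2 sockets;", dict(port_histogram(c2)))
    print("multi-port hosts:", multi_port_hosts(c2))
    print("C2 flows:", match_flows(FLOWS, c2))
    for h in find_wermgr_chains(EVENTS):
        print("rundll32 -> wermgr chain:", h)
```

The process check keys on the parent of wermgr.exe rather than on the ping command, because the ping target is trivially changed while the rundll32.exe parent is a structural consequence of how the DLL is run; the control chain (svchost -> wermgr.exe -upload) is what stops it from firing on routine error reporting. The flow matcher is socket-exact on purpose: several of the listed hosts are residential addresses on ports such as 443 and 2222, so blocking by IP alone is a judgement call that multi_port_hosts is meant to inform, not make.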
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82