Analysis
- Max time kernel: 600s
- Max time network: 600s
- Platform: windows7_x64
- Resource: win7-20230220-en
- Resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- Submitted: 10-05-2023 17:49
- Static task: static1
- Behavioral task behavioral1: sample Dropsically.dll, resource win7-20230220-en
- Behavioral task behavioral2: sample Dropsically.dll, resource win10-20230220-en
- Behavioral task behavioral3: sample RunDLL-1.bat, resource win7-20230220-en
General
- Target: RunDLL-1.bat
- Size: 38B
- MD5: 270b2579f9f9c0ddad07b81343c3a6f8
- SHA1: f8dee702280695964fb6ec95dce7f6dccbd4bbd6
- SHA256: 7c88e92b8cccd53631c02f49dd0cf1cd713f590980501328e543f53c3df35140
- SHA512: 0527172b5d5f26b4fcef8fc40ed509c5b39fb7d0c324cd68aeac7b778613da469e77a3b0a4e96b7de6d7594d78919702e72597160a9ac3e204c376ccbc628db7
Malware Config
Extracted
- Family: qakbot
- Version: 404.1038
- Botnet: BB27
- Campaign: 1683720157
- Salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures
- Gathers network information (2 TTPs, 1 IoC)
  Uses commandline utility to view network configuration.
  Processes:
    PID   Process
    2036  ipconfig.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    PID   Process
    1236  rundll32.exe
    1504  wermgr.exe (repeated for all remaining entries)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    PID   Process
    1236  rundll32.exe
- Suspicious use of AdjustPrivilegeToken (26 IoCs)
  Processes:
    Description                      PID   Process
    Token: SeDebugPrivilege          900   whoami.exe (repeated)
    Token: SeRestorePrivilege        1540  msiexec.exe
    Token: SeTakeOwnershipPrivilege  1540  msiexec.exe
    Token: SeSecurityPrivilege       1540  msiexec.exe
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes:
    Description                            PID   Process       procid_target
    PID 1932 wrote to memory of 1596 (x3)  1932  cmd.exe       29
    PID 1596 wrote to memory of 1236 (x7)  1596  rundll32.exe  30
    PID 1236 wrote to memory of 1504 (x6)  1236  rundll32.exe  31
    PID 1504 wrote to memory of 980 (x4)   1504  wermgr.exe    32
    PID 1504 wrote to memory of 2036 (x4)  1504  wermgr.exe    37
    PID 1504 wrote to memory of 900 (x4)   1504  wermgr.exe    39
Processes
- C:\Windows\system32\cmd.exe (PID 1932)
  Command: cmd /c "C:\Users\Admin\AppData\Local\Temp\RunDLL-1.bat"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (PID 1596)
    Command: rundll32.exe Dropsically.Spinose print
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 1236)
      Command: rundll32.exe Dropsically.Spinose print
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\wermgr.exe (PID 1504)
        Command: C:\Windows\SysWOW64\wermgr.exe
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\ping.exe (PID 980)
          Command: ping -n 3 yahoo.com
          - Runs ping.exe
        - C:\Windows\SysWOW64\ipconfig.exe (PID 2036)
          Command: ipconfig /all
          - Gathers network information
        - C:\Windows\SysWOW64\whoami.exe (PID 900)
          Command: whoami /all
          - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\msiexec.exe (PID 1540)
  Command: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 914B
  MD5: e4a68ac854ac5242460afd72481b2a44
  SHA1: df3c24f9bfd666761b268073fe06d1cc8d4f82a4
  SHA256: cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
  SHA512: 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5
- Filesize: 62KB
  MD5: 3ac860860707baaf32469fa7cc7c0192
  SHA1: c33c2acdaba0e6fa41fd2f00f186804722477639
  SHA256: d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
  SHA512: d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c
- Filesize: 1KB
  MD5: a266bb7dcc38a562631361bbf61dd11b
  SHA1: 3b1efd3a66ea28b16697394703a72ca340a05bd5
  SHA256: df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
  SHA512: 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
  Filesize: 252B
  MD5: 081bf738abe7efb6687ff2a64fd44cc5
  SHA1: 9418a60156038f22c57734c5105fad3aa530e3fc
  SHA256: 69b53a80286ddc02c3ce2191abe63388de7732fc42886b03caa77bab17e62e65
  SHA512: 552dba8f8069274dae2cd6c6c2a6821ef7076c62d885bcdae6d91294211c6a07fd396a2599acb9bbd5e8c83a6acc23d465678218f3f27d37bc146b5b76ab6774
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
  Filesize: 242B
  MD5: e21eed460985b69dae4c53ef60ced22c
  SHA1: 6119e6c4634ac155ce5e2f1844bc4adcf25cf442
  SHA256: 8e9d0a5cdbf6dbd65844587293b9ff7bb183a0a40742ff54ec135f7624cb232e
  SHA512: 12d8a73d4aa203001aa8fb4fa93c6dd150f8394b105a862cb5e608013d1e4459cee02f3850d82e63cf401e8e4f6dadd41563a7a8caec084676f2f44fa04f8933
- Filesize: 164KB
  MD5: 4ff65ad929cd9a367680e0e5b1c08166
  SHA1: c0af0d4396bd1f15c45f39d3b849ba444233b3a2
  SHA256: c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
  SHA512: f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27