Analysis
max time kernel: 603s
max time network: 543s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 10-05-2023 17:49
Static task: static1
Behavioral task: behavioral1 (sample Dropsically.dll, resource win7-20230220-en)
Behavioral task: behavioral2 (sample Dropsically.dll, resource win10-20230220-en)
Behavioral task: behavioral3 (sample RunDLL-1.bat, resource win7-20230220-en)
General
Target: RunDLL-1.bat
Size: 38B
MD5: 270b2579f9f9c0ddad07b81343c3a6f8
SHA1: f8dee702280695964fb6ec95dce7f6dccbd4bbd6
SHA256: 7c88e92b8cccd53631c02f49dd0cf1cd713f590980501328e543f53c3df35140
SHA512: 0527172b5d5f26b4fcef8fc40ed509c5b39fb7d0c324cd68aeac7b778613da469e77a3b0a4e96b7de6d7594d78919702e72597160a9ac3e204c376ccbc628db7
Malware Config
Extracted: qakbot
404.1038
BB27
1683720157
C2 (host:port):
197.2.238.177:443
78.130.215.67:443
82.127.153.75:2222
96.56.197.26:2083
89.114.140.100:443
2.237.150.131:2222
69.133.162.35:443
73.29.92.128:443
70.160.67.203:443
79.77.142.22:2222
73.207.160.219:443
12.172.173.82:2087
103.212.19.254:995
188.83.251.100:443
173.61.50.155:3389
87.223.95.250:443
66.180.226.58:2222
84.108.200.161:443
81.224.201.143:2222
70.28.50.223:1194
85.53.128.200:3389
213.197.72.89:443
70.28.50.223:2078
103.140.174.20:2222
85.105.207.126:443
12.172.173.82:22
178.175.187.254:443
31.190.210.188:443
41.227.211.88:443
99.230.89.236:2083
85.104.105.67:443
201.208.135.167:2222
66.191.69.18:995
27.109.19.90:2078
76.170.252.153:995
68.229.150.95:443
24.150.188.234:443
90.165.109.4:2222
139.226.47.229:995
94.204.213.230:443
178.167.139.197:995
173.178.151.233:443
171.96.192.178:443
217.165.234.249:443
200.93.26.107:2222
67.70.122.196:2222
151.55.186.41:443
50.5.45.204:443
92.27.86.48:2222
213.91.235.146:443
71.78.95.86:995
92.9.45.20:2222
2.49.63.193:2222
81.229.117.95:2222
201.244.108.183:995
198.2.51.242:993
12.172.173.82:20
105.184.99.42:995
103.123.223.171:443
70.28.50.223:2083
184.182.66.109:443
70.112.206.5:443
122.184.143.86:443
72.134.124.16:443
99.230.89.236:2078
157.119.85.203:443
90.104.151.37:2222
147.219.4.194:443
103.141.50.79:995
47.34.30.133:443
71.38.155.217:443
85.84.222.49:443
88.126.94.4:50000
188.28.72.118:443
41.186.88.38:443
66.35.125.74:2222
119.82.121.87:443
67.10.9.125:995
149.74.159.67:2222
103.144.201.56:2078
114.143.176.236:443
31.53.29.198:2222
217.44.108.89:2222
81.156.1.223:443
50.68.186.195:443
92.188.241.102:443
47.132.248.132:443
47.205.25.170:443
12.172.173.82:465
12.172.173.82:995
75.143.236.149:443
14.192.241.76:995
94.200.183.66:2222
84.35.26.14:995
86.130.9.208:2222
151.65.214.218:443
174.4.89.3:443
47.21.51.138:443
24.69.137.232:2222
76.16.49.134:443
64.121.161.102:443
98.19.224.125:995
87.202.101.164:50000
78.192.109.105:2222
86.140.160.231:2222
74.92.243.115:50000
73.41.215.237:443
83.92.85.93:443
75.109.111.89:443
75.98.154.19:443
69.119.123.159:2222
2.50.16.167:995
12.172.173.82:21
50.68.204.71:993
70.28.50.223:3389
12.172.173.82:32101
173.88.135.179:443
67.219.197.94:443
109.159.119.82:2222
76.64.99.251:2222
salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures
Gathers network information (2 TTPs, 1 IoC)
  Uses commandline utility to view network configuration.
  Processes: PID 4548 ipconfig.exe
Runs ping.exe (1 TTP, 1 IoC)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: PID 4252 rundll32.exe (2 entries); PID 4292 wermgr.exe (62 entries)
Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: PID 4252 rundll32.exe
Suspicious use of AdjustPrivilegeToken (28 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege / 3560 / whoami.exe (27 entries)
    Token: SeSecurityPrivilege / 3752 / msiexec.exe (1 entry)
Suspicious use of WriteProcessMemory (19 IoCs)
  Processes (description / pid / process / procid_target):
    PID 3648 wrote to memory of 2372 / 3648 / cmd.exe / 67 (2 entries)
    PID 2372 wrote to memory of 4252 / 2372 / rundll32.exe / 68 (3 entries)
    PID 4252 wrote to memory of 4292 / 4252 / rundll32.exe / 69 (5 entries)
    PID 4292 wrote to memory of 4844 / 4292 / wermgr.exe / 70 (3 entries)
    PID 4292 wrote to memory of 4548 / 4292 / wermgr.exe / 73 (3 entries)
    PID 4292 wrote to memory of 3560 / 4292 / wermgr.exe / 75 (3 entries)
Processes (image: command line, indented by parent/child depth)
C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RunDLL-1.bat"  (PID 3648)
    - Suspicious use of WriteProcessMemory
  C:\Windows\system32\rundll32.exe: rundll32.exe Dropsically.Spinose print  (PID 2372)
      - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe: rundll32.exe Dropsically.Spinose print  (PID 4252)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\wermgr.exe: C:\Windows\SysWOW64\wermgr.exe  (PID 4292)
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\ping.exe: ping -n 3 yahoo.com  (PID 4844)
            - Runs ping.exe
        C:\Windows\SysWOW64\ipconfig.exe: ipconfig /all  (PID 4548)
            - Gathers network information
        C:\Windows\SysWOW64\whoami.exe: whoami /all  (PID 3560)
            - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\msiexec.exe: C:\Windows\system32\msiexec.exe /V  (PID 3752)
    - Suspicious use of AdjustPrivilegeToken