Analysis
max time kernel: 149s
max time network: 34s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 11-05-2023 14:15
Static task: static1
Behavioral task: behavioral1
Sample: XyU8ZgqTP.dll
Resource: win7-20230220-en

General
Target: XyU8ZgqTP.dll
Size: 627KB
MD5: 8913a9551b5895bd57370f88274c80c2
SHA1: 111d5ca894dc029d576a779a4b20ee5728a5db75
SHA256: 0bb71786dd42fced85fd4d47da823753e83a5cb6af260bf67bb116905c8328d3
SHA512: 684acadf678a8aee29df09c80d1f121474cc00d316b6f8407bc99e76f20ff7a54d3f1c6b3fdbcd56e494b07a1908fd83c57a3148970da839d6f4668820363e92
SSDEEP: 12288:qzbDRgCdJy+vKjt/hp2JIdK6DOAj/di+I/dzAwuFQ5fC:qXVgoy+YdbKh6DOAjVi6wuFQ5fC
Malware Config
Extracted family: qakbot
Extracted values: 404.1038, BB27, 1683811051
C2 addresses: list of 119 IP:port pairs omitted
salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: rundll32.exe (PID 1496, 1 entry); wermgr.exe (PID 2032, the remaining 63 entries)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: rundll32.exe (PID 1496)
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (source PID wrote to memory of target PID):
  PID 912 rundll32.exe wrote to memory of PID 1496 (procid_target 26), 7 entries
  PID 1496 rundll32.exe wrote to memory of PID 2032 (procid_target 27), 6 entries
  PID 2032 wermgr.exe wrote to memory of PID 824 (procid_target 28), 4 entries
Processes
- C:\Windows\system32\rundll32.exe (PID 912)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\XyU8ZgqTP.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1496)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\XyU8ZgqTP.dll,#1
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\wermgr.exe (PID 2032)
      Command line: C:\Windows\SysWOW64\wermgr.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\ping.exe (PID 824)
        Command line: ping -n 3 yahoo.com
        - Runs ping.exe