Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-06-2023 01:43
Static task: static1
Behavioral task: behavioral1
Sample: consumptions.dll
Resource: win7-20230220-en
General
Target: consumptions.dll
Size: 850KB
MD5: 8512b9f61020a48cd2ddc13877c1b21c
SHA1: ad55d9ac7fa46cb4281579764a5e20bcf7684671
SHA256: 3926f35d483cd224e107a1167844dbe872fd28a7bebfcca3492e9da4ebbe98e8
SHA512: b79a7f7c5b25f76fb9541edb4bf45f37c68003eaea75f74cdffaba617a60b495aeec8bd64abc82296123d62095dcf319ae7ae196e75e99fa51b8fe34ed922328
SSDEEP: 12288:ovXYcP7kXn89DhAw1aUN3RFEycMFSDXxqEbHXeL/Lt72G3v0ch:mvTkXnyD6ORDccmEs3M/Lt72G3v0
Malware Config
Extracted
qakbot
404.1346
BB30
1685604052
47.199.241.39:443
93.147.235.8:443
75.141.227.169:443
45.243.142.31:995
79.92.15.6:443
85.104.105.67:443
89.129.109.27:2222
86.176.83.44:2222
24.234.220.88:993
89.32.156.5:995
12.172.173.82:22
103.101.203.177:443
70.28.50.223:2083
98.187.21.2:443
70.49.205.198:2222
96.56.197.26:2222
92.9.45.20:2222
86.195.14.72:2222
172.115.17.50:443
100.4.163.158:2222
80.12.88.148:2222
213.64.33.92:2222
113.11.92.30:443
78.192.109.105:2222
47.34.30.133:443
122.184.143.86:443
198.2.51.242:993
165.120.169.171:2222
88.126.94.4:50000
82.125.44.236:2222
117.195.16.105:993
147.219.4.194:443
80.167.196.79:443
92.154.17.149:2222
184.181.75.148:443
95.45.50.93:2222
84.35.26.14:995
201.143.215.69:443
12.172.173.82:2087
50.68.204.71:443
64.121.161.102:443
2.82.8.80:443
79.77.142.22:2222
12.172.173.82:995
223.166.13.95:995
72.134.124.16:443
213.55.33.103:443
183.87.163.165:443
174.4.89.3:443
27.253.11.10:2222
2.49.63.160:2222
92.186.69.229:2222
69.133.162.35:443
81.111.108.123:443
12.172.173.82:20
188.28.19.84:443
90.29.86.138:2222
70.160.67.203:443
186.64.67.30:443
5.107.153.132:2222
125.63.125.205:2078
2.36.64.159:2078
71.38.155.217:443
205.237.67.69:995
70.64.77.115:443
24.234.220.88:990
96.56.197.26:2083
70.28.50.223:2078
103.123.223.133:443
199.27.66.213:443
83.249.198.100:2222
94.204.202.106:443
77.126.99.230:443
72.205.104.134:443
65.95.141.84:2222
173.88.135.179:443
220.240.164.182:443
96.87.28.170:2222
176.142.207.63:443
12.172.173.82:32101
70.50.83.216:2222
161.142.103.187:995
45.62.70.33:443
24.234.220.88:465
103.141.50.43:995
90.7.72.46:2222
76.178.148.107:2222
116.74.163.130:443
46.246.254.242:995
70.28.50.223:2087
12.172.173.82:465
178.175.187.254:443
27.0.48.233:443
83.110.223.61:443
184.182.66.109:443
70.28.50.223:32100
50.68.204.71:993
70.28.50.223:3389
50.68.186.195:443
47.205.25.170:443
12.172.173.82:993
76.170.252.153:995
69.242.31.249:443
79.168.224.165:2222
75.143.236.149:443
14.192.241.76:995
81.229.117.95:2222
98.145.23.67:443
98.37.25.99:443
69.160.121.6:61201
12.172.173.82:21
75.109.111.89:443
76.86.31.59:443
80.6.50.34:443
116.120.145.170:995
201.244.108.183:995
58.186.75.42:443
68.203.69.96:443
47.149.134.231:443
Signatures

Drops file in System32 directory (1 IoC)
  Process: PowerShell.exe
  Description: File opened for modification
  IoC: C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk

Program crash (1 IoC)
  Process: WerFault.exe (PID 1472)
  Target process: rundll32.exe (PID 3536)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: PowerShell.exe (PID 4376, 2 entries), rundll32.exe (PID 3272, 2 entries), wermgr.exe (PID 4764, all remaining entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: PowerShell.exe (PID 4376)
  Description: Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (14 IoCs)
  PID 4376 (rundll32.exe) wrote to memory of PID 3536 (rundll32.exe): 3 entries
  PID 4376 (PowerShell.exe) wrote to memory of PID 2768 (rundll32.exe): 2 entries
  PID 2768 (rundll32.exe) wrote to memory of PID 3272 (rundll32.exe): 3 entries
  PID 3272 (rundll32.exe) wrote to memory of PID 4764 (wermgr.exe): 6 entries
Processes

- C:\Windows\system32\rundll32.exe (PID 4376)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\consumptions.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 3536)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\consumptions.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe (PID 1472)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 600
      Signatures: Program crash

- C:\Windows\SysWOW64\WerFault.exe (PID 4456)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3536 -ip 3536

- C:\Windows\System32\rundll32.exe (PID 2300)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

- C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe (PID 4376)
  Command line: "PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\Users\Admin\AppData\Local\Temp'
  Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (PID 2768)
    Command line: "C:\Windows\system32\rundll32.exe" .\consumptions.dll,next
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 3272)
      Command line: "C:\Windows\system32\rundll32.exe" .\consumptions.dll,next
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\wermgr.exe (PID 4764)
        Command line: C:\Windows\SysWOW64\wermgr.exe
        Signatures: Suspicious behavior: EnumeratesProcesses
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82