Analysis
-
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-06-2023 16:30 (2 June 2023)
Static task: static1
Behavioral task: behavioral1
Sample: cultivation.dll
Resource: win7-20230220-en
General
-
Target: cultivation.dll
Size: 608KB
MD5: 1158d283b86f29437b945dcbff15d271
SHA1: d0ca7f3b857ba502282a82ae999f9cb16252221b
SHA256: 7e4d95082a010230aa024ac125e0adfffcfa914152219b2ef32b6893fe5ab9d7
SHA512: 6c69233ce82b1d9794cd995748b634060f2205ca16729f571cc997d35e4034ea6738d0169efec66248e3828a152356d66b27fd7dfe41a7e187ca63fd3b00d1e5
SSDEEP: 12288:zDxy+2MIBYYimb3oG11xfTUUk0uU7/GQ4vbnWj6:Pg+2MIBYkb4G11hTQ05bGM
Malware Config
Extracted
Family: qakbot
Version: 404.1346
Botnet: BB30
Campaign: 1685686808 (Unix epoch, 2023-06-02 06:20:08 UTC)
C2 (ip:port):
86.173.2.12:2222
92.9.45.20:2222
100.4.163.158:2222
213.64.33.92:2222
75.98.154.19:443
78.192.109.105:2222
88.126.94.4:50000
70.28.50.223:2083
92.154.17.149:2222
24.234.220.88:993
87.252.106.39:995
174.4.89.3:443
12.172.173.82:20
90.29.86.138:2222
70.160.67.203:443
223.166.13.95:995
184.181.75.148:443
95.45.50.93:2222
201.143.215.69:443
64.121.161.102:443
2.82.8.80:443
188.28.19.84:443
81.101.185.146:443
79.77.142.22:2222
84.215.202.8:443
183.87.163.165:443
74.12.147.139:2078
74.12.147.139:2222
74.12.147.139:2083
70.28.50.223:2078
94.204.202.106:443
87.221.153.182:2222
70.28.50.223:2087
24.234.220.88:990
2.49.63.160:2222
72.205.104.134:443
199.27.66.213:443
83.249.198.100:2222
90.104.151.37:2222
116.75.63.183:443
117.195.17.148:993
77.126.99.230:443
45.62.70.33:443
24.234.220.88:465
203.109.44.236:995
75.109.111.89:443
161.142.103.187:995
77.86.98.236:443
147.147.30.126:2222
124.246.122.199:2222
103.123.223.133:443
180.151.19.13:2078
176.142.207.63:443
12.172.173.82:32101
103.140.174.20:2222
70.50.83.216:2222
12.172.173.82:465
38.2.18.164:443
93.187.148.45:995
70.64.77.115:443
12.172.173.82:21
70.49.205.198:2222
27.0.48.233:443
12.172.173.82:50001
83.110.223.61:443
103.141.50.43:995
85.101.239.116:443
103.42.86.42:995
92.1.170.110:995
81.229.117.95:2222
124.122.47.148:443
103.212.19.254:995
103.139.242.6:443
125.99.76.102:443
50.68.186.195:443
47.205.25.170:443
12.172.173.82:993
12.172.173.82:22
70.28.50.223:32100
79.168.224.165:2222
121.121.108.120:995
69.160.121.6:61201
200.84.211.255:2222
201.244.108.183:995
93.187.148.45:443
85.61.165.153:2222
184.182.66.109:443
175.156.217.7:2222
70.28.50.223:3389
114.143.176.236:443
65.95.141.84:2222
80.6.50.34:443
12.172.173.82:2087
47.199.241.39:443
66.241.183.99:443
113.11.92.30:443
186.75.95.6:443
125.99.69.178:443
109.130.247.84:2222
96.56.197.26:2222
70.50.1.252:2222
91.160.70.68:32100
67.70.120.249:2222
209.171.160.69:995
98.163.227.79:443
176.133.4.230:995
24.234.220.88:995
45.62.75.250:443
200.44.198.47:2222
173.17.45.60:443
5.192.141.228:2222
184.63.133.131:995
78.82.143.154:2222
73.88.173.113:443
181.4.225.225:443
24.234.220.88:443
174.58.146.57:443
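The extracted config above is only useful once it is turned into something a network sensor can consume. The script below is an added example, not the sandbox's extractor or any code from this report: it parses a config block in the layout printed above (family, version, botnet, campaign timestamp, then one ip:port per line), validates each C2 entry, groups the ports that Qakbot lists per host, and emits one Suricata rule per host. The input is a subset of the report's own C2 list; reading the four header fields as family, version, botnet and campaign timestamp is an assumption of this example.

```python
"""Parse the Qakbot config block as printed in the report and turn its C2 list
into grouped IoCs and Suricata rules.

Added example; not the sandbox's extractor or any code from the report. The
input is a subset of the "Extracted" block above. Reading the four header
fields as family, version, botnet and campaign timestamp is an assumption."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed input: the report's header fields plus 19 of its 117 C2 entries.
CONFIG_TEXT = """\
qakbot
404.1346
BB30
1685686808
86.173.2.12:2222
75.98.154.19:443
12.172.173.82:20
70.28.50.223:2083
24.234.220.88:993
74.12.147.139:2078
74.12.147.139:2222
74.12.147.139:2083
70.28.50.223:2078
12.172.173.82:32101
12.172.173.82:465
12.172.173.82:21
12.172.173.82:50001
12.172.173.82:993
12.172.173.82:22
70.28.50.223:32100
70.28.50.223:3389
12.172.173.82:2087
24.234.220.88:443
"""

C2_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def parse_qakbot_config(text):
    """Split the block into header fields and a validated list of (ip, port)."""
    header, c2s = [], []
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        m = C2_RE.match(line)
        if not m:
            header.append(line)
            continue
        ip, port = m.group(1), int(m.group(2))
        # Drop anything that is not a public IPv4 with a usable port, so a
        # malformed or planted entry never lands in a block list.
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if not addr.is_global or not 0 < port < 65536:
            continue
        c2s.append((ip, port))
    if len(header) != 4:
        raise ValueError(f"expected 4 header fields, got {header!r}")
    family, version, botnet, ts = header
    return {
        "family": family,
        "version": version,
        "botnet": botnet,
        "campaign_ts": int(ts),
        "campaign_utc": datetime.fromtimestamp(int(ts), tz=timezone.utc).isoformat(),
        "c2": c2s,
    }


def c2_by_host(c2s):
    """Group ports per host; Qakbot lists the same IP under several ports."""
    hosts = defaultdict(set)
    for ip, port in c2s:
        hosts[ip].add(port)
    return {ip: sorted(ports) for ip, ports in hosts.items()}


def suricata_rules(config, sid_base=9000000):
    """One outbound TCP rule per C2 host, matching any of its listed ports."""
    rules = []
    for i, (ip, ports) in enumerate(sorted(c2_by_host(config["c2"]).items())):
        port_list = "[" + ",".join(str(p) for p in ports) + "]"
        msg = f"{config['family']} {config['botnet']} C2 {ip}"
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port_list} (msg:"{msg}"; '
            f"sid:{sid_base + i}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    cfg = parse_qakbot_config(CONFIG_TEXT)
    print(cfg["family"], cfg["version"], cfg["botnet"], cfg["campaign_utc"])
    for rule in suricata_rules(cfg):
        print(rule)
```

Grouping by host matters in practice: the same address appears up to eight times in this config with different ports, and a rule per line would inflate the ruleset and the alert volume without adding coverage. The public-address check is there because a mis-parsed header field or a decoy RFC 1918 entry must never become a block rule.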
Signatures
-
Drops file in System32 directory (1 IoC)
  description: File opened for modification
  ioc: C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk
  process: PowerShell.exe
-
Program crash (1 IoC)
  pid 4332 WerFault.exe, target pid 1436 rundll32.exe
-
Suspicious behavior: EnumeratesProcesses (55 IoCs)
  4848 PowerShell.exe (3 hits)
  4704 rundll32.exe (2 hits)
  4396 wermgr.exe (remaining 50 hits)
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 4848 PowerShell.exe
  Token: SeManageVolumePrivilege, pid 2796 svchost.exe
-
Suspicious use of WriteProcessMemory (14 IoCs)
  PID 1400 rundll32.exe wrote to memory of 1436 rundll32.exe (3 hits)
  PID 4848 PowerShell.exe wrote to memory of 1416 rundll32.exe (2 hits)
  PID 1416 rundll32.exe wrote to memory of 4704 rundll32.exe (3 hits)
  PID 4704 rundll32.exe wrote to memory of 4396 wermgr.exe (6 hits)
Processes
-
C:\Windows\system32\rundll32.exe (PID 1400)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cultivation.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 1436)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cultivation.dll,#1
    C:\Windows\SysWOW64\WerFault.exe (PID 4332)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 600
      - Program crash
-
C:\Windows\SysWOW64\WerFault.exe (PID 856)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1436 -ip 1436
-
C:\Windows\System32\rundll32.exe (PID 3564)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
-
C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe (PID 4848)
  Command line: "PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\Users\Admin\AppData\Local\Temp'
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\rundll32.exe (PID 1416)
    Command line: "C:\Windows\system32\rundll32.exe" .\cultivation.dll,next
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe (PID 4704)
      Command line: "C:\Windows\system32\rundll32.exe" .\cultivation.dll,next
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\wermgr.exe (PID 4396)
        Command line: C:\Windows\SysWOW64\wermgr.exe
        - Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\rundll32.exe (PID 4976)
  Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
-
C:\Windows\System32\svchost.exe (PID 2796)
  Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  - Suspicious use of AdjustPrivilegeToken
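The tree above shows two runs of the DLL: export #1 invoked directly from Temp (PID 1400, whose 32-bit child 1436 crashed into WerFault), and export "next" invoked with a relative path after PowerShell had set the working directory to Temp (PID 1416), whose 32-bit child 4704 then wrote into a freshly spawned wermgr.exe (PID 4396). The detection below is an added example, not code from the sandbox or the report: it runs two rules over process-creation events, rundll32 loading a DLL from a relative or user-writable path, and wermgr.exe started by anything other than the WER service host. The events are constructed to mirror the report's tree (PIDs, images and command lines copied from it) plus two invented benign look-alikes; the Sysmon-style field names and the svchost.exe parent baseline for wermgr.exe are assumptions of this example.

```python
"""Flag the execution chain in the report's process tree from process-creation
telemetry.

Added example, not code from the sandbox or the report. Events mirror the
report's tree; the two look-alikes marked "constructed" are invented. The
event schema and the wermgr.exe parent baseline are assumptions."""
import re


def proc(pid, ppid, image, cmd):
    return {"pid": pid, "ppid": ppid, "image": image, "cmd": cmd}


EVENTS = [
    # From the report: export #1 run from Temp, 64-bit rundll32 relaunching 32-bit.
    proc(1400, 0, r"C:\Windows\system32\rundll32.exe",
         r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\cultivation.dll,#1"),
    proc(1436, 1400, r"C:\Windows\SysWOW64\rundll32.exe",
         r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\cultivation.dll,#1"),
    # From the report: PowerShell sets CWD to Temp, export "next" is run with a
    # relative DLL path, and the 32-bit rundll32 spawns wermgr.exe.
    proc(4848, 0, r"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe",
         r"PowerShell.exe -noexit -command Set-Location -literalPath 'C:\Users\Admin\AppData\Local\Temp'"),
    proc(1416, 4848, r"C:\Windows\system32\rundll32.exe",
         r'"C:\Windows\system32\rundll32.exe" .\cultivation.dll,next'),
    proc(4704, 1416, r"C:\Windows\SysWOW64\rundll32.exe",
         r'"C:\Windows\system32\rundll32.exe" .\cultivation.dll,next'),
    proc(4396, 4704, r"C:\Windows\SysWOW64\wermgr.exe", r"C:\Windows\SysWOW64\wermgr.exe"),
    # From the report: a benign rundll32 of a system DLL.
    proc(4976, 0, r"C:\Windows\system32\rundll32.exe",
         r'"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe'),
    # Constructed (not in the report): wermgr.exe started by the WER service host.
    proc(9001, 0, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k WerSvcGroup"),
    proc(9002, 9001, r"C:\Windows\System32\wermgr.exe", r"C:\Windows\System32\wermgr.exe -upload"),
]

# rundll32 <dll>,<export>: the DLL may be quoted, the export is #ordinal or a name.
RUNDLL_RE = re.compile(r'rundll32\.exe"?\s+"?([^",]+?)"?\s*,\s*(\S+)', re.IGNORECASE)
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rundll32_target(cmd):
    """Return (dll, export) from a rundll32 command line, or None."""
    m = RUNDLL_RE.search(cmd)
    return (m.group(1), m.group(2)) if m else None


def dll_is_untrusted(dll):
    d = dll.lower()
    # A relative path is resolved against the process CWD, which the report's
    # PowerShell had pointed at Temp; treat it like a user-writable location.
    if not re.match(r"^[a-z]:\\", d):
        return True
    return any(s in d for s in USER_WRITABLE)


def ancestry(by_pid, pid):
    """Image basenames from pid up to the root, for alert context."""
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    """Return (pid, rule, detail) tuples for events that match either rule."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = basename(parent["image"]) if parent else "<none>"
        if name == "rundll32.exe":
            tgt = rundll32_target(e["cmd"])
            if tgt and dll_is_untrusted(tgt[0]):
                alerts.append((e["pid"], "rundll32 loads DLL from relative or user-writable path",
                               f"{tgt[0]},{tgt[1]}"))
        # wermgr.exe is normally started by the WER service host (svchost.exe);
        # Qakbot uses it as an injection target, so any other parent is suspect.
        # The baseline is an assumption: tune it against your own telemetry.
        elif name == "wermgr.exe" and pname != "svchost.exe":
            alerts.append((e["pid"], "wermgr.exe spawned by unexpected parent",
                           " <- ".join(ancestry(by_pid, e["pid"]))))
    return alerts


if __name__ == "__main__":
    for pid, rule, detail in detect(EVENTS):
        print(pid, rule, detail)
```

The relative-path rule is what separates the second run from the first: the command line `.\cultivation.dll,next` contains no Temp path at all, so a detection that only looks for `\AppData\` or `\Temp\` in the rundll32 arguments misses it. The parent check on wermgr.exe is the higher-confidence signal, since the report's WriteProcessMemory signature shows the 32-bit rundll32 (PID 4704) writing into that child six times.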
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82