Analysis
Max time kernel: 150s
Max time network: 126s
Platform: windows10-2004_x64
Resource: win10v2004-20230220-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 02-06-2023 16:47

Tasks
Static task: static1
Behavioral task: behavioral1
Sample: signed.dll
Resource: win7-20230220-en
General
Target: signed.dll
Size: 741KB
MD5: a2534bda086138188454ffa0886a172e
SHA1: 535690ce12e70a1e4c27e73c9647448e723ebd7d
SHA256: b1b051dc581d66254abf6b827d521f0dd840838f558bee7645185955cbecc9a1
SHA512: c62cd1c3a065dbcf74256abbae7786e29ebbde5cc1a3c8039c5512d9c7bfd9c06c5e4da571a5c65884a5cbcc4ff2a308ee021c796984b14aeeeb79d87ae06f07
SSDEEP: 12288:zDxy+2MIBYYimb3oG11xfTUUk0uU7/GQ4vbnWj69N:Pg+2MIBYkb4G11hTQ05bGM
Malware Config
Extracted family: qakbot
404.1346
BB30
1685686808
Signatures

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: rundll32.exe, wermgr.exe
  pid   process
  4124  rundll32.exe
  4124  rundll32.exe
  3068  wermgr.exe   (repeated for the remaining IoCs of this signature)

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: rundll32.exe, rundll32.exe
  description                        pid   process       target process
  PID 4996 wrote to memory of 4124   4996  rundll32.exe  rundll32.exe   (3 occurrences)
  PID 4124 wrote to memory of 3068   4124  rundll32.exe  wermgr.exe     (6 occurrences)
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\signed.dll,next
   PID: 4996
   Signatures: Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\signed.dll,next
      PID: 4124
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\wermgr.exe
         Command line: C:\Windows\SysWOW64\wermgr.exe
         PID: 3068
         Signatures: Suspicious behavior: EnumeratesProcesses