Analysis
- max time kernel: 151s
- max time network: 32s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 06-06-2023 18:53
Static task: static1
Behavioral task behavioral1: sample qak.bat, resource win7-20230220-en
Behavioral task behavioral2: sample qak.bat, resource win10v2004-20230220-en
Behavioral task behavioral3: sample qak.dll, resource win7-20230220-en
Behavioral task behavioral4: sample qak.dll, resource win10v2004-20230220-en
General
- Target: qak.bat
- Size: 25B
- MD5: 424453ad642c8ce93f83050149acf5fd
- SHA1: f4a96928b74f7f3ff0166d4994f9655212e0dabc
- SHA256: 5235bde4a41039070e2bb59ab109bc9fd131fe3a407f5efa59f9165c3f638e96
- SHA512: 9b2cce8aeda846fac949f1e209c76f0f60025ab8bff14e3277e1800864e53374e845adda77f4db37de3b28c2e13d5a2986b9f3f50642093421e5217e501fc4c7
Malware Config
Extracted: qakbot
- 404.1346
- BB31
- 1685959443
Signatures
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: rundll32.exe (PID 1968), taskmgr.exe (PID 1448), wermgr.exe (PID 1452)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: taskmgr.exe (PID 1448)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: taskmgr.exe (PID 1448), Token: SeDebugPrivilege
- Suspicious use of FindShellTrayWindow (37 IoCs)
  Processes: taskmgr.exe (PID 1448)
- Suspicious use of SendNotifyMessage (37 IoCs)
  Processes: taskmgr.exe (PID 1448)
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes:
  - PID 2000 cmd.exe wrote to memory of PID 1996 rundll32.exe (3 events)
  - PID 1996 rundll32.exe wrote to memory of PID 1968 rundll32.exe (7 events)
  - PID 1968 rundll32.exe wrote to memory of PID 1452 wermgr.exe (7 events)
Processes
- C:\Windows\system32\cmd.exe (PID 2000), command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\qak.bat"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (PID 1996), command line: rundll32.exe qak.dll,next
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 1968), command line: rundll32.exe qak.dll,next
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\wermgr.exe (PID 1452), command line: C:\Windows\SysWOW64\wermgr.exe
        - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskmgr.exe (PID 1448), command line: "C:\Windows\system32\taskmgr.exe" /4
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage