Analysis
max time kernel: 600s
max time network: 603s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 12-06-2023 18:08
Behavioral task: behavioral1
Sample: 66bd4ee25df0e3dd99a0c1839afb5699f52667a2feeaa4091cc8eb18543fbc67.dll
Resource: win7-20230220-en
General
Target: 66bd4ee25df0e3dd99a0c1839afb5699f52667a2feeaa4091cc8eb18543fbc67.dll
Size: 131KB
MD5: c46fef76655df08967c3056cdbc67c15
SHA1: 5724e8f56359ef60b146a99c978224ddcbdb6b81
SHA256: 66bd4ee25df0e3dd99a0c1839afb5699f52667a2feeaa4091cc8eb18543fbc67
SHA512: 702d51ff95504797ac06d3569a07f8db3fd3835563f26dd11f9bf98b83438d2908a45223d6ecc2a1c11665241bce435836813ed5063612789e9f56996f447056
SSDEEP: 3072:hg0KGh5Z8j3EzihlFsUA9QJb4VMHT8TBff5BQ:dKGJGEz+lOB2JEVMHT8TB3bQ
Malware Config
Extracted
Family: qakbot
Version: 404.1035
Botnet: obama261
Campaign: 1683268508 (Unix timestamp, 2023-05-05 06:35:08 UTC)
C2 (ip:port, one peer per line):
174.4.89.3:443
23.30.173.133:443
70.51.136.238:2222
68.173.170.110:8443
47.21.51.138:443
70.64.77.115:443
76.16.49.134:443
64.121.161.102:443
108.190.115.159:443
98.19.224.125:995
12.172.173.82:465
147.219.4.194:443
86.250.12.86:2222
188.176.171.3:443
88.126.94.4:50000
87.202.101.164:50000
74.92.243.115:50000
98.176.5.56:443
198.2.51.242:993
75.98.154.19:443
86.130.9.128:2222
92.186.69.229:2222
85.61.165.153:2222
24.69.137.232:2222
173.184.44.185:443
99.230.89.236:2078
47.205.25.170:443
147.147.30.126:2222
75.109.111.89:443
197.94.78.32:443
96.56.197.26:2222
12.172.173.82:995
93.150.183.229:2222
75.143.236.149:443
14.192.241.76:995
76.86.31.59:443
80.6.50.34:443
184.153.132.82:443
201.244.108.183:995
193.253.53.157:2078
89.129.109.27:2222
102.157.51.147:443
109.159.119.82:2222
103.123.223.171:443
70.28.50.223:1194
161.142.98.36:995
50.68.204.71:993
186.64.67.41:443
172.115.17.50:443
68.229.150.95:443
70.28.50.223:32100
98.145.23.67:443
50.68.204.71:995
96.56.197.26:2083
12.172.173.82:21
110.226.182.175:443
70.28.50.223:3389
85.53.128.200:3389
12.172.173.82:32101
176.133.4.230:995
94.59.122.53:2222
24.206.27.39:443
91.169.12.198:32100
151.55.186.41:443
12.172.173.82:993
2.82.8.80:443
104.35.24.154:443
103.140.174.20:2222
5.30.216.183:443
50.68.204.71:443
173.88.135.179:443
71.38.155.217:443
71.34.185.40:443
35.143.97.145:995
211.248.50.162:443
98.147.155.235:443
162.248.14.107:443
103.111.70.66:443
139.226.47.229:995
103.42.86.42:995
27.0.48.233:443
174.58.146.57:443
103.141.50.79:995
178.175.187.254:443
125.99.69.178:443
217.165.234.249:443
83.92.85.93:443
213.91.235.146:443
90.104.151.37:2222
78.192.109.105:2222
92.9.45.20:2222
70.28.50.223:2083
12.172.173.82:2087
122.184.143.85:443
76.178.148.107:2222
69.133.162.35:443
74.93.148.97:995
184.182.66.109:443
71.78.95.86:995
70.112.206.5:443
58.162.223.233:443
81.229.117.95:2222
72.134.124.16:443
12.172.173.82:20
201.208.46.165:2222
67.10.9.125:995
188.28.72.118:443
99.230.89.236:2083
43.243.215.210:443
157.119.85.203:443
12.172.173.82:50001
77.124.5.149:443
98.37.25.99:443
96.56.197.26:2078
103.113.68.33:443
176.142.207.63:443
58.186.75.42:443
12.172.173.82:22
114.143.176.235:443
Attributes
salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
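The C2 list above is only useful once it is validated, deduplicated and turned into something a sensor can consume. The following is an added example, not part of the sandbox report: it parses ip:port lines, drops anything that is not a public IPv4 peer with a valid port, groups ports per host (the config lists the same host, for instance 12.172.173.82, on many different ports), and emits one Suricata rule per peer. The rule message text, the SID range starting at 9000001 and the $HOME_NET variable are illustrative choices; C2_SUBSET is a constructed excerpt of the config above with one duplicate added to exercise deduplication. Pass the full list to parse_c2() to process the whole config.

```python
"""Validate, deduplicate and export the Qakbot C2 peers from an extracted config.

Added example; not part of the sandbox report. Rule msg text, SID base and
$HOME_NET are assumptions.
"""
import ipaddress
from collections import defaultdict

# Constructed excerpt of the "C2" entries from the config above.
# The final line is a deliberate duplicate of an earlier entry.
C2_SUBSET = """
174.4.89.3:443
23.30.173.133:443
70.51.136.238:2222
12.172.173.82:465
12.172.173.82:995
12.172.173.82:21
12.172.173.82:32101
12.172.173.82:993
12.172.173.82:2087
12.172.173.82:20
12.172.173.82:50001
12.172.173.82:22
70.28.50.223:1194
70.28.50.223:32100
70.28.50.223:3389
70.28.50.223:2083
98.19.224.125:995
12.172.173.82:995
"""


def parse_c2(text):
    """Return a sorted, deduplicated list of (ip, port) tuples.

    Lines that are not a public IPv4 address plus a port in 1..65535 are
    skipped, so stray config fields (e.g. the salt) cannot leak into rules.
    """
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        host, _, port_s = line.rpartition(":")
        try:
            ip = ipaddress.ip_address(host)
            port = int(port_s)
        except ValueError:
            continue
        if ip.version != 4 or not ip.is_global or not 1 <= port <= 65535:
            continue
        seen.add((str(ip), port))
    return sorted(seen, key=lambda t: (ipaddress.ip_address(t[0]), t[1]))


def ports_by_host(c2):
    """Group the listed ports per IP address (sorted ascending)."""
    groups = defaultdict(list)
    for ip, port in c2:
        groups[ip].append(port)
    return {ip: sorted(ports) for ip, ports in groups.items()}


def suricata_rules(c2, botnet, base_sid=9000001):
    """One 'alert tcp' rule per (ip, port); base_sid is assumed free locally."""
    rules = []
    for i, (ip, port) in enumerate(c2):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"Qakbot C2 {botnet} {ip}:{port}"; '
            f'flow:to_server; sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    peers = parse_c2(C2_SUBSET)
    for ip, ports in ports_by_host(peers).items():
        if len(ports) > 1:
            print(f"{ip} is listed on {len(ports)} ports: {ports}")
    print("\n".join(suricata_rules(peers, "obama261")))
```

Grouping by host is the step worth keeping even if you do not use Suricata: a single residential IP listed on nine or ten ports is a proxy-style Qakbot peer, and blocking the host rather than each ip:port pair is the more robust control.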
Signatures
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  PID 1700 rundll32.exe (1 entry)
  PID 1108 wermgr.exe (remaining 63 entries)
Suspicious behavior: MapViewOfSection (1 IoCs)
Processes:
  PID 1700 rundll32.exe
Suspicious use of WriteProcessMemory (17 IoCs)
Processes (source PID wrote to memory of target PID):
  PID 904 rundll32.exe wrote to memory of PID 1700 rundll32.exe (7 entries)
  PID 1700 rundll32.exe wrote to memory of PID 1108 wermgr.exe (6 entries)
  PID 1108 wermgr.exe wrote to memory of PID 1008 ping.exe (4 entries)
Read together, these signatures describe one chain: the 32-bit rundll32.exe (1700) maps a section and writes into a freshly started wermgr.exe (1108), and the injected wermgr.exe then enumerates processes and launches ping.exe (1008).
Processes
Depth 1: C:\Windows\system32\rundll32.exe (PID 904)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\66bd4ee25df0e3dd99a0c1839afb5699f52667a2feeaa4091cc8eb18543fbc67.dll,#1
  - Suspicious use of WriteProcessMemory
Depth 2: C:\Windows\SysWOW64\rundll32.exe (PID 1700, parent 904)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\66bd4ee25df0e3dd99a0c1839afb5699f52667a2feeaa4091cc8eb18543fbc67.dll,#1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
Depth 3: C:\Windows\SysWOW64\wermgr.exe (PID 1108, parent 1700)
  Command line: C:\Windows\SysWOW64\wermgr.exe
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
Depth 4: C:\Windows\SysWOW64\ping.exe (PID 1008, parent 1108)
  Command line: ping -n 3 yahoo.com
  - Runs ping.exe
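The tree above is the detection opportunity: rundll32.exe loading a DLL from %TEMP% by export ordinal (",#1"), a wermgr.exe whose parent is that rundll32.exe rather than the Windows Error Reporting service, and a ping of a public host from the injected wermgr.exe as a connectivity check. The following is an added example, not part of the sandbox report or of any product: a small detector run over constructed Sysmon-style process-creation events. The event field names (pid, ppid, image, cmdline), the parent PID 600 for the top-level processes and the benign rundll32 control event are assumptions; the PIDs, images and command lines of the four malicious events are copied from the tree above.

```python
"""Detect the rundll32 -> wermgr.exe -> ping.exe chain from process-creation events.

Added example; not part of the sandbox report. Event schema and the sample
events are assumptions modelled on the process tree in the report.
"""
import re

# Constructed events mirroring the process tree in the report, plus one
# benign-looking rundll32 launch to show the rule does not fire on it.
EVENTS = [
    {"pid": 904, "ppid": 600, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\66bd4ee25df0e3dd99a0c1839afb5699f52667a2feeaa4091cc8eb18543fbc67.dll,#1"},
    {"pid": 1700, "ppid": 904, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\66bd4ee25df0e3dd99a0c1839afb5699f52667a2feeaa4091cc8eb18543fbc67.dll,#1"},
    {"pid": 1108, "ppid": 1700, "image": r"C:\Windows\SysWOW64\wermgr.exe",
     "cmdline": r"C:\Windows\SysWOW64\wermgr.exe"},
    {"pid": 1008, "ppid": 1108, "image": r"C:\Windows\SysWOW64\ping.exe",
     "cmdline": "ping -n 3 yahoo.com"},
    # Control: rundll32 loading a System32 DLL by export name (should not fire).
    {"pid": 2000, "ppid": 600, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

# A DLL under %LOCALAPPDATA%\Temp invoked by export ordinal, e.g. "...\x.dll,#1".
TEMP_DLL_ORDINAL = re.compile(r"\\AppData\\Local\\Temp\\[^\s,]+\.dll,#\d+", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rundll32_temp_ordinal(events):
    """Cheap standalone check: PIDs of rundll32.exe launching a %TEMP% DLL by ordinal."""
    return [e["pid"] for e in events
            if basename(e["image"]) == "rundll32.exe"
            and TEMP_DLL_ORDINAL.search(e["cmdline"])]


def detect_qakbot_chain(events):
    """Return one finding per wermgr.exe spawned by a rundll32.exe that is
    running a %TEMP% DLL by ordinal, recording any ping.exe children of that
    wermgr.exe (the post-injection connectivity check seen in the report)."""
    by_pid = {e["pid"]: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)

    findings = []
    for e in events:
        if basename(e["image"]) != "wermgr.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or basename(parent["image"]) != "rundll32.exe":
            continue
        if not TEMP_DLL_ORDINAL.search(parent["cmdline"]):
            continue
        pings = [c["pid"] for c in children.get(e["pid"], [])
                 if basename(c["image"]) == "ping.exe"]
        findings.append({
            "wermgr_pid": e["pid"],
            "injector_pid": parent["pid"],
            "ping_pids": pings,
            "dll_cmdline": parent["cmdline"],
        })
    return findings


if __name__ == "__main__":
    print("rundll32 %TEMP% ordinal launches:", rundll32_temp_ordinal(EVENTS))
    for finding in detect_qakbot_chain(EVENTS):
        print(finding)
```

The parent check matters more than the ping: wermgr.exe is a legitimate Windows binary, so its image name alone is never a signal, but a wermgr.exe created by rundll32.exe is, and requiring the %TEMP%-DLL-by-ordinal command line on that parent keeps the rule quiet on ordinary rundll32 use.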
Downloads
File 1
Filesize: 62KB
MD5: b5fcc55cffd66f38d548e8b63206c5e6
SHA1: 79db08ababfa33a4f644fa8fe337195b5aba44c7
SHA256: 7730df1165195dd5bb6b40d6e519b4ce07aceb03601a77bca6535d31698d4ca1
SHA512: aaa17175e90dbca04f0fa753084731313e70119fef7d408b41ff4170116ab24eaee0bd05dca2cc43464b1ee920819e5ce6f6e750d97e3c4fc605f01e7ff9c649
File 2
Filesize: 61KB
MD5: fc4666cbca561e864e7fdf883a9e6661
SHA1: 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA256: 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512: c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d