Analysis
- max time kernel: 600s
- max time network: 564s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-06-2023 18:08
Behavioral task: behavioral1
Sample: 66bd4ee25df0e3dd99a0c1839afb5699f52667a2feeaa4091cc8eb18543fbc67.dll
Resource: win7-20230220-en
General
- Target: 66bd4ee25df0e3dd99a0c1839afb5699f52667a2feeaa4091cc8eb18543fbc67.dll
- Size: 131KB
- MD5: c46fef76655df08967c3056cdbc67c15
- SHA1: 5724e8f56359ef60b146a99c978224ddcbdb6b81
- SHA256: 66bd4ee25df0e3dd99a0c1839afb5699f52667a2feeaa4091cc8eb18543fbc67
- SHA512: 702d51ff95504797ac06d3569a07f8db3fd3835563f26dd11f9bf98b83438d2908a45223d6ecc2a1c11665241bce435836813ed5063612789e9f56996f447056
- SSDEEP: 3072:hg0KGh5Z8j3EzihlFsUA9QJb4VMHT8TBff5BQ:dKGJGEz+lOB2JEVMHT8TB3bQ
Malware Config
Extracted
- Family: qakbot
- Version: 404.1035
- Botnet: obama261
- Campaign: 1683268508
- C2 servers: 119 IP:port entries
- Salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures
- Blocklisted process makes network request (7 IoCs)
  Processes:
    flow  pid   process
    70    1916  rundll32.exe
    72    1916  rundll32.exe
    74    1916  rundll32.exe
    76    1916  rundll32.exe
    80    1916  rundll32.exe
    81    1916  rundll32.exe
    82    1916  rundll32.exe
- Program crash (3 IoCs)
  Processes:
    pid   pid_target  process       target process
    980   1772        WerFault.exe  wermgr.exe
    1344  1744        WerFault.exe  backgroundTaskHost.exe
    4116  388         WerFault.exe  dxdiag.exe
- Runs ping.exe (1 TTPs, 3 IoCs)
  Processes:
    pid   process
    4636  ping.exe
    3480  ping.exe
    4992  ping.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid   process       events
    1916  rundll32.exe  64
- Suspicious behavior: MapViewOfSection (6 IoCs)
  Processes:
    pid   process       events
    1916  rundll32.exe  6
- Suspicious use of WriteProcessMemory (42 IoCs)
  Processes (identical events collapsed, with counts):
    description                    pid   process                 target process          events
    PID 3884 wrote to memory of 1916  3884  rundll32.exe            rundll32.exe            3
    PID 1916 wrote to memory of 3272  1916  rundll32.exe            wermgr.exe              5
    PID 3272 wrote to memory of 4636  3272  wermgr.exe              ping.exe                3
    PID 1916 wrote to memory of 1772  1916  rundll32.exe            wermgr.exe              5
    PID 1916 wrote to memory of 4908  1916  rundll32.exe            backgroundTaskHost.exe  5
    PID 4908 wrote to memory of 3480  4908  backgroundTaskHost.exe  ping.exe                3
    PID 1916 wrote to memory of 1744  1916  rundll32.exe            backgroundTaskHost.exe  5
    PID 1916 wrote to memory of 5076  1916  rundll32.exe            dxdiag.exe              5
    PID 5076 wrote to memory of 4992  5076  dxdiag.exe              ping.exe                3
    PID 1916 wrote to memory of 388   1916  rundll32.exe            dxdiag.exe              5
Processes (indented by process-tree depth)
- C:\Windows\system32\rundll32.exe
  command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\66bd4ee25df0e3dd99a0c1839afb5699f52667a2feeaa4091cc8eb18543fbc67.dll,#1
  PID: 3884
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\66bd4ee25df0e3dd99a0c1839afb5699f52667a2feeaa4091cc8eb18543fbc67.dll,#1
    PID: 1916
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\wermgr.exe
      command: C:\Windows\SysWOW64\wermgr.exe
      PID: 3272
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\ping.exe
        command: ping -n 3 yahoo.com
        PID: 4636
        - Runs ping.exe
    - C:\Windows\SysWOW64\wermgr.exe
      command: C:\Windows\SysWOW64\wermgr.exe
      PID: 1772
      - C:\Windows\SysWOW64\WerFault.exe
        command: C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 352
        PID: 980
        - Program crash
    - C:\Windows\SysWOW64\backgroundTaskHost.exe
      command: C:\Windows\SysWOW64\backgroundTaskHost.exe
      PID: 4908
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\ping.exe
        command: ping -n 3 yahoo.com
        PID: 3480
        - Runs ping.exe
    - C:\Windows\SysWOW64\backgroundTaskHost.exe
      command: C:\Windows\SysWOW64\backgroundTaskHost.exe
      PID: 1744
      - C:\Windows\SysWOW64\WerFault.exe
        command: C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 288
        PID: 1344
        - Program crash
    - C:\Windows\SysWOW64\dxdiag.exe
      command: C:\Windows\SysWOW64\dxdiag.exe
      PID: 5076
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\ping.exe
        command: ping -n 3 yahoo.com
        PID: 4992
        - Runs ping.exe
    - C:\Windows\SysWOW64\dxdiag.exe
      command: C:\Windows\SysWOW64\dxdiag.exe
      PID: 388
      - C:\Windows\SysWOW64\WerFault.exe
        command: C:\Windows\SysWOW64\WerFault.exe -u -p 388 -s 464
        PID: 4116
        - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1772 -ip 1772
  PID: 3856
- C:\Windows\SysWOW64\WerFault.exe
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1744 -ip 1744
  PID: 696
- C:\Windows\SysWOW64\WerFault.exe
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 388 -ip 388
  PID: 3348