Analysis

- max time kernel: 151s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-04-2024 10:06

Static task: static1
Behavioral task: behavioral1
Sample: 780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3.dll
Resource: win7-20231129-en
General

- Target: 780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3.dll
- Size: 459KB
- MD5: 0a29918110937641bbe4a2d5ee5e4272
- SHA1: 7d4a6976c1ece81e01d1f16ac5506266d5210734
- SHA256: 780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3
- SHA512: 998a6ee2fa6b345aeea72afaa91add8433e986a2678dbb8995ead786c30bdc00704c39c4857935b20669005b292736d50e1c6ad38901aa1f29db7b6a597fae3f
- SSDEEP: 6144:T4+8LGS5U/dvT6+adDaMuMeek1Wg3NkA+8hMzA1W9xCTSI:8fZ5U/dvPadDrNebWg3N+QMc16MOI
Malware Config

Extracted
- Family: qakbot
- Botnet: tchk06
- Campaign: 1702463600 (Unix timestamp; the same instant as camp_date below)
- C2:
  - 45.138.74.191:443
  - 65.108.218.24:443
- camp_date: 2023-12-13 10:33:20 +0000 UTC
Signatures

Detect Qakbot Payload (13 IoCs)

Processes:
  resource                                                                     yara_rule
  behavioral2/memory/4104-1-0x000001C91A2B0000-0x000001C91A2DF000-memory.dmp   family_qakbot_v5
  behavioral2/memory/4104-4-0x000001C91A280000-0x000001C91A2AD000-memory.dmp   family_qakbot_v5
  behavioral2/memory/4104-6-0x0000000180000000-0x000000018002E000-memory.dmp   family_qakbot_v5
  behavioral2/memory/4104-7-0x0000000180000000-0x000000018002E000-memory.dmp   family_qakbot_v5
  behavioral2/memory/4824-9-0x00000261670C0000-0x00000261670EE000-memory.dmp   family_qakbot_v5
  behavioral2/memory/4824-16-0x00000261670C0000-0x00000261670EE000-memory.dmp  family_qakbot_v5
  behavioral2/memory/4104-17-0x0000000180000000-0x000000018002E000-memory.dmp  family_qakbot_v5
  behavioral2/memory/4824-26-0x00000261670C0000-0x00000261670EE000-memory.dmp  family_qakbot_v5
  behavioral2/memory/4824-27-0x00000261670C0000-0x00000261670EE000-memory.dmp  family_qakbot_v5
  behavioral2/memory/4824-28-0x00000261670C0000-0x00000261670EE000-memory.dmp  family_qakbot_v5
  behavioral2/memory/4824-29-0x00000261670C0000-0x00000261670EE000-memory.dmp  family_qakbot_v5
  behavioral2/memory/4824-30-0x00000261670C0000-0x00000261670EE000-memory.dmp  family_qakbot_v5
  behavioral2/memory/4824-32-0x00000261670C0000-0x00000261670EE000-memory.dmp  family_qakbot_v5
Modifies registry class (12 IoCs)

Processes: wermgr.exe

All entries are under the key \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\ztdzexkcc; the value data written by each "Set value (data)" event is a long hex blob and is omitted here.
  description         ioc                     process
  Set value (data)    ztdzexkcc\2dedbf24      wermgr.exe
  Set value (data)    ztdzexkcc\5a14da91      wermgr.exe
  Set value (data)    ztdzexkcc\fe08a491      wermgr.exe
  Set value (data)    ztdzexkcc\32a2a40f      wermgr.exe
  Set value (data)    ztdzexkcc\ff8ff916      wermgr.exe
  Set value (data)    ztdzexkcc\648aecc7      wermgr.exe
  Key created         ztdzexkcc               wermgr.exe
  Set value (data)    ztdzexkcc\3325f988      wermgr.exe
  Set value (data)    ztdzexkcc\f54af00f      wermgr.exe
  Set value (data)    ztdzexkcc\650db140      wermgr.exe
  Set value (data)    ztdzexkcc\650db140      wermgr.exe
  Set value (data)    ztdzexkcc\e147bfba      wermgr.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)

Processes: rundll32.exe, wermgr.exe
  pid     process         entries
  4104    rundll32.exe    2
  4824    wermgr.exe      62
Suspicious use of WriteProcessMemory (5 IoCs)

Processes: rundll32.exe
  description                         pid     process         target process   entries
  PID 4104 wrote to memory of 4824    4104    rundll32.exe    wermgr.exe       5
Processes

- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3.dll,#1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wermgr.exe (child process)
    Command line: C:\Windows\System32\wermgr.exe
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads

  memory dump                                                       filesize
  memory/4104-0-0x0000000069140000-0x00000000691BE000-memory.dmp    504KB
  memory/4104-1-0x000001C91A2B0000-0x000001C91A2DF000-memory.dmp    188KB
  memory/4104-4-0x000001C91A280000-0x000001C91A2AD000-memory.dmp    180KB
  memory/4104-6-0x0000000180000000-0x000000018002E000-memory.dmp    184KB
  memory/4104-7-0x0000000180000000-0x000000018002E000-memory.dmp    184KB
  memory/4104-17-0x0000000180000000-0x000000018002E000-memory.dmp   184KB
  memory/4824-9-0x00000261670C0000-0x00000261670EE000-memory.dmp    184KB
  memory/4824-16-0x00000261670C0000-0x00000261670EE000-memory.dmp   184KB
  memory/4824-8-0x00000261670F0000-0x00000261670F2000-memory.dmp    8KB
  memory/4824-26-0x00000261670C0000-0x00000261670EE000-memory.dmp   184KB
  memory/4824-27-0x00000261670C0000-0x00000261670EE000-memory.dmp   184KB
  memory/4824-28-0x00000261670C0000-0x00000261670EE000-memory.dmp   184KB
  memory/4824-29-0x00000261670C0000-0x00000261670EE000-memory.dmp   184KB
  memory/4824-30-0x00000261670C0000-0x00000261670EE000-memory.dmp   184KB
  memory/4824-32-0x00000261670C0000-0x00000261670EE000-memory.dmp   184KB