Analysis
  max time kernel: 149s
  max time network: 123s
  platform: windows10-2004_x64
  resource: win10v2004-20231215-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 02-04-2024 10:36

  Static task: static1 (1 signature)
  Behavioral task: behavioral1
    Sample: 12094a47a9659b1c2f7c5b36e21d2b0145c9e7b2e79845a437508efa96e5f305.dll
    Resource: win7-20231129-en (windows7-x64)
    4 signatures, 150 seconds
General
  Target: 12094a47a9659b1c2f7c5b36e21d2b0145c9e7b2e79845a437508efa96e5f305.dll
  Size: 898KB
  MD5: 88bbf2a743baaf81f7a312be61f90d76
  SHA1: 3719aabc29d5eb58d5d2d2a37066047c67bfc2c6
  SHA256: 12094a47a9659b1c2f7c5b36e21d2b0145c9e7b2e79845a437508efa96e5f305
  SHA512: b01f955eb5f840e01f1f65d5f19c0963e155b1f8d03b4e0720eccbd397cc9aee9a19a63000719e3cf8f580573a335bd61f39fe1261f44e1d5371a9c695b60b70
  SSDEEP: 24576:qTm4c0TXhxdmVQGn88R7XM3Ljluc9KEaJqCjh0LmK8:6jP8Q13LjluSrCj+q/
Malware Config
  Extracted
  Family: qakbot
  Botnet: tchk07
  Campaign: 1702975817
  C2:
    116.203.56.11:443
    109.107.181.8:443
  Attributes:
    camp_date: 2023-12-19 08:50:17 +0000 UTC
Signatures

Detect Qakbot Payload (13 IoCs)
  resource | yara_rule
  behavioral2/memory/1508-1-0x0000025E4E000000-0x0000025E4E02D000-memory.dmp | family_qakbot_v5
  behavioral2/memory/1508-0-0x0000025E4F7F0000-0x0000025E4F81F000-memory.dmp | family_qakbot_v5
  behavioral2/memory/1508-5-0x0000025E4F820000-0x0000025E4F84E000-memory.dmp | family_qakbot_v5
  behavioral2/memory/1508-6-0x0000025E4F820000-0x0000025E4F84E000-memory.dmp | family_qakbot_v5
  behavioral2/memory/184-8-0x0000020DBA450000-0x0000020DBA47E000-memory.dmp | family_qakbot_v5
  behavioral2/memory/184-14-0x0000020DBA450000-0x0000020DBA47E000-memory.dmp | family_qakbot_v5
  behavioral2/memory/1508-23-0x0000025E4F820000-0x0000025E4F84E000-memory.dmp | family_qakbot_v5
  behavioral2/memory/184-24-0x0000020DBA450000-0x0000020DBA47E000-memory.dmp | family_qakbot_v5
  behavioral2/memory/184-26-0x0000020DBA450000-0x0000020DBA47E000-memory.dmp | family_qakbot_v5
  behavioral2/memory/184-25-0x0000020DBA450000-0x0000020DBA47E000-memory.dmp | family_qakbot_v5
  behavioral2/memory/184-27-0x0000020DBA450000-0x0000020DBA47E000-memory.dmp | family_qakbot_v5
  behavioral2/memory/184-28-0x0000020DBA450000-0x0000020DBA47E000-memory.dmp | family_qakbot_v5
  behavioral2/memory/184-30-0x0000020DBA450000-0x0000020DBA47E000-memory.dmp | family_qakbot_v5

Modifies registry class (10 IoCs)
  Process: wermgr.exe
  description | ioc | Process
  Set value (data) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\yrcptylfqfnm\8327a602 = e566b74bde22e5078a524f1b5d2139e37099f0b5046ac82e22b881058392833ffc359771aa4d7d51ea208f583768fc0832d6351f75d6145a7fce9bd6fbcaa94f38e7eefd03a709ff7a8734c40dd7e83450273768d68214aca3a7ca69b538331578e00815e4b2fd8cdd9ba5d4898c5c97a1 | wermgr.exe
  Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\yrcptylfqfnm | wermgr.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\yrcptylfqfnm\d50feeca = c6887cdd2ebf923eb2812e834294bf17db7b8c40cb5aac3836cbb3dc4d33299b6febb0a6103d788790811786a5be8569b23189dfa158aa5fd236ff14523dd063b6225f576717153949dc909e469506a4c9c1f8e1a2bca702f17db51982614e602371b722e758ffadf455fa0866f40265c58abf68570b5590ebd1cd2b2f144600fc25f78272d939bb97ebc7328aaf6fcc7079c3adb867ebbbb4fc165789457ca50c | wermgr.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\yrcptylfqfnm\cbc7a866 = a5593112518c193ebae4f2fa9c2d1abf4e75e8d867aec7d4de27c79b397ed8dac65956a6a00f7e608e0d0921d271750eb09cd2d91c62c916eacd30c729edcb7e81 | wermgr.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\yrcptylfqfnm\1822b3d3 = e69b2b28e627963a081aca247b28d56264cb6d3d895e207b9f6c6aafe97e4af7be1703b419c8b654e2c73506389a749fb6ea68685f53c7076eac0a5536c813147514b21308b6537607078d2164e42437daa528c797c23aaef96e157eec71239953abb6237f1fe623953b1fafe859904327 | wermgr.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\yrcptylfqfnm\d488b34d = 0572e4a461d7d462373cd008307213778ddd5be230634c6f022ff6983121686b27d87e34c0142967f033817b725ca365685a165d00e11b816bf6f9ba9276c3d86df99eaad0f05cabdb282fa4729a75898d | wermgr.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\yrcptylfqfnm\8327a602 = 06fe7626882b0a2c1a8c8d80fbef7389a0d41e2bed28c252523b35df7fb033ea9a1e7db4a894dedd4bd30bdec2b61cd4c113b8d8c5f3db3b0b276960ae03430cb485ef0895961ff2e891976ad483d9570077454d642b63924c4d3b14227f24d052 | wermgr.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\yrcptylfqfnm\76da8f8 = a5de7d2027dfc35f644e76b66d73c0d4773eb7f40b6c59bd95f31dece19fb912c2a81217854341ab27ac4b1194e11da9917f930bb9f90142f5266c0fa3b9c9677e453d3d6d78f82a40aed28d008d3ac68b | wermgr.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\yrcptylfqfnm\19a5ee54 = 87f1299cb5aa10f6b602707d2e80814374faca7d78ba0bbd5c698f7c1c8b3edeb007740f0e44a7e72f6f1d37fde155da2e3b35d4444faabdbf6eddd5bf58df81dcd4b85bbac8c68957295989fcb2c6adab | wermgr.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\yrcptylfqfnm\82a0fb85 = e4441b1b9991740d6e561cfc9f1eb10d206b64b2ab0f67ec12011cb918e19f2bedd7c26e4bf28635197879eb779a3208138e63d7c2b7775330de5dbd665f18d81802b26876d2bf2728d8c87b82d6db560ec0a04fe2473e5296f4dae517b07c4ab641f0a2dc91d26194d498fd77ba344dc4 | wermgr.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: rundll32.exe, wermgr.exe
  pid | Process
  1508 | rundll32.exe (2 entries)
  184 | wermgr.exe (all remaining entries)

Suspicious use of WriteProcessMemory (5 IoCs)
  Process: rundll32.exe
  description | pid | Process | procid_target
  PID 1508 wrote to memory of 184 | 1508 | rundll32.exe | 83
  PID 1508 wrote to memory of 184 | 1508 | rundll32.exe | 83
  PID 1508 wrote to memory of 184 | 1508 | rundll32.exe | 83
  PID 1508 wrote to memory of 184 | 1508 | rundll32.exe | 83
  PID 1508 wrote to memory of 184 | 1508 | rundll32.exe | 83
Processes
  C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\12094a47a9659b1c2f7c5b36e21d2b0145c9e7b2e79845a437508efa96e5f305.dll,#1
    PID: 1508
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\wermgr.exe
      command line: C:\Windows\System32\wermgr.exe
      PID: 184
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses