Analysis
max time kernel: 149s
max time network: 124s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 02-04-2024 10:36
Static task: static1
Behavioral task: behavioral1
Sample: 780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3.dll
Resource: win7-20240220-en
General
Target: 780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3.dll
Size: 459KB
MD5: 0a29918110937641bbe4a2d5ee5e4272
SHA1: 7d4a6976c1ece81e01d1f16ac5506266d5210734
SHA256: 780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3
SHA512: 998a6ee2fa6b345aeea72afaa91add8433e986a2678dbb8995ead786c30bdc00704c39c4857935b20669005b292736d50e1c6ad38901aa1f29db7b6a597fae3f
SSDEEP: 6144:T4+8LGS5U/dvT6+adDaMuMeek1Wg3NkA+8hMzA1W9xCTSI:8fZ5U/dvPadDrNebWg3N+QMc16MOI
Malware Config
Extracted family: qakbot
Botnet: tchk06
Campaign: 1702463600
C2: 45.138.74.191:443
C2: 65.108.218.24:443
camp_date: 2023-12-13 10:33:20 +0000 UTC
Signatures
-
Detect Qakbot Payload 13 IoCs
Processes:
resource  yara_rule
behavioral1/memory/2768-1-0x00000000002C0000-0x00000000002EF000-memory.dmp  family_qakbot_v5
behavioral1/memory/2768-5-0x0000000000290000-0x00000000002BD000-memory.dmp  family_qakbot_v5
behavioral1/memory/2768-6-0x0000000180000000-0x000000018002E000-memory.dmp  family_qakbot_v5
behavioral1/memory/2768-7-0x0000000180000000-0x000000018002E000-memory.dmp  family_qakbot_v5
behavioral1/memory/2252-9-0x0000000000060000-0x000000000008E000-memory.dmp  family_qakbot_v5
behavioral1/memory/2252-16-0x0000000000060000-0x000000000008E000-memory.dmp  family_qakbot_v5
behavioral1/memory/2768-29-0x0000000180000000-0x000000018002E000-memory.dmp  family_qakbot_v5
behavioral1/memory/2252-30-0x0000000000060000-0x000000000008E000-memory.dmp  family_qakbot_v5
behavioral1/memory/2252-31-0x0000000000060000-0x000000000008E000-memory.dmp  family_qakbot_v5
behavioral1/memory/2252-32-0x0000000000060000-0x000000000008E000-memory.dmp  family_qakbot_v5
behavioral1/memory/2252-33-0x0000000000060000-0x000000000008E000-memory.dmp  family_qakbot_v5
behavioral1/memory/2252-34-0x0000000000060000-0x000000000008E000-memory.dmp  family_qakbot_v5
behavioral1/memory/2252-37-0x0000000000060000-0x000000000008E000-memory.dmp  family_qakbot_v5
Modifies registry class 12 IoCs
Processes: wermgr.exe
Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\fyiyficyyiklx
Set value (data), binary, under that key: d3c536e3, 1ee86bfa, 1f6f367d, 846a23ac, cd0d704f, 1a770d1, 15aa3f64, baf415fa, d2426b64, 85ed7e2b (written twice)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: rundll32.exe, wermgr.exe
pid   process
2768  rundll32.exe
2252  wermgr.exe (repeated for the remaining IoCs)
Suspicious use of WriteProcessMemory 6 IoCs
Processes: rundll32.exe
description                         pid   process       target process
PID 2768 wrote to memory of 2252    2768  rundll32.exe  wermgr.exe (6 events)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3.dll,#1
  PID: 2768
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wermgr.exe (child of PID 2768)
    Command line: C:\Windows\System32\wermgr.exe
    PID: 2252
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
memory/2252-30-0x0000000000060000-0x000000000008E000-memory.dmp  184KB
memory/2252-31-0x0000000000060000-0x000000000008E000-memory.dmp  184KB
memory/2252-37-0x0000000000060000-0x000000000008E000-memory.dmp  184KB
memory/2252-34-0x0000000000060000-0x000000000008E000-memory.dmp  184KB
memory/2252-16-0x0000000000060000-0x000000000008E000-memory.dmp  184KB
memory/2252-8-0x0000000000090000-0x0000000000092000-memory.dmp  8KB
memory/2252-33-0x0000000000060000-0x000000000008E000-memory.dmp  184KB
memory/2252-32-0x0000000000060000-0x000000000008E000-memory.dmp  184KB
memory/2252-9-0x0000000000060000-0x000000000008E000-memory.dmp  184KB
memory/2768-7-0x0000000180000000-0x000000018002E000-memory.dmp  184KB
memory/2768-0-0x0000000069140000-0x00000000691BE000-memory.dmp  504KB
memory/2768-29-0x0000000180000000-0x000000018002E000-memory.dmp  184KB
memory/2768-1-0x00000000002C0000-0x00000000002EF000-memory.dmp  188KB
memory/2768-6-0x0000000180000000-0x000000018002E000-memory.dmp  184KB
memory/2768-5-0x0000000000290000-0x00000000002BD000-memory.dmp  180KB