Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-04-2024 13:09
Static task: static1
Behavioral task: behavioral1
Sample: 780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3.dll
Resource: win7-20240319-en
General
Target: 780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3.dll
Size: 459KB
MD5: 0a29918110937641bbe4a2d5ee5e4272
SHA1: 7d4a6976c1ece81e01d1f16ac5506266d5210734
SHA256: 780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3
SHA512: 998a6ee2fa6b345aeea72afaa91add8433e986a2678dbb8995ead786c30bdc00704c39c4857935b20669005b292736d50e1c6ad38901aa1f29db7b6a597fae3f
SSDEEP: 6144:T4+8LGS5U/dvT6+adDaMuMeek1Wg3NkA+8hMzA1W9xCTSI:8fZ5U/dvPadDrNebWg3N+QMc16MOI
Malware Config
Extracted
Family: qakbot
Botnet: tchk06
Campaign: 1702463600
C2: 45.138.74.191:443
C2: 65.108.218.24:443
camp_date: 2023-12-13 10:33:20 +0000 UTC
Signatures

Detect Qakbot Payload (13 IoCs)
Processes:
resource                                                                      yara_rule
behavioral2/memory/3076-1-0x00000266E1390000-0x00000266E13BF000-memory.dmp    family_qakbot_v5
behavioral2/memory/3076-6-0x0000000180000000-0x000000018002E000-memory.dmp    family_qakbot_v5
behavioral2/memory/3076-5-0x00000266E1360000-0x00000266E138D000-memory.dmp    family_qakbot_v5
behavioral2/memory/3076-7-0x0000000180000000-0x000000018002E000-memory.dmp    family_qakbot_v5
behavioral2/memory/2004-9-0x000001F2E0980000-0x000001F2E09AE000-memory.dmp    family_qakbot_v5
behavioral2/memory/3076-17-0x0000000180000000-0x000000018002E000-memory.dmp   family_qakbot_v5
behavioral2/memory/2004-16-0x000001F2E0980000-0x000001F2E09AE000-memory.dmp   family_qakbot_v5
behavioral2/memory/2004-26-0x000001F2E0980000-0x000001F2E09AE000-memory.dmp   family_qakbot_v5
behavioral2/memory/2004-27-0x000001F2E0980000-0x000001F2E09AE000-memory.dmp   family_qakbot_v5
behavioral2/memory/2004-29-0x000001F2E0980000-0x000001F2E09AE000-memory.dmp   family_qakbot_v5
behavioral2/memory/2004-28-0x000001F2E0980000-0x000001F2E09AE000-memory.dmp   family_qakbot_v5
behavioral2/memory/2004-30-0x000001F2E0980000-0x000001F2E09AE000-memory.dmp   family_qakbot_v5
behavioral2/memory/2004-32-0x000001F2E0980000-0x000001F2E09AE000-memory.dmp   family_qakbot_v5
Modifies registry class (12 IoCs)
Processes: wermgr.exe
Key prefix for all entries below: \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\uxsfzobsyqqkmt

description        ioc                                                                   process
Key created        \uxsfzobsyqqkmt                                                       wermgr.exe
Set value (data)   \uxsfzobsyqqkmt\b992eeb4 = e5a39ef523d3c4871bb0f6de6c9d2fb16c08b3d0189e50785f416efd776c498922fe079318efb603c575e2f28bedc211807ccea09ec5dc72a62db24ac55313ce22a022955c5fbc79d3629ebe94981391343e5d7c37f45c59b06fd33e862de697cf8387000266916a24c84f65b9d13c8de4   wermgr.exe
Set value (data)   \uxsfzobsyqqkmt\f172e0d0 = 441deac90a0c73e02e8b7a0c7c496b572a299738615a2eeb50f0381e5527b10ef82748178ba8ded1cb17967b0e6997c3b713e169e9be1e9661e2a593cd8167a48e2469224c72e3b1d4ff59d6aebce1f0e71906e50831953f55fe123068418ba824   wermgr.exe
Set value (data)   \uxsfzobsyqqkmt\3dd8e04e = 8645a284eb29c9ff93f9f036fab01108ce6e0f46b876fd90568f6253f034b6adf6e940ee75ae2efc61a3280a5b89bbbb9c40e06a32e5ff37f060e20d39030d674ee55198e4728c09ed3c795e97d5beafdef763a906d270e36b9b312b6bb664c77061ecc3a5ed272c0a438c734b5c7aaa785e18d9dfc02d7474e16d676501043fb7   wermgr.exe
Set value (data)   \uxsfzobsyqqkmt\2297fb65 = 04ead2233cdd986257a015ef83b80d23d1caee81b41196ed7e2d21ab5e38a182d47ac0f439ab0dbd48f5bd563dbf00d1b3888bbeaf47e9e31bda9c63ddb309f4893f2d50d095e36c8576d4db35eea2e0f6   wermgr.exe
Set value (data)   \uxsfzobsyqqkmt\b815b333 = c7ed70537aadfbae19c745bf79a86216af8f5f1a6738db8867e3cc73bf6e4636aadafbb135f589030697c90191d0789319e91df49c6de2a99828b362d3745e064627e100225cdded05ac82f22aa8fc3e6206d3c22b961bd79faf466433ddad79de   wermgr.exe
Set value (data)   \uxsfzobsyqqkmt\b992eeb4 = a5d47a182f7dc705a33481a3bff0541c3141154a105e607853c99e60eb66b773c4ccfc1d3d87286b881f19c53f2106e60b95810825cc82746bba77ec363519e8a42319b3a285bd0086c97f138446e430f1d84fad8178f57b2f51377ff9f1d58fd8555f5cf8fc579eb042ea6b5337da2d8d6c77c177e035579d200b34dd0d390898f664f0deba34fabf96652889ee46ce44   wermgr.exe
Set value (data)   \uxsfzobsyqqkmt\efbaa67c = 85f01a7ae5335a76692c248ed917741b13e0b0a24a7715bcb665ab6b3aa568b325941240bc1d52c147879e2055953a9bba1ea994e93646ecfaf62a0ea94969e2c3ba5870d411eb02df8d305db0bdfc97e967937b24803c270ca3e56de01c5a4aa8818fd9c0b40e32d101a99404b5960038   wermgr.exe
Set value (data)   \uxsfzobsyqqkmt\29d5affb = c68e8ce1572e54ec483f3bf09a59b2f664caf04048c82a4bf306fe86f5925dd64b9c0af6948f1182ffc345a18761133b8e7d21e8370b6668bc51d8121922e1c1b559db5235070885cd33a8e49b51ab6391ed7014415bec479d153bbd44fbc15a911f80ae5843930a6f413c47fa331d52f6d1f9d6b086adddc7d0f6d781df15730c   wermgr.exe
Set value (data)   \uxsfzobsyqqkmt\868b8565 = a49cf59b8a72cc0eddca93edf48fef43cff519d9bffcd8888ee7dd7adf8cfccd87b07ef64de5170e0521eb2b0a26daaec7a7c82912cece70f1128536b997bb0df31b33ac5d255278893160969e7c96deaecb8174e4a7acb3ed41d9a1068c5d8e71   wermgr.exe
Set value (data)   \uxsfzobsyqqkmt\ee3dfbfb = 051ca107740d988c07ad2328412c7333dfe9aaf0719930985d13ea3ae16c1b7b82bd772ebe5023499223948f5ef3ed026f0d4c9b443e747dc138fdeb9890a263de4bfb3be8d0f9e2c6586f355896857c81   wermgr.exe
Set value (data)   \uxsfzobsyqqkmt\2310a6e2 = c67e6e200323e766f78e78efdc33110c52b9a80bce5f35e567a111d32ef11f6df7   wermgr.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: rundll32.exe, wermgr.exe
pid    process
3076   rundll32.exe (2 entries)
2004   wermgr.exe (remaining 62 entries, all identical)
Suspicious use of WriteProcessMemory (5 IoCs)
Processes: rundll32.exe
description                        pid    process        target process
PID 3076 wrote to memory of 2004   3076   rundll32.exe   wermgr.exe
PID 3076 wrote to memory of 2004   3076   rundll32.exe   wermgr.exe
PID 3076 wrote to memory of 2004   3076   rundll32.exe   wermgr.exe
PID 3076 wrote to memory of 2004   3076   rundll32.exe   wermgr.exe
PID 3076 wrote to memory of 2004   3076   rundll32.exe   wermgr.exe
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3.dll,#1
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\wermgr.exe (child of 1)
      Command line: C:\Windows\System32\wermgr.exe
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
file                                                          filesize
memory/2004-26-0x000001F2E0980000-0x000001F2E09AE000-memory.dmp   184KB
memory/2004-27-0x000001F2E0980000-0x000001F2E09AE000-memory.dmp   184KB
memory/2004-32-0x000001F2E0980000-0x000001F2E09AE000-memory.dmp   184KB
memory/2004-30-0x000001F2E0980000-0x000001F2E09AE000-memory.dmp   184KB
memory/2004-28-0x000001F2E0980000-0x000001F2E09AE000-memory.dmp   184KB
memory/2004-8-0x000001F2E09B0000-0x000001F2E09B2000-memory.dmp    8KB
memory/2004-29-0x000001F2E0980000-0x000001F2E09AE000-memory.dmp   184KB
memory/2004-16-0x000001F2E0980000-0x000001F2E09AE000-memory.dmp   184KB
memory/2004-9-0x000001F2E0980000-0x000001F2E09AE000-memory.dmp    184KB
memory/3076-0-0x0000000069140000-0x00000000691BE000-memory.dmp    504KB
memory/3076-17-0x0000000180000000-0x000000018002E000-memory.dmp   184KB
memory/3076-1-0x00000266E1390000-0x00000266E13BF000-memory.dmp    188KB
memory/3076-7-0x0000000180000000-0x000000018002E000-memory.dmp    184KB
memory/3076-5-0x00000266E1360000-0x00000266E138D000-memory.dmp    180KB
memory/3076-6-0x0000000180000000-0x000000018002E000-memory.dmp    184KB