Analysis
max time kernel: 149s
max time network: 121s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 17-04-2024 13:21
Static task: static1
Behavioral task: behavioral1
Sample: 780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3.dll
Resource: win7-20240220-en
General
Target: 780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3.dll
Size: 459KB
MD5: 0a29918110937641bbe4a2d5ee5e4272
SHA1: 7d4a6976c1ece81e01d1f16ac5506266d5210734
SHA256: 780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3
SHA512: 998a6ee2fa6b345aeea72afaa91add8433e986a2678dbb8995ead786c30bdc00704c39c4857935b20669005b292736d50e1c6ad38901aa1f29db7b6a597fae3f
SSDEEP: 6144:T4+8LGS5U/dvT6+adDaMuMeek1Wg3NkA+8hMzA1W9xCTSI:8fZ5U/dvPadDrNebWg3N+QMc16MOI
Malware Config
Extracted
Family: qakbot
Botnet: tchk06
Campaign: 1702463600
C2:
45.138.74.191:443
65.108.218.24:443
Attributes:
camp_date: 2023-12-13 10:33:20 +0000 UTC
Signatures
Detect Qakbot Payload 13 IoCs
Processes:
resource  yara_rule
behavioral1/memory/2868-1-0x00000000002D0000-0x00000000002FF000-memory.dmp  family_qakbot_v5
behavioral1/memory/2868-5-0x0000000180000000-0x000000018002E000-memory.dmp  family_qakbot_v5
behavioral1/memory/2868-7-0x0000000180000000-0x000000018002E000-memory.dmp  family_qakbot_v5
behavioral1/memory/2868-6-0x0000000000190000-0x00000000001BD000-memory.dmp  family_qakbot_v5
behavioral1/memory/2904-9-0x0000000000060000-0x000000000008E000-memory.dmp  family_qakbot_v5
behavioral1/memory/2904-15-0x0000000000060000-0x000000000008E000-memory.dmp  family_qakbot_v5
behavioral1/memory/2868-29-0x0000000180000000-0x000000018002E000-memory.dmp  family_qakbot_v5
behavioral1/memory/2904-30-0x0000000000060000-0x000000000008E000-memory.dmp  family_qakbot_v5
behavioral1/memory/2904-31-0x0000000000060000-0x000000000008E000-memory.dmp  family_qakbot_v5
behavioral1/memory/2904-32-0x0000000000060000-0x000000000008E000-memory.dmp  family_qakbot_v5
behavioral1/memory/2904-33-0x0000000000060000-0x000000000008E000-memory.dmp  family_qakbot_v5
behavioral1/memory/2904-34-0x0000000000060000-0x000000000008E000-memory.dmp  family_qakbot_v5
behavioral1/memory/2904-37-0x0000000000060000-0x000000000008E000-memory.dmp  family_qakbot_v5
Modifies registry class 12 IoCs
Processes:
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process
2868  rundll32.exe
2904  wermgr.exe (this row repeats for the remaining IoCs)
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description                       pid   process       target process
PID 2868 wrote to memory of 2904  2868  rundll32.exe  wermgr.exe (6 identical entries)
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3.dll,#1
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\wermgr.exe
      Command line: C:\Windows\System32\wermgr.exe
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
memory/2868-0-0x0000000069140000-0x00000000691BE000-memory.dmp  Filesize: 504KB
memory/2868-1-0x00000000002D0000-0x00000000002FF000-memory.dmp  Filesize: 188KB
memory/2868-5-0x0000000180000000-0x000000018002E000-memory.dmp  Filesize: 184KB
memory/2868-7-0x0000000180000000-0x000000018002E000-memory.dmp  Filesize: 184KB
memory/2868-6-0x0000000000190000-0x00000000001BD000-memory.dmp  Filesize: 180KB
memory/2868-29-0x0000000180000000-0x000000018002E000-memory.dmp  Filesize: 184KB
memory/2904-9-0x0000000000060000-0x000000000008E000-memory.dmp  Filesize: 184KB
memory/2904-15-0x0000000000060000-0x000000000008E000-memory.dmp  Filesize: 184KB
memory/2904-8-0x0000000000090000-0x0000000000092000-memory.dmp  Filesize: 8KB
memory/2904-30-0x0000000000060000-0x000000000008E000-memory.dmp  Filesize: 184KB
memory/2904-31-0x0000000000060000-0x000000000008E000-memory.dmp  Filesize: 184KB
memory/2904-32-0x0000000000060000-0x000000000008E000-memory.dmp  Filesize: 184KB
memory/2904-33-0x0000000000060000-0x000000000008E000-memory.dmp  Filesize: 184KB
memory/2904-34-0x0000000000060000-0x000000000008E000-memory.dmp  Filesize: 184KB
memory/2904-37-0x0000000000060000-0x000000000008E000-memory.dmp  Filesize: 184KB