Analysis

- Max time kernel: 150s
- Max time network: 123s
- Platform: windows7_x64
- Resource: win7-20240221-en
- Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- Submitted: 17-04-2024 13:38
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3.dll
  - Resource: win7-20240221-en
General

- Target: 780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3.dll
- Size: 459KB
- MD5: 0a29918110937641bbe4a2d5ee5e4272
- SHA1: 7d4a6976c1ece81e01d1f16ac5506266d5210734
- SHA256: 780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3
- SHA512: 998a6ee2fa6b345aeea72afaa91add8433e986a2678dbb8995ead786c30bdc00704c39c4857935b20669005b292736d50e1c6ad38901aa1f29db7b6a597fae3f
- SSDEEP: 6144:T4+8LGS5U/dvT6+adDaMuMeek1Wg3NkA+8hMzA1W9xCTSI:8fZ5U/dvPadDrNebWg3N+QMc16MOI
Malware Config

Extracted: qakbot

- Botnet ID: tchk06
- Campaign timestamp: 1702463600 (Unix epoch; decodes to the camp_date value below)
- C2:
  - 45.138.74.191:443
  - 65.108.218.24:443
- camp_date: 2023-12-13 10:33:20 +0000 UTC
Signatures

Detect Qakbot Payload (13 IoCs)

YARA rule family_qakbot_v5 matched the following memory dumps from behavioral1 (PID 2488 is rundll32.exe, PID 2152 is wermgr.exe):

- behavioral1/memory/2488-1-0x00000000001C0000-0x00000000001EF000-memory.dmp
- behavioral1/memory/2488-4-0x0000000000190000-0x00000000001BD000-memory.dmp
- behavioral1/memory/2488-6-0x0000000180000000-0x000000018002E000-memory.dmp
- behavioral1/memory/2488-7-0x0000000180000000-0x000000018002E000-memory.dmp
- behavioral1/memory/2488-29-0x0000000180000000-0x000000018002E000-memory.dmp
- behavioral1/memory/2152-9-0x0000000000060000-0x000000000008E000-memory.dmp
- behavioral1/memory/2152-15-0x0000000000060000-0x000000000008E000-memory.dmp
- behavioral1/memory/2152-30-0x0000000000060000-0x000000000008E000-memory.dmp
- behavioral1/memory/2152-31-0x0000000000060000-0x000000000008E000-memory.dmp
- behavioral1/memory/2152-32-0x0000000000060000-0x000000000008E000-memory.dmp
- behavioral1/memory/2152-33-0x0000000000060000-0x000000000008E000-memory.dmp
- behavioral1/memory/2152-34-0x0000000000060000-0x000000000008E000-memory.dmp
- behavioral1/memory/2152-37-0x0000000000060000-0x000000000008E000-memory.dmp

Modifies registry class (12 IoCs)

Process: wermgr.exe. All writes go to one randomly named subkey of the user's Classes hive, \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\zitatuuipmiean, using short hex value names and opaque binary data:

- Set value (data) zitatuuipmiean\838fc7ff = a4f15f5e3784909a5fe3fe5ab647c472b30fee96455cda7a53e1c5df27ae48d2b694e9b095311a71f23a7beef9fd1af871107f09bc8b0769bc965e5e3764cbcc8ea1e2ef293bfb32ec6aee38a1c4b681444ebb4fb358bf82af65f711434290702b3a0812694a880968bd856d2ebd4abea1de7feeb4d18c3092968e8fe3096d7d8a756bc723efe79a8cc4b5a399b88d2add
- Set value (data) zitatuuipmiean\838fc7ff = 6656ba2b5421b729117dd8e9c3e2bc2ef7253f514b9b3772942566008152aed4538e9d76417dd975a586b6399e764c03466ede4a70f1a6ee84d792e7d4a5fe03bf627f96088dfa88fd7780c440f2ba7fccaab2697061e62e2e33d85552c607c32cbe1596710f9c7eeeaa32cd4fb8a46586
- Set value (data) zitatuuipmiean\d5a78f37 = 865930e054ae64d935df4af99671ced9716073f435102acca95abb847e6b67775c431f2dadccdd6c655fe99cf86852f109ef3d1da5a599dcd034442ddeabf2bcb0a07f4442c141819fcfcc10746019a2aaeab97fd053dd1dee4c7ef9ac42b99fcaac550672d1960f333aaa4610789c598434b7910b19e444a5f6eb4f3f1cf10a2e0cdee2e9a3ea821c4b625df4a1580505083e92badbd0a9e7c9c3523620f2478a868f2916c407b6d310cb62a7584f56d4
- Set value (data) zitatuuipmiean\7c5c905 = 04ad018878ac2c41ba0359a6400b87685818050428d8108d7d430bce79ad8669f120c2c4218e5f2c5eca870537b695f7dbd83de2e6332e34b396d337159617d0adb12e40b811077a911971647a9bc1339686f097f9621c045adf513c4815ecc3c2
- Set value (data) zitatuuipmiean\bc96ac2e = e7c3b8e310e02c51b4db443006a5064d0b92b8a3759a7a82495d7ce0e2857fdffef8d5879eb2c539bd47d3bb9e06bfd9576610d8f8c41d0ab1ad907c78dfe4dcee
- Set value (data) zitatuuipmiean\d420d2b0 = a6925d9be705d27dc0886a5f987ad3f0a5b433c2976cf9745524510a2761c058c9
- Set value (data) zitatuuipmiean\82089a78 = 44ae1e85065923921a0a2c01ac0c395926a0d64c1a4fbdb57c52456655f323d920dda9a12a1295b763193e21999a2df4334c61620039dc63556ce29ebb42d968e59de9b2aa371f6521048f8ea7f138114f780e3805186805ed053fb62502afdaef601e4bc4cc13aaad6971dfc6e14d1e61d8bdab7b46b7144af2ae1b43a6cb16e6
- Key created zitatuuipmiean
- Set value (data) zitatuuipmiean\cb6fc99b = 07d9cf10722a1019b16f79410d8830ec54c7297e93dc0337ab784f3b343694d09cc2fe592f4bbf62248222e3e19581bc3bfa79f791085aa78808c3ca08c15630b2
- Set value (data) zitatuuipmiean\13c886b0 = 05fbe8c7e60e53948d8bcc6fc6cbc74977de9ece354c1e1eadaa00e241a5a5cad3936a1573ec356b76b84baf9a12b602754869afd7adc3eed094f616e5b2ab1c68ce56535e9dbc74ae5ca876a8ea5c4a566aebecbdb5f788a2cb76c925ea20dc564239eeb796179d1a5ff5db85322284e8eb6eedbae133352a54345c31fb7e17f2d5907c1a4c932c7bc511d41fe5bff66e
- Set value (data) zitatuuipmiean\188ad22e = c402e9d47ecc064705e6b354b02133c75b13e628aba00fae764341e6f536f703461db48a02509539b54619cadfaccd20a69453b0d60b122ff30c05fd67902a50be
- Set value (data) zitatuuipmiean\190d8fa9 = a44a563572943b9a16b8702ba97b72f0e8b9c07b0c76da9179b780fd4881067ce4bf1dcc3df0a43ffb9d5a1c2081b668c5f2cddb073e3214aa2ca567347ce0e154e92fb3b39f8053147582867fe3132d72

Suspicious behavior: EnumeratesProcesses (64 IoCs)

- PID 2488 rundll32.exe: 1 hit
- PID 2152 wermgr.exe: the remaining 63 hits (the same event repeated)

Suspicious use of WriteProcessMemory (6 IoCs)

- PID 2488 (rundll32.exe) wrote to the memory of PID 2152 (wermgr.exe): 6 events

Read together, these signatures describe one chain: rundll32.exe loads the DLL, starts the legitimate Windows Error Reporting binary wermgr.exe and writes the payload into it; the injected wermgr.exe is where the Qakbot YARA hits, the process enumeration and the registry writes are then observed.
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3.dll,#1
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\wermgr.exe (child of 1)
      Command line: C:\Windows\System32\wermgr.exe
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
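The behavioural signatures above translate directly into endpoint detections: rundll32.exe obtaining write access to wermgr.exe, wermgr.exe storing binary blobs under a random Classes subkey, and outbound connections to the extracted C2 endpoints. The following Python is an added example for this page, not code from the Triage report or from the Qakbot family. It runs those three rules over constructed Sysmon-style events (Event IDs 10, 13 and 3) that reuse the report's indicator values, and decodes the campaign epoch to show that it equals camp_date. Field names (SourceImage, TargetImage, GrantedAccess, TargetObject, Details, DestinationIp) are Sysmon's; the event records themselves are made up, and the benign control events are there to show the rules stay quiet on normal activity. The EnumeratesProcesses signature is an API-trace observation with no single Sysmon event, so it is not modelled.

```python
"""Replay the behaviours this report records against Sysmon-style endpoint events.

Added example; not code from the Triage report, the sandbox, or Qakbot. The event
records are constructed and use Sysmon field names (Event IDs 3, 10, 13); only the
indicator values (C2 endpoints, SID, registry path, value names, one hex blob,
campaign epoch) are copied from the report.
"""
import re
from collections import Counter
from datetime import datetime, timezone

# Indicators from the report.
QAKBOT_C2 = {("45.138.74.191", 443), ("65.108.218.24", 443)}
CAMPAIGN_EPOCH = 1702463600
SID = "S-1-5-21-330940541-141609230-1670313778-1000"

# wermgr.exe wrote binary values under a random, lowercase-only subkey of the
# user's Classes hive with 7-8 hex-digit value names. Accept the native NT path
# the sandbox logs and the HKU\ form Sysmon uses.
CLASSES_VALUE = re.compile(
    r"^(?:\\REGISTRY\\USER|HKU)\\S-1-5-21-[0-9-]+_(?:CLASSES|Classes)\\"
    r"(?P<subkey>[a-z]{10,})\\(?P<value>[0-9a-f]{6,8})$"
)
HEX_BLOB = re.compile(r"^(?:[0-9a-f]{2}){32,}$")  # at least 32 raw bytes

# Access-mask bits relevant to injection (winnt.h).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020


def campaign_date(epoch: int) -> str:
    """Render the campaign epoch the way camp_date is shown in the config above."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S +0000 UTC")


def injection_into_wermgr(ev: dict) -> bool:
    """Sysmon 10 (ProcessAccess): rundll32.exe opening wermgr.exe with rights that
    allow WriteProcessMemory/CreateRemoteThread, as PID 2488 did to PID 2152."""
    if ev.get("EventID") != 10:
        return False
    src = ev.get("SourceImage", "").lower()
    tgt = ev.get("TargetImage", "").lower()
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    writes = granted & (PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD)
    return src.endswith("\\rundll32.exe") and tgt.endswith("\\wermgr.exe") and writes != 0


def registry_store_by_wermgr(ev: dict) -> bool:
    """Sysmon 13 (RegistryEvent, value set): wermgr.exe storing an opaque blob under a
    random Classes subkey. Sysmon renders binary values as 'Binary Data'; the sandbox
    renders the bytes as hex, so both forms are accepted."""
    if ev.get("EventID") != 13:
        return False
    if not ev.get("Image", "").lower().endswith("\\wermgr.exe"):
        return False
    if not CLASSES_VALUE.match(ev.get("TargetObject", "")):
        return False
    details = ev.get("Details", "")
    return details.startswith("Binary Data") or HEX_BLOB.match(details) is not None


def qakbot_c2_connection(ev: dict) -> bool:
    """Sysmon 3 (NetworkConnect) to one of the extracted C2 endpoints."""
    if ev.get("EventID") != 3:
        return False
    return (ev.get("DestinationIp"), int(ev.get("DestinationPort", 0))) in QAKBOT_C2


RULES = {
    "rundll32.exe -> wermgr.exe process access": injection_into_wermgr,
    "wermgr.exe blob store in Classes hive": registry_store_by_wermgr,
    "connection to extracted Qakbot C2": qakbot_c2_connection,
}


def triage(events) -> Counter:
    """Count matching events per rule."""
    hits = Counter()
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[name] += 1
    return hits


# Constructed events modelled on the report; the benign controls must not match.
WERMGR = r"C:\Windows\System32\wermgr.exe"
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\system32\rundll32.exe",
     "TargetImage": WERMGR, "GrantedAccess": "0x1F0FFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\explorer.exe",  # benign control
     "TargetImage": WERMGR, "GrantedAccess": "0x1000"},
    {"EventID": 13, "Image": WERMGR,
     "TargetObject": "\\REGISTRY\\USER\\" + SID + "_CLASSES\\zitatuuipmiean\\bc96ac2e",
     "Details": "e7c3b8e310e02c51b4db443006a5064d0b92b8a3759a7a82495d7ce0e2857fdffef8d5879eb2c539bd47d3bb9e06bfd9576610d8f8c41d0ab1ad907c78dfe4dcee"},
    {"EventID": 13, "Image": WERMGR,
     "TargetObject": "HKU\\" + SID + "_Classes\\zitatuuipmiean\\7c5c905",
     "Details": "Binary Data"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",  # benign control
     "TargetObject": "HKU\\" + SID + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Program Files\\Updater\\updater.exe"},
    {"EventID": 3, "Image": WERMGR, "DestinationIp": "45.138.74.191", "DestinationPort": "443"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",  # benign control
     "DestinationIp": "203.0.113.5", "DestinationPort": "443"},
]

if __name__ == "__main__":
    print("camp_date:", campaign_date(CAMPAIGN_EPOCH))
    for name, count in triage(SAMPLE_EVENTS).items():
        print(f"{count}x {name}")
```

Running the file directly prints the decoded camp_date and one line per rule with its hit count; the explorer.exe access without write rights, the Run-key write by svchost.exe and the unrelated outbound connection do not fire. The subkey-length and value-name patterns are tuned to this one sample's registry footprint and should be checked against your own telemetry before use.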
Downloads (memory dumps)

PID 2488 (rundll32.exe):
- memory/2488-0-0x0000000069140000-0x00000000691BE000-memory.dmp: 504KB
- memory/2488-1-0x00000000001C0000-0x00000000001EF000-memory.dmp: 188KB
- memory/2488-4-0x0000000000190000-0x00000000001BD000-memory.dmp: 180KB
- memory/2488-6-0x0000000180000000-0x000000018002E000-memory.dmp: 184KB
- memory/2488-7-0x0000000180000000-0x000000018002E000-memory.dmp: 184KB
- memory/2488-29-0x0000000180000000-0x000000018002E000-memory.dmp: 184KB

PID 2152 (wermgr.exe):
- memory/2152-8-0x0000000000090000-0x0000000000092000-memory.dmp: 8KB
- memory/2152-9-0x0000000000060000-0x000000000008E000-memory.dmp: 184KB
- memory/2152-15-0x0000000000060000-0x000000000008E000-memory.dmp: 184KB
- memory/2152-30-0x0000000000060000-0x000000000008E000-memory.dmp: 184KB
- memory/2152-31-0x0000000000060000-0x000000000008E000-memory.dmp: 184KB
- memory/2152-32-0x0000000000060000-0x000000000008E000-memory.dmp: 184KB
- memory/2152-33-0x0000000000060000-0x000000000008E000-memory.dmp: 184KB
- memory/2152-34-0x0000000000060000-0x000000000008E000-memory.dmp: 184KB
- memory/2152-37-0x0000000000060000-0x000000000008E000-memory.dmp: 184KB