Analysis
- max time kernel: 149s
- max time network: 117s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-04-2024 13:38
- Static task: static1
- Behavioral task: behavioral1
- Sample: 780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3.dll
- Resource: win7-20240221-en
General
- Target: 780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3.dll
- Size: 459KB
- MD5: 0a29918110937641bbe4a2d5ee5e4272
- SHA1: 7d4a6976c1ece81e01d1f16ac5506266d5210734
- SHA256: 780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3
- SHA512: 998a6ee2fa6b345aeea72afaa91add8433e986a2678dbb8995ead786c30bdc00704c39c4857935b20669005b292736d50e1c6ad38901aa1f29db7b6a597fae3f
- SSDEEP: 6144:T4+8LGS5U/dvT6+adDaMuMeek1Wg3NkA+8hMzA1W9xCTSI:8fZ5U/dvPadDrNebWg3N+QMc16MOI
Malware Config
Extracted:
- qakbot
- tchk06
- 1702463600
- 45.138.74.191:443
- 65.108.218.24:443
- camp_date: 2023-12-13 10:33:20 +0000 UTC
Signatures
-
Detect Qakbot Payload 13 IoCs
Processes (resource, yara_rule):
- behavioral2/memory/3360-1-0x0000015CADED0000-0x0000015CADEFF000-memory.dmp: family_qakbot_v5
- behavioral2/memory/3360-5-0x0000015CADEA0000-0x0000015CADECD000-memory.dmp: family_qakbot_v5
- behavioral2/memory/3360-6-0x0000000180000000-0x000000018002E000-memory.dmp: family_qakbot_v5
- behavioral2/memory/3360-7-0x0000000180000000-0x000000018002E000-memory.dmp: family_qakbot_v5
- behavioral2/memory/4424-9-0x0000026B65D00000-0x0000026B65D2E000-memory.dmp: family_qakbot_v5
- behavioral2/memory/4424-15-0x0000026B65D00000-0x0000026B65D2E000-memory.dmp: family_qakbot_v5
- behavioral2/memory/3360-25-0x0000000180000000-0x000000018002E000-memory.dmp: family_qakbot_v5
- behavioral2/memory/4424-26-0x0000026B65D00000-0x0000026B65D2E000-memory.dmp: family_qakbot_v5
- behavioral2/memory/4424-27-0x0000026B65D00000-0x0000026B65D2E000-memory.dmp: family_qakbot_v5
- behavioral2/memory/4424-28-0x0000026B65D00000-0x0000026B65D2E000-memory.dmp: family_qakbot_v5
- behavioral2/memory/4424-29-0x0000026B65D00000-0x0000026B65D2E000-memory.dmp: family_qakbot_v5
- behavioral2/memory/4424-30-0x0000026B65D00000-0x0000026B65D2E000-memory.dmp: family_qakbot_v5
- behavioral2/memory/4424-32-0x0000026B65D00000-0x0000026B65D2E000-memory.dmp: family_qakbot_v5
Modifies registry class 12 IoCs
Processes (description, ioc, process), all by wermgr.exe:
- Set value (data): \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\ylvmzevzfp\89dba1bf = c63ac10208d16e5d6b6ca3bfba7cd549776f9aa39ef947d013bbecf5947c6da27bc4acc46a394ae38a4cea44503be3abeb359f5943dd059c8a0dd2d35e235a4284a8b2491e44d8d4be8cc6e7fea8f6a6788f33c5f13b0ae18099892cb9d85ea414
- Set value (data): \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\ylvmzevzfp\fe22c40a = 05c6db8c7271a2206c5d4e6a795c5a411531877380ad87f6c8f27029a5c05b2f0a4de9ed817efb763e1978c10428913131
- Set value (data): \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\ylvmzevzfp\5a3eba0a = 05ee17ce20da9d0438b641ca58b9c3d5f2c6b594db1a165891e95a626db347873c7502a6d14b8dc745068684d00416413f9f87e22acf1c726481abb34799f4056a
- Key created: \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\ylvmzevzfp
- Set value (data): \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\ylvmzevzfp\c13bafdb = e5fb879fce2eca16d78c865b8ded1c80d06617c9ab81c9ddf4e051b9c1aeb4529be582f828d512812e10a1e4b318ab8766
- Set value (data): \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\ylvmzevzfp\9713e713 = c41c34430f682482a9f4ec15be6aff690c67055744eed1c065c93ac816b619b8a289c86df993c07bafcdf244f5d8683612e2cb21e528105eea32191f9935f3ff48849dd1829733e27a2b6592c2788d2f057a44c259558de8cf390b5ba120b8e50b2cb9d6e8014544841e9749512799410f62875408e648773fefc80d41412573da89a63aec71262eec8553bd2865842e5905636cb05769a311cd1f56ba1123b7d7
- Set value (data): \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\ylvmzevzfp\4571a121 = 275298bf6f666d836510504e23efe0d0507f2e4356d60c5bcbf7363193b083ceaea9d16c714defceae93155ae98d254e37239acd45e5903caf346f112f2db7638f2ed12eb029ffb87aa5479163c44c19c71db1aef5652ed127d67610d407001d2744d7d83bc8892dc279e3b2798bc15992b214de0b4bfced09b6ded220c1f799c9
- Set value (data): \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\ylvmzevzfp\517cee94 = 453de14fb4500a55328dc6160552e7dbbd672533435c857810fbc6c811257860f8db5f2eaf307836cbbd16e321992268544cd43b72324b829b2d7c3abf500f8105e0219bb4c8c365036953b0cf6d2469b1ef47b25775133682b74ced7066d802318b6519482da0c222ca8b38604b743bd6
- Set value (data): \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\ylvmzevzfp\9694ba94 = a73ad2f91d23989c7971b3cb0d96b8ace94af0810ec708702294be95d7465ac898c1e13d913bb563b329b45e54718400e94b8ad29cccc1d01b941eb8ce5eed19dc5182e99ac617a9822e51de42e4d4c47acb227d52c4b53d8b900f577fec5b22110f1eac1973a9ba996b441d844496b8ba
- Set value (data): \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\ylvmzevzfp\5bb9e78d = 47ad22ae163f90bd46ee15d9d8025a7050d22fec3d5fb974d8b29655fdd014c1e2755aac7b4fe0f151db67f1a304b459b9653df3fd29bf3ba647bb6390de8ce4ff2426b52f42f054696794b3c9c88a5e4281fb4110c14c1e0776b0b1f485ca495d1a225f5a0e57267424d2f5a8e9e72838
- Set value (data): \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\ylvmzevzfp\c0bcf25c = e7917350b5bcabcf518932ee9b9774e113bf8977240d58d3e8bf5143af316476c41233316dfe22a4ca91e21694f13a0174e3aba90bf187cebcc329a5700ad8a0eb
- Set value (data): \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\ylvmzevzfp\c13bafdb = 0439eb3c63f30335fd53a3df52c7fda5026701547022b669862e2f4f871aa30c1be2cf2ffa8eba5be43984635c4dabfa855c58311e230fdcc4c9d33fccdae8f8f20e6595b01e4586d9daacc9bfcbeb9820
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process): rundll32.exe, wermgr.exe
- 3360 rundll32.exe (2 hits)
- 4424 wermgr.exe (all remaining hits)
Suspicious use of WriteProcessMemory 5 IoCs
Processes (description, pid, process, target process): rundll32.exe
- PID 3360 wrote to memory of 4424: 3360 rundll32.exe -> wermgr.exe (5 hits)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3.dll,#1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wermgr.exe (child process)
    Command line: C:\Windows\System32\wermgr.exe
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
Downloads (memory dump, filesize)
- memory/3360-0-0x0000000069140000-0x00000000691BE000-memory.dmp: 504KB
- memory/3360-1-0x0000015CADED0000-0x0000015CADEFF000-memory.dmp: 188KB
- memory/3360-5-0x0000015CADEA0000-0x0000015CADECD000-memory.dmp: 180KB
- memory/3360-6-0x0000000180000000-0x000000018002E000-memory.dmp: 184KB
- memory/3360-7-0x0000000180000000-0x000000018002E000-memory.dmp: 184KB
- memory/3360-25-0x0000000180000000-0x000000018002E000-memory.dmp: 184KB
- memory/4424-9-0x0000026B65D00000-0x0000026B65D2E000-memory.dmp: 184KB
- memory/4424-15-0x0000026B65D00000-0x0000026B65D2E000-memory.dmp: 184KB
- memory/4424-8-0x0000026B65D30000-0x0000026B65D32000-memory.dmp: 8KB
- memory/4424-26-0x0000026B65D00000-0x0000026B65D2E000-memory.dmp: 184KB
- memory/4424-27-0x0000026B65D00000-0x0000026B65D2E000-memory.dmp: 184KB
- memory/4424-28-0x0000026B65D00000-0x0000026B65D2E000-memory.dmp: 184KB
- memory/4424-29-0x0000026B65D00000-0x0000026B65D2E000-memory.dmp: 184KB
- memory/4424-30-0x0000026B65D00000-0x0000026B65D2E000-memory.dmp: 184KB
- memory/4424-32-0x0000026B65D00000-0x0000026B65D2E000-memory.dmp: 184KB