Analysis Overview
SHA256: 14ffcbbfb305287ea15264df3363567f36a26917ae2018af0f40e2009b8a7184
Threat Level: Known bad
The file sqx.dll.exe was found to be: Known bad. Despite the .exe suffix, the behavioral run loaded it as a DLL through export ordinal #1 (rundll32.exe C:\Users\Admin\AppData\Local\Temp\sqx.dll,#1; see Processes below).
Malicious Activity Summary
Bruteratel family
Detects Latrodectus
Latrodectus family
Latrodectus loader
Brute Ratel C4
Detect BruteRatel badger
Blocklisted process makes network request
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported: 2024-11-20 06:32
Signatures
Unsigned PE (no description, indicator, process or target recorded)
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-20 06:32
Reported: 2024-11-20 06:37
Platform: win10v2004-20241007-en
Max time kernel: 283s
Max time network: 272s
Command Line
Signatures
Brute Ratel C4
Bruteratel family
Detect BruteRatel badger
(1 hit; no description, indicator, process or target recorded)
Detects Latrodectus
(6 hits; no description, indicator, process or target recorded)
Latrodectus family
Latrodectus loader
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
(9 identical events, all from rundll32.exe; no indicator or target recorded)
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
(12 identical events, all from rundll32.exe; no indicator or target recorded)
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1472 wrote to memory of 3496 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\Explorer.EXE |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\rundll32.exe (command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\sqx.dll,#1)
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | guaaug.com | udp |
| NL | 46.249.49.83:4438 | guaaug.com | tcp |
| US | 8.8.8.8:53 | r10.o.lencr.org | udp |
| GB | 88.221.135.105:80 | r10.o.lencr.org | tcp |
| US | 8.8.8.8:53 | 83.49.249.46.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.245.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | uayyau.com | udp |
| NL | 94.232.40.38:4438 | uayyau.com | tcp |
| US | 8.8.8.8:53 | 38.40.232.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 46.249.49.83:4438 | guaaug.com | tcp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| NL | 46.249.49.83:4438 | guaaug.com | tcp |
| NL | 46.249.49.83:4438 | guaaug.com | tcp |
| US | 8.8.8.8:53 | bestmarsgood.com | udp |
| US | 104.21.6.232:443 | bestmarsgood.com | tcp |
| US | 8.8.8.8:53 | cerwintifed.com | udp |
| US | 104.21.78.35:443 | cerwintifed.com | tcp |
| US | 8.8.8.8:53 | 35.78.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.6.21.104.in-addr.arpa | udp |
| NL | 46.249.49.83:4438 | guaaug.com | tcp |
| NL | 94.232.40.38:4438 | uayyau.com | tcp |
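The Network table above mixes resolver traffic, reverse (PTR) lookups, an OCSP fetch and the handful of connections that actually matter. The following Python is an added example, not part of the sandbox report, that triages a subset of those rows: it treats 8.8.8.8:53 as the resolver, allowlists *.lencr.org (Let's Encrypt OCSP), decodes the in-addr.arpa names back to addresses, and reports the remaining TCP destinations as candidate C2 together with any port outside 80/443. The allowlist, the expected-port set and the row subset are assumptions chosen for the example.

```python
"""IOC triage over this report's Network table (added example, not sandbox output)."""
import ipaddress
from collections import defaultdict

# Subset of the rows from the Network table above: (country, destination, domain, proto).
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "guaaug.com", "udp"),
    ("NL", "46.249.49.83:4438", "guaaug.com", "tcp"),
    ("US", "8.8.8.8:53", "r10.o.lencr.org", "udp"),
    ("GB", "88.221.135.105:80", "r10.o.lencr.org", "tcp"),
    ("US", "8.8.8.8:53", "83.49.249.46.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "105.135.221.88.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "uayyau.com", "udp"),
    ("NL", "94.232.40.38:4438", "uayyau.com", "tcp"),
    ("US", "8.8.8.8:53", "38.40.232.94.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "bestmarsgood.com", "udp"),
    ("US", "104.21.6.232:443", "bestmarsgood.com", "tcp"),
    ("US", "8.8.8.8:53", "cerwintifed.com", "udp"),
    ("US", "104.21.78.35:443", "cerwintifed.com", "tcp"),
    ("US", "8.8.8.8:53", "35.78.21.104.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "232.6.21.104.in-addr.arpa", "udp"),
    ("NL", "46.249.49.83:4438", "guaaug.com", "tcp"),
]

# Assumed allowlist: infrastructure the sandbox image contacts on its own.
RESOLVERS = {"8.8.8.8"}
BENIGN_SUFFIXES = (".lencr.org",)   # Let's Encrypt OCSP/CRL hosts
EXPECTED_PORTS = {80, 443}          # anything else is reported as non-standard


def split_dest(dest):
    host, _, port = dest.rpartition(":")
    return host, int(port)


def ptr_to_ip(name):
    """'83.49.249.46.in-addr.arpa' -> '46.249.49.83' (PTR names carry reversed octets)."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return str(ipaddress.ip_address(".".join(reversed(octets))))


def triage(rows):
    """Split the table into resolver traffic, allowlisted traffic and candidate C2."""
    reverse_lookups = set()
    c2 = {}                   # (ip, port) -> domain
    hits = defaultdict(int)   # (ip, port) -> number of TCP connections seen
    allowlisted = set()
    for _country, dest, domain, proto in rows:
        ip, port = split_dest(dest)
        if proto == "udp" and port == 53 and ip in RESOLVERS:
            if domain.endswith(".in-addr.arpa"):
                reverse_lookups.add(ptr_to_ip(domain))
            continue   # forward lookups are judged by the connection that follows them
        if domain.endswith(BENIGN_SUFFIXES):
            allowlisted.add((ip, port, domain))
            continue
        c2[(ip, port)] = domain
        hits[(ip, port)] += 1
    return {
        "c2": sorted((ip, port, dom) for (ip, port), dom in c2.items()),
        "connections": dict(hits),
        "nonstandard_ports": sorted({port for _ip, port in c2 if port not in EXPECTED_PORTS}),
        # C2 addresses that were also reverse-resolved during the run
        "reverse_resolved_c2": sorted(ip for ip, _port in c2 if ip in reverse_lookups),
        "allowlisted": sorted(allowlisted),
    }


if __name__ == "__main__":
    for key, value in triage(NETWORK_ROWS).items():
        print(f"{key}: {value}")
```

On this report the result is the four domains with their addresses, port 4438 flagged as non-standard, and the observation that every C2 address was also reverse-resolved during the run. The two 443 destinations sit in 104.16.0.0/13, one of Cloudflare's published ranges, so for bestmarsgood.com and cerwintifed.com the domain is the durable indicator; the two 4438 endpoints in NL are direct and worth blocking by address as well.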
Files
memory/1472-0-0x00000160472F0000-0x000001604732E000-memory.dmp
memory/1472-1-0x0000016047330000-0x000001604737C000-memory.dmp
memory/1472-20-0x00007FF4DE290000-0x00007FF4DE2A5000-memory.dmp
memory/1472-22-0x00007FF4DE270000-0x00007FF4DE271000-memory.dmp
memory/3496-25-0x0000000001550000-0x0000000001565000-memory.dmp
memory/1472-24-0x00007FF4DE250000-0x00007FF4DE251000-memory.dmp
memory/1472-23-0x00007FF4DE260000-0x00007FF4DE261000-memory.dmp
memory/1472-21-0x00007FF4DE280000-0x00007FF4DE281000-memory.dmp
memory/1472-19-0x00007FF4DE2B0000-0x00007FF4DE2B1000-memory.dmp
memory/3496-26-0x0000000001550000-0x0000000001565000-memory.dmp
memory/1472-29-0x0000016047330000-0x000001604737C000-memory.dmp
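The WriteProcessMemory signature records that PID 1472 (rundll32.exe) wrote into PID 3496 (Explorer.EXE), and the Files section lists the memory regions the sandbox dumped from both. This added Python example, not part of the report, parses those dump names, collapses repeated dumps of the same region, and looks for regions in the target whose size matches a region in the writer, which is the cheap first filter an analyst applies before opening the dumps. The PID-to-process mapping comes from the signature row; the size-match heuristic is an assumption of the example, not something the report states.

```python
"""Correlating memory dumps with the WriteProcessMemory event (added example, not sandbox output)."""
import re
from collections import defaultdict

# Dump names copied from the Files section above.
MEMORY_DUMPS = [
    "memory/1472-0-0x00000160472F0000-0x000001604732E000-memory.dmp",
    "memory/1472-1-0x0000016047330000-0x000001604737C000-memory.dmp",
    "memory/1472-20-0x00007FF4DE290000-0x00007FF4DE2A5000-memory.dmp",
    "memory/1472-22-0x00007FF4DE270000-0x00007FF4DE271000-memory.dmp",
    "memory/3496-25-0x0000000001550000-0x0000000001565000-memory.dmp",
    "memory/1472-24-0x00007FF4DE250000-0x00007FF4DE251000-memory.dmp",
    "memory/1472-23-0x00007FF4DE260000-0x00007FF4DE261000-memory.dmp",
    "memory/1472-21-0x00007FF4DE280000-0x00007FF4DE281000-memory.dmp",
    "memory/1472-19-0x00007FF4DE2B0000-0x00007FF4DE2B1000-memory.dmp",
    "memory/3496-26-0x0000000001550000-0x0000000001565000-memory.dmp",
    "memory/1472-29-0x0000016047330000-0x000001604737C000-memory.dmp",
]
# Description column of the "Suspicious use of WriteProcessMemory" signature above.
WRITE_EVENTS = ["PID 1472 wrote to memory of 3496"]

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_dump(name):
    """Split 'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp' into its fields plus the region size."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range: {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def unique_regions(names):
    """Collapse repeated dumps of the same (pid, start, end), keeping the earliest sequence number."""
    seen = {}
    for r in sorted((parse_dump(n) for n in names), key=lambda r: r["seq"]):
        seen.setdefault((r["pid"], r["start"], r["end"]), r)
    return list(seen.values())


def injected_region_candidates(names, write_events):
    """Regions in the written-to process whose size matches a region in the writer.

    A staging buffer in the writer and the copy it placed in the target are usually
    the same size, so a cross-PID size match is a cheap first filter (heuristic).
    """
    by_pid = defaultdict(list)
    for r in unique_regions(names):
        by_pid[r["pid"]].append(r)
    out = []
    for ev in write_events:
        src, dst = (int(x) for x in WRITE_RE.search(ev).groups())
        src_sizes = {r["size"] for r in by_pid[src]}
        for r in by_pid[dst]:
            if r["size"] in src_sizes:
                out.append((src, dst, r["start"], r["size"]))
    return out


if __name__ == "__main__":
    for src, dst, start, size in injected_region_candidates(MEMORY_DUMPS, WRITE_EVENTS):
        print(f"PID {src} -> PID {dst}: region 0x{start:X}, 0x{size:X} bytes")
```

Here the 0x15000-byte region at 0x1550000 in Explorer.EXE (dumped twice, sequence 25 and 26) matches the 0x15000-byte region at 0x7FF4DE290000 in rundll32.exe, so those two dumps are the ones to diff first; the five single-page (0x1000) dumps in rundll32.exe have no counterpart in the target.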