Analysis
-
max time kernel
116s -
max time network
133s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
29-10-2020 04:38
Static task
static1
Behavioral task
behavioral1
Sample
doc_pack-2079363332.xlsb
Resource
win7v20201028
General
-
Target
doc_pack-2079363332.xlsb
-
Size
24KB
-
MD5
605bc118f7ed585637da7594bf7fcc80
-
SHA1
6a05f59bbf44c9a51f28e951c0bfc9be2d45aaca
-
SHA256
0ea65acd50affbbf02747afc7f76d9e1fd1fc6684302bd89912926ccdd9d4fdb
-
SHA512
be70eef5637d7cab1e192f429bc913d1c0057524a081a7b4d9d138e8186037bd259959a44681e9f0c3f3c96cb9bf45a917438d4c4b3aa098de921458c9d6aaf3
Malware Config
Extracted
Family qakbot
Botnet tr01
Campaign 1603793855 (a Unix timestamp: 2020-10-27 10:17:35 UTC, two days before this submission)
C2 (IP:port; 443, 993, 995 and 2222 dominate, with a few outliers such as 990, 2078, 8443 and one port-0 entry)
50.104.68.223:443
89.137.211.239:443
95.77.223.148:443
197.37.69.138:993
68.174.15.223:443
103.238.231.35:443
36.77.151.211:443
72.16.56.171:443
45.47.65.191:443
189.231.212.189:443
106.51.52.111:443
24.55.66.125:443
39.37.247.97:995
108.190.151.108:2222
203.198.96.61:443
73.228.1.246:443
35.134.202.234:443
188.50.230.249:995
86.120.64.150:2222
5.14.126.153:443
64.121.114.87:443
108.46.145.30:443
45.77.193.83:443
207.246.75.201:443
94.52.160.116:443
86.98.89.100:2222
47.44.217.98:443
102.186.103.0:443
217.162.149.212:443
92.59.35.196:2222
83.110.80.66:995
5.12.255.109:443
86.121.121.14:2222
45.32.154.10:443
98.26.50.62:995
2.50.57.213:443
77.27.174.49:995
2.7.65.32:2222
98.4.227.199:443
151.73.112.197:443
108.31.15.10:995
78.97.207.104:443
72.66.47.70:443
72.36.59.46:2222
80.240.26.178:443
184.97.134.255:443
216.201.162.158:443
146.200.250.36:2222
94.52.68.72:443
103.206.112.234:443
108.185.113.12:443
75.136.40.155:443
77.159.149.74:443
72.71.230.82:2222
66.215.32.224:443
45.32.155.12:443
203.106.195.67:443
199.247.16.80:443
41.227.67.92:443
173.3.17.223:995
185.19.190.81:443
78.96.199.79:443
173.245.152.231:443
75.137.239.211:443
1.160.141.215:443
217.165.96.127:990
50.244.112.10:995
41.97.179.154:443
134.0.196.46:995
45.32.165.134:443
41.225.13.128:8443
45.63.104.123:443
207.246.70.216:443
176.205.145.61:995
2.50.131.64:443
45.32.155.12:2222
96.30.198.161:443
140.82.27.132:443
45.32.155.12:995
24.43.22.220:993
173.70.165.101:995
202.141.244.118:995
80.195.103.146:2222
184.96.158.62:993
93.113.177.152:443
31.5.21.66:443
24.27.82.216:2222
84.247.55.190:443
188.27.178.166:443
45.32.162.253:443
95.179.247.224:443
199.247.22.145:443
95.76.27.6:443
81.97.154.100:443
174.30.165.242:2222
197.210.96.222:995
203.45.104.33:443
45.46.53.140:2222
189.183.209.130:995
173.21.10.71:2222
47.138.201.136:443
144.139.47.206:443
69.123.179.70:443
69.123.116.167:2222
24.40.173.134:443
173.173.1.164:443
117.199.7.191:443
85.204.189.105:443
72.29.181.78:2222
71.220.164.199:2222
65.102.150.178:995
24.128.117.95:443
69.47.239.10:443
200.38.254.177:443
201.103.145.28:443
74.195.88.59:443
66.97.247.15:443
50.29.166.232:995
83.110.3.77:2078
98.115.243.237:443
99.240.226.2:443
73.200.219.143:443
24.205.42.241:443
72.196.114.129:443
206.183.190.53:993
67.6.55.77:443
68.184.45.73:443
24.28.183.107:995
98.121.187.78:443
98.240.24.57:443
67.165.206.193:993
89.33.87.107:443
96.237.141.134:995
5.193.181.221:2078
24.213.191.38:0
108.30.125.94:443
108.191.28.158:443
71.197.126.250:443
68.46.142.48:995
75.136.26.147:443
72.82.15.220:443
191.84.0.209:443
71.182.142.63:443
36.236.230.253:443
186.31.47.254:443
68.104.6.221:443
74.137.189.78:443
79.117.56.230:443
68.33.206.204:443
187.200.72.253:443
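The list above is only useful once it is checked and deduplicated: the same host appears under several ports (45.32.155.12 on 443, 995 and 2222), one entry has port 0, and the campaign value is a timestamp. The following is an added example, not part of the sandbox report, that turns a subset of the extracted config into validated IOCs; the IP:port lines and the campaign value are copied from the report, while COMMON_PORTS and the port-0 handling are this example's own triage assumptions.

```python
"""Turn the Qakbot C2 list extracted above into checked, deduplicated IOCs.

Added example, not part of the sandbox report. The IP:port lines are a subset
copied from the report's extracted config and the campaign value is the
report's 1603793855; COMMON_PORTS and the port-0 handling are this example's
own assumptions for triage.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Subset of the C2 list above (copied from the report), chosen to include the
# host listed under three ports and the entries with unusual ports.
C2_LINES = """
50.104.68.223:443
197.37.69.138:993
39.37.247.97:995
108.190.151.108:2222
45.32.155.12:443
45.32.155.12:2222
45.32.155.12:995
83.110.3.77:2078
217.165.96.127:990
41.225.13.128:8443
24.213.191.38:0
"""

CAMPAIGN = "1603793855"  # from the report's extracted config

# Ports that dominate this config (assumption used only to spot outliers).
COMMON_PORTS = {443, 993, 995, 2222}


def campaign_to_utc(campaign: str) -> str:
    """Qakbot campaign IDs are Unix timestamps; render one as UTC."""
    ts = datetime.fromtimestamp(int(campaign), tz=timezone.utc)
    return ts.strftime("%Y-%m-%d %H:%M:%S UTC")


def parse_c2(text: str) -> list[tuple[str, int]]:
    """Validate every line as <IP>:<port>; raise on anything else so a mangled
    config line is noticed rather than silently dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        host, sep, port_text = line.rpartition(":")
        if not sep:
            raise ValueError(f"missing port in {line!r}")
        ip = ipaddress.ip_address(host.strip("[]"))  # ValueError on garbage
        port = int(port_text)
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range in {line!r}")
        entries.append((str(ip), port))
    return entries


def group_by_host(entries):
    """IP -> sorted ports. One host can be listed under several ports
    (45.32.155.12 appears on 443, 995 and 2222 in this config)."""
    groups = defaultdict(set)
    for ip, port in entries:
        groups[ip].add(port)
    return {ip: sorted(ports) for ip, ports in groups.items()}


def oddities(entries):
    """Entries to eyeball before acting on them: port 0 cannot be a listener
    (treat it as config padding or an extractor artefact), and the other
    non-standard ports are still real C2 candidates but worth a second look."""
    return sorted((ip, p) for ip, p in entries if p == 0 or p not in COMMON_PORTS)


def blocklist(entries):
    """Unique IPs for a perimeter block, numerically sorted. Port-0 hosts are
    left out here on purpose; they sit in oddities() for manual review."""
    ips = {ip for ip, p in entries if p != 0}
    return sorted(ips, key=lambda s: (ipaddress.ip_address(s).version,
                                      ipaddress.ip_address(s).packed))


if __name__ == "__main__":
    found = parse_c2(C2_LINES)
    print("campaign:", campaign_to_utc(CAMPAIGN))
    print("hosts:", len(group_by_host(found)), "entries:", len(found))
    print("review:", oddities(found))
    print("block:", blocklist(found))
```

The parser is strict by design: a config that has been mangled in transit (a missing port, a truncated address) should fail loudly rather than shrink the blocklist without anyone noticing.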
Signatures
-
Executes dropped EXE 5 IoCs
Processes:
pid   Process
872   exlwhtih.exe
1640  exlwhtih.exe
1840  duxoeoi.exe
1624  duxoeoi.exe
436   exlwhtih.exe
Loads dropped DLL 4 IoCs
Processes:
pid   Process       loads
596   EXCEL.EXE     2
872   exlwhtih.exe  2
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
description  ioc  Process
Key opened  \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE
Modifies Internet Explorer settings 9 IoCs
Processes:
description  ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"  EXCEL.EXE
Set value (str)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"  EXCEL.EXE
Set value (int)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"  EXCEL.EXE
Set value (str)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"  EXCEL.EXE
Set value (int)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"  EXCEL.EXE
Key created  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar  EXCEL.EXE
Key created  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt  EXCEL.EXE
Key created  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote  EXCEL.EXE
Key created  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel  EXCEL.EXE
Note: all of these come from EXCEL.EXE itself. The FloatingPointProcessor key read and the "Send to OneNote" / "Export to Microsoft Excel" MenuExt entries are what Office 2010 writes on first run in a fresh VM; they are not behaviour attributable to the sample and should not be carried into detections.
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid   Process
596   EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
pid   Process       hits
872   exlwhtih.exe  1
1640  exlwhtih.exe  2
1840  duxoeoi.exe   1
1624  duxoeoi.exe   2
1972  explorer.exe  2
436   exlwhtih.exe  1
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid   Process
1840  duxoeoi.exe
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
pid   Process    hooks
596   EXCEL.EXE  5
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
writer PID  writer Process  target PID  writes  procid_target
596         EXCEL.EXE       872         4       31
872         exlwhtih.exe    1640        4       33
872         exlwhtih.exe    1840        4       34
872         exlwhtih.exe    1752        4       35
1840        duxoeoi.exe     1624        4       37
1840        duxoeoi.exe     1972        5       38
952         taskeng.exe     436         4       40
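Every row in the WriteProcessMemory table is a parent writing into a process it just created, which Windows does for any new child, so the table alone does not say which write is injection. What does is cross-referencing it with the image paths in the process tree and the MapViewOfSection hit on PID 1840. The following is an added example, not part of the sandbox report, that applies that cross-reference to rows copied from the report; the trusted-directory list, the Office process set and the labelling rule are this example's assumptions.

```python
"""Separate ordinary parent-to-child memory writes from injection by
cross-referencing the report's WriteProcessMemory rows with its process images
and its MapViewOfSection hit.

Added example; not part of the sandbox report. The rows, PIDs and image paths
are copied from the report (rows for three of the seven writer/target pairs);
OFFICE_APPS, TRUSTED_ROOTS and the labelling rule are this example's
assumptions.
"""
import re
from collections import Counter

# Rows copied from the report's "Suspicious use of WriteProcessMemory" table
# (one row per observed write call).
WPM_ROWS = """
PID 596 wrote to memory of 872 596 EXCEL.EXE 31
PID 596 wrote to memory of 872 596 EXCEL.EXE 31
PID 596 wrote to memory of 872 596 EXCEL.EXE 31
PID 596 wrote to memory of 872 596 EXCEL.EXE 31
PID 872 wrote to memory of 1752 872 exlwhtih.exe 35
PID 872 wrote to memory of 1752 872 exlwhtih.exe 35
PID 872 wrote to memory of 1752 872 exlwhtih.exe 35
PID 872 wrote to memory of 1752 872 exlwhtih.exe 35
PID 1840 wrote to memory of 1972 1840 duxoeoi.exe 38
PID 1840 wrote to memory of 1972 1840 duxoeoi.exe 38
PID 1840 wrote to memory of 1972 1840 duxoeoi.exe 38
PID 1840 wrote to memory of 1972 1840 duxoeoi.exe 38
PID 1840 wrote to memory of 1972 1840 duxoeoi.exe 38
"""

# PID -> image path, from the report's process tree.
IMAGES = {
    596: r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
    872: r"C:\hgoitk\nkorpy\exlwhtih.exe",
    1752: r"C:\Windows\SysWOW64\schtasks.exe",
    1840: r"C:\Users\Admin\AppData\Roaming\Microsoft\Truhwgukkv\duxoeoi.exe",
    1972: r"C:\Windows\SysWOW64\explorer.exe",
}
MAPVIEW_PIDS = {1840}  # the report's MapViewOfSection signature

# Assumptions for the rule below.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ \S+ \d+")


def parse_rows(text: str) -> Counter:
    """Count writes per (writer_pid, target_pid) pair."""
    counts = Counter()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            counts[(int(m.group(1)), int(m.group(2)))] += 1
    return counts


def is_trusted(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def label_edge(writer_img: str, target_img: str, writer_pid: int, mapview: set) -> str:
    """Rule (assumption): a handful of writes from a parent into a child it
    just created is normal start-up and is labelled 'creation' even when the
    child is a Windows binary (exlwhtih.exe -> schtasks.exe here). An Office
    process writing into a child that runs from an untrusted directory is the
    initial-access shape ('office_dropper'). An untrusted writer that both
    writes into a Windows binary and mapped a section is labelled
    'injection_candidate' (duxoeoi.exe -> explorer.exe here)."""
    if basename(writer_img) in OFFICE_APPS and not is_trusted(target_img):
        return "office_dropper"
    if not is_trusted(writer_img) and is_trusted(target_img) and writer_pid in mapview:
        return "injection_candidate"
    return "creation"


def classify(counts: Counter, images: dict, mapview: set) -> dict:
    """(writer_pid, target_pid) -> (writes, label)."""
    out = {}
    for (w, t), n in counts.items():
        out[(w, t)] = (n, label_edge(images.get(w, ""), images.get(t, ""), w, mapview))
    return out


if __name__ == "__main__":
    results = classify(parse_rows(WPM_ROWS), IMAGES, MAPVIEW_PIDS)
    for (w, t), (n, lab) in sorted(results.items()):
        print(f"{w:>5} {basename(IMAGES[w]):<14} -> {t:>5} {basename(IMAGES[t]):<14} {n} writes  {lab}")
```

The write count is deliberately not part of the rule: the explorer.exe target got five writes against four for every other pair, but a one-write difference is not a signal worth keying on. The section mapping plus the untrusted writer and trusted target is.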
Processes
1  C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE   PID:596
   "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\doc_pack-2079363332.xlsb
   - Loads dropped DLL
   - Enumerates system info in registry
   - Modifies Internet Explorer settings
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2  C:\hgoitk\nkorpy\exlwhtih.exe   PID:872
      "C:\hgoitk\nkorpy\exlwhtih.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3  C:\hgoitk\nkorpy\exlwhtih.exe   PID:1640
         C:\hgoitk\nkorpy\exlwhtih.exe /C
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
      3  C:\Users\Admin\AppData\Roaming\Microsoft\Truhwgukkv\duxoeoi.exe   PID:1840
         C:\Users\Admin\AppData\Roaming\Microsoft\Truhwgukkv\duxoeoi.exe
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of WriteProcessMemory
         4  C:\Users\Admin\AppData\Roaming\Microsoft\Truhwgukkv\duxoeoi.exe   PID:1624
            C:\Users\Admin\AppData\Roaming\Microsoft\Truhwgukkv\duxoeoi.exe /C
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
         4  C:\Windows\SysWOW64\explorer.exe   PID:1972
            C:\Windows\SysWOW64\explorer.exe
            - Suspicious behavior: EnumeratesProcesses
      3  C:\Windows\SysWOW64\schtasks.exe   PID:1752
         "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn tojgdpyumm /tr "\"C:\hgoitk\nkorpy\exlwhtih.exe\" /I tojgdpyumm" /SC ONCE /Z /ST 05:49 /ET 06:01
         - Creates scheduled task(s)
1  C:\Windows\system32\taskeng.exe   PID:952
   taskeng.exe {485C18AE-A1D0-4480-8401-90B36363417E} S-1-5-18:NT AUTHORITY\System:Service:
   - Suspicious use of WriteProcessMemory
   2  C:\hgoitk\nkorpy\exlwhtih.exe   PID:436
      C:\hgoitk\nkorpy\exlwhtih.exe /I tojgdpyumm
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Reading the tree: Excel launched the first-stage binary directly from the document, from a random-looking directory at the drive root (C:\hgoitk\nkorpy\), with no intermediate script host. That first stage spawned a copy of itself with /C, a second binary under %APPDATA%\Microsoft\Truhwgukkv\, and schtasks.exe to register a one-shot SYSTEM task (/SC ONCE /Z, a 12-minute /ST-/ET window) that re-runs exlwhtih.exe with /I. The task fired during the run: taskeng.exe (service SID S-1-5-18) started PID 436. The second binary spawned a 32-bit explorer.exe from SysWOW64 and wrote into it (WriteProcessMemory from PID 1840, the only process with a MapViewOfSection hit), consistent with injection into explorer.exe. For hunting, the durable indicators are the schtasks shape (SYSTEM, ONCE, self-deleting, action path outside Program Files/Windows) and an Office process spawning an executable from a directory that did not exist before the document was opened; the exact names are per-infection.
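The schtasks line for PID 1752 packs the whole persistence pattern into one command: run as SYSTEM, run once, delete the task afterwards (/Z), inside a 12-minute window, with an action path outside any trusted directory. The following is an added example, not part of the sandbox report, that parses that command line (copied from the tree above) next to a constructed benign one and returns the traits present; the Windows-quoting rules it implements are the subset schtasks lines need, and the trusted-directory list, the 30-minute threshold and the set of value-less switches are this example's assumptions.

```python
"""Parse a schtasks /Create command line and score the persistence traits the
report shows for PID 1752.

Added example; not part of the sandbox report. REPORT_CMD is the command line
from the process tree above; BENIGN_CMD is constructed for contrast. The
trusted-directory list, the 30-minute window threshold and the flag set are
this example's own assumptions.
"""
from datetime import timedelta

REPORT_CMD = (
    r'"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" '
    r'/tn tojgdpyumm /tr "\"C:\hgoitk\nkorpy\exlwhtih.exe\" /I tojgdpyumm" '
    r'/SC ONCE /Z /ST 05:49 /ET 06:01'
)

# Constructed benign line: an updater registered under the user's account,
# from a trusted directory, on a recurring schedule.
BENIGN_CMD = (
    r'schtasks.exe /Create /TN "OfficeC2RUpdate" '
    r'/TR "\"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe\" /update user" '
    r'/SC DAILY /ST 12:00'
)

TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# schtasks switches that take no value (subset sufficient for /Create lines).
NO_VALUE = {"create", "delete", "query", "change", "run", "end", "z", "f", "it", "np", "v1"}
SHORT_WINDOW = timedelta(minutes=30)


def split_cmdline(cmd: str) -> list[str]:
    """Split a Windows command line into argv: double quotes group words and a
    backslash-escaped quote inside a quoted argument is a literal quote. This
    is the subset of the CommandLineToArgvW rules that schtasks lines need."""
    args, cur, quoted, i = [], [], False, 0
    while i < len(cmd):
        ch = cmd[i]
        if ch == "\\" and i + 1 < len(cmd) and cmd[i + 1] == '"':
            cur.append('"')
            i += 2
        elif ch == '"':
            quoted = not quoted
            i += 1
        elif ch.isspace() and not quoted:
            if cur:
                args.append("".join(cur))
                cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if cur:
        args.append("".join(cur))
    return args


def parse_schtasks(argv: list[str]) -> dict:
    """Map lower-cased switch names to their value (True for bare flags)."""
    opts, i = {}, 1  # argv[0] is schtasks.exe itself
    while i < len(argv):
        tok = argv[i]
        if not tok.startswith("/"):
            i += 1
            continue
        name = tok[1:].lower()
        has_value = name not in NO_VALUE and i + 1 < len(argv) and not argv[i + 1].startswith("/")
        if has_value:
            opts[name] = argv[i + 1]
            i += 2
        else:
            opts[name] = True
            i += 1
    return opts


def action_path(tr_value: str) -> str:
    """The first token of the /TR value is the executable the task runs."""
    parts = split_cmdline(tr_value)
    return parts[0] if parts else ""


def hhmm(text: str) -> timedelta:
    hours, minutes = text.split(":")
    return timedelta(hours=int(hours), minutes=int(minutes))


def findings(cmd: str) -> list[str]:
    """Return the persistence traits present in one schtasks command line."""
    opts = parse_schtasks(split_cmdline(cmd))
    if not opts.get("create"):
        return []
    hits = []
    if "system" in str(opts.get("ru", "")).lower():
        hits.append("runs_as_system")          # /RU "NT AUTHORITY\SYSTEM"
    tr = opts.get("tr")
    path = action_path(tr) if isinstance(tr, str) else ""
    if path and not path.lower().startswith(TRUSTED_ROOTS):
        hits.append("untrusted_action_path")   # C:\hgoitk\nkorpy\exlwhtih.exe
    if str(opts.get("sc", "")).lower() == "once" and opts.get("z"):
        hits.append("one_shot_self_deleting")  # /SC ONCE /Z: run once, then delete the task
    st, et = opts.get("st"), opts.get("et")
    if isinstance(st, str) and isinstance(et, str):
        window = (hhmm(et) - hhmm(st)) % timedelta(days=1)  # wraps past midnight
        if window <= SHORT_WINDOW:
            hits.append("short_run_window")    # 05:49 to 06:01 here
    return hits


if __name__ == "__main__":
    for line in (REPORT_CMD, BENIGN_CMD):
        print(findings(line) or ["no findings"], "<-", line[:60])
```

The escaped-quote handling matters: the /TR value here is `\"C:\hgoitk\nkorpy\exlwhtih.exe\" /I tojgdpyumm`, and a tokenizer that splits on spaces or treats every `"` as a delimiter extracts the wrong action path and misses the untrusted-directory finding.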
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5     8ec39c0b32696a3551e3fbc8a7dc103e
SHA1    3621cf0489f1e98e4abda9c63a7493013ad7c125
SHA256  e84c0fc593ce6f0ffa6b2482b2746925dc875cb39c76b22314eec5e66355b2ac
SHA512  6d34d76ea89641bd5d4a96d0ada870b1a8da080982bd2a9371b14e428e8fb615a97da93b1d72c6c76feae3d9706745d0297592189390cc78453298dda1f38361

MD5     96967658deb7d88da248e077dc383eca
SHA1    475c6525bf12dc043e8e20fac9b73b5e5c43165b
SHA256  926a329dedbfa54478aae338e79e8c6861e345084173b2bd54d677ba73ce4342
SHA512  542781099dc56c2cc7c685e87c3962cd65405a5b2e3ec24655e26f9156b2fdbebfd8f550d959b08bfb044cfd49e8bfcff6b3ccef891257177a71dafe7750cba2
(this hash set is listed 11 times in the report; the entries are byte-identical content)

MD5     d41d8cd98f00b204e9800998ecf8427e
SHA1    da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(these are the hashes of a zero-byte file: an empty artefact, not a payload, and not useful as an indicator)