Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    29-10-2020 04:37

General

  • Target

    doc_pack-2105270240.xlsb

  • Size

    24KB

  • MD5

    6f05c1440fe9544cfb6ff685a0cc9aa9

  • SHA1

    23520b439cd7a730d5c1b765f8aaeea4fa2220f0

  • SHA256

    4f0cbcc4884a858291496a6ddd4fe978bab57ab0d07b168ed866565fba14c58f

  • SHA512

    012c8fdf6a99793d39f3badf8ff800a8f48083a2229aef661ed4fa6cb28c0f3ca0758e7f2a658ca3d393858a596e9b4aaaa232b34af26dd938809fbb1b4546cf

Malware Config

Extracted

Family

qakbot

Botnet

tr01

Campaign

1603793855

C2

50.104.68.223:443

89.137.211.239:443

95.77.223.148:443

197.37.69.138:993

68.174.15.223:443

103.238.231.35:443

36.77.151.211:443

72.16.56.171:443

45.47.65.191:443

189.231.212.189:443

106.51.52.111:443

24.55.66.125:443

39.37.247.97:995

108.190.151.108:2222

203.198.96.61:443

73.228.1.246:443

35.134.202.234:443

188.50.230.249:995

86.120.64.150:2222

5.14.126.153:443

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Executes dropped EXE 4 IoCs
  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\doc_pack-2105270240.xlsb"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:648
    • C:\hgoitk\nkorpy\exlwhtih.exe
      "C:\hgoitk\nkorpy\exlwhtih.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3512
      • C:\hgoitk\nkorpy\exlwhtih.exe
        C:\hgoitk\nkorpy\exlwhtih.exe /C
        3⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        PID:1348
      • C:\Users\Admin\AppData\Roaming\Microsoft\Qellegwniyym\flpesemr.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Qellegwniyym\flpesemr.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2116
        • C:\Users\Admin\AppData\Roaming\Microsoft\Qellegwniyym\flpesemr.exe
          C:\Users\Admin\AppData\Roaming\Microsoft\Qellegwniyym\flpesemr.exe /C
          4⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          PID:3056
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4000
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn nsljlzluv /tr "\"C:\hgoitk\nkorpy\exlwhtih.exe\" /I nsljlzluv" /SC ONCE /Z /ST 05:47 /ET 05:59
        3⤵
        • Creates scheduled task(s)
        PID:3816

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Qellegwniyym\flpesemr.dat

    MD5

    d14fc448a9907dce170d2f1abdf33155

    SHA1

    2316281f25c78902da601d28b57bb701d65c4666

    SHA256

    7dbd2ed9a85706e14ff3feac4a3b120b2fef5e4aa2c158228be63c845d07ef08

    SHA512

    ec0d1d25f91b0ff6761af01df04eefdd5b288ec7170ac6daf9c266624c99cee63bf499a79866efc2ff67355997566f9476ecfc16646c5bb3054c69b8691c2b83

  • C:\Users\Admin\AppData\Roaming\Microsoft\Qellegwniyym\flpesemr.exe

    MD5

    96967658deb7d88da248e077dc383eca

    SHA1

    475c6525bf12dc043e8e20fac9b73b5e5c43165b

    SHA256

    926a329dedbfa54478aae338e79e8c6861e345084173b2bd54d677ba73ce4342

    SHA512

    542781099dc56c2cc7c685e87c3962cd65405a5b2e3ec24655e26f9156b2fdbebfd8f550d959b08bfb044cfd49e8bfcff6b3ccef891257177a71dafe7750cba2

  • C:\Users\Admin\AppData\Roaming\Microsoft\Qellegwniyym\flpesemr.exe

    MD5

    96967658deb7d88da248e077dc383eca

    SHA1

    475c6525bf12dc043e8e20fac9b73b5e5c43165b

    SHA256

    926a329dedbfa54478aae338e79e8c6861e345084173b2bd54d677ba73ce4342

    SHA512

    542781099dc56c2cc7c685e87c3962cd65405a5b2e3ec24655e26f9156b2fdbebfd8f550d959b08bfb044cfd49e8bfcff6b3ccef891257177a71dafe7750cba2

  • C:\Users\Admin\AppData\Roaming\Microsoft\Qellegwniyym\flpesemr.exe

    MD5

    96967658deb7d88da248e077dc383eca

    SHA1

    475c6525bf12dc043e8e20fac9b73b5e5c43165b

    SHA256

    926a329dedbfa54478aae338e79e8c6861e345084173b2bd54d677ba73ce4342

    SHA512

    542781099dc56c2cc7c685e87c3962cd65405a5b2e3ec24655e26f9156b2fdbebfd8f550d959b08bfb044cfd49e8bfcff6b3ccef891257177a71dafe7750cba2

  • C:\hgoitk\nkorpy\exlwhtih.exe

    MD5

    96967658deb7d88da248e077dc383eca

    SHA1

    475c6525bf12dc043e8e20fac9b73b5e5c43165b

    SHA256

    926a329dedbfa54478aae338e79e8c6861e345084173b2bd54d677ba73ce4342

    SHA512

    542781099dc56c2cc7c685e87c3962cd65405a5b2e3ec24655e26f9156b2fdbebfd8f550d959b08bfb044cfd49e8bfcff6b3ccef891257177a71dafe7750cba2

  • C:\hgoitk\nkorpy\exlwhtih.exe

    MD5

    96967658deb7d88da248e077dc383eca

    SHA1

    475c6525bf12dc043e8e20fac9b73b5e5c43165b

    SHA256

    926a329dedbfa54478aae338e79e8c6861e345084173b2bd54d677ba73ce4342

    SHA512

    542781099dc56c2cc7c685e87c3962cd65405a5b2e3ec24655e26f9156b2fdbebfd8f550d959b08bfb044cfd49e8bfcff6b3ccef891257177a71dafe7750cba2

  • C:\hgoitk\nkorpy\exlwhtih.exe

    MD5

    96967658deb7d88da248e077dc383eca

    SHA1

    475c6525bf12dc043e8e20fac9b73b5e5c43165b

    SHA256

    926a329dedbfa54478aae338e79e8c6861e345084173b2bd54d677ba73ce4342

    SHA512

    542781099dc56c2cc7c685e87c3962cd65405a5b2e3ec24655e26f9156b2fdbebfd8f550d959b08bfb044cfd49e8bfcff6b3ccef891257177a71dafe7750cba2

  • memory/648-0-0x00007FFA31DE0000-0x00007FFA32417000-memory.dmp

    Filesize

    6.2MB

  • memory/1348-5-0x0000000000000000-mapping.dmp

  • memory/1348-7-0x00000000026E0000-0x00000000026E1000-memory.dmp

    Filesize

    4KB

  • memory/2116-8-0x0000000000000000-mapping.dmp

  • memory/2116-15-0x0000000002260000-0x0000000002297000-memory.dmp

    Filesize

    220KB

  • memory/3056-12-0x0000000000000000-mapping.dmp

  • memory/3056-14-0x00000000028C0000-0x00000000028C1000-memory.dmp

    Filesize

    4KB

  • memory/3512-1-0x0000000000000000-mapping.dmp

  • memory/3816-11-0x0000000000000000-mapping.dmp

  • memory/4000-16-0x0000000000000000-mapping.dmp