Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
29-10-2020 04:37
Static task
static1
Behavioral task
behavioral1
Sample
doc_pack-2105270240.xlsb
Resource
win7v20201028
General
-
Target
doc_pack-2105270240.xlsb
-
Size
24KB
-
MD5
6f05c1440fe9544cfb6ff685a0cc9aa9
-
SHA1
23520b439cd7a730d5c1b765f8aaeea4fa2220f0
-
SHA256
4f0cbcc4884a858291496a6ddd4fe978bab57ab0d07b168ed866565fba14c58f
-
SHA512
012c8fdf6a99793d39f3badf8ff800a8f48083a2229aef661ed4fa6cb28c0f3ca0758e7f2a658ca3d393858a596e9b4aaaa232b34af26dd938809fbb1b4546cf
Malware Config
Extracted
qakbot
tr01
1603793855
50.104.68.223:443
89.137.211.239:443
95.77.223.148:443
197.37.69.138:993
68.174.15.223:443
103.238.231.35:443
36.77.151.211:443
72.16.56.171:443
45.47.65.191:443
189.231.212.189:443
106.51.52.111:443
24.55.66.125:443
39.37.247.97:995
108.190.151.108:2222
203.198.96.61:443
73.228.1.246:443
35.134.202.234:443
188.50.230.249:995
86.120.64.150:2222
5.14.126.153:443
64.121.114.87:443
108.46.145.30:443
45.77.193.83:443
207.246.75.201:443
94.52.160.116:443
86.98.89.100:2222
47.44.217.98:443
102.186.103.0:443
217.162.149.212:443
92.59.35.196:2222
83.110.80.66:995
5.12.255.109:443
86.121.121.14:2222
45.32.154.10:443
98.26.50.62:995
2.50.57.213:443
77.27.174.49:995
2.7.65.32:2222
98.4.227.199:443
151.73.112.197:443
108.31.15.10:995
78.97.207.104:443
72.66.47.70:443
72.36.59.46:2222
80.240.26.178:443
184.97.134.255:443
216.201.162.158:443
146.200.250.36:2222
94.52.68.72:443
103.206.112.234:443
108.185.113.12:443
75.136.40.155:443
77.159.149.74:443
72.71.230.82:2222
66.215.32.224:443
45.32.155.12:443
203.106.195.67:443
199.247.16.80:443
41.227.67.92:443
173.3.17.223:995
185.19.190.81:443
78.96.199.79:443
173.245.152.231:443
75.137.239.211:443
1.160.141.215:443
217.165.96.127:990
50.244.112.10:995
41.97.179.154:443
134.0.196.46:995
45.32.165.134:443
41.225.13.128:8443
45.63.104.123:443
207.246.70.216:443
176.205.145.61:995
2.50.131.64:443
45.32.155.12:2222
96.30.198.161:443
140.82.27.132:443
45.32.155.12:995
24.43.22.220:993
173.70.165.101:995
202.141.244.118:995
80.195.103.146:2222
184.96.158.62:993
93.113.177.152:443
31.5.21.66:443
24.27.82.216:2222
84.247.55.190:443
188.27.178.166:443
45.32.162.253:443
95.179.247.224:443
199.247.22.145:443
95.76.27.6:443
81.97.154.100:443
174.30.165.242:2222
197.210.96.222:995
203.45.104.33:443
45.46.53.140:2222
189.183.209.130:995
173.21.10.71:2222
47.138.201.136:443
144.139.47.206:443
69.123.179.70:443
69.123.116.167:2222
24.40.173.134:443
173.173.1.164:443
117.199.7.191:443
85.204.189.105:443
72.29.181.78:2222
71.220.164.199:2222
65.102.150.178:995
24.128.117.95:443
69.47.239.10:443
200.38.254.177:443
201.103.145.28:443
74.195.88.59:443
66.97.247.15:443
50.29.166.232:995
83.110.3.77:2078
98.115.243.237:443
99.240.226.2:443
73.200.219.143:443
24.205.42.241:443
72.196.114.129:443
206.183.190.53:993
67.6.55.77:443
68.184.45.73:443
24.28.183.107:995
98.121.187.78:443
98.240.24.57:443
67.165.206.193:993
89.33.87.107:443
96.237.141.134:995
5.193.181.221:2078
24.213.191.38:0
108.30.125.94:443
108.191.28.158:443
71.197.126.250:443
68.46.142.48:995
75.136.26.147:443
72.82.15.220:443
191.84.0.209:443
71.182.142.63:443
36.236.230.253:443
186.31.47.254:443
68.104.6.221:443
74.137.189.78:443
79.117.56.230:443
68.33.206.204:443
187.200.72.253:443
Signatures
-
Executes dropped EXE 4 IoCs
Processes:
exlwhtih.exeexlwhtih.exeflpesemr.exeflpesemr.exepid Process 3512 exlwhtih.exe 1348 exlwhtih.exe 2116 flpesemr.exe 3056 flpesemr.exe -
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
exlwhtih.exeflpesemr.exedescription ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service exlwhtih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 flpesemr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc flpesemr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service flpesemr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service flpesemr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service exlwhtih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 exlwhtih.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc exlwhtih.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc flpesemr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 exlwhtih.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc exlwhtih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 flpesemr.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid Process 648 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
exlwhtih.exeexlwhtih.exeflpesemr.exeflpesemr.exeexplorer.exepid Process 3512 exlwhtih.exe 3512 exlwhtih.exe 1348 exlwhtih.exe 1348 exlwhtih.exe 1348 exlwhtih.exe 1348 exlwhtih.exe 2116 flpesemr.exe 2116 flpesemr.exe 3056 flpesemr.exe 3056 flpesemr.exe 3056 flpesemr.exe 3056 flpesemr.exe 4000 explorer.exe 4000 explorer.exe 4000 explorer.exe 4000 explorer.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
flpesemr.exepid Process 2116 flpesemr.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
EXCEL.EXEpid Process 648 EXCEL.EXE 648 EXCEL.EXE 648 EXCEL.EXE 648 EXCEL.EXE 648 EXCEL.EXE 648 EXCEL.EXE 648 EXCEL.EXE 648 EXCEL.EXE 648 EXCEL.EXE 648 EXCEL.EXE 648 EXCEL.EXE 648 EXCEL.EXE -
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
EXCEL.EXEexlwhtih.exeflpesemr.exedescription pid Process procid_target PID 648 wrote to memory of 3512 648 EXCEL.EXE 77 PID 648 wrote to memory of 3512 648 EXCEL.EXE 77 PID 648 wrote to memory of 3512 648 EXCEL.EXE 77 PID 3512 wrote to memory of 1348 3512 exlwhtih.exe 78 PID 3512 wrote to memory of 1348 3512 exlwhtih.exe 78 PID 3512 wrote to memory of 1348 3512 exlwhtih.exe 78 PID 3512 wrote to memory of 2116 3512 exlwhtih.exe 79 PID 3512 wrote to memory of 2116 3512 exlwhtih.exe 79 PID 3512 wrote to memory of 2116 3512 exlwhtih.exe 79 PID 3512 wrote to memory of 3816 3512 exlwhtih.exe 80 PID 3512 wrote to memory of 3816 3512 exlwhtih.exe 80 PID 3512 wrote to memory of 3816 3512 exlwhtih.exe 80 PID 2116 wrote to memory of 3056 2116 flpesemr.exe 82 PID 2116 wrote to memory of 3056 2116 flpesemr.exe 82 PID 2116 wrote to memory of 3056 2116 flpesemr.exe 82 PID 2116 wrote to memory of 4000 2116 flpesemr.exe 83 PID 2116 wrote to memory of 4000 2116 flpesemr.exe 83 PID 2116 wrote to memory of 4000 2116 flpesemr.exe 83 PID 2116 wrote to memory of 4000 2116 flpesemr.exe 83
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\doc_pack-2105270240.xlsb"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:648 -
C:\hgoitk\nkorpy\exlwhtih.exe"C:\hgoitk\nkorpy\exlwhtih.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3512 -
C:\hgoitk\nkorpy\exlwhtih.exeC:\hgoitk\nkorpy\exlwhtih.exe /C3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:1348
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Qellegwniyym\flpesemr.exeC:\Users\Admin\AppData\Roaming\Microsoft\Qellegwniyym\flpesemr.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Users\Admin\AppData\Roaming\Microsoft\Qellegwniyym\flpesemr.exeC:\Users\Admin\AppData\Roaming\Microsoft\Qellegwniyym\flpesemr.exe /C4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:3056
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4000
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn nsljlzluv /tr "\"C:\hgoitk\nkorpy\exlwhtih.exe\" /I nsljlzluv" /SC ONCE /Z /ST 05:47 /ET 05:593⤵
- Creates scheduled task(s)
PID:3816
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
d14fc448a9907dce170d2f1abdf33155
SHA12316281f25c78902da601d28b57bb701d65c4666
SHA2567dbd2ed9a85706e14ff3feac4a3b120b2fef5e4aa2c158228be63c845d07ef08
SHA512ec0d1d25f91b0ff6761af01df04eefdd5b288ec7170ac6daf9c266624c99cee63bf499a79866efc2ff67355997566f9476ecfc16646c5bb3054c69b8691c2b83
-
MD5
96967658deb7d88da248e077dc383eca
SHA1475c6525bf12dc043e8e20fac9b73b5e5c43165b
SHA256926a329dedbfa54478aae338e79e8c6861e345084173b2bd54d677ba73ce4342
SHA512542781099dc56c2cc7c685e87c3962cd65405a5b2e3ec24655e26f9156b2fdbebfd8f550d959b08bfb044cfd49e8bfcff6b3ccef891257177a71dafe7750cba2
-
MD5
96967658deb7d88da248e077dc383eca
SHA1475c6525bf12dc043e8e20fac9b73b5e5c43165b
SHA256926a329dedbfa54478aae338e79e8c6861e345084173b2bd54d677ba73ce4342
SHA512542781099dc56c2cc7c685e87c3962cd65405a5b2e3ec24655e26f9156b2fdbebfd8f550d959b08bfb044cfd49e8bfcff6b3ccef891257177a71dafe7750cba2
-
MD5
96967658deb7d88da248e077dc383eca
SHA1475c6525bf12dc043e8e20fac9b73b5e5c43165b
SHA256926a329dedbfa54478aae338e79e8c6861e345084173b2bd54d677ba73ce4342
SHA512542781099dc56c2cc7c685e87c3962cd65405a5b2e3ec24655e26f9156b2fdbebfd8f550d959b08bfb044cfd49e8bfcff6b3ccef891257177a71dafe7750cba2
-
MD5
96967658deb7d88da248e077dc383eca
SHA1475c6525bf12dc043e8e20fac9b73b5e5c43165b
SHA256926a329dedbfa54478aae338e79e8c6861e345084173b2bd54d677ba73ce4342
SHA512542781099dc56c2cc7c685e87c3962cd65405a5b2e3ec24655e26f9156b2fdbebfd8f550d959b08bfb044cfd49e8bfcff6b3ccef891257177a71dafe7750cba2
-
MD5
96967658deb7d88da248e077dc383eca
SHA1475c6525bf12dc043e8e20fac9b73b5e5c43165b
SHA256926a329dedbfa54478aae338e79e8c6861e345084173b2bd54d677ba73ce4342
SHA512542781099dc56c2cc7c685e87c3962cd65405a5b2e3ec24655e26f9156b2fdbebfd8f550d959b08bfb044cfd49e8bfcff6b3ccef891257177a71dafe7750cba2
-
MD5
96967658deb7d88da248e077dc383eca
SHA1475c6525bf12dc043e8e20fac9b73b5e5c43165b
SHA256926a329dedbfa54478aae338e79e8c6861e345084173b2bd54d677ba73ce4342
SHA512542781099dc56c2cc7c685e87c3962cd65405a5b2e3ec24655e26f9156b2fdbebfd8f550d959b08bfb044cfd49e8bfcff6b3ccef891257177a71dafe7750cba2