Analysis Overview
SHA256
8c133984ec41e6e39d6f7be92c49494bd9243518a75e3ea5be34cca954600dfa
Threat Level: Known bad
The file doc_pack-276427548.xlsb was found to be: Known bad.
Malicious Activity Summary
Qakbot/Qbot
Executes dropped EXE
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-10-29 05:01
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2020-10-29 05:01
Reported
2020-10-29 05:07
Platform
win10v20201028
Max time kernel
152s
Max time network
148s
Command Line
Signatures
Qakbot/Qbot
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\hgoitk\nkorpy\exlwhtih.exe | N/A |
| N/A | N/A | C:\hgoitk\nkorpy\exlwhtih.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Izsarvj\aylbiiay.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Izsarvj\aylbiiay.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | C:\hgoitk\nkorpy\exlwhtih.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc | C:\hgoitk\nkorpy\exlwhtih.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service | C:\hgoitk\nkorpy\exlwhtih.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service | C:\hgoitk\nkorpy\exlwhtih.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service | C:\Users\Admin\AppData\Roaming\Microsoft\Izsarvj\aylbiiay.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | C:\Users\Admin\AppData\Roaming\Microsoft\Izsarvj\aylbiiay.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | C:\hgoitk\nkorpy\exlwhtih.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc | C:\hgoitk\nkorpy\exlwhtih.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | C:\Users\Admin\AppData\Roaming\Microsoft\Izsarvj\aylbiiay.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc | C:\Users\Admin\AppData\Roaming\Microsoft\Izsarvj\aylbiiay.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc | C:\Users\Admin\AppData\Roaming\Microsoft\Izsarvj\aylbiiay.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service | C:\Users\Admin\AppData\Roaming\Microsoft\Izsarvj\aylbiiay.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\hgoitk\nkorpy\exlwhtih.exe | N/A |
| N/A | N/A | C:\hgoitk\nkorpy\exlwhtih.exe | N/A |
| N/A | N/A | C:\hgoitk\nkorpy\exlwhtih.exe | N/A |
| N/A | N/A | C:\hgoitk\nkorpy\exlwhtih.exe | N/A |
| N/A | N/A | C:\hgoitk\nkorpy\exlwhtih.exe | N/A |
| N/A | N/A | C:\hgoitk\nkorpy\exlwhtih.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Izsarvj\aylbiiay.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Izsarvj\aylbiiay.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Izsarvj\aylbiiay.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Izsarvj\aylbiiay.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Izsarvj\aylbiiay.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Izsarvj\aylbiiay.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Izsarvj\aylbiiay.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\doc_pack-276427548.xlsb"
C:\hgoitk\nkorpy\exlwhtih.exe
"C:\hgoitk\nkorpy\exlwhtih.exe"
C:\hgoitk\nkorpy\exlwhtih.exe
C:\hgoitk\nkorpy\exlwhtih.exe /C
C:\Users\Admin\AppData\Roaming\Microsoft\Izsarvj\aylbiiay.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Izsarvj\aylbiiay.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn nelkywz /tr "\"C:\hgoitk\nkorpy\exlwhtih.exe\" /I nelkywz" /SC ONCE /Z /ST 06:11 /ET 06:23
C:\Users\Admin\AppData\Roaming\Microsoft\Izsarvj\aylbiiay.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Izsarvj\aylbiiay.exe /C
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | missglamourcosmeticos.com.br | udp |
| N/A | 108.179.252.19:443 | missglamourcosmeticos.com.br | tcp |
Files
memory/648-0-0x00007FF99EAB0000-0x00007FF99F0E7000-memory.dmp
memory/2676-1-0x0000000000000000-mapping.dmp
C:\hgoitk\nkorpy\exlwhtih.exe
| MD5 | dc74418cb12da976f9e2c67d4905ae78 |
| SHA1 | b73854012dfe7db44b6ceb6bf4a706aebcddab42 |
| SHA256 | 573c470f4ab4e300303c820021682ec3312b3a92d1c462cd3af0711a20fa203a |
| SHA512 | 2de382f2c236cae8250c1e683a34ff5cd7e8e94f95ab02d023db8fdb4ff9dca31558a0d93adef673daa0bd60774c23c74bd804847f43e549fffcbbd214be8fc8 |
C:\hgoitk\nkorpy\exlwhtih.exe
| MD5 | dc74418cb12da976f9e2c67d4905ae78 |
| SHA1 | b73854012dfe7db44b6ceb6bf4a706aebcddab42 |
| SHA256 | 573c470f4ab4e300303c820021682ec3312b3a92d1c462cd3af0711a20fa203a |
| SHA512 | 2de382f2c236cae8250c1e683a34ff5cd7e8e94f95ab02d023db8fdb4ff9dca31558a0d93adef673daa0bd60774c23c74bd804847f43e549fffcbbd214be8fc8 |
memory/2240-4-0x0000000000000000-mapping.dmp
C:\hgoitk\nkorpy\exlwhtih.exe
| MD5 | dc74418cb12da976f9e2c67d4905ae78 |
| SHA1 | b73854012dfe7db44b6ceb6bf4a706aebcddab42 |
| SHA256 | 573c470f4ab4e300303c820021682ec3312b3a92d1c462cd3af0711a20fa203a |
| SHA512 | 2de382f2c236cae8250c1e683a34ff5cd7e8e94f95ab02d023db8fdb4ff9dca31558a0d93adef673daa0bd60774c23c74bd804847f43e549fffcbbd214be8fc8 |
memory/2240-6-0x0000000002660000-0x0000000002661000-memory.dmp
memory/1976-7-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Izsarvj\aylbiiay.exe
| MD5 | dc74418cb12da976f9e2c67d4905ae78 |
| SHA1 | b73854012dfe7db44b6ceb6bf4a706aebcddab42 |
| SHA256 | 573c470f4ab4e300303c820021682ec3312b3a92d1c462cd3af0711a20fa203a |
| SHA512 | 2de382f2c236cae8250c1e683a34ff5cd7e8e94f95ab02d023db8fdb4ff9dca31558a0d93adef673daa0bd60774c23c74bd804847f43e549fffcbbd214be8fc8 |
C:\Users\Admin\AppData\Roaming\Microsoft\Izsarvj\aylbiiay.exe
| MD5 | dc74418cb12da976f9e2c67d4905ae78 |
| SHA1 | b73854012dfe7db44b6ceb6bf4a706aebcddab42 |
| SHA256 | 573c470f4ab4e300303c820021682ec3312b3a92d1c462cd3af0711a20fa203a |
| SHA512 | 2de382f2c236cae8250c1e683a34ff5cd7e8e94f95ab02d023db8fdb4ff9dca31558a0d93adef673daa0bd60774c23c74bd804847f43e549fffcbbd214be8fc8 |
memory/3176-10-0x0000000000000000-mapping.dmp
memory/1152-11-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Izsarvj\aylbiiay.exe
| MD5 | dc74418cb12da976f9e2c67d4905ae78 |
| SHA1 | b73854012dfe7db44b6ceb6bf4a706aebcddab42 |
| SHA256 | 573c470f4ab4e300303c820021682ec3312b3a92d1c462cd3af0711a20fa203a |
| SHA512 | 2de382f2c236cae8250c1e683a34ff5cd7e8e94f95ab02d023db8fdb4ff9dca31558a0d93adef673daa0bd60774c23c74bd804847f43e549fffcbbd214be8fc8 |
memory/1152-13-0x0000000002670000-0x0000000002671000-memory.dmp
memory/1976-14-0x0000000000630000-0x0000000000667000-memory.dmp
memory/2128-15-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Izsarvj\aylbiiay.dat
| MD5 | f58b288e2efb5dbc28770e1c06102987 |
| SHA1 | a828cbb0ccb8bcc76151e33b65c4867aed46cad7 |
| SHA256 | 9b9bbaa66f07af2a38af80a00e4d6e9d44b4b906cc7cb4cf503df4e68fdce309 |
| SHA512 | dcfd0ecef3f00f97d2b2054df371bad8b9300ff0d3c39e3f8e48bf4225155f59400db3110f42862bc0fbcf61ff386c4b7157f98aa57037175d25932e560ed63d |
Analysis: behavioral1
Detonation Overview
Submitted
2020-10-29 05:01
Reported
2020-10-29 05:06
Platform
win7v20201028
Max time kernel
63s
Max time network
9s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\doc_pack-276427548.xlsb
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | missglamourcosmeticos.com.br | udp |
| N/A | 108.179.252.19:443 | missglamourcosmeticos.com.br | tcp |
| N/A | 108.179.252.19:443 | missglamourcosmeticos.com.br | tcp |
| N/A | 108.179.252.19:443 | missglamourcosmeticos.com.br | tcp |
| N/A | 108.179.252.19:443 | missglamourcosmeticos.com.br | tcp |
Files
memory/1676-0-0x000007FEF77D0000-0x000007FEF7A4A000-memory.dmp