Analysis

Max time kernel: 140s
Max time network: 132s
Platform: windows10_x64
Resource: win10v20201028
Submitted: 29-10-2020 03:12

Static task: static1
Behavioral task: behavioral1
Sample: doc_pack-18949393.xlsb
Resource: win7v20201028

General

Target: doc_pack-18949393.xlsb
Size: 24KB
MD5: ca6f7455eb4a8f1d89374e3f1cdc014d
SHA1: 5f06a605a000b492864107f3dcd671ab83f5df3e
SHA256: ce3d15736c66cecd0d5714120e139fab67e8c6dbdc08c81b75a17038d3ce855d
SHA512: e5a1cdc4e58b495b8d122b4dd720024b990917d73c85d2659e6b5438c2b51b4901a8857acc1fd892f70758a739a9a33a6b843ce0cba3dce4a59f64868efc763b
Malware Config

Extracted: qakbot, tr01, 1603793855
Signatures

Executes dropped EXE (5 IoCs)
Processes:
  PID 3448 exlwhtih.exe
  PID 3360 exlwhtih.exe
  PID 2056 mofppx.exe
  PID 4032 mofppx.exe
  PID 3524 exlwhtih.exe
Checks SCSI registry key(s) (3 TTPs, 12 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: exlwhtih.exe, mofppx.exe
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc (exlwhtih.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 (mofppx.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service (mofppx.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 (mofppx.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service (mofppx.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc (exlwhtih.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service (exlwhtih.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 (exlwhtih.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service (exlwhtih.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc (mofppx.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc (mofppx.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 (exlwhtih.exe)
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: EXCEL.EXE
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: EXCEL.EXE
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes:
  PID 584 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses (18 IoCs)
Processes:
  PID 3448 exlwhtih.exe (2 entries)
  PID 3360 exlwhtih.exe (4 entries)
  PID 2056 mofppx.exe (2 entries)
  PID 4032 mofppx.exe (4 entries)
  PID 1492 explorer.exe (4 entries)
  PID 3524 exlwhtih.exe (2 entries)
Suspicious behavior: MapViewOfSection (1 IoCs)
Processes:
  PID 2056 mofppx.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes:
  PID 584 EXCEL.EXE (12 entries)
Suspicious use of WriteProcessMemory (19 IoCs)
Processes: EXCEL.EXE, exlwhtih.exe, mofppx.exe
  PID 584 EXCEL.EXE wrote to memory of PID 3448 (procid_target 76, 3 entries)
  PID 3448 exlwhtih.exe wrote to memory of PID 3360 (procid_target 77, 3 entries)
  PID 3448 exlwhtih.exe wrote to memory of PID 2056 (procid_target 78, 3 entries)
  PID 3448 exlwhtih.exe wrote to memory of PID 3856 (procid_target 79, 3 entries)
  PID 2056 mofppx.exe wrote to memory of PID 4032 (procid_target 81, 3 entries)
  PID 2056 mofppx.exe wrote to memory of PID 1492 (procid_target 82, 4 entries)
Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\doc_pack-18949393.xlsb"
  PID: 584
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\hgoitk\nkorpy\exlwhtih.exe
    Command line: "C:\hgoitk\nkorpy\exlwhtih.exe"
    PID: 3448
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\hgoitk\nkorpy\exlwhtih.exe
      Command line: C:\hgoitk\nkorpy\exlwhtih.exe /C
      PID: 3360
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Roaming\Microsoft\Aijogpyno\mofppx.exe
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Aijogpyno\mofppx.exe
      PID: 2056
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\Microsoft\Aijogpyno\mofppx.exe
        Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Aijogpyno\mofppx.exe /C
        PID: 4032
        - Executes dropped EXE
        - Checks SCSI registry key(s)
        - Suspicious behavior: EnumeratesProcesses

      C:\Windows\SysWOW64\explorer.exe
        Command line: C:\Windows\SysWOW64\explorer.exe
        PID: 1492
        - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn gzjawmvdgr /tr "\"C:\hgoitk\nkorpy\exlwhtih.exe\" /I gzjawmvdgr" /SC ONCE /Z /ST 04:48 /ET 05:00
      PID: 3856
      - Creates scheduled task(s)

C:\hgoitk\nkorpy\exlwhtih.exe
  Command line: C:\hgoitk\nkorpy\exlwhtih.exe /I gzjawmvdgr
  PID: 3524
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads