Malware Analysis Report

2024-11-30 13:47

Sample ID: 201029-9jjxfrbj86
Target:    doc_pack-2091612926.xlsb
SHA256:    5f6d5564a38e3b983fc45fb01e67d75f921629290a8b26adc1c62a4e20558c11
Tags:      qakbot tr01 1603793855 banker stealer trojan
Score:     10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score:        10/10
SHA256:       5f6d5564a38e3b983fc45fb01e67d75f921629290a8b26adc1c62a4e20558c11
Threat Level: Known bad

The file doc_pack-2091612926.xlsb was found to be: Known bad.

Malicious Activity Summary

Tags: qakbot tr01 1603793855 banker stealer trojan

Qakbot/Qbot
Executes dropped EXE
Loads dropped DLL
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Checks SCSI registry key(s)
Checks processor information in registry
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Creates scheduled task(s)
Enumerates system info in registry

Four of these (Executes dropped EXE, Loads dropped DLL, EnumeratesProcesses, SetWindowsHookEx) appear only in this summary; the behavioral sections below carry detail rows for the rest. Note also that several of the detailed signatures are triggered by EXCEL.EXE itself rather than by the dropped binary; those are pointed out where they occur.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2020-10-29 04:30

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted:        2020-10-29 04:30
Reported:         2020-10-29 04:35
Platform:         win7v20201028
Max time kernel:  112s
Max time network: 142s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\doc_pack-2091612926.xlsb

Signatures

Qakbot/Qbot
Tags: trojan banker stealer qakbot

Creates scheduled task(s)
Tags: persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

The task itself is visible in the Processes section below: a one-shot task (/SC ONCE /Z) that runs C:\hgoitk\nkorpy\exlwhtih.exe as NT AUTHORITY\SYSTEM.

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

The process here is EXCEL.EXE, which reads this key during its own start-up; the row is not attributable to the sample.

Modifies Internet Explorer settings
Tags: adware spyware

Process for every row: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE; Target: N/A. All keys are under \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer (written as ...\Internet Explorer below).

Description | Indicator
Set value (str) | ...\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
Key created | ...\Internet Explorer\MenuExt\Se&nd to OneNote
Set value (str) | ...\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
Key created | ...\Internet Explorer\MenuExt\E&xport to Microsoft Excel
Key created | ...\Internet Explorer\Toolbar
Key created | ...\Internet Explorer\MenuExt
Set value (int) | ...\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
Set value (str) | ...\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
Set value (int) | ...\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"

Every row is EXCEL.EXE writing its own Internet Explorer integration entries into the user hive: the "Send to OneNote" and "Export to Microsoft Excel" context-menu handlers, backed by ONBttnIE.dll and EXCEL.EXE from the Office14 directory. This is Office 2010 first-run behaviour, not a setting changed by the malware, and the adware/spyware tags are a false positive of the generic rule.

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Registering a clipboard format listener is something Excel does on its own; again not attributable to the sample.

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Ltyxslwhaxee\hbpbxv.exe | N/A

This one is the sample: hbpbxv.exe is the copy the dropper placed under AppData\Roaming, and it is the same process that writes into explorer.exe in the next table.

Suspicious use of WriteProcessMemory

The sandbox logs one row per write and the Indicator column is N/A throughout; rows are collapsed here into one line per writer/target pair with the number of writes. Every child in this run receives exactly 4 writes from the process that created it, except explorer.exe (PID 980), which receives 5 from hbpbxv.exe (PID 1700).

Writer PID | Target PID | Writes | Writer process | Target process
756 | 444 | 4 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\hgoitk\nkorpy\exlwhtih.exe
444 | 816 | 4 | C:\hgoitk\nkorpy\exlwhtih.exe | C:\hgoitk\nkorpy\exlwhtih.exe
444 | 1700 | 4 | C:\hgoitk\nkorpy\exlwhtih.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Ltyxslwhaxee\hbpbxv.exe
444 | 1776 | 4 | C:\hgoitk\nkorpy\exlwhtih.exe | C:\Windows\SysWOW64\schtasks.exe
1700 | 1632 | 4 | C:\Users\Admin\AppData\Roaming\Microsoft\Ltyxslwhaxee\hbpbxv.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Ltyxslwhaxee\hbpbxv.exe
1700 | 980 | 5 | C:\Users\Admin\AppData\Roaming\Microsoft\Ltyxslwhaxee\hbpbxv.exe | C:\Windows\SysWOW64\explorer.exe
956 | 1512 | 4 | C:\Windows\system32\taskeng.exe | C:\hgoitk\nkorpy\exlwhtih.exe
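The WriteProcessMemory rows are the only place this report records which process created or wrote into which, so they are what an analyst parses to rebuild the execution chain. The Python below is an added example, not part of the sandbox report or its tooling: it parses the 29 rows of the behavioral1 table in the sandbox's raw one-row-per-write form, rebuilds the parent/child tree, finds the route by which code reached explorer.exe, and flags the edge whose write count exceeds that of its siblings. The surplus-write heuristic is an assumption of this example (that plain process creation costs a fixed number of writes in this sandbox), not something the report states.

```python
import re
from collections import Counter, defaultdict

# Sandbox row format: "PID <writer> wrote to memory of <target> N/A <writer image> <target image>"
ROW_RE = re.compile(
    r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+?\.exe)$", re.IGNORECASE)

# All 29 rows of the behavioral1 WriteProcessMemory table, copied from the report.
WPM_ROWS = r"""
PID 756 wrote to memory of 444 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\hgoitk\nkorpy\exlwhtih.exe
PID 756 wrote to memory of 444 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\hgoitk\nkorpy\exlwhtih.exe
PID 756 wrote to memory of 444 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\hgoitk\nkorpy\exlwhtih.exe
PID 756 wrote to memory of 444 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\hgoitk\nkorpy\exlwhtih.exe
PID 444 wrote to memory of 816 N/A C:\hgoitk\nkorpy\exlwhtih.exe C:\hgoitk\nkorpy\exlwhtih.exe
PID 444 wrote to memory of 816 N/A C:\hgoitk\nkorpy\exlwhtih.exe C:\hgoitk\nkorpy\exlwhtih.exe
PID 444 wrote to memory of 816 N/A C:\hgoitk\nkorpy\exlwhtih.exe C:\hgoitk\nkorpy\exlwhtih.exe
PID 444 wrote to memory of 816 N/A C:\hgoitk\nkorpy\exlwhtih.exe C:\hgoitk\nkorpy\exlwhtih.exe
PID 444 wrote to memory of 1700 N/A C:\hgoitk\nkorpy\exlwhtih.exe C:\Users\Admin\AppData\Roaming\Microsoft\Ltyxslwhaxee\hbpbxv.exe
PID 444 wrote to memory of 1700 N/A C:\hgoitk\nkorpy\exlwhtih.exe C:\Users\Admin\AppData\Roaming\Microsoft\Ltyxslwhaxee\hbpbxv.exe
PID 444 wrote to memory of 1700 N/A C:\hgoitk\nkorpy\exlwhtih.exe C:\Users\Admin\AppData\Roaming\Microsoft\Ltyxslwhaxee\hbpbxv.exe
PID 444 wrote to memory of 1700 N/A C:\hgoitk\nkorpy\exlwhtih.exe C:\Users\Admin\AppData\Roaming\Microsoft\Ltyxslwhaxee\hbpbxv.exe
PID 444 wrote to memory of 1776 N/A C:\hgoitk\nkorpy\exlwhtih.exe C:\Windows\SysWOW64\schtasks.exe
PID 444 wrote to memory of 1776 N/A C:\hgoitk\nkorpy\exlwhtih.exe C:\Windows\SysWOW64\schtasks.exe
PID 444 wrote to memory of 1776 N/A C:\hgoitk\nkorpy\exlwhtih.exe C:\Windows\SysWOW64\schtasks.exe
PID 444 wrote to memory of 1776 N/A C:\hgoitk\nkorpy\exlwhtih.exe C:\Windows\SysWOW64\schtasks.exe
PID 1700 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Ltyxslwhaxee\hbpbxv.exe C:\Users\Admin\AppData\Roaming\Microsoft\Ltyxslwhaxee\hbpbxv.exe
PID 1700 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Ltyxslwhaxee\hbpbxv.exe C:\Users\Admin\AppData\Roaming\Microsoft\Ltyxslwhaxee\hbpbxv.exe
PID 1700 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Ltyxslwhaxee\hbpbxv.exe C:\Users\Admin\AppData\Roaming\Microsoft\Ltyxslwhaxee\hbpbxv.exe
PID 1700 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Ltyxslwhaxee\hbpbxv.exe C:\Users\Admin\AppData\Roaming\Microsoft\Ltyxslwhaxee\hbpbxv.exe
PID 1700 wrote to memory of 980 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Ltyxslwhaxee\hbpbxv.exe C:\Windows\SysWOW64\explorer.exe
PID 1700 wrote to memory of 980 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Ltyxslwhaxee\hbpbxv.exe C:\Windows\SysWOW64\explorer.exe
PID 1700 wrote to memory of 980 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Ltyxslwhaxee\hbpbxv.exe C:\Windows\SysWOW64\explorer.exe
PID 1700 wrote to memory of 980 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Ltyxslwhaxee\hbpbxv.exe C:\Windows\SysWOW64\explorer.exe
PID 1700 wrote to memory of 980 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Ltyxslwhaxee\hbpbxv.exe C:\Windows\SysWOW64\explorer.exe
PID 956 wrote to memory of 1512 N/A C:\Windows\system32\taskeng.exe C:\hgoitk\nkorpy\exlwhtih.exe
PID 956 wrote to memory of 1512 N/A C:\Windows\system32\taskeng.exe C:\hgoitk\nkorpy\exlwhtih.exe
PID 956 wrote to memory of 1512 N/A C:\Windows\system32\taskeng.exe C:\hgoitk\nkorpy\exlwhtih.exe
PID 956 wrote to memory of 1512 N/A C:\Windows\system32\taskeng.exe C:\hgoitk\nkorpy\exlwhtih.exe
"""

def parse_rows(text):
    """Yield (writer_pid, target_pid, writer_image, target_image) for each row."""
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield int(m[1]), int(m[2]), m[3], m[4]

def build_tree(rows):
    """children: writer pid -> target pids in first-seen order;
    image: pid -> image path; writes: (writer, target) -> logged write count."""
    children, image, writes = defaultdict(list), {}, Counter()
    for wp, tp, wimg, timg in rows:
        image.setdefault(wp, wimg)
        image.setdefault(tp, timg)
        if tp not in children[wp]:
            children[wp].append(tp)
        writes[(wp, tp)] += 1
    return children, image, writes

def roots(children):
    """Writers that were never themselves written into: the tree roots."""
    targets = {c for kids in children.values() for c in kids}
    return [p for p in list(children) if p not in targets]

def chain_to(children, image, basename):
    """Root-to-leaf pid chain ending at the first process whose image file is
    `basename`, i.e. the route by which code reached e.g. explorer.exe."""
    def walk(pid, path):
        path = path + [pid]
        if image[pid].lower().endswith("\\" + basename.lower()):
            return path
        for child in children.get(pid, []):
            found = walk(child, path)
            if found:
                return found
        return None
    for root in roots(children):
        found = walk(root, [])
        if found:
            return found
    return None

def extra_writes(children, writes):
    """(writer, target) edges whose write count exceeds the minimum among the
    writer's children. Assumption: plain process creation costs a fixed number
    of writes in this sandbox, so a surplus means extra data was injected."""
    flagged = []
    for parent, kids in children.items():
        if len(kids) > 1:
            base = min(writes[(parent, k)] for k in kids)
            flagged += [(parent, k) for k in kids if writes[(parent, k)] > base]
    return flagged

if __name__ == "__main__":
    ch, im, wr = build_tree(parse_rows(WPM_ROWS))
    print("roots:", [(p, im[p]) for p in roots(ch)])
    print("chain to explorer.exe:", chain_to(ch, im, "explorer.exe"))
    print("edges with surplus writes:", extra_writes(ch, wr))
```

Run on the rows above, the roots are PID 756 (EXCEL.EXE) and PID 956 (taskeng.exe, the scheduled task firing), the chain to explorer.exe is 756 -> 444 -> 1700 -> 980, and the only edge with a surplus write is 1700 -> 980, the injection into explorer.exe.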

Processes

Process tree. PIDs are taken from the WriteProcessMemory table; the command lines are the ones the report lists, in the same (creation) order.

[756]  "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\doc_pack-2091612926.xlsb
  +-- [444]  "C:\hgoitk\nkorpy\exlwhtih.exe"
        +-- [816]  C:\hgoitk\nkorpy\exlwhtih.exe /C
        +-- [1700] C:\Users\Admin\AppData\Roaming\Microsoft\Ltyxslwhaxee\hbpbxv.exe
        |     +-- [1632] C:\Users\Admin\AppData\Roaming\Microsoft\Ltyxslwhaxee\hbpbxv.exe /C
        |     +-- [980]  C:\Windows\SysWOW64\explorer.exe
        +-- [1776] "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ejogtluz /tr "\"C:\hgoitk\nkorpy\exlwhtih.exe\" /I ejogtluz" /SC ONCE /Z /ST 05:31 /ET 05:43

[956]  taskeng.exe {B0CC7DE2-DDAE-4C98-BA4A-8B134A2A4D0C} S-1-5-18:NT AUTHORITY\System:Service:
  +-- [1512] C:\hgoitk\nkorpy\exlwhtih.exe /I ejogtluz

The second tree is the scheduled task ejogtluz firing: the Task Scheduler engine, running as S-1-5-18 (SYSTEM), starts the dropped binary with the /I <taskname> argument that the /tr value specified. Image paths are recorded as SysWOW64 for schtasks.exe and explorer.exe because the 32-bit dropper's process creation is redirected by WOW64.
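The two schtasks command lines in this report (win7 and win10 runs) share one shape: created by the dropped binary, /RU "NT AUTHORITY\SYSTEM", a random task name that is echoed back to the payload as /I <name>, /SC ONCE /Z so the task deletes itself after one run, and a 12-minute /ST-/ET window. The Python below is an added example, not the sandbox's code: it tokenises a Windows command line, pulls the schtasks switches apart and lists which of those traits a line shows. The benign comparison line and the creator-process argument are constructed for the example, and the command-line splitter is a simplified CommandLineToArgvW that does not handle runs of backslashes before a quote.

```python
# Both schtasks command lines from this report (win7 and win10 runs).
QAKBOT_WIN7 = (r'"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" '
               r'/tn ejogtluz /tr "\"C:\hgoitk\nkorpy\exlwhtih.exe\" /I ejogtluz" '
               r'/SC ONCE /Z /ST 05:31 /ET 05:43')
QAKBOT_WIN10 = (r'"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" '
                r'/tn peybobxps /tr "\"C:\hgoitk\nkorpy\exlwhtih.exe\" /I peybobxps" '
                r'/SC ONCE /Z /ST 05:32 /ET 05:44')
# Constructed benign line for comparison (not from the report).
BENIGN = (r'"C:\Windows\system32\schtasks.exe" /Create /tn NightlyCleanup '
          r'/tr "C:\Windows\System32\cleanmgr.exe /sagerun:1" /SC DAILY /ST 02:00')

# schtasks /Create switches that take no value.
VALUELESS = {"/CREATE", "/Z", "/F", "/IT", "/NP", "/V1", "/HRESULT"}
# Directories from which a scheduled binary is unremarkable (lower-case prefixes).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")

def split_cmdline(cmd):
    """Simplified CommandLineToArgvW: whitespace separates arguments outside
    quotes, a double quote toggles quoting, and backslash-quote is a literal
    quote. Runs of backslashes before a quote are not handled (not needed here)."""
    args, cur, quoted, i = [], "", False, 0
    while i < len(cmd):
        ch = cmd[i]
        if ch == "\\" and cmd[i + 1:i + 2] == '"':
            cur += '"'
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                args.append(cur)
                cur = ""
        else:
            cur += ch
        i += 1
    if cur:
        args.append(cur)
    return args

def parse_schtasks(cmd):
    """Map upper-cased schtasks switches to their values (True for valueless ones)."""
    argv = split_cmdline(cmd)
    opts, i = {"exe": argv[0]}, 1
    while i < len(argv):
        key = argv[i].upper()
        if key in VALUELESS or i + 1 == len(argv):
            opts[key] = True
            i += 1
        else:
            opts[key] = argv[i + 1]
            i += 2
    return opts

def minutes_between(start, end):
    """Minutes from /ST to /ET, both HH:MM on the same day."""
    def to_min(t):
        return int(t[:2]) * 60 + int(t[3:5])
    return to_min(end) - to_min(start)

def assess(cmd, creator_image):
    """Parse one schtasks /Create line and list the traits it shares with the
    persistence task in this report. creator_image is the process that spawned
    schtasks.exe (here taken from the WriteProcessMemory table)."""
    o = parse_schtasks(cmd)
    tr_val = o.get("/TR")
    tr = split_cmdline(tr_val) if isinstance(tr_val, str) else []   # the scheduled command itself
    target = tr[0] if tr else ""
    name = o.get("/TN", "")
    window = minutes_between(o["/ST"], o["/ET"]) if "/ST" in o and "/ET" in o else None
    findings = []
    if str(o.get("/RU", "")).upper().endswith("SYSTEM"):
        findings.append("runs as NT AUTHORITY\\SYSTEM")
    if str(o.get("/SC", "")).upper() == "ONCE" and "/Z" in o:
        findings.append("/SC ONCE with /Z: runs once, then deletes itself")
    if window is not None and window <= 15:
        findings.append(f"{window}-minute /ST-/ET window")
    if target and not target.lower().startswith(TRUSTED_DIRS):
        findings.append(f"task runs {target} from an unusual directory")
    if name and tr[1:] == ["/I", name]:
        findings.append("task name handed back to the payload as /I <name>")
    if not creator_image.lower().startswith(TRUSTED_DIRS):
        findings.append(f"schtasks spawned by {creator_image}")
    return {"task_name": name, "target": target, "window_minutes": window,
            "findings": findings}

if __name__ == "__main__":
    for label, cmd, creator in (("win7", QAKBOT_WIN7, r"C:\hgoitk\nkorpy\exlwhtih.exe"),
                                ("win10", QAKBOT_WIN10, r"C:\hgoitk\nkorpy\exlwhtih.exe"),
                                ("benign", BENIGN, r"C:\Windows\System32\cmd.exe")):
        print(label, assess(cmd, creator))
```

Both report lines produce all six findings; the constructed benign line produces none. In a detection pipeline the same function would run over Sysmon or 4688 process-creation events where the image is schtasks.exe, with the parent image supplied as creator_image.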

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | live-now.club | udp
N/A | 162.213.253.56:443 | live-now.club | tcp
N/A | 8.8.8.8:53 | www.download.windowsupdate.com | udp
N/A | 205.185.216.10:80 | www.download.windowsupdate.com | tcp

live-now.club, resolved through 8.8.8.8 and contacted on 443, is the only non-Microsoft destination in the capture. The www.download.windowsupdate.com traffic on port 80 is most likely the sandbox OS's own background activity and should not be treated as an indicator for this sample.

Files

The sandbox lists one entry per file event, so the same path appears repeatedly (sometimes with and sometimes without the drive letter). Entries with the same path and hashes are collapsed here; the number of original entries is given in parentheses.

C:\hgoitk\nkorpy\exlwhtih.exe (6 entries, two of them listed as \hgoitk\nkorpy\exlwhtih.exe)
  MD5    96967658deb7d88da248e077dc383eca
  SHA1   475c6525bf12dc043e8e20fac9b73b5e5c43165b
  SHA256 926a329dedbfa54478aae338e79e8c6861e345084173b2bd54d677ba73ce4342
  SHA512 542781099dc56c2cc7c685e87c3962cd65405a5b2e3ec24655e26f9156b2fdbebfd8f550d959b08bfb044cfd49e8bfcff6b3ccef891257177a71dafe7750cba2

C:\Users\Admin\AppData\Roaming\Microsoft\Ltyxslwhaxee\hbpbxv.exe (5 entries, two of them listed as \Users\Admin\AppData\Roaming\Microsoft\Ltyxslwhaxee\hbpbxv.exe)
  MD5    96967658deb7d88da248e077dc383eca
  SHA1   475c6525bf12dc043e8e20fac9b73b5e5c43165b
  SHA256 926a329dedbfa54478aae338e79e8c6861e345084173b2bd54d677ba73ce4342
  SHA512 542781099dc56c2cc7c685e87c3962cd65405a5b2e3ec24655e26f9156b2fdbebfd8f550d959b08bfb044cfd49e8bfcff6b3ccef891257177a71dafe7750cba2
  Same hashes as C:\hgoitk\nkorpy\exlwhtih.exe: the copy persisted under AppData\Roaming is byte-identical to the dropped binary.

C:\Users\Admin\AppData\Roaming\Microsoft\Ltyxslwhaxee\hbpbxv.dat (1 entry)
  MD5    29aacebeb2e67a9febacd11c9f91ce7b
  SHA1   d611a098adf3866e9b1a2253761551cdc7bd8b86
  SHA256 5541660210bd33f90fdeaf533ffed1ae3d7c4382b7bd3952973ed97dfe9dfc9c
  SHA512 d0f57edee4a2cf47e35ea30edea42470bec7a2bb510a1a3564e568e6118faf0fdb6f2e07792d9861d7d71e4581b9080e72d045253ee7a685ed0c00bb76dcc413

Memory dumps (in the order listed):
  memory/576-0-0x000007FEF7E30000-0x000007FEF80AA000-memory.dmp
  memory/444-3-0x0000000000000000-mapping.dmp
  memory/816-6-0x0000000000000000-mapping.dmp
  memory/816-8-0x00000000025B0000-0x00000000025C1000-memory.dmp
  memory/1700-11-0x0000000000000000-mapping.dmp
  memory/1776-13-0x0000000000000000-mapping.dmp
  memory/1632-15-0x0000000000000000-mapping.dmp
  memory/1632-17-0x00000000025A0000-0x00000000025B1000-memory.dmp
  memory/1700-18-0x0000000000450000-0x0000000000487000-memory.dmp
  memory/980-19-0x0000000000000000-mapping.dmp
  memory/1512-21-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted:        2020-10-29 04:30
Reported:         2020-10-29 04:35
Platform:         win10v20201028
Max time kernel:  148s
Max time network: 141s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\doc_pack-2091612926.xlsb"

Signatures

Qakbot/Qbot
Tags: trojan banker stealer qakbot

Checks SCSI registry key(s)

Both of the sample's processes, C:\hgoitk\nkorpy\exlwhtih.exe and C:\Users\Admin\AppData\Roaming\Microsoft\Iqckjovd\lhchxu.exe, open the same two SCSI device-instance keys and read the same two values from each (Target: N/A for every row). Key paths below are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI.

Description | Indicator
Key opened | DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000
Key opened | CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000
Key value queried | Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service
Key value queried | Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc
Key value queried | CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service
Key value queried | CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc

Unlike the Excel-triggered rows elsewhere in this report, this is the malware itself: reading the vendor/product strings and DeviceDesc of the enumerated SCSI disks is a standard check for virtual-machine disk identifiers. The instance names the sandbox exposes here (vendor empty, product "HeartDisk"; "Sanu" DVD-ROM) are its disguised hardware identities.

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

All three rows are EXCEL.EXE reading CPU details during its own start-up; not attributable to the sample.

Creates scheduled task(s)
Tags: persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

The command line is in the Processes section below: the same one-shot SYSTEM task as in the win7 run, with task name peybobxps.

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Again EXCEL.EXE, not the sample.

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Excel registers a clipboard format listener on its own; not attributable to the sample.

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Iqckjovd\lhchxu.exe | N/A

This is the persisted copy of the dropper, the same process that writes into explorer.exe in the next table.

Suspicious use of WriteProcessMemory

Rows collapsed as in the behavioral1 section (one line per writer/target pair, Indicator column N/A throughout). In this run every child receives 3 writes from its creator except explorer.exe (PID 3844), which receives 4 from lhchxu.exe (PID 2196), the same one-write surplus into explorer.exe as on win7.

Writer PID | Target PID | Writes | Writer process | Target process
580 | 1372 | 3 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\hgoitk\nkorpy\exlwhtih.exe
1372 | 3704 | 3 | C:\hgoitk\nkorpy\exlwhtih.exe | C:\hgoitk\nkorpy\exlwhtih.exe
1372 | 2196 | 3 | C:\hgoitk\nkorpy\exlwhtih.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Iqckjovd\lhchxu.exe
1372 | 3468 | 3 | C:\hgoitk\nkorpy\exlwhtih.exe | C:\Windows\SysWOW64\schtasks.exe
2196 | 3668 | 3 | C:\Users\Admin\AppData\Roaming\Microsoft\Iqckjovd\lhchxu.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Iqckjovd\lhchxu.exe
2196 | 3844 | 4 | C:\Users\Admin\AppData\Roaming\Microsoft\Iqckjovd\lhchxu.exe | C:\Windows\SysWOW64\explorer.exe

Processes

Process tree. PIDs are taken from the WriteProcessMemory table; the command lines are the ones the report lists, in the same (creation) order.

[580]  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\doc_pack-2091612926.xlsb"
  +-- [1372] "C:\hgoitk\nkorpy\exlwhtih.exe"
        +-- [3704] C:\hgoitk\nkorpy\exlwhtih.exe /C
        +-- [2196] C:\Users\Admin\AppData\Roaming\Microsoft\Iqckjovd\lhchxu.exe
        |     +-- [3668] C:\Users\Admin\AppData\Roaming\Microsoft\Iqckjovd\lhchxu.exe /C
        |     +-- [3844] C:\Windows\SysWOW64\explorer.exe
        +-- [3468] "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn peybobxps /tr "\"C:\hgoitk\nkorpy\exlwhtih.exe\" /I peybobxps" /SC ONCE /Z /ST 05:32 /ET 05:44

Unlike the win7 run, no Task Scheduler engine process appears here: the task peybobxps did not fire within the 148 s capture.

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | live-now.club | udp
N/A | 162.213.253.56:443 | live-now.club | tcp

Files

Entries collapsed as in the behavioral1 section (same path and hashes merged; original entry count in parentheses).

C:\hgoitk\nkorpy\exlwhtih.exe (3 entries)
  MD5    96967658deb7d88da248e077dc383eca
  SHA1   475c6525bf12dc043e8e20fac9b73b5e5c43165b
  SHA256 926a329dedbfa54478aae338e79e8c6861e345084173b2bd54d677ba73ce4342
  SHA512 542781099dc56c2cc7c685e87c3962cd65405a5b2e3ec24655e26f9156b2fdbebfd8f550d959b08bfb044cfd49e8bfcff6b3ccef891257177a71dafe7750cba2

C:\Users\Admin\AppData\Roaming\Microsoft\Iqckjovd\lhchxu.exe (3 entries)
  MD5    96967658deb7d88da248e077dc383eca
  SHA1   475c6525bf12dc043e8e20fac9b73b5e5c43165b
  SHA256 926a329dedbfa54478aae338e79e8c6861e345084173b2bd54d677ba73ce4342
  SHA512 542781099dc56c2cc7c685e87c3962cd65405a5b2e3ec24655e26f9156b2fdbebfd8f550d959b08bfb044cfd49e8bfcff6b3ccef891257177a71dafe7750cba2
  Same hashes as C:\hgoitk\nkorpy\exlwhtih.exe and as the win7 drop: the same binary, persisted under a different random directory and file name on this run.

C:\Users\Admin\AppData\Roaming\Microsoft\Iqckjovd\lhchxu.dat (1 entry)
  MD5    cd6b16002588292a093c6791d35ff74c
  SHA1   d35b41d05837d0e6496dc8f1a384ac6396082ed3
  SHA256 efb12e6d36d32a422ee3e6637c3c6aa9a5a78766fa5f9182e5b65fd617385e08
  SHA512 27b63b7aed40152f554281768f5aa889f02c70991fa2d63fe49529101d015fd544e06873786023fb00f0db3dbd657d2998f89054553d038221cc7fd05597ec88

Memory dumps (in the order listed):
  memory/580-0-0x00007FF91E6D0000-0x00007FF91ED07000-memory.dmp
  memory/1372-1-0x0000000000000000-mapping.dmp
  memory/3704-4-0x0000000000000000-mapping.dmp
  memory/3704-6-0x0000000002750000-0x0000000002751000-memory.dmp
  memory/2196-7-0x0000000000000000-mapping.dmp
  memory/3468-10-0x0000000000000000-mapping.dmp
  memory/3668-11-0x0000000000000000-mapping.dmp
  memory/3668-13-0x00000000026C0000-0x00000000026C1000-memory.dmp
  memory/2196-14-0x0000000000720000-0x0000000000757000-memory.dmp
  memory/3844-15-0x0000000000000000-mapping.dmp