Malware Analysis Report

2024-11-30 13:49

Sample ID 201029-d77ygx18ne
Target doc_pack-2067814132.xlsb
SHA256 4063b6a7f6da00e76caab51e6b8a1f5197cc92b44e9ff00f97a33327cb93b88e
Tags: qakbot tr01 1603793855 banker stealer trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 4063b6a7f6da00e76caab51e6b8a1f5197cc92b44e9ff00f97a33327cb93b88e

Threat Level: Known bad

The file doc_pack-2067814132.xlsb was found to be: Known bad.

Malicious Activity Summary

qakbot tr01 1603793855 banker stealer trojan

Qakbot/Qbot

Executes dropped EXE

Loads dropped DLL

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

Checks processor information in registry

Analysis: static1

Detonation Overview

Reported: 2020-10-29 04:37

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2020-10-29 04:37
Reported: 2020-10-29 04:40
Platform: win7v20201028
Max time kernel: 111s
Max time network: 137s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\doc_pack-2067814132.xlsb

Signatures

Qakbot/Qbot

Tags: trojan banker stealer qakbot

Creates scheduled task(s)

Tags: persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Modifies Internet Explorer settings

Tags: adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Yfdcrek\apwgd.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1056 wrote to memory of 484 (4 entries) | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\hgoitk\nkorpy\exlwhtih.exe
PID 484 wrote to memory of 1144 (4 entries) | N/A | C:\hgoitk\nkorpy\exlwhtih.exe | C:\hgoitk\nkorpy\exlwhtih.exe
PID 484 wrote to memory of 1820 (4 entries) | N/A | C:\hgoitk\nkorpy\exlwhtih.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Yfdcrek\apwgd.exe
PID 484 wrote to memory of 368 (4 entries) | N/A | C:\hgoitk\nkorpy\exlwhtih.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1820 wrote to memory of 1520 (4 entries) | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Yfdcrek\apwgd.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Yfdcrek\apwgd.exe
PID 1820 wrote to memory of 2012 (5 entries) | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Yfdcrek\apwgd.exe | C:\Windows\SysWOW64\explorer.exe
PID 1004 wrote to memory of 328 (4 entries) | N/A | C:\Windows\system32\taskeng.exe | C:\hgoitk\nkorpy\exlwhtih.exe

Processes

Image | Command line
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\doc_pack-2067814132.xlsb
C:\hgoitk\nkorpy\exlwhtih.exe | "C:\hgoitk\nkorpy\exlwhtih.exe"
C:\hgoitk\nkorpy\exlwhtih.exe | C:\hgoitk\nkorpy\exlwhtih.exe /C
C:\Users\Admin\AppData\Roaming\Microsoft\Yfdcrek\apwgd.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Yfdcrek\apwgd.exe
C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ozryjayl /tr "\"C:\hgoitk\nkorpy\exlwhtih.exe\" /I ozryjayl" /SC ONCE /Z /ST 05:36 /ET 05:48
C:\Users\Admin\AppData\Roaming\Microsoft\Yfdcrek\apwgd.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Yfdcrek\apwgd.exe /C
C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\taskeng.exe | taskeng.exe {9B044788-7F2A-4FCA-B913-397DE9A0278D} S-1-5-18:NT AUTHORITY\System:Service:
C:\hgoitk\nkorpy\exlwhtih.exe | C:\hgoitk\nkorpy\exlwhtih.exe /I ozryjayl

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | live-now.club | udp
N/A | 162.213.253.56:443 | live-now.club | tcp
N/A | 8.8.8.8:53 | www.download.windowsupdate.com | udp
N/A | 205.185.216.42:80 | www.download.windowsupdate.com | tcp

Files

memory/876-0-0x000007FEF6B20000-0x000007FEF6D9A000-memory.dmp

\hgoitk\nkorpy\exlwhtih.exe

MD5 96967658deb7d88da248e077dc383eca
SHA1 475c6525bf12dc043e8e20fac9b73b5e5c43165b
SHA256 926a329dedbfa54478aae338e79e8c6861e345084173b2bd54d677ba73ce4342
SHA512 542781099dc56c2cc7c685e87c3962cd65405a5b2e3ec24655e26f9156b2fdbebfd8f550d959b08bfb044cfd49e8bfcff6b3ccef891257177a71dafe7750cba2

memory/484-3-0x0000000000000000-mapping.dmp

C:\hgoitk\nkorpy\exlwhtih.exe

MD5 96967658deb7d88da248e077dc383eca
SHA1 475c6525bf12dc043e8e20fac9b73b5e5c43165b
SHA256 926a329dedbfa54478aae338e79e8c6861e345084173b2bd54d677ba73ce4342
SHA512 542781099dc56c2cc7c685e87c3962cd65405a5b2e3ec24655e26f9156b2fdbebfd8f550d959b08bfb044cfd49e8bfcff6b3ccef891257177a71dafe7750cba2

memory/1144-6-0x0000000000000000-mapping.dmp

memory/1144-8-0x0000000002550000-0x0000000002561000-memory.dmp

\Users\Admin\AppData\Roaming\Microsoft\Yfdcrek\apwgd.exe

MD5 96967658deb7d88da248e077dc383eca
SHA1 475c6525bf12dc043e8e20fac9b73b5e5c43165b
SHA256 926a329dedbfa54478aae338e79e8c6861e345084173b2bd54d677ba73ce4342
SHA512 542781099dc56c2cc7c685e87c3962cd65405a5b2e3ec24655e26f9156b2fdbebfd8f550d959b08bfb044cfd49e8bfcff6b3ccef891257177a71dafe7750cba2

memory/1820-11-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Yfdcrek\apwgd.exe

MD5 96967658deb7d88da248e077dc383eca
SHA1 475c6525bf12dc043e8e20fac9b73b5e5c43165b
SHA256 926a329dedbfa54478aae338e79e8c6861e345084173b2bd54d677ba73ce4342
SHA512 542781099dc56c2cc7c685e87c3962cd65405a5b2e3ec24655e26f9156b2fdbebfd8f550d959b08bfb044cfd49e8bfcff6b3ccef891257177a71dafe7750cba2

memory/368-13-0x0000000000000000-mapping.dmp

memory/1520-15-0x0000000000000000-mapping.dmp

memory/1520-17-0x00000000024D0000-0x00000000024E1000-memory.dmp

memory/1820-18-0x0000000000450000-0x0000000000487000-memory.dmp

memory/2012-19-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Yfdcrek\apwgd.dat

MD5 2347850a4616338b22af23cbaeb29990
SHA1 8d56c4428911a6e8078b39f145e1b86ae7d2d6b2
SHA256 a8c9e31d44c73a5992308f962177ad7c0d9fde21790b431e95794017ca20e941
SHA512 c9133bb771e311ecdef72155324c5a195265d7b0029c308b5d56349c30c2a949337e4d9729601e6cb461b93b96ea5a0e3690a93322fab77062973a09fb82d9cb

memory/328-21-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2020-10-29 04:37
Reported: 2020-10-29 04:40
Platform: win10v20201028
Max time kernel: 151s
Max time network: 151s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\doc_pack-2067814132.xlsb"

Signatures

Qakbot/Qbot

Tags: trojan banker stealer qakbot

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | C:\Users\Admin\AppData\Roaming\Microsoft\Whiynunzic\abecdbf.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc | C:\Users\Admin\AppData\Roaming\Microsoft\Whiynunzic\abecdbf.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | C:\hgoitk\nkorpy\exlwhtih.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service | C:\hgoitk\nkorpy\exlwhtih.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc | C:\hgoitk\nkorpy\exlwhtih.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc | C:\Users\Admin\AppData\Roaming\Microsoft\Whiynunzic\abecdbf.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service | C:\Users\Admin\AppData\Roaming\Microsoft\Whiynunzic\abecdbf.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | C:\Users\Admin\AppData\Roaming\Microsoft\Whiynunzic\abecdbf.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service | C:\Users\Admin\AppData\Roaming\Microsoft\Whiynunzic\abecdbf.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc | C:\hgoitk\nkorpy\exlwhtih.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | C:\hgoitk\nkorpy\exlwhtih.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service | C:\hgoitk\nkorpy\exlwhtih.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Creates scheduled task(s)

Tags: persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Whiynunzic\abecdbf.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 632 wrote to memory of 3660 (3 entries) | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\hgoitk\nkorpy\exlwhtih.exe
PID 3660 wrote to memory of 3732 (3 entries) | N/A | C:\hgoitk\nkorpy\exlwhtih.exe | C:\hgoitk\nkorpy\exlwhtih.exe
PID 3660 wrote to memory of 2120 (3 entries) | N/A | C:\hgoitk\nkorpy\exlwhtih.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Whiynunzic\abecdbf.exe
PID 3660 wrote to memory of 2204 (3 entries) | N/A | C:\hgoitk\nkorpy\exlwhtih.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2120 wrote to memory of 2192 (3 entries) | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Whiynunzic\abecdbf.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Whiynunzic\abecdbf.exe
PID 2120 wrote to memory of 3892 (4 entries) | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Whiynunzic\abecdbf.exe | C:\Windows\SysWOW64\explorer.exe

Processes

Image | Command line
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\doc_pack-2067814132.xlsb"
C:\hgoitk\nkorpy\exlwhtih.exe | "C:\hgoitk\nkorpy\exlwhtih.exe"
C:\hgoitk\nkorpy\exlwhtih.exe | C:\hgoitk\nkorpy\exlwhtih.exe /C
C:\Users\Admin\AppData\Roaming\Microsoft\Whiynunzic\abecdbf.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Whiynunzic\abecdbf.exe
C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ofwsaxlo /tr "\"C:\hgoitk\nkorpy\exlwhtih.exe\" /I ofwsaxlo" /SC ONCE /Z /ST 05:37 /ET 05:49
C:\Users\Admin\AppData\Roaming\Microsoft\Whiynunzic\abecdbf.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Whiynunzic\abecdbf.exe /C
C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | live-now.club | udp
N/A | 162.213.253.56:443 | live-now.club | tcp

Files

memory/632-0-0x00007FF9E73C0000-0x00007FF9E79F7000-memory.dmp

memory/3660-1-0x0000000000000000-mapping.dmp

C:\hgoitk\nkorpy\exlwhtih.exe

MD5 96967658deb7d88da248e077dc383eca
SHA1 475c6525bf12dc043e8e20fac9b73b5e5c43165b
SHA256 926a329dedbfa54478aae338e79e8c6861e345084173b2bd54d677ba73ce4342
SHA512 542781099dc56c2cc7c685e87c3962cd65405a5b2e3ec24655e26f9156b2fdbebfd8f550d959b08bfb044cfd49e8bfcff6b3ccef891257177a71dafe7750cba2

memory/3732-4-0x0000000000000000-mapping.dmp

memory/3732-6-0x00000000028E0000-0x00000000028E1000-memory.dmp

memory/2120-7-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Whiynunzic\abecdbf.exe

MD5 96967658deb7d88da248e077dc383eca
SHA1 475c6525bf12dc043e8e20fac9b73b5e5c43165b
SHA256 926a329dedbfa54478aae338e79e8c6861e345084173b2bd54d677ba73ce4342
SHA512 542781099dc56c2cc7c685e87c3962cd65405a5b2e3ec24655e26f9156b2fdbebfd8f550d959b08bfb044cfd49e8bfcff6b3ccef891257177a71dafe7750cba2

memory/2204-10-0x0000000000000000-mapping.dmp

memory/2192-11-0x0000000000000000-mapping.dmp

memory/2192-13-0x00000000027D0000-0x00000000027D1000-memory.dmp

memory/2120-14-0x00000000022B0000-0x00000000022E7000-memory.dmp

memory/3892-15-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Whiynunzic\abecdbf.dat

MD5 cefdca62902f286161827c93cfafd3d7
SHA1 bc56519b0f1e59d898d805f066185c2f403701bb
SHA256 702d0e920b5d86f4a68b4cccfacdf79656004a603147544ac702a92b9d45c0e8
SHA512 1ef82c8709286452611417419f537630d4261a7369e16bd9c78c6c7049206358ec493f056673d870f1b847229d2ed0cda1d0cc690e5125e07f6bb08b00631208