Malware Analysis Report

2024-11-30 13:45

Sample ID: 201029-kk53mggrje
Target: doc_pack-2020497947.xlsb
SHA256: 44b652324713b7ab802e17574c2ce7f609ac91a59485584cd737abafb4cdaae0
Tags: qakbot, tr01, 1603793855, banker, stealer, trojan
Score: 10/10


Analysis Overview

Score: 10/10
SHA256: 44b652324713b7ab802e17574c2ce7f609ac91a59485584cd737abafb4cdaae0
Threat Level: Known bad

The file doc_pack-2020497947.xlsb was found to be: Known bad.

Malicious Activity Summary

Tags: qakbot, tr01, 1603793855, banker, stealer, trojan

Qakbot/Qbot

Executes dropped EXE

Checks processor information in registry

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Modifies Internet Explorer settings

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Analysis: static1

Detonation Overview

Reported: 2020-10-29 04:00

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2020-10-29 04:00
Reported: 2020-10-29 04:09
Platform: win7v20201028
Max time kernel: 68s
Max time network: 79s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\doc_pack-2020497947.xlsb

Signatures

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Modifies Internet Explorer settings

Tags: adware, spyware

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Processes

Image: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\doc_pack-2020497947.xlsb

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | mindsup.in | udp
N/A | 166.62.28.128:443 | mindsup.in | tcp
N/A | 8.8.8.8:53 | www.download.windowsupdate.com | udp
N/A | 72.21.81.240:80 | www.download.windowsupdate.com | tcp

Files

memory/1964-0-0x000007FEF7D30000-0x000007FEF7FAA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2020-10-29 04:00
Reported: 2020-10-29 04:09
Platform: win10v20201028
Max time kernel: 150s
Max time network: 141s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\doc_pack-2020497947.xlsb"

Signatures

Qakbot/Qbot

Tags: trojan, banker, stealer, qakbot

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc | C:\hgoitk\nkorpy\exlwhtih.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | C:\Users\Admin\AppData\Roaming\Microsoft\Oifxixok\hxewqsa.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc | C:\Users\Admin\AppData\Roaming\Microsoft\Oifxixok\hxewqsa.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc | C:\Users\Admin\AppData\Roaming\Microsoft\Oifxixok\hxewqsa.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service | C:\Users\Admin\AppData\Roaming\Microsoft\Oifxixok\hxewqsa.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | C:\hgoitk\nkorpy\exlwhtih.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc | C:\hgoitk\nkorpy\exlwhtih.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service | C:\hgoitk\nkorpy\exlwhtih.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | C:\hgoitk\nkorpy\exlwhtih.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service | C:\hgoitk\nkorpy\exlwhtih.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service | C:\Users\Admin\AppData\Roaming\Microsoft\Oifxixok\hxewqsa.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | C:\Users\Admin\AppData\Roaming\Microsoft\Oifxixok\hxewqsa.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Creates scheduled task(s)

Tags: persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Oifxixok\hxewqsa.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3336 wrote to memory of 2096 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\hgoitk\nkorpy\exlwhtih.exe
PID 3336 wrote to memory of 2096 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\hgoitk\nkorpy\exlwhtih.exe
PID 3336 wrote to memory of 2096 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\hgoitk\nkorpy\exlwhtih.exe
PID 2096 wrote to memory of 3900 | N/A | C:\hgoitk\nkorpy\exlwhtih.exe | C:\hgoitk\nkorpy\exlwhtih.exe
PID 2096 wrote to memory of 3900 | N/A | C:\hgoitk\nkorpy\exlwhtih.exe | C:\hgoitk\nkorpy\exlwhtih.exe
PID 2096 wrote to memory of 3900 | N/A | C:\hgoitk\nkorpy\exlwhtih.exe | C:\hgoitk\nkorpy\exlwhtih.exe
PID 2096 wrote to memory of 2220 | N/A | C:\hgoitk\nkorpy\exlwhtih.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Oifxixok\hxewqsa.exe
PID 2096 wrote to memory of 2220 | N/A | C:\hgoitk\nkorpy\exlwhtih.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Oifxixok\hxewqsa.exe
PID 2096 wrote to memory of 2220 | N/A | C:\hgoitk\nkorpy\exlwhtih.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Oifxixok\hxewqsa.exe
PID 2096 wrote to memory of 1660 | N/A | C:\hgoitk\nkorpy\exlwhtih.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2096 wrote to memory of 1660 | N/A | C:\hgoitk\nkorpy\exlwhtih.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2096 wrote to memory of 1660 | N/A | C:\hgoitk\nkorpy\exlwhtih.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2220 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Oifxixok\hxewqsa.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Oifxixok\hxewqsa.exe
PID 2220 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Oifxixok\hxewqsa.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Oifxixok\hxewqsa.exe
PID 2220 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Oifxixok\hxewqsa.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Oifxixok\hxewqsa.exe
PID 2220 wrote to memory of 3516 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Oifxixok\hxewqsa.exe | C:\Windows\SysWOW64\explorer.exe
PID 2220 wrote to memory of 3516 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Oifxixok\hxewqsa.exe | C:\Windows\SysWOW64\explorer.exe
PID 2220 wrote to memory of 3516 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Oifxixok\hxewqsa.exe | C:\Windows\SysWOW64\explorer.exe
PID 2220 wrote to memory of 3516 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Oifxixok\hxewqsa.exe | C:\Windows\SysWOW64\explorer.exe

Processes

Image: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\doc_pack-2020497947.xlsb"

Image: C:\hgoitk\nkorpy\exlwhtih.exe
Command line: "C:\hgoitk\nkorpy\exlwhtih.exe"

Image: C:\hgoitk\nkorpy\exlwhtih.exe
Command line: C:\hgoitk\nkorpy\exlwhtih.exe /C

Image: C:\Users\Admin\AppData\Roaming\Microsoft\Oifxixok\hxewqsa.exe
Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Oifxixok\hxewqsa.exe

Image: C:\Windows\SysWOW64\schtasks.exe
Command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn xowwzhuahs /tr "\"C:\hgoitk\nkorpy\exlwhtih.exe\" /I xowwzhuahs" /SC ONCE /Z /ST 05:13 /ET 05:25

Image: C:\Users\Admin\AppData\Roaming\Microsoft\Oifxixok\hxewqsa.exe
Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Oifxixok\hxewqsa.exe /C

Image: C:\Windows\SysWOW64\explorer.exe
Command line: C:\Windows\SysWOW64\explorer.exe

Image: C:\hgoitk\nkorpy\exlwhtih.exe
Command line: C:\hgoitk\nkorpy\exlwhtih.exe /I xowwzhuahs

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | mindsup.in | udp
N/A | 166.62.28.128:443 | mindsup.in | tcp

Files

memory/3336-0-0x00007FFD88A90000-0x00007FFD890C7000-memory.dmp

memory/2096-1-0x0000000000000000-mapping.dmp

C:\hgoitk\nkorpy\exlwhtih.exe

MD5 e7fb89ff479959bedf84eed00a642f07
SHA1 fa31fb2d426f237ccd67a78b848b40ee1c001166
SHA256 9089e9c57d46d65745dce684b639571617890c5ddabdf049122314cd7b1c7b13
SHA512 328f29767511d3f5d61e3d6462282bc7f8919ec02c9cd82c94c25018d9004af773cfe3734a9524dfad9909c7c0147d086dfa52931432241a0fd801ccaceeda6e

memory/3900-4-0x0000000000000000-mapping.dmp

memory/3900-6-0x00000000026B0000-0x00000000026B1000-memory.dmp

memory/2220-7-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Oifxixok\hxewqsa.exe

MD5 e7fb89ff479959bedf84eed00a642f07
SHA1 fa31fb2d426f237ccd67a78b848b40ee1c001166
SHA256 9089e9c57d46d65745dce684b639571617890c5ddabdf049122314cd7b1c7b13
SHA512 328f29767511d3f5d61e3d6462282bc7f8919ec02c9cd82c94c25018d9004af773cfe3734a9524dfad9909c7c0147d086dfa52931432241a0fd801ccaceeda6e

memory/1660-10-0x0000000000000000-mapping.dmp

memory/3468-11-0x0000000000000000-mapping.dmp

memory/3468-13-0x0000000002760000-0x0000000002761000-memory.dmp

memory/2220-14-0x0000000002200000-0x0000000002237000-memory.dmp

memory/3516-15-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Oifxixok\hxewqsa.dat

MD5 f6d5cad86da9b617ee4717d92b6e232f
SHA1 0ca3fb827cb73c1b2c2db87efeb7b1de8db41a55
SHA256 9df3c702db8031268272cf53c37c7c857446f78e0b4aefeb7eeac8dfcab7e396
SHA512 b5303449172e11f6acf68ea5a8c0dbb54ce5707d6c41b65f05fcaf14dc17f8e32580b1ba248f6aa2ab07753e052730fda7d7664ab3d4ad585d296d72aa790f82