Malware Analysis Report

2024-11-30 13:52

Sample ID: 201029-lms7b4kp2e
Target: doc_pack-1951371048.xlsb
SHA256: 915f11a002bc07f3eecedff61d93bddc393bd078c86f2c9e77dc5e8f79589025
Tags: qakbot tr01 1603793855 banker stealer trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 915f11a002bc07f3eecedff61d93bddc393bd078c86f2c9e77dc5e8f79589025

Threat Level: Known bad

The file doc_pack-1951371048.xlsb was found to be: Known bad.

Malicious Activity Summary

qakbot tr01 1603793855 banker stealer trojan

Qakbot/Qbot

Executes dropped EXE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

Checks processor information in registry

Creates scheduled task(s)

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2020-10-29 03:39

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2020-10-29 03:39
Reported: 2020-10-29 03:56
Platform: win7v20201028
Max time kernel: 63s
Max time network: 68s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\doc_pack-1951371048.xlsb

Signatures

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\doc_pack-1951371048.xlsb

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | mindsup.in | udp
N/A | 166.62.28.128:443 | mindsup.in | tcp
N/A | 8.8.8.8:53 | www.download.windowsupdate.com | udp
N/A | 8.238.23.254:80 | www.download.windowsupdate.com | tcp

Files

memory/1408-0-0x000007FEF6580000-0x000007FEF67FA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2020-10-29 03:39
Reported: 2020-10-29 03:56
Platform: win10v20201028
Max time kernel: 103s
Max time network: 144s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\doc_pack-1951371048.xlsb"

Signatures

Qakbot/Qbot

trojan banker stealer qakbot

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | C:\hgoitk\nkorpy\exlwhtih.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc | C:\hgoitk\nkorpy\exlwhtih.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service | C:\hgoitk\nkorpy\exlwhtih.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | C:\hgoitk\nkorpy\exlwhtih.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc | C:\hgoitk\nkorpy\exlwhtih.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc | C:\Users\Admin\AppData\Roaming\Microsoft\Xfldy\yartramt.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service | C:\Users\Admin\AppData\Roaming\Microsoft\Xfldy\yartramt.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | C:\Users\Admin\AppData\Roaming\Microsoft\Xfldy\yartramt.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service | C:\hgoitk\nkorpy\exlwhtih.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | C:\Users\Admin\AppData\Roaming\Microsoft\Xfldy\yartramt.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc | C:\Users\Admin\AppData\Roaming\Microsoft\Xfldy\yartramt.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service | C:\Users\Admin\AppData\Roaming\Microsoft\Xfldy\yartramt.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Xfldy\yartramt.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 492 wrote to memory of 3292 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\hgoitk\nkorpy\exlwhtih.exe
PID 492 wrote to memory of 3292 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\hgoitk\nkorpy\exlwhtih.exe
PID 492 wrote to memory of 3292 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\hgoitk\nkorpy\exlwhtih.exe
PID 3292 wrote to memory of 1324 | N/A | C:\hgoitk\nkorpy\exlwhtih.exe | C:\hgoitk\nkorpy\exlwhtih.exe
PID 3292 wrote to memory of 1324 | N/A | C:\hgoitk\nkorpy\exlwhtih.exe | C:\hgoitk\nkorpy\exlwhtih.exe
PID 3292 wrote to memory of 1324 | N/A | C:\hgoitk\nkorpy\exlwhtih.exe | C:\hgoitk\nkorpy\exlwhtih.exe
PID 3292 wrote to memory of 3448 | N/A | C:\hgoitk\nkorpy\exlwhtih.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Xfldy\yartramt.exe
PID 3292 wrote to memory of 3448 | N/A | C:\hgoitk\nkorpy\exlwhtih.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Xfldy\yartramt.exe
PID 3292 wrote to memory of 3448 | N/A | C:\hgoitk\nkorpy\exlwhtih.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Xfldy\yartramt.exe
PID 3292 wrote to memory of 2164 | N/A | C:\hgoitk\nkorpy\exlwhtih.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3292 wrote to memory of 2164 | N/A | C:\hgoitk\nkorpy\exlwhtih.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3292 wrote to memory of 2164 | N/A | C:\hgoitk\nkorpy\exlwhtih.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3448 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Xfldy\yartramt.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Xfldy\yartramt.exe
PID 3448 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Xfldy\yartramt.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Xfldy\yartramt.exe
PID 3448 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Xfldy\yartramt.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Xfldy\yartramt.exe
PID 3448 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Xfldy\yartramt.exe | C:\Windows\SysWOW64\explorer.exe
PID 3448 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Xfldy\yartramt.exe | C:\Windows\SysWOW64\explorer.exe
PID 3448 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Xfldy\yartramt.exe | C:\Windows\SysWOW64\explorer.exe
PID 3448 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Xfldy\yartramt.exe | C:\Windows\SysWOW64\explorer.exe

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\doc_pack-1951371048.xlsb"

C:\hgoitk\nkorpy\exlwhtih.exe

"C:\hgoitk\nkorpy\exlwhtih.exe"

C:\hgoitk\nkorpy\exlwhtih.exe

C:\hgoitk\nkorpy\exlwhtih.exe /C

C:\Users\Admin\AppData\Roaming\Microsoft\Xfldy\yartramt.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Xfldy\yartramt.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn fmsrfkp /tr "\"C:\hgoitk\nkorpy\exlwhtih.exe\" /I fmsrfkp" /SC ONCE /Z /ST 05:00 /ET 05:12

C:\Users\Admin\AppData\Roaming\Microsoft\Xfldy\yartramt.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Xfldy\yartramt.exe /C

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | mindsup.in | udp
N/A | 166.62.28.128:443 | mindsup.in | tcp

Files

memory/492-0-0x00007FF9A7130000-0x00007FF9A7767000-memory.dmp

memory/3292-1-0x0000000000000000-mapping.dmp

C:\hgoitk\nkorpy\exlwhtih.exe

MD5 e7fb89ff479959bedf84eed00a642f07
SHA1 fa31fb2d426f237ccd67a78b848b40ee1c001166
SHA256 9089e9c57d46d65745dce684b639571617890c5ddabdf049122314cd7b1c7b13
SHA512 328f29767511d3f5d61e3d6462282bc7f8919ec02c9cd82c94c25018d9004af773cfe3734a9524dfad9909c7c0147d086dfa52931432241a0fd801ccaceeda6e

C:\hgoitk\nkorpy\exlwhtih.exe

MD5 e7fb89ff479959bedf84eed00a642f07
SHA1 fa31fb2d426f237ccd67a78b848b40ee1c001166
SHA256 9089e9c57d46d65745dce684b639571617890c5ddabdf049122314cd7b1c7b13
SHA512 328f29767511d3f5d61e3d6462282bc7f8919ec02c9cd82c94c25018d9004af773cfe3734a9524dfad9909c7c0147d086dfa52931432241a0fd801ccaceeda6e

memory/1324-4-0x0000000000000000-mapping.dmp

C:\hgoitk\nkorpy\exlwhtih.exe

MD5 e7fb89ff479959bedf84eed00a642f07
SHA1 fa31fb2d426f237ccd67a78b848b40ee1c001166
SHA256 9089e9c57d46d65745dce684b639571617890c5ddabdf049122314cd7b1c7b13
SHA512 328f29767511d3f5d61e3d6462282bc7f8919ec02c9cd82c94c25018d9004af773cfe3734a9524dfad9909c7c0147d086dfa52931432241a0fd801ccaceeda6e

memory/1324-6-0x0000000002690000-0x0000000002691000-memory.dmp

memory/3448-7-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Xfldy\yartramt.exe

MD5 e7fb89ff479959bedf84eed00a642f07
SHA1 fa31fb2d426f237ccd67a78b848b40ee1c001166
SHA256 9089e9c57d46d65745dce684b639571617890c5ddabdf049122314cd7b1c7b13
SHA512 328f29767511d3f5d61e3d6462282bc7f8919ec02c9cd82c94c25018d9004af773cfe3734a9524dfad9909c7c0147d086dfa52931432241a0fd801ccaceeda6e

C:\Users\Admin\AppData\Roaming\Microsoft\Xfldy\yartramt.exe

MD5 e7fb89ff479959bedf84eed00a642f07
SHA1 fa31fb2d426f237ccd67a78b848b40ee1c001166
SHA256 9089e9c57d46d65745dce684b639571617890c5ddabdf049122314cd7b1c7b13
SHA512 328f29767511d3f5d61e3d6462282bc7f8919ec02c9cd82c94c25018d9004af773cfe3734a9524dfad9909c7c0147d086dfa52931432241a0fd801ccaceeda6e

memory/2164-10-0x0000000000000000-mapping.dmp

memory/2340-11-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Xfldy\yartramt.exe

MD5 e7fb89ff479959bedf84eed00a642f07
SHA1 fa31fb2d426f237ccd67a78b848b40ee1c001166
SHA256 9089e9c57d46d65745dce684b639571617890c5ddabdf049122314cd7b1c7b13
SHA512 328f29767511d3f5d61e3d6462282bc7f8919ec02c9cd82c94c25018d9004af773cfe3734a9524dfad9909c7c0147d086dfa52931432241a0fd801ccaceeda6e

memory/2340-13-0x00000000026A0000-0x00000000026A1000-memory.dmp

memory/3448-14-0x0000000000720000-0x0000000000757000-memory.dmp

memory/2364-15-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Xfldy\yartramt.dat

MD5 af91c1087ef861962d5017a3104c3ab9
SHA1 7ff323fdb6370394d43e28c7d8bd3c11da579fed
SHA256 527ff9cb2140f32a14f9a3ddede81fbdf44d5e9a2db3c2705b05b01b128ebe03
SHA512 acd53b2cf33bf895ff453fd17debdf89941ad68961532d6ab7c8b634d3529a424a21aaa7a416bc4eb6b6b444f7f578d7f4ca0e4621e2d0adb7605a6dcef14249