Malware Analysis Report

2024-11-30 13:42

Sample ID 201029-vnk8vkb3d2
Target doc_pack-206720380.xlsb
SHA256 85dc565ef69ea5489ac8f5a326977dee60abba13df7311ccc173b901babb8315
Tags
qakbot tr01 1603793855 banker stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

85dc565ef69ea5489ac8f5a326977dee60abba13df7311ccc173b901babb8315

Threat Level: Known bad

The file doc_pack-206720380.xlsb was found to be: Known bad.

Malicious Activity Summary

qakbot tr01 1603793855 banker stealer trojan

Qakbot/Qbot

Executes dropped EXE

Loads dropped DLL

Checks SCSI registry key(s)

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2020-10-29 04:38

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2020-10-29 04:38

Reported

2020-10-29 04:48

Platform

win7v20201028

Max time kernel

136s

Max time network

145s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\doc_pack-206720380.xlsb

Signatures

Qakbot/Qbot

trojan banker stealer qakbot

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Iiankpe\gqjospo.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1632 wrote to memory of 1096 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\hgoitk\nkorpy\exlwhtih.exe
PID 1632 wrote to memory of 1096 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\hgoitk\nkorpy\exlwhtih.exe
PID 1632 wrote to memory of 1096 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\hgoitk\nkorpy\exlwhtih.exe
PID 1632 wrote to memory of 1096 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\hgoitk\nkorpy\exlwhtih.exe
PID 1096 wrote to memory of 1968 N/A C:\hgoitk\nkorpy\exlwhtih.exe C:\hgoitk\nkorpy\exlwhtih.exe
PID 1096 wrote to memory of 1968 N/A C:\hgoitk\nkorpy\exlwhtih.exe C:\hgoitk\nkorpy\exlwhtih.exe
PID 1096 wrote to memory of 1968 N/A C:\hgoitk\nkorpy\exlwhtih.exe C:\hgoitk\nkorpy\exlwhtih.exe
PID 1096 wrote to memory of 1968 N/A C:\hgoitk\nkorpy\exlwhtih.exe C:\hgoitk\nkorpy\exlwhtih.exe
PID 1096 wrote to memory of 292 N/A C:\hgoitk\nkorpy\exlwhtih.exe C:\Users\Admin\AppData\Roaming\Microsoft\Iiankpe\gqjospo.exe
PID 1096 wrote to memory of 292 N/A C:\hgoitk\nkorpy\exlwhtih.exe C:\Users\Admin\AppData\Roaming\Microsoft\Iiankpe\gqjospo.exe
PID 1096 wrote to memory of 292 N/A C:\hgoitk\nkorpy\exlwhtih.exe C:\Users\Admin\AppData\Roaming\Microsoft\Iiankpe\gqjospo.exe
PID 1096 wrote to memory of 292 N/A C:\hgoitk\nkorpy\exlwhtih.exe C:\Users\Admin\AppData\Roaming\Microsoft\Iiankpe\gqjospo.exe
PID 1096 wrote to memory of 1536 N/A C:\hgoitk\nkorpy\exlwhtih.exe C:\Windows\SysWOW64\schtasks.exe
PID 1096 wrote to memory of 1536 N/A C:\hgoitk\nkorpy\exlwhtih.exe C:\Windows\SysWOW64\schtasks.exe
PID 1096 wrote to memory of 1536 N/A C:\hgoitk\nkorpy\exlwhtih.exe C:\Windows\SysWOW64\schtasks.exe
PID 1096 wrote to memory of 1536 N/A C:\hgoitk\nkorpy\exlwhtih.exe C:\Windows\SysWOW64\schtasks.exe
PID 292 wrote to memory of 480 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Iiankpe\gqjospo.exe C:\Users\Admin\AppData\Roaming\Microsoft\Iiankpe\gqjospo.exe
PID 292 wrote to memory of 480 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Iiankpe\gqjospo.exe C:\Users\Admin\AppData\Roaming\Microsoft\Iiankpe\gqjospo.exe
PID 292 wrote to memory of 480 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Iiankpe\gqjospo.exe C:\Users\Admin\AppData\Roaming\Microsoft\Iiankpe\gqjospo.exe
PID 292 wrote to memory of 480 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Iiankpe\gqjospo.exe C:\Users\Admin\AppData\Roaming\Microsoft\Iiankpe\gqjospo.exe
PID 292 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Iiankpe\gqjospo.exe C:\Windows\SysWOW64\explorer.exe
PID 292 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Iiankpe\gqjospo.exe C:\Windows\SysWOW64\explorer.exe
PID 292 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Iiankpe\gqjospo.exe C:\Windows\SysWOW64\explorer.exe
PID 292 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Iiankpe\gqjospo.exe C:\Windows\SysWOW64\explorer.exe
PID 292 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Iiankpe\gqjospo.exe C:\Windows\SysWOW64\explorer.exe
PID 1856 wrote to memory of 580 N/A C:\Windows\system32\taskeng.exe C:\hgoitk\nkorpy\exlwhtih.exe
PID 1856 wrote to memory of 580 N/A C:\Windows\system32\taskeng.exe C:\hgoitk\nkorpy\exlwhtih.exe
PID 1856 wrote to memory of 580 N/A C:\Windows\system32\taskeng.exe C:\hgoitk\nkorpy\exlwhtih.exe
PID 1856 wrote to memory of 580 N/A C:\Windows\system32\taskeng.exe C:\hgoitk\nkorpy\exlwhtih.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\doc_pack-206720380.xlsb

C:\hgoitk\nkorpy\exlwhtih.exe

"C:\hgoitk\nkorpy\exlwhtih.exe"

C:\hgoitk\nkorpy\exlwhtih.exe

C:\hgoitk\nkorpy\exlwhtih.exe /C

C:\Users\Admin\AppData\Roaming\Microsoft\Iiankpe\gqjospo.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Iiankpe\gqjospo.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn daoxxhh /tr "\"C:\hgoitk\nkorpy\exlwhtih.exe\" /I daoxxhh" /SC ONCE /Z /ST 05:44 /ET 05:56

C:\Users\Admin\AppData\Roaming\Microsoft\Iiankpe\gqjospo.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Iiankpe\gqjospo.exe /C

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {DD5E750E-E72A-4E18-A804-A74D64585B15} S-1-5-18:NT AUTHORITY\System:Service:

C:\hgoitk\nkorpy\exlwhtih.exe

C:\hgoitk\nkorpy\exlwhtih.exe /I daoxxhh

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 live-now.club udp
N/A 162.213.253.56:443 live-now.club tcp
N/A 8.8.8.8:53 www.download.windowsupdate.com udp
N/A 72.21.81.240:80 www.download.windowsupdate.com tcp

Files

memory/872-0-0x000007FEF7540000-0x000007FEF77BA000-memory.dmp

\hgoitk\nkorpy\exlwhtih.exe

MD5 96967658deb7d88da248e077dc383eca
SHA1 475c6525bf12dc043e8e20fac9b73b5e5c43165b
SHA256 926a329dedbfa54478aae338e79e8c6861e345084173b2bd54d677ba73ce4342
SHA512 542781099dc56c2cc7c685e87c3962cd65405a5b2e3ec24655e26f9156b2fdbebfd8f550d959b08bfb044cfd49e8bfcff6b3ccef891257177a71dafe7750cba2

memory/1096-3-0x0000000000000000-mapping.dmp

C:\hgoitk\nkorpy\exlwhtih.exe

MD5 96967658deb7d88da248e077dc383eca
SHA1 475c6525bf12dc043e8e20fac9b73b5e5c43165b
SHA256 926a329dedbfa54478aae338e79e8c6861e345084173b2bd54d677ba73ce4342
SHA512 542781099dc56c2cc7c685e87c3962cd65405a5b2e3ec24655e26f9156b2fdbebfd8f550d959b08bfb044cfd49e8bfcff6b3ccef891257177a71dafe7750cba2

memory/1968-6-0x0000000000000000-mapping.dmp

memory/1968-8-0x0000000002460000-0x0000000002471000-memory.dmp

\Users\Admin\AppData\Roaming\Microsoft\Iiankpe\gqjospo.exe

MD5 96967658deb7d88da248e077dc383eca
SHA1 475c6525bf12dc043e8e20fac9b73b5e5c43165b
SHA256 926a329dedbfa54478aae338e79e8c6861e345084173b2bd54d677ba73ce4342
SHA512 542781099dc56c2cc7c685e87c3962cd65405a5b2e3ec24655e26f9156b2fdbebfd8f550d959b08bfb044cfd49e8bfcff6b3ccef891257177a71dafe7750cba2

memory/292-11-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Iiankpe\gqjospo.exe

MD5 96967658deb7d88da248e077dc383eca
SHA1 475c6525bf12dc043e8e20fac9b73b5e5c43165b
SHA256 926a329dedbfa54478aae338e79e8c6861e345084173b2bd54d677ba73ce4342
SHA512 542781099dc56c2cc7c685e87c3962cd65405a5b2e3ec24655e26f9156b2fdbebfd8f550d959b08bfb044cfd49e8bfcff6b3ccef891257177a71dafe7750cba2

memory/1536-13-0x0000000000000000-mapping.dmp

memory/480-15-0x0000000000000000-mapping.dmp

memory/480-17-0x00000000024C0000-0x00000000024D1000-memory.dmp

memory/292-18-0x0000000001D60000-0x0000000001D97000-memory.dmp

memory/1680-19-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Iiankpe\gqjospo.dat

MD5 31b7f73f89cf7f08b753584d14d9f18a
SHA1 e375fcc54e060ace0e044cb255bf2ec6f84f4d43
SHA256 cf492905e71639146e2d5619b785c6fa97ec58dd39929875ea51a36ac12afae6
SHA512 b17644a40c9300771c041bbbaf5f5faaf214a05601929a01335ff4bb98937ba0f12345c4d897e66ce258efa36c248c9bdecdbaceb10227ad4045957840ff3f1e

memory/580-21-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2020-10-29 04:38

Reported

2020-10-29 04:48

Platform

win10v20201028

Max time kernel

110s

Max time network

144s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\doc_pack-206720380.xlsb"

Signatures

Qakbot/Qbot

trojan banker stealer qakbot

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc C:\Users\Admin\AppData\Roaming\Microsoft\Qlouebycijup\erdzx.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service C:\Users\Admin\AppData\Roaming\Microsoft\Qlouebycijup\erdzx.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc C:\Users\Admin\AppData\Roaming\Microsoft\Qlouebycijup\erdzx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 C:\hgoitk\nkorpy\exlwhtih.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service C:\hgoitk\nkorpy\exlwhtih.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 C:\Users\Admin\AppData\Roaming\Microsoft\Qlouebycijup\erdzx.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc C:\hgoitk\nkorpy\exlwhtih.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 C:\Users\Admin\AppData\Roaming\Microsoft\Qlouebycijup\erdzx.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service C:\Users\Admin\AppData\Roaming\Microsoft\Qlouebycijup\erdzx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 C:\hgoitk\nkorpy\exlwhtih.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc C:\hgoitk\nkorpy\exlwhtih.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service C:\hgoitk\nkorpy\exlwhtih.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Qlouebycijup\erdzx.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3304 wrote to memory of 1412 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\hgoitk\nkorpy\exlwhtih.exe
PID 3304 wrote to memory of 1412 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\hgoitk\nkorpy\exlwhtih.exe
PID 3304 wrote to memory of 1412 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\hgoitk\nkorpy\exlwhtih.exe
PID 1412 wrote to memory of 1540 N/A C:\hgoitk\nkorpy\exlwhtih.exe C:\hgoitk\nkorpy\exlwhtih.exe
PID 1412 wrote to memory of 1540 N/A C:\hgoitk\nkorpy\exlwhtih.exe C:\hgoitk\nkorpy\exlwhtih.exe
PID 1412 wrote to memory of 1540 N/A C:\hgoitk\nkorpy\exlwhtih.exe C:\hgoitk\nkorpy\exlwhtih.exe
PID 1412 wrote to memory of 2668 N/A C:\hgoitk\nkorpy\exlwhtih.exe C:\Users\Admin\AppData\Roaming\Microsoft\Qlouebycijup\erdzx.exe
PID 1412 wrote to memory of 2668 N/A C:\hgoitk\nkorpy\exlwhtih.exe C:\Users\Admin\AppData\Roaming\Microsoft\Qlouebycijup\erdzx.exe
PID 1412 wrote to memory of 2668 N/A C:\hgoitk\nkorpy\exlwhtih.exe C:\Users\Admin\AppData\Roaming\Microsoft\Qlouebycijup\erdzx.exe
PID 1412 wrote to memory of 3444 N/A C:\hgoitk\nkorpy\exlwhtih.exe C:\Windows\SysWOW64\schtasks.exe
PID 1412 wrote to memory of 3444 N/A C:\hgoitk\nkorpy\exlwhtih.exe C:\Windows\SysWOW64\schtasks.exe
PID 1412 wrote to memory of 3444 N/A C:\hgoitk\nkorpy\exlwhtih.exe C:\Windows\SysWOW64\schtasks.exe
PID 2668 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Qlouebycijup\erdzx.exe C:\Users\Admin\AppData\Roaming\Microsoft\Qlouebycijup\erdzx.exe
PID 2668 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Qlouebycijup\erdzx.exe C:\Users\Admin\AppData\Roaming\Microsoft\Qlouebycijup\erdzx.exe
PID 2668 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Qlouebycijup\erdzx.exe C:\Users\Admin\AppData\Roaming\Microsoft\Qlouebycijup\erdzx.exe
PID 2668 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Qlouebycijup\erdzx.exe C:\Windows\SysWOW64\explorer.exe
PID 2668 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Qlouebycijup\erdzx.exe C:\Windows\SysWOW64\explorer.exe
PID 2668 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Qlouebycijup\erdzx.exe C:\Windows\SysWOW64\explorer.exe
PID 2668 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Qlouebycijup\erdzx.exe C:\Windows\SysWOW64\explorer.exe

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\doc_pack-206720380.xlsb"

C:\hgoitk\nkorpy\exlwhtih.exe

"C:\hgoitk\nkorpy\exlwhtih.exe"

C:\hgoitk\nkorpy\exlwhtih.exe

C:\hgoitk\nkorpy\exlwhtih.exe /C

C:\Users\Admin\AppData\Roaming\Microsoft\Qlouebycijup\erdzx.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Qlouebycijup\erdzx.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn wmhkjnirbz /tr "\"C:\hgoitk\nkorpy\exlwhtih.exe\" /I wmhkjnirbz" /SC ONCE /Z /ST 05:45 /ET 05:57

C:\Users\Admin\AppData\Roaming\Microsoft\Qlouebycijup\erdzx.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Qlouebycijup\erdzx.exe /C

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 live-now.club udp
N/A 162.213.253.56:443 live-now.club tcp

Files

memory/3304-0-0x00007FF8C7470000-0x00007FF8C7AA7000-memory.dmp

memory/1412-1-0x0000000000000000-mapping.dmp

C:\hgoitk\nkorpy\exlwhtih.exe

MD5 96967658deb7d88da248e077dc383eca
SHA1 475c6525bf12dc043e8e20fac9b73b5e5c43165b
SHA256 926a329dedbfa54478aae338e79e8c6861e345084173b2bd54d677ba73ce4342
SHA512 542781099dc56c2cc7c685e87c3962cd65405a5b2e3ec24655e26f9156b2fdbebfd8f550d959b08bfb044cfd49e8bfcff6b3ccef891257177a71dafe7750cba2

memory/1540-4-0x0000000000000000-mapping.dmp

memory/1540-6-0x00000000027A0000-0x00000000027A1000-memory.dmp

memory/2668-7-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Qlouebycijup\erdzx.exe

MD5 96967658deb7d88da248e077dc383eca
SHA1 475c6525bf12dc043e8e20fac9b73b5e5c43165b
SHA256 926a329dedbfa54478aae338e79e8c6861e345084173b2bd54d677ba73ce4342
SHA512 542781099dc56c2cc7c685e87c3962cd65405a5b2e3ec24655e26f9156b2fdbebfd8f550d959b08bfb044cfd49e8bfcff6b3ccef891257177a71dafe7750cba2

memory/3444-10-0x0000000000000000-mapping.dmp

memory/3152-11-0x0000000000000000-mapping.dmp

memory/3152-13-0x0000000002730000-0x0000000002731000-memory.dmp

memory/2668-14-0x0000000000830000-0x0000000000867000-memory.dmp

memory/3120-15-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Qlouebycijup\erdzx.dat

MD5 3a4e96bcf1afe2775c18e33b1ec72e60
SHA1 e85122816338f23c8dacaf47a158042212d3844c
SHA256 599304c454b489643786df72ef0c7fe1bb9e88888ecc8e935b42bd4a3aa316e0
SHA512 7f1b14d7668aea4bf41e1cd405885846242e238273df58c2eb7dfbc57fb1cd3526579af6483e28f924242f71e800fed240f83644dce9a8da9360bcc4191f05ca