Analysis
max time kernel: 133s
max time network: 140s
platform: windows7_x64
resource: win7v20201028
submitted: 29-10-2020 03:39

Tasks
Static task: static1
Behavioral task: behavioral1 (sample doc_pack-1961863602.xlsb, resource win7v20201028)

General
Target: doc_pack-1961863602.xlsb
Size: 24KB
MD5: 1ca4a001503068561c7f16a9a4f91bc5
SHA1: 810516a02926c0e93d5dd170517f7224e2b60801
SHA256: 957cb34d8587be7a0a82eb27d1c9983547e36910149f41a59c76d3334c729942
SHA512: b0a3c60102d8bccb88bac8d693ca42191450998abf23c937fec03ce8b0bb0bf058342a315ae9179edaa4954f69bbbf84db94a5c375f43e2139d4baac35b9bcbf
Malware Config
Extracted
Family: qakbot
Botnet: tr01
Campaign: 1603793855 (a Unix timestamp, 2020-10-27 10:17:35 UTC, two days before submission)
C2 (host:port, 150 entries; ports are 443, 990, 993, 995, 2078, 2222 and 8443, except for one entry with port 0, 24.213.191.38:0, which should be treated as a decoding artefact rather than a usable indicator; 45.32.155.12 appears three times with different ports):
50.104.68.223:443
89.137.211.239:443
95.77.223.148:443
197.37.69.138:993
68.174.15.223:443
103.238.231.35:443
36.77.151.211:443
72.16.56.171:443
45.47.65.191:443
189.231.212.189:443
106.51.52.111:443
24.55.66.125:443
39.37.247.97:995
108.190.151.108:2222
203.198.96.61:443
73.228.1.246:443
35.134.202.234:443
188.50.230.249:995
86.120.64.150:2222
5.14.126.153:443
64.121.114.87:443
108.46.145.30:443
45.77.193.83:443
207.246.75.201:443
94.52.160.116:443
86.98.89.100:2222
47.44.217.98:443
102.186.103.0:443
217.162.149.212:443
92.59.35.196:2222
83.110.80.66:995
5.12.255.109:443
86.121.121.14:2222
45.32.154.10:443
98.26.50.62:995
2.50.57.213:443
77.27.174.49:995
2.7.65.32:2222
98.4.227.199:443
151.73.112.197:443
108.31.15.10:995
78.97.207.104:443
72.66.47.70:443
72.36.59.46:2222
80.240.26.178:443
184.97.134.255:443
216.201.162.158:443
146.200.250.36:2222
94.52.68.72:443
103.206.112.234:443
108.185.113.12:443
75.136.40.155:443
77.159.149.74:443
72.71.230.82:2222
66.215.32.224:443
45.32.155.12:443
203.106.195.67:443
199.247.16.80:443
41.227.67.92:443
173.3.17.223:995
185.19.190.81:443
78.96.199.79:443
173.245.152.231:443
75.137.239.211:443
1.160.141.215:443
217.165.96.127:990
50.244.112.10:995
41.97.179.154:443
134.0.196.46:995
45.32.165.134:443
41.225.13.128:8443
45.63.104.123:443
207.246.70.216:443
176.205.145.61:995
2.50.131.64:443
45.32.155.12:2222
96.30.198.161:443
140.82.27.132:443
45.32.155.12:995
24.43.22.220:993
173.70.165.101:995
202.141.244.118:995
80.195.103.146:2222
184.96.158.62:993
93.113.177.152:443
31.5.21.66:443
24.27.82.216:2222
84.247.55.190:443
188.27.178.166:443
45.32.162.253:443
95.179.247.224:443
199.247.22.145:443
95.76.27.6:443
81.97.154.100:443
174.30.165.242:2222
197.210.96.222:995
203.45.104.33:443
45.46.53.140:2222
189.183.209.130:995
173.21.10.71:2222
47.138.201.136:443
144.139.47.206:443
69.123.179.70:443
69.123.116.167:2222
24.40.173.134:443
173.173.1.164:443
117.199.7.191:443
85.204.189.105:443
72.29.181.78:2222
71.220.164.199:2222
65.102.150.178:995
24.128.117.95:443
69.47.239.10:443
200.38.254.177:443
201.103.145.28:443
74.195.88.59:443
66.97.247.15:443
50.29.166.232:995
83.110.3.77:2078
98.115.243.237:443
99.240.226.2:443
73.200.219.143:443
24.205.42.241:443
72.196.114.129:443
206.183.190.53:993
67.6.55.77:443
68.184.45.73:443
24.28.183.107:995
98.121.187.78:443
98.240.24.57:443
67.165.206.193:993
89.33.87.107:443
96.237.141.134:995
5.193.181.221:2078
24.213.191.38:0
108.30.125.94:443
108.191.28.158:443
71.197.126.250:443
68.46.142.48:995
75.136.26.147:443
72.82.15.220:443
191.84.0.209:443
71.182.142.63:443
36.236.230.253:443
186.31.47.254:443
68.104.6.221:443
74.137.189.78:443
79.117.56.230:443
68.33.206.204:443
187.200.72.253:443
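Before a list like the one above goes into a block list or IDS, each entry should be validated and deduplicated; the following is an added example, not part of the sandbox report. The sample input is a subset copied from the C2 list above together with the port-0 entry; the Suricata rule text uses the standard rule syntax, but the sid range is an assumption.

```python
"""Normalise an extracted Qakbot C2 list into verifiable indicators.

Added example; not part of the sandbox report. SAMPLE_CONFIG is a subset
of the host:port entries from the extracted config above.
"""
import ipaddress
from collections import Counter

# Constructed input: copied from the extracted config above, including the
# malformed port-0 entry the list contains.
SAMPLE_CONFIG = """\
50.104.68.223:443
89.137.211.239:443
197.37.69.138:993
39.37.247.97:995
108.190.151.108:2222
83.110.3.77:2078
41.225.13.128:8443
217.165.96.127:990
45.32.155.12:443
45.32.155.12:2222
45.32.155.12:995
24.213.191.38:0
"""


def parse_c2_list(text):
    """Return (valid, rejected); valid is a list of (ip, port) tuples.

    An entry is rejected when the host is not a globally routable IPv4
    address or the port is outside 1-65535, so an artefact such as ':0'
    never reaches a block list or IDS rule.
    """
    valid, rejected = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, sep, port_s = line.rpartition(":")
        if not sep or not port_s.isdigit():
            rejected.append((line, "malformed"))
            continue
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            rejected.append((line, "bad host"))
            continue
        if ip.version != 4 or not ip.is_global:
            rejected.append((line, "non-routable host"))
            continue
        port = int(port_s)
        if not 1 <= port <= 65535:
            rejected.append((line, "bad port"))
            continue
        valid.append((str(ip), port))
    return valid, rejected


def summarise(valid):
    """Unique hosts in numeric order, and the number of entries per port."""
    hosts = sorted({ip for ip, _ in valid}, key=ipaddress.IPv4Address)
    by_port = Counter(port for _, port in valid)
    return hosts, dict(by_port)


def suricata_rules(valid, sid_base=9000000):
    """One outbound TCP rule per host:port pair (sid range is an assumption)."""
    rules = []
    for i, (ip, port) in enumerate(sorted(valid)):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"Qakbot C2 {ip}:{port}"; flow:to_server; '
            f'sid:{sid_base + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    ok, bad = parse_c2_list(SAMPLE_CONFIG)
    hosts, by_port = summarise(ok)
    print(f"{len(ok)} valid entries, {len(hosts)} unique hosts, per port: {by_port}")
    for entry, why in bad:
        print(f"rejected {entry}: {why}")
    print("\n".join(suricata_rules(ok)))
```

Run it on the full list by replacing SAMPLE_CONFIG with the 150 lines above. Qakbot C2 lists are made up largely of infected hosts that relay traffic, so indicators of this kind age quickly and are better used for retrospective hunting than as a long-lived block list.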
Signatures

Executes dropped EXE (5 IoCs)
  PID 1620 exlwhtih.exe
  PID 1008 exlwhtih.exe
  PID 1540 ekpkpeyl.exe
  PID 1556 ekpkpeyl.exe
  PID 1100 exlwhtih.exe

Loads dropped DLL (4 IoCs)
  PID 308 EXCEL.EXE (2 loads)
  PID 1620 exlwhtih.exe (2 loads)

Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Enumerates system info in registry (2 TTPs, 1 IoCs)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor (EXCEL.EXE)

Modifies Internet Explorer settings (9 IoCs, all by EXCEL.EXE, under \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer)
  Key created: MenuExt
  Key created: MenuExt\E&xport to Microsoft Excel
  Set value (str): MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
  Set value (int): MenuExt\E&xport to Microsoft Excel\Contexts = "1"
  Key created: MenuExt\Se&nd to OneNote
  Set value (str): MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
  Set value (int): MenuExt\Se&nd to OneNote\Contexts = "55"
  Key created: Toolbar
  Set value (str): Toolbar\ShowDiscussionButton = "Yes"
  (These are the IE menu-extension entries Office registers on first run; they come from Excel itself, not from the document.)

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  PID 308 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (9 IoCs)
  PID 1620 exlwhtih.exe (1)
  PID 1008 exlwhtih.exe (2)
  PID 1540 ekpkpeyl.exe (1)
  PID 1556 ekpkpeyl.exe (2)
  PID 1960 explorer.exe (2)
  PID 1100 exlwhtih.exe (1)

Suspicious behavior: MapViewOfSection (1 IoCs)
  PID 1540 ekpkpeyl.exe

Suspicious use of SetWindowsHookEx (5 IoCs)
  PID 308 EXCEL.EXE (5 calls)

Suspicious use of WriteProcessMemory (29 IoCs)
  Writer (PID, image)      Target PID (sandbox procid)   Writes
  308 EXCEL.EXE            1620 (31)                     4
  1620 exlwhtih.exe        1008 (33)                     4
  1620 exlwhtih.exe        1540 (34)                     4
  1620 exlwhtih.exe        1536 (35)                     4
  1540 ekpkpeyl.exe        1556 (37)                     4
  1540 ekpkpeyl.exe        1960 (38)                     5
  560 taskeng.exe          1100 (40)                     4
  The rows with four writes are the writes a parent makes into a child it has just created and are not by themselves evidence of injection. The 1540 to 1960 row (five writes into a freshly spawned SysWOW64\explorer.exe, with MapViewOfSection recorded for 1540) is consistent with the bot injecting itself into explorer.exe.
Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE  [PID 308]
  command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\doc_pack-1961863602.xlsb
  - Loads dropped DLL
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  > C:\hgoitk\nkorpy\exlwhtih.exe  [PID 1620]
      command line: "C:\hgoitk\nkorpy\exlwhtih.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      > C:\hgoitk\nkorpy\exlwhtih.exe  [PID 1008]
          command line: C:\hgoitk\nkorpy\exlwhtih.exe /C
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
      > C:\Users\Admin\AppData\Roaming\Microsoft\Zeinaemtk\ekpkpeyl.exe  [PID 1540]
          command line: C:\Users\Admin\AppData\Roaming\Microsoft\Zeinaemtk\ekpkpeyl.exe
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of WriteProcessMemory
          > C:\Users\Admin\AppData\Roaming\Microsoft\Zeinaemtk\ekpkpeyl.exe  [PID 1556]
              command line: C:\Users\Admin\AppData\Roaming\Microsoft\Zeinaemtk\ekpkpeyl.exe /C
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
          > C:\Windows\SysWOW64\explorer.exe  [PID 1960]
              command line: C:\Windows\SysWOW64\explorer.exe
              - Suspicious behavior: EnumeratesProcesses
      > C:\Windows\SysWOW64\schtasks.exe  [PID 1536]
          command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn alslwqzdd /tr "\"C:\hgoitk\nkorpy\exlwhtih.exe\" /I alslwqzdd" /SC ONCE /Z /ST 04:59 /ET 05:11
          - Creates scheduled task(s)

C:\Windows\system32\taskeng.exe  [PID 560]
  command line: taskeng.exe {40C216F6-F533-4C8B-A251-C14D36DCE5BA} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  > C:\hgoitk\nkorpy\exlwhtih.exe  [PID 1100]
      command line: C:\hgoitk\nkorpy\exlwhtih.exe /I alslwqzdd
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
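The tree above shows the whole chain: Excel starts a dropped executable from C:\hgoitk\nkorpy, that executable registers a one-shot scheduled task as NT AUTHORITY\SYSTEM (/SC ONCE, deleted after running because of /Z) pointing back at itself with /I, the second-stage binary in AppData\Roaming spawns a SysWOW64\explorer.exe to host the injected bot, and taskeng.exe running as S-1-5-18 does launch the task (PID 1100), which means the sandbox user was able to create a SYSTEM task. The following is an added example, not part of the report, of process-creation detections that cover each of those steps. The event list is constructed from the tree above; its field names are an assumption, not any sandbox or EDR schema.

```python
"""Detections for the execution chain in the process tree above.

Added example, not part of the sandbox report. EVENTS is constructed from
the tree (image path, command line, PID, parent image); the field names
are an assumption, not any sandbox or EDR schema.
"""
import re

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Roots under which a freshly dropped executable would not normally live.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# A quoted argument (allowing \" escapes) or a bare token.
TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')

OFFICE = r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"
DROPPER = r"C:\hgoitk\nkorpy\exlwhtih.exe"
BOT = r"C:\Users\Admin\AppData\Roaming\Microsoft\Zeinaemtk\ekpkpeyl.exe"
TASKENG = r"C:\Windows\system32\taskeng.exe"

EVENTS = [  # constructed from the report's process tree; parent None = not shown
    {"pid": 308, "image": OFFICE, "parent": None,
     "cmd": f'"{OFFICE}" /dde C:\\Users\\Admin\\AppData\\Local\\Temp\\doc_pack-1961863602.xlsb'},
    {"pid": 1620, "image": DROPPER, "parent": OFFICE, "cmd": f'"{DROPPER}"'},
    {"pid": 1008, "image": DROPPER, "parent": DROPPER, "cmd": f"{DROPPER} /C"},
    {"pid": 1540, "image": BOT, "parent": DROPPER, "cmd": BOT},
    {"pid": 1556, "image": BOT, "parent": BOT, "cmd": f"{BOT} /C"},
    {"pid": 1960, "image": r"C:\Windows\SysWOW64\explorer.exe", "parent": BOT,
     "cmd": r"C:\Windows\SysWOW64\explorer.exe"},
    {"pid": 1536, "image": r"C:\Windows\SysWOW64\schtasks.exe", "parent": DROPPER,
     "cmd": r'"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn alslwqzdd '
            r'/tr "\"C:\hgoitk\nkorpy\exlwhtih.exe\" /I alslwqzdd" /SC ONCE /Z /ST 04:59 /ET 05:11'},
    {"pid": 560, "image": TASKENG, "parent": None,
     "cmd": r"taskeng.exe {40C216F6-F533-4C8B-A251-C14D36DCE5BA} S-1-5-18:NT AUTHORITY\System:Service:"},
    {"pid": 1100, "image": DROPPER, "parent": TASKENG, "cmd": f"{DROPPER} /I alslwqzdd"},
]


def basename(path):
    """Lower-cased file name of a Windows path ('' for a missing parent)."""
    return path.rsplit("\\", 1)[-1].lower() if path else ""


def trusted(path):
    """True for images under Windows or Program Files; an unknown parent passes."""
    return path is None or path.lower().startswith(TRUSTED_ROOTS)


def tokens(cmd):
    """Split a Windows command line, keeping quoted arguments whole."""
    return [q.replace('\\"', '"') if q else bare for q, bare in TOKEN.findall(cmd)]


def schtasks_target(cmd):
    """For 'schtasks /Create ...' return (run_as, image the task runs); else None."""
    toks = tokens(cmd)
    low = [t.lower() for t in toks]
    if "/create" not in low:
        return None

    def arg(flag):  # value following a flag, '' if absent
        i = low.index(flag) + 1 if flag in low else len(toks)
        return toks[i] if i < len(toks) else ""

    tr = arg("/tr")  # e.g. "C:\...\exlwhtih.exe" /I alslwqzdd (quotes unescaped)
    quoted = re.match(r'"([^"]*)"', tr)
    image = quoted.group(1) if quoted else tr.split(" ", 1)[0]
    return arg("/ru"), image


def detect(events):
    """Return [(pid, rule)] for: Office starting an executable outside trusted
    roots, a task runner doing the same, schtasks creating a SYSTEM task or one
    pointing outside trusted roots, and explorer.exe spawned by an untrusted
    parent (an injection host)."""
    alerts = []
    for ev in events:
        name, pname = basename(ev["image"]), basename(ev["parent"])
        if pname in OFFICE_IMAGES and not trusted(ev["image"]):
            alerts.append((ev["pid"], "office-spawned-untrusted-exe"))
        if pname == "taskeng.exe" and not trusted(ev["image"]):
            alerts.append((ev["pid"], "scheduled-task-ran-untrusted-exe"))
        if name == "schtasks.exe":
            parsed = schtasks_target(ev["cmd"])
            if parsed and ("system" in parsed[0].lower()
                           or (parsed[1] and not trusted(parsed[1]))):
                alerts.append((ev["pid"], "schtasks-system-task-untrusted-target"))
        if name == "explorer.exe" and not trusted(ev["parent"]):
            alerts.append((ev["pid"], "explorer-spawned-by-untrusted-parent"))
    return alerts


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"PID {pid}: {rule}")
```

The command-line parser is the part worth keeping: the /tr value in the schtasks line is itself a quoted command line with escaped quotes, so a naive split on spaces would yield a path fragment rather than C:\hgoitk\nkorpy\exlwhtih.exe, and the trusted-root check would never fire.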
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: 549e451c4405428fe0f5041f90e1911d
SHA1: 7b0340f14a8d1cfe85f9691ba6d5a6734017bea5
SHA256: 966c65672d9d6f72898fa643ee3a889c582e1a199a828fea2e3bb93ad4c26624
SHA512: 96d70d14fdabf03584415468bb4b6c9ed9d6c17d1deb9125f08d44c9600e72154edb69086ab559aa6e9df4fc159733585dbd5738d31547b7b2237543ff1e4f76

MD5: e7fb89ff479959bedf84eed00a642f07
SHA1: fa31fb2d426f237ccd67a78b848b40ee1c001166
SHA256: 9089e9c57d46d65745dce684b639571617890c5ddabdf049122314cd7b1c7b13
SHA512: 328f29767511d3f5d61e3d6462282bc7f8919ec02c9cd82c94c25018d9004af773cfe3734a9524dfad9909c7c0147d086dfa52931432241a0fd801ccaceeda6e
(the report lists this second entry eleven times with identical hashes; the repeats are collapsed here)