Analysis
-
max time kernel
148s -
max time network
147s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
04-12-2020 16:02
Static task
static1
Behavioral task
behavioral1
Sample
Complaint-Letter_1492841762_12042020.xls
Resource
win7v20201028
Behavioral task
behavioral2
Sample
Complaint-Letter_1492841762_12042020.xls
Resource
win10v20201028
General
-
Target
Complaint-Letter_1492841762_12042020.xls
-
Size
43KB
-
MD5
e1bddad335af1cbf14788dfd3b898a59
-
SHA1
1bbc9138c1f5fbd83c0484b2e00fc7d0ec03bb4d
-
SHA256
bcc1731e3f2dc4772be5ad445247f717b82ec84eda5f86adc57824241dc77823
-
SHA512
7aaf789e6fbdea965773046e966ae57d097c8b07fd5ccdf3ed90a380160c56ea105dfe6da48fb7981b618180f22976e9db0d3f6edd46cec23f83ac0d78526e51
Malware Config
Extracted
qakbot
abc107
1607078484
32.212.117.188:443
109.205.204.229:2222
72.36.59.46:2222
173.18.126.193:2222
96.225.88.23:443
89.137.211.239:443
110.142.205.182:443
82.76.47.211:443
193.83.25.177:995
67.40.253.209:995
73.244.83.199:443
2.90.186.243:995
189.252.62.238:995
141.237.135.194:443
82.78.70.128:443
185.125.151.172:443
79.117.239.22:2222
86.189.252.131:2222
83.114.243.80:2222
2.50.56.81:443
191.84.4.150:443
83.202.68.220:2222
184.98.97.227:995
96.21.251.127:2222
58.179.21.147:995
200.75.136.78:443
37.21.231.245:995
81.97.154.100:443
185.105.131.233:443
45.32.165.134:443
140.82.27.132:443
45.32.162.253:443
201.127.76.175:2222
86.122.248.164:2222
67.141.11.98:443
73.51.245.231:995
37.116.152.122:2078
111.95.212.237:2222
172.87.157.235:3389
116.240.78.45:995
68.131.19.52:443
93.149.253.201:2222
78.187.125.116:2222
86.121.43.200:443
82.76.238.65:2222
84.232.252.202:2222
184.21.136.237:995
37.234.175.105:995
80.14.22.234:2222
24.179.13.119:443
46.209.237.214:995
71.163.223.144:443
86.98.34.84:995
41.239.180.69:993
195.97.101.40:443
2.7.202.106:2222
103.102.100.78:2222
65.131.47.74:995
37.171.1.224:0
79.166.96.86:2222
83.110.74.173:443
120.150.218.241:443
161.142.217.62:443
180.233.150.134:443
182.161.6.57:3389
164.155.230.98:443
85.105.29.218:443
151.27.126.133:443
217.162.149.212:443
92.154.83.96:2087
105.198.236.99:443
72.66.47.70:443
211.24.72.253:443
118.160.160.116:443
72.28.255.159:995
86.97.162.141:2222
92.154.83.96:2222
68.46.142.48:995
47.196.192.184:443
24.218.181.15:443
24.43.22.220:993
193.248.154.174:2222
173.21.10.71:2222
75.136.40.155:443
67.61.157.208:443
125.63.101.62:443
2.51.246.190:995
98.121.187.78:443
172.78.30.215:443
160.3.184.253:443
78.162.70.119:443
80.11.5.65:2222
78.63.226.32:443
81.214.126.173:2222
80.195.103.146:2222
174.87.65.179:443
136.232.34.70:443
86.245.87.251:2078
47.146.34.236:443
24.95.61.62:443
87.218.53.206:2222
176.45.218.26:995
197.86.204.84:443
78.101.145.96:61201
174.62.13.151:443
37.106.7.7:443
81.150.181.168:2222
94.69.112.148:2222
151.33.226.156:443
109.154.193.21:2222
69.181.191.232:443
96.40.175.33:443
79.115.171.106:2222
217.128.117.218:2222
87.115.120.176:2222
89.137.77.237:443
47.21.192.182:2222
81.133.234.36:2222
62.38.114.12:2222
94.52.160.116:443
181.129.155.10:443
84.117.176.32:443
151.75.13.83:443
45.63.107.192:2222
197.135.156.41:443
78.181.19.134:443
71.10.43.79:443
92.154.83.96:2078
144.202.38.185:995
149.28.99.97:2222
149.28.98.196:443
144.202.38.185:443
149.28.98.196:995
92.154.83.96:1194
149.28.99.97:443
89.137.211.72:443
45.63.107.192:995
149.28.98.196:2222
144.202.38.185:2222
203.106.195.67:443
162.157.19.33:2222
98.124.76.187:443
122.59.40.31:443
199.116.241.147:443
121.58.199.24:443
120.151.95.167:443
85.132.36.111:2222
75.136.26.147:443
24.27.82.216:2222
94.69.242.254:2222
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exedescription pid pid_target process target process Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process 1680 1744 rundll32.exe EXCEL.EXE -
Loads dropped DLL 2 IoCs
Processes:
rundll32.exeregsvr32.exepid process 1680 rundll32.exe 1472 regsvr32.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Processes:
EXCEL.EXEdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 1744 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
rundll32.exepid process 1680 rundll32.exe 1680 rundll32.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
rundll32.exepid process 1680 rundll32.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
EXCEL.EXEpid process 1744 EXCEL.EXE 1744 EXCEL.EXE 1744 EXCEL.EXE -
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
EXCEL.EXErundll32.exeexplorer.exetaskeng.exeregsvr32.exedescription pid process target process PID 1744 wrote to memory of 1680 1744 EXCEL.EXE rundll32.exe PID 1744 wrote to memory of 1680 1744 EXCEL.EXE rundll32.exe PID 1744 wrote to memory of 1680 1744 EXCEL.EXE rundll32.exe PID 1744 wrote to memory of 1680 1744 EXCEL.EXE rundll32.exe PID 1744 wrote to memory of 1680 1744 EXCEL.EXE rundll32.exe PID 1744 wrote to memory of 1680 1744 EXCEL.EXE rundll32.exe PID 1744 wrote to memory of 1680 1744 EXCEL.EXE rundll32.exe PID 1680 wrote to memory of 928 1680 rundll32.exe explorer.exe PID 1680 wrote to memory of 928 1680 rundll32.exe explorer.exe PID 1680 wrote to memory of 928 1680 rundll32.exe explorer.exe PID 1680 wrote to memory of 928 1680 rundll32.exe explorer.exe PID 1680 wrote to memory of 928 1680 rundll32.exe explorer.exe PID 1680 wrote to memory of 928 1680 rundll32.exe explorer.exe PID 928 wrote to memory of 988 928 explorer.exe schtasks.exe PID 928 wrote to memory of 988 928 explorer.exe schtasks.exe PID 928 wrote to memory of 988 928 explorer.exe schtasks.exe PID 928 wrote to memory of 988 928 explorer.exe schtasks.exe PID 1596 wrote to memory of 1376 1596 taskeng.exe regsvr32.exe PID 1596 wrote to memory of 1376 1596 taskeng.exe regsvr32.exe PID 1596 wrote to memory of 1376 1596 taskeng.exe regsvr32.exe PID 1596 wrote to memory of 1376 1596 taskeng.exe regsvr32.exe PID 1596 wrote to memory of 1376 1596 taskeng.exe regsvr32.exe PID 1376 wrote to memory of 1472 1376 regsvr32.exe regsvr32.exe PID 1376 wrote to memory of 1472 1376 regsvr32.exe regsvr32.exe PID 1376 wrote to memory of 1472 1376 regsvr32.exe regsvr32.exe PID 1376 wrote to memory of 1472 1376 regsvr32.exe regsvr32.exe PID 1376 wrote to memory of 1472 1376 regsvr32.exe regsvr32.exe PID 1376 wrote to memory of 1472 1376 regsvr32.exe regsvr32.exe PID 1376 wrote to memory of 1472 1376 regsvr32.exe regsvr32.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Complaint-Letter_1492841762_12042020.xls1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\rundll32.exerundll32 ..\AppData\Roaming\Herti.klaciiaa,DllRegisterServer2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Suspicious use of WriteProcessMemory
PID:928 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn rpiocrpl /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Roaming\Herti.klaciiaa\"" /SC ONCE /Z /ST 17:08 /ET 17:204⤵
- Creates scheduled task(s)
PID:988
-
C:\Windows\system32\taskeng.exetaskeng.exe {8268D2D6-6FA7-47CB-B14A-57EC9986FF8E} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Windows\system32\regsvr32.exeregsvr32.exe -s "C:\Users\Admin\AppData\Roaming\Herti.klaciiaa"2⤵
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\SysWOW64\regsvr32.exe-s "C:\Users\Admin\AppData\Roaming\Herti.klaciiaa"3⤵
- Loads dropped DLL
PID:1472
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Herti.klaciiaaMD5
62f22aeaeaa3a2d7ea7143746c307bea
SHA1b93d53494d7ca2d6fbb753f23ee4b6a3c48d0f67
SHA2564263d7a580a32040b17edca153a90feb2bf43962a5b6f5e931e1eb5915a3a748
SHA512cef5d889ede6e5d41cd2f19212b05c1cb39f61c57720a995066fc547b6492697b89d9f2870e37897ae7983758ad5409008fa7aba12d48cd9a8f1f8476e5cd564
-
C:\Users\Admin\AppData\Roaming\Herti.klaciiaaMD5
e824660bd9cdbd13c57a6d18cbfd05be
SHA10445446c25600aacad41cef204abd85f573f6fb0
SHA2568614f431ffea53bde4b1da6e4b015925bb35a33d7098381c8199b832feb72b99
SHA512f2c739f98aeca94dc88925f6fe88bca4b75c74549f97b19a7ba97acce99989a5eba976cd2d9812fa07e2190c11911a86547aa9d46a1f4704a7f53ab3165fc4ec
-
\Users\Admin\AppData\Roaming\Herti.klaciiaaMD5
62f22aeaeaa3a2d7ea7143746c307bea
SHA1b93d53494d7ca2d6fbb753f23ee4b6a3c48d0f67
SHA2564263d7a580a32040b17edca153a90feb2bf43962a5b6f5e931e1eb5915a3a748
SHA512cef5d889ede6e5d41cd2f19212b05c1cb39f61c57720a995066fc547b6492697b89d9f2870e37897ae7983758ad5409008fa7aba12d48cd9a8f1f8476e5cd564
-
\Users\Admin\AppData\Roaming\Herti.klaciiaaMD5
e824660bd9cdbd13c57a6d18cbfd05be
SHA10445446c25600aacad41cef204abd85f573f6fb0
SHA2568614f431ffea53bde4b1da6e4b015925bb35a33d7098381c8199b832feb72b99
SHA512f2c739f98aeca94dc88925f6fe88bca4b75c74549f97b19a7ba97acce99989a5eba976cd2d9812fa07e2190c11911a86547aa9d46a1f4704a7f53ab3165fc4ec
-
memory/928-8-0x0000000000000000-mapping.dmp
-
memory/928-11-0x00000000000D0000-0x00000000000F1000-memory.dmpFilesize
132KB
-
memory/928-6-0x0000000000080000-0x0000000000082000-memory.dmpFilesize
8KB
-
memory/988-10-0x0000000000000000-mapping.dmp
-
memory/1344-2-0x000007FEF5BD0000-0x000007FEF5E4A000-memory.dmpFilesize
2.5MB
-
memory/1376-12-0x0000000000000000-mapping.dmp
-
memory/1472-14-0x0000000000000000-mapping.dmp
-
memory/1680-7-0x00000000001F0000-0x0000000000211000-memory.dmpFilesize
132KB
-
memory/1680-9-0x0000000010000000-0x0000000010021000-memory.dmpFilesize
132KB
-
memory/1680-3-0x0000000000000000-mapping.dmp