Analysis
-
max time kernel
145s -
max time network
148s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
04-12-2020 15:10
Static task
static1
Behavioral task
behavioral1
Sample
Complaint-Letter_2082718428_12042020.xls
Resource
win7v20201028
Behavioral task
behavioral2
Sample
Complaint-Letter_2082718428_12042020.xls
Resource
win10v20201028
General
-
Target
Complaint-Letter_2082718428_12042020.xls
-
Size
43KB
-
MD5
af743920f1c2a88671efd757f7eaa9b7
-
SHA1
d1743d50f044da581d99ffd7a81956c74262d896
-
SHA256
bc6bb3e5c68a9624544780f6f1a7b411b4a0906b7662110b38e7cfff280731c3
-
SHA512
69b6fcfabba261bea736c097d362ff8aa7255e71d0ec6a0c99624e4dd5033824fa6a279a10fcbbd6462e98b41d53df1ab3a94aea78dc0f1771786dffac504644
Malware Config
Extracted
qakbot
abc107
1607078484
32.212.117.188:443
109.205.204.229:2222
72.36.59.46:2222
173.18.126.193:2222
96.225.88.23:443
89.137.211.239:443
110.142.205.182:443
82.76.47.211:443
193.83.25.177:995
67.40.253.209:995
73.244.83.199:443
2.90.186.243:995
189.252.62.238:995
141.237.135.194:443
82.78.70.128:443
185.125.151.172:443
79.117.239.22:2222
86.189.252.131:2222
83.114.243.80:2222
2.50.56.81:443
191.84.4.150:443
83.202.68.220:2222
184.98.97.227:995
96.21.251.127:2222
58.179.21.147:995
200.75.136.78:443
37.21.231.245:995
81.97.154.100:443
185.105.131.233:443
45.32.165.134:443
140.82.27.132:443
45.32.162.253:443
201.127.76.175:2222
86.122.248.164:2222
67.141.11.98:443
73.51.245.231:995
37.116.152.122:2078
111.95.212.237:2222
172.87.157.235:3389
116.240.78.45:995
68.131.19.52:443
93.149.253.201:2222
78.187.125.116:2222
86.121.43.200:443
82.76.238.65:2222
84.232.252.202:2222
184.21.136.237:995
37.234.175.105:995
80.14.22.234:2222
24.179.13.119:443
46.209.237.214:995
71.163.223.144:443
86.98.34.84:995
41.239.180.69:993
195.97.101.40:443
2.7.202.106:2222
103.102.100.78:2222
65.131.47.74:995
37.171.1.224:0
79.166.96.86:2222
83.110.74.173:443
120.150.218.241:443
161.142.217.62:443
180.233.150.134:443
182.161.6.57:3389
164.155.230.98:443
85.105.29.218:443
151.27.126.133:443
217.162.149.212:443
92.154.83.96:2087
105.198.236.99:443
72.66.47.70:443
211.24.72.253:443
118.160.160.116:443
72.28.255.159:995
86.97.162.141:2222
92.154.83.96:2222
68.46.142.48:995
47.196.192.184:443
24.218.181.15:443
24.43.22.220:993
193.248.154.174:2222
173.21.10.71:2222
75.136.40.155:443
67.61.157.208:443
125.63.101.62:443
2.51.246.190:995
98.121.187.78:443
172.78.30.215:443
160.3.184.253:443
78.162.70.119:443
80.11.5.65:2222
78.63.226.32:443
81.214.126.173:2222
80.195.103.146:2222
174.87.65.179:443
136.232.34.70:443
86.245.87.251:2078
47.146.34.236:443
24.95.61.62:443
87.218.53.206:2222
176.45.218.26:995
197.86.204.84:443
78.101.145.96:61201
174.62.13.151:443
37.106.7.7:443
81.150.181.168:2222
94.69.112.148:2222
151.33.226.156:443
109.154.193.21:2222
69.181.191.232:443
96.40.175.33:443
79.115.171.106:2222
217.128.117.218:2222
87.115.120.176:2222
89.137.77.237:443
47.21.192.182:2222
81.133.234.36:2222
62.38.114.12:2222
94.52.160.116:443
181.129.155.10:443
84.117.176.32:443
151.75.13.83:443
45.63.107.192:2222
197.135.156.41:443
78.181.19.134:443
71.10.43.79:443
92.154.83.96:2078
144.202.38.185:995
149.28.99.97:2222
149.28.98.196:443
144.202.38.185:443
149.28.98.196:995
92.154.83.96:1194
149.28.99.97:443
89.137.211.72:443
45.63.107.192:995
149.28.98.196:2222
144.202.38.185:2222
203.106.195.67:443
162.157.19.33:2222
98.124.76.187:443
122.59.40.31:443
199.116.241.147:443
121.58.199.24:443
120.151.95.167:443
85.132.36.111:2222
75.136.26.147:443
24.27.82.216:2222
94.69.242.254:2222
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exedescription pid pid_target process target process Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process 368 1824 rundll32.exe EXCEL.EXE -
Loads dropped DLL 2 IoCs
Processes:
rundll32.exeregsvr32.exepid process 368 rundll32.exe 1680 regsvr32.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Processes:
EXCEL.EXEdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 1824 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
rundll32.exepid process 368 rundll32.exe 368 rundll32.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
rundll32.exepid process 368 rundll32.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
EXCEL.EXEpid process 1824 EXCEL.EXE 1824 EXCEL.EXE 1824 EXCEL.EXE -
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
EXCEL.EXErundll32.exeexplorer.exetaskeng.exeregsvr32.exedescription pid process target process PID 1824 wrote to memory of 368 1824 EXCEL.EXE rundll32.exe PID 1824 wrote to memory of 368 1824 EXCEL.EXE rundll32.exe PID 1824 wrote to memory of 368 1824 EXCEL.EXE rundll32.exe PID 1824 wrote to memory of 368 1824 EXCEL.EXE rundll32.exe PID 1824 wrote to memory of 368 1824 EXCEL.EXE rundll32.exe PID 1824 wrote to memory of 368 1824 EXCEL.EXE rundll32.exe PID 1824 wrote to memory of 368 1824 EXCEL.EXE rundll32.exe PID 368 wrote to memory of 1000 368 rundll32.exe explorer.exe PID 368 wrote to memory of 1000 368 rundll32.exe explorer.exe PID 368 wrote to memory of 1000 368 rundll32.exe explorer.exe PID 368 wrote to memory of 1000 368 rundll32.exe explorer.exe PID 368 wrote to memory of 1000 368 rundll32.exe explorer.exe PID 368 wrote to memory of 1000 368 rundll32.exe explorer.exe PID 1000 wrote to memory of 616 1000 explorer.exe schtasks.exe PID 1000 wrote to memory of 616 1000 explorer.exe schtasks.exe PID 1000 wrote to memory of 616 1000 explorer.exe schtasks.exe PID 1000 wrote to memory of 616 1000 explorer.exe schtasks.exe PID 1916 wrote to memory of 1528 1916 taskeng.exe regsvr32.exe PID 1916 wrote to memory of 1528 1916 taskeng.exe regsvr32.exe PID 1916 wrote to memory of 1528 1916 taskeng.exe regsvr32.exe PID 1916 wrote to memory of 1528 1916 taskeng.exe regsvr32.exe PID 1916 wrote to memory of 1528 1916 taskeng.exe regsvr32.exe PID 1528 wrote to memory of 1680 1528 regsvr32.exe regsvr32.exe PID 1528 wrote to memory of 1680 1528 regsvr32.exe regsvr32.exe PID 1528 wrote to memory of 1680 1528 regsvr32.exe regsvr32.exe PID 1528 wrote to memory of 1680 1528 regsvr32.exe regsvr32.exe PID 1528 wrote to memory of 1680 1528 regsvr32.exe regsvr32.exe PID 1528 wrote to memory of 1680 1528 regsvr32.exe regsvr32.exe PID 1528 wrote to memory of 1680 1528 regsvr32.exe regsvr32.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Complaint-Letter_2082718428_12042020.xls1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32 ..\AppData\Roaming\Herti.klaciiaa,DllRegisterServer2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn umlmpqasl /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Roaming\Herti.klaciiaa\"" /SC ONCE /Z /ST 15:08 /ET 15:204⤵
- Creates scheduled task(s)
-
C:\Windows\system32\taskeng.exetaskeng.exe {BEA35088-1961-411A-BB7A-AAEC49452098} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exeregsvr32.exe -s "C:\Users\Admin\AppData\Roaming\Herti.klaciiaa"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe-s "C:\Users\Admin\AppData\Roaming\Herti.klaciiaa"3⤵
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Herti.klaciiaaMD5
5707f51f0b092a06abf4f605dc1c9b43
SHA18094f644906400da76925802d8dea4432ee9b86b
SHA256ac89662e83fd7ff5b5b28be5ec582c864c76d6f14de7f2dddf47b63b089048b6
SHA512566a001ed203cae8a0db617c621841f6358bd13e86cda6bd6ea31d03c24818a2716b5935f578855fdb9572d11d1bfe9811b682b7d31b96bc1244efba1754a8a0
-
C:\Users\Admin\AppData\Roaming\Herti.klaciiaaMD5
d816fe5f31af4196f84333384692e8a3
SHA19e9bd6ae31de39496e15a2a3968d4a2cbc8a5f9b
SHA2565936a37a90f3c7ab44d79d93388f38eba56e8b0f391b7aeaa0a1a65e4cd97b76
SHA51265b3dbcf089e8ac3dc700f85f35c6a2a14ebfee6efbc87d73c23b408d58feb20cd0a0641a05ac8acf665b29efd75d6f3368fce0f2d7245447ad99189c0857f33
-
\Users\Admin\AppData\Roaming\Herti.klaciiaaMD5
5707f51f0b092a06abf4f605dc1c9b43
SHA18094f644906400da76925802d8dea4432ee9b86b
SHA256ac89662e83fd7ff5b5b28be5ec582c864c76d6f14de7f2dddf47b63b089048b6
SHA512566a001ed203cae8a0db617c621841f6358bd13e86cda6bd6ea31d03c24818a2716b5935f578855fdb9572d11d1bfe9811b682b7d31b96bc1244efba1754a8a0
-
\Users\Admin\AppData\Roaming\Herti.klaciiaaMD5
d816fe5f31af4196f84333384692e8a3
SHA19e9bd6ae31de39496e15a2a3968d4a2cbc8a5f9b
SHA2565936a37a90f3c7ab44d79d93388f38eba56e8b0f391b7aeaa0a1a65e4cd97b76
SHA51265b3dbcf089e8ac3dc700f85f35c6a2a14ebfee6efbc87d73c23b408d58feb20cd0a0641a05ac8acf665b29efd75d6f3368fce0f2d7245447ad99189c0857f33
-
memory/368-3-0x0000000000000000-mapping.dmp
-
memory/368-7-0x00000000001F0000-0x0000000000211000-memory.dmpFilesize
132KB
-
memory/368-9-0x0000000010000000-0x0000000010021000-memory.dmpFilesize
132KB
-
memory/616-10-0x0000000000000000-mapping.dmp
-
memory/1000-8-0x0000000000000000-mapping.dmp
-
memory/1000-11-0x0000000000080000-0x00000000000A1000-memory.dmpFilesize
132KB
-
memory/1000-6-0x00000000000B0000-0x00000000000B2000-memory.dmpFilesize
8KB
-
memory/1408-2-0x000007FEF7020000-0x000007FEF729A000-memory.dmpFilesize
2.5MB
-
memory/1528-12-0x0000000000000000-mapping.dmp
-
memory/1680-14-0x0000000000000000-mapping.dmp