Analysis
-
max time kernel
146s -
max time network
131s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
16-12-2020 10:40
Static task
static1
Behavioral task
behavioral1
Sample
Document_314379760-Copy.xls
Resource
win7v20201028
Behavioral task
behavioral2
Sample
Document_314379760-Copy.xls
Resource
win10v20201028
General
-
Target
Document_314379760-Copy.xls
-
Size
59KB
-
MD5
24e2b1dc895e185efb45e60cda15abbf
-
SHA1
6e49f02ddab975d859f401d4ea59fb6fec37ce7f
-
SHA256
d92c94030dca29964cb4e5cd8a31c6fc73ce0b0e01734450aed7e3327f132e78
-
SHA512
93b0f7cb2c948123b7bd13db860b891686522a0bbc16890a6cbfcff1a4b0c91475f56d2b079612bd75daec415cf42688f82d202509533b3512cd4c80b7911b3e
Malware Config
Extracted
qakbot
abc110
1607524278
78.63.226.32:443
72.252.201.69:443
68.190.152.98:443
72.240.200.181:2222
216.137.142.200:2222
87.27.110.90:2222
94.69.242.254:2222
189.183.209.211:443
94.26.119.221:443
186.189.208.238:443
161.199.180.159:443
197.45.110.165:995
83.110.221.218:443
105.198.236.99:443
83.110.158.22:2222
24.37.178.158:443
185.105.131.233:443
79.101.206.250:995
92.154.83.96:2078
83.202.68.220:2222
217.39.74.146:2222
78.97.110.47:443
202.184.106.235:443
85.122.141.42:995
5.15.54.40:443
98.16.204.189:995
193.248.154.174:2222
67.82.244.199:2222
98.240.24.57:443
78.96.199.79:443
67.6.54.180:443
92.59.35.196:2083
109.205.204.229:2222
149.28.101.90:2222
2.89.122.180:995
71.182.142.63:443
108.160.123.244:443
37.106.117.51:443
80.14.22.234:2222
2.7.202.106:2222
46.124.106.217:6881
96.19.117.140:443
80.227.5.70:443
47.44.217.98:443
197.210.96.222:995
216.215.77.18:2222
77.27.174.49:995
78.189.29.95:443
72.66.116.178:995
108.190.151.108:2222
2.89.122.180:993
108.30.125.94:443
41.176.34.7:995
65.48.179.252:443
190.67.214.66:443
78.187.125.116:2222
174.76.21.134:443
47.22.148.6:995
24.229.150.54:995
91.104.235.91:995
81.97.154.100:443
155.186.9.160:443
197.51.82.115:995
197.161.154.132:443
86.121.3.80:443
85.132.36.111:2222
197.86.204.201:443
74.124.191.6:443
184.21.136.237:995
93.148.241.179:2222
92.154.83.96:1194
93.113.177.152:443
160.3.184.253:443
2.49.219.254:22
80.195.103.146:2222
151.75.23.92:443
217.128.117.218:2222
174.62.13.151:443
78.97.207.104:443
186.29.96.147:443
74.137.189.78:443
95.77.223.148:443
83.110.151.105:443
5.12.254.113:443
174.55.197.4:443
5.193.177.247:2078
78.181.19.134:443
95.76.27.6:443
219.74.176.225:443
85.105.29.218:443
120.150.218.241:443
2.50.47.61:2078
149.28.101.90:8443
78.162.70.119:443
50.244.112.10:995
125.63.101.62:443
103.102.100.78:2222
86.121.194.157:443
156.213.147.56:443
41.39.134.183:443
47.22.148.6:443
74.128.121.17:443
79.129.252.62:2222
77.132.113.187:2222
78.101.158.1:61201
24.201.61.153:2078
2.50.2.216:443
216.201.162.158:443
94.59.236.155:995
208.93.202.41:443
62.38.114.12:2222
172.87.157.235:3389
151.61.107.248:2222
50.244.112.90:443
87.218.53.206:2222
75.136.40.155:443
81.133.234.36:2222
197.135.87.55:443
96.225.88.23:443
41.239.137.134:993
176.181.247.197:443
102.185.13.89:443
83.196.50.197:2222
212.70.107.59:995
79.166.96.86:2222
81.214.126.173:2222
185.163.221.77:2222
2.51.240.250:995
59.89.129.103:443
83.114.243.80:2222
37.116.152.122:2078
80.106.85.24:2222
2.50.56.81:443
47.21.192.182:2222
74.195.52.3:443
184.98.97.227:995
81.150.181.168:2222
217.165.3.30:443
77.211.30.202:995
93.146.133.102:2222
35.134.202.234:443
96.21.251.127:2222
102.187.19.171:443
92.154.83.96:2087
37.211.93.46:443
84.117.176.32:443
58.179.21.147:995
98.124.76.187:443
24.139.72.117:443
2.50.159.196:2222
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exedescription pid pid_target process target process Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process 1980 996 rundll32.exe EXCEL.EXE -
Loads dropped DLL 2 IoCs
Processes:
rundll32.exeregsvr32.exepid process 1980 rundll32.exe 620 regsvr32.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Processes:
EXCEL.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 996 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
rundll32.exepid process 1980 rundll32.exe 1980 rundll32.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
rundll32.exepid process 1980 rundll32.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
EXCEL.EXEpid process 996 EXCEL.EXE 996 EXCEL.EXE 996 EXCEL.EXE 996 EXCEL.EXE 996 EXCEL.EXE 996 EXCEL.EXE 996 EXCEL.EXE -
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
EXCEL.EXErundll32.exeexplorer.exetaskeng.exeregsvr32.exedescription pid process target process PID 996 wrote to memory of 1980 996 EXCEL.EXE rundll32.exe PID 996 wrote to memory of 1980 996 EXCEL.EXE rundll32.exe PID 996 wrote to memory of 1980 996 EXCEL.EXE rundll32.exe PID 996 wrote to memory of 1980 996 EXCEL.EXE rundll32.exe PID 996 wrote to memory of 1980 996 EXCEL.EXE rundll32.exe PID 996 wrote to memory of 1980 996 EXCEL.EXE rundll32.exe PID 996 wrote to memory of 1980 996 EXCEL.EXE rundll32.exe PID 1980 wrote to memory of 908 1980 rundll32.exe explorer.exe PID 1980 wrote to memory of 908 1980 rundll32.exe explorer.exe PID 1980 wrote to memory of 908 1980 rundll32.exe explorer.exe PID 1980 wrote to memory of 908 1980 rundll32.exe explorer.exe PID 1980 wrote to memory of 908 1980 rundll32.exe explorer.exe PID 1980 wrote to memory of 908 1980 rundll32.exe explorer.exe PID 908 wrote to memory of 1424 908 explorer.exe schtasks.exe PID 908 wrote to memory of 1424 908 explorer.exe schtasks.exe PID 908 wrote to memory of 1424 908 explorer.exe schtasks.exe PID 908 wrote to memory of 1424 908 explorer.exe schtasks.exe PID 1224 wrote to memory of 960 1224 taskeng.exe regsvr32.exe PID 1224 wrote to memory of 960 1224 taskeng.exe regsvr32.exe PID 1224 wrote to memory of 960 1224 taskeng.exe regsvr32.exe PID 1224 wrote to memory of 960 1224 taskeng.exe regsvr32.exe PID 1224 wrote to memory of 960 1224 taskeng.exe regsvr32.exe PID 960 wrote to memory of 620 960 regsvr32.exe regsvr32.exe PID 960 wrote to memory of 620 960 regsvr32.exe regsvr32.exe PID 960 wrote to memory of 620 960 regsvr32.exe regsvr32.exe PID 960 wrote to memory of 620 960 regsvr32.exe regsvr32.exe PID 960 wrote to memory of 620 960 regsvr32.exe regsvr32.exe PID 960 wrote to memory of 620 960 regsvr32.exe regsvr32.exe PID 960 wrote to memory of 620 960 regsvr32.exe regsvr32.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Document_314379760-Copy.xls1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32 ..\AppData\Kipofe.mmaallaauu,DllRegisterServer2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn iarolojz /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Kipofe.mmaallaauu\"" /SC ONCE /Z /ST 11:46 /ET 11:584⤵
- Creates scheduled task(s)
-
C:\Windows\system32\taskeng.exetaskeng.exe {2D423688-00EF-4A21-A4C9-D3A2BD147EAC} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exeregsvr32.exe -s "C:\Users\Admin\AppData\Kipofe.mmaallaauu"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe-s "C:\Users\Admin\AppData\Kipofe.mmaallaauu"3⤵
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Kipofe.mmaallaauuMD5
6262ac21d7a47c5914b64d2f9fb53547
SHA16acee3bbd3b6b12f4e7588ac7a925edf2012e4a8
SHA25658be24e908a199d1f98254e69bedd539cb13558887b456cd71b843542f330c18
SHA5120c02a873c515a2b7e9df6368fb606aa06fcd12b12abd2db1f00d9a6aef155e9d7b3599d3dc12ebf1c1e631f32e7e5cab24db1653fcd6206a7dc613397c82c4ac
-
C:\Users\Admin\AppData\Kipofe.mmaallaauuMD5
271c50019420fd37f92c8b61c6dd408b
SHA1c11d5431cdd42ea45ed930edb3fd9cce11410255
SHA256ba6f04a27354fc119878403d50689d102260e86eb1b3a70190ab1a9533ee99f3
SHA512d41d02d683ba34b931589d7e686087ff8756b4253a61d20a2e3c6f2d25df5377ff5dbb5aa2953fda72912887cf32cb1e57792bdf7075a05b38a4e2d31afa6b05
-
\Users\Admin\AppData\Kipofe.mmaallaauuMD5
6262ac21d7a47c5914b64d2f9fb53547
SHA16acee3bbd3b6b12f4e7588ac7a925edf2012e4a8
SHA25658be24e908a199d1f98254e69bedd539cb13558887b456cd71b843542f330c18
SHA5120c02a873c515a2b7e9df6368fb606aa06fcd12b12abd2db1f00d9a6aef155e9d7b3599d3dc12ebf1c1e631f32e7e5cab24db1653fcd6206a7dc613397c82c4ac
-
\Users\Admin\AppData\Kipofe.mmaallaauuMD5
271c50019420fd37f92c8b61c6dd408b
SHA1c11d5431cdd42ea45ed930edb3fd9cce11410255
SHA256ba6f04a27354fc119878403d50689d102260e86eb1b3a70190ab1a9533ee99f3
SHA512d41d02d683ba34b931589d7e686087ff8756b4253a61d20a2e3c6f2d25df5377ff5dbb5aa2953fda72912887cf32cb1e57792bdf7075a05b38a4e2d31afa6b05
-
memory/620-14-0x0000000000000000-mapping.dmp
-
memory/908-8-0x0000000000000000-mapping.dmp
-
memory/908-11-0x00000000000C0000-0x00000000000E1000-memory.dmpFilesize
132KB
-
memory/908-6-0x00000000000F0000-0x00000000000F2000-memory.dmpFilesize
8KB
-
memory/960-12-0x0000000000000000-mapping.dmp
-
memory/1424-10-0x0000000000000000-mapping.dmp
-
memory/1448-2-0x000007FEF6890000-0x000007FEF6B0A000-memory.dmpFilesize
2.5MB
-
memory/1980-9-0x0000000010000000-0x0000000010021000-memory.dmpFilesize
132KB
-
memory/1980-7-0x00000000001E0000-0x0000000000201000-memory.dmpFilesize
132KB
-
memory/1980-3-0x0000000000000000-mapping.dmp