Overview

overview

10

Static

static

8

Document_2...20.xls

windows7_x64

1

Document_2...20.xls

windows10_x64

10

Analysis

  • max time kernel
    139s
  • max time network
    135s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    16-12-2020 18:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Document_2039517850_12162020.xls

  • Size

    54KB

  • MD5

    0ab5d82db3541b40b3ef56d03efe8a3f

  • SHA1

    e44e018503f87fa50b1ad1e7e56a3f4a3b56eff9

  • SHA256

    210468bf9c97e5bbae46e464625550d20079fb3766ad33d490f06e0cd037163a

  • SHA512

    2824970bfa09450f8266274e4da423b0c418289b033842402959886a8514d4564620a83b82af5217be88eeb088621826f816e0fa320b3c0a11dfc8493eaae1fa

Score
10/10
qakbotabc1141608129413bankercryptonepackerstealertrojan

Malware Config

Extracted

Family

qakbot

Botnet

abc114

Campaign

1608129413

C2

86.127.22.190:443

35.139.242.207:443

108.190.194.146:2222

187.213.199.54:443

68.83.89.188:443

41.233.152.232:993

196.151.252.84:443

181.208.249.141:443

172.87.134.226:443

96.27.47.70:2222

83.110.109.78:2222

93.86.1.159:995

217.162.149.212:443

80.11.210.247:443

72.252.201.69:443

185.163.221.77:2222

189.62.175.92:22

95.76.27.6:443

45.77.115.208:443

187.213.82.104:995

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • CryptOne packer 2 IoCs

    Detects CryptOne packer defined in NCC blogpost.

    cryptonepacker
  • Loads dropped DLL 2 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Document_2039517850_12162020.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Windows\SYSTEM32\rundll32.exe
      rundll32 C:\IntelCompany\JIOLAS.RRTTOOKK,DllRegisterServer
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:3984
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32 C:\IntelCompany\JIOLAS.RRTTOOKK,DllRegisterServer
        3⤵
        • Loads dropped DLL
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:3992
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4056
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn bhishxwcoq /tr "regsvr32.exe -s \"C:\IntelCompany\JIOLAS.RRTTOOKK\"" /SC ONCE /Z /ST 19:08 /ET 19:20
            5⤵
            • Creates scheduled task(s)
            PID:2288
  • \??\c:\windows\system32\regsvr32.exe
    regsvr32.exe -s "C:\IntelCompany\JIOLAS.RRTTOOKK"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3084
    • C:\Windows\SysWOW64\regsvr32.exe
      -s "C:\IntelCompany\JIOLAS.RRTTOOKK"
      2⤵
      • Loads dropped DLL
      PID:3816
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 576
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2688

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

3
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\IntelCompany\JIOLAS.RRTTOOKK
    MD5

    26a73826310f3e226c41ef9f83e02a2c

    SHA1

    898c6a11fdf70f247ac57d07f819b09370b126d7

    SHA256

    103069fc038d0ec26cc16e4f56dc51d1f0abc1e7ff47b6fbfa7dfb63f03985fa

    SHA512

    d53cd85d5bcaea7a1c6af16946942b850980ed7603a4a0069e7fddc02de972fb01ac523b7fe2748026d5138188c0c641a7b695302e9ced2fd307de9719332045

    Download Submit
  • C:\IntelCompany\JIOLAS.RRTTOOKK
    MD5

    0d11ed13ee38dd5c6dcbe7da0a51ab98

    SHA1

    53663cd9d25c6240089620dadeb26d953494409c

    SHA256

    2a1421617a9f22a0da68b49c2c5497ecaea7bf733900c6f58c742c83f54eaf25

    SHA512

    6dea8a553cb76b0f525e9a0fe929c70ec6a8ea5fb2b86503531434f3965a3071062351a00fa53bdf90890da809a70707da511d04767b203a69480d836eb66c08

    Download Submit
  • \IntelCompany\JIOLAS.RRTTOOKK
    MD5

    26a73826310f3e226c41ef9f83e02a2c

    SHA1

    898c6a11fdf70f247ac57d07f819b09370b126d7

    SHA256

    103069fc038d0ec26cc16e4f56dc51d1f0abc1e7ff47b6fbfa7dfb63f03985fa

    SHA512

    d53cd85d5bcaea7a1c6af16946942b850980ed7603a4a0069e7fddc02de972fb01ac523b7fe2748026d5138188c0c641a7b695302e9ced2fd307de9719332045

    Download Submit
  • \IntelCompany\JIOLAS.RRTTOOKK
    MD5

    0d11ed13ee38dd5c6dcbe7da0a51ab98

    SHA1

    53663cd9d25c6240089620dadeb26d953494409c

    SHA256

    2a1421617a9f22a0da68b49c2c5497ecaea7bf733900c6f58c742c83f54eaf25

    SHA512

    6dea8a553cb76b0f525e9a0fe929c70ec6a8ea5fb2b86503531434f3965a3071062351a00fa53bdf90890da809a70707da511d04767b203a69480d836eb66c08

    Download Submit
  • memory/2288-12-0x0000000000000000-mapping.dmp
    Download
  • memory/2432-2-0x00007FFD88A40000-0x00007FFD89077000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2688-20-0x0000000003B90000-0x0000000003B91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2688-18-0x0000000003570000-0x0000000003571000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2688-17-0x0000000003170000-0x0000000003171000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3816-19-0x0000000000000000-mapping.dmp
    Download
  • memory/3816-15-0x0000000000000000-mapping.dmp
    Download
  • memory/3984-5-0x0000000000000000-mapping.dmp
    Download
  • memory/3992-11-0x0000000010000000-0x0000000010035000-memory.dmp
    Filesize

    212KB

    Download
  • memory/3992-7-0x0000000000000000-mapping.dmp
    Download
  • memory/3992-9-0x0000000002EB0000-0x0000000002EE5000-memory.dmp
    Filesize

    212KB

    Download
  • memory/4056-13-0x0000000000590000-0x00000000005C5000-memory.dmp
    Filesize

    212KB

    Download
  • memory/4056-10-0x0000000000000000-mapping.dmp
    Download