Analysis
-
max time kernel
139s -
max time network
135s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
16-12-2020 18:09
Static task
static1
Behavioral task
behavioral1
Sample
Document_2039517850_12162020.xls
Resource
win7v20201028
General
-
Target
Document_2039517850_12162020.xls
-
Size
54KB
-
MD5
0ab5d82db3541b40b3ef56d03efe8a3f
-
SHA1
e44e018503f87fa50b1ad1e7e56a3f4a3b56eff9
-
SHA256
210468bf9c97e5bbae46e464625550d20079fb3766ad33d490f06e0cd037163a
-
SHA512
2824970bfa09450f8266274e4da423b0c418289b033842402959886a8514d4564620a83b82af5217be88eeb088621826f816e0fa320b3c0a11dfc8493eaae1fa
Malware Config
Extracted
qakbot
abc114
1608129413
86.127.22.190:443
35.139.242.207:443
108.190.194.146:2222
187.213.199.54:443
68.83.89.188:443
41.233.152.232:993
196.151.252.84:443
181.208.249.141:443
172.87.134.226:443
96.27.47.70:2222
83.110.109.78:2222
93.86.1.159:995
217.162.149.212:443
80.11.210.247:443
72.252.201.69:443
185.163.221.77:2222
189.62.175.92:22
95.76.27.6:443
45.77.115.208:443
187.213.82.104:995
47.44.217.98:443
91.138.177.114:2222
72.240.200.181:2222
71.182.142.63:443
90.53.103.26:2222
81.97.154.100:443
45.118.216.157:443
70.118.146.154:995
83.202.68.220:2222
86.97.221.121:443
67.141.11.98:443
184.189.122.72:443
189.150.111.8:2222
24.229.150.54:995
200.38.254.177:443
109.106.69.138:2222
5.204.148.208:995
109.154.79.222:2222
190.220.8.10:995
87.27.110.90:2222
65.48.208.194:443
78.101.130.59:995
75.136.26.147:443
47.138.204.19:443
140.82.49.12:443
41.205.16.222:443
67.6.54.180:443
80.227.5.70:443
193.248.154.174:2222
93.148.241.179:2222
67.249.12.146:443
109.205.204.229:2222
90.201.21.58:443
50.29.166.232:995
144.202.38.185:995
149.28.99.97:443
45.77.115.208:995
144.202.38.185:443
149.28.101.90:2222
149.28.99.97:995
149.28.101.90:995
149.28.98.196:2222
209.137.209.158:443
144.202.38.185:2222
45.63.107.192:995
45.63.107.192:443
149.28.99.97:2222
217.39.74.146:2222
82.12.157.95:995
45.63.107.192:2222
149.28.98.196:443
66.97.247.15:443
149.28.98.196:995
108.46.145.30:443
78.101.158.1:61201
103.110.6.151:2087
5.12.11.200:443
78.63.226.32:443
46.53.14.19:443
116.240.78.45:995
75.67.192.125:443
161.142.217.62:443
151.60.38.21:443
86.98.21.136:443
188.26.59.21:443
75.109.180.221:995
217.128.117.218:2222
78.181.19.134:443
5.2.212.254:443
35.136.78.225:443
24.122.0.90:443
68.131.19.52:443
197.57.67.109:443
78.154.28.105:443
2.49.219.254:22
187.155.59.73:443
83.110.213.25:443
2.50.143.154:2222
85.105.29.218:443
151.61.125.180:2222
72.93.55.22:443
39.32.147.77:995
151.73.121.136:443
24.29.30.31:443
45.77.115.208:2222
72.214.55.195:995
208.93.202.41:443
2.7.69.217:2222
81.88.254.62:443
41.225.231.43:443
62.116.43.76:53
85.101.187.146:443
73.94.229.115:443
190.31.192.34:443
51.223.138.251:443
92.154.83.96:1194
65.131.41.96:995
90.61.38.208:2222
86.122.248.164:2222
74.222.204.82:995
190.128.215.174:443
86.245.82.249:2078
188.27.116.133:443
80.195.103.146:2222
85.60.132.8:2087
74.129.26.119:443
71.58.19.33:443
189.183.206.114:443
180.151.233.178:443
41.176.38.114:995
80.11.5.65:2222
196.221.77.89:995
75.136.40.155:443
86.121.3.80:443
24.139.72.117:443
94.52.68.72:443
2.91.9.248:443
79.129.252.62:2222
5.193.148.126:2078
72.36.59.46:2222
2.50.159.19:2222
37.105.7.219:995
196.204.207.111:443
105.198.236.99:443
184.179.14.130:22
203.106.116.190:443
81.150.181.168:2222
155.186.9.160:443
2.91.235.94:443
83.110.13.182:2222
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 3984 2432 rundll32.exe EXCEL.EXE -
Processes:
resource yara_rule C:\IntelCompany\JIOLAS.RRTTOOKK cryptone \IntelCompany\JIOLAS.RRTTOOKK cryptone -
Loads dropped DLL 2 IoCs
Processes:
rundll32.exeregsvr32.exepid process 3992 rundll32.exe 3816 regsvr32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2688 3816 WerFault.exe regsvr32.exe -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service rundll32.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 2432 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
rundll32.exeWerFault.exepid process 3992 rundll32.exe 3992 rundll32.exe 3992 rundll32.exe 3992 rundll32.exe 2688 WerFault.exe 2688 WerFault.exe 2688 WerFault.exe 2688 WerFault.exe 2688 WerFault.exe 2688 WerFault.exe 2688 WerFault.exe 2688 WerFault.exe 2688 WerFault.exe 2688 WerFault.exe 2688 WerFault.exe 2688 WerFault.exe 2688 WerFault.exe 2688 WerFault.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
rundll32.exepid process 3992 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 2688 WerFault.exe Token: SeBackupPrivilege 2688 WerFault.exe Token: SeDebugPrivilege 2688 WerFault.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
EXCEL.EXEpid process 2432 EXCEL.EXE 2432 EXCEL.EXE 2432 EXCEL.EXE 2432 EXCEL.EXE 2432 EXCEL.EXE 2432 EXCEL.EXE 2432 EXCEL.EXE 2432 EXCEL.EXE 2432 EXCEL.EXE 2432 EXCEL.EXE 2432 EXCEL.EXE 2432 EXCEL.EXE -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
EXCEL.EXErundll32.exerundll32.exeexplorer.exeregsvr32.exedescription pid process target process PID 2432 wrote to memory of 3984 2432 EXCEL.EXE rundll32.exe PID 2432 wrote to memory of 3984 2432 EXCEL.EXE rundll32.exe PID 3984 wrote to memory of 3992 3984 rundll32.exe rundll32.exe PID 3984 wrote to memory of 3992 3984 rundll32.exe rundll32.exe PID 3984 wrote to memory of 3992 3984 rundll32.exe rundll32.exe PID 3992 wrote to memory of 4056 3992 rundll32.exe explorer.exe PID 3992 wrote to memory of 4056 3992 rundll32.exe explorer.exe PID 3992 wrote to memory of 4056 3992 rundll32.exe explorer.exe PID 3992 wrote to memory of 4056 3992 rundll32.exe explorer.exe PID 3992 wrote to memory of 4056 3992 rundll32.exe explorer.exe PID 4056 wrote to memory of 2288 4056 explorer.exe schtasks.exe PID 4056 wrote to memory of 2288 4056 explorer.exe schtasks.exe PID 4056 wrote to memory of 2288 4056 explorer.exe schtasks.exe PID 3084 wrote to memory of 3816 3084 regsvr32.exe regsvr32.exe PID 3084 wrote to memory of 3816 3084 regsvr32.exe regsvr32.exe PID 3084 wrote to memory of 3816 3084 regsvr32.exe regsvr32.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Document_2039517850_12162020.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\rundll32.exerundll32 C:\IntelCompany\JIOLAS.RRTTOOKK,DllRegisterServer2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32 C:\IntelCompany\JIOLAS.RRTTOOKK,DllRegisterServer3⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn bhishxwcoq /tr "regsvr32.exe -s \"C:\IntelCompany\JIOLAS.RRTTOOKK\"" /SC ONCE /Z /ST 19:08 /ET 19:205⤵
- Creates scheduled task(s)
-
\??\c:\windows\system32\regsvr32.exeregsvr32.exe -s "C:\IntelCompany\JIOLAS.RRTTOOKK"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe-s "C:\IntelCompany\JIOLAS.RRTTOOKK"2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 5763⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\IntelCompany\JIOLAS.RRTTOOKKMD5
26a73826310f3e226c41ef9f83e02a2c
SHA1898c6a11fdf70f247ac57d07f819b09370b126d7
SHA256103069fc038d0ec26cc16e4f56dc51d1f0abc1e7ff47b6fbfa7dfb63f03985fa
SHA512d53cd85d5bcaea7a1c6af16946942b850980ed7603a4a0069e7fddc02de972fb01ac523b7fe2748026d5138188c0c641a7b695302e9ced2fd307de9719332045
-
C:\IntelCompany\JIOLAS.RRTTOOKKMD5
0d11ed13ee38dd5c6dcbe7da0a51ab98
SHA153663cd9d25c6240089620dadeb26d953494409c
SHA2562a1421617a9f22a0da68b49c2c5497ecaea7bf733900c6f58c742c83f54eaf25
SHA5126dea8a553cb76b0f525e9a0fe929c70ec6a8ea5fb2b86503531434f3965a3071062351a00fa53bdf90890da809a70707da511d04767b203a69480d836eb66c08
-
\IntelCompany\JIOLAS.RRTTOOKKMD5
26a73826310f3e226c41ef9f83e02a2c
SHA1898c6a11fdf70f247ac57d07f819b09370b126d7
SHA256103069fc038d0ec26cc16e4f56dc51d1f0abc1e7ff47b6fbfa7dfb63f03985fa
SHA512d53cd85d5bcaea7a1c6af16946942b850980ed7603a4a0069e7fddc02de972fb01ac523b7fe2748026d5138188c0c641a7b695302e9ced2fd307de9719332045
-
\IntelCompany\JIOLAS.RRTTOOKKMD5
0d11ed13ee38dd5c6dcbe7da0a51ab98
SHA153663cd9d25c6240089620dadeb26d953494409c
SHA2562a1421617a9f22a0da68b49c2c5497ecaea7bf733900c6f58c742c83f54eaf25
SHA5126dea8a553cb76b0f525e9a0fe929c70ec6a8ea5fb2b86503531434f3965a3071062351a00fa53bdf90890da809a70707da511d04767b203a69480d836eb66c08
-
memory/2288-12-0x0000000000000000-mapping.dmp
-
memory/2432-2-0x00007FFD88A40000-0x00007FFD89077000-memory.dmpFilesize
6.2MB
-
memory/2688-20-0x0000000003B90000-0x0000000003B91000-memory.dmpFilesize
4KB
-
memory/2688-18-0x0000000003570000-0x0000000003571000-memory.dmpFilesize
4KB
-
memory/2688-17-0x0000000003170000-0x0000000003171000-memory.dmpFilesize
4KB
-
memory/3816-19-0x0000000000000000-mapping.dmp
-
memory/3816-15-0x0000000000000000-mapping.dmp
-
memory/3984-5-0x0000000000000000-mapping.dmp
-
memory/3992-11-0x0000000010000000-0x0000000010035000-memory.dmpFilesize
212KB
-
memory/3992-7-0x0000000000000000-mapping.dmp
-
memory/3992-9-0x0000000002EB0000-0x0000000002EE5000-memory.dmpFilesize
212KB
-
memory/4056-13-0x0000000000590000-0x00000000005C5000-memory.dmpFilesize
212KB
-
memory/4056-10-0x0000000000000000-mapping.dmp