Overview

overview

10

Static

static

8

Document_2...20.xls

windows7_x64

1

Document_2...20.xls

windows10_x64

10

Analysis

  • max time kernel
    145s
  • max time network
    136s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    16-12-2020 19:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Document_2039517850_12162020.xls

  • Size

    54KB

  • MD5

    0ab5d82db3541b40b3ef56d03efe8a3f

  • SHA1

    e44e018503f87fa50b1ad1e7e56a3f4a3b56eff9

  • SHA256

    210468bf9c97e5bbae46e464625550d20079fb3766ad33d490f06e0cd037163a

  • SHA512

    2824970bfa09450f8266274e4da423b0c418289b033842402959886a8514d4564620a83b82af5217be88eeb088621826f816e0fa320b3c0a11dfc8493eaae1fa

Score
10/10
qakbotabc1141608129413bankercryptonepackerstealertrojan

Malware Config

Extracted

Family

qakbot

Botnet

abc114

Campaign

1608129413

C2

86.127.22.190:443

35.139.242.207:443

108.190.194.146:2222

187.213.199.54:443

68.83.89.188:443

41.233.152.232:993

196.151.252.84:443

181.208.249.141:443

172.87.134.226:443

96.27.47.70:2222

83.110.109.78:2222

93.86.1.159:995

217.162.149.212:443

80.11.210.247:443

72.252.201.69:443

185.163.221.77:2222

189.62.175.92:22

95.76.27.6:443

45.77.115.208:443

187.213.82.104:995

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • CryptOne packer 2 IoCs

    Detects CryptOne packer defined in NCC blogpost.

    cryptonepacker
  • Loads dropped DLL 2 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Document_2039517850_12162020.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:580
    • C:\Windows\SYSTEM32\rundll32.exe
      rundll32 C:\IntelCompany\JIOLAS.RRTTOOKK,DllRegisterServer
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:3924
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32 C:\IntelCompany\JIOLAS.RRTTOOKK,DllRegisterServer
        3⤵
        • Loads dropped DLL
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:728
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2812
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn enbmzpp /tr "regsvr32.exe -s \"C:\IntelCompany\JIOLAS.RRTTOOKK\"" /SC ONCE /Z /ST 20:13 /ET 20:25
            5⤵
            • Creates scheduled task(s)
            PID:3916
  • \??\c:\windows\system32\regsvr32.exe
    regsvr32.exe -s "C:\IntelCompany\JIOLAS.RRTTOOKK"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2264
    • C:\Windows\SysWOW64\regsvr32.exe
      -s "C:\IntelCompany\JIOLAS.RRTTOOKK"
      2⤵
      • Loads dropped DLL
      PID:1152
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 596
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

3
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\IntelCompany\JIOLAS.RRTTOOKK
    MD5

    886b6f891a54321f84f503aaddb1d97d

    SHA1

    8be5ba9a0a8445d2685d671158f0f27723dd32d4

    SHA256

    61132270fc38aa584ca11850d81a5fbed619732cc21a4d1934e06cec9036c532

    SHA512

    62cb046bc1c4a003bc7696f6a7b2f511acf2fb26fe10f3e8f49b0aef17dd276acf628924ce4d89d90ea7d170203d45853495087cd6d49f1e9b7db8100f73a6f8

    Download Submit
  • C:\IntelCompany\JIOLAS.RRTTOOKK
    MD5

    4efa1c470bcb999f599ca0f4eaeb37aa

    SHA1

    423d75b87d38d9a77a147967e444ac588153ad0e

    SHA256

    087d773ae623a094c085112c09aa0526bba1652d72ff713b66e3f80cbde64f45

    SHA512

    3024f7e10f817d0f3203ddc8416d818f06057b6001d2f83df6fcf63fe2f49508a0243669f9ff9ae28e884c8a8c7e3e9887cf55f4201562a628e7ef1785ab899c

    Download Submit
  • \IntelCompany\JIOLAS.RRTTOOKK
    MD5

    886b6f891a54321f84f503aaddb1d97d

    SHA1

    8be5ba9a0a8445d2685d671158f0f27723dd32d4

    SHA256

    61132270fc38aa584ca11850d81a5fbed619732cc21a4d1934e06cec9036c532

    SHA512

    62cb046bc1c4a003bc7696f6a7b2f511acf2fb26fe10f3e8f49b0aef17dd276acf628924ce4d89d90ea7d170203d45853495087cd6d49f1e9b7db8100f73a6f8

    Download Submit
  • \IntelCompany\JIOLAS.RRTTOOKK
    MD5

    4efa1c470bcb999f599ca0f4eaeb37aa

    SHA1

    423d75b87d38d9a77a147967e444ac588153ad0e

    SHA256

    087d773ae623a094c085112c09aa0526bba1652d72ff713b66e3f80cbde64f45

    SHA512

    3024f7e10f817d0f3203ddc8416d818f06057b6001d2f83df6fcf63fe2f49508a0243669f9ff9ae28e884c8a8c7e3e9887cf55f4201562a628e7ef1785ab899c

    Download Submit
  • memory/372-18-0x0000000002F60000-0x0000000002F61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/372-20-0x0000000003950000-0x0000000003951000-memory.dmp
    Filesize

    4KB

    Download
  • memory/580-2-0x00007FFA007A0000-0x00007FFA00DD7000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/728-10-0x0000000000970000-0x00000000009A5000-memory.dmp
    Filesize

    212KB

    Download
  • memory/728-12-0x0000000010000000-0x0000000010035000-memory.dmp
    Filesize

    212KB

    Download
  • memory/728-8-0x0000000000000000-mapping.dmp
    Download
  • memory/1152-16-0x0000000000000000-mapping.dmp
    Download
  • memory/1152-19-0x0000000000000000-mapping.dmp
    Download
  • memory/2812-11-0x0000000000000000-mapping.dmp
    Download
  • memory/2812-14-0x0000000003200000-0x0000000003235000-memory.dmp
    Filesize

    212KB

    Download
  • memory/3916-13-0x0000000000000000-mapping.dmp
    Download
  • memory/3924-6-0x0000000000000000-mapping.dmp
    Download