Analysis
-
max time kernel
145s -
max time network
136s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
16-12-2020 19:07
Static task
static1
Behavioral task
behavioral1
Sample
Document_2039517850_12162020.xls
Resource
win7v20201028
General
-
Target
Document_2039517850_12162020.xls
-
Size
54KB
-
MD5
0ab5d82db3541b40b3ef56d03efe8a3f
-
SHA1
e44e018503f87fa50b1ad1e7e56a3f4a3b56eff9
-
SHA256
210468bf9c97e5bbae46e464625550d20079fb3766ad33d490f06e0cd037163a
-
SHA512
2824970bfa09450f8266274e4da423b0c418289b033842402959886a8514d4564620a83b82af5217be88eeb088621826f816e0fa320b3c0a11dfc8493eaae1fa
Malware Config
Extracted
qakbot
abc114
1608129413
86.127.22.190:443
35.139.242.207:443
108.190.194.146:2222
187.213.199.54:443
68.83.89.188:443
41.233.152.232:993
196.151.252.84:443
181.208.249.141:443
172.87.134.226:443
96.27.47.70:2222
83.110.109.78:2222
93.86.1.159:995
217.162.149.212:443
80.11.210.247:443
72.252.201.69:443
185.163.221.77:2222
189.62.175.92:22
95.76.27.6:443
45.77.115.208:443
187.213.82.104:995
47.44.217.98:443
91.138.177.114:2222
72.240.200.181:2222
71.182.142.63:443
90.53.103.26:2222
81.97.154.100:443
45.118.216.157:443
70.118.146.154:995
83.202.68.220:2222
86.97.221.121:443
67.141.11.98:443
184.189.122.72:443
189.150.111.8:2222
24.229.150.54:995
200.38.254.177:443
109.106.69.138:2222
5.204.148.208:995
109.154.79.222:2222
190.220.8.10:995
87.27.110.90:2222
65.48.208.194:443
78.101.130.59:995
75.136.26.147:443
47.138.204.19:443
140.82.49.12:443
41.205.16.222:443
67.6.54.180:443
80.227.5.70:443
193.248.154.174:2222
93.148.241.179:2222
67.249.12.146:443
109.205.204.229:2222
90.201.21.58:443
50.29.166.232:995
144.202.38.185:995
149.28.99.97:443
45.77.115.208:995
144.202.38.185:443
149.28.101.90:2222
149.28.99.97:995
149.28.101.90:995
149.28.98.196:2222
209.137.209.158:443
144.202.38.185:2222
45.63.107.192:995
45.63.107.192:443
149.28.99.97:2222
217.39.74.146:2222
82.12.157.95:995
45.63.107.192:2222
149.28.98.196:443
66.97.247.15:443
149.28.98.196:995
108.46.145.30:443
78.101.158.1:61201
103.110.6.151:2087
5.12.11.200:443
78.63.226.32:443
46.53.14.19:443
116.240.78.45:995
75.67.192.125:443
161.142.217.62:443
151.60.38.21:443
86.98.21.136:443
188.26.59.21:443
75.109.180.221:995
217.128.117.218:2222
78.181.19.134:443
5.2.212.254:443
35.136.78.225:443
24.122.0.90:443
68.131.19.52:443
197.57.67.109:443
78.154.28.105:443
2.49.219.254:22
187.155.59.73:443
83.110.213.25:443
2.50.143.154:2222
85.105.29.218:443
151.61.125.180:2222
72.93.55.22:443
39.32.147.77:995
151.73.121.136:443
24.29.30.31:443
45.77.115.208:2222
72.214.55.195:995
208.93.202.41:443
2.7.69.217:2222
81.88.254.62:443
41.225.231.43:443
62.116.43.76:53
85.101.187.146:443
73.94.229.115:443
190.31.192.34:443
51.223.138.251:443
92.154.83.96:1194
65.131.41.96:995
90.61.38.208:2222
86.122.248.164:2222
74.222.204.82:995
190.128.215.174:443
86.245.82.249:2078
188.27.116.133:443
80.195.103.146:2222
85.60.132.8:2087
74.129.26.119:443
71.58.19.33:443
189.183.206.114:443
180.151.233.178:443
41.176.38.114:995
80.11.5.65:2222
196.221.77.89:995
75.136.40.155:443
86.121.3.80:443
24.139.72.117:443
94.52.68.72:443
2.91.9.248:443
79.129.252.62:2222
5.193.148.126:2078
72.36.59.46:2222
2.50.159.19:2222
37.105.7.219:995
196.204.207.111:443
105.198.236.99:443
184.179.14.130:22
203.106.116.190:443
81.150.181.168:2222
155.186.9.160:443
2.91.235.94:443
83.110.13.182:2222
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 3924 580 rundll32.exe EXCEL.EXE -
Processes:
resource yara_rule C:\IntelCompany\JIOLAS.RRTTOOKK cryptone \IntelCompany\JIOLAS.RRTTOOKK cryptone -
Loads dropped DLL 2 IoCs
Processes:
rundll32.exeregsvr32.exepid process 728 rundll32.exe 1152 regsvr32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 372 1152 WerFault.exe regsvr32.exe -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
rundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc rundll32.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 580 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
rundll32.exeWerFault.exepid process 728 rundll32.exe 728 rundll32.exe 728 rundll32.exe 728 rundll32.exe 372 WerFault.exe 372 WerFault.exe 372 WerFault.exe 372 WerFault.exe 372 WerFault.exe 372 WerFault.exe 372 WerFault.exe 372 WerFault.exe 372 WerFault.exe 372 WerFault.exe 372 WerFault.exe 372 WerFault.exe 372 WerFault.exe 372 WerFault.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
rundll32.exepid process 728 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 372 WerFault.exe Token: SeBackupPrivilege 372 WerFault.exe Token: SeDebugPrivilege 372 WerFault.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
EXCEL.EXEpid process 580 EXCEL.EXE 580 EXCEL.EXE 580 EXCEL.EXE 580 EXCEL.EXE 580 EXCEL.EXE 580 EXCEL.EXE 580 EXCEL.EXE 580 EXCEL.EXE 580 EXCEL.EXE 580 EXCEL.EXE 580 EXCEL.EXE 580 EXCEL.EXE -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
EXCEL.EXErundll32.exerundll32.exeexplorer.exeregsvr32.exedescription pid process target process PID 580 wrote to memory of 3924 580 EXCEL.EXE rundll32.exe PID 580 wrote to memory of 3924 580 EXCEL.EXE rundll32.exe PID 3924 wrote to memory of 728 3924 rundll32.exe rundll32.exe PID 3924 wrote to memory of 728 3924 rundll32.exe rundll32.exe PID 3924 wrote to memory of 728 3924 rundll32.exe rundll32.exe PID 728 wrote to memory of 2812 728 rundll32.exe explorer.exe PID 728 wrote to memory of 2812 728 rundll32.exe explorer.exe PID 728 wrote to memory of 2812 728 rundll32.exe explorer.exe PID 728 wrote to memory of 2812 728 rundll32.exe explorer.exe PID 728 wrote to memory of 2812 728 rundll32.exe explorer.exe PID 2812 wrote to memory of 3916 2812 explorer.exe schtasks.exe PID 2812 wrote to memory of 3916 2812 explorer.exe schtasks.exe PID 2812 wrote to memory of 3916 2812 explorer.exe schtasks.exe PID 2264 wrote to memory of 1152 2264 regsvr32.exe regsvr32.exe PID 2264 wrote to memory of 1152 2264 regsvr32.exe regsvr32.exe PID 2264 wrote to memory of 1152 2264 regsvr32.exe regsvr32.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Document_2039517850_12162020.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\rundll32.exerundll32 C:\IntelCompany\JIOLAS.RRTTOOKK,DllRegisterServer2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32 C:\IntelCompany\JIOLAS.RRTTOOKK,DllRegisterServer3⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn enbmzpp /tr "regsvr32.exe -s \"C:\IntelCompany\JIOLAS.RRTTOOKK\"" /SC ONCE /Z /ST 20:13 /ET 20:255⤵
- Creates scheduled task(s)
-
\??\c:\windows\system32\regsvr32.exeregsvr32.exe -s "C:\IntelCompany\JIOLAS.RRTTOOKK"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe-s "C:\IntelCompany\JIOLAS.RRTTOOKK"2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 5963⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\IntelCompany\JIOLAS.RRTTOOKKMD5
886b6f891a54321f84f503aaddb1d97d
SHA18be5ba9a0a8445d2685d671158f0f27723dd32d4
SHA25661132270fc38aa584ca11850d81a5fbed619732cc21a4d1934e06cec9036c532
SHA51262cb046bc1c4a003bc7696f6a7b2f511acf2fb26fe10f3e8f49b0aef17dd276acf628924ce4d89d90ea7d170203d45853495087cd6d49f1e9b7db8100f73a6f8
-
C:\IntelCompany\JIOLAS.RRTTOOKKMD5
4efa1c470bcb999f599ca0f4eaeb37aa
SHA1423d75b87d38d9a77a147967e444ac588153ad0e
SHA256087d773ae623a094c085112c09aa0526bba1652d72ff713b66e3f80cbde64f45
SHA5123024f7e10f817d0f3203ddc8416d818f06057b6001d2f83df6fcf63fe2f49508a0243669f9ff9ae28e884c8a8c7e3e9887cf55f4201562a628e7ef1785ab899c
-
\IntelCompany\JIOLAS.RRTTOOKKMD5
886b6f891a54321f84f503aaddb1d97d
SHA18be5ba9a0a8445d2685d671158f0f27723dd32d4
SHA25661132270fc38aa584ca11850d81a5fbed619732cc21a4d1934e06cec9036c532
SHA51262cb046bc1c4a003bc7696f6a7b2f511acf2fb26fe10f3e8f49b0aef17dd276acf628924ce4d89d90ea7d170203d45853495087cd6d49f1e9b7db8100f73a6f8
-
\IntelCompany\JIOLAS.RRTTOOKKMD5
4efa1c470bcb999f599ca0f4eaeb37aa
SHA1423d75b87d38d9a77a147967e444ac588153ad0e
SHA256087d773ae623a094c085112c09aa0526bba1652d72ff713b66e3f80cbde64f45
SHA5123024f7e10f817d0f3203ddc8416d818f06057b6001d2f83df6fcf63fe2f49508a0243669f9ff9ae28e884c8a8c7e3e9887cf55f4201562a628e7ef1785ab899c
-
memory/372-18-0x0000000002F60000-0x0000000002F61000-memory.dmpFilesize
4KB
-
memory/372-20-0x0000000003950000-0x0000000003951000-memory.dmpFilesize
4KB
-
memory/580-2-0x00007FFA007A0000-0x00007FFA00DD7000-memory.dmpFilesize
6.2MB
-
memory/728-10-0x0000000000970000-0x00000000009A5000-memory.dmpFilesize
212KB
-
memory/728-12-0x0000000010000000-0x0000000010035000-memory.dmpFilesize
212KB
-
memory/728-8-0x0000000000000000-mapping.dmp
-
memory/1152-16-0x0000000000000000-mapping.dmp
-
memory/1152-19-0x0000000000000000-mapping.dmp
-
memory/2812-11-0x0000000000000000-mapping.dmp
-
memory/2812-14-0x0000000003200000-0x0000000003235000-memory.dmpFilesize
212KB
-
memory/3916-13-0x0000000000000000-mapping.dmp
-
memory/3924-6-0x0000000000000000-mapping.dmp