qakbot | dfffacd10a8887ff9e48cb452696fa8a9b6b83ea3e285b4f7d3692677c8c30fc

General

Target

file.01.21.doc
Size

92KB
MD5

cfbd343882b57a2d395ddb566984a0dd
SHA1

8baa1cb1935bafa0f89bd4fc5d5c8c47d05d1f4c
SHA256

dfffacd10a8887ff9e48cb452696fa8a9b6b83ea3e285b4f7d3692677c8c30fc
SHA512

e3606d5bc2354c7e4b3eff6aa681ee77d8f9aeaec07641a93ac02aed063b952feaa8ffebbb1fb4e68e5d131ece24264c03a6f4a5191d15e42767203bf83e1653

Score

10^/10

qakbot krk01 1611569149 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

krk01

Campaign

1611569149

C2

31.5.21.66:995

89.3.198.238:443

202.188.138.162:443

188.24.128.253:443

175.141.219.71:443

151.60.15.183:443

184.189.122.72:443

80.227.5.70:443

140.82.49.12:443

89.211.241.100:995

81.97.154.100:443

77.27.174.49:995

92.154.83.96:2078

42.3.8.54:443

71.187.170.235:443

46.153.36.53:995

71.182.142.63:443

105.186.102.16:443

50.244.112.106:443

78.63.226.32:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Executes dropped EXE 1 IoCs

Processes:

hello.com

pid process

2040 hello.com
Loads dropped DLL 2 IoCs

Processes:

WINWORD.EXEregsvr32.exe

pid process

1908 WINWORD.EXE
1668 regsvr32.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

pid	process
2040	hello.com

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE

Modifies registry class 280 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\TypeLib\{1A47FD33-8E4B-4012-A574-4700F2D6776A}\2.0\HELPDIR	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\TypeLib\{1A47FD33-8E4B-4012-A574-4700F2D6776A}\2.0\0	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A47FD33-8E4B-4012-A574-4700F2D6776A}\2.0\HELPDIR	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\TypeLib\{1A47FD33-8E4B-4012-A574-4700F2D6776A}\2.0\FLAGS\ = "6"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1908 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

1668 regsvr32.exe
1668 regsvr32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

regsvr32.exe

pid process

1668 regsvr32.exe

pid	process
1668	regsvr32.exe
1668	regsvr32.exe

pid	process
1668	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

hello.com

description	pid	process
Token: SeIncreaseQuotaPrivilege	2040	hello.com
Token: SeSecurityPrivilege	2040	hello.com
Token: SeTakeOwnershipPrivilege	2040	hello.com
Token: SeLoadDriverPrivilege	2040	hello.com
Token: SeSystemProfilePrivilege	2040	hello.com
Token: SeSystemtimePrivilege	2040	hello.com
Token: SeProfSingleProcessPrivilege	2040	hello.com
Token: SeIncBasePriorityPrivilege	2040	hello.com
Token: SeCreatePagefilePrivilege	2040	hello.com
Token: SeBackupPrivilege	2040	hello.com
Token: SeRestorePrivilege	2040	hello.com
Token: SeShutdownPrivilege	2040	hello.com
Token: SeDebugPrivilege	2040	hello.com
Token: SeSystemEnvironmentPrivilege	2040	hello.com
Token: SeRemoteShutdownPrivilege	2040	hello.com
Token: SeUndockPrivilege	2040	hello.com
Token: SeManageVolumePrivilege	2040	hello.com
Token: 33	2040	hello.com
Token: 34	2040	hello.com
Token: 35	2040	hello.com
Token: SeIncreaseQuotaPrivilege	2040	hello.com
Token: SeSecurityPrivilege	2040	hello.com
Token: SeTakeOwnershipPrivilege	2040	hello.com
Token: SeLoadDriverPrivilege	2040	hello.com
Token: SeSystemProfilePrivilege	2040	hello.com
Token: SeSystemtimePrivilege	2040	hello.com
Token: SeProfSingleProcessPrivilege	2040	hello.com
Token: SeIncBasePriorityPrivilege	2040	hello.com
Token: SeCreatePagefilePrivilege	2040	hello.com
Token: SeBackupPrivilege	2040	hello.com
Token: SeRestorePrivilege	2040	hello.com
Token: SeShutdownPrivilege	2040	hello.com
Token: SeDebugPrivilege	2040	hello.com
Token: SeSystemEnvironmentPrivilege	2040	hello.com
Token: SeRemoteShutdownPrivilege	2040	hello.com
Token: SeUndockPrivilege	2040	hello.com
Token: SeManageVolumePrivilege	2040	hello.com
Token: 33	2040	hello.com
Token: 34	2040	hello.com
Token: 35	2040	hello.com

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

WINWORD.EXE

pid	process
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

WINWORD.EXEhello.comregsvr32.exe

description	pid	process	target process
PID 1908 wrote to memory of 2040	1908	WINWORD.EXE	hello.com
PID 1908 wrote to memory of 2040	1908	WINWORD.EXE	hello.com
PID 1908 wrote to memory of 2040	1908	WINWORD.EXE	hello.com
PID 1908 wrote to memory of 2040	1908	WINWORD.EXE	hello.com
PID 1908 wrote to memory of 1764	1908	WINWORD.EXE	splwow64.exe
PID 1908 wrote to memory of 1764	1908	WINWORD.EXE	splwow64.exe
PID 1908 wrote to memory of 1764	1908	WINWORD.EXE	splwow64.exe
PID 1908 wrote to memory of 1764	1908	WINWORD.EXE	splwow64.exe
PID 2040 wrote to memory of 1668	2040	hello.com	regsvr32.exe
PID 2040 wrote to memory of 1668	2040	hello.com	regsvr32.exe
PID 2040 wrote to memory of 1668	2040	hello.com	regsvr32.exe
PID 2040 wrote to memory of 1668	2040	hello.com	regsvr32.exe
PID 2040 wrote to memory of 1668	2040	hello.com	regsvr32.exe
PID 2040 wrote to memory of 1668	2040	hello.com	regsvr32.exe
PID 2040 wrote to memory of 1668	2040	hello.com	regsvr32.exe
PID 1668 wrote to memory of 1692	1668	regsvr32.exe	explorer.exe
PID 1668 wrote to memory of 1692	1668	regsvr32.exe	explorer.exe
PID 1668 wrote to memory of 1692	1668	regsvr32.exe	explorer.exe
PID 1668 wrote to memory of 1692	1668	regsvr32.exe	explorer.exe
PID 1668 wrote to memory of 1692	1668	regsvr32.exe	explorer.exe
PID 1668 wrote to memory of 1692	1668	regsvr32.exe	explorer.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\file.01.21.doc"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1908

\??\c:\programdata\hello.com
c:\programdata\hello.com pagefile get /format:"c:\programdata\hello.xsL"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 c:\programdata\41401.jpg
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
PID:1692

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hello.com
MD5
a03cf3838775e0801a0894c8bacd2e56

SHA1
4368dbd172224ec9461364be1ac9dffc5d9224a8

SHA256
132aa270790f56a7524cab968927ed5e1d91b9a26d4badcb24e450e7decc5f81

SHA512
b9e2467157139cc288e027d34865034eaf441dd69981a91df18d60e6b6a7cc53f8102230d18e4c6de2f3ad3ab413d755663bfc82d3033e52faf38509a7cdfcdc

Download Submit
\??\c:\programdata\41401.jpg
MD5
e64137072aa73702889674831b424cbb

SHA1
beb3fe4681e84941617ccaeb89169efc7268a0ba

SHA256
8f3f6fcef89bdf02fe1108b0452bd701860ef8ca111d09859daba97fc1d3ef9a

SHA512
56bdae98e5b186e342112b1ff44e4116c8e40f964f4c0cadd7ad09e2172b70c7019b7450a0a87574626cf4786f2d187592711c57f740d8d8757a9e36dc3d646c

Download Submit
\??\c:\programdata\hello.com
MD5
a03cf3838775e0801a0894c8bacd2e56

SHA1
4368dbd172224ec9461364be1ac9dffc5d9224a8

SHA256
132aa270790f56a7524cab968927ed5e1d91b9a26d4badcb24e450e7decc5f81

SHA512
b9e2467157139cc288e027d34865034eaf441dd69981a91df18d60e6b6a7cc53f8102230d18e4c6de2f3ad3ab413d755663bfc82d3033e52faf38509a7cdfcdc

Download Submit
\??\c:\programdata\hello.xsL
MD5
886f82da2d65f460b35eb737d2897940

SHA1
bd75c902bb9b490cb38667e11ee5979187b82468

SHA256
04d407837c3a0a82ecc6d73c8d5685ca48621ee018b698f469bc954506a14f74

SHA512
fff94b2555fa49f7b4f03d2bfd1bdb14c24ed2947f0332f6e65046b98406c706224a612dac74bebad14cfe0f1cbe88e3df51b2b5b25fb2f436d53d29357d2ca8

Download Submit
\ProgramData\41401.jpg
MD5
e64137072aa73702889674831b424cbb

SHA1
beb3fe4681e84941617ccaeb89169efc7268a0ba

SHA256
8f3f6fcef89bdf02fe1108b0452bd701860ef8ca111d09859daba97fc1d3ef9a

SHA512
56bdae98e5b186e342112b1ff44e4116c8e40f964f4c0cadd7ad09e2172b70c7019b7450a0a87574626cf4786f2d187592711c57f740d8d8757a9e36dc3d646c

Download Submit
\ProgramData\hello.com
MD5
a03cf3838775e0801a0894c8bacd2e56

SHA1
4368dbd172224ec9461364be1ac9dffc5d9224a8

SHA256
132aa270790f56a7524cab968927ed5e1d91b9a26d4badcb24e450e7decc5f81

SHA512
b9e2467157139cc288e027d34865034eaf441dd69981a91df18d60e6b6a7cc53f8102230d18e4c6de2f3ad3ab413d755663bfc82d3033e52faf38509a7cdfcdc

Download Submit
memory/916-13-0x000007FEF76B0000-0x000007FEF792A000-memory.dmp

Filesize
2.5MB

Download
memory/1668-19-0x000000006AFF0000-0x000000006B025000-memory.dmp

Filesize
212KB

Download
memory/1668-16-0x0000000076271000-0x0000000076273000-memory.dmp

Filesize
8KB

Download
memory/1668-15-0x0000000000000000-mapping.dmp

Download
memory/1668-20-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1668-25-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/1692-21-0x0000000000000000-mapping.dmp

Download
memory/1692-23-0x000000006A8F1000-0x000000006A8F3000-memory.dmp

Filesize
8KB

Download
memory/1692-24-0x0000000000080000-0x00000000000B5000-memory.dmp

Filesize
212KB

Download
memory/1764-9-0x0000000000000000-mapping.dmp

Download
memory/1764-10-0x000007FEFBBF1000-0x000007FEFBBF3000-memory.dmp

Filesize
8KB

Download
memory/1908-8-0x0000000006280000-0x0000000006282000-memory.dmp

Filesize
8KB

Download
memory/1908-2-0x00000000727A1000-0x00000000727A4000-memory.dmp

Filesize
12KB

Download
memory/1908-3-0x0000000070221000-0x0000000070223000-memory.dmp

Filesize
8KB

Download
memory/1908-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2040-12-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/2040-6-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads