Overview

overview

10

Static

static

8

order.02.21.doc

windows7_x64

10

order.02.21.doc

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    02-02-2021 00:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    order.02.21.doc

  • Size

    96KB

  • MD5

    482575014b2267902cc89dff4c17134e

  • SHA1

    4dfa4463d055046080393b105f659b6f367e9167

  • SHA256

    a8e05882220ef7e0b55eef3048c1e79ea607e1aba5fafb6431b4e94fc75724e6

  • SHA512

    c7163ef3831be2da9f0c53cc12cae504a57dd6885e3def3e02b458abfc190a68a2da5a2d68d7f01f29de1b44038f9b613eb4d39dd1bb1f493302c6227435d6d4

Score
10/10
qakbotkrk011611569149bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Botnet

krk01

Campaign

1611569149

C2

31.5.21.66:995

89.3.198.238:443

202.188.138.162:443

188.24.128.253:443

175.141.219.71:443

151.60.15.183:443

184.189.122.72:443

80.227.5.70:443

140.82.49.12:443

89.211.241.100:995

81.97.154.100:443

77.27.174.49:995

92.154.83.96:2078

42.3.8.54:443

71.187.170.235:443

46.153.36.53:995

71.182.142.63:443

105.186.102.16:443

50.244.112.106:443

78.63.226.32:443

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies registry class 280 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\order.02.21.doc"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:292
    • \??\c:\programdata\xml.com
      c:\programdata\xml.com process list /format : ".xsl"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1812
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32 c:\programdata\27867.jpg
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:848
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          4⤵
            PID:1472
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        2⤵
          PID:1352

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\xml.com
        MD5

        a03cf3838775e0801a0894c8bacd2e56

        SHA1

        4368dbd172224ec9461364be1ac9dffc5d9224a8

        SHA256

        132aa270790f56a7524cab968927ed5e1d91b9a26d4badcb24e450e7decc5f81

        SHA512

        b9e2467157139cc288e027d34865034eaf441dd69981a91df18d60e6b6a7cc53f8102230d18e4c6de2f3ad3ab413d755663bfc82d3033e52faf38509a7cdfcdc

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\.xsl
        MD5

        056f1894ed79ab92abb9a1e48f496f92

        SHA1

        672641775009e1573ef40f174169f8ec5742857a

        SHA256

        f677baa2df98c7f9d7339fa8249d8761f4d4451c9cefb5ffad1748e38dead68f

        SHA512

        02debf58536d9810a74b4579b21a956eb86c1e0ae2b23b7c03abac46107cea2a053c21e54680ffb43f10ebd81d921489c9f8d95ee7dd034bc8d48f77ecff9399

        Download Submit
      • \??\c:\programdata\27867.jpg
        MD5

        dd587969560f16f45a7f066182285ee7

        SHA1

        683a279c992d117a23b620d3110447d712d54e4c

        SHA256

        51947a6436c0334a22572c20df3b097bb8dd8f6b6822f2d03619f3e5190db68c

        SHA512

        015c56ac4b69880fc0dbd8b77a59770a84ee0dc6c11c1f538cc39000e7c4066e24a56f5138f2a43461a8a62697f955527289d11db4da4a8f2fcd1ff76bb81c3f

        Download Submit
      • \??\c:\programdata\xml.com
        MD5

        a03cf3838775e0801a0894c8bacd2e56

        SHA1

        4368dbd172224ec9461364be1ac9dffc5d9224a8

        SHA256

        132aa270790f56a7524cab968927ed5e1d91b9a26d4badcb24e450e7decc5f81

        SHA512

        b9e2467157139cc288e027d34865034eaf441dd69981a91df18d60e6b6a7cc53f8102230d18e4c6de2f3ad3ab413d755663bfc82d3033e52faf38509a7cdfcdc

        Download Submit
      • \ProgramData\27867.jpg
        MD5

        dd587969560f16f45a7f066182285ee7

        SHA1

        683a279c992d117a23b620d3110447d712d54e4c

        SHA256

        51947a6436c0334a22572c20df3b097bb8dd8f6b6822f2d03619f3e5190db68c

        SHA512

        015c56ac4b69880fc0dbd8b77a59770a84ee0dc6c11c1f538cc39000e7c4066e24a56f5138f2a43461a8a62697f955527289d11db4da4a8f2fcd1ff76bb81c3f

        Download Submit
      • \ProgramData\xml.com
        MD5

        a03cf3838775e0801a0894c8bacd2e56

        SHA1

        4368dbd172224ec9461364be1ac9dffc5d9224a8

        SHA256

        132aa270790f56a7524cab968927ed5e1d91b9a26d4badcb24e450e7decc5f81

        SHA512

        b9e2467157139cc288e027d34865034eaf441dd69981a91df18d60e6b6a7cc53f8102230d18e4c6de2f3ad3ab413d755663bfc82d3033e52faf38509a7cdfcdc

        Download Submit
      • memory/292-4-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/292-3-0x0000000070A61000-0x0000000070A63000-memory.dmp
        Filesize

        8KB

        Download
      • memory/292-10-0x0000000006050000-0x0000000006052000-memory.dmp
        Filesize

        8KB

        Download
      • memory/292-2-0x0000000072FE1000-0x0000000072FE4000-memory.dmp
        Filesize

        12KB

        Download
      • memory/840-12-0x000007FEF6B80000-0x000007FEF6DFA000-memory.dmp
        Filesize

        2.5MB

        Download
      • memory/848-14-0x0000000000000000-mapping.dmp
        Download
      • memory/848-15-0x0000000076861000-0x0000000076863000-memory.dmp
        Filesize

        8KB

        Download
      • memory/848-18-0x0000000010000000-0x0000000010035000-memory.dmp
        Filesize

        212KB

        Download
      • memory/848-19-0x00000000001B0000-0x00000000001B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/848-24-0x00000000004C0000-0x00000000004C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1352-8-0x0000000000000000-mapping.dmp
        Download
      • memory/1352-9-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1472-20-0x0000000000000000-mapping.dmp
        Download
      • memory/1472-22-0x000000006AF61000-0x000000006AF63000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1472-23-0x0000000000080000-0x00000000000B5000-memory.dmp
        Filesize

        212KB

        Download
      • memory/1812-6-0x0000000000000000-mapping.dmp
        Download