Analysis
-
max time kernel
140s -
max time network
135s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
03-02-2021 10:20
Behavioral task
behavioral1
Sample
qb.xls
Resource
win7v20201028
General
-
Target
qb.xls
-
Size
67KB
-
MD5
c9a898c5a3270a8afe2c5be7a1cda7d3
-
SHA1
8fcdd739624c60795d18d0f2d769f70ffcaf04a3
-
SHA256
e3154af64e8c0979c27748c4c445b3fff752188c780a46b98f4fdb96b028c85d
-
SHA512
50e3b721b3d715ce6b3c3d85b34c127f81cf2f32654d7d59bf054b944b39578231279c2308106f36ee27235bd3a5d4595d786b8c90f7049ffab92d9bad970161
Malware Config
Extracted
qakbot
abc123
1612275762
196.151.252.84:443
216.201.162.158:443
83.110.12.140:2222
105.186.102.16:443
108.31.15.10:995
193.248.221.184:2222
68.225.60.77:995
197.45.110.165:995
89.3.198.238:443
81.97.154.100:443
81.214.126.173:2222
108.46.145.30:443
71.187.170.235:443
72.240.200.181:2222
81.88.254.62:443
98.240.24.57:443
86.97.8.249:443
75.136.40.155:443
79.129.121.81:995
37.211.90.175:995
2.7.69.217:2222
78.63.226.32:443
80.227.5.69:443
47.22.148.6:443
125.63.101.62:443
181.48.190.78:443
41.39.134.183:443
78.97.207.104:443
188.25.63.105:443
68.131.107.37:443
172.78.30.215:443
90.101.117.122:2222
81.150.181.168:2222
45.77.115.208:2222
85.52.72.32:2222
76.110.113.71:995
106.51.52.111:443
75.67.192.125:443
172.115.177.204:2222
83.110.103.152:443
71.74.12.34:443
149.28.99.97:2222
207.246.116.237:2222
207.246.77.75:443
45.32.211.207:2222
149.28.101.90:995
149.28.101.90:8443
45.32.211.207:443
207.246.77.75:8443
149.28.98.196:995
207.246.116.237:995
45.63.107.192:2222
45.63.107.192:443
144.202.38.185:443
149.28.98.196:443
45.63.107.192:995
149.28.101.90:443
149.28.99.97:995
45.77.115.208:443
207.246.77.75:995
144.202.38.185:2222
45.32.211.207:8443
149.28.99.97:443
149.28.101.90:2222
207.246.116.237:443
144.202.38.185:995
207.246.116.237:8443
207.246.77.75:2222
149.28.98.196:2222
45.32.211.207:995
175.141.219.71:443
184.189.122.72:443
176.181.247.197:443
77.27.174.49:995
92.59.35.196:2222
51.9.198.164:2222
24.139.72.117:443
98.121.187.78:443
45.77.115.208:8443
45.77.115.208:995
172.87.157.235:3389
85.58.200.50:2222
41.205.16.1:443
50.240.77.238:22
95.77.223.148:443
24.50.118.93:443
84.72.35.226:443
86.220.60.133:2222
184.179.14.130:22
190.85.91.154:443
24.152.219.253:995
70.126.76.75:443
160.3.187.114:443
64.121.114.87:443
67.8.103.21:443
50.244.112.106:443
83.110.108.181:2222
37.211.83.41:443
140.82.49.12:443
80.11.173.82:8443
125.209.114.182:995
213.60.147.140:443
71.88.193.17:443
197.161.154.132:443
85.132.36.111:2222
2.232.253.79:995
68.186.192.69:443
24.43.22.218:993
105.198.236.101:443
46.153.119.255:995
151.60.14.100:443
86.236.77.68:2222
86.98.93.124:2078
31.5.21.66:995
203.198.96.37:443
151.245.68.56:32103
50.29.166.232:995
106.250.150.98:443
76.25.142.196:443
202.184.20.119:443
115.133.243.6:443
27.223.92.142:995
82.76.47.211:443
122.148.156.131:995
173.21.10.71:2222
125.239.152.76:995
144.139.47.206:443
45.46.53.140:2222
144.139.166.18:443
67.6.12.4:443
76.111.128.194:443
75.136.26.147:443
75.118.1.141:443
65.27.228.247:443
74.77.162.33:443
100.2.123.122:443
69.123.179.70:443
70.26.7.67:2222
199.19.117.131:443
71.197.126.250:443
201.170.168.142:995
72.48.124.36:443
186.28.51.27:443
172.87.134.226:995
97.69.160.4:2222
67.165.206.193:993
72.252.201.69:443
74.68.144.202:443
89.137.211.239:995
70.54.25.76:2222
Signatures
-
Process spawned unexpected child process 5 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 3996 4000 rundll32.exe EXCEL.EXE Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 3840 4000 rundll32.exe EXCEL.EXE Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 660 4000 rundll32.exe EXCEL.EXE Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 3824 4000 rundll32.exe EXCEL.EXE Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 4100 4000 rundll32.exe EXCEL.EXE -
Loads dropped DLL 2 IoCs
Processes:
rundll32.exeregsvr32.exepid process 2324 rundll32.exe 4256 regsvr32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4308 4256 WerFault.exe regsvr32.exe -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
rundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc rundll32.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 4000 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
rundll32.exeWerFault.exepid process 2324 rundll32.exe 2324 rundll32.exe 2324 rundll32.exe 2324 rundll32.exe 4308 WerFault.exe 4308 WerFault.exe 4308 WerFault.exe 4308 WerFault.exe 4308 WerFault.exe 4308 WerFault.exe 4308 WerFault.exe 4308 WerFault.exe 4308 WerFault.exe 4308 WerFault.exe 4308 WerFault.exe 4308 WerFault.exe 4308 WerFault.exe 4308 WerFault.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
rundll32.exepid process 2324 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 4308 WerFault.exe Token: SeBackupPrivilege 4308 WerFault.exe Token: SeDebugPrivilege 4308 WerFault.exe -
Suspicious use of SetWindowsHookEx 20 IoCs
Processes:
EXCEL.EXEpid process 4000 EXCEL.EXE 4000 EXCEL.EXE 4000 EXCEL.EXE 4000 EXCEL.EXE 4000 EXCEL.EXE 4000 EXCEL.EXE 4000 EXCEL.EXE 4000 EXCEL.EXE 4000 EXCEL.EXE 4000 EXCEL.EXE 4000 EXCEL.EXE 4000 EXCEL.EXE 4000 EXCEL.EXE 4000 EXCEL.EXE 4000 EXCEL.EXE 4000 EXCEL.EXE 4000 EXCEL.EXE 4000 EXCEL.EXE 4000 EXCEL.EXE 4000 EXCEL.EXE -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
EXCEL.EXErundll32.exerundll32.exeexplorer.exeregsvr32.exedescription pid process target process PID 4000 wrote to memory of 3996 4000 EXCEL.EXE rundll32.exe PID 4000 wrote to memory of 3996 4000 EXCEL.EXE rundll32.exe PID 4000 wrote to memory of 3840 4000 EXCEL.EXE rundll32.exe PID 4000 wrote to memory of 3840 4000 EXCEL.EXE rundll32.exe PID 3840 wrote to memory of 2324 3840 rundll32.exe rundll32.exe PID 3840 wrote to memory of 2324 3840 rundll32.exe rundll32.exe PID 3840 wrote to memory of 2324 3840 rundll32.exe rundll32.exe PID 2324 wrote to memory of 2216 2324 rundll32.exe explorer.exe PID 2324 wrote to memory of 2216 2324 rundll32.exe explorer.exe PID 2324 wrote to memory of 2216 2324 rundll32.exe explorer.exe PID 2324 wrote to memory of 2216 2324 rundll32.exe explorer.exe PID 2324 wrote to memory of 2216 2324 rundll32.exe explorer.exe PID 4000 wrote to memory of 660 4000 EXCEL.EXE rundll32.exe PID 4000 wrote to memory of 660 4000 EXCEL.EXE rundll32.exe PID 2216 wrote to memory of 1524 2216 explorer.exe schtasks.exe PID 2216 wrote to memory of 1524 2216 explorer.exe schtasks.exe PID 2216 wrote to memory of 1524 2216 explorer.exe schtasks.exe PID 4000 wrote to memory of 3824 4000 EXCEL.EXE rundll32.exe PID 4000 wrote to memory of 3824 4000 EXCEL.EXE rundll32.exe PID 4000 wrote to memory of 4100 4000 EXCEL.EXE rundll32.exe PID 4000 wrote to memory of 4100 4000 EXCEL.EXE rundll32.exe PID 4240 wrote to memory of 4256 4240 regsvr32.exe regsvr32.exe PID 4240 wrote to memory of 4256 4240 regsvr32.exe regsvr32.exe PID 4240 wrote to memory of 4256 4240 regsvr32.exe regsvr32.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\qb.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\rundll32.exerundll32 ..\HYGFR.HYGF,DllRegisterServer2⤵
- Process spawned unexpected child process
-
C:\Windows\SYSTEM32\rundll32.exerundll32 ..\HYGFR.HYGF1,DllRegisterServer2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32 ..\HYGFR.HYGF1,DllRegisterServer3⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn uwqimtlxic /tr "regsvr32.exe -s \"C:\Users\Admin\HYGFR.HYGF1\"" /SC ONCE /Z /ST 10:26 /ET 10:385⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\rundll32.exerundll32 ..\HYGFR.HYGF2,DllRegisterServer2⤵
- Process spawned unexpected child process
-
C:\Windows\SYSTEM32\rundll32.exerundll32 ..\HYGFR.HYGF3,DllRegisterServer2⤵
- Process spawned unexpected child process
-
C:\Windows\SYSTEM32\rundll32.exerundll32 ..\HYGFR.HYGF4,DllRegisterServer2⤵
- Process spawned unexpected child process
-
\??\c:\windows\system32\regsvr32.exeregsvr32.exe -s "C:\Users\Admin\HYGFR.HYGF1"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe-s "C:\Users\Admin\HYGFR.HYGF1"2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 5963⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\HYGFR.HYGF1MD5
77f747e03c81e884840330e356969825
SHA1032b47ec2f25613ca2dea8e26ed63f41c89747db
SHA256dc0bac170788ea9646b9f980ad51adf8d210f01c653c89a9f884f77c013d6924
SHA51279f7667f6efd3fd9ee26c253a707e15e2774541234e0a09793a6646c477109c1658a1408f26163a7f9784dd8b66d484e96570c4a5effac8a90299eb627dcf481
-
C:\Users\Admin\HYGFR.HYGF1MD5
7593f350d5c3c9ee3f91dcedad359b32
SHA1f2bd2db89bd31eaac17a85fb04e597f57f8e824b
SHA256d82804f47fd8018a4709fca3f31246431e694d152c3e9bfdc311c6c2ceaa73ed
SHA512e81bb719ced43a52eba2b4fd2fd955ba48e8ed2c2773051dd8fe72a8a0aed0c5198e671cf39d275d401fa8854b87976e3a314452264e0dd8514c9ae0817041c9
-
C:\Users\Admin\HYGFR.HYGF2MD5
d40f0d3acb5e264dcaae5935dfe9152e
SHA1f90886590579d0eccd74a802b1272b6455b600f6
SHA256aeb69d38aa46a1cf16a0b18d9fd7ecd01c2ba17e7ba8d4468fda019f37a59987
SHA5122e5cd3486dcd0c17d38697fb0de0a740930a751d5b338ef79df349ab1f471f5faa434cfbd2f8efb335855d77e00a380ab2c90daec494703e9be1ee78bcc3a157
-
\Users\Admin\HYGFR.HYGF1MD5
7593f350d5c3c9ee3f91dcedad359b32
SHA1f2bd2db89bd31eaac17a85fb04e597f57f8e824b
SHA256d82804f47fd8018a4709fca3f31246431e694d152c3e9bfdc311c6c2ceaa73ed
SHA512e81bb719ced43a52eba2b4fd2fd955ba48e8ed2c2773051dd8fe72a8a0aed0c5198e671cf39d275d401fa8854b87976e3a314452264e0dd8514c9ae0817041c9
-
\Users\Admin\HYGFR.HYGF1MD5
77f747e03c81e884840330e356969825
SHA1032b47ec2f25613ca2dea8e26ed63f41c89747db
SHA256dc0bac170788ea9646b9f980ad51adf8d210f01c653c89a9f884f77c013d6924
SHA51279f7667f6efd3fd9ee26c253a707e15e2774541234e0a09793a6646c477109c1658a1408f26163a7f9784dd8b66d484e96570c4a5effac8a90299eb627dcf481
-
memory/660-16-0x0000000000000000-mapping.dmp
-
memory/1524-17-0x0000000000000000-mapping.dmp
-
memory/2216-18-0x0000000002E00000-0x0000000002E35000-memory.dmpFilesize
212KB
-
memory/2216-15-0x0000000002E00000-0x0000000002E35000-memory.dmpFilesize
212KB
-
memory/2216-14-0x0000000000000000-mapping.dmp
-
memory/2324-10-0x0000000000000000-mapping.dmp
-
memory/2324-12-0x0000000000F10000-0x0000000000F44000-memory.dmpFilesize
208KB
-
memory/2324-13-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/3824-20-0x0000000000000000-mapping.dmp
-
memory/3840-8-0x0000000000000000-mapping.dmp
-
memory/3996-7-0x0000000000000000-mapping.dmp
-
memory/4000-5-0x00007FFCC06C0000-0x00007FFCC0CF7000-memory.dmpFilesize
6.2MB
-
memory/4000-6-0x00007FFC9C810000-0x00007FFC9C820000-memory.dmpFilesize
64KB
-
memory/4000-2-0x00007FFC9C810000-0x00007FFC9C820000-memory.dmpFilesize
64KB
-
memory/4000-4-0x00007FFC9C810000-0x00007FFC9C820000-memory.dmpFilesize
64KB
-
memory/4000-3-0x00007FFC9C810000-0x00007FFC9C820000-memory.dmpFilesize
64KB
-
memory/4100-21-0x0000000000000000-mapping.dmp
-
memory/4256-23-0x0000000000000000-mapping.dmp
-
memory/4308-25-0x0000000003320000-0x0000000003321000-memory.dmpFilesize
4KB