qakbot | e3154af64e8c0979c27748c4c445b3fff752188c780a46b98f4fdb96b028c85d

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1524 schtasks.exe

pid	process
1524	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4000 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

rundll32.exeWerFault.exe

pid	process
2324	rundll32.exe
2324	rundll32.exe
2324	rundll32.exe
2324	rundll32.exe
4308	WerFault.exe
4308	WerFault.exe
4308	WerFault.exe
4308	WerFault.exe
4308	WerFault.exe
4308	WerFault.exe
4308	WerFault.exe
4308	WerFault.exe
4308	WerFault.exe
4308	WerFault.exe
4308	WerFault.exe
4308	WerFault.exe
4308	WerFault.exe
4308	WerFault.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

2324 rundll32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 4308 WerFault.exe
Token: SeBackupPrivilege 4308 WerFault.exe
Token: SeDebugPrivilege 4308 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	4308	WerFault.exe
Token: SeBackupPrivilege	4308	WerFault.exe
Token: SeDebugPrivilege	4308	WerFault.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

EXCEL.EXE

pid	process
4000	EXCEL.EXE
4000	EXCEL.EXE
4000	EXCEL.EXE
4000	EXCEL.EXE
4000	EXCEL.EXE
4000	EXCEL.EXE
4000	EXCEL.EXE
4000	EXCEL.EXE
4000	EXCEL.EXE
4000	EXCEL.EXE
4000	EXCEL.EXE
4000	EXCEL.EXE
4000	EXCEL.EXE
4000	EXCEL.EXE
4000	EXCEL.EXE
4000	EXCEL.EXE
4000	EXCEL.EXE
4000	EXCEL.EXE
4000	EXCEL.EXE
4000	EXCEL.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

EXCEL.EXErundll32.exerundll32.exeexplorer.exeregsvr32.exe

description	pid	process	target process
PID 4000 wrote to memory of 3996	4000	EXCEL.EXE	rundll32.exe
PID 4000 wrote to memory of 3996	4000	EXCEL.EXE	rundll32.exe
PID 4000 wrote to memory of 3840	4000	EXCEL.EXE	rundll32.exe
PID 4000 wrote to memory of 3840	4000	EXCEL.EXE	rundll32.exe
PID 3840 wrote to memory of 2324	3840	rundll32.exe	rundll32.exe
PID 3840 wrote to memory of 2324	3840	rundll32.exe	rundll32.exe
PID 3840 wrote to memory of 2324	3840	rundll32.exe	rundll32.exe
PID 2324 wrote to memory of 2216	2324	rundll32.exe	explorer.exe
PID 2324 wrote to memory of 2216	2324	rundll32.exe	explorer.exe
PID 2324 wrote to memory of 2216	2324	rundll32.exe	explorer.exe
PID 2324 wrote to memory of 2216	2324	rundll32.exe	explorer.exe
PID 2324 wrote to memory of 2216	2324	rundll32.exe	explorer.exe
PID 4000 wrote to memory of 660	4000	EXCEL.EXE	rundll32.exe
PID 4000 wrote to memory of 660	4000	EXCEL.EXE	rundll32.exe
PID 2216 wrote to memory of 1524	2216	explorer.exe	schtasks.exe
PID 2216 wrote to memory of 1524	2216	explorer.exe	schtasks.exe
PID 2216 wrote to memory of 1524	2216	explorer.exe	schtasks.exe
PID 4000 wrote to memory of 3824	4000	EXCEL.EXE	rundll32.exe
PID 4000 wrote to memory of 3824	4000	EXCEL.EXE	rundll32.exe
PID 4000 wrote to memory of 4100	4000	EXCEL.EXE	rundll32.exe
PID 4000 wrote to memory of 4100	4000	EXCEL.EXE	rundll32.exe
PID 4240 wrote to memory of 4256	4240	regsvr32.exe	regsvr32.exe
PID 4240 wrote to memory of 4256	4240	regsvr32.exe	regsvr32.exe
PID 4240 wrote to memory of 4256	4240	regsvr32.exe	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\qb.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4000

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\HYGFR.HYGF,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:3996

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\HYGFR.HYGF1,DllRegisterServer
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3840

C:\Windows\SysWOW64\rundll32.exe
rundll32 ..\HYGFR.HYGF1,DllRegisterServer
3⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2216

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn uwqimtlxic /tr "regsvr32.exe -s \"C:\Users\Admin\HYGFR.HYGF1\"" /SC ONCE /Z /ST 10:26 /ET 10:38
5⤵
- Creates scheduled task(s)
PID:1524

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\HYGFR.HYGF2,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:660

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\HYGFR.HYGF3,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:3824

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\HYGFR.HYGF4,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:4100

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\HYGFR.HYGF1"
1⤵
- Suspicious use of WriteProcessMemory
PID:4240

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\HYGFR.HYGF1"
2⤵
- Loads dropped DLL
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 596
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4308

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

3

Peripheral Device Discovery

T1120

System Information Discovery

3