Analysis
- max time kernel: 136s
- max time network: 121s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 03-02-2021 14:53
- Static task: static1
- Behavioral task: behavioral1
- Sample: deed contract,02.02.2021.doc
- Resource: win7v20201028

General
- Target: deed contract,02.02.2021.doc
- Size: 96KB
- MD5: 1d33c7b0259d6322530a155a32a1eba3
- SHA1: e59ca07dcf1ce767077fe81179d726df5ad45337
- SHA256: eebfa6156f35bb2d5db5d88d7c1f14f3d0113494a205498f19d4fc40bc20aa04
- SHA512: d2801cf6a8d2da658bb5228567215f0e9c2ffb00e50f708fe22665c263d18bcc2dd7e0123b8cb5a3a48323c5262c5e443f04237cbe4a49a8450e3ed19d801aad
Malware Config
Extracted
- Family: qakbot
- Botnet: krk01
- Campaign: 1611569149
- C2 (address:port):
31.5.21.66:995
89.3.198.238:443
202.188.138.162:443
188.24.128.253:443
175.141.219.71:443
151.60.15.183:443
184.189.122.72:443
80.227.5.70:443
140.82.49.12:443
89.211.241.100:995
81.97.154.100:443
77.27.174.49:995
92.154.83.96:2078
42.3.8.54:443
71.187.170.235:443
46.153.36.53:995
71.182.142.63:443
105.186.102.16:443
50.244.112.106:443
78.63.226.32:443
85.132.36.111:2222
68.186.192.69:443
75.136.40.155:443
68.225.60.77:995
144.139.47.206:443
79.129.121.81:995
98.121.187.78:443
75.67.192.125:443
216.201.162.158:443
2.50.2.216:443
75.136.26.147:443
84.72.35.226:443
172.78.30.215:443
105.198.236.99:443
83.110.102.100:443
193.248.221.184:2222
190.85.91.154:443
96.37.113.36:993
83.110.108.181:2222
88.233.91.244:443
95.77.223.148:443
207.246.77.75:2222
86.236.77.68:2222
207.246.77.75:443
45.63.107.192:995
77.211.30.202:995
149.28.99.97:443
207.246.77.75:8443
149.28.98.196:2222
207.246.116.237:995
207.246.116.237:8443
149.28.99.97:995
207.246.77.75:995
207.246.116.237:2222
45.77.115.208:443
45.32.211.207:995
149.28.101.90:8443
149.28.101.90:443
149.28.99.97:2222
172.115.177.204:2222
144.202.38.185:995
207.246.116.237:443
149.28.98.196:443
144.202.38.185:443
149.28.101.90:995
45.32.211.207:2222
45.32.211.207:443
45.32.211.207:8443
149.28.98.196:995
144.202.38.185:2222
45.63.107.192:443
149.28.101.90:2222
45.63.107.192:2222
45.77.115.208:2222
196.151.252.84:443
105.198.236.101:443
82.76.47.211:443
45.77.115.208:995
45.77.115.208:8443
213.60.147.140:443
92.59.35.196:2222
47.22.148.6:443
203.106.195.67:443
202.185.50.15:443
173.70.165.101:995
50.240.77.238:22
86.98.93.124:2078
172.87.157.235:3389
197.45.110.165:995
76.25.142.196:443
106.51.52.111:443
188.25.63.105:443
83.110.12.140:2222
64.121.114.87:443
50.29.166.232:995
217.133.54.140:32100
122.148.156.131:995
173.21.10.71:2222
45.46.53.140:2222
67.6.91.75:443
47.156.65.184:443
76.111.128.194:443
75.118.1.141:443
65.27.228.247:443
71.74.12.34:443
74.68.144.202:443
98.240.24.57:443
47.196.192.184:443
71.14.110.199:443
71.197.126.250:443
24.253.38.139:993
197.161.154.132:443
80.7.129.64:995
47.208.8.187:443
89.137.211.239:995
86.220.60.133:2222
94.53.92.42:443
78.97.207.104:443
106.250.150.98:443
67.8.103.21:443
41.39.134.183:443
2.50.161.6:2222
96.19.117.140:443
199.19.117.131:443
104.37.20.207:995
216.150.207.100:2222
189.222.111.204:443
73.216.60.90:2222
69.123.179.70:443
189.237.7.9:443
89.137.221.232:443
109.12.111.14:443
125.63.101.62:443
2.7.69.217:2222
89.211.247.202:443
201.130.149.43:995
186.155.151.167:443
201.127.37.219:443
151.205.102.42:443
189.210.115.207:443
97.69.160.4:2222
72.240.200.181:2222
72.252.201.69:443
172.87.134.226:995
209.210.187.52:995
209.210.187.52:443
108.46.145.30:443
24.229.150.54:995
186.84.90.232:443
80.11.5.65:2222
Signatures

Executes dropped EXE (1 IoC)
Processes:
- PID 1376, xml.com

Loads dropped DLL (2 IoCs)
Processes:
- PID 1556, regsvr32.exe
- PID 352, regsvr32.exe

Drops file in Windows directory (1 IoC)
Processes:
- File created: C:\Windows\AppCompat\Programs\Amcache.hve.tmp (WerFault.exe)

Program crash (1 IoC)
Processes:
- PID 2584, WerFault.exe; target PID 352, regsvr32.exe

Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 (regsvr32.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc (regsvr32.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service (regsvr32.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 (regsvr32.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc (regsvr32.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service (regsvr32.exe)

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
- PID 1308, WINWORD.EXE (2 events)

Suspicious behavior: EnumeratesProcesses (19 IoCs)
Processes:
- PID 1556, regsvr32.exe (4 events)
- PID 2584, WerFault.exe (15 events)

Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
- PID 1556, regsvr32.exe

Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes:
- PID 1376, xml.com; each of the following tokens adjusted twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- PID 2584, WerFault.exe; tokens: SeRestorePrivilege, SeBackupPrivilege, SeBackupPrivilege, SeDebugPrivilege

Suspicious use of SetWindowsHookEx (18 IoCs)
Processes:
- PID 1308, WINWORD.EXE (18 events)

Suspicious use of WriteProcessMemory (18 IoCs)
Processes:
- PID 1308 (WINWORD.EXE) wrote to memory of PID 1376 (xml.com): 2 events
- PID 1376 (xml.com) wrote to memory of PID 2100 (regsvr32.exe): 2 events
- PID 2100 (regsvr32.exe) wrote to memory of PID 1556 (regsvr32.exe): 3 events
- PID 1556 (regsvr32.exe) wrote to memory of PID 1616 (explorer.exe): 5 events
- PID 1616 (explorer.exe) wrote to memory of PID 552 (schtasks.exe): 3 events
- PID 1572 (regsvr32.exe) wrote to memory of PID 352 (regsvr32.exe): 3 events
Processes

Level 1: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\deed contract,02.02.2021.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Level 2: C:\programdata\xml.com
    Command line: "C:\programdata\xml.com" process list /format : ".xsl"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SYSTEM32\regsvr32.exe
      Command line: regsvr32 c:\programdata\37102.jpg
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\SysWOW64\regsvr32.exe
        Command line: c:\programdata\37102.jpg
        - Loads dropped DLL
        - Checks SCSI registry key(s)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory

        Level 5: C:\Windows\SysWOW64\explorer.exe
          Command line: C:\Windows\SysWOW64\explorer.exe
          - Suspicious use of WriteProcessMemory

          Level 6: C:\Windows\SysWOW64\schtasks.exe
            Command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn vroitoybx /tr "regsvr32.exe -s \"c:\programdata\37102.jpg\"" /SC ONCE /Z /ST 14:59 /ET 15:11
            - Creates scheduled task(s)

Level 1: \??\c:\windows\system32\regsvr32.exe
  Command line: regsvr32.exe -s "c:\programdata\37102.jpg"
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\regsvr32.exe
    Command line: -s "c:\programdata\37102.jpg"
    - Loads dropped DLL

    Level 3: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 352 -s 596
      - Drops file in Windows directory
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\ProgramData\xml.com
  MD5: 4191f61f2449ccc2bc2f2ac6d8898ce7
  SHA1: d49936fc8a03561214ce4bf9791ca59e94ab8fe9
  SHA256: 74d21e1349aab027cd02d15f2428028c028592f265d1830c8dfc407f9bf76173
  SHA512: fe67059bc374cc2d39dd01c22c2183ca44a8e04050d633f78d4eac415ae4528c378c7504ea3cc4b6923675256ae3af199b3a498243a4ca1a4d0f61f2e086821f

- C:\Users\Admin\AppData\Local\Temp\.xsl
  MD5: 951d851ba666d2cc4c4fc4080d34e3eb
  SHA1: c46e5a4fd532d5627588897f177678d942ab0aaf
  SHA256: cd1fe9542a51787f269357c35df282eae27eb9568dfcafb6ec89bb59f0c571ab
  SHA512: e65399d3fd36e84b56fc4e0126f316bd1de91cbd3f2a735d23e169945c0b32b10f09864c61f05491b00e2aeed0314b8f773d8b42568b490665eea82ee6d1a419

- C:\programdata\xml.com
  MD5: 4191f61f2449ccc2bc2f2ac6d8898ce7
  SHA1: d49936fc8a03561214ce4bf9791ca59e94ab8fe9
  SHA256: 74d21e1349aab027cd02d15f2428028c028592f265d1830c8dfc407f9bf76173
  SHA512: fe67059bc374cc2d39dd01c22c2183ca44a8e04050d633f78d4eac415ae4528c378c7504ea3cc4b6923675256ae3af199b3a498243a4ca1a4d0f61f2e086821f

- \??\c:\programdata\37102.jpg
  MD5: a73d1d9296d479ff5f1d2ecb8135b97d
  SHA1: 5dea2f19c48708e05939a2fca9b7388767e702b9
  SHA256: 739ff1e9dfb75059bbcbb391135e86d3a6d6e69f155a01741a75fdaf7f3fc9bf
  SHA512: 0f20eb1425b608c5269fe4ef4ec390264f3c3ba21e790d90f20e55e5e3657e3a78af573c2718aaf77e4460f18b546bdc35baa52b21ea1fb3e2b1ab03bf5f902c

- \??\c:\programdata\37102.jpg
  MD5: 8bac227baa397ac730b4c65c19a79fe5
  SHA1: f8735861ae35590e841daf67b43787a054339435
  SHA256: bf3872c7e85d2f9d330aa6dc52f54e4003fadbed386c75fe3f22713269302e1b
  SHA512: 72b7f7c54436f38e6baa71f329e4b79b63e3987f6f61322a0128356afd23ffe64d126cea43385cfeba02d6971ce293ad35c8236236c3073495372ac2ca56de80

- \ProgramData\37102.jpg
  MD5: a73d1d9296d479ff5f1d2ecb8135b97d
  SHA1: 5dea2f19c48708e05939a2fca9b7388767e702b9
  SHA256: 739ff1e9dfb75059bbcbb391135e86d3a6d6e69f155a01741a75fdaf7f3fc9bf
  SHA512: 0f20eb1425b608c5269fe4ef4ec390264f3c3ba21e790d90f20e55e5e3657e3a78af573c2718aaf77e4460f18b546bdc35baa52b21ea1fb3e2b1ab03bf5f902c

- \ProgramData\37102.jpg
  MD5: 8bac227baa397ac730b4c65c19a79fe5
  SHA1: f8735861ae35590e841daf67b43787a054339435
  SHA256: bf3872c7e85d2f9d330aa6dc52f54e4003fadbed386c75fe3f22713269302e1b
  SHA512: 72b7f7c54436f38e6baa71f329e4b79b63e3987f6f61322a0128356afd23ffe64d126cea43385cfeba02d6971ce293ad35c8236236c3073495372ac2ca56de80

- memory/352-23-0x0000000000000000-mapping.dmp
- memory/552-20-0x0000000000000000-mapping.dmp
- memory/1308-2-0x00007FF8B5E60000-0x00007FF8B5E70000-memory.dmp (Filesize: 64KB)
- memory/1308-3-0x00007FF8B5E60000-0x00007FF8B5E70000-memory.dmp (Filesize: 64KB)
- memory/1308-9-0x0000023728540000-0x0000023728544000-memory.dmp (Filesize: 16KB)
- memory/1308-6-0x00007FF8B5E60000-0x00007FF8B5E70000-memory.dmp (Filesize: 64KB)
- memory/1308-4-0x00007FF8B5E60000-0x00007FF8B5E70000-memory.dmp (Filesize: 64KB)
- memory/1308-5-0x00007FF8D6250000-0x00007FF8D6887000-memory.dmp (Filesize: 6.2MB)
- memory/1376-7-0x0000000000000000-mapping.dmp
- memory/1556-14-0x0000000000000000-mapping.dmp
- memory/1556-17-0x0000000000A60000-0x0000000000A61000-memory.dmp (Filesize: 4KB)
- memory/1556-16-0x0000000073FD0000-0x0000000074005000-memory.dmp (Filesize: 212KB)
- memory/1616-19-0x00000000006F0000-0x0000000000725000-memory.dmp (Filesize: 212KB)
- memory/1616-18-0x0000000000000000-mapping.dmp
- memory/1616-21-0x00000000006F0000-0x0000000000725000-memory.dmp (Filesize: 212KB)
- memory/2100-12-0x0000000000000000-mapping.dmp
- memory/2584-25-0x0000000003BB0000-0x0000000003BB1000-memory.dmp (Filesize: 4KB)