Overview

overview

10

Static

static

8

deed contr...21.doc

windows7_x64

10

deed contr...21.doc

windows10_x64

10

Analysis

  • max time kernel
    136s
  • max time network
    121s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    03-02-2021 14:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    deed contract,02.02.2021.doc

  • Size

    96KB

  • MD5

    1d33c7b0259d6322530a155a32a1eba3

  • SHA1

    e59ca07dcf1ce767077fe81179d726df5ad45337

  • SHA256

    eebfa6156f35bb2d5db5d88d7c1f14f3d0113494a205498f19d4fc40bc20aa04

  • SHA512

    d2801cf6a8d2da658bb5228567215f0e9c2ffb00e50f708fe22665c263d18bcc2dd7e0123b8cb5a3a48323c5262c5e443f04237cbe4a49a8450e3ed19d801aad

Score
10/10
qakbotkrk011611569149bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Botnet

krk01

Campaign

1611569149

C2

31.5.21.66:995

89.3.198.238:443

202.188.138.162:443

188.24.128.253:443

175.141.219.71:443

151.60.15.183:443

184.189.122.72:443

80.227.5.70:443

140.82.49.12:443

89.211.241.100:995

81.97.154.100:443

77.27.174.49:995

92.154.83.96:2078

42.3.8.54:443

71.187.170.235:443

46.153.36.53:995

71.182.142.63:443

105.186.102.16:443

50.244.112.106:443

78.63.226.32:443

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\deed contract,02.02.2021.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1308
    • C:\programdata\xml.com
      "C:\programdata\xml.com" process list /format : ".xsl"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1376
      • C:\Windows\SYSTEM32\regsvr32.exe
        regsvr32 c:\programdata\37102.jpg
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2100
        • C:\Windows\SysWOW64\regsvr32.exe
          c:\programdata\37102.jpg
          4⤵
          • Loads dropped DLL
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1556
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1616
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn vroitoybx /tr "regsvr32.exe -s \"c:\programdata\37102.jpg\"" /SC ONCE /Z /ST 14:59 /ET 15:11
              6⤵
              • Creates scheduled task(s)
              PID:552
  • \??\c:\windows\system32\regsvr32.exe
    regsvr32.exe -s "c:\programdata\37102.jpg"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1572
    • C:\Windows\SysWOW64\regsvr32.exe
      -s "c:\programdata\37102.jpg"
      2⤵
      • Loads dropped DLL
      PID:352
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 352 -s 596
        3⤵
        • Drops file in Windows directory
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

3
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\xml.com
    MD5

    4191f61f2449ccc2bc2f2ac6d8898ce7

    SHA1

    d49936fc8a03561214ce4bf9791ca59e94ab8fe9

    SHA256

    74d21e1349aab027cd02d15f2428028c028592f265d1830c8dfc407f9bf76173

    SHA512

    fe67059bc374cc2d39dd01c22c2183ca44a8e04050d633f78d4eac415ae4528c378c7504ea3cc4b6923675256ae3af199b3a498243a4ca1a4d0f61f2e086821f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\.xsl
    MD5

    951d851ba666d2cc4c4fc4080d34e3eb

    SHA1

    c46e5a4fd532d5627588897f177678d942ab0aaf

    SHA256

    cd1fe9542a51787f269357c35df282eae27eb9568dfcafb6ec89bb59f0c571ab

    SHA512

    e65399d3fd36e84b56fc4e0126f316bd1de91cbd3f2a735d23e169945c0b32b10f09864c61f05491b00e2aeed0314b8f773d8b42568b490665eea82ee6d1a419

    Download Submit
  • C:\programdata\xml.com
    MD5

    4191f61f2449ccc2bc2f2ac6d8898ce7

    SHA1

    d49936fc8a03561214ce4bf9791ca59e94ab8fe9

    SHA256

    74d21e1349aab027cd02d15f2428028c028592f265d1830c8dfc407f9bf76173

    SHA512

    fe67059bc374cc2d39dd01c22c2183ca44a8e04050d633f78d4eac415ae4528c378c7504ea3cc4b6923675256ae3af199b3a498243a4ca1a4d0f61f2e086821f

    Download Submit
  • \??\c:\programdata\37102.jpg
    MD5

    a73d1d9296d479ff5f1d2ecb8135b97d

    SHA1

    5dea2f19c48708e05939a2fca9b7388767e702b9

    SHA256

    739ff1e9dfb75059bbcbb391135e86d3a6d6e69f155a01741a75fdaf7f3fc9bf

    SHA512

    0f20eb1425b608c5269fe4ef4ec390264f3c3ba21e790d90f20e55e5e3657e3a78af573c2718aaf77e4460f18b546bdc35baa52b21ea1fb3e2b1ab03bf5f902c

    Download Submit
  • \??\c:\programdata\37102.jpg
    MD5

    8bac227baa397ac730b4c65c19a79fe5

    SHA1

    f8735861ae35590e841daf67b43787a054339435

    SHA256

    bf3872c7e85d2f9d330aa6dc52f54e4003fadbed386c75fe3f22713269302e1b

    SHA512

    72b7f7c54436f38e6baa71f329e4b79b63e3987f6f61322a0128356afd23ffe64d126cea43385cfeba02d6971ce293ad35c8236236c3073495372ac2ca56de80

    Download Submit
  • \ProgramData\37102.jpg
    MD5

    a73d1d9296d479ff5f1d2ecb8135b97d

    SHA1

    5dea2f19c48708e05939a2fca9b7388767e702b9

    SHA256

    739ff1e9dfb75059bbcbb391135e86d3a6d6e69f155a01741a75fdaf7f3fc9bf

    SHA512

    0f20eb1425b608c5269fe4ef4ec390264f3c3ba21e790d90f20e55e5e3657e3a78af573c2718aaf77e4460f18b546bdc35baa52b21ea1fb3e2b1ab03bf5f902c

    Download Submit
  • \ProgramData\37102.jpg
    MD5

    8bac227baa397ac730b4c65c19a79fe5

    SHA1

    f8735861ae35590e841daf67b43787a054339435

    SHA256

    bf3872c7e85d2f9d330aa6dc52f54e4003fadbed386c75fe3f22713269302e1b

    SHA512

    72b7f7c54436f38e6baa71f329e4b79b63e3987f6f61322a0128356afd23ffe64d126cea43385cfeba02d6971ce293ad35c8236236c3073495372ac2ca56de80

    Download Submit
  • memory/352-23-0x0000000000000000-mapping.dmp
    Download
  • memory/552-20-0x0000000000000000-mapping.dmp
    Download
  • memory/1308-2-0x00007FF8B5E60000-0x00007FF8B5E70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1308-3-0x00007FF8B5E60000-0x00007FF8B5E70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1308-9-0x0000023728540000-0x0000023728544000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1308-6-0x00007FF8B5E60000-0x00007FF8B5E70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1308-4-0x00007FF8B5E60000-0x00007FF8B5E70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1308-5-0x00007FF8D6250000-0x00007FF8D6887000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/1376-7-0x0000000000000000-mapping.dmp
    Download
  • memory/1556-14-0x0000000000000000-mapping.dmp
    Download
  • memory/1556-17-0x0000000000A60000-0x0000000000A61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1556-16-0x0000000073FD0000-0x0000000074005000-memory.dmp
    Filesize

    212KB

    Download
  • memory/1616-19-0x00000000006F0000-0x0000000000725000-memory.dmp
    Filesize

    212KB

    Download
  • memory/1616-18-0x0000000000000000-mapping.dmp
    Download
  • memory/1616-21-0x00000000006F0000-0x0000000000725000-memory.dmp
    Filesize

    212KB

    Download
  • memory/2100-12-0x0000000000000000-mapping.dmp
    Download
  • memory/2584-25-0x0000000003BB0000-0x0000000003BB1000-memory.dmp
    Filesize

    4KB

    Download