qakbot | 53b9aaed11c3bff95b8baeef19467b11ab6ef362e2f8b550ee531babbddd9e0f

Analysis

max time kernel
150s
max time network
9s
platform
windows7_x64
resource
win7v20201028
submitted
04-02-2021 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bid,02.21.doc
Size

95KB
MD5

8d4ca32c865cbc75fb529bc64730c453
SHA1

334c4352dbda3759ca503a6118bc2ddb09b6f9d7
SHA256

53b9aaed11c3bff95b8baeef19467b11ab6ef362e2f8b550ee531babbddd9e0f
SHA512

3bd039c6d748008d76d5095be0130763e74dd68929e1f8878c557e92bff5742731fdfddbb38171b4f6c13ed42e7339ea4bd54c975d6f36015ea6f7b2bfb66f50

Score

10^/10

qakbot krk01 1611569149 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

krk01

Campaign

1611569149

31.5.21.66:995

89.3.198.238:443

202.188.138.162:443

188.24.128.253:443

175.141.219.71:443

151.60.15.183:443

184.189.122.72:443

80.227.5.70:443

140.82.49.12:443

89.211.241.100:995

81.97.154.100:443

77.27.174.49:995

92.154.83.96:2078

42.3.8.54:443

71.187.170.235:443

46.153.36.53:995

71.182.142.63:443

105.186.102.16:443

50.244.112.106:443

78.63.226.32:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Executes dropped EXE 1 IoCs

Processes:

xml.com

pid process

1272 xml.com
Loads dropped DLL 5 IoCs

Processes:

WINWORD.EXEregsvr32.exe

pid process

1684 WINWORD.EXE
1684 WINWORD.EXE
1684 WINWORD.EXE
1684 WINWORD.EXE
316 regsvr32.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

pid	process
1272	xml.com

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Modifies registry class 280 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\TypeLib\{026D6E91-FF14-44AE-942A-E1B5D1B9DD22}\2.0	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\TypeLib\{026D6E91-FF14-44AE-942A-E1B5D1B9DD22}\2.0\ = "Microsoft Forms 2.0 Object Library"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026D6E91-FF14-44AE-942A-E1B5D1B9DD22}\2.0\ = "Microsoft Forms 2.0 Object Library"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026D6E91-FF14-44AE-942A-E1B5D1B9DD22}\2.0\0\win32	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1684 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

316 regsvr32.exe
316 regsvr32.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

regsvr32.exe

pid process

316 regsvr32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

regsvr32.exe

pid process

316 regsvr32.exe

pid	process
316	regsvr32.exe
316	regsvr32.exe

pid	process
316	regsvr32.exe

pid	process
316	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

xml.com

description	pid	process
Token: SeIncreaseQuotaPrivilege	1272	xml.com
Token: SeSecurityPrivilege	1272	xml.com
Token: SeTakeOwnershipPrivilege	1272	xml.com
Token: SeLoadDriverPrivilege	1272	xml.com
Token: SeSystemProfilePrivilege	1272	xml.com
Token: SeSystemtimePrivilege	1272	xml.com
Token: SeProfSingleProcessPrivilege	1272	xml.com
Token: SeIncBasePriorityPrivilege	1272	xml.com
Token: SeCreatePagefilePrivilege	1272	xml.com
Token: SeBackupPrivilege	1272	xml.com
Token: SeRestorePrivilege	1272	xml.com
Token: SeShutdownPrivilege	1272	xml.com
Token: SeDebugPrivilege	1272	xml.com
Token: SeSystemEnvironmentPrivilege	1272	xml.com
Token: SeRemoteShutdownPrivilege	1272	xml.com
Token: SeUndockPrivilege	1272	xml.com
Token: SeManageVolumePrivilege	1272	xml.com
Token: 33	1272	xml.com
Token: 34	1272	xml.com
Token: 35	1272	xml.com
Token: SeIncreaseQuotaPrivilege	1272	xml.com
Token: SeSecurityPrivilege	1272	xml.com
Token: SeTakeOwnershipPrivilege	1272	xml.com
Token: SeLoadDriverPrivilege	1272	xml.com
Token: SeSystemProfilePrivilege	1272	xml.com
Token: SeSystemtimePrivilege	1272	xml.com
Token: SeProfSingleProcessPrivilege	1272	xml.com
Token: SeIncBasePriorityPrivilege	1272	xml.com
Token: SeCreatePagefilePrivilege	1272	xml.com
Token: SeBackupPrivilege	1272	xml.com
Token: SeRestorePrivilege	1272	xml.com
Token: SeShutdownPrivilege	1272	xml.com
Token: SeDebugPrivilege	1272	xml.com
Token: SeSystemEnvironmentPrivilege	1272	xml.com
Token: SeRemoteShutdownPrivilege	1272	xml.com
Token: SeUndockPrivilege	1272	xml.com
Token: SeManageVolumePrivilege	1272	xml.com
Token: 33	1272	xml.com
Token: 34	1272	xml.com
Token: 35	1272	xml.com

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

WINWORD.EXE

pid	process
1684	WINWORD.EXE
1684	WINWORD.EXE
1684	WINWORD.EXE
1684	WINWORD.EXE
1684	WINWORD.EXE
1684	WINWORD.EXE
1684	WINWORD.EXE
1684	WINWORD.EXE
1684	WINWORD.EXE
1684	WINWORD.EXE
1684	WINWORD.EXE
1684	WINWORD.EXE
1684	WINWORD.EXE
1684	WINWORD.EXE
1684	WINWORD.EXE
1684	WINWORD.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

WINWORD.EXExml.comregsvr32.exe

description	pid	process	target process
PID 1684 wrote to memory of 1272	1684	WINWORD.EXE	xml.com
PID 1684 wrote to memory of 1272	1684	WINWORD.EXE	xml.com
PID 1684 wrote to memory of 1272	1684	WINWORD.EXE	xml.com
PID 1684 wrote to memory of 1272	1684	WINWORD.EXE	xml.com
PID 1684 wrote to memory of 1812	1684	WINWORD.EXE	splwow64.exe
PID 1684 wrote to memory of 1812	1684	WINWORD.EXE	splwow64.exe
PID 1684 wrote to memory of 1812	1684	WINWORD.EXE	splwow64.exe
PID 1684 wrote to memory of 1812	1684	WINWORD.EXE	splwow64.exe
PID 1272 wrote to memory of 316	1272	xml.com	regsvr32.exe
PID 1272 wrote to memory of 316	1272	xml.com	regsvr32.exe
PID 1272 wrote to memory of 316	1272	xml.com	regsvr32.exe
PID 1272 wrote to memory of 316	1272	xml.com	regsvr32.exe
PID 1272 wrote to memory of 316	1272	xml.com	regsvr32.exe
PID 1272 wrote to memory of 316	1272	xml.com	regsvr32.exe
PID 1272 wrote to memory of 316	1272	xml.com	regsvr32.exe
PID 316 wrote to memory of 1008	316	regsvr32.exe	explorer.exe
PID 316 wrote to memory of 1008	316	regsvr32.exe	explorer.exe
PID 316 wrote to memory of 1008	316	regsvr32.exe	explorer.exe
PID 316 wrote to memory of 1008	316	regsvr32.exe	explorer.exe
PID 316 wrote to memory of 1008	316	regsvr32.exe	explorer.exe
PID 316 wrote to memory of 1008	316	regsvr32.exe	explorer.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bid,02.21.doc"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1684

C:\programdata\xml.com
"C:\programdata\xml.com" process list /format : "c:\programdata\i.xsl"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 c:\programdata\1271.jpg
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
PID:1008

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\xml.com
MD5
a03cf3838775e0801a0894c8bacd2e56

SHA1
4368dbd172224ec9461364be1ac9dffc5d9224a8

SHA256
132aa270790f56a7524cab968927ed5e1d91b9a26d4badcb24e450e7decc5f81

SHA512
b9e2467157139cc288e027d34865034eaf441dd69981a91df18d60e6b6a7cc53f8102230d18e4c6de2f3ad3ab413d755663bfc82d3033e52faf38509a7cdfcdc

Download Submit
C:\programdata\xml.com
MD5
a03cf3838775e0801a0894c8bacd2e56

SHA1
4368dbd172224ec9461364be1ac9dffc5d9224a8

SHA256
132aa270790f56a7524cab968927ed5e1d91b9a26d4badcb24e450e7decc5f81

SHA512
b9e2467157139cc288e027d34865034eaf441dd69981a91df18d60e6b6a7cc53f8102230d18e4c6de2f3ad3ab413d755663bfc82d3033e52faf38509a7cdfcdc

Download Submit
\??\c:\programdata\1271.jpg
MD5
4a2a46cfca30f739994362c22f0d2f46

SHA1
f0c75c3e93907f66e1f747d1eb099d144f30deeb

SHA256
c335c63f7587348d5c65235379f76f5298fe90264857675cf08539a6be9e990b

SHA512
1024ef1bff08cf739c90e04fae00e4ab1fb96a6bd77baebb258901a86d4626149c9197cfe4f025e7e0e4bce7db53ed5d80e4fadf83d7680832a640bda6876a5b

Download Submit
\??\c:\programdata\i.xsl
MD5
3bfe49781b0c5ebfce69bf1815076111

SHA1
12af9552ed24477939ad337973643ec758e62721

SHA256
5243d6b20c66df6fb8e02b17b4963a8b33d4b907209fa08bf024becb341628a3

SHA512
65a8535574bad660a9b4bc8b1bbcb0e479a40843c51432f8313248064bb6457bd2a9846c5a6fc382090942efb3b6ac9860a67a3876ff40a20923347ab45c0e3c

Download Submit
\ProgramData\1271.jpg
MD5
4a2a46cfca30f739994362c22f0d2f46

SHA1
f0c75c3e93907f66e1f747d1eb099d144f30deeb

SHA256
c335c63f7587348d5c65235379f76f5298fe90264857675cf08539a6be9e990b

SHA512
1024ef1bff08cf739c90e04fae00e4ab1fb96a6bd77baebb258901a86d4626149c9197cfe4f025e7e0e4bce7db53ed5d80e4fadf83d7680832a640bda6876a5b

Download Submit
\ProgramData\xml.com
MD5
a03cf3838775e0801a0894c8bacd2e56

SHA1
4368dbd172224ec9461364be1ac9dffc5d9224a8

SHA256
132aa270790f56a7524cab968927ed5e1d91b9a26d4badcb24e450e7decc5f81

SHA512
b9e2467157139cc288e027d34865034eaf441dd69981a91df18d60e6b6a7cc53f8102230d18e4c6de2f3ad3ab413d755663bfc82d3033e52faf38509a7cdfcdc

Download Submit
\ProgramData\xml.com
MD5
a03cf3838775e0801a0894c8bacd2e56

SHA1
4368dbd172224ec9461364be1ac9dffc5d9224a8

SHA256
132aa270790f56a7524cab968927ed5e1d91b9a26d4badcb24e450e7decc5f81

SHA512
b9e2467157139cc288e027d34865034eaf441dd69981a91df18d60e6b6a7cc53f8102230d18e4c6de2f3ad3ab413d755663bfc82d3033e52faf38509a7cdfcdc

Download Submit
\ProgramData\xml.com
MD5
a03cf3838775e0801a0894c8bacd2e56

SHA1
4368dbd172224ec9461364be1ac9dffc5d9224a8

SHA256
132aa270790f56a7524cab968927ed5e1d91b9a26d4badcb24e450e7decc5f81

SHA512
b9e2467157139cc288e027d34865034eaf441dd69981a91df18d60e6b6a7cc53f8102230d18e4c6de2f3ad3ab413d755663bfc82d3033e52faf38509a7cdfcdc

Download Submit
\ProgramData\xml.com
MD5
a03cf3838775e0801a0894c8bacd2e56

SHA1
4368dbd172224ec9461364be1ac9dffc5d9224a8

SHA256
132aa270790f56a7524cab968927ed5e1d91b9a26d4badcb24e450e7decc5f81

SHA512
b9e2467157139cc288e027d34865034eaf441dd69981a91df18d60e6b6a7cc53f8102230d18e4c6de2f3ad3ab413d755663bfc82d3033e52faf38509a7cdfcdc

Download Submit
memory/316-17-0x0000000000000000-mapping.dmp

Download
memory/316-21-0x000000006B6C0000-0x000000006B6F5000-memory.dmp

Filesize
212KB

Download
memory/316-27-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/316-22-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/316-18-0x00000000756A1000-0x00000000756A3000-memory.dmp

Filesize
8KB

Download
memory/1008-23-0x0000000000000000-mapping.dmp

Download
memory/1008-25-0x000000006B151000-0x000000006B153000-memory.dmp

Filesize
8KB

Download
memory/1008-26-0x0000000000080000-0x00000000000B5000-memory.dmp

Filesize
212KB

Download
memory/1060-15-0x000007FEF68D0000-0x000007FEF6B4A000-memory.dmp

Filesize
2.5MB

Download
memory/1272-9-0x0000000000000000-mapping.dmp

Download
memory/1684-2-0x0000000072DC1000-0x0000000072DC4000-memory.dmp

Filesize
12KB

Download
memory/1684-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1684-3-0x0000000070841000-0x0000000070843000-memory.dmp

Filesize
8KB

Download
memory/1684-11-0x00000000060D0000-0x00000000060D2000-memory.dmp

Filesize
8KB

Download
memory/1812-12-0x0000000000000000-mapping.dmp

Download
memory/1812-14-0x000007FEFC2C1000-0x000007FEFC2C3000-memory.dmp

Filesize
8KB

Download