Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
04-02-2021 18:45
Static task
static1
Behavioral task
behavioral1
Sample
bid,02.21.doc
Resource
win7v20201028
General
-
Target
bid,02.21.doc
-
Size
95KB
-
MD5
8d4ca32c865cbc75fb529bc64730c453
-
SHA1
334c4352dbda3759ca503a6118bc2ddb09b6f9d7
-
SHA256
53b9aaed11c3bff95b8baeef19467b11ab6ef362e2f8b550ee531babbddd9e0f
-
SHA512
3bd039c6d748008d76d5095be0130763e74dd68929e1f8878c557e92bff5742731fdfddbb38171b4f6c13ed42e7339ea4bd54c975d6f36015ea6f7b2bfb66f50
Malware Config
Extracted
qakbot
krk01
1611569149
31.5.21.66:995
89.3.198.238:443
202.188.138.162:443
188.24.128.253:443
175.141.219.71:443
151.60.15.183:443
184.189.122.72:443
80.227.5.70:443
140.82.49.12:443
89.211.241.100:995
81.97.154.100:443
77.27.174.49:995
92.154.83.96:2078
42.3.8.54:443
71.187.170.235:443
46.153.36.53:995
71.182.142.63:443
105.186.102.16:443
50.244.112.106:443
78.63.226.32:443
85.132.36.111:2222
68.186.192.69:443
75.136.40.155:443
68.225.60.77:995
144.139.47.206:443
79.129.121.81:995
98.121.187.78:443
75.67.192.125:443
216.201.162.158:443
2.50.2.216:443
75.136.26.147:443
84.72.35.226:443
172.78.30.215:443
105.198.236.99:443
83.110.102.100:443
193.248.221.184:2222
190.85.91.154:443
96.37.113.36:993
83.110.108.181:2222
88.233.91.244:443
95.77.223.148:443
207.246.77.75:2222
86.236.77.68:2222
207.246.77.75:443
45.63.107.192:995
77.211.30.202:995
149.28.99.97:443
207.246.77.75:8443
149.28.98.196:2222
207.246.116.237:995
207.246.116.237:8443
149.28.99.97:995
207.246.77.75:995
207.246.116.237:2222
45.77.115.208:443
45.32.211.207:995
149.28.101.90:8443
149.28.101.90:443
149.28.99.97:2222
172.115.177.204:2222
144.202.38.185:995
207.246.116.237:443
149.28.98.196:443
144.202.38.185:443
149.28.101.90:995
45.32.211.207:2222
45.32.211.207:443
45.32.211.207:8443
149.28.98.196:995
144.202.38.185:2222
45.63.107.192:443
149.28.101.90:2222
45.63.107.192:2222
45.77.115.208:2222
196.151.252.84:443
105.198.236.101:443
82.76.47.211:443
45.77.115.208:995
45.77.115.208:8443
213.60.147.140:443
92.59.35.196:2222
47.22.148.6:443
203.106.195.67:443
202.185.50.15:443
173.70.165.101:995
50.240.77.238:22
86.98.93.124:2078
172.87.157.235:3389
197.45.110.165:995
76.25.142.196:443
106.51.52.111:443
188.25.63.105:443
83.110.12.140:2222
64.121.114.87:443
50.29.166.232:995
217.133.54.140:32100
122.148.156.131:995
173.21.10.71:2222
45.46.53.140:2222
67.6.91.75:443
47.156.65.184:443
76.111.128.194:443
75.118.1.141:443
65.27.228.247:443
71.74.12.34:443
74.68.144.202:443
98.240.24.57:443
47.196.192.184:443
71.14.110.199:443
71.197.126.250:443
24.253.38.139:993
197.161.154.132:443
80.7.129.64:995
47.208.8.187:443
89.137.211.239:995
86.220.60.133:2222
94.53.92.42:443
78.97.207.104:443
106.250.150.98:443
67.8.103.21:443
41.39.134.183:443
2.50.161.6:2222
96.19.117.140:443
199.19.117.131:443
104.37.20.207:995
216.150.207.100:2222
189.222.111.204:443
73.216.60.90:2222
69.123.179.70:443
189.237.7.9:443
89.137.221.232:443
109.12.111.14:443
125.63.101.62:443
2.7.69.217:2222
89.211.247.202:443
201.130.149.43:995
186.155.151.167:443
201.127.37.219:443
151.205.102.42:443
189.210.115.207:443
97.69.160.4:2222
72.240.200.181:2222
72.252.201.69:443
172.87.134.226:995
209.210.187.52:995
209.210.187.52:443
108.46.145.30:443
24.229.150.54:995
186.84.90.232:443
80.11.5.65:2222
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
xml.compid process 1264 xml.com -
Loads dropped DLL 1 IoCs
Processes:
regsvr32.exepid process 2620 regsvr32.exe -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
regsvr32.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc regsvr32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 regsvr32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc regsvr32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 regsvr32.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 496 WINWORD.EXE 496 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
regsvr32.exepid process 2620 regsvr32.exe 2620 regsvr32.exe 2620 regsvr32.exe 2620 regsvr32.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
regsvr32.exepid process 2620 regsvr32.exe -
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes:
xml.comdescription pid process Token: SeIncreaseQuotaPrivilege 1264 xml.com Token: SeSecurityPrivilege 1264 xml.com Token: SeTakeOwnershipPrivilege 1264 xml.com Token: SeLoadDriverPrivilege 1264 xml.com Token: SeSystemProfilePrivilege 1264 xml.com Token: SeSystemtimePrivilege 1264 xml.com Token: SeProfSingleProcessPrivilege 1264 xml.com Token: SeIncBasePriorityPrivilege 1264 xml.com Token: SeCreatePagefilePrivilege 1264 xml.com Token: SeBackupPrivilege 1264 xml.com Token: SeRestorePrivilege 1264 xml.com Token: SeShutdownPrivilege 1264 xml.com Token: SeDebugPrivilege 1264 xml.com Token: SeSystemEnvironmentPrivilege 1264 xml.com Token: SeRemoteShutdownPrivilege 1264 xml.com Token: SeUndockPrivilege 1264 xml.com Token: SeManageVolumePrivilege 1264 xml.com Token: 33 1264 xml.com Token: 34 1264 xml.com Token: 35 1264 xml.com Token: 36 1264 xml.com Token: SeIncreaseQuotaPrivilege 1264 xml.com Token: SeSecurityPrivilege 1264 xml.com Token: SeTakeOwnershipPrivilege 1264 xml.com Token: SeLoadDriverPrivilege 1264 xml.com Token: SeSystemProfilePrivilege 1264 xml.com Token: SeSystemtimePrivilege 1264 xml.com Token: SeProfSingleProcessPrivilege 1264 xml.com Token: SeIncBasePriorityPrivilege 1264 xml.com Token: SeCreatePagefilePrivilege 1264 xml.com Token: SeBackupPrivilege 1264 xml.com Token: SeRestorePrivilege 1264 xml.com Token: SeShutdownPrivilege 1264 xml.com Token: SeDebugPrivilege 1264 xml.com Token: SeSystemEnvironmentPrivilege 1264 xml.com Token: SeRemoteShutdownPrivilege 1264 xml.com Token: SeUndockPrivilege 1264 xml.com Token: SeManageVolumePrivilege 1264 xml.com Token: 33 1264 xml.com Token: 34 1264 xml.com Token: 35 1264 xml.com Token: 36 1264 xml.com -
Suspicious use of SetWindowsHookEx 18 IoCs
Processes:
WINWORD.EXEpid process 496 WINWORD.EXE 496 WINWORD.EXE 496 WINWORD.EXE 496 WINWORD.EXE 496 WINWORD.EXE 496 WINWORD.EXE 496 WINWORD.EXE 496 WINWORD.EXE 496 WINWORD.EXE 496 WINWORD.EXE 496 WINWORD.EXE 496 WINWORD.EXE 496 WINWORD.EXE 496 WINWORD.EXE 496 WINWORD.EXE 496 WINWORD.EXE 496 WINWORD.EXE 496 WINWORD.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
WINWORD.EXExml.comregsvr32.exeregsvr32.exedescription pid process target process PID 496 wrote to memory of 1264 496 WINWORD.EXE xml.com PID 496 wrote to memory of 1264 496 WINWORD.EXE xml.com PID 1264 wrote to memory of 2588 1264 xml.com regsvr32.exe PID 1264 wrote to memory of 2588 1264 xml.com regsvr32.exe PID 2588 wrote to memory of 2620 2588 regsvr32.exe regsvr32.exe PID 2588 wrote to memory of 2620 2588 regsvr32.exe regsvr32.exe PID 2588 wrote to memory of 2620 2588 regsvr32.exe regsvr32.exe PID 2620 wrote to memory of 1624 2620 regsvr32.exe explorer.exe PID 2620 wrote to memory of 1624 2620 regsvr32.exe explorer.exe PID 2620 wrote to memory of 1624 2620 regsvr32.exe explorer.exe PID 2620 wrote to memory of 1624 2620 regsvr32.exe explorer.exe PID 2620 wrote to memory of 1624 2620 regsvr32.exe explorer.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bid,02.21.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\programdata\xml.com"C:\programdata\xml.com" process list /format : "c:\programdata\i.xsl"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\regsvr32.exeregsvr32 c:\programdata\1271.jpg3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exec:\programdata\1271.jpg4⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe5⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\xml.comMD5
4191f61f2449ccc2bc2f2ac6d8898ce7
SHA1d49936fc8a03561214ce4bf9791ca59e94ab8fe9
SHA25674d21e1349aab027cd02d15f2428028c028592f265d1830c8dfc407f9bf76173
SHA512fe67059bc374cc2d39dd01c22c2183ca44a8e04050d633f78d4eac415ae4528c378c7504ea3cc4b6923675256ae3af199b3a498243a4ca1a4d0f61f2e086821f
-
C:\programdata\xml.comMD5
4191f61f2449ccc2bc2f2ac6d8898ce7
SHA1d49936fc8a03561214ce4bf9791ca59e94ab8fe9
SHA25674d21e1349aab027cd02d15f2428028c028592f265d1830c8dfc407f9bf76173
SHA512fe67059bc374cc2d39dd01c22c2183ca44a8e04050d633f78d4eac415ae4528c378c7504ea3cc4b6923675256ae3af199b3a498243a4ca1a4d0f61f2e086821f
-
\??\c:\programdata\1271.jpgMD5
4a2a46cfca30f739994362c22f0d2f46
SHA1f0c75c3e93907f66e1f747d1eb099d144f30deeb
SHA256c335c63f7587348d5c65235379f76f5298fe90264857675cf08539a6be9e990b
SHA5121024ef1bff08cf739c90e04fae00e4ab1fb96a6bd77baebb258901a86d4626149c9197cfe4f025e7e0e4bce7db53ed5d80e4fadf83d7680832a640bda6876a5b
-
\??\c:\programdata\i.xslMD5
3bfe49781b0c5ebfce69bf1815076111
SHA112af9552ed24477939ad337973643ec758e62721
SHA2565243d6b20c66df6fb8e02b17b4963a8b33d4b907209fa08bf024becb341628a3
SHA51265a8535574bad660a9b4bc8b1bbcb0e479a40843c51432f8313248064bb6457bd2a9846c5a6fc382090942efb3b6ac9860a67a3876ff40a20923347ab45c0e3c
-
\ProgramData\1271.jpgMD5
4a2a46cfca30f739994362c22f0d2f46
SHA1f0c75c3e93907f66e1f747d1eb099d144f30deeb
SHA256c335c63f7587348d5c65235379f76f5298fe90264857675cf08539a6be9e990b
SHA5121024ef1bff08cf739c90e04fae00e4ab1fb96a6bd77baebb258901a86d4626149c9197cfe4f025e7e0e4bce7db53ed5d80e4fadf83d7680832a640bda6876a5b
-
memory/496-6-0x00007FF8052D0000-0x00007FF805907000-memory.dmpFilesize
6.2MB
-
memory/496-9-0x000001D7B2130000-0x000001D7B2134000-memory.dmpFilesize
16KB
-
memory/496-2-0x00007FF7E5FB0000-0x00007FF7E5FC0000-memory.dmpFilesize
64KB
-
memory/496-5-0x00007FF7E5FB0000-0x00007FF7E5FC0000-memory.dmpFilesize
64KB
-
memory/496-4-0x00007FF7E5FB0000-0x00007FF7E5FC0000-memory.dmpFilesize
64KB
-
memory/496-3-0x00007FF7E5FB0000-0x00007FF7E5FC0000-memory.dmpFilesize
64KB
-
memory/1264-7-0x0000000000000000-mapping.dmp
-
memory/1624-18-0x0000000000000000-mapping.dmp
-
memory/1624-19-0x0000000002F60000-0x0000000002F95000-memory.dmpFilesize
212KB
-
memory/2588-12-0x0000000000000000-mapping.dmp
-
memory/2620-14-0x0000000000000000-mapping.dmp
-
memory/2620-16-0x00000000736E0000-0x0000000073715000-memory.dmpFilesize
212KB
-
memory/2620-17-0x0000000000990000-0x0000000000991000-memory.dmpFilesize
4KB