Overview

overview

10

Static

static

8

Compensati...21.xls

windows7_x64

10

Compensati...21.xls

windows10_x64

10

Analysis

  • max time kernel
    132s
  • max time network
    139s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    05-02-2021 09:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CompensationClaim-2000459547-02022021.xls

  • Size

    67KB

  • MD5

    cb555300cee97b3250f5ca1650197f7b

  • SHA1

    702beedaaef076fa9f8fd6510493925f090fe4a1

  • SHA256

    aed3b7b54243021aa6b20fda0ea7bb46a2065a1371202b3bab86482fa3f5bd46

  • SHA512

    a57dfeb94bf437df67bf7b13137aebe08b0ba1c04f3bf94cf98105c34683e96e6986495c157f83ff9cc93332680b1f280d9aa72c6f5d1196f5c7606dd4755ddf

Score
10/10
qakbotabc1231612349986bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Botnet

abc123

Campaign

1612349986

C2

222.154.253.111:995

50.244.112.106:443

83.110.108.181:2222

105.198.236.99:443

74.77.162.33:443

106.250.150.98:443

196.151.252.84:443

45.118.216.157:443

140.82.49.12:443

80.11.173.82:8443

71.88.193.17:443

68.186.192.69:443

46.153.119.255:995

81.214.126.173:2222

108.31.15.10:995

197.45.110.165:995

81.88.254.62:443

86.97.8.249:443

202.187.58.21:443

41.39.134.183:443

Signatures

  • Process spawned unexpected child process 5 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Loads dropped DLL 5 IoCs
  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\CompensationClaim-2000459547-02022021.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:640
    • C:\Windows\SYSTEM32\rundll32.exe
      rundll32 ..\HYGFR.HYGF,DllRegisterServer
      2⤵
      • Process spawned unexpected child process
      PID:3588
    • C:\Windows\SYSTEM32\rundll32.exe
      rundll32 ..\HYGFR.HYGF1,DllRegisterServer
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:3592
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32 ..\HYGFR.HYGF1,DllRegisterServer
        3⤵
        • Loads dropped DLL
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:740
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4032
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn nzfwujjjn /tr "regsvr32.exe -s \"C:\Users\Admin\HYGFR.HYGF1\"" /SC ONCE /Z /ST 10:19 /ET 10:31
            5⤵
            • Creates scheduled task(s)
            PID:3936
    • C:\Windows\SYSTEM32\rundll32.exe
      rundll32 ..\HYGFR.HYGF2,DllRegisterServer
      2⤵
      • Process spawned unexpected child process
      PID:3048
    • C:\Windows\SYSTEM32\rundll32.exe
      rundll32 ..\HYGFR.HYGF3,DllRegisterServer
      2⤵
      • Process spawned unexpected child process
      PID:3932
    • C:\Windows\SYSTEM32\rundll32.exe
      rundll32 ..\HYGFR.HYGF4,DllRegisterServer
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:2120
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32 ..\HYGFR.HYGF4,DllRegisterServer
        3⤵
        • Loads dropped DLL
        PID:3716
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 748
          4⤵
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3596
  • \??\c:\windows\system32\regsvr32.exe
    regsvr32.exe -s "C:\Users\Admin\HYGFR.HYGF1"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3244
    • C:\Windows\SysWOW64\regsvr32.exe
      -s "C:\Users\Admin\HYGFR.HYGF1"
      2⤵
      • Loads dropped DLL
      PID:3860
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 596
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

3
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\HYGFR.HYGF1
    MD5

    0d61b148fba30bccb483c65fd7e7babc

    SHA1

    50fd3a2e5a49bb9b57ca1a463bb6afe90994c3dc

    SHA256

    e5e99dd402f104863146e270f4f769b61abe3f2344058f27b78c3e54f25e1be8

    SHA512

    4cfd6a6e66bb7a7725d9377b53c5cd36e5f130c3872751b30f0f0ed49562a3adb9bcce927eb5f2d83dd338a67482ed20f265d25510c7fb926f2fb2f431f3456d

    Download Submit
  • C:\Users\Admin\HYGFR.HYGF1
    MD5

    6e0a15ac62d32983e782c715ed4b5ec8

    SHA1

    f718149ba16ef95a7d48dbd69d6d9dc224d0b87f

    SHA256

    08697d907c6be7c0952fa7e2d8498a742bfa3e5709548e77e7d187ae967d8552

    SHA512

    29ad758d0c3745c7b4e3aa4fece1daefa82e6ac07f851b76a50ce0e6c56f4333ca3e0ab4925d9558b2cfca4e2a243ca20355b1f8025c9980e7986fbe48836104

    Download Submit
  • C:\Users\Admin\HYGFR.HYGF4
    MD5

    6e0a15ac62d32983e782c715ed4b5ec8

    SHA1

    f718149ba16ef95a7d48dbd69d6d9dc224d0b87f

    SHA256

    08697d907c6be7c0952fa7e2d8498a742bfa3e5709548e77e7d187ae967d8552

    SHA512

    29ad758d0c3745c7b4e3aa4fece1daefa82e6ac07f851b76a50ce0e6c56f4333ca3e0ab4925d9558b2cfca4e2a243ca20355b1f8025c9980e7986fbe48836104

    Download Submit
  • \Users\Admin\HYGFR.HYGF1
    MD5

    6e0a15ac62d32983e782c715ed4b5ec8

    SHA1

    f718149ba16ef95a7d48dbd69d6d9dc224d0b87f

    SHA256

    08697d907c6be7c0952fa7e2d8498a742bfa3e5709548e77e7d187ae967d8552

    SHA512

    29ad758d0c3745c7b4e3aa4fece1daefa82e6ac07f851b76a50ce0e6c56f4333ca3e0ab4925d9558b2cfca4e2a243ca20355b1f8025c9980e7986fbe48836104

    Download Submit
  • \Users\Admin\HYGFR.HYGF1
    MD5

    6e0a15ac62d32983e782c715ed4b5ec8

    SHA1

    f718149ba16ef95a7d48dbd69d6d9dc224d0b87f

    SHA256

    08697d907c6be7c0952fa7e2d8498a742bfa3e5709548e77e7d187ae967d8552

    SHA512

    29ad758d0c3745c7b4e3aa4fece1daefa82e6ac07f851b76a50ce0e6c56f4333ca3e0ab4925d9558b2cfca4e2a243ca20355b1f8025c9980e7986fbe48836104

    Download Submit
  • \Users\Admin\HYGFR.HYGF1
    MD5

    0d61b148fba30bccb483c65fd7e7babc

    SHA1

    50fd3a2e5a49bb9b57ca1a463bb6afe90994c3dc

    SHA256

    e5e99dd402f104863146e270f4f769b61abe3f2344058f27b78c3e54f25e1be8

    SHA512

    4cfd6a6e66bb7a7725d9377b53c5cd36e5f130c3872751b30f0f0ed49562a3adb9bcce927eb5f2d83dd338a67482ed20f265d25510c7fb926f2fb2f431f3456d

    Download Submit
  • \Users\Admin\HYGFR.HYGF4
    MD5

    6e0a15ac62d32983e782c715ed4b5ec8

    SHA1

    f718149ba16ef95a7d48dbd69d6d9dc224d0b87f

    SHA256

    08697d907c6be7c0952fa7e2d8498a742bfa3e5709548e77e7d187ae967d8552

    SHA512

    29ad758d0c3745c7b4e3aa4fece1daefa82e6ac07f851b76a50ce0e6c56f4333ca3e0ab4925d9558b2cfca4e2a243ca20355b1f8025c9980e7986fbe48836104

    Download Submit
  • \Users\Admin\HYGFR.HYGF4
    MD5

    6e0a15ac62d32983e782c715ed4b5ec8

    SHA1

    f718149ba16ef95a7d48dbd69d6d9dc224d0b87f

    SHA256

    08697d907c6be7c0952fa7e2d8498a742bfa3e5709548e77e7d187ae967d8552

    SHA512

    29ad758d0c3745c7b4e3aa4fece1daefa82e6ac07f851b76a50ce0e6c56f4333ca3e0ab4925d9558b2cfca4e2a243ca20355b1f8025c9980e7986fbe48836104

    Download Submit
  • memory/640-6-0x00007FFC11220000-0x00007FFC11230000-memory.dmp
    Filesize

    64KB

    Download
  • memory/640-5-0x00007FFC34000000-0x00007FFC34637000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/640-4-0x00007FFC11220000-0x00007FFC11230000-memory.dmp
    Filesize

    64KB

    Download
  • memory/640-2-0x00007FFC11220000-0x00007FFC11230000-memory.dmp
    Filesize

    64KB

    Download
  • memory/640-3-0x00007FFC11220000-0x00007FFC11230000-memory.dmp
    Filesize

    64KB

    Download
  • memory/740-18-0x0000000005B80000-0x0000000005BB5000-memory.dmp
    Filesize

    212KB

    Download
  • memory/740-13-0x0000000003F81000-0x0000000004020000-memory.dmp
    Filesize

    636KB

    Download
  • memory/740-15-0x0000000004210000-0x0000000004257000-memory.dmp
    Filesize

    284KB

    Download
  • memory/740-10-0x0000000000000000-mapping.dmp
    Download
  • memory/740-14-0x0000000000350000-0x0000000000351000-memory.dmp
    Filesize

    4KB

    Download
  • memory/740-16-0x0000000005B80000-0x0000000005BB5000-memory.dmp
    Filesize

    212KB

    Download
  • memory/2120-24-0x0000000000000000-mapping.dmp
    Download
  • memory/2284-37-0x0000000003A70000-0x0000000003A71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3048-21-0x0000000000000000-mapping.dmp
    Download
  • memory/3588-7-0x0000000000000000-mapping.dmp
    Download
  • memory/3592-8-0x0000000000000000-mapping.dmp
    Download
  • memory/3596-33-0x0000000004700000-0x0000000004701000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3716-26-0x0000000000000000-mapping.dmp
    Download
  • memory/3716-29-0x0000000000871000-0x0000000000910000-memory.dmp
    Filesize

    636KB

    Download
  • memory/3716-30-0x0000000000980000-0x0000000000981000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3716-32-0x0000000005CD0000-0x0000000005D05000-memory.dmp
    Filesize

    212KB

    Download
  • memory/3860-35-0x0000000000000000-mapping.dmp
    Download
  • memory/3932-23-0x0000000000000000-mapping.dmp
    Download
  • memory/3936-19-0x0000000000000000-mapping.dmp
    Download
  • memory/4032-22-0x00000000009C0000-0x00000000009F5000-memory.dmp
    Filesize

    212KB

    Download
  • memory/4032-20-0x00000000009C0000-0x00000000009F5000-memory.dmp
    Filesize

    212KB

    Download
  • memory/4032-17-0x0000000000000000-mapping.dmp
    Download