qakbot | aed3b7b54243021aa6b20fda0ea7bb46a2065a1371202b3bab86482fa3f5bd46

General

Target

CompensationClaim-2000459547-02022021.xls
Size

67KB
MD5

cb555300cee97b3250f5ca1650197f7b
SHA1

702beedaaef076fa9f8fd6510493925f090fe4a1
SHA256

aed3b7b54243021aa6b20fda0ea7bb46a2065a1371202b3bab86482fa3f5bd46
SHA512

a57dfeb94bf437df67bf7b13137aebe08b0ba1c04f3bf94cf98105c34683e96e6986495c157f83ff9cc93332680b1f280d9aa72c6f5d1196f5c7606dd4755ddf

Score

10^/10

qakbot abc123 1612349986 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

abc123

Campaign

1612349986

C2

222.154.253.111:995

50.244.112.106:443

83.110.108.181:2222

105.198.236.99:443

74.77.162.33:443

106.250.150.98:443

196.151.252.84:443

45.118.216.157:443

140.82.49.12:443

80.11.173.82:8443

71.88.193.17:443

68.186.192.69:443

46.153.119.255:995

81.214.126.173:2222

108.31.15.10:995

197.45.110.165:995

81.88.254.62:443

86.97.8.249:443

202.187.58.21:443

41.39.134.183:443

Signatures

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	304	1068	rundll32.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	832	1068	rundll32.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	344	1068	rundll32.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	644	1068	rundll32.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1680	1068	rundll32.exe	EXCEL.EXE

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Deletes itself 1 IoCs

Processes:

EXCEL.EXE

pid process

1068 EXCEL.EXE
Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exeregsvr32.exe

pid process

832 rundll32.exe
1680 rundll32.exe
1576 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

776 schtasks.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

pid	process
1068	EXCEL.EXE

pid	process
832	rundll32.exe
1680	rundll32.exe
1576	regsvr32.exe

pid	process
776	schtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE

Modifies registry class 47 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\NodeSlot = "1"	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = ffffffff	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4a0031000000000045529d49102054656d700000360008000400efbe5c51a69645529d492a000000e5010000000002000000000000000000000000000000540065006d007000000014000000	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 4c003100000000005c511c9a10204c6f63616c00380008000400efbe5c51a6965c511c9a2a000000e40100000000020000000000000000000000000000004c006f00630061006c00000014000000	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 52003100000000005c51a696122041707044617461003c0008000400efbe5c51a6965c51a6962a000000d10100000000020000000000000000000000000000004100700070004400610074006100000016000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 74003100000000005c51a6961100557365727300600008000400efbeee3a851a5c51a6962a000000cc01000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4c003100000000004552a449100041646d696e00380008000400efbe5c51a6964552a4492a0000002e000000000004000000000000000000000000000000410064006d0069006e00000014000000	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_Classes\Local Settings	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1068 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exerundll32.exe

pid process

832 rundll32.exe
832 rundll32.exe
1680 rundll32.exe
1680 rundll32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

832 rundll32.exe
1680 rundll32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

EXCEL.EXE

pid process

1068 EXCEL.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

1068 EXCEL.EXE
1068 EXCEL.EXE
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

EXCEL.EXE

pid process

1068 EXCEL.EXE
1068 EXCEL.EXE
1068 EXCEL.EXE
1068 EXCEL.EXE
1068 EXCEL.EXE
1068 EXCEL.EXE
1068 EXCEL.EXE
1068 EXCEL.EXE

pid	process
1068	EXCEL.EXE

pid	process
832	rundll32.exe
832	rundll32.exe
1680	rundll32.exe
1680	rundll32.exe

pid	process
832	rundll32.exe
1680	rundll32.exe

pid	process
1068	EXCEL.EXE

pid	process
1068	EXCEL.EXE
1068	EXCEL.EXE

pid	process
1068	EXCEL.EXE
1068	EXCEL.EXE
1068	EXCEL.EXE
1068	EXCEL.EXE
1068	EXCEL.EXE
1068	EXCEL.EXE
1068	EXCEL.EXE
1068	EXCEL.EXE

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

EXCEL.EXErundll32.exeexplorer.exerundll32.exetaskeng.exeregsvr32.exe

description	pid	process	target process
PID 1068 wrote to memory of 304	1068	EXCEL.EXE	rundll32.exe
PID 1068 wrote to memory of 304	1068	EXCEL.EXE	rundll32.exe
PID 1068 wrote to memory of 304	1068	EXCEL.EXE	rundll32.exe
PID 1068 wrote to memory of 304	1068	EXCEL.EXE	rundll32.exe
PID 1068 wrote to memory of 304	1068	EXCEL.EXE	rundll32.exe
PID 1068 wrote to memory of 304	1068	EXCEL.EXE	rundll32.exe
PID 1068 wrote to memory of 304	1068	EXCEL.EXE	rundll32.exe
PID 1068 wrote to memory of 832	1068	EXCEL.EXE	rundll32.exe
PID 1068 wrote to memory of 832	1068	EXCEL.EXE	rundll32.exe
PID 1068 wrote to memory of 832	1068	EXCEL.EXE	rundll32.exe
PID 1068 wrote to memory of 832	1068	EXCEL.EXE	rundll32.exe
PID 1068 wrote to memory of 832	1068	EXCEL.EXE	rundll32.exe
PID 1068 wrote to memory of 832	1068	EXCEL.EXE	rundll32.exe
PID 1068 wrote to memory of 832	1068	EXCEL.EXE	rundll32.exe
PID 832 wrote to memory of 792	832	rundll32.exe	explorer.exe
PID 832 wrote to memory of 792	832	rundll32.exe	explorer.exe
PID 832 wrote to memory of 792	832	rundll32.exe	explorer.exe
PID 832 wrote to memory of 792	832	rundll32.exe	explorer.exe
PID 832 wrote to memory of 792	832	rundll32.exe	explorer.exe
PID 832 wrote to memory of 792	832	rundll32.exe	explorer.exe
PID 1068 wrote to memory of 344	1068	EXCEL.EXE	rundll32.exe
PID 1068 wrote to memory of 344	1068	EXCEL.EXE	rundll32.exe
PID 1068 wrote to memory of 344	1068	EXCEL.EXE	rundll32.exe
PID 1068 wrote to memory of 344	1068	EXCEL.EXE	rundll32.exe
PID 1068 wrote to memory of 344	1068	EXCEL.EXE	rundll32.exe
PID 1068 wrote to memory of 344	1068	EXCEL.EXE	rundll32.exe
PID 1068 wrote to memory of 344	1068	EXCEL.EXE	rundll32.exe
PID 1068 wrote to memory of 644	1068	EXCEL.EXE	rundll32.exe
PID 1068 wrote to memory of 644	1068	EXCEL.EXE	rundll32.exe
PID 1068 wrote to memory of 644	1068	EXCEL.EXE	rundll32.exe
PID 1068 wrote to memory of 644	1068	EXCEL.EXE	rundll32.exe
PID 1068 wrote to memory of 644	1068	EXCEL.EXE	rundll32.exe
PID 1068 wrote to memory of 644	1068	EXCEL.EXE	rundll32.exe
PID 1068 wrote to memory of 644	1068	EXCEL.EXE	rundll32.exe
PID 1068 wrote to memory of 1680	1068	EXCEL.EXE	rundll32.exe
PID 1068 wrote to memory of 1680	1068	EXCEL.EXE	rundll32.exe
PID 1068 wrote to memory of 1680	1068	EXCEL.EXE	rundll32.exe
PID 1068 wrote to memory of 1680	1068	EXCEL.EXE	rundll32.exe
PID 1068 wrote to memory of 1680	1068	EXCEL.EXE	rundll32.exe
PID 1068 wrote to memory of 1680	1068	EXCEL.EXE	rundll32.exe
PID 1068 wrote to memory of 1680	1068	EXCEL.EXE	rundll32.exe
PID 792 wrote to memory of 776	792	explorer.exe	schtasks.exe
PID 792 wrote to memory of 776	792	explorer.exe	schtasks.exe
PID 792 wrote to memory of 776	792	explorer.exe	schtasks.exe
PID 792 wrote to memory of 776	792	explorer.exe	schtasks.exe
PID 1680 wrote to memory of 1996	1680	rundll32.exe	explorer.exe
PID 1680 wrote to memory of 1996	1680	rundll32.exe	explorer.exe
PID 1680 wrote to memory of 1996	1680	rundll32.exe	explorer.exe
PID 1680 wrote to memory of 1996	1680	rundll32.exe	explorer.exe
PID 1680 wrote to memory of 1996	1680	rundll32.exe	explorer.exe
PID 1680 wrote to memory of 1996	1680	rundll32.exe	explorer.exe
PID 892 wrote to memory of 776	892	taskeng.exe	regsvr32.exe
PID 892 wrote to memory of 776	892	taskeng.exe	regsvr32.exe
PID 892 wrote to memory of 776	892	taskeng.exe	regsvr32.exe
PID 892 wrote to memory of 776	892	taskeng.exe	regsvr32.exe
PID 892 wrote to memory of 776	892	taskeng.exe	regsvr32.exe
PID 776 wrote to memory of 1576	776	regsvr32.exe	regsvr32.exe
PID 776 wrote to memory of 1576	776	regsvr32.exe	regsvr32.exe
PID 776 wrote to memory of 1576	776	regsvr32.exe	regsvr32.exe
PID 776 wrote to memory of 1576	776	regsvr32.exe	regsvr32.exe
PID 776 wrote to memory of 1576	776	regsvr32.exe	regsvr32.exe
PID 776 wrote to memory of 1576	776	regsvr32.exe	regsvr32.exe
PID 776 wrote to memory of 1576	776	regsvr32.exe	regsvr32.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\CompensationClaim-2000459547-02022021.xls
1⤵
- Deletes itself
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: RenamesItself
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\SysWOW64\rundll32.exe
rundll32 ..\HYGFR.HYGF,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:304

C:\Windows\SysWOW64\rundll32.exe
rundll32 ..\HYGFR.HYGF1,DllRegisterServer
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn hwtengerhc /tr "regsvr32.exe -s \"C:\Users\Admin\HYGFR.HYGF1\"" /SC ONCE /Z /ST 09:15 /ET 09:27
4⤵
- Creates scheduled task(s)
PID:776

C:\Windows\SysWOW64\rundll32.exe
rundll32 ..\HYGFR.HYGF2,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:344

C:\Windows\SysWOW64\rundll32.exe
rundll32 ..\HYGFR.HYGF3,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:644

C:\Windows\SysWOW64\rundll32.exe
rundll32 ..\HYGFR.HYGF4,DllRegisterServer
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
PID:1996

C:\Windows\system32\taskeng.exe
taskeng.exe {24C46644-A97A-4823-8E03-F83F59E6358C} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:892

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\HYGFR.HYGF1"
2⤵
- Suspicious use of WriteProcessMemory
PID:776

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\HYGFR.HYGF1"
3⤵
- Loads dropped DLL
PID:1576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\HYGFR.HYGF1
MD5
67ffd1306ef7070a92aa648a45a09756

SHA1
ca57c4b3486430ed50cd11666492f077c9d11a11

SHA256
d3501e9f6f190ee55e0cee711aedbf2b2b7cc325177d0fccddfe09ee83abbc28

SHA512
4e494ae48dbd9fc03dcaf95b6321b53781468fc48ef12231998e922adcc30294eddfebf8f32833affc141c7acb1bea677eb8787e1991a985d073880acf803769

Download Submit
C:\Users\Admin\HYGFR.HYGF1
MD5
388e0595f0bd2f250b0b1526e7a9e4e2

SHA1
db3b5784319d41285fd13645d276e4be4190e2b2

SHA256
fd1dfc13e78f42fd7a7f0a44390295a5c8367f4e7a8fa25e8f68541e12300a5c

SHA512
b140a30725eb2d100220710f292a5018ffe83338ea72b147ac3bdc85c440a6742865168b794a5092877641c75f6546ac0ecbf0a7723f0dd7faa4bcdc0c149484

Download Submit
C:\Users\Admin\HYGFR.HYGF4
MD5
67ffd1306ef7070a92aa648a45a09756

SHA1
ca57c4b3486430ed50cd11666492f077c9d11a11

SHA256
d3501e9f6f190ee55e0cee711aedbf2b2b7cc325177d0fccddfe09ee83abbc28

SHA512
4e494ae48dbd9fc03dcaf95b6321b53781468fc48ef12231998e922adcc30294eddfebf8f32833affc141c7acb1bea677eb8787e1991a985d073880acf803769

Download Submit
\Users\Admin\HYGFR.HYGF1
MD5
67ffd1306ef7070a92aa648a45a09756

SHA1
ca57c4b3486430ed50cd11666492f077c9d11a11

SHA256
d3501e9f6f190ee55e0cee711aedbf2b2b7cc325177d0fccddfe09ee83abbc28

SHA512
4e494ae48dbd9fc03dcaf95b6321b53781468fc48ef12231998e922adcc30294eddfebf8f32833affc141c7acb1bea677eb8787e1991a985d073880acf803769

Download Submit
\Users\Admin\HYGFR.HYGF1
MD5
388e0595f0bd2f250b0b1526e7a9e4e2

SHA1
db3b5784319d41285fd13645d276e4be4190e2b2

SHA256
fd1dfc13e78f42fd7a7f0a44390295a5c8367f4e7a8fa25e8f68541e12300a5c

SHA512
b140a30725eb2d100220710f292a5018ffe83338ea72b147ac3bdc85c440a6742865168b794a5092877641c75f6546ac0ecbf0a7723f0dd7faa4bcdc0c149484

Download Submit
\Users\Admin\HYGFR.HYGF4
MD5
67ffd1306ef7070a92aa648a45a09756

SHA1
ca57c4b3486430ed50cd11666492f077c9d11a11

SHA256
d3501e9f6f190ee55e0cee711aedbf2b2b7cc325177d0fccddfe09ee83abbc28

SHA512
4e494ae48dbd9fc03dcaf95b6321b53781468fc48ef12231998e922adcc30294eddfebf8f32833affc141c7acb1bea677eb8787e1991a985d073880acf803769

Download Submit
memory/304-6-0x0000000000000000-mapping.dmp

Download
memory/304-7-0x00000000756C1000-0x00000000756C3000-memory.dmp

Filesize
8KB

Download
memory/344-19-0x0000000000000000-mapping.dmp

Download
memory/644-21-0x0000000000000000-mapping.dmp

Download
memory/776-41-0x0000000000000000-mapping.dmp

Download
memory/776-29-0x0000000000000000-mapping.dmp

Download
memory/776-42-0x000007FEFBE81000-0x000007FEFBE83000-memory.dmp

Filesize
8KB

Download
memory/792-30-0x0000000000080000-0x00000000000B5000-memory.dmp

Filesize
212KB

Download
memory/792-27-0x0000000000080000-0x00000000000B5000-memory.dmp

Filesize
212KB

Download
memory/792-15-0x0000000000000000-mapping.dmp

Download
memory/792-17-0x000000006C8A1000-0x000000006C8A3000-memory.dmp

Filesize
8KB

Download
memory/832-12-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/832-13-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/832-18-0x0000000000A00000-0x0000000000A35000-memory.dmp

Filesize
212KB

Download
memory/832-8-0x0000000000000000-mapping.dmp

Download
memory/832-14-0x0000000000A00000-0x0000000000A35000-memory.dmp

Filesize
212KB

Download
memory/1068-40-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1068-39-0x0000000001E40000-0x0000000001E41000-memory.dmp

Filesize
4KB

Download
memory/1068-3-0x0000000071681000-0x0000000071683000-memory.dmp

Filesize
8KB

Download
memory/1068-2-0x000000002F851000-0x000000002F854000-memory.dmp

Filesize
12KB

Download
memory/1068-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1068-38-0x0000000005C30000-0x0000000005C31000-memory.dmp

Filesize
4KB

Download
memory/1576-44-0x0000000000000000-mapping.dmp

Download
memory/1680-36-0x0000000001DF0000-0x0000000001E25000-memory.dmp

Filesize
212KB

Download
memory/1680-23-0x0000000000000000-mapping.dmp

Download
memory/1680-28-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1680-32-0x0000000001DF0000-0x0000000001E25000-memory.dmp

Filesize
212KB

Download
memory/1984-5-0x000007FEF77D0000-0x000007FEF7A4A000-memory.dmp

Filesize
2.5MB

Download
memory/1996-37-0x00000000000D0000-0x0000000000105000-memory.dmp

Filesize
212KB

Download
memory/1996-33-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads