qakbot | 208db84f6584f0feea7ad5098a17862e1ad87eac413e1c8a9e402f773b1fd615

Analysis

max time kernel
152s
max time network
23s
platform
windows7_x64
resource
win7v20201028
submitted
08-02-2021 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

commerce _02.21.doc
Size

95KB
MD5

722794fe9f968337d7e5169e8e27fccf
SHA1

dfa1c56a856f306887ffb98a827bb284a810f81b
SHA256

208db84f6584f0feea7ad5098a17862e1ad87eac413e1c8a9e402f773b1fd615
SHA512

03a3f20759cdcdeda185e07d5cdc9ca8549ecc24214752c12c70b25eb63cbfbb4a328cc25f2bdbb4d38deb022afc5d41c7dfa706238617b51c78b27e8f2e4e3a

Score

10^/10

qakbot krk01 1611569149 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

krk01

Campaign

1611569149

31.5.21.66:995

89.3.198.238:443

202.188.138.162:443

188.24.128.253:443

175.141.219.71:443

151.60.15.183:443

184.189.122.72:443

80.227.5.70:443

140.82.49.12:443

89.211.241.100:995

81.97.154.100:443

77.27.174.49:995

92.154.83.96:2078

42.3.8.54:443

71.187.170.235:443

46.153.36.53:995

71.182.142.63:443

105.186.102.16:443

50.244.112.106:443

78.63.226.32:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Executes dropped EXE 1 IoCs

Processes:

xml.com

pid process

1156 xml.com
Loads dropped DLL 5 IoCs

Processes:

WINWORD.EXEregsvr32.exe

pid process

1044 WINWORD.EXE
1044 WINWORD.EXE
1044 WINWORD.EXE
1044 WINWORD.EXE
1968 regsvr32.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

pid	process
1156	xml.com

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E4BB2E6E-CA54-4D20-ACE1-9193ACB947E8}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\TypeLib\{E4BB2E6E-CA54-4D20-ACE1-9193ACB947E8}\2.0\FLAGS\ = "6"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\TypeLib\{E4BB2E6E-CA54-4D20-ACE1-9193ACB947E8}\2.0\FLAGS	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1044 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

1968 regsvr32.exe
1968 regsvr32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

regsvr32.exe

pid process

1968 regsvr32.exe

pid	process
1968	regsvr32.exe
1968	regsvr32.exe

pid	process
1968	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

xml.com

description	pid	process
Token: SeIncreaseQuotaPrivilege	1156	xml.com
Token: SeSecurityPrivilege	1156	xml.com
Token: SeTakeOwnershipPrivilege	1156	xml.com
Token: SeLoadDriverPrivilege	1156	xml.com
Token: SeSystemProfilePrivilege	1156	xml.com
Token: SeSystemtimePrivilege	1156	xml.com
Token: SeProfSingleProcessPrivilege	1156	xml.com
Token: SeIncBasePriorityPrivilege	1156	xml.com
Token: SeCreatePagefilePrivilege	1156	xml.com
Token: SeBackupPrivilege	1156	xml.com
Token: SeRestorePrivilege	1156	xml.com
Token: SeShutdownPrivilege	1156	xml.com
Token: SeDebugPrivilege	1156	xml.com
Token: SeSystemEnvironmentPrivilege	1156	xml.com
Token: SeRemoteShutdownPrivilege	1156	xml.com
Token: SeUndockPrivilege	1156	xml.com
Token: SeManageVolumePrivilege	1156	xml.com
Token: 33	1156	xml.com
Token: 34	1156	xml.com
Token: 35	1156	xml.com
Token: SeIncreaseQuotaPrivilege	1156	xml.com
Token: SeSecurityPrivilege	1156	xml.com
Token: SeTakeOwnershipPrivilege	1156	xml.com
Token: SeLoadDriverPrivilege	1156	xml.com
Token: SeSystemProfilePrivilege	1156	xml.com
Token: SeSystemtimePrivilege	1156	xml.com
Token: SeProfSingleProcessPrivilege	1156	xml.com
Token: SeIncBasePriorityPrivilege	1156	xml.com
Token: SeCreatePagefilePrivilege	1156	xml.com
Token: SeBackupPrivilege	1156	xml.com
Token: SeRestorePrivilege	1156	xml.com
Token: SeShutdownPrivilege	1156	xml.com
Token: SeDebugPrivilege	1156	xml.com
Token: SeSystemEnvironmentPrivilege	1156	xml.com
Token: SeRemoteShutdownPrivilege	1156	xml.com
Token: SeUndockPrivilege	1156	xml.com
Token: SeManageVolumePrivilege	1156	xml.com
Token: 33	1156	xml.com
Token: 34	1156	xml.com
Token: 35	1156	xml.com

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

WINWORD.EXE

pid	process
1044	WINWORD.EXE
1044	WINWORD.EXE
1044	WINWORD.EXE
1044	WINWORD.EXE
1044	WINWORD.EXE
1044	WINWORD.EXE
1044	WINWORD.EXE
1044	WINWORD.EXE
1044	WINWORD.EXE
1044	WINWORD.EXE
1044	WINWORD.EXE
1044	WINWORD.EXE
1044	WINWORD.EXE
1044	WINWORD.EXE
1044	WINWORD.EXE
1044	WINWORD.EXE
1044	WINWORD.EXE
1044	WINWORD.EXE
1044	WINWORD.EXE
1044	WINWORD.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

WINWORD.EXExml.comregsvr32.exe

description	pid	process	target process
PID 1044 wrote to memory of 1156	1044	WINWORD.EXE	xml.com
PID 1044 wrote to memory of 1156	1044	WINWORD.EXE	xml.com
PID 1044 wrote to memory of 1156	1044	WINWORD.EXE	xml.com
PID 1044 wrote to memory of 1156	1044	WINWORD.EXE	xml.com
PID 1044 wrote to memory of 816	1044	WINWORD.EXE	splwow64.exe
PID 1044 wrote to memory of 816	1044	WINWORD.EXE	splwow64.exe
PID 1044 wrote to memory of 816	1044	WINWORD.EXE	splwow64.exe
PID 1044 wrote to memory of 816	1044	WINWORD.EXE	splwow64.exe
PID 1156 wrote to memory of 1968	1156	xml.com	regsvr32.exe
PID 1156 wrote to memory of 1968	1156	xml.com	regsvr32.exe
PID 1156 wrote to memory of 1968	1156	xml.com	regsvr32.exe
PID 1156 wrote to memory of 1968	1156	xml.com	regsvr32.exe
PID 1156 wrote to memory of 1968	1156	xml.com	regsvr32.exe
PID 1156 wrote to memory of 1968	1156	xml.com	regsvr32.exe
PID 1156 wrote to memory of 1968	1156	xml.com	regsvr32.exe
PID 1968 wrote to memory of 664	1968	regsvr32.exe	explorer.exe
PID 1968 wrote to memory of 664	1968	regsvr32.exe	explorer.exe
PID 1968 wrote to memory of 664	1968	regsvr32.exe	explorer.exe
PID 1968 wrote to memory of 664	1968	regsvr32.exe	explorer.exe
PID 1968 wrote to memory of 664	1968	regsvr32.exe	explorer.exe
PID 1968 wrote to memory of 664	1968	regsvr32.exe	explorer.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\commerce _02.21.doc"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1044

C:\programdata\xml.com
"C:\programdata\xml.com" process list /format : "c:\programdata\i.xsl"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 c:\programdata\27759.jpg
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
PID:664

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\xml.com
MD5
a03cf3838775e0801a0894c8bacd2e56

SHA1
4368dbd172224ec9461364be1ac9dffc5d9224a8

SHA256
132aa270790f56a7524cab968927ed5e1d91b9a26d4badcb24e450e7decc5f81

SHA512
b9e2467157139cc288e027d34865034eaf441dd69981a91df18d60e6b6a7cc53f8102230d18e4c6de2f3ad3ab413d755663bfc82d3033e52faf38509a7cdfcdc

Download Submit
C:\programdata\xml.com
MD5
a03cf3838775e0801a0894c8bacd2e56

SHA1
4368dbd172224ec9461364be1ac9dffc5d9224a8

SHA256
132aa270790f56a7524cab968927ed5e1d91b9a26d4badcb24e450e7decc5f81

SHA512
b9e2467157139cc288e027d34865034eaf441dd69981a91df18d60e6b6a7cc53f8102230d18e4c6de2f3ad3ab413d755663bfc82d3033e52faf38509a7cdfcdc

Download Submit
\??\c:\programdata\27759.jpg
MD5
9159385b8c97c71345927b333aeda23e

SHA1
a8327bba8d0bedc0423aeb2d57727d7b12f68377

SHA256
908054b1ffb1cddae6520a4ad86ddca31d8882f3d4c5a0c3ea2a253e6c55f264

SHA512
700fadaa2d1406b2705a8409411bd832df7c56ff195c487c9d83ee16fc9ea60d72cfc4df6dfc81e54ca124e71aefa8931d25fa18cac5b952b8c53aaa36c607e5

Download Submit
\??\c:\programdata\i.xsl
MD5
87189b779e944d94f1f3e0a8720cfde3

SHA1
b8e7bb364f5909ace5447d707e24a1d4757904ec

SHA256
be41f4f3b31aae82f634ba1a853ca993900dcd4b13607e1546cbe959ae03b7b7

SHA512
c5daffdf9cf3e423dc34bb2ff29cc51341859a8c301d2e694f98f0df8ebd775dfc9bfdc3e5460ff3cde0f93832fcd38dbe2d96e1ec4db4a1556f40868ec1aaf3

Download Submit
\ProgramData\27759.jpg
MD5
9159385b8c97c71345927b333aeda23e

SHA1
a8327bba8d0bedc0423aeb2d57727d7b12f68377

SHA256
908054b1ffb1cddae6520a4ad86ddca31d8882f3d4c5a0c3ea2a253e6c55f264

SHA512
700fadaa2d1406b2705a8409411bd832df7c56ff195c487c9d83ee16fc9ea60d72cfc4df6dfc81e54ca124e71aefa8931d25fa18cac5b952b8c53aaa36c607e5

Download Submit
\ProgramData\xml.com
MD5
a03cf3838775e0801a0894c8bacd2e56

SHA1
4368dbd172224ec9461364be1ac9dffc5d9224a8

SHA256
132aa270790f56a7524cab968927ed5e1d91b9a26d4badcb24e450e7decc5f81

SHA512
b9e2467157139cc288e027d34865034eaf441dd69981a91df18d60e6b6a7cc53f8102230d18e4c6de2f3ad3ab413d755663bfc82d3033e52faf38509a7cdfcdc

Download Submit
\ProgramData\xml.com
MD5
a03cf3838775e0801a0894c8bacd2e56

SHA1
4368dbd172224ec9461364be1ac9dffc5d9224a8

SHA256
132aa270790f56a7524cab968927ed5e1d91b9a26d4badcb24e450e7decc5f81

SHA512
b9e2467157139cc288e027d34865034eaf441dd69981a91df18d60e6b6a7cc53f8102230d18e4c6de2f3ad3ab413d755663bfc82d3033e52faf38509a7cdfcdc

Download Submit
\ProgramData\xml.com
MD5
a03cf3838775e0801a0894c8bacd2e56

SHA1
4368dbd172224ec9461364be1ac9dffc5d9224a8

SHA256
132aa270790f56a7524cab968927ed5e1d91b9a26d4badcb24e450e7decc5f81

SHA512
b9e2467157139cc288e027d34865034eaf441dd69981a91df18d60e6b6a7cc53f8102230d18e4c6de2f3ad3ab413d755663bfc82d3033e52faf38509a7cdfcdc

Download Submit
\ProgramData\xml.com
MD5
a03cf3838775e0801a0894c8bacd2e56

SHA1
4368dbd172224ec9461364be1ac9dffc5d9224a8

SHA256
132aa270790f56a7524cab968927ed5e1d91b9a26d4badcb24e450e7decc5f81

SHA512
b9e2467157139cc288e027d34865034eaf441dd69981a91df18d60e6b6a7cc53f8102230d18e4c6de2f3ad3ab413d755663bfc82d3033e52faf38509a7cdfcdc

Download Submit
memory/520-15-0x000007FEF77C0000-0x000007FEF7A3A000-memory.dmp

Filesize
2.5MB

Download
memory/664-25-0x000000006A461000-0x000000006A463000-memory.dmp

Filesize
8KB

Download
memory/664-26-0x00000000000C0000-0x00000000000F5000-memory.dmp

Filesize
212KB

Download
memory/664-23-0x0000000000000000-mapping.dmp

Download
memory/816-13-0x000007FEFB851000-0x000007FEFB853000-memory.dmp

Filesize
8KB

Download
memory/816-12-0x0000000000000000-mapping.dmp

Download
memory/1044-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1044-5-0x00000000062F0000-0x00000000062F2000-memory.dmp

Filesize
8KB

Download
memory/1044-3-0x000000006FDD1000-0x000000006FDD3000-memory.dmp

Filesize
8KB

Download
memory/1044-2-0x0000000072351000-0x0000000072354000-memory.dmp

Filesize
12KB

Download
memory/1156-10-0x0000000000000000-mapping.dmp

Download
memory/1968-17-0x0000000000000000-mapping.dmp

Download
memory/1968-22-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1968-21-0x000000006AB40000-0x000000006AB75000-memory.dmp

Filesize
212KB

Download
memory/1968-18-0x00000000760A1000-0x00000000760A3000-memory.dmp

Filesize
8KB

Download
memory/1968-27-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download