Analysis
-
max time kernel
141s -
max time network
141s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
18-02-2021 19:35
Behavioral task
behavioral1
Sample
document-1911271790.xls
Resource
win7v20201028
General
-
Target
document-1911271790.xls
-
Size
88KB
-
MD5
b06088f340daf14e2329423e6c03a3d8
-
SHA1
16cb3c036658cb410b7ba2af0e5b580791d43271
-
SHA256
9c60f9e70aacfccb250fe5cce6d0cf8701e5dc08c2aa9ac44db5e95d8f51130a
-
SHA512
6fb87d80550049a3a2750c8d3e0078d75a30b1e987c0f4d1afc40030fe95242c5146e4206bafd3f8c36be1f6b6cdd257e7dd90690f8f14b7df66e06889da2aee
Malware Config
Extracted
qakbot
tr
1613385567
78.63.226.32:443
197.51.82.72:443
193.248.221.184:2222
95.77.223.148:443
71.199.192.62:443
77.211.30.202:995
80.227.5.69:443
77.27.204.204:995
81.97.154.100:443
173.184.119.153:995
38.92.225.121:443
81.150.181.168:2222
90.65.236.181:2222
83.110.103.152:443
73.153.211.227:443
188.25.63.105:443
89.137.211.239:995
202.188.138.162:443
98.173.34.212:995
87.202.87.210:2222
195.12.154.8:443
47.217.24.69:6881
182.48.193.200:443
108.160.123.244:443
96.57.188.174:2222
45.118.216.157:443
84.72.35.226:443
172.115.177.204:2222
86.236.77.68:2222
82.127.125.209:990
176.181.247.197:443
97.69.160.4:2222
90.101.117.122:2222
189.223.201.91:443
140.82.49.12:443
2.7.69.217:2222
83.110.12.140:2222
85.132.36.111:2222
197.45.110.165:995
149.28.99.97:995
45.63.107.192:2222
149.28.98.196:2222
149.28.99.97:2222
144.202.38.185:443
149.28.99.97:443
45.63.107.192:443
45.63.107.192:995
144.202.38.185:2222
149.28.101.90:995
149.28.101.90:2222
149.28.101.90:8443
45.32.211.207:8443
149.28.98.196:995
149.28.98.196:443
45.32.211.207:995
149.28.101.90:443
207.246.77.75:443
45.77.115.208:8443
207.246.77.75:995
207.246.77.75:2222
45.32.211.207:2222
45.32.211.207:443
45.77.115.208:995
144.202.38.185:995
45.77.115.208:2222
207.246.116.237:8443
207.246.116.237:2222
207.246.77.75:8443
207.246.116.237:995
207.246.116.237:443
45.77.117.108:443
45.77.117.108:995
45.77.117.108:8443
45.77.117.108:2222
45.77.115.208:443
89.3.198.238:443
2.232.253.79:995
73.25.124.140:2222
136.232.34.70:443
157.131.108.180:443
217.133.54.140:32100
195.43.173.70:443
86.98.93.124:2078
176.205.222.30:2078
105.96.8.96:443
50.29.166.232:995
27.223.92.142:995
119.153.62.76:3389
47.187.115.228:443
67.6.12.4:443
65.27.228.247:443
23.240.70.80:995
216.201.162.158:443
139.216.137.189:995
64.121.114.87:443
79.129.121.81:995
172.87.157.235:3389
75.118.1.141:443
75.136.26.147:443
96.250.60.138:443
50.244.112.106:443
115.133.243.6:443
47.196.192.184:443
45.46.53.140:2222
105.198.236.101:443
144.139.166.18:443
196.151.252.84:443
71.197.126.250:443
196.221.207.137:995
71.117.132.169:443
74.68.144.202:443
76.25.142.196:443
98.240.24.57:443
144.139.47.206:443
86.245.46.27:2222
173.21.10.71:2222
78.97.207.104:443
86.220.60.133:2222
69.245.102.225:443
94.53.92.42:443
71.74.12.34:443
84.247.55.190:8443
173.25.45.66:443
46.153.55.149:995
78.22.58.205:3389
105.198.236.99:443
24.152.219.253:995
82.76.47.211:443
189.223.234.23:995
96.37.113.36:993
47.187.74.181:443
50.25.89.74:443
174.104.31.209:443
199.19.117.131:443
201.143.235.13:443
189.146.183.105:443
181.48.190.78:443
189.223.97.175:443
47.22.148.6:443
173.70.165.101:995
74.222.204.82:995
75.67.192.125:443
32.210.98.6:443
106.51.52.111:443
59.90.246.200:443
70.49.88.199:2222
186.28.51.27:443
98.252.118.134:443
209.210.187.52:995
189.210.115.207:443
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 2544 648 rundll32.exe EXCEL.EXE -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
rundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rundll32.exe -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 4012 rundll32.exe -
Processes:
resource yara_rule C:\Users\Admin\idefje.ekfd themida \Users\Admin\idefje.ekfd themida behavioral2/memory/4012-11-0x0000000010000000-0x0000000010429000-memory.dmp themida behavioral2/memory/3452-18-0x0000000003000000-0x0000000003429000-memory.dmp themida behavioral2/memory/1136-24-0x0000000003090000-0x00000000034B9000-memory.dmp themida behavioral2/memory/3972-27-0x00000000008C0000-0x0000000000CE9000-memory.dmp themida -
Processes:
rundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
rundll32.exepid process 4012 rundll32.exe -
Program crash 3 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exepid pid_target process target process 4032 3452 WerFault.exe explorer.exe 3944 1136 WerFault.exe explorer.exe 1416 3972 WerFault.exe mobsync.exe -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
rundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc rundll32.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 648 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 47 IoCs
Processes:
rundll32.exeWerFault.exeWerFault.exeWerFault.exepid process 4012 rundll32.exe 4012 rundll32.exe 4012 rundll32.exe 4012 rundll32.exe 4032 WerFault.exe 4032 WerFault.exe 4032 WerFault.exe 4032 WerFault.exe 4032 WerFault.exe 4032 WerFault.exe 4032 WerFault.exe 4032 WerFault.exe 4032 WerFault.exe 4032 WerFault.exe 4032 WerFault.exe 4032 WerFault.exe 4032 WerFault.exe 4032 WerFault.exe 4032 WerFault.exe 3944 WerFault.exe 3944 WerFault.exe 3944 WerFault.exe 3944 WerFault.exe 3944 WerFault.exe 3944 WerFault.exe 3944 WerFault.exe 3944 WerFault.exe 3944 WerFault.exe 3944 WerFault.exe 3944 WerFault.exe 3944 WerFault.exe 3944 WerFault.exe 3944 WerFault.exe 1416 WerFault.exe 1416 WerFault.exe 1416 WerFault.exe 1416 WerFault.exe 1416 WerFault.exe 1416 WerFault.exe 1416 WerFault.exe 1416 WerFault.exe 1416 WerFault.exe 1416 WerFault.exe 1416 WerFault.exe 1416 WerFault.exe 1416 WerFault.exe 1416 WerFault.exe -
Suspicious behavior: MapViewOfSection 3 IoCs
Processes:
rundll32.exepid process 4012 rundll32.exe 4012 rundll32.exe 4012 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exedescription pid process Token: SeRestorePrivilege 4032 WerFault.exe Token: SeBackupPrivilege 4032 WerFault.exe Token: SeDebugPrivilege 4032 WerFault.exe Token: SeDebugPrivilege 3944 WerFault.exe Token: SeDebugPrivilege 1416 WerFault.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
EXCEL.EXEpid process 648 EXCEL.EXE 648 EXCEL.EXE 648 EXCEL.EXE 648 EXCEL.EXE 648 EXCEL.EXE 648 EXCEL.EXE 648 EXCEL.EXE 648 EXCEL.EXE 648 EXCEL.EXE 648 EXCEL.EXE 648 EXCEL.EXE 648 EXCEL.EXE -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
EXCEL.EXErundll32.exerundll32.exedescription pid process target process PID 648 wrote to memory of 2544 648 EXCEL.EXE rundll32.exe PID 648 wrote to memory of 2544 648 EXCEL.EXE rundll32.exe PID 2544 wrote to memory of 4012 2544 rundll32.exe rundll32.exe PID 2544 wrote to memory of 4012 2544 rundll32.exe rundll32.exe PID 2544 wrote to memory of 4012 2544 rundll32.exe rundll32.exe PID 4012 wrote to memory of 3452 4012 rundll32.exe explorer.exe PID 4012 wrote to memory of 3452 4012 rundll32.exe explorer.exe PID 4012 wrote to memory of 3452 4012 rundll32.exe explorer.exe PID 4012 wrote to memory of 3452 4012 rundll32.exe explorer.exe PID 4012 wrote to memory of 3452 4012 rundll32.exe explorer.exe PID 4012 wrote to memory of 1136 4012 rundll32.exe explorer.exe PID 4012 wrote to memory of 1136 4012 rundll32.exe explorer.exe PID 4012 wrote to memory of 1136 4012 rundll32.exe explorer.exe PID 4012 wrote to memory of 1136 4012 rundll32.exe explorer.exe PID 4012 wrote to memory of 1136 4012 rundll32.exe explorer.exe PID 4012 wrote to memory of 3972 4012 rundll32.exe mobsync.exe PID 4012 wrote to memory of 3972 4012 rundll32.exe mobsync.exe PID 4012 wrote to memory of 3972 4012 rundll32.exe mobsync.exe PID 4012 wrote to memory of 3972 4012 rundll32.exe mobsync.exe PID 4012 wrote to memory of 3972 4012 rundll32.exe mobsync.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\document-1911271790.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\rundll32.exerundll32 ..\idefje.ekfd,DllRegisterServer2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32 ..\idefje.ekfd,DllRegisterServer3⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 7205⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 7365⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\mobsync.exeC:\Windows\SysWOW64\mobsync.exe4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 4645⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\idefje.ekfdMD5
b509be029763ac06bb800fc69aa37233
SHA13eeca996be760557f70776ab61c700fe45a7c22d
SHA256cb3a5f285a6e6682544aec97a87cba31df7f9a03e9ecd5635fe5117782983fb0
SHA512d43444cfb5489d582efebe246da5f75d716cf70c52c4be679b2018acc90461892b99158327733dc16d4202f5bd16b95f2ddc3082fef7c36c966fe9dfb7cd3514
-
\Users\Admin\idefje.ekfdMD5
b509be029763ac06bb800fc69aa37233
SHA13eeca996be760557f70776ab61c700fe45a7c22d
SHA256cb3a5f285a6e6682544aec97a87cba31df7f9a03e9ecd5635fe5117782983fb0
SHA512d43444cfb5489d582efebe246da5f75d716cf70c52c4be679b2018acc90461892b99158327733dc16d4202f5bd16b95f2ddc3082fef7c36c966fe9dfb7cd3514
-
memory/648-2-0x00007FF9C3DC0000-0x00007FF9C3DD0000-memory.dmpFilesize
64KB
-
memory/648-3-0x00007FF9C3DC0000-0x00007FF9C3DD0000-memory.dmpFilesize
64KB
-
memory/648-4-0x00007FF9C3DC0000-0x00007FF9C3DD0000-memory.dmpFilesize
64KB
-
memory/648-6-0x00007FF9C3DC0000-0x00007FF9C3DD0000-memory.dmpFilesize
64KB
-
memory/648-5-0x00007FF9E73C0000-0x00007FF9E79F7000-memory.dmpFilesize
6.2MB
-
memory/1136-24-0x0000000003090000-0x00000000034B9000-memory.dmpFilesize
4.2MB
-
memory/1136-20-0x0000000000000000-mapping.dmp
-
memory/1416-26-0x0000000004280000-0x0000000004281000-memory.dmpFilesize
4KB
-
memory/2544-7-0x0000000000000000-mapping.dmp
-
memory/3452-18-0x0000000003000000-0x0000000003429000-memory.dmpFilesize
4.2MB
-
memory/3452-14-0x0000000000000000-mapping.dmp
-
memory/3944-21-0x0000000004D30000-0x0000000004D31000-memory.dmpFilesize
4KB
-
memory/3972-25-0x0000000000000000-mapping.dmp
-
memory/3972-27-0x00000000008C0000-0x0000000000CE9000-memory.dmpFilesize
4.2MB
-
memory/4012-13-0x0000000077C34000-0x0000000077C35000-memory.dmpFilesize
4KB
-
memory/4012-12-0x0000000010001000-0x0000000010025000-memory.dmpFilesize
144KB
-
memory/4012-11-0x0000000010000000-0x0000000010429000-memory.dmpFilesize
4.2MB
-
memory/4012-9-0x0000000000000000-mapping.dmp
-
memory/4032-15-0x0000000004AC0000-0x0000000004AC1000-memory.dmpFilesize
4KB
-
memory/4032-16-0x0000000004AC0000-0x0000000004AC1000-memory.dmpFilesize
4KB
-
memory/4032-19-0x0000000004EC0000-0x0000000004EC1000-memory.dmpFilesize
4KB