Analysis
-
max time kernel
148s -
max time network
128s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
18-02-2021 18:47
Behavioral task
behavioral1
Sample
document-1743692288.xls
Resource
win7v20201028
General
-
Target
document-1743692288.xls
-
Size
88KB
-
MD5
fa1f35763e1c13386feca469dd16a22b
-
SHA1
1cbfc5e62e085bba8366cc077dfc91923a8ceefd
-
SHA256
c9def02fd0b90810e1ac5af1906e461c8c1a5534ee19b5b2ce7aac77f2943b54
-
SHA512
31619aeebfdd1247252a9e3881c4ba5824b82558af2a814b1fe90b67b4403950f94f9ab02d968d30477031648cbf90c520b95f58f8beffa47952994a1c3b38dc
Malware Config
Extracted
https://miraclecollagen.co.za/ds/1802.gif
Extracted
qakbot
tr
1613385567
78.63.226.32:443
197.51.82.72:443
193.248.221.184:2222
95.77.223.148:443
71.199.192.62:443
77.211.30.202:995
80.227.5.69:443
77.27.204.204:995
81.97.154.100:443
173.184.119.153:995
38.92.225.121:443
81.150.181.168:2222
90.65.236.181:2222
83.110.103.152:443
73.153.211.227:443
188.25.63.105:443
89.137.211.239:995
202.188.138.162:443
98.173.34.212:995
87.202.87.210:2222
195.12.154.8:443
47.217.24.69:6881
182.48.193.200:443
108.160.123.244:443
96.57.188.174:2222
45.118.216.157:443
84.72.35.226:443
172.115.177.204:2222
86.236.77.68:2222
82.127.125.209:990
176.181.247.197:443
97.69.160.4:2222
90.101.117.122:2222
189.223.201.91:443
140.82.49.12:443
2.7.69.217:2222
83.110.12.140:2222
85.132.36.111:2222
197.45.110.165:995
149.28.99.97:995
45.63.107.192:2222
149.28.98.196:2222
149.28.99.97:2222
144.202.38.185:443
149.28.99.97:443
45.63.107.192:443
45.63.107.192:995
144.202.38.185:2222
149.28.101.90:995
149.28.101.90:2222
149.28.101.90:8443
45.32.211.207:8443
149.28.98.196:995
149.28.98.196:443
45.32.211.207:995
149.28.101.90:443
207.246.77.75:443
45.77.115.208:8443
207.246.77.75:995
207.246.77.75:2222
45.32.211.207:2222
45.32.211.207:443
45.77.115.208:995
144.202.38.185:995
45.77.115.208:2222
207.246.116.237:8443
207.246.116.237:2222
207.246.77.75:8443
207.246.116.237:995
207.246.116.237:443
45.77.117.108:443
45.77.117.108:995
45.77.117.108:8443
45.77.117.108:2222
45.77.115.208:443
89.3.198.238:443
2.232.253.79:995
73.25.124.140:2222
136.232.34.70:443
157.131.108.180:443
217.133.54.140:32100
195.43.173.70:443
86.98.93.124:2078
176.205.222.30:2078
105.96.8.96:443
50.29.166.232:995
27.223.92.142:995
119.153.62.76:3389
47.187.115.228:443
67.6.12.4:443
65.27.228.247:443
23.240.70.80:995
216.201.162.158:443
139.216.137.189:995
64.121.114.87:443
79.129.121.81:995
172.87.157.235:3389
75.118.1.141:443
75.136.26.147:443
96.250.60.138:443
50.244.112.106:443
115.133.243.6:443
47.196.192.184:443
45.46.53.140:2222
105.198.236.101:443
144.139.166.18:443
196.151.252.84:443
71.197.126.250:443
196.221.207.137:995
71.117.132.169:443
74.68.144.202:443
76.25.142.196:443
98.240.24.57:443
144.139.47.206:443
86.245.46.27:2222
173.21.10.71:2222
78.97.207.104:443
86.220.60.133:2222
69.245.102.225:443
94.53.92.42:443
71.74.12.34:443
84.247.55.190:8443
173.25.45.66:443
46.153.55.149:995
78.22.58.205:3389
105.198.236.99:443
24.152.219.253:995
82.76.47.211:443
189.223.234.23:995
96.37.113.36:993
47.187.74.181:443
50.25.89.74:443
174.104.31.209:443
199.19.117.131:443
201.143.235.13:443
189.146.183.105:443
181.48.190.78:443
189.223.97.175:443
47.22.148.6:443
173.70.165.101:995
74.222.204.82:995
75.67.192.125:443
32.210.98.6:443
106.51.52.111:443
59.90.246.200:443
70.49.88.199:2222
186.28.51.27:443
98.252.118.134:443
209.210.187.52:995
189.210.115.207:443
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exedescription pid pid_target process target process Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process 928 324 rundll32.exe EXCEL.EXE -
Loads dropped DLL 2 IoCs
Processes:
rundll32.exeregsvr32.exepid process 928 rundll32.exe 456 regsvr32.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Processes:
EXCEL.EXEdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 324 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
rundll32.exepid process 928 rundll32.exe 928 rundll32.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
rundll32.exepid process 928 rundll32.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
EXCEL.EXEpid process 324 EXCEL.EXE 324 EXCEL.EXE 324 EXCEL.EXE 324 EXCEL.EXE 324 EXCEL.EXE -
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
EXCEL.EXErundll32.exeexplorer.exetaskeng.exeregsvr32.exedescription pid process target process PID 324 wrote to memory of 928 324 EXCEL.EXE rundll32.exe PID 324 wrote to memory of 928 324 EXCEL.EXE rundll32.exe PID 324 wrote to memory of 928 324 EXCEL.EXE rundll32.exe PID 324 wrote to memory of 928 324 EXCEL.EXE rundll32.exe PID 324 wrote to memory of 928 324 EXCEL.EXE rundll32.exe PID 324 wrote to memory of 928 324 EXCEL.EXE rundll32.exe PID 324 wrote to memory of 928 324 EXCEL.EXE rundll32.exe PID 928 wrote to memory of 1116 928 rundll32.exe explorer.exe PID 928 wrote to memory of 1116 928 rundll32.exe explorer.exe PID 928 wrote to memory of 1116 928 rundll32.exe explorer.exe PID 928 wrote to memory of 1116 928 rundll32.exe explorer.exe PID 928 wrote to memory of 1116 928 rundll32.exe explorer.exe PID 928 wrote to memory of 1116 928 rundll32.exe explorer.exe PID 1116 wrote to memory of 620 1116 explorer.exe schtasks.exe PID 1116 wrote to memory of 620 1116 explorer.exe schtasks.exe PID 1116 wrote to memory of 620 1116 explorer.exe schtasks.exe PID 1116 wrote to memory of 620 1116 explorer.exe schtasks.exe PID 1688 wrote to memory of 1008 1688 taskeng.exe regsvr32.exe PID 1688 wrote to memory of 1008 1688 taskeng.exe regsvr32.exe PID 1688 wrote to memory of 1008 1688 taskeng.exe regsvr32.exe PID 1688 wrote to memory of 1008 1688 taskeng.exe regsvr32.exe PID 1688 wrote to memory of 1008 1688 taskeng.exe regsvr32.exe PID 1008 wrote to memory of 456 1008 regsvr32.exe regsvr32.exe PID 1008 wrote to memory of 456 1008 regsvr32.exe regsvr32.exe PID 1008 wrote to memory of 456 1008 regsvr32.exe regsvr32.exe PID 1008 wrote to memory of 456 1008 regsvr32.exe regsvr32.exe PID 1008 wrote to memory of 456 1008 regsvr32.exe regsvr32.exe PID 1008 wrote to memory of 456 1008 regsvr32.exe regsvr32.exe PID 1008 wrote to memory of 456 1008 regsvr32.exe regsvr32.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\document-1743692288.xls1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:324 -
C:\Windows\SysWOW64\rundll32.exerundll32 ..\idefje.ekfd,DllRegisterServer2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:928 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn goumgxsyra /tr "regsvr32.exe -s \"C:\Users\Admin\idefje.ekfd\"" /SC ONCE /Z /ST 19:46 /ET 19:584⤵
- Creates scheduled task(s)
PID:620
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {924969D1-1F33-4CD7-B1CC-1A5D6A4A40E9} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\system32\regsvr32.exeregsvr32.exe -s "C:\Users\Admin\idefje.ekfd"2⤵
- Suspicious use of WriteProcessMemory
PID:1008 -
C:\Windows\SysWOW64\regsvr32.exe-s "C:\Users\Admin\idefje.ekfd"3⤵
- Loads dropped DLL
PID:456
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
5d00236a63ba084e6c8e99d3f84500c0
SHA14a82505cbf31834ecd5b04344c121d2553f72811
SHA2564c35a44fc0c64e5f0eb9801645dbe58e1176d5558f5060bca2a46f44ed6783b5
SHA5128fcadfda0573210be163f6f2a761d03e11076ad2cfb193e428a3d4f7a970c0f903fd555cebd0221a2d6bce9e11c0dfcd5f0c13f341bcce2a0841f2be00cec005
-
MD5
a8e2e77d6e1159face67ee36e5d4f199
SHA1e3494981cfbc8c9a2c7a053c3ca4ab662b7f529c
SHA256307dcd0bd76ec40e3297813e65542bc6480262578d6623825340a5add4fb6bf8
SHA512c5e1f248a90e3406e690b1a7c3f6e09f4c1b3db5be40786669ba3aa1d48f0e6f2b0060dc3ee098fb76dfb59f2aec14aac5300556c69e214eef542561bc7df273
-
MD5
5d00236a63ba084e6c8e99d3f84500c0
SHA14a82505cbf31834ecd5b04344c121d2553f72811
SHA2564c35a44fc0c64e5f0eb9801645dbe58e1176d5558f5060bca2a46f44ed6783b5
SHA5128fcadfda0573210be163f6f2a761d03e11076ad2cfb193e428a3d4f7a970c0f903fd555cebd0221a2d6bce9e11c0dfcd5f0c13f341bcce2a0841f2be00cec005
-
MD5
a8e2e77d6e1159face67ee36e5d4f199
SHA1e3494981cfbc8c9a2c7a053c3ca4ab662b7f529c
SHA256307dcd0bd76ec40e3297813e65542bc6480262578d6623825340a5add4fb6bf8
SHA512c5e1f248a90e3406e690b1a7c3f6e09f4c1b3db5be40786669ba3aa1d48f0e6f2b0060dc3ee098fb76dfb59f2aec14aac5300556c69e214eef542561bc7df273