document-1743692288.xls

General
Target: document-1743692288.xls
Filesize: 88KB
Completed: 18-02-2021 18:50
Score: 10/10
MD5: fa1f35763e1c13386feca469dd16a22b
SHA1: 1cbfc5e62e085bba8366cc077dfc91923a8ceefd
SHA256: c9def02fd0b90810e1ac5af1906e461c8c1a5534ee19b5b2ce7aac77f2943b54

Malware Config

Extracted
Language: xlm4.0
Source: xlm40.dropper
URLs: https://miraclecollagen.co.za/ds/1802.gif

Extracted
Family: qakbot
Botnet: tr
Campaign: 1613385567
C2: 50 address:port endpoints

Signatures 11

Tactics: Defense Evasion, Discovery, Persistence
  • Process spawned unexpected child process
    rundll32.exe

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

    Reported IOCs

    description | pid | pid_target | process | target process
    Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 928 | 324 | rundll32.exe | EXCEL.EXE
  • Qakbot/Qbot

    Description

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Loads dropped DLL
    rundll32.exe, regsvr32.exe

    Reported IOCs

    pid | process
    928 | rundll32.exe
    456 | regsvr32.exe
  • Creates scheduled task(s)
    schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid | process
    620 | schtasks.exe
  • Enumerates system info in registry
    EXCEL.EXE

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
  • Modifies Internet Explorer settings
    EXCEL.EXE

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
  • Suspicious behavior: AddClipboardFormatListener
    EXCEL.EXE

    Reported IOCs

    pid | process
    324 | EXCEL.EXE
  • Suspicious behavior: EnumeratesProcesses
    rundll32.exe

    Reported IOCs

    pid | process
    928 | rundll32.exe (2 events)
  • Suspicious behavior: MapViewOfSection
    rundll32.exe

    Reported IOCs

    pid | process
    928 | rundll32.exe
  • Suspicious use of SetWindowsHookEx
    EXCEL.EXE

    Reported IOCs

    pid | process
    324 | EXCEL.EXE (5 events)
  • Suspicious use of WriteProcessMemory
    EXCEL.EXE, rundll32.exe, explorer.exe, taskeng.exe, regsvr32.exe

    Reported IOCs

    description | pid | process | target process
    PID 324 wrote to memory of 928 | 324 | EXCEL.EXE | rundll32.exe (7 events)
    PID 928 wrote to memory of 1116 | 928 | rundll32.exe | explorer.exe (6 events)
    PID 1116 wrote to memory of 620 | 1116 | explorer.exe | schtasks.exe (4 events)
    PID 1688 wrote to memory of 1008 | 1688 | taskeng.exe | regsvr32.exe (5 events)
    PID 1008 wrote to memory of 456 | 1008 | regsvr32.exe | regsvr32.exe (7 events)
Processes 7
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\document-1743692288.xls
    Enumerates system info in registry
    Modifies Internet Explorer settings
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:324
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32 ..\idefje.ekfd,DllRegisterServer
      Process spawned unexpected child process
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:928
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        Suspicious use of WriteProcessMemory
        PID:1116
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn goumgxsyra /tr "regsvr32.exe -s \"C:\Users\Admin\idefje.ekfd\"" /SC ONCE /Z /ST 19:46 /ET 19:58
          Creates scheduled task(s)
          PID:620
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {924969D1-1F33-4CD7-B1CC-1A5D6A4A40E9} S-1-5-18:NT AUTHORITY\System:Service:
    Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Windows\system32\regsvr32.exe
      regsvr32.exe -s "C:\Users\Admin\idefje.ekfd"
      Suspicious use of WriteProcessMemory
      PID:1008
      • C:\Windows\SysWOW64\regsvr32.exe
        -s "C:\Users\Admin\idefje.ekfd"
        Loads dropped DLL
        PID:456
Network
MITRE ATT&CK Matrix
Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • C:\Users\Admin\idefje.ekfd
    MD5: 5d00236a63ba084e6c8e99d3f84500c0
    SHA1: 4a82505cbf31834ecd5b04344c121d2553f72811
    SHA256: 4c35a44fc0c64e5f0eb9801645dbe58e1176d5558f5060bca2a46f44ed6783b5
    SHA512: 8fcadfda0573210be163f6f2a761d03e11076ad2cfb193e428a3d4f7a970c0f903fd555cebd0221a2d6bce9e11c0dfcd5f0c13f341bcce2a0841f2be00cec005
  • C:\Users\Admin\idefje.ekfd
    MD5: a8e2e77d6e1159face67ee36e5d4f199
    SHA1: e3494981cfbc8c9a2c7a053c3ca4ab662b7f529c
    SHA256: 307dcd0bd76ec40e3297813e65542bc6480262578d6623825340a5add4fb6bf8
    SHA512: c5e1f248a90e3406e690b1a7c3f6e09f4c1b3db5be40786669ba3aa1d48f0e6f2b0060dc3ee098fb76dfb59f2aec14aac5300556c69e214eef542561bc7df273
  • \Users\Admin\idefje.ekfd
    MD5: 5d00236a63ba084e6c8e99d3f84500c0
    SHA1: 4a82505cbf31834ecd5b04344c121d2553f72811
    SHA256: 4c35a44fc0c64e5f0eb9801645dbe58e1176d5558f5060bca2a46f44ed6783b5
    SHA512: 8fcadfda0573210be163f6f2a761d03e11076ad2cfb193e428a3d4f7a970c0f903fd555cebd0221a2d6bce9e11c0dfcd5f0c13f341bcce2a0841f2be00cec005
  • \Users\Admin\idefje.ekfd
    MD5: a8e2e77d6e1159face67ee36e5d4f199
    SHA1: e3494981cfbc8c9a2c7a053c3ca4ab662b7f529c
    SHA256: 307dcd0bd76ec40e3297813e65542bc6480262578d6623825340a5add4fb6bf8
    SHA512: c5e1f248a90e3406e690b1a7c3f6e09f4c1b3db5be40786669ba3aa1d48f0e6f2b0060dc3ee098fb76dfb59f2aec14aac5300556c69e214eef542561bc7df273