Analysis
-
max time kernel
148s -
max time network
128s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
18-02-2021 18:47
Behavioral task
behavioral1
Sample
document-1743692288.xls
Resource
win7v20201028
General
-
Target
document-1743692288.xls
-
Size
88KB
-
MD5
fa1f35763e1c13386feca469dd16a22b
-
SHA1
1cbfc5e62e085bba8366cc077dfc91923a8ceefd
-
SHA256
c9def02fd0b90810e1ac5af1906e461c8c1a5534ee19b5b2ce7aac77f2943b54
-
SHA512
31619aeebfdd1247252a9e3881c4ba5824b82558af2a814b1fe90b67b4403950f94f9ab02d968d30477031648cbf90c520b95f58f8beffa47952994a1c3b38dc
Malware Config
Extracted
https://miraclecollagen.co.za/ds/1802.gif
Extracted
qakbot
tr
1613385567
78.63.226.32:443
197.51.82.72:443
193.248.221.184:2222
95.77.223.148:443
71.199.192.62:443
77.211.30.202:995
80.227.5.69:443
77.27.204.204:995
81.97.154.100:443
173.184.119.153:995
38.92.225.121:443
81.150.181.168:2222
90.65.236.181:2222
83.110.103.152:443
73.153.211.227:443
188.25.63.105:443
89.137.211.239:995
202.188.138.162:443
98.173.34.212:995
87.202.87.210:2222
195.12.154.8:443
47.217.24.69:6881
182.48.193.200:443
108.160.123.244:443
96.57.188.174:2222
45.118.216.157:443
84.72.35.226:443
172.115.177.204:2222
86.236.77.68:2222
82.127.125.209:990
176.181.247.197:443
97.69.160.4:2222
90.101.117.122:2222
189.223.201.91:443
140.82.49.12:443
2.7.69.217:2222
83.110.12.140:2222
85.132.36.111:2222
197.45.110.165:995
149.28.99.97:995
45.63.107.192:2222
149.28.98.196:2222
149.28.99.97:2222
144.202.38.185:443
149.28.99.97:443
45.63.107.192:443
45.63.107.192:995
144.202.38.185:2222
149.28.101.90:995
149.28.101.90:2222
149.28.101.90:8443
45.32.211.207:8443
149.28.98.196:995
149.28.98.196:443
45.32.211.207:995
149.28.101.90:443
207.246.77.75:443
45.77.115.208:8443
207.246.77.75:995
207.246.77.75:2222
45.32.211.207:2222
45.32.211.207:443
45.77.115.208:995
144.202.38.185:995
45.77.115.208:2222
207.246.116.237:8443
207.246.116.237:2222
207.246.77.75:8443
207.246.116.237:995
207.246.116.237:443
45.77.117.108:443
45.77.117.108:995
45.77.117.108:8443
45.77.117.108:2222
45.77.115.208:443
89.3.198.238:443
2.232.253.79:995
73.25.124.140:2222
136.232.34.70:443
157.131.108.180:443
217.133.54.140:32100
195.43.173.70:443
86.98.93.124:2078
176.205.222.30:2078
105.96.8.96:443
50.29.166.232:995
27.223.92.142:995
119.153.62.76:3389
47.187.115.228:443
67.6.12.4:443
65.27.228.247:443
23.240.70.80:995
216.201.162.158:443
139.216.137.189:995
64.121.114.87:443
79.129.121.81:995
172.87.157.235:3389
75.118.1.141:443
75.136.26.147:443
96.250.60.138:443
50.244.112.106:443
115.133.243.6:443
47.196.192.184:443
45.46.53.140:2222
105.198.236.101:443
144.139.166.18:443
196.151.252.84:443
71.197.126.250:443
196.221.207.137:995
71.117.132.169:443
74.68.144.202:443
76.25.142.196:443
98.240.24.57:443
144.139.47.206:443
86.245.46.27:2222
173.21.10.71:2222
78.97.207.104:443
86.220.60.133:2222
69.245.102.225:443
94.53.92.42:443
71.74.12.34:443
84.247.55.190:8443
173.25.45.66:443
46.153.55.149:995
78.22.58.205:3389
105.198.236.99:443
24.152.219.253:995
82.76.47.211:443
189.223.234.23:995
96.37.113.36:993
47.187.74.181:443
50.25.89.74:443
174.104.31.209:443
199.19.117.131:443
201.143.235.13:443
189.146.183.105:443
181.48.190.78:443
189.223.97.175:443
47.22.148.6:443
173.70.165.101:995
74.222.204.82:995
75.67.192.125:443
32.210.98.6:443
106.51.52.111:443
59.90.246.200:443
70.49.88.199:2222
186.28.51.27:443
98.252.118.134:443
209.210.187.52:995
189.210.115.207:443
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process 928 324 rundll32.exe 24 -
Loads dropped DLL 2 IoCs
pid Process 928 rundll32.exe 456 regsvr32.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 620 schtasks.exe -
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 324 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 928 rundll32.exe 928 rundll32.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 928 rundll32.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 324 EXCEL.EXE 324 EXCEL.EXE 324 EXCEL.EXE 324 EXCEL.EXE 324 EXCEL.EXE -
Suspicious use of WriteProcessMemory 29 IoCs
description pid Process procid_target PID 324 wrote to memory of 928 324 EXCEL.EXE 31 PID 324 wrote to memory of 928 324 EXCEL.EXE 31 PID 324 wrote to memory of 928 324 EXCEL.EXE 31 PID 324 wrote to memory of 928 324 EXCEL.EXE 31 PID 324 wrote to memory of 928 324 EXCEL.EXE 31 PID 324 wrote to memory of 928 324 EXCEL.EXE 31 PID 324 wrote to memory of 928 324 EXCEL.EXE 31 PID 928 wrote to memory of 1116 928 rundll32.exe 32 PID 928 wrote to memory of 1116 928 rundll32.exe 32 PID 928 wrote to memory of 1116 928 rundll32.exe 32 PID 928 wrote to memory of 1116 928 rundll32.exe 32 PID 928 wrote to memory of 1116 928 rundll32.exe 32 PID 928 wrote to memory of 1116 928 rundll32.exe 32 PID 1116 wrote to memory of 620 1116 explorer.exe 33 PID 1116 wrote to memory of 620 1116 explorer.exe 33 PID 1116 wrote to memory of 620 1116 explorer.exe 33 PID 1116 wrote to memory of 620 1116 explorer.exe 33 PID 1688 wrote to memory of 1008 1688 taskeng.exe 37 PID 1688 wrote to memory of 1008 1688 taskeng.exe 37 PID 1688 wrote to memory of 1008 1688 taskeng.exe 37 PID 1688 wrote to memory of 1008 1688 taskeng.exe 37 PID 1688 wrote to memory of 1008 1688 taskeng.exe 37 PID 1008 wrote to memory of 456 1008 regsvr32.exe 38 PID 1008 wrote to memory of 456 1008 regsvr32.exe 38 PID 1008 wrote to memory of 456 1008 regsvr32.exe 38 PID 1008 wrote to memory of 456 1008 regsvr32.exe 38 PID 1008 wrote to memory of 456 1008 regsvr32.exe 38 PID 1008 wrote to memory of 456 1008 regsvr32.exe 38 PID 1008 wrote to memory of 456 1008 regsvr32.exe 38
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\document-1743692288.xls1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:324 -
C:\Windows\SysWOW64\rundll32.exerundll32 ..\idefje.ekfd,DllRegisterServer2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:928 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn goumgxsyra /tr "regsvr32.exe -s \"C:\Users\Admin\idefje.ekfd\"" /SC ONCE /Z /ST 19:46 /ET 19:584⤵
- Creates scheduled task(s)
PID:620
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {924969D1-1F33-4CD7-B1CC-1A5D6A4A40E9} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\system32\regsvr32.exeregsvr32.exe -s "C:\Users\Admin\idefje.ekfd"2⤵
- Suspicious use of WriteProcessMemory
PID:1008 -
C:\Windows\SysWOW64\regsvr32.exe-s "C:\Users\Admin\idefje.ekfd"3⤵
- Loads dropped DLL
PID:456
-
-