document-1743692288.xls

backendfu1m1
featuresanalog, overview
max_time_kernel145125
max_time_network129432
platformwindows10_x64
resourcewin10v20201028
submitted18-02-2021 18:47

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

Filesize

88KB

Completed

18-02-2021 18:50

Score

10 ^/10

MD5

fa1f35763e1c13386feca469dd16a22b

SHA1

1cbfc5e62e085bba8366cc077dfc91923a8ceefd

SHA256

c9def02fd0b90810e1ac5af1906e461c8c1a5534ee19b5b2ce7aac77f2943b54

qakbot tr 1613385567 banker stealer trojan

Extracted

Family	qakbot
Botnet	tr
Campaign	1613385567
C2	78.63.226.32:443 197.51.82.72:443 193.248.221.184:2222 95.77.223.148:443 71.199.192.62:443 77.211.30.202:995 80.227.5.69:443 77.27.204.204:995 81.97.154.100:443 173.184.119.153:995 38.92.225.121:443 81.150.181.168:2222 90.65.236.181:2222 83.110.103.152:443 73.153.211.227:443 188.25.63.105:443 89.137.211.239:995 202.188.138.162:443 98.173.34.212:995 87.202.87.210:2222 195.12.154.8:443 47.217.24.69:6881 182.48.193.200:443 108.160.123.244:443 96.57.188.174:2222 45.118.216.157:443 84.72.35.226:443 172.115.177.204:2222 86.236.77.68:2222 82.127.125.209:990 176.181.247.197:443 97.69.160.4:2222 90.101.117.122:2222 189.223.201.91:443 140.82.49.12:443 2.7.69.217:2222 83.110.12.140:2222 85.132.36.111:2222 197.45.110.165:995 149.28.99.97:995 45.63.107.192:2222 149.28.98.196:2222 149.28.99.97:2222 144.202.38.185:443 149.28.99.97:443 45.63.107.192:443 45.63.107.192:995 144.202.38.185:2222 149.28.101.90:995 149.28.101.90:2222 149.28.101.90:8443 45.32.211.207:8443 149.28.98.196:995 149.28.98.196:443 45.32.211.207:995 149.28.101.90:443 207.246.77.75:443 45.77.115.208:8443 207.246.77.75:995 207.246.77.75:2222 45.32.211.207:2222 45.32.211.207:443 45.77.115.208:995 144.202.38.185:995 45.77.115.208:2222 207.246.116.237:8443 207.246.116.237:2222 207.246.77.75:8443 207.246.116.237:995 207.246.116.237:443 45.77.117.108:443 45.77.117.108:995 45.77.117.108:8443 45.77.117.108:2222 45.77.115.208:443 89.3.198.238:443 2.232.253.79:995 73.25.124.140:2222 136.232.34.70:443 157.131.108.180:443 217.133.54.140:32100 195.43.173.70:443 86.98.93.124:2078 176.205.222.30:2078 105.96.8.96:443 50.29.166.232:995 27.223.92.142:995 119.153.62.76:3389 47.187.115.228:443 67.6.12.4:443 65.27.228.247:443 23.240.70.80:995 216.201.162.158:443 139.216.137.189:995 64.121.114.87:443 79.129.121.81:995 172.87.157.235:3389 75.118.1.141:443 75.136.26.147:443 96.250.60.138:443 50.244.112.106:443 115.133.243.6:443 47.196.192.184:443 45.46.53.140:2222 105.198.236.101:443 144.139.166.18:443 196.151.252.84:443 71.197.126.250:443 196.221.207.137:995 71.117.132.169:443 74.68.144.202:443 76.25.142.196:443 98.240.24.57:443 144.139.47.206:443 86.245.46.27:2222 173.21.10.71:2222 78.97.207.104:443 86.220.60.133:2222 69.245.102.225:443 94.53.92.42:443 71.74.12.34:443 84.247.55.190:8443 173.25.45.66:443 46.153.55.149:995 78.22.58.205:3389 105.198.236.99:443 24.152.219.253:995 82.76.47.211:443 189.223.234.23:995 96.37.113.36:993 47.187.74.181:443 50.25.89.74:443 174.104.31.209:443 199.19.117.131:443 201.143.235.13:443 189.146.183.105:443 181.48.190.78:443 189.223.97.175:443 47.22.148.6:443 173.70.165.101:995 74.222.204.82:995 75.67.192.125:443 32.210.98.6:443 106.51.52.111:443 59.90.246.200:443 70.49.88.199:2222 186.28.51.27:443 98.252.118.134:443 209.210.187.52:995 189.210.115.207:443 78.63.226.32:443 197.51.82.72:443 193.248.221.184:2222 95.77.223.148:443 71.199.192.62:443 77.211.30.202:995 80.227.5.69:443 77.27.204.204:995 81.97.154.100:443 173.184.119.153:995 38.92.225.121:443 81.150.181.168:2222 90.65.236.181:2222 83.110.103.152:443 73.153.211.227:443 188.25.63.105:443 89.137.211.239:995 202.188.138.162:443 98.173.34.212:995 87.202.87.210:2222 195.12.154.8:443 47.217.24.69:6881 182.48.193.200:443 108.160.123.244:443 96.57.188.174:2222 45.118.216.157:443 84.72.35.226:443 172.115.177.204:2222 86.236.77.68:2222 82.127.125.209:990 176.181.247.197:443 97.69.160.4:2222 90.101.117.122:2222 189.223.201.91:443 140.82.49.12:443 2.7.69.217:2222 83.110.12.140:2222 85.132.36.111:2222 197.45.110.165:995 149.28.99.97:995 45.63.107.192:2222 149.28.98.196:2222 149.28.99.97:2222 144.202.38.185:443 149.28.99.97:443 45.63.107.192:443 45.63.107.192:995 144.202.38.185:2222 149.28.101.90:995 149.28.101.90:2222 149.28.101.90:8443 45.32.211.207:8443 149.28.98.196:995 149.28.98.196:443 45.32.211.207:995 149.28.101.90:443 207.246.77.75:443 45.77.115.208:8443 207.246.77.75:995 207.246.77.75:2222 45.32.211.207:2222 45.32.211.207:443 45.77.115.208:995 144.202.38.185:995 45.77.115.208:2222 207.246.116.237:8443 207.246.116.237:2222 207.246.77.75:8443 207.246.116.237:995 207.246.116.237:443 45.77.117.108:443 45.77.117.108:995 45.77.117.108:8443 45.77.117.108:2222 45.77.115.208:443 89.3.198.238:443 2.232.253.79:995 73.25.124.140:2222 136.232.34.70:443 157.131.108.180:443 217.133.54.140:32100 195.43.173.70:443 86.98.93.124:2078 176.205.222.30:2078 105.96.8.96:443 50.29.166.232:995 27.223.92.142:995 119.153.62.76:3389 47.187.115.228:443 67.6.12.4:443 65.27.228.247:443 23.240.70.80:995 216.201.162.158:443 139.216.137.189:995 64.121.114.87:443 79.129.121.81:995 172.87.157.235:3389 75.118.1.141:443 75.136.26.147:443 96.250.60.138:443 50.244.112.106:443 115.133.243.6:443 47.196.192.184:443 45.46.53.140:2222 105.198.236.101:443 144.139.166.18:443 196.151.252.84:443 71.197.126.250:443 196.221.207.137:995 71.117.132.169:443 74.68.144.202:443 76.25.142.196:443 98.240.24.57:443 144.139.47.206:443 86.245.46.27:2222 173.21.10.71:2222 78.97.207.104:443 86.220.60.133:2222 69.245.102.225:443 94.53.92.42:443 71.74.12.34:443 84.247.55.190:8443 173.25.45.66:443 46.153.55.149:995 78.22.58.205:3389 105.198.236.99:443 24.152.219.253:995 82.76.47.211:443 189.223.234.23:995 96.37.113.36:993 47.187.74.181:443 50.25.89.74:443 174.104.31.209:443 199.19.117.131:443 201.143.235.13:443 189.146.183.105:443 181.48.190.78:443 189.223.97.175:443 47.22.148.6:443 173.70.165.101:995 74.222.204.82:995 75.67.192.125:443 32.210.98.6:443 106.51.52.111:443 59.90.246.200:443 70.49.88.199:2222 186.28.51.27:443 98.252.118.134:443 209.210.187.52:995 189.210.115.207:443

Discovery

Persistence

Process spawned unexpected child process

rundll32.exe

Description

This typically indicates the parent process was compromised via an exploit or macro.

Reported IOCs

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4392	4684	rundll32.exe	EXCEL.EXE

Qakbot/Qbot

Description

Qbot or Qakbot is a sophisticated worm with banking capabilities.

Tags

trojan banker stealer qakbot
Loads dropped DLL
rundll32.exe

Reported IOCs

pid process

4324 rundll32.exe

pid	process
4324	rundll32.exe

Checks SCSI registry key(s)

rundll32.exe

Description

SCSI information is often read in order to detect sandboxing environments.

TTPs

Query RegistryPeripheral Device DiscoverySystem Information Discovery

Reported IOCs

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	rundll32.exe

Checks processor information in registry

EXCEL.EXE

Description

Processor information is often read in order to detect sandboxing environments.

TTPs

Query RegistrySystem Information Discovery

Reported IOCs

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Creates scheduled task(s)
schtasks.exe

Description

Schtasks is often used by malware for persistence or to perform post-infection execution.

Tags

persistence

TTPs

Scheduled Task

Reported IOCs

pid process

660 schtasks.exe

pid	process
660	schtasks.exe

Enumerates system info in registry

EXCEL.EXE

TTPs

Query RegistrySystem Information Discovery

Reported IOCs

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener
EXCEL.EXE

Reported IOCs

pid process

4684 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses
rundll32.exe

Reported IOCs

pid process

4324 rundll32.exe
4324 rundll32.exe
4324 rundll32.exe
4324 rundll32.exe
Suspicious behavior: MapViewOfSection
rundll32.exe

Reported IOCs

pid process

4324 rundll32.exe
Suspicious use of FindShellTrayWindow
EXCEL.EXE

Reported IOCs

pid process

4684 EXCEL.EXE
4684 EXCEL.EXE

pid	process
4324	rundll32.exe
4324	rundll32.exe
4324	rundll32.exe
4324	rundll32.exe

pid	process
4324	rundll32.exe

Suspicious use of SetWindowsHookEx

EXCEL.EXE

Reported IOCs

pid	process
4684	EXCEL.EXE
4684	EXCEL.EXE
4684	EXCEL.EXE
4684	EXCEL.EXE
4684	EXCEL.EXE
4684	EXCEL.EXE
4684	EXCEL.EXE
4684	EXCEL.EXE
4684	EXCEL.EXE
4684	EXCEL.EXE
4684	EXCEL.EXE
4684	EXCEL.EXE

Suspicious use of WriteProcessMemory

EXCEL.EXErundll32.exerundll32.exeexplorer.exe

Reported IOCs

description	pid	process	target process
PID 4684 wrote to memory of 4392	4684	EXCEL.EXE	rundll32.exe
PID 4684 wrote to memory of 4392	4684	EXCEL.EXE	rundll32.exe
PID 4392 wrote to memory of 4324	4392	rundll32.exe	rundll32.exe
PID 4392 wrote to memory of 4324	4392	rundll32.exe	rundll32.exe
PID 4392 wrote to memory of 4324	4392	rundll32.exe	rundll32.exe
PID 4324 wrote to memory of 528	4324	rundll32.exe	explorer.exe
PID 4324 wrote to memory of 528	4324	rundll32.exe	explorer.exe
PID 4324 wrote to memory of 528	4324	rundll32.exe	explorer.exe
PID 4324 wrote to memory of 528	4324	rundll32.exe	explorer.exe
PID 4324 wrote to memory of 528	4324	rundll32.exe	explorer.exe
PID 528 wrote to memory of 660	528	explorer.exe	schtasks.exe
PID 528 wrote to memory of 660	528	explorer.exe	schtasks.exe
PID 528 wrote to memory of 660	528	explorer.exe	schtasks.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\document-1743692288.xls"

Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:4684

C:\Windows\SYSTEM32\rundll32.exe

rundll32 ..\idefje.ekfd,DllRegisterServer

Process spawned unexpected child process
Suspicious use of WriteProcessMemory

PID:4392

C:\Windows\SysWOW64\rundll32.exe

rundll32 ..\idefje.ekfd,DllRegisterServer

Loads dropped DLL
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory

PID:4324

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Suspicious use of WriteProcessMemory

PID:528

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn wbppmmm /tr "regsvr32.exe -s \"\"" /SC ONCE /Z /ST 18:46 /ET 18:58

Creates scheduled task(s)

PID:660

\??\c:\windows\system32\regsvr32.exe

regsvr32.exe -s ""

PID:1280

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Scheduled Task

Privilege Escalation

00:00 00:00

C:\Users\Admin\idefje.ekfd

MD5
a8e2e77d6e1159face67ee36e5d4f199

SHA1
e3494981cfbc8c9a2c7a053c3ca4ab662b7f529c

SHA256
307dcd0bd76ec40e3297813e65542bc6480262578d6623825340a5add4fb6bf8

SHA512
c5e1f248a90e3406e690b1a7c3f6e09f4c1b3db5be40786669ba3aa1d48f0e6f2b0060dc3ee098fb76dfb59f2aec14aac5300556c69e214eef542561bc7df273

Download Submit
\Users\Admin\idefje.ekfd

MD5
a8e2e77d6e1159face67ee36e5d4f199

SHA1
e3494981cfbc8c9a2c7a053c3ca4ab662b7f529c

SHA256
307dcd0bd76ec40e3297813e65542bc6480262578d6623825340a5add4fb6bf8

SHA512
c5e1f248a90e3406e690b1a7c3f6e09f4c1b3db5be40786669ba3aa1d48f0e6f2b0060dc3ee098fb76dfb59f2aec14aac5300556c69e214eef542561bc7df273

Download Submit
memory/528-16-0x0000000002720000-0x0000000002755000-memory.dmp

Download
memory/528-14-0x0000000000000000-mapping.dmp

Download
memory/528-17-0x0000000002720000-0x0000000002755000-memory.dmp

Download
memory/660-15-0x0000000000000000-mapping.dmp

Download
memory/4324-12-0x0000000004E20000-0x0000000004E53000-memory.dmp

Download
memory/4324-11-0x0000000000C00000-0x0000000000C01000-memory.dmp

Download
memory/4324-13-0x00000000060A0000-0x00000000060D5000-memory.dmp

Download
memory/4324-9-0x0000000000000000-mapping.dmp

Download
memory/4392-7-0x0000000000000000-mapping.dmp

Download
memory/4684-6-0x00007FFEE8620000-0x00007FFEE8C57000-memory.dmp

Download
memory/4684-5-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp

Download
memory/4684-4-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp

Download
memory/4684-3-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp

Download
memory/4684-2-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp

Download

document-1743692288.xls

Extracted

Filter: none

Description

Reported IOCs

Description

Tags

Reported IOCs

Description

TTPs

Reported IOCs

Description

TTPs

Reported IOCs

Description

Tags

TTPs

Reported IOCs

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title