document-1743692288.xls

General

Target: document-1743692288.xls
Filesize: 88KB
Completed: 18-02-2021 18:50
Score: 10/10
MD5: fa1f35763e1c13386feca469dd16a22b
SHA1: 1cbfc5e62e085bba8366cc077dfc91923a8ceefd
SHA256: c9def02fd0b90810e1ac5af1906e461c8c1a5534ee19b5b2ce7aac77f2943b54

Malware Config

Extracted

Family: qakbot
Botnet: tr
Campaign: 1613385567
C2:


Signatures 13

  • Process spawned unexpected child process
    rundll32.exe

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

    Reported IOCs

    description | pid | pid_target | process | target process
    Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4392 | 4684 | rundll32.exe | EXCEL.EXE
  • Qakbot/Qbot

    Description

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Loads dropped DLL
    rundll32.exe

    Reported IOCs

    pid | process
    4324 | rundll32.exe
  • Checks SCSI registry key(s)
    rundll32.exe

    Description

    SCSI information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | rundll32.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc | rundll32.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service | rundll32.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | rundll32.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc | rundll32.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service | rundll32.exe
  • Checks processor information in registry
    EXCEL.EXE

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  • Creates scheduled task(s)
    schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid | process
    660 | schtasks.exe
  • Enumerates system info in registry
    EXCEL.EXE

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  • Suspicious behavior: AddClipboardFormatListener
    EXCEL.EXE

    Reported IOCs

    pid | process
    4684 | EXCEL.EXE
  • Suspicious behavior: EnumeratesProcesses
    rundll32.exe

    Reported IOCs

    pid | process
    4324 | rundll32.exe
    4324 | rundll32.exe
    4324 | rundll32.exe
    4324 | rundll32.exe
  • Suspicious behavior: MapViewOfSection
    rundll32.exe

    Reported IOCs

    pid | process
    4324 | rundll32.exe
  • Suspicious use of FindShellTrayWindow
    EXCEL.EXE

    Reported IOCs

    pid | process
    4684 | EXCEL.EXE
    4684 | EXCEL.EXE
  • Suspicious use of SetWindowsHookEx
    EXCEL.EXE

    Reported IOCs

    pid | process
    4684 | EXCEL.EXE
    4684 | EXCEL.EXE
    4684 | EXCEL.EXE
    4684 | EXCEL.EXE
    4684 | EXCEL.EXE
    4684 | EXCEL.EXE
    4684 | EXCEL.EXE
    4684 | EXCEL.EXE
    4684 | EXCEL.EXE
    4684 | EXCEL.EXE
    4684 | EXCEL.EXE
    4684 | EXCEL.EXE
  • Suspicious use of WriteProcessMemory
    EXCEL.EXE, rundll32.exe, rundll32.exe, explorer.exe

    Reported IOCs

    description | pid | process | target process
    PID 4684 wrote to memory of 4392 | 4684 | EXCEL.EXE | rundll32.exe
    PID 4684 wrote to memory of 4392 | 4684 | EXCEL.EXE | rundll32.exe
    PID 4392 wrote to memory of 4324 | 4392 | rundll32.exe | rundll32.exe
    PID 4392 wrote to memory of 4324 | 4392 | rundll32.exe | rundll32.exe
    PID 4392 wrote to memory of 4324 | 4392 | rundll32.exe | rundll32.exe
    PID 4324 wrote to memory of 528 | 4324 | rundll32.exe | explorer.exe
    PID 4324 wrote to memory of 528 | 4324 | rundll32.exe | explorer.exe
    PID 4324 wrote to memory of 528 | 4324 | rundll32.exe | explorer.exe
    PID 4324 wrote to memory of 528 | 4324 | rundll32.exe | explorer.exe
    PID 4324 wrote to memory of 528 | 4324 | rundll32.exe | explorer.exe
    PID 528 wrote to memory of 660 | 528 | explorer.exe | schtasks.exe
    PID 528 wrote to memory of 660 | 528 | explorer.exe | schtasks.exe
    PID 528 wrote to memory of 660 | 528 | explorer.exe | schtasks.exe
Processes 6
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\document-1743692288.xls"
    Checks processor information in registry
    Enumerates system info in registry
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of FindShellTrayWindow
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:4684
    • C:\Windows\SYSTEM32\rundll32.exe
      rundll32 ..\idefje.ekfd,DllRegisterServer
      Process spawned unexpected child process
      Suspicious use of WriteProcessMemory
      PID:4392
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32 ..\idefje.ekfd,DllRegisterServer
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        PID:4324
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          Suspicious use of WriteProcessMemory
          PID:528
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn wbppmmm /tr "regsvr32.exe -s \"\"" /SC ONCE /Z /ST 18:46 /ET 18:58
            Creates scheduled task(s)
            PID:660
  • \??\c:\windows\system32\regsvr32.exe
    regsvr32.exe -s ""
    PID:1280
Network
MITRE ATT&CK Matrix
Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • C:\Users\Admin\idefje.ekfd
    MD5: a8e2e77d6e1159face67ee36e5d4f199
    SHA1: e3494981cfbc8c9a2c7a053c3ca4ab662b7f529c
    SHA256: 307dcd0bd76ec40e3297813e65542bc6480262578d6623825340a5add4fb6bf8
    SHA512: c5e1f248a90e3406e690b1a7c3f6e09f4c1b3db5be40786669ba3aa1d48f0e6f2b0060dc3ee098fb76dfb59f2aec14aac5300556c69e214eef542561bc7df273
  • \Users\Admin\idefje.ekfd
    MD5: a8e2e77d6e1159face67ee36e5d4f199
    SHA1: e3494981cfbc8c9a2c7a053c3ca4ab662b7f529c
    SHA256: 307dcd0bd76ec40e3297813e65542bc6480262578d6623825340a5add4fb6bf8
    SHA512: c5e1f248a90e3406e690b1a7c3f6e09f4c1b3db5be40786669ba3aa1d48f0e6f2b0060dc3ee098fb76dfb59f2aec14aac5300556c69e214eef542561bc7df273
  • memory/528-16-0x0000000002720000-0x0000000002755000-memory.dmp
  • memory/528-14-0x0000000000000000-mapping.dmp
  • memory/528-17-0x0000000002720000-0x0000000002755000-memory.dmp
  • memory/660-15-0x0000000000000000-mapping.dmp
  • memory/4324-12-0x0000000004E20000-0x0000000004E53000-memory.dmp
  • memory/4324-11-0x0000000000C00000-0x0000000000C01000-memory.dmp
  • memory/4324-13-0x00000000060A0000-0x00000000060D5000-memory.dmp
  • memory/4324-9-0x0000000000000000-mapping.dmp
  • memory/4392-7-0x0000000000000000-mapping.dmp
  • memory/4684-6-0x00007FFEE8620000-0x00007FFEE8C57000-memory.dmp
  • memory/4684-5-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp
  • memory/4684-4-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp
  • memory/4684-3-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp
  • memory/4684-2-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp