Overview

overview

10

Static

static

8

documents-...4.xlsm

windows7_x64

10

documents-...4.xlsm

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    135s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    12-04-2021 16:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    documents-122179384.xlsm

  • Size

    95KB

  • MD5

    64ce728339d9ca928a4f2643b6098dda

  • SHA1

    43fb58a8536b4b97cb812f8c02329703d3085cc7

  • SHA256

    b93a9e972d297bb2a0ae163d5c9a087bf29dc5db48eaab8d9e0e5560f48065c0

  • SHA512

    4b83a359690fc96c994d807ddf059393c916723dbcb5776c4cbfe1551c821365da6b8f85c1046739e563e357229a1eba6689967ce5dd20117cfc88440bd070ec

Score
10/10
qakbottr1618225074bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Botnet

tr

Campaign

1618225074

C2

197.45.110.165:995

216.201.162.158:443

71.74.12.34:443

45.63.107.192:2222

149.28.101.90:2222

45.32.211.207:443

45.32.211.207:995

45.32.211.207:8443

45.32.211.207:2222

149.28.99.97:995

149.28.98.196:443

149.28.101.90:443

149.28.101.90:8443

207.246.77.75:2222

207.246.116.237:443

207.246.116.237:995

207.246.116.237:2222

45.77.117.108:995

149.28.99.97:443

45.63.107.192:443

Signatures

  • Process spawned unexpected child process 5 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Loads dropped DLL 2 IoCs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\documents-122179384.xlsm"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4048
    • C:\Windows\SYSTEM32\rundll32.exe
      rundll32 ..\urlefv.wir,DllRegisterServer
      2⤵
      • Process spawned unexpected child process
      PID:4044
    • C:\Windows\SYSTEM32\rundll32.exe
      rundll32 ..\urlefv.wir1,DllRegisterServer
      2⤵
      • Process spawned unexpected child process
      PID:3904
    • C:\Windows\SYSTEM32\rundll32.exe
      rundll32 ..\urlefv.wir2,DllRegisterServer
      2⤵
      • Process spawned unexpected child process
      PID:3856
    • C:\Windows\SYSTEM32\rundll32.exe
      rundll32 ..\urlefv.wir3,DllRegisterServer
      2⤵
      • Process spawned unexpected child process
      PID:3712
    • C:\Windows\SYSTEM32\rundll32.exe
      rundll32 ..\urlefv.wir4,DllRegisterServer
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1104
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32 ..\urlefv.wir4,DllRegisterServer
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1048
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4068
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn dezyytvfak /tr "regsvr32.exe -s \"C:\Users\Admin\urlefv.wir4\"" /SC ONCE /Z /ST 16:41 /ET 16:53
            5⤵
            • Creates scheduled task(s)
            PID:1156
  • \??\c:\windows\system32\regsvr32.exe
    regsvr32.exe -s "C:\Users\Admin\urlefv.wir4"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3936
    • C:\Windows\SysWOW64\regsvr32.exe
      -s "C:\Users\Admin\urlefv.wir4"
      2⤵
      • Loads dropped DLL
      PID:860
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 596
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2268

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\urlefv.wir4
    MD5

    31a68eef07c6c6113152cf9cd86d196e

    SHA1

    3f23f15b220a9731c5a98ce90ad950d345de4fcf

    SHA256

    593ad02f675cb99b6645b26b2bc5bb92d8ab6962629eae6fbe1a1e330613e056

    SHA512

    9f478314a259ab6e2ae33076d59bc48fa395fa89189e3b01308d01de4abdad3e979a2bca5f33d689ee029edbe5962d4cdf71dd00b6f269fe732dfe601d6390a5

    Download Submit

  • C:\Users\Admin\urlefv.wir4
    MD5

    01160c728a6c98035a8b48e54bfb84b5

    SHA1

    0162a30e2ef6323cdff4588cc3e90c1fca6bb1fa

    SHA256

    71a8c70c2793309b14822b94333aa3775d8f472402eb9afbdd07b62fa29f77ca

    SHA512

    dd1864972179da1004e9cb735de873bf70ed5c4794df2a49b4ddb6841bce59dc14e7c2e635c965054f60f717514fce4c29c7eee62fb5c26caa1c025452094938

    Download Submit

  • \Users\Admin\urlefv.wir4
    MD5

    31a68eef07c6c6113152cf9cd86d196e

    SHA1

    3f23f15b220a9731c5a98ce90ad950d345de4fcf

    SHA256

    593ad02f675cb99b6645b26b2bc5bb92d8ab6962629eae6fbe1a1e330613e056

    SHA512

    9f478314a259ab6e2ae33076d59bc48fa395fa89189e3b01308d01de4abdad3e979a2bca5f33d689ee029edbe5962d4cdf71dd00b6f269fe732dfe601d6390a5

    Download Submit

  • \Users\Admin\urlefv.wir4
    MD5

    01160c728a6c98035a8b48e54bfb84b5

    SHA1

    0162a30e2ef6323cdff4588cc3e90c1fca6bb1fa

    SHA256

    71a8c70c2793309b14822b94333aa3775d8f472402eb9afbdd07b62fa29f77ca

    SHA512

    dd1864972179da1004e9cb735de873bf70ed5c4794df2a49b4ddb6841bce59dc14e7c2e635c965054f60f717514fce4c29c7eee62fb5c26caa1c025452094938

    Download Submit

  • memory/860-194-0x0000000000000000-mapping.dmp

    Download

  • memory/1048-189-0x0000000004EC0000-0x0000000004ED9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/1048-188-0x0000000004E70000-0x0000000004E9D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/1048-187-0x00000000030B0000-0x00000000030B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1048-185-0x0000000000000000-mapping.dmp

    Download

  • memory/1104-183-0x0000000000000000-mapping.dmp

    Download

  • memory/1156-191-0x0000000000000000-mapping.dmp

    Download

  • memory/3712-182-0x0000000000000000-mapping.dmp

    Download

  • memory/3856-181-0x0000000000000000-mapping.dmp

    Download

  • memory/3904-180-0x0000000000000000-mapping.dmp

    Download

  • memory/4044-179-0x0000000000000000-mapping.dmp

    Download

  • memory/4048-123-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4048-122-0x00007FFDC1130000-0x00007FFDC3025000-memory.dmp

    Filesize

    31.0MB

    Download

  • memory/4048-121-0x00007FFDC3210000-0x00007FFDC42FE000-memory.dmp

    Filesize

    16.9MB

    Download

  • memory/4048-118-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4048-114-0x00007FF79D320000-0x00007FF7A08D6000-memory.dmp

    Filesize

    53.7MB

    Download

  • memory/4048-117-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4048-116-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4048-115-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4068-190-0x0000000000000000-mapping.dmp

    Download

  • memory/4068-192-0x0000000000890000-0x00000000008A9000-memory.dmp

    Filesize

    100KB

    Download