qakbot | e443c61de95ddab96eb2f2658ace7b6d9b03dc3b9b37068396ecd655eb543aec

General

Target

documents-1472621861.xlsb
Size

94KB
MD5

7046115d4093bb8a33ae64df0a85c4dd
SHA1

602a43d4665ea83f3e1d0f1bc27ce83f515e6360
SHA256

e443c61de95ddab96eb2f2658ace7b6d9b03dc3b9b37068396ecd655eb543aec
SHA512

99c0183e937ab6a272fc4fda56eb4eac1e845d1f99a994290e3b380974e973be340b972d5d5186377f5448d949133b7e00790dbd05869b56bd2916c111dc1ef5

Score

10^/10

qakbot tr 1618398298 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tr

Campaign

1618398298

C2

47.196.192.184:443

216.201.162.158:443

136.232.34.70:443

71.41.184.10:3389

140.82.49.12:443

45.63.107.192:2222

45.63.107.192:443

149.28.98.196:443

45.32.211.207:443

144.202.38.185:443

45.77.115.208:2222

45.77.115.208:8443

207.246.116.237:995

45.77.117.108:443

149.28.99.97:443

149.28.99.97:995

149.28.98.196:995

45.32.211.207:995

45.32.211.207:2222

149.28.98.196:2222

Signatures

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3880	4656	rundll32.exe	67
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3852	4656	rundll32.exe	67
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4040	4656	rundll32.exe	67
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4072	4656	rundll32.exe	67
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4372	4656	rundll32.exe	67

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Loads dropped DLL 2 IoCs

pid	Process
4032	rundll32.exe
4592	regsvr32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4240	4592	WerFault.exe	90

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4348	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4656	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4032	rundll32.exe
4032	rundll32.exe
4240	WerFault.exe
4240	WerFault.exe
4240	WerFault.exe
4240	WerFault.exe
4240	WerFault.exe
4240	WerFault.exe
4240	WerFault.exe
4240	WerFault.exe
4240	WerFault.exe
4240	WerFault.exe
4240	WerFault.exe
4240	WerFault.exe
4240	WerFault.exe
4240	WerFault.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4032	rundll32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	4240	WerFault.exe
Token: SeBackupPrivilege	4240	WerFault.exe
Token: SeDebugPrivilege	4240	WerFault.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4656	EXCEL.EXE
4656	EXCEL.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
4656	EXCEL.EXE
4656	EXCEL.EXE
4656	EXCEL.EXE
4656	EXCEL.EXE
4656	EXCEL.EXE
4656	EXCEL.EXE
4656	EXCEL.EXE
4656	EXCEL.EXE
4656	EXCEL.EXE
4656	EXCEL.EXE
4656	EXCEL.EXE
4656	EXCEL.EXE
4656	EXCEL.EXE
4656	EXCEL.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 3880	4656	EXCEL.EXE	80
PID 4656 wrote to memory of 3880	4656	EXCEL.EXE	80
PID 4656 wrote to memory of 3852	4656	EXCEL.EXE	81
PID 4656 wrote to memory of 3852	4656	EXCEL.EXE	81
PID 4656 wrote to memory of 4040	4656	EXCEL.EXE	82
PID 4656 wrote to memory of 4040	4656	EXCEL.EXE	82
PID 4656 wrote to memory of 4072	4656	EXCEL.EXE	83
PID 4656 wrote to memory of 4072	4656	EXCEL.EXE	83
PID 4072 wrote to memory of 4032	4072	rundll32.exe	84
PID 4072 wrote to memory of 4032	4072	rundll32.exe	84
PID 4072 wrote to memory of 4032	4072	rundll32.exe	84
PID 4032 wrote to memory of 1836	4032	rundll32.exe	85
PID 4032 wrote to memory of 1836	4032	rundll32.exe	85
PID 4032 wrote to memory of 1836	4032	rundll32.exe	85
PID 4032 wrote to memory of 1836	4032	rundll32.exe	85
PID 4032 wrote to memory of 1836	4032	rundll32.exe	85
PID 4656 wrote to memory of 4372	4656	EXCEL.EXE	86
PID 4656 wrote to memory of 4372	4656	EXCEL.EXE	86
PID 1836 wrote to memory of 4348	1836	explorer.exe	87
PID 1836 wrote to memory of 4348	1836	explorer.exe	87
PID 1836 wrote to memory of 4348	1836	explorer.exe	87
PID 4600 wrote to memory of 4592	4600	regsvr32.exe	90
PID 4600 wrote to memory of 4592	4600	regsvr32.exe	90
PID 4600 wrote to memory of 4592	4600	regsvr32.exe	90

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\documents-1472621861.xlsb"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Windows\SYSTEM32\rundll32.exe
  rundll32 ..\wiroe.oer1,DllRegisterServer
  2⤵
  - Process spawned unexpected child process
  PID:3880
- C:\Windows\SYSTEM32\rundll32.exe
  rundll32 ..\wiroe.oer2,DllRegisterServer
  2⤵
  - Process spawned unexpected child process
  PID:3852
- C:\Windows\SYSTEM32\rundll32.exe
  rundll32 ..\wiroe.oer3,DllRegisterServer
  2⤵
  - Process spawned unexpected child process
  PID:4040
- C:\Windows\SYSTEM32\rundll32.exe
  rundll32 ..\wiroe.oer4,DllRegisterServer
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 ..\wiroe.oer4,DllRegisterServer
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4032
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1836
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn qhgyhxg /tr "regsvr32.exe -s \"C:\Users\Admin\wiroe.oer4\"" /SC ONCE /Z /ST 16:18 /ET 16:30
        5⤵
        Creates scheduled task(s)
        
        PID:4348
- C:\Windows\SYSTEM32\rundll32.exe
  rundll32 ..\wiroe.oer5,DllRegisterServer
  2⤵
  - Process spawned unexpected child process
  PID:4372

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\wiroe.oer4"
1⤵
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Windows\SysWOW64\regsvr32.exe
  -s "C:\Users\Admin\wiroe.oer4"
  2⤵
  - Loads dropped DLL
  PID:4592
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 180
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1836-192-0x0000000000570000-0x00000000005A9000-memory.dmp

Filesize
228KB

Download
memory/4032-187-0x0000000004E50000-0x0000000004E92000-memory.dmp

Filesize
264KB

Download
memory/4032-188-0x0000000004EE0000-0x0000000004F19000-memory.dmp

Filesize
228KB

Download
memory/4032-186-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/4656-118-0x00007FFA38500000-0x00007FFA38510000-memory.dmp

Filesize
64KB

Download
memory/4656-117-0x00007FFA38500000-0x00007FFA38510000-memory.dmp

Filesize
64KB

Download
memory/4656-121-0x00007FFA38500000-0x00007FFA38510000-memory.dmp

Filesize
64KB

Download
memory/4656-123-0x000001CDAF030000-0x000001CDB0F25000-memory.dmp

Filesize
31.0MB

Download
memory/4656-114-0x00007FF79B800000-0x00007FF79EDB6000-memory.dmp

Filesize
53.7MB

Download
memory/4656-122-0x00007FFA589E0000-0x00007FFA59ACE000-memory.dmp

Filesize
16.9MB

Download
memory/4656-116-0x00007FFA38500000-0x00007FFA38510000-memory.dmp

Filesize
64KB

Download
memory/4656-115-0x00007FFA38500000-0x00007FFA38510000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads