Analysis
-
max time kernel
149s -
max time network
140s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
12-05-2021 13:30
Static task
static1
Behavioral task
behavioral1
Sample
catalog-2032366526.xls
Resource
win7v20210410
General
-
Target
catalog-2032366526.xls
-
Size
367KB
-
MD5
090811fa4bbb26277eebc82843f3d70e
-
SHA1
135d07236adba8e6441c72df1b7f2c459505583c
-
SHA256
11dad18ad216bbbf97891c947ef3b70acd0c5a9a0ce80a9f5c4bcaecd7275164
-
SHA512
469ec22e3b2e86bdc5f6d32e3e299ee69f0d12620c0f7486361f19258e7900b3892c8a5d2b1257bdd0188cbe5f9bae7e489dd3f4f17cd5cd81b69abdfa7738d0
Malware Config
Extracted
qakbot
402.68
tr
1619706851
24.117.107.120:443
190.85.91.154:443
72.252.201.69:443
189.210.115.207:443
71.41.184.10:3389
81.97.154.100:443
50.29.166.232:995
140.82.49.12:443
75.137.47.174:443
71.74.12.34:443
73.25.124.140:2222
149.28.99.97:2222
45.77.115.208:2222
45.32.211.207:995
207.246.116.237:443
149.28.99.97:443
207.246.77.75:443
149.28.98.196:995
207.246.116.237:2222
45.77.115.208:8443
207.246.77.75:995
207.246.77.75:2222
45.32.211.207:443
95.77.223.148:443
45.32.211.207:8443
149.28.98.196:2222
144.202.38.185:443
207.246.77.75:8443
207.246.116.237:8443
149.28.101.90:2222
45.77.117.108:8443
45.77.117.108:443
149.28.98.196:443
45.77.117.108:2222
149.28.99.97:995
149.28.101.90:443
45.77.115.208:995
144.202.38.185:2222
149.28.101.90:995
144.202.38.185:995
45.77.115.208:443
45.32.211.207:2222
45.77.117.108:995
149.28.101.90:8443
207.246.116.237:995
98.192.185.86:443
24.139.72.117:443
216.201.162.158:443
47.196.192.184:443
47.22.148.6:443
71.187.170.235:443
151.205.102.42:443
75.67.192.125:443
24.179.77.148:443
197.45.110.165:995
105.198.236.99:443
136.232.34.70:443
71.163.222.243:443
105.198.236.101:443
45.63.107.192:995
144.139.47.206:443
115.133.243.6:443
27.223.92.142:995
76.25.142.196:443
75.118.1.141:443
50.244.112.106:443
45.46.53.140:2222
173.21.10.71:2222
98.252.118.134:443
45.63.107.192:443
45.63.107.192:2222
109.12.111.14:443
24.55.112.61:443
172.78.36.91:443
73.151.236.31:443
188.26.91.212:443
24.229.150.54:995
72.240.200.181:2222
67.165.206.193:993
67.8.103.21:443
24.226.156.153:443
186.31.46.121:443
81.214.126.173:2222
92.59.35.196:2222
92.96.3.180:2078
108.29.32.102:443
78.63.226.32:443
96.37.113.36:993
86.133.126.195:443
83.196.56.65:2222
83.110.108.100:2222
24.152.219.253:995
184.185.103.157:443
195.6.1.154:2222
76.168.147.166:993
86.220.62.251:2222
97.69.160.4:2222
90.65.236.181:2222
96.61.23.88:995
64.121.114.87:443
222.153.174.162:995
77.27.207.217:995
24.95.61.62:443
77.211.30.202:995
125.62.192.220:443
195.12.154.8:443
68.186.192.69:443
71.117.132.169:443
96.21.251.127:2222
71.199.192.62:443
70.168.130.172:995
82.12.157.95:995
209.210.187.52:995
209.210.187.52:443
67.6.12.4:443
189.222.59.177:443
174.104.22.30:443
142.117.191.18:2222
189.146.183.105:443
213.60.147.140:443
196.221.207.137:995
108.46.145.30:443
187.250.238.164:995
2.7.116.188:2222
195.43.173.70:443
106.250.150.98:443
45.67.231.247:443
83.110.103.152:443
83.110.9.71:2222
78.97.207.104:443
59.90.246.200:443
80.227.5.69:443
125.63.101.62:443
86.236.77.68:2222
109.106.69.138:2222
84.72.35.226:443
217.133.54.140:32100
197.161.154.132:443
89.137.211.239:995
74.222.204.82:995
122.148.156.131:995
156.223.110.23:443
144.139.166.18:443
202.185.166.181:443
76.94.200.148:995
71.63.120.101:443
196.151.252.84:443
202.188.138.162:443
74.68.144.202:443
69.58.147.82:2078
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exerundll32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 1996 3920 rundll32.exe EXCEL.EXE Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 1924 3920 rundll32.exe EXCEL.EXE -
Loads dropped DLL 3 IoCs
Processes:
rundll32.exeregsvr32.exepid process 1512 rundll32.exe 1512 rundll32.exe 2156 regsvr32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2200 2156 WerFault.exe regsvr32.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 3920 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
rundll32.exeWerFault.exepid process 1512 rundll32.exe 1512 rundll32.exe 2200 WerFault.exe 2200 WerFault.exe 2200 WerFault.exe 2200 WerFault.exe 2200 WerFault.exe 2200 WerFault.exe 2200 WerFault.exe 2200 WerFault.exe 2200 WerFault.exe 2200 WerFault.exe 2200 WerFault.exe 2200 WerFault.exe 2200 WerFault.exe 2200 WerFault.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
rundll32.exepid process 1512 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 2200 WerFault.exe Token: SeBackupPrivilege 2200 WerFault.exe Token: SeDebugPrivilege 2200 WerFault.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
EXCEL.EXEpid process 3920 EXCEL.EXE 3920 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 14 IoCs
Processes:
EXCEL.EXEpid process 3920 EXCEL.EXE 3920 EXCEL.EXE 3920 EXCEL.EXE 3920 EXCEL.EXE 3920 EXCEL.EXE 3920 EXCEL.EXE 3920 EXCEL.EXE 3920 EXCEL.EXE 3920 EXCEL.EXE 3920 EXCEL.EXE 3920 EXCEL.EXE 3920 EXCEL.EXE 3920 EXCEL.EXE 3920 EXCEL.EXE -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
EXCEL.EXErundll32.exerundll32.exeexplorer.exeregsvr32.exedescription pid process target process PID 3920 wrote to memory of 1996 3920 EXCEL.EXE rundll32.exe PID 3920 wrote to memory of 1996 3920 EXCEL.EXE rundll32.exe PID 1996 wrote to memory of 1512 1996 rundll32.exe rundll32.exe PID 1996 wrote to memory of 1512 1996 rundll32.exe rundll32.exe PID 1996 wrote to memory of 1512 1996 rundll32.exe rundll32.exe PID 1512 wrote to memory of 3144 1512 rundll32.exe explorer.exe PID 1512 wrote to memory of 3144 1512 rundll32.exe explorer.exe PID 1512 wrote to memory of 3144 1512 rundll32.exe explorer.exe PID 1512 wrote to memory of 3144 1512 rundll32.exe explorer.exe PID 1512 wrote to memory of 3144 1512 rundll32.exe explorer.exe PID 3920 wrote to memory of 1924 3920 EXCEL.EXE rundll32.exe PID 3920 wrote to memory of 1924 3920 EXCEL.EXE rundll32.exe PID 3144 wrote to memory of 3936 3144 explorer.exe schtasks.exe PID 3144 wrote to memory of 3936 3144 explorer.exe schtasks.exe PID 3144 wrote to memory of 3936 3144 explorer.exe schtasks.exe PID 2192 wrote to memory of 2156 2192 regsvr32.exe regsvr32.exe PID 2192 wrote to memory of 2156 2192 regsvr32.exe regsvr32.exe PID 2192 wrote to memory of 2156 2192 regsvr32.exe regsvr32.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\catalog-2032366526.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\rundll32.exerundll32 ..\ritofm.cvm,DllRegisterServer2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32 ..\ritofm.cvm,DllRegisterServer3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn gcqeieuj /tr "regsvr32.exe -s \"C:\Users\Admin\ritofm.cvm\"" /SC ONCE /Z /ST 15:29 /ET 15:415⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\rundll32.exerundll32 ..\ritofm.cvm1,DllRegisterServer2⤵
- Process spawned unexpected child process
-
\??\c:\windows\system32\regsvr32.exeregsvr32.exe -s "C:\Users\Admin\ritofm.cvm"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe-s "C:\Users\Admin\ritofm.cvm"2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 5963⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\ritofm.cvmMD5
3204cb6d305acc436e09d757cba3a9dc
SHA1a58d221b113971c4084db930ec96bbc40f834be0
SHA256074db34f0d313635c8dc7a3f2c24dd9eef990bdb61aa9da617ac9d719645d177
SHA512f72e5f2ed7a2e5ebddccd3dec77060fe42df698169ca83a016e172d15674e405b48b00cafbc68f94a2f73e0cc1883583fcfc13aff79c940198a6f63f5428af86
-
C:\Users\Admin\ritofm.cvmMD5
ba2e00831a081ead1ca285ec389eafee
SHA11beed63213f4b667a2cb9ce6ebe13a5e164344d8
SHA25632bde54ca58893260b8d87c6a4edc48c16dd9115748cd4eeeb7cf9a822089c43
SHA512e02f5c31bd98f82778d253722023a193f4ebd893142e8d9caeea6a7f5dcfbbe537e085245de496b784aef96a0ccab2cbb27688e9f5489d18eb187776381eabaf
-
\Users\Admin\ritofm.cvmMD5
3204cb6d305acc436e09d757cba3a9dc
SHA1a58d221b113971c4084db930ec96bbc40f834be0
SHA256074db34f0d313635c8dc7a3f2c24dd9eef990bdb61aa9da617ac9d719645d177
SHA512f72e5f2ed7a2e5ebddccd3dec77060fe42df698169ca83a016e172d15674e405b48b00cafbc68f94a2f73e0cc1883583fcfc13aff79c940198a6f63f5428af86
-
\Users\Admin\ritofm.cvmMD5
3204cb6d305acc436e09d757cba3a9dc
SHA1a58d221b113971c4084db930ec96bbc40f834be0
SHA256074db34f0d313635c8dc7a3f2c24dd9eef990bdb61aa9da617ac9d719645d177
SHA512f72e5f2ed7a2e5ebddccd3dec77060fe42df698169ca83a016e172d15674e405b48b00cafbc68f94a2f73e0cc1883583fcfc13aff79c940198a6f63f5428af86
-
\Users\Admin\ritofm.cvmMD5
ba2e00831a081ead1ca285ec389eafee
SHA11beed63213f4b667a2cb9ce6ebe13a5e164344d8
SHA25632bde54ca58893260b8d87c6a4edc48c16dd9115748cd4eeeb7cf9a822089c43
SHA512e02f5c31bd98f82778d253722023a193f4ebd893142e8d9caeea6a7f5dcfbbe537e085245de496b784aef96a0ccab2cbb27688e9f5489d18eb187776381eabaf
-
memory/1512-184-0x0000000001110000-0x0000000001150000-memory.dmpFilesize
256KB
-
memory/1512-185-0x00000000011D0000-0x000000000120D000-memory.dmpFilesize
244KB
-
memory/1512-181-0x0000000000000000-mapping.dmp
-
memory/1924-188-0x0000000000000000-mapping.dmp
-
memory/1996-179-0x0000000000000000-mapping.dmp
-
memory/2156-191-0x0000000000000000-mapping.dmp
-
memory/3144-186-0x0000000000000000-mapping.dmp
-
memory/3144-187-0x0000000002F50000-0x0000000002F8D000-memory.dmpFilesize
244KB
-
memory/3920-123-0x000001B55E3E0000-0x000001B5602D5000-memory.dmpFilesize
31.0MB
-
memory/3920-122-0x00007FF9EFDA0000-0x00007FF9F0E8E000-memory.dmpFilesize
16.9MB
-
memory/3920-121-0x00007FF9CF580000-0x00007FF9CF590000-memory.dmpFilesize
64KB
-
memory/3920-114-0x00007FF614540000-0x00007FF617AF6000-memory.dmpFilesize
53.7MB
-
memory/3920-118-0x00007FF9CF580000-0x00007FF9CF590000-memory.dmpFilesize
64KB
-
memory/3920-117-0x00007FF9CF580000-0x00007FF9CF590000-memory.dmpFilesize
64KB
-
memory/3920-116-0x00007FF9CF580000-0x00007FF9CF590000-memory.dmpFilesize
64KB
-
memory/3920-115-0x00007FF9CF580000-0x00007FF9CF590000-memory.dmpFilesize
64KB
-
memory/3936-189-0x0000000000000000-mapping.dmp