Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
11-06-2021 09:54
Behavioral task
behavioral1
Sample
a.xlsb
Resource
win7v20210410
General
-
Target
a.xlsb
-
Size
155KB
-
MD5
79d94d53703ee58ab2aac1782cbd6939
-
SHA1
16a918e278d56ed854a3314d2a4ea907001195fc
-
SHA256
80afad8cad6c0a84c232d5d17354b11ff9e5920d65c2552047801bc73a8bec82
-
SHA512
912a3ea6a5f75b35376ac34b03605ffd660376ad2f201648a0b73b79159c35f051842ba0585ad075bdd2424940dc671082f2cdf178e53c4c6cfdd072c3a7dcd9
Malware Config
Extracted
https://shadiinfo.com/2DP6mQeg/pt.html
https://treasurechestcaribbean.com/pZ2Z61bqa/pt.html
Extracted
qakbot
402.68
tr
1623225382
190.85.91.154:443
140.82.49.12:443
105.198.236.101:443
68.186.192.69:443
24.95.61.62:443
90.65.234.26:2222
197.45.110.165:995
96.61.23.88:995
172.78.51.35:443
184.185.103.157:443
71.163.222.223:443
27.223.92.142:995
24.179.77.236:443
97.69.160.4:2222
188.26.91.212:443
75.67.192.125:443
24.152.219.253:995
92.59.35.196:2222
47.22.148.6:443
216.201.162.158:443
76.25.142.196:443
81.97.154.100:443
81.214.126.173:2222
71.41.184.10:3389
83.110.109.189:2222
125.239.44.146:995
144.139.47.206:443
75.118.1.141:443
175.136.38.142:443
98.192.185.86:443
67.165.206.193:993
73.151.236.31:443
173.21.10.71:2222
45.46.53.140:2222
71.74.12.34:443
45.63.107.192:2222
45.63.107.192:443
45.32.211.207:443
45.32.211.207:8443
149.28.101.90:995
207.246.116.237:8443
207.246.116.237:995
207.246.116.237:2222
45.77.117.108:2222
45.77.117.108:8443
149.28.98.196:995
149.28.101.90:443
45.77.117.108:443
45.32.211.207:995
45.32.211.207:2222
45.77.115.208:995
149.28.98.196:2222
207.246.77.75:995
45.77.115.208:8443
207.246.77.75:2222
144.202.38.185:443
207.246.116.237:443
149.28.101.90:2222
149.28.101.90:8443
45.77.115.208:2222
45.77.115.208:443
45.77.117.108:995
149.28.98.196:443
144.202.38.185:995
207.246.77.75:8443
207.246.77.75:443
144.202.38.185:2222
98.252.118.134:443
149.28.99.97:443
149.28.99.97:995
149.28.99.97:2222
45.63.107.192:995
189.210.115.207:443
105.198.236.99:443
72.252.201.69:443
151.205.102.42:443
86.220.62.251:2222
75.137.47.174:443
72.240.200.181:2222
95.77.223.148:443
24.55.112.61:443
24.229.150.54:995
109.12.111.14:443
24.139.72.117:443
136.232.34.70:443
50.29.166.232:995
92.96.3.180:2078
71.187.170.235:443
68.204.7.158:443
108.27.245.228:443
83.196.56.65:2222
50.244.112.106:443
96.37.113.36:993
24.122.166.173:443
73.25.124.140:2222
86.173.143.211:443
47.196.213.73:443
186.154.175.13:443
70.163.161.79:443
78.63.226.32:443
195.6.1.154:2222
76.168.147.166:993
64.121.114.87:443
77.27.207.217:995
31.4.242.233:995
125.62.192.220:443
195.12.154.8:443
71.117.132.169:443
96.21.251.127:2222
71.199.192.62:443
70.168.130.172:995
82.12.157.95:995
209.210.187.52:995
209.210.187.52:443
67.6.12.4:443
189.222.59.177:443
174.104.22.30:443
142.117.191.18:2222
189.146.183.105:443
213.60.147.140:443
196.221.207.137:995
108.46.145.30:443
187.250.238.164:995
2.7.116.188:2222
195.43.173.70:443
106.250.150.98:443
45.67.231.247:443
83.110.103.152:443
83.110.9.71:2222
78.97.207.104:443
59.90.246.200:443
80.227.5.69:443
125.63.101.62:443
86.236.77.68:2222
109.106.69.138:2222
84.72.35.226:443
217.133.54.140:32100
197.161.154.132:443
89.137.211.239:995
74.222.204.82:995
122.148.156.131:995
156.223.110.23:443
144.139.166.18:443
202.185.166.181:443
76.94.200.148:995
71.63.120.101:443
196.151.252.84:443
202.188.138.162:443
74.68.144.202:443
69.58.147.82:2078
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
regsvr32.exeregsvr32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 8 624 regsvr32.exe EXCEL.EXE Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 3176 624 regsvr32.exe EXCEL.EXE -
Loads dropped DLL 2 IoCs
Processes:
regsvr32.exeregsvr32.exepid process 732 regsvr32.exe 1412 regsvr32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2760 1412 WerFault.exe regsvr32.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 624 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
regsvr32.exeWerFault.exepid process 732 regsvr32.exe 732 regsvr32.exe 2760 WerFault.exe 2760 WerFault.exe 2760 WerFault.exe 2760 WerFault.exe 2760 WerFault.exe 2760 WerFault.exe 2760 WerFault.exe 2760 WerFault.exe 2760 WerFault.exe 2760 WerFault.exe 2760 WerFault.exe 2760 WerFault.exe 2760 WerFault.exe 2760 WerFault.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
regsvr32.exepid process 732 regsvr32.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 2760 WerFault.exe Token: SeBackupPrivilege 2760 WerFault.exe Token: SeDebugPrivilege 2760 WerFault.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
EXCEL.EXEpid process 624 EXCEL.EXE 624 EXCEL.EXE 624 EXCEL.EXE 624 EXCEL.EXE 624 EXCEL.EXE 624 EXCEL.EXE 624 EXCEL.EXE 624 EXCEL.EXE 624 EXCEL.EXE 624 EXCEL.EXE 624 EXCEL.EXE 624 EXCEL.EXE -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
EXCEL.EXEregsvr32.exeregsvr32.exeexplorer.exeregsvr32.exedescription pid process target process PID 624 wrote to memory of 3512 624 EXCEL.EXE splwow64.exe PID 624 wrote to memory of 3512 624 EXCEL.EXE splwow64.exe PID 624 wrote to memory of 8 624 EXCEL.EXE regsvr32.exe PID 624 wrote to memory of 8 624 EXCEL.EXE regsvr32.exe PID 8 wrote to memory of 732 8 regsvr32.exe regsvr32.exe PID 8 wrote to memory of 732 8 regsvr32.exe regsvr32.exe PID 8 wrote to memory of 732 8 regsvr32.exe regsvr32.exe PID 732 wrote to memory of 3868 732 regsvr32.exe explorer.exe PID 732 wrote to memory of 3868 732 regsvr32.exe explorer.exe PID 732 wrote to memory of 3868 732 regsvr32.exe explorer.exe PID 732 wrote to memory of 3868 732 regsvr32.exe explorer.exe PID 732 wrote to memory of 3868 732 regsvr32.exe explorer.exe PID 624 wrote to memory of 3176 624 EXCEL.EXE regsvr32.exe PID 624 wrote to memory of 3176 624 EXCEL.EXE regsvr32.exe PID 3868 wrote to memory of 3600 3868 explorer.exe schtasks.exe PID 3868 wrote to memory of 3600 3868 explorer.exe schtasks.exe PID 3868 wrote to memory of 3600 3868 explorer.exe schtasks.exe PID 3380 wrote to memory of 1412 3380 regsvr32.exe regsvr32.exe PID 3380 wrote to memory of 1412 3380 regsvr32.exe regsvr32.exe PID 3380 wrote to memory of 1412 3380 regsvr32.exe regsvr32.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\a.xlsb"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Windows\SYSTEM32\regsvr32.exeregsvr32 -s ..\covi1.dll2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe-s ..\covi1.dll3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn quwxulmxnc /tr "regsvr32.exe -s \"C:\Users\Admin\covi1.dll\"" /SC ONCE /Z /ST 11:53 /ET 12:055⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\regsvr32.exeregsvr32 -s ..\covi2.dll2⤵
- Process spawned unexpected child process
-
\??\c:\windows\system32\regsvr32.exeregsvr32.exe -s "C:\Users\Admin\covi1.dll"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe-s "C:\Users\Admin\covi1.dll"2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 5963⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\covi1.dllMD5
dbf8ea4418afb979a09b782cfbdaccbb
SHA103aa8b79fe5289a65c7327524dd052d1134bf537
SHA256e0934288689e1796773b1eeffe0098c40962335d883a4b4dbad87e68d975f548
SHA512128d0cec8aaa9dfedba6e98d50747f5200fe7b68f82c7f969a89537d7f5e9ebab47df8b38f1f6ecdc1bbfa56c2d4614e4286454a2bf72f9aa8eb6e65ed1e771b
-
C:\Users\Admin\covi1.dllMD5
6edc1d62b0dd8681da9f35cc7320f44b
SHA15bfd270a9b7a28a26a29c56c825d93cb84242dc1
SHA256c74ac403d16f8a943741b28876ce112feb57fab8e9ca7af2310f9ba46d6de482
SHA512a7f1014eae1b8552521abfcafcbf23ea4962b424d927f168cb3072aaf685ca6a383e1754284bacf0c441dd10e557998f0749ecbb463a751be3045a6dd232af9b
-
\Users\Admin\covi1.dllMD5
dbf8ea4418afb979a09b782cfbdaccbb
SHA103aa8b79fe5289a65c7327524dd052d1134bf537
SHA256e0934288689e1796773b1eeffe0098c40962335d883a4b4dbad87e68d975f548
SHA512128d0cec8aaa9dfedba6e98d50747f5200fe7b68f82c7f969a89537d7f5e9ebab47df8b38f1f6ecdc1bbfa56c2d4614e4286454a2bf72f9aa8eb6e65ed1e771b
-
\Users\Admin\covi1.dllMD5
6edc1d62b0dd8681da9f35cc7320f44b
SHA15bfd270a9b7a28a26a29c56c825d93cb84242dc1
SHA256c74ac403d16f8a943741b28876ce112feb57fab8e9ca7af2310f9ba46d6de482
SHA512a7f1014eae1b8552521abfcafcbf23ea4962b424d927f168cb3072aaf685ca6a383e1754284bacf0c441dd10e557998f0749ecbb463a751be3045a6dd232af9b
-
memory/8-180-0x0000000000000000-mapping.dmp
-
memory/624-121-0x00007FFC8B990000-0x00007FFC8B9A0000-memory.dmpFilesize
64KB
-
memory/624-122-0x00007FFCABD00000-0x00007FFCACDEE000-memory.dmpFilesize
16.9MB
-
memory/624-123-0x00007FFCA9E00000-0x00007FFCABCF5000-memory.dmpFilesize
31.0MB
-
memory/624-115-0x00007FFC8B990000-0x00007FFC8B9A0000-memory.dmpFilesize
64KB
-
memory/624-114-0x00007FF7E8160000-0x00007FF7EB716000-memory.dmpFilesize
53.7MB
-
memory/624-118-0x00007FFC8B990000-0x00007FFC8B9A0000-memory.dmpFilesize
64KB
-
memory/624-116-0x00007FFC8B990000-0x00007FFC8B9A0000-memory.dmpFilesize
64KB
-
memory/624-117-0x00007FFC8B990000-0x00007FFC8B9A0000-memory.dmpFilesize
64KB
-
memory/732-184-0x0000000004C90000-0x0000000004CB3000-memory.dmpFilesize
140KB
-
memory/732-185-0x0000000010000000-0x0000000010076000-memory.dmpFilesize
472KB
-
memory/732-182-0x0000000000000000-mapping.dmp
-
memory/1412-191-0x0000000000000000-mapping.dmp
-
memory/3176-187-0x0000000000000000-mapping.dmp
-
memory/3512-179-0x0000000000000000-mapping.dmp
-
memory/3600-188-0x0000000000000000-mapping.dmp
-
memory/3868-186-0x0000000000000000-mapping.dmp
-
memory/3868-189-0x0000000000C30000-0x0000000000C6D000-memory.dmpFilesize
244KB