Analysis
-
max time kernel
603s -
max time network
605s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
28-09-2021 15:35
General
-
Target
CompensationClaim-68254946-09282021.xls
-
Size
137KB
-
MD5
e0574cf808d9b7150bac6b894baec9f0
-
SHA1
6603fa83dbb84f3a0d35982a37dbc5250699a64a
-
SHA256
7fddbdbd20255e29207d6765f7c3d19a235be7e55ca6184a76a74c2175da8bf4
-
SHA512
9f98689c83358a470dd50f9f74fc80147e025acb2b88b3a4c8d100a07b3c159097e56950eeee7a71c490ff2dea85a7fb92b4f354c7d8f3bedb1fb13854f07bb8
Malware Config
Extracted
http://101.99.90.160/44467.7331923611.dat
http://188.165.62.4/44467.7331923611.dat
http://84.32.188.42/44467.7331923611.dat
http://101.99.90.160/44467.7348045139.dat
http://188.165.62.4/44467.7348045139.dat
http://84.32.188.42/44467.7348045139.dat
Extracted
qakbot
402.363
obama105
1632821932
120.151.47.189:443
41.228.22.180:443
39.52.241.3:995
199.27.127.129:443
216.201.162.158:443
136.232.34.70:443
196.217.156.63:995
120.150.218.241:995
95.77.223.148:443
185.250.148.74:443
181.118.183.94:443
105.198.236.99:443
140.82.49.12:443
37.210.152.224:995
89.101.97.139:443
81.241.252.59:2078
27.223.92.142:995
81.250.153.227:2222
73.151.236.31:443
47.22.148.6:443
Signatures
-
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
-
Windows security bypass 2 TTPs
-
Downloads MZ/PE file
-
Loads dropped DLL 4 IoCs
-
Drops file in System32 directory 6 IoCs
-
Office loads VBA resources, possible macro or embedded object present
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Discovers systems in the same network 1 TTPs 1 IoCs
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
-
Modifies Internet Explorer settings 1 TTPs 9 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Runs net.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\CompensationClaim-68254946-09282021.xls1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 -silent ..\Drezd.red2⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 -silent ..\Drezd1.red2⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 -silent ..\Drezd2.red2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn wpocnxftgn /tr "regsvr32.exe -s \"C:\Users\Admin\Drezd2.red\"" /SC ONCE /Z /ST 17:38 /ET 17:504⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 -silent ..\Drezd.red2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 -silent ..\Drezd1.red2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 -silent ..\Drezd2.red2⤵
- Process spawned unexpected child process
-
C:\Windows\system32\taskeng.exetaskeng.exe {8F45A940-7553-4935-A4A2-F002DA6CA44F} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exeregsvr32.exe -s "C:\Users\Admin\Drezd2.red"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe-s "C:\Users\Admin\Drezd2.red"3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Mcypg" /d "0"5⤵
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Dvysyjnbwzhu" /d "0"5⤵
-
C:\Windows\SysWOW64\whoami.exewhoami /all5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c set5⤵
-
C:\Windows\SysWOW64\arp.exearp -a5⤵
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /all5⤵
- Gathers network information
-
C:\Windows\SysWOW64\net.exenet view /all5⤵
- Discovers systems in the same network
-
C:\Windows\SysWOW64\nslookup.exenslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.WORKGROUP5⤵
-
C:\Windows\SysWOW64\net.exenet share5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 share6⤵
-
C:\Windows\SysWOW64\route.exeroute print5⤵
-
C:\Windows\SysWOW64\netstat.exenetstat -nao5⤵
- Gathers network information
-
C:\Windows\SysWOW64\net.exenet localgroup5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup6⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Drezd.redMD5
ab8c8cc09d957afa7ca748011d8ae2d5
SHA1fc4e881c04b30da109555901e28e10de5fbd42e5
SHA25609c8d348a81e3a8688e44a78b4fcb1577163fcba3f36fcb116950a3814edccd7
SHA512e6e0f4d4ca4ff12d025c728dddd18ae47b95769b1a40e28e5f5bdb7ff153a089901c380d262259a729e20a8022fe589a6f681db9cec71f8940dfdaa84dcbb440
-
C:\Users\Admin\Drezd1.redMD5
ab8c8cc09d957afa7ca748011d8ae2d5
SHA1fc4e881c04b30da109555901e28e10de5fbd42e5
SHA25609c8d348a81e3a8688e44a78b4fcb1577163fcba3f36fcb116950a3814edccd7
SHA512e6e0f4d4ca4ff12d025c728dddd18ae47b95769b1a40e28e5f5bdb7ff153a089901c380d262259a729e20a8022fe589a6f681db9cec71f8940dfdaa84dcbb440
-
C:\Users\Admin\Drezd2.redMD5
9194492ef8c1903e4cd81c16f6bc654d
SHA1d0ff82ce8aebd68197ea5308840209855b07432e
SHA2564c08341e0c574bfd2aaaf7ec5286625be6a93af79460a708daeaf0a3a2d21420
SHA51273a8df2c85b8bd7d258e8a6aa9b3a6acb7b52b2fed356bd2c34f79422062ee334f44cf4affb7f4893ce17f016ce23bdbfb05540c37e5d6b5ac8042f76f3e3a36
-
C:\Users\Admin\Drezd2.redMD5
ab8c8cc09d957afa7ca748011d8ae2d5
SHA1fc4e881c04b30da109555901e28e10de5fbd42e5
SHA25609c8d348a81e3a8688e44a78b4fcb1577163fcba3f36fcb116950a3814edccd7
SHA512e6e0f4d4ca4ff12d025c728dddd18ae47b95769b1a40e28e5f5bdb7ff153a089901c380d262259a729e20a8022fe589a6f681db9cec71f8940dfdaa84dcbb440
-
C:\Users\Admin\Drezd2.redMD5
ab8c8cc09d957afa7ca748011d8ae2d5
SHA1fc4e881c04b30da109555901e28e10de5fbd42e5
SHA25609c8d348a81e3a8688e44a78b4fcb1577163fcba3f36fcb116950a3814edccd7
SHA512e6e0f4d4ca4ff12d025c728dddd18ae47b95769b1a40e28e5f5bdb7ff153a089901c380d262259a729e20a8022fe589a6f681db9cec71f8940dfdaa84dcbb440
-
\??\PIPE\wkssvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\Drezd.redMD5
ab8c8cc09d957afa7ca748011d8ae2d5
SHA1fc4e881c04b30da109555901e28e10de5fbd42e5
SHA25609c8d348a81e3a8688e44a78b4fcb1577163fcba3f36fcb116950a3814edccd7
SHA512e6e0f4d4ca4ff12d025c728dddd18ae47b95769b1a40e28e5f5bdb7ff153a089901c380d262259a729e20a8022fe589a6f681db9cec71f8940dfdaa84dcbb440
-
\Users\Admin\Drezd1.redMD5
ab8c8cc09d957afa7ca748011d8ae2d5
SHA1fc4e881c04b30da109555901e28e10de5fbd42e5
SHA25609c8d348a81e3a8688e44a78b4fcb1577163fcba3f36fcb116950a3814edccd7
SHA512e6e0f4d4ca4ff12d025c728dddd18ae47b95769b1a40e28e5f5bdb7ff153a089901c380d262259a729e20a8022fe589a6f681db9cec71f8940dfdaa84dcbb440
-
\Users\Admin\Drezd2.redMD5
ab8c8cc09d957afa7ca748011d8ae2d5
SHA1fc4e881c04b30da109555901e28e10de5fbd42e5
SHA25609c8d348a81e3a8688e44a78b4fcb1577163fcba3f36fcb116950a3814edccd7
SHA512e6e0f4d4ca4ff12d025c728dddd18ae47b95769b1a40e28e5f5bdb7ff153a089901c380d262259a729e20a8022fe589a6f681db9cec71f8940dfdaa84dcbb440
-
\Users\Admin\Drezd2.redMD5
ab8c8cc09d957afa7ca748011d8ae2d5
SHA1fc4e881c04b30da109555901e28e10de5fbd42e5
SHA25609c8d348a81e3a8688e44a78b4fcb1577163fcba3f36fcb116950a3814edccd7
SHA512e6e0f4d4ca4ff12d025c728dddd18ae47b95769b1a40e28e5f5bdb7ff153a089901c380d262259a729e20a8022fe589a6f681db9cec71f8940dfdaa84dcbb440
-
memory/308-95-0x0000000000080000-0x00000000000A1000-memory.dmpFilesize
132KB
-
memory/308-90-0x0000000000000000-mapping.dmp
-
memory/516-129-0x0000000000000000-mapping.dmp
-
memory/524-68-0x0000000000000000-mapping.dmp
-
memory/668-66-0x0000000000000000-mapping.dmp
-
memory/816-82-0x0000000000000000-mapping.dmp
-
memory/816-83-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmpFilesize
8KB
-
memory/816-132-0x0000000000000000-mapping.dmp
-
memory/832-121-0x0000000000000000-mapping.dmp
-
memory/864-124-0x0000000000000000-mapping.dmp
-
memory/968-103-0x0000000000130000-0x0000000000131000-memory.dmpFilesize
4KB
-
memory/968-102-0x000000006BC40000-0x000000006BD12000-memory.dmpFilesize
840KB
-
memory/968-97-0x0000000000000000-mapping.dmp
-
memory/984-133-0x0000000000000000-mapping.dmp
-
memory/1012-107-0x0000000000000000-mapping.dmp
-
memory/1012-113-0x000000006BC40000-0x000000006BD12000-memory.dmpFilesize
840KB
-
memory/1036-96-0x0000000000000000-mapping.dmp
-
memory/1068-76-0x0000000000170000-0x0000000000171000-memory.dmpFilesize
4KB
-
memory/1068-74-0x000000006BC40000-0x000000006BC61000-memory.dmpFilesize
132KB
-
memory/1068-75-0x000000006BC40000-0x000000006BD12000-memory.dmpFilesize
840KB
-
memory/1068-70-0x0000000000000000-mapping.dmp
-
memory/1120-123-0x0000000000000000-mapping.dmp
-
memory/1140-114-0x0000000000000000-mapping.dmp
-
memory/1140-120-0x0000000000080000-0x00000000000A1000-memory.dmpFilesize
132KB
-
memory/1440-127-0x0000000000000000-mapping.dmp
-
memory/1580-62-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1580-63-0x0000000075511000-0x0000000075513000-memory.dmpFilesize
8KB
-
memory/1580-64-0x000000006C911000-0x000000006C913000-memory.dmpFilesize
8KB
-
memory/1580-60-0x000000002F771000-0x000000002F774000-memory.dmpFilesize
12KB
-
memory/1580-61-0x0000000070FB1000-0x0000000070FB3000-memory.dmpFilesize
8KB
-
memory/1580-65-0x0000000006100000-0x0000000006102000-memory.dmpFilesize
8KB
-
memory/1592-122-0x0000000000000000-mapping.dmp
-
memory/1640-130-0x0000000000000000-mapping.dmp
-
memory/1660-111-0x0000000000080000-0x00000000000A1000-memory.dmpFilesize
132KB
-
memory/1660-104-0x0000000000000000-mapping.dmp
-
memory/1732-126-0x0000000000000000-mapping.dmp
-
memory/1748-128-0x0000000000000000-mapping.dmp
-
memory/1792-131-0x0000000000000000-mapping.dmp
-
memory/1844-80-0x0000000000000000-mapping.dmp
-
memory/1888-93-0x0000000000000000-mapping.dmp
-
memory/1912-77-0x0000000000000000-mapping.dmp
-
memory/1912-79-0x000000006BA31000-0x000000006BA33000-memory.dmpFilesize
8KB
-
memory/1912-81-0x0000000000080000-0x00000000000A1000-memory.dmpFilesize
132KB
-
memory/2004-94-0x0000000000170000-0x0000000000171000-memory.dmpFilesize
4KB
-
memory/2004-85-0x0000000000000000-mapping.dmp
-
memory/2004-88-0x000000006B240000-0x000000006B261000-memory.dmpFilesize
132KB
-
memory/2004-89-0x000000006B240000-0x000000006B312000-memory.dmpFilesize
840KB
-
memory/2020-117-0x0000000000000000-mapping.dmp