Overview

overview

10

Static

static

8

Cancellati...5.xlsb

windows7_x64

10

Cancellati...5.xlsb

windows10-2004_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    09-05-2022 22:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Cancellation-1617961783$-May5.xlsb

  • Size

    65KB

  • MD5

    50b9d40af63502d875146f3534b3fdcd

  • SHA1

    fd9310a452b43d05bb59b141f31dae7ca86a6c60

  • SHA256

    21af29b0997577c1bb039c379e50372ad7df0b1d36a33bc8528489d24abb3858

  • SHA512

    c18a245cfc03328a8af11ed09cf6b51ea99d292fd135cd81d569020fea8f4f2c42599476f6b9e6f8804ce22ea29f2b52d762c83ceb1deaf3730268adc6b38608

Score
10/10
qakbotobama1821651756499bankerstealertrojan

Malware Config

Extracted

Language
xlm4.0
Source

Extracted

Family

qakbot

Version

403.683

Botnet

obama182

Campaign

1651756499

C2

103.107.113.120:443

80.11.74.81:2222

177.102.2.175:32101

24.178.196.158:2222

91.177.173.10:995

181.208.248.227:443

176.67.56.94:443

202.134.152.2:2222

148.0.57.85:443

179.179.162.9:993

40.134.246.185:995

37.186.54.254:995

196.203.37.215:80

120.150.218.241:995

208.107.221.224:443

113.53.151.59:443

70.46.220.114:443

69.14.172.24:443

108.60.213.141:443

24.55.67.176:443
Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

  • Process spawned unexpected child process 4 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Downloads MZ/PE file
  • Loads dropped DLL 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Cancellation-1617961783$-May5.xlsb
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:556
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s calc
      2⤵
      • Process spawned unexpected child process
      PID:1924
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 C:\Merto\Byrost\Veonse.OOOCCCXXX
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1788
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1076
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn bffeeaaref /tr "regsvr32.exe -s \"C:\Merto\Byrost\Veonse.OOOCCCXXX\"" /SC ONCE /Z /ST 00:10 /ET 00:22
          4⤵
          • Creates scheduled task(s)
          PID:636
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 C:\Merto\Byrost\Veonsea.OOOCCCXXX
      2⤵
      • Process spawned unexpected child process
      PID:1220
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 C:\Merto\Byrost\Veonseb.OOOCCCXXX
      2⤵
      • Process spawned unexpected child process
      PID:1972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Merto\Byrost\Veonse.OOOCCCXXX
    Filesize

    855KB

    MD5

    34d915beda1a784bde837790912a379b

    SHA1

    9f12ba557610e93305981a142830f039e6e18a44

    SHA256

    ceef84bb169ff21a56ae58842420d4ba0fb73e9a3637bd7d4a5c2c8731554ac0

    SHA512

    30c703ef478ab80ed9db0be6cb5451a2fc731d4db6d6a62a922394e4731e8b45b8a9a3f8b0196ac6dde25293ab058442f77ec4e2270c2ac1f2e328581cf47ece

    Download Submit
  • \Merto\Byrost\Veonse.OOOCCCXXX
    Filesize

    855KB

    MD5

    34d915beda1a784bde837790912a379b

    SHA1

    9f12ba557610e93305981a142830f039e6e18a44

    SHA256

    ceef84bb169ff21a56ae58842420d4ba0fb73e9a3637bd7d4a5c2c8731554ac0

    SHA512

    30c703ef478ab80ed9db0be6cb5451a2fc731d4db6d6a62a922394e4731e8b45b8a9a3f8b0196ac6dde25293ab058442f77ec4e2270c2ac1f2e328581cf47ece

    Download Submit
  • memory/556-55-0x00000000714D1000-0x00000000714D3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/556-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

    Download
  • memory/556-57-0x00000000724BD000-0x00000000724C8000-memory.dmp
    Filesize

    44KB

    Download
  • memory/556-58-0x00000000755C1000-0x00000000755C3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/556-54-0x000000002F5A1000-0x000000002F5A4000-memory.dmp
    Filesize

    12KB

    Download
  • memory/636-78-0x0000000000000000-mapping.dmp
    Download
  • memory/1076-70-0x0000000000000000-mapping.dmp
    Download
  • memory/1076-77-0x00000000000C0000-0x00000000000E2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1076-72-0x000000006C431000-0x000000006C433000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1220-73-0x0000000000000000-mapping.dmp
    Download
  • memory/1788-66-0x00000000002C0000-0x00000000002E2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1788-69-0x0000000000220000-0x0000000000242000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1788-68-0x00000000002C0000-0x00000000002E2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1788-67-0x00000000002C0000-0x00000000002E2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1788-65-0x0000000001F00000-0x0000000001FDA000-memory.dmp
    Filesize

    872KB

    Download
  • memory/1788-61-0x0000000000000000-mapping.dmp
    Download
  • memory/1924-59-0x0000000000000000-mapping.dmp
    Download
  • memory/1972-75-0x0000000000000000-mapping.dmp
    Download