Analysis Overview
SHA256
20d33b79e5c5fceee471966035b5d60d8b09e62b8024c34688c864c576d271ff
Threat Level: Known bad
The file quakbot_modified.xls was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Suspicious Office macro
Checks processor information in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: LoadsDriver
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-03-01 21:42
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-01 21:42
Reported
2023-03-01 21:44
Platform
win10v2004-20230220-en
Max time kernel
95s
Max time network
103s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SYSTEM32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SYSTEM32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SYSTEM32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1056 wrote to memory of 3884 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SYSTEM32\regsvr32.exe |
| PID 1056 wrote to memory of 3884 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SYSTEM32\regsvr32.exe |
| PID 1056 wrote to memory of 1908 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SYSTEM32\regsvr32.exe |
| PID 1056 wrote to memory of 1908 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SYSTEM32\regsvr32.exe |
| PID 1056 wrote to memory of 548 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SYSTEM32\regsvr32.exe |
| PID 1056 wrote to memory of 548 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SYSTEM32\regsvr32.exe |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\quakbot_modified.xlsb"
C:\Windows\SYSTEM32\regsvr32.exe
regsvr32 /s calc
C:\Windows\SYSTEM32\regsvr32.exe
regsvr32 C:\Hefaggad\Ukdfaovkga\Buuefafa.dll
C:\Windows\SYSTEM32\regsvr32.exe
regsvr32 C:\Hefaggad\Ukdfaovkga\Buuefafb.dll
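The "Process spawned unexpected child process" signature above fires on the parent/child pair alone; in practice an analyst also wants to know what regsvr32 was asked to load, because a module outside the Windows or Program Files trees (here `C:\Hefaggad\Ukdfaovkga\Buuefafa.dll`) or a non-DLL argument (`calc`) is what separates this from a legitimate COM registration. The following is an added example of that detection logic written for this report; it is not sandbox or vendor code. The event records are constructed from the Processes list above, and two things are assumptions for illustration: the pairing of PIDs 3884, 1908 and 548 with particular regsvr32 command lines (the report lists both but does not join them), and the hypothetical benign control event spawned by a non-Office parent.

```python
"""Detection logic for the 'Office spawned regsvr32' pattern seen in this report.

Added example, not sandbox or vendor code. Event records are constructed from the
report's Processes section; PID-to-command-line pairing and the PID 9000 control
event are assumptions for illustration.
"""
from dataclasses import dataclass
import ntpath
import shlex

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Signed Windows binaries an Office application has no business launching on a workstation
LOLBIN_CHILDREN = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
                   "cscript.exe", "powershell.exe", "cmd.exe", "certutil.exe"}
# Where a legitimate regsvr32 registration would normally load its module from
TRUSTED_DLL_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


EVENTS = [  # constructed from the report's Processes section
    ProcessEvent(1056, 0, r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
                 r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" '
                 r'"C:\Users\Admin\AppData\Local\Temp\quakbot_modified.xlsb"'),
    ProcessEvent(3884, 1056, r"C:\Windows\SYSTEM32\regsvr32.exe", "regsvr32 /s calc"),
    ProcessEvent(1908, 1056, r"C:\Windows\SYSTEM32\regsvr32.exe",
                 r"regsvr32 C:\Hefaggad\Ukdfaovkga\Buuefafa.dll"),
    ProcessEvent(548, 1056, r"C:\Windows\SYSTEM32\regsvr32.exe",
                 r"regsvr32 C:\Hefaggad\Ukdfaovkga\Buuefafb.dll"),
    # Hypothetical benign control: a registration from a non-Office parent, system DLL
    ProcessEvent(9000, 4200, r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32 /s C:\Windows\System32\scrrun.dll"),
]


def basename(image):
    return ntpath.basename(image).lower()


def regsvr32_module(cmdline):
    """Return the module argument of a regsvr32 command line, or None if absent.

    Switches (/s, /u, /n, /i:...) are skipped; the first remaining token is the module.
    Non-POSIX splitting keeps Windows backslashes intact; quotes are stripped afterwards.
    """
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)][1:]
    for tok in tokens:
        if tok.startswith(("/", "-")):
            continue
        return tok
    return None


def module_is_trusted(module):
    """A module counts as trusted only if it is a DLL/OCX under a system or program directory."""
    m = module.lower()
    return m.endswith((".dll", ".ocx")) and m.startswith(TRUSTED_DLL_PREFIXES)


def analyze(events):
    """Return (rule, pid, detail) findings for Office->LOLBin spawns and odd regsvr32 modules."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        child = basename(e.image)
        parent = by_pid.get(e.ppid)
        if parent and basename(parent.image) in OFFICE_IMAGES and child in LOLBIN_CHILDREN:
            findings.append(("office_spawned_lolbin", e.pid,
                             f"{basename(parent.image)} -> {e.cmdline}"))
        if child == "regsvr32.exe":
            module = regsvr32_module(e.cmdline)
            if module is None or not module_is_trusted(module):
                findings.append(("regsvr32_untrusted_module", e.pid,
                                 module or "<no module argument>"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyze(EVENTS):
        print(f"{rule:28} pid={pid:<5} {detail}")
```

Run against the constructed events, each of the three Excel-spawned regsvr32 instances produces two findings (the unexpected parent, and a module that is either not a DLL path at all or lives outside the trusted trees), while the control registration of a System32 DLL produces none. The path prefix check is deliberately coarse: a DLL dropped under `C:\Windows\Temp` would pass it, so a production rule should additionally require a trusted Authenticode signature or a match against the host's installed-software inventory.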
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 62.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | insomnihack.ch | udp |
| US | 172.67.135.100:80 | insomnihack.ch | tcp |
| US | 172.67.135.100:443 | insomnihack.ch | tcp |
| US | 8.8.8.8:53 | 100.135.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.74.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 52.168.117.169:443 | | tcp |
| US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp |
| US | 93.184.220.29:80 | | tcp |
| US | 8.247.210.254:80 | | tcp |
| US | 8.8.8.8:53 | 85.48.222.23.in-addr.arpa | udp |
| US | 8.247.210.254:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | api.msn.com | tcp |
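Most rows in the Network table are reverse (PTR) lookups sent to 8.8.8.8, written in `d.c.b.a.in-addr.arpa` order, and only a few of the addresses they name were actually connected to. Decoding the PTR names back into IPv4 addresses and joining them against the TCP destinations separates the one lookup that corresponds to an observed connection (`100.135.67.172.in-addr.arpa`, i.e. 172.67.135.100, the address the `insomnihack.ch` connections went to) from lookups for addresses the sample never contacted, and lists the connections made without any accompanying name resolution. The code below is an added example of that triage step, not part of the report; the rows are a hand-copied subset of the table above, and the grouping categories are the analyst's own.

```python
"""Triage a sandbox Network table: decode PTR names and correlate them with connections.

Added example, not part of the report. NETWORK_ROWS is a subset of the report's
Network table copied by hand as (country, destination, domain, proto).
"""
import ipaddress

NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "226.101.242.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "24.32.109.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "insomnihack.ch", "udp"),
    ("US", "172.67.135.100:80", "insomnihack.ch", "tcp"),
    ("US", "172.67.135.100:443", "insomnihack.ch", "tcp"),
    ("US", "8.8.8.8:53", "100.135.67.172.in-addr.arpa", "udp"),
    ("US", "52.168.117.169:443", "", "tcp"),
    ("US", "8.8.8.8:53", "64.13.109.52.in-addr.arpa", "udp"),
    ("NL", "173.223.113.164:443", "", "tcp"),
    ("US", "204.79.197.203:80", "api.msn.com", "tcp"),
]


def ptr_to_ip(name):
    """Turn a reverse-DNS name d.c.b.a.in-addr.arpa back into 'a.b.c.d', or None if it is not one."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4:
        return None  # partial or malformed reverse zone name
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ipaddress.AddressValueError:
        return None  # octet out of range


def split_dest(dest):
    host, _, port = dest.rpartition(":")
    return host, int(port)


def correlate(rows):
    """Join reverse lookups, forward lookups and connections by IP address."""
    reverse = {}       # ip -> PTR name queried
    forward = {}       # domain -> set of IPs it was seen connecting to
    connections = {}   # ip -> set of (port, proto, domain)
    for _country, dest, domain, proto in rows:
        host, port = split_dest(dest)
        if port == 53 and proto == "udp":
            ip = ptr_to_ip(domain)
            if ip:
                reverse[ip] = domain
            else:
                forward.setdefault(domain, set())  # forward (A/AAAA) query
            continue
        connections.setdefault(host, set()).add((port, proto, domain))
        if domain:
            forward.setdefault(domain, set()).add(host)
    return {
        "reverse_lookups": reverse,
        "forward_lookups": forward,
        "connections": connections,
        "looked_up_and_contacted": sorted(set(reverse) & set(connections)),
        "looked_up_not_contacted": sorted(set(reverse) - set(connections)),
        "contacted_without_name": sorted(
            ip for ip, conns in connections.items() if all(not d for _, _, d in conns)),
    }


if __name__ == "__main__":
    for key, value in correlate(NETWORK_ROWS).items():
        print(f"{key}: {value}")
```

Reverse lookups for addresses that were never contacted are typical Windows and sandbox background (telemetry, update and CDN endpoints) rather than sample activity, so they can usually be set aside; the addresses contacted with no name in the table are the ones worth checking against threat intelligence, since a direct-to-IP connection has no DNS record to pivot on.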
Files
memory/1056-133-0x00007FF993C30000-0x00007FF993C40000-memory.dmp
memory/1056-134-0x00007FF993C30000-0x00007FF993C40000-memory.dmp
memory/1056-135-0x00007FF993C30000-0x00007FF993C40000-memory.dmp
memory/1056-136-0x00007FF993C30000-0x00007FF993C40000-memory.dmp
memory/1056-137-0x00007FF993C30000-0x00007FF993C40000-memory.dmp
memory/1056-138-0x00007FF9912D0000-0x00007FF9912E0000-memory.dmp
memory/1056-139-0x00007FF9912D0000-0x00007FF9912E0000-memory.dmp
C:\Hefaggad\Ukdfaovkga\Buuefafa.dll
| MD5 | 98cba201e6c4f835e8b98e591bb131bb |
| SHA1 | 89fa1c714cf978517d9de54b6a5cbdbb7b6fd1a8 |
| SHA256 | 9eaeb027e0b9fc6ff89cc287fe856927776f4019945b1597d5d79e4c38b45492 |
| SHA512 | da23af6d6afec40f1774a4b89cccc862a7d6f2e9fd3749a24a6b810b31cd971584d30604292dc2f276b81b71531c24e3377720f9a33f426de8f87c4671e6af7d |