Windows Analysis Report plan-1053707320.xlsb

Overview

General Information

Sample Name: plan-1053707320.xlsb
Analysis ID: 440105
MD5: 4854b4dcfa441032f2f54bf2834e894f
SHA1: fa24422834d0f6ce6d3e35a8b0f15a906cdf9823
SHA256: 68741c1f5df351dc186805c2c30a79653fd52ce21e2fb2aa34ff0687120343cf

Detection

Hidden Macro 4.0 Qbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Schedule system process
Yara detected Qbot
Allocates memory in foreign processes
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Office process drops PE file
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to evade analysis by executing a special instruction which causes a usermode exception
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain checking for process token information
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
PE file does not import any functions
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 2.2.regsvr32.exe.10000000.3.unpack Malware Configuration Extractor: Qbot {"C2 list": ["204.97.97.215:21858", "70.154.48.62:44327", "70.31.11.245:7267", "213.191.161.231:29643", "153.239.78.184:38503", "78.214.129.166:38539", "254.124.232.207:39310", "109.164.21.24:64901", "141.215.250.177:22875", "227.244.119.210:52552", "174.179.129.208:15267", "111.112.232.190:48521", "255.28.73.185:49979", "141.103.36.51:3939", "116.110.10.187:25167", "85.180.25.176:32726", "79.254.143.27:14876", "235.218.248.190:29975", "161.4.87.73:5800", "224.200.240.56:14635", "9.155.72.32:55392", "216.67.224.194:53640", "141.121.237.255:1461", "121.42.239.196:13549", "179.179.31.112:63026", "218.134.37.166:33358", "239.135.100.181:9787", "239.242.36.114:27696", "60.26.149.129:8707", "114.86.119.195:36123", "154.85.103.18:33933", "141.204.72.150:28929", "229.176.154.40:1991", "206.193.4.142:60112", "113.150.134.145:14637", "182.192.0.153:3039", "37.235.119.158:25257", "118.217.148.55:40918", "157.238.131.159:17525", "120.231.33.231:39242", "113.196.247.102:57216", "39.96.161.153:21974", "37.95.209.127:37781", "88.221.119.43:55621", "49.191.149.88:15536", "25.203.154.171:56937", "160.244.29.108:63666", "227.245.195.188:38491", "11.191.229.149:48178", "29.223.190.224:4552", "144.140.245.179:62583", "199.3.125.195:31574", "37.158.174.86:39635", "19.119.17.26:61415", "18.218.204.94:25156", "17.147.2.193:34433", "232.165.224.232:64576", "255.113.254.238:35466", "244.159.158.34:29113", "6.247.120.152:5539", "20.23.44.234:12808", "68.58.107.122:40009", "177.71.146.158:14858", "218.154.172.108:36509", "59.198.167.253:53302", "45.116.255.72:7036", "11.48.233.235:37824", "181.50.13.209:4123", "8.141.223.46:63405", "196.248.106.49:5168", "123.119.149.61:15034", "158.237.184.100:6941", "47.102.246.133:28795", "245.30.65.166:57241", "96.17.6.131:61427", "158.127.33.70:13273", "171.113.240.107:55225", "29.188.217.91:11621", "233.26.116.125:35782", "103.200.182.78:41414", "212.166.144.41:13766", 
"225.167.47.169:10108", "218.233.238.210:11757", "61.149.157.113:33452", "224.147.98.25:43134", "215.16.240.69:58681", "69.158.146.64:33703", "43.93.98.34:24929", "94.211.166.245:8677", "237.58.8.158:44902", "22.105.125.67:37017", "228.204.65.194:22014", "240.58.16.219:55052", "160.25.48.169:7011", "48.255.58.190:27057", "12.207.95.189:15569", "100.104.109.104:51319", "154.195.229.221:35588", "98.133.117.21:26241", "124.177.25.94:55126", "59.211.38.81:7832", "197.103.23.2:43598", "123.210.126.131:49328", "192.204.246.62:53778", "220.178.117.122:65405", "32.177.158.150:9600", "186.12.160.146:13500", "217.11.103.56:65312", "183.137.66.59:24965", "73.73.123.212:54786", "84.4.148.67:50685", "173.176.181.154:13839", "216.1.166.66:2080", "144.122.242.245:52290", "115.127.247.89:14716", "25.5.112.94:8779", "40.151.136.48:36008", "78.114.25.179:8887", "185.149.69.37:4676", "66.204.28.22:17430", "50.138.243.152:7941", "195.170.56.121:46373", "189.236.221.185:38192", "39.35.83.72:15610", "213.64.255.229:34462", "27.98.20.110:25605", "250.34.90.10:20014", "55.164.192.159:18
Multi AV Scanner detection for submitted file
Source: plan-1053707320.xlsb Virustotal: Detection: 25%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\ka[1].htm Joe Sandbox ML: detected
Source: C:\Users\user\gihi1.dll Joe Sandbox ML: detected
Source: C:\Users\user\gihi2.dll Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.regsvr32.exe.10000000.3.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 4.2.regsvr32.exe.10000000.3.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 3.2.explorer.exe.510000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 7.2.explorer.exe.110000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: unknown HTTPS traffic detected: 50.116.92.246:443 -> 192.168.2.3:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 50.116.92.246:443 -> 192.168.2.3:49727 version: TLS 1.2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1000BB22 FindFirstFileW,FindNextFileW, 2_2_1000BB22
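
Triaging the extracted C2 list. The configuration above lists well over a hundred ip:port pairs, and a number of them (for example 239.135.100.181, 224.200.240.56, 254.124.232.207 and 255.28.73.185) fall in the multicast 224.0.0.0/4 or reserved 240.0.0.0/4 ranges and can never be reached on the Internet, so the list needs to be validated, filtered and deduplicated before it is turned into blocking rules or hunting queries. The Python script below is an added example, not part of the Joe Sandbox report and not Qbot or extractor code; the excerpt of the list it embeds is constructed from entries above plus two deliberately malformed ones.

```python
"""Triage of the C2 list printed by the report's configuration extractor.
Added example, not part of the Joe Sandbox report or of any Qbot tooling.
Entries are "ip:port" strings; SAMPLE_C2_LIST is a short subset constructed
from the report's list plus two deliberately malformed entries."""
import ipaddress

# Constructed excerpt: the first entries are copied from the report's extracted
# list, the last two are added to exercise the malformed-input path.
SAMPLE_C2_LIST = [
    "204.97.97.215:21858",
    "70.154.48.62:44327",
    "254.124.232.207:39310",   # 240.0.0.0/4 is reserved, cannot be a live C2
    "255.28.73.185:49979",     # reserved as well
    "239.135.100.181:9787",    # 224.0.0.0/4 is multicast
    "224.200.240.56:14635",    # multicast
    "9.155.72.32:55392",
    "204.97.97.215:21858",     # exact duplicate of the first entry
    "141.103.36.51:3939",
    "not-an-address:1",        # constructed: malformed host
    "141.103.36.51:99999",     # constructed: port out of range
]


def parse_entry(entry):
    """Split "ip:port" into (IPv4Address, port); raise ValueError if malformed."""
    host, sep, port = entry.rpartition(":")
    if not sep:
        raise ValueError("missing port: %r" % entry)
    addr = ipaddress.IPv4Address(host)      # AddressValueError is a ValueError
    port_num = int(port)                    # ValueError on non-numeric port
    if not 1 <= port_num <= 65535:
        raise ValueError("port out of range: %r" % entry)
    return addr, port_num


def is_routable(addr):
    """True only for addresses that can exist on the public Internet."""
    return not (addr.is_multicast or addr.is_reserved or addr.is_private
                or addr.is_loopback or addr.is_link_local or addr.is_unspecified)


def classify(entry):
    """'routable', 'non_routable' or 'malformed' for one C2 entry."""
    try:
        addr, _ = parse_entry(entry)
    except ValueError:
        return "malformed"
    return "routable" if is_routable(addr) else "non_routable"


def triage(entries):
    """Deduplicate and bucket a C2 list; returns {bucket: sorted entries}."""
    buckets = {"routable": [], "non_routable": [], "malformed": []}
    seen = set()
    for entry in entries:
        if entry in seen:
            continue
        seen.add(entry)
        buckets[classify(entry)].append(entry)
    return {name: sorted(items) for name, items in buckets.items()}


def blocklist(entries):
    """Distinct routable IPs suitable for a firewall or proxy denylist."""
    return sorted({str(parse_entry(e)[0]) for e in triage(entries)["routable"]})


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_C2_LIST).items():
        print("%s (%d): %s" % (bucket, len(items), ", ".join(items)))
    print("blocklist:", blocklist(SAMPLE_C2_LIST))
```

Run against the full list, the non_routable bucket is the part to report back as extractor noise or decoy entries rather than push into a firewall; the routable bucket is still only a candidate list, since Qbot C2 addresses are typically compromised residential hosts that rotate quickly.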

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\gihi1.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\gihi2.dll
Document exploit detected (drops PE files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: ka[1].htm.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Section loaded: unknown origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: carpascapital.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.3:49724 -> 50.116.92.246:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.3:49724 -> 50.116.92.246:443
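
The process chain recorded in this section and in the Signatures list (EXCEL.EXE creating regsvr32.exe, gihi1.dll and gihi2.dll written directly under C:\Users\user\, schtasks.exe used to add a task, code injected into explorer.exe) is what an endpoint detection rule can key on, and it is the behaviour behind the "Microsoft Office Product Spawning Windows Shell" and "Schedule system process" Sigma hits. The Python below is an added example, not code from the report or from any Sigma rule: it runs three such rules over constructed Sysmon-Event-1-style events. The regsvr32 and schtasks command lines, and explorer.exe as the parent of schtasks.exe, are assumptions the report does not state.

```python
"""Detection logic for the process chain in this report. Added example, not
part of the Joe Sandbox report. Events are constructed, Sysmon-Event-1-style
dicts (Image, ParentImage, CommandLine). The command lines are assumptions:
the report only records that EXCEL.EXE created regsvr32.exe and that
gihi1.dll and gihi2.dll were written to the user's profile root."""
import ntpath
import re

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# Children worth alerting on when an Office process is the parent (assumed list).
SHELL_CHILDREN = {"regsvr32.exe", "rundll32.exe", "cmd.exe", "powershell.exe",
                  "wscript.exe", "cscript.exe", "mshta.exe", "schtasks.exe", "certutil.exe"}
# Processes that hand a module path to the loader or to Task Scheduler.
LOADER_IMAGES = {"regsvr32.exe", "rundll32.exe", "schtasks.exe"}
# Parents from which "schtasks /create" is suspicious (assumed; the report shows
# code injected into explorer.exe and schtasks use, but not the task's parent).
SUSPICIOUS_TASK_PARENTS = OFFICE_IMAGES | {"explorer.exe", "regsvr32.exe", "rundll32.exe"}
# A file path anywhere inside a user profile, e.g. C:\Users\user\gihi1.dll
USER_PROFILE_PATH = re.compile(r'(?i)[a-z]:\\users\\[^\\\s"]+\\[^\s"]+')


def _base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()


def evaluate(event):
    """Return the names of the rules one process-creation event triggers."""
    hits = []
    image = _base(event.get("Image"))
    parent = _base(event.get("ParentImage"))
    cmd = event.get("CommandLine", "")
    if parent in OFFICE_IMAGES and image in SHELL_CHILDREN:
        hits.append("office_spawns_shell")
    if image in LOADER_IMAGES and USER_PROFILE_PATH.search(cmd):
        hits.append("module_path_in_user_profile")
    if image == "schtasks.exe" and "/create" in cmd.lower() and parent in SUSPICIOUS_TASK_PARENTS:
        hits.append("schtasks_create_from_suspicious_parent")
    return hits


def scan(events):
    """Return [(index, hits)] for every event that triggers at least one rule."""
    results = []
    for index, event in enumerate(events):
        hits = evaluate(event)
        if hits:
            results.append((index, hits))
    return results


# Constructed events modelled on the report's process tree.
SAMPLE_EVENTS = [
    {   # the document opened from the shell: benign on its own
        "Image": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" plan-1053707320.xlsb',
    },
    {   # the macro registers the dropped DLL through regsvr32 (command line assumed)
        "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
        "ParentImage": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
        "CommandLine": r"C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\gihi1.dll",
    },
    {   # a task created from explorer.exe that re-runs the DLL (command line assumed)
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'schtasks.exe /Create /tn Updater /tr "regsvr32.exe -s C:\Users\user\gihi1.dll" /sc ONCE /st 12:00',
    },
    {   # a legitimate installer registering a COM server under Program Files
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "ParentImage": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"',
    },
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(index, _base(SAMPLE_EVENTS[index]["Image"]), hits)
```

The second and third events are the ones that fire; the first (Excel launched from Explorer) and the fourth (regsvr32 run by an installer against Program Files) stay quiet, which is the false-positive budget to verify before deploying rules like these to a fleet.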

Networking:

JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS traffic detected: queries for: carpascapital.com
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://api.aadrm.com/
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://api.cortana.ai
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://api.diagnostics.office.com
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://api.microsoftstream.com/api/
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://api.office.net
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://api.onedrive.com
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://apis.live.net/v5.0/
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://augloop.office.com
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://augloop.office.com/v2
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: intlsheet1.bin String found in binary or memory: https://carpascapital.com/gBPg8MtsGbv/ka.html
Source: intlsheet1.bin String found in binary or memory: https://carpascapital.com/gBPg8MtsGbv/ka.html%
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://cdn.entity.
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://clients.config.office.net/
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://config.edge.skype.com
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://cortana.ai
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://cortana.ai/api
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://cr.office.com
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://dataservice.o365filtering.com
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://dataservice.o365filtering.com/
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://dev.cortana.ai
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://devnull.onenote.com
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://directory.services.
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://graph.ppe.windows.net
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://graph.ppe.windows.net/
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://graph.windows.net
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://graph.windows.net/
Source: intlsheet1.bin String found in binary or memory: https://gruasphenbogota.com/C74hwGGxi/ka.html
Source: intlsheet1.bin String found in binary or memory: https://gruasphenbogota.com/C74hwGGxi/ka.html%
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://incidents.diagnostics.office.com
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://lifecycle.office.com
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://login.microsoftonline.com/
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://login.windows.local
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://management.azure.com
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://management.azure.com/
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://messaging.office.com/
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://ncus.contentsync.
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://ncus.pagecontentsync.
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://officeapps.live.com
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://onedrive.live.com
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://onedrive.live.com/embed?
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://outlook.office.com/
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://outlook.office365.com/
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://pages.store.office.com/review/query
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://powerlift.acompli.net
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://settings.outlook.com
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://shell.suite.office.com:1443
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://skyapi.live.net/Activity/
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://staging.cortana.ai
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://store.office.cn/addinstemplate
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://store.office.com/addinstemplate
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://store.office.de/addinstemplate
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://tasks.office.com
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://templatelogging.office.com/client/log
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://web.microsoftstream.com/video/
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://webshell.suite.office.com
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://wus2.contentsync.
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://wus2.pagecontentsync.
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F.0.dr String found in binary or memory: https://www.odwebp.svc.ms
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown HTTPS traffic detected: 50.116.92.246:443 -> 192.168.2.3:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 50.116.92.246:443 -> 192.168.2.3:49727 version: TLS 1.2
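
How the JA3 value reported in this section is derived. JA3 hashes five fields of the TLS ClientHello (version, cipher suites, extension types, supported groups, EC point formats), each rendered as decimal numbers joined with dashes and the fields joined with commas, after dropping GREASE values; MD5 of that string is the fingerprint. Because the string depends on the client's TLS stack rather than on the server, the same implant keeps the same JA3 across C2 hosts, which is why a sandbox can match it against earlier malware. The Python below is an added example, not part of the report: it serialises a constructed ClientHello (using the contacted host carpascapital.com as SNI) and parses it back, so the hash it prints is a demonstration value and not 37f463bf4616ecd445d4a1937da06e19.

```python
"""JA3 client fingerprint from a raw TLS ClientHello record. Added example, not
part of the Joe Sandbox report. The ClientHello is constructed by
build_client_hello() so the code runs offline; its fingerprint is therefore a
demonstration value, not the one the report shows."""
import hashlib
import struct

# GREASE values (RFC 8701: 0x0a0a, 0x1a1a, ... 0xfafa) are dropped from every
# list before hashing, exactly as the JA3 reference implementation does.
GREASE = {v | (v << 8) for v in range(0x0a, 0x100, 0x10)}
EXT_SERVER_NAME, EXT_SUPPORTED_GROUPS, EXT_EC_POINT_FORMATS = 0x0000, 0x000a, 0x000b


def build_client_hello(version, ciphers, extensions):
    """Serialise a TLS record carrying a ClientHello.
    extensions is a list of (type, payload) pairs in wire order."""
    body = struct.pack(">H", version) + bytes(32) + b"\x00"       # version, random, empty session id
    body += struct.pack(">H", 2 * len(ciphers)) + b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"                                              # one compression method: null
    ext = b"".join(struct.pack(">HH", t, len(p)) + p for t, p in extensions)
    body += struct.pack(">H", len(ext)) + ext
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body    # type 1, 24-bit length
    return b"\x16" + struct.pack(">HH", 0x0301, len(handshake)) + handshake


def _dash(values):
    return "-".join(str(v) for v in values)


def ja3_string(record):
    """Parse a ClientHello record into the JA3 text form
    'version,ciphers,extensions,curves,point_formats'."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    hs, p = record[5:], 4                                            # skip type + 24-bit length
    version = struct.unpack(">H", hs[p:p + 2])[0]
    p += 2 + 32                                                      # version, random
    p += 1 + hs[p]                                                   # session id
    cs_len = struct.unpack(">H", hs[p:p + 2])[0]
    p += 2
    ciphers = [c for c in struct.unpack(">%dH" % (cs_len // 2), hs[p:p + cs_len]) if c not in GREASE]
    p += cs_len
    p += 1 + hs[p]                                                   # compression methods
    exts, curves, formats = [], [], []
    if p + 2 <= len(hs):                                             # extensions block is optional
        end = p + 2 + struct.unpack(">H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack(">HH", hs[p:p + 4])
            data = hs[p + 4:p + 4 + elen]
            p += 4 + elen
            if etype in GREASE:
                continue
            exts.append(etype)
            if etype == EXT_SUPPORTED_GROUPS:                        # 2-byte list length, 2-byte ids
                n = struct.unpack(">H", data[:2])[0]
                curves = [g for g in struct.unpack(">%dH" % (n // 2), data[2:2 + n]) if g not in GREASE]
            elif etype == EXT_EC_POINT_FORMATS:                      # 1-byte list length, 1-byte ids
                formats = list(data[1:1 + data[0]])
    return ",".join([str(version), _dash(ciphers), _dash(exts), _dash(curves), _dash(formats)])


def ja3(record):
    """JA3 fingerprint: MD5 of the JA3 string, as printed by sandboxes and NIDS."""
    return hashlib.md5(ja3_string(record).encode("ascii")).hexdigest()


# Constructed ClientHello: TLS 1.2 version field, four real cipher suites plus a
# GREASE suite, SNI for the report's contacted host, and a GREASE extension.
SNI = b"carpascapital.com"
SAMPLE_HELLO = build_client_hello(
    0x0303,
    [0x0a0a, 0x1301, 0x1302, 0xc02b, 0xc02f],
    [
        (0x0a0a, b""),                                                            # GREASE extension
        (EXT_SERVER_NAME, struct.pack(">HBH", len(SNI) + 3, 0, len(SNI)) + SNI),   # server_name
        (EXT_SUPPORTED_GROUPS, struct.pack(">HHHH", 6, 0x001d, 0x0017, 0x0018)),   # x25519, P-256, P-384
        (EXT_EC_POINT_FORMATS, b"\x01\x00"),                                      # uncompressed
        (0x000d, struct.pack(">HHH", 4, 0x0403, 0x0804)),                          # signature_algorithms
    ],
)

if __name__ == "__main__":
    print(ja3_string(SAMPLE_HELLO))
    print(ja3(SAMPLE_HELLO))
```

Two caveats when using the fingerprint operationally: the SNI and the random are not part of the string, so JA3 identifies the TLS library and its configuration rather than the binary, and several families (and legitimate programs) that share a statically linked TLS stack will collide; and a client that randomises its cipher or extension order, as some browsers now do, produces a different hash on every connection.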

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000002.00000002.237315592.0000000000E00000.00000004.00000001.sdmp, type: MEMORY Matched rule: QakBot Payload Author: kevoreilly
Source: 00000007.00000002.247270585.0000000000110000.00000040.00000001.sdmp, type: MEMORY Matched rule: QakBot Payload Author: kevoreilly
Source: 00000004.00000002.246220132.0000000004BA0000.00000004.00000001.sdmp, type: MEMORY Matched rule: QakBot Payload Author: kevoreilly
Source: 00000003.00000002.508377992.0000000000510000.00000040.00000001.sdmp, type: MEMORY Matched rule: QakBot Payload Author: kevoreilly
Source: 2.2.regsvr32.exe.10000000.3.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 3.2.explorer.exe.510000.0.raw.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 4.2.regsvr32.exe.4ba0000.2.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 2.2.regsvr32.exe.e00000.2.raw.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 7.2.explorer.exe.110000.0.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 2.2.regsvr32.exe.e00000.2.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 7.2.explorer.exe.110000.0.raw.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 4.2.regsvr32.exe.4ba0000.2.raw.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 4.2.regsvr32.exe.10000000.3.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 3.2.explorer.exe.510000.0.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable editing" to unlock the editing document downloaded from the internet. 15 16 0 Protected Vie
Source: Screenshot number: 4 Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start 19 the decryption of the docum
Source: Screenshot number: 8 Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. Protected View This fi
Source: Screenshot number: 8 Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of the document
Found Excel 4.0 Macro with suspicious formulas
Source: plan-1053707320.xlsb Initial sample: CALL
Found abnormal large hidden Excel 4.0 Macro sheet
Source: plan-1053707320.xlsb Initial sample: Sheet size: 22026
Office process drops PE file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\ka[1].htm Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\gihi2.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\gihi1.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\ka[1].htm Jump to dropped file
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1000DDC7 NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,memcpy,GetCurrentProcess,NtUnmapViewOfSection,NtClose, 2_2_1000DDC7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1000E23A memset,GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,FreeLibrary,DeleteFileW, 2_2_1000E23A
Creates files inside the system directory
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\DBG Jump to behavior
Detected potential crypto function
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB4F80 2_2_00DB4F80
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB2A87 2_2_00DB2A87
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB6956 2_2_00DB6956
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB31D8 2_2_00DB31D8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB88DE 2_2_00DB88DE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB90DE 2_2_00DB90DE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB94F8 2_2_00DB94F8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB7BF5 2_2_00DB7BF5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DBBAEC 2_2_00DBBAEC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB11BE 2_2_00DB11BE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DBA4BE 2_2_00DBA4BE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB4AB1 2_2_00DB4AB1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DBB1A1 2_2_00DBB1A1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB725E 2_2_00DB725E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB875E 2_2_00DB875E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB4149 2_2_00DB4149
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DBBC4E 2_2_00DBBC4E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DBB877 2_2_00DBB877
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DBAB67 2_2_00DBAB67
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB9664 2_2_00DB9664
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB330B 2_2_00DB330B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB1000 2_2_00DB1000
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB9939 2_2_00DB9939
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB8A38 2_2_00DB8A38
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB6131 2_2_00DB6131
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DBA637 2_2_00DBA637
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DBAA35 2_2_00DBAA35
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB3820 2_2_00DB3820
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10012420 2_2_10012420
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1000F045 2_2_1000F045
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10018490 2_2_10018490
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10014CBF 2_2_10014CBF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100110C0 2_2_100110C0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10018D30 2_2_10018D30
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10011968 2_2_10011968
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100155B5 2_2_100155B5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100109C5 2_2_100109C5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100149C5 2_2_100149C5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10013DF7 2_2_10013DF7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100115FD 2_2_100115FD
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001C24F 2_2_1001C24F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10010A6B 2_2_10010A6B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10011EBA 2_2_10011EBA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001B6CA 2_2_1001B6CA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10011721 2_2_10011721
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10005394 2_2_10005394
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001E7D6 2_2_1001E7D6
Source: C:\Windows\SysWOW64\explorer.exe Code function: 3_2_0051F045 3_2_0051F045
Source: C:\Windows\SysWOW64\explorer.exe Code function: 3_2_00522420 3_2_00522420
Source: C:\Windows\SysWOW64\explorer.exe Code function: 3_2_005210C0 3_2_005210C0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 3_2_00528490 3_2_00528490
Source: C:\Windows\SysWOW64\explorer.exe Code function: 3_2_00524CBF 3_2_00524CBF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 3_2_00521968 3_2_00521968
Source: C:\Windows\SysWOW64\explorer.exe Code function: 3_2_00528D30 3_2_00528D30
Source: C:\Windows\SysWOW64\explorer.exe Code function: 3_2_005209C5 3_2_005209C5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 3_2_005249C5 3_2_005249C5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 3_2_00523DF7 3_2_00523DF7
Source: C:\Windows\SysWOW64\explorer.exe Code function: 3_2_005215FD 3_2_005215FD
Source: C:\Windows\SysWOW64\explorer.exe Code function: 3_2_005255B5 3_2_005255B5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 3_2_0052C24F 3_2_0052C24F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 3_2_00520A6B 3_2_00520A6B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 3_2_0052B6CA 3_2_0052B6CA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 3_2_00521EBA 3_2_00521EBA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 3_2_00521721 3_2_00521721
Source: C:\Windows\SysWOW64\explorer.exe Code function: 3_2_0052E7D6 3_2_0052E7D6
Source: C:\Windows\SysWOW64\explorer.exe Code function: 3_2_00515394 3_2_00515394
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_04B52A87 4_2_04B52A87
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_04B54F80 4_2_04B54F80
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_04B56956 4_2_04B56956
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_04B54AB1 4_2_04B54AB1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_04B511BE 4_2_04B511BE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_04B5A4BE 4_2_04B5A4BE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_04B5B1A1 4_2_04B5B1A1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_04B57BF5 4_2_04B57BF5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_04B594F8 4_2_04B594F8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_04B5BAEC 4_2_04B5BAEC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_04B588DE 4_2_04B588DE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_04B590DE 4_2_04B590DE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_04B531D8 4_2_04B531D8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_04B5AA35 4_2_04B5AA35
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_04B5A637 4_2_04B5A637
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_04B56131 4_2_04B56131
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_04B59939 4_2_04B59939
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_04B58A38 4_2_04B58A38
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_04B53820 4_2_04B53820
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_04B51000 4_2_04B51000
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_04B5330B 4_2_04B5330B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_04B5B877 4_2_04B5B877
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_04B59664 4_2_04B59664
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_04B5AB67 4_2_04B5AB67
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_04B5875E 4_2_04B5875E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_04B5725E 4_2_04B5725E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_04B5BC4E 4_2_04B5BC4E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_04B54149 4_2_04B54149
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_00122420 7_2_00122420
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_0011F045 7_2_0011F045
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_00128490 7_2_00128490
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_00124CBF 7_2_00124CBF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_001210C0 7_2_001210C0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_00128D30 7_2_00128D30
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_00121968 7_2_00121968
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_001255B5 7_2_001255B5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_001209C5 7_2_001209C5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_001249C5 7_2_001249C5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_00123DF7 7_2_00123DF7
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_001215FD 7_2_001215FD
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_0012C24F 7_2_0012C24F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_00120A6B 7_2_00120A6B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_00121EBA 7_2_00121EBA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_0012B6CA 7_2_0012B6CA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_00121721 7_2_00121721
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_00115394 7_2_00115394
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_0012E7D6 7_2_0012E7D6
One or more processes crash
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5312 -s 652
PE file does not import any functions
Source: gihi2.dll.7.dr Static PE information: No import functions for PE file found
Source: gihi1.dll.3.dr Static PE information: No import functions for PE file found
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Yara signature match
Source: 00000002.00000002.237315592.0000000000E00000.00000004.00000001.sdmp, type: MEMORY Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 00000007.00000002.247270585.0000000000110000.00000040.00000001.sdmp, type: MEMORY Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 00000004.00000002.246220132.0000000004BA0000.00000004.00000001.sdmp, type: MEMORY Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 00000003.00000002.508377992.0000000000510000.00000040.00000001.sdmp, type: MEMORY Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 2.2.regsvr32.exe.10000000.3.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 3.2.explorer.exe.510000.0.raw.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 4.2.regsvr32.exe.4ba0000.2.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 2.2.regsvr32.exe.e00000.2.raw.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 7.2.explorer.exe.110000.0.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 2.2.regsvr32.exe.e00000.2.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 7.2.explorer.exe.110000.0.raw.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 4.2.regsvr32.exe.4ba0000.2.raw.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 4.2.regsvr32.exe.10000000.3.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 3.2.explorer.exe.510000.0.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSB@20/18@2/1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1000A1C7 CreateToolhelp32Snapshot,memset,Process32First,Process32Next,FindCloseChangeNotification, 2_2_1000A1C7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10009CB8 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket, 2_2_10009CB8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10002297 StartServiceCtrlDispatcherA, 2_2_10002297
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10002297 StartServiceCtrlDispatcherA, 2_2_10002297
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{D63735A2-9794-4801-AD70-02CA72DB3867}
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\WERReportingForProcess5312
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\WERReportingForProcess2124
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\{D63735A2-9794-4801-AD70-02CA72DB3867}
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\{35E6C3B9-F87F-4BE3-AB5E-425C5FD9022A}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1276:120:WilError_01
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\{41A04B68-E562-4035-81B4-C1F805A739E1} - OProcSessId.dat Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: plan-1053707320.xlsb Virustotal: Detection: 25%
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 ..\gihi1.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 ..\gihi2.dll
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn nowkkbo /tr 'regsvr32.exe -s \'C:\Users\user\gihi1.dll\'' /SC ONCE /Z /ST 20:45 /ET 20:57
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: unknown Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\gihi1.dll'
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\gihi1.dll'
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5312 -s 652
Source: unknown Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\gihi1.dll'
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\gihi1.dll'
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 652
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 ..\gihi1.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 ..\gihi2.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn nowkkbo /tr 'regsvr32.exe -s \'C:\Users\user\gihi1.dll\'' /SC ONCE /Z /ST 20:45 /ET 20:57 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\gihi1.dll' Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\gihi1.dll' Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: plan-1053707320.xlsb Initial sample: OLE zip file path = xl/media/image1.png
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll Jump to behavior

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1000E5F3 LoadLibraryA,GetProcAddress, 2_2_1000E5F3
PE file contains sections with non-standard names
Source: ka[1].htm.0.dr Static PE information: section name: .code
Source: ka[1].htm.0.dr Static PE information: section name: .rdataf
Source: gihi1.dll.3.dr Static PE information: section name: .code
Source: gihi1.dll.3.dr Static PE information: section name: .rdataf
Source: gihi2.dll.7.dr Static PE information: section name: .code
Source: gihi2.dll.7.dr Static PE information: section name: .rdataf
Registers a DLL
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 ..\gihi1.dll
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB4F80 push dword ptr [ebp-0Ch]; mov dword ptr [esp], ecx 2_2_00DB4F90
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB4F80 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 2_2_00DB4FA4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB4F80 push dword ptr [ebp-0Ch]; mov dword ptr [esp], ecx 2_2_00DB4FEC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB4F80 push 00000000h; mov dword ptr [esp], ecx 2_2_00DB5020
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB4F80 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 2_2_00DB504C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB4F80 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 2_2_00DB50E1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB4F80 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 2_2_00DB50ED
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB4F80 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 2_2_00DB510C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB4F80 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 2_2_00DB516E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB4F80 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 2_2_00DB5194
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB4F80 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 2_2_00DB51A0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB4F80 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 2_2_00DB53F3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB4F80 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 2_2_00DB540D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB4F80 push 00000000h; mov dword ptr [esp], esi 2_2_00DB5418
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB4F80 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 2_2_00DB543F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB4F80 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 2_2_00DB547B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB4F80 push 00000000h; mov dword ptr [esp], esi 2_2_00DB5508
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB4F80 push 00000000h; mov dword ptr [esp], ecx 2_2_00DB5541
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB4F80 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 2_2_00DB556A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB4F80 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 2_2_00DB55C3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB4F80 push 00000000h; mov dword ptr [esp], edi 2_2_00DB566B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB4F80 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 2_2_00DB569C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB4F80 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 2_2_00DB56A8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB4F80 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 2_2_00DB56E7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB4F80 push 00000000h; mov dword ptr [esp], edx 2_2_00DB575B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB4F80 push dword ptr [ebp-08h]; mov dword ptr [esp], edx 2_2_00DB57B5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB4F80 push dword ptr [ebp-10h]; mov dword ptr [esp], ecx 2_2_00DB5806
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB4F80 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx 2_2_00DB580C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB4F80 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 2_2_00DB5818
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB4F80 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx 2_2_00DB58B1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB4F80 push dword ptr [ebp-10h]; mov dword ptr [esp], edx 2_2_00DB58B7
Source: initial sample Static PE information: section name: .code entropy: 6.95430407678
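The three static findings above (section names .code and .rdataf, no import functions, .code entropy 6.95) fall out of a handful of header fields. The script below is an added example, not the sandbox's own code: parse_pe() reads those fields with the standard library only, and triage() turns them into the same three findings. The PE it runs on is a constructed fixture built in memory by build_minimal_pe(), not one of the dropped gihi*.dll files, so it runs offline; the 6.8 bits/byte threshold is an assumption chosen so that the report's 6.95 would trip it.

```python
"""Static checks behind the section-name, import and entropy findings above.

Added example, not the sandbox's own code. parse_pe() reads the headers with
the standard library only; build_minimal_pe() creates a constructed PE32
fixture in memory (not one of the dropped gihi*.dll files) so the script runs
offline. ENTROPY_THRESHOLD is an assumption chosen so that the report's .code
entropy of 6.95 would trip it.
"""
import math
import struct
from collections import Counter
from typing import List, Tuple

STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                     ".reloc", ".rsrc", ".tls", ".pdata", ".CRT", ".debug"}
ENTROPY_THRESHOLD = 6.8  # assumption, see module docstring


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return max(0.0, -sum(c / n * math.log2(c / n) for c in Counter(data).values()))


def parse_pe(blob: bytes) -> dict:
    """Section names, on-disk entropies and the import directory of a PE32/PE32+."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", blob, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)          # data directories: PE32 / PE32+
    import_rva, import_size = struct.unpack_from("<II", blob, dirs + 8)  # entry 1 = imports
    sections = []
    for i in range(nsections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", blob, opt + opt_size + 40 * i)
        data = blob[raw_ptr:raw_ptr + raw_size]  # entropy over the raw, file-aligned section
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "raw_size": raw_size, "entropy": round(entropy(data), 6)})
    return {"sections": sections, "import_rva": import_rva, "import_size": import_size}


def triage(pe: dict) -> List[str]:
    findings = []
    odd = [s["name"] for s in pe["sections"] if s["name"] not in STANDARD_SECTIONS]
    if odd:
        findings.append("non-standard section names: " + ", ".join(odd))
    if pe["import_rva"] == 0 and pe["import_size"] == 0:
        findings.append("no import directory: APIs must be resolved at runtime")
    for s in pe["sections"]:
        if s["raw_size"] >= 256 and s["entropy"] > ENTROPY_THRESHOLD:
            findings.append("high-entropy section %s (%.3f bits/byte)" % (s["name"], s["entropy"]))
    return findings


def build_minimal_pe(sections: List[Tuple[str, bytes]]) -> bytes:
    """Constructed fixture: a structurally valid PE32 DLL image with the given
    (name, data) sections, an all-zero import directory and no code. Not loadable."""
    file_align, opt_size = 0x200, 224                  # 224 = PE32 optional header, 16 dirs
    hdr_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    hdr_len = -(-hdr_len // file_align) * file_align  # round up to the file alignment
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x2102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)           # every directory zero
    table, body, raw_ptr = b"", b"", hdr_len
    for i, (name, data) in enumerate(sections):
        padded = data + b"\0" * (-len(data) % file_align)
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), 0x1000 * (i + 1),
                             len(padded), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += padded
        raw_ptr += len(padded)
    header = dos + b"PE\0\0" + coff + opt + table
    return header + b"\0" * (hdr_len - len(header)) + body


# Constructed sample: 1 KiB uniform '.code' (entropy exactly 8.0) and an all-zero '.rdataf'.
SAMPLE_PE = build_minimal_pe([(".code", bytes(range(256)) * 4), (".rdataf", b"\0" * 64)])

if __name__ == "__main__":
    for finding in triage(parse_pe(SAMPLE_PE)):
        print(finding)
```

Pointing parse_pe() at one of the real dropped files reproduces the report's three findings. An empty import directory on a DLL that nevertheless calls CreateToolhelp32Snapshot, CoCreateInstance and NtMapViewOfSection (see the Code function lines above) means every API is resolved at runtime, which is what the LoadLibraryA/GetProcAddress pair under Data Obfuscation is for.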

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\ka[1].htm Jump to dropped file
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\gihi2.dll Jump to dropped file
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\gihi1.dll Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\ka[1].htm Jump to dropped file
Drops PE files to the user directory
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\gihi2.dll Jump to dropped file
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\gihi1.dll Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\ka[1].htm Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\ka[1].htm Jump to dropped file

Boot Survival:

Drops PE files to the user root directory
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\gihi2.dll Jump to dropped file
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\gihi1.dll Jump to dropped file
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn nowkkbo /tr 'regsvr32.exe -s \'C:\Users\user\gihi1.dll\'' /SC ONCE /Z /ST 20:45 /ET 20:57
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10002297 StartServiceCtrlDispatcherA, 2_2_10002297
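Detection logic for the chain recorded in the System Summary and here, written as an added example rather than anything the sandbox produced: EXCEL.EXE launches regsvr32 on a DLL reached through a relative path (..\gihi1.dll), regsvr32 starts explorer.exe as an injection host, explorer.exe registers a one-shot task that runs as NT AUTHORITY\SYSTEM and re-executes regsvr32 -s on the DLL left in the user's profile root, and the task later fires with no visible parent. The event records are constructed from the 'Process created' lines (the report renders double quotes as single quotes; normal Windows quoting is restored), their (parent, image, cmdline) layout is an assumed log schema, and the last record is a benign control the rules must not fire on. The loader list extends the page's regsvr32 case to the other Office-spawned LOLBins an analyst would group with it.

```python
"""Process-tree rules for the Excel -> regsvr32 -> explorer -> schtasks chain.

Added example, not Joe Sandbox code. EVENTS is constructed from the report's
'Process created' lines (double quotes restored where the report shows single
quotes); its (parent, image, cmdline) layout is an assumed, simplified log
schema, and the last record is a benign control the rules must not fire on.
"""
import re
from typing import Dict, List, Tuple

OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# regsvr32 is the case on the page; the others are the usual Office-spawned loaders.
LOLBIN_LOADERS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
                  "cscript.exe", "powershell.exe", "cmd.exe"}

EVENTS: List[Tuple[str, str, str]] = [
    (r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
     r"C:\Windows\SysWOW64\regsvr32.exe", r"regsvr32 ..\gihi1.dll"),
    (r"C:\Windows\SysWOW64\regsvr32.exe",
     r"C:\Windows\SysWOW64\explorer.exe", r"C:\Windows\SysWOW64\explorer.exe"),
    (r"C:\Windows\SysWOW64\explorer.exe", r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" '
     r'/tn nowkkbo /tr "regsvr32.exe -s \"C:\Users\user\gihi1.dll\"" '
     r"/SC ONCE /Z /ST 20:45 /ET 20:57"),
    # Started by the Task Scheduler; the report lists the parent as unknown.
    ("unknown", r"C:\Windows\System32\regsvr32.exe",
     r'regsvr32.exe -s "C:\Users\user\gihi1.dll"'),
    # Benign control (constructed): an installer registering its own COM server.
    (r"C:\Program Files\Vendor\setup.exe", r"C:\Windows\System32\regsvr32.exe",
     r'regsvr32.exe /s "C:\Program Files\Vendor\shell.dll"'),
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def user_path(text: str) -> bool:
    """True when text names a file under the Users tree or reaches one through a
    relative '..' hop, as the regsvr32 launch from EXCEL.EXE above does."""
    return re.search(r"(?i)(\\users\\|(^|\s)\.\.\\)", text) is not None


def parse_schtasks(cmdline: str) -> Dict[str, object]:
    """Pull the switches that matter out of a schtasks /Create command line.
    Quoted values may contain backslash-escaped quotes, as the /tr action does."""
    out: Dict[str, object] = {}
    for key in ("RU", "tn", "tr", "SC"):
        m = re.search(r'(?i)/%s\s+(?:"((?:[^"\\]|\\.)*)"|(\S+))' % key, cmdline)
        if m:
            value = m.group(1) if m.group(1) is not None else m.group(2)
            out[key] = value.replace('\\"', '"')
    once = str(out.get("SC", "")).upper() == "ONCE"
    # /Z marks the task for deletion after its final run.
    out["one_shot"] = once or re.search(r"(?i)\s/Z(?=\s|$)", cmdline) is not None
    return out


def evaluate(parent: str, image: str, cmdline: str) -> List[str]:
    hits: List[str] = []
    p, c = basename(parent), basename(image)
    if p in OFFICE_HOSTS and c in LOLBIN_LOADERS:
        hits.append("office_spawns_loader")
    if c == "regsvr32.exe" and user_path(cmdline):
        hits.append("regsvr32_loads_dll_from_user_path")
    if p == "regsvr32.exe" and c == "explorer.exe":
        hits.append("regsvr32_spawns_explorer")
    if c == "schtasks.exe" and re.search(r"(?i)/create\b", cmdline):
        task = parse_schtasks(cmdline)
        action = str(task.get("tr", ""))
        action_exe = basename(action.split()[0]) if action else ""
        as_system = "SYSTEM" in str(task.get("RU", "")).upper()
        if as_system and (user_path(action) or action_exe in LOLBIN_LOADERS):
            hits.append("system_task_runs_user_path_payload")
            if task["one_shot"]:
                hits.append("one_shot_self_deleting_task")
    return hits


def scan(events: List[Tuple[str, str, str]]) -> List[Tuple[str, List[str]]]:
    """(cmdline, rule hits) for each event that trips at least one rule."""
    results = []
    for parent, image, cmdline in events:
        hits = evaluate(parent, image, cmdline)
        if hits:
            results.append((cmdline, hits))
    return results


if __name__ == "__main__":
    for cmdline, hits in scan(EVENTS):
        print(", ".join(hits), "<-", cmdline)
```

Because /Z marks the task for deletion after its final run, the task nowkkbo is usually gone by the time anyone looks at the task store; the schtasks command line in process-creation telemetry is the durable artifact, which is why the rule keys on the command line rather than on the registered task.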

Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 4784 base: 13AF380 value: E9 83 38 16 FF Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 5440 base: 13AF380 value: E9 83 38 D6 FE Jump to behavior
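What the two 'Memory written' records above say, as an added example that is not part of the report: 0xE9 is the x86 near jmp with a signed 32-bit displacement measured from the end of the five-byte instruction, so each write replaces the first five bytes of a function at 0x13AF380 in a foreign process (by the process tree, the two explorer.exe hosts) with a jump whose target can be recovered by hand. The bases below are taken from the names of the Yara-matched explorer.exe dumps (3.2.explorer.exe.510000.0 and 7.2.explorer.exe.110000.0); the region sizes are not on the page, so the code reports the nearest base at or below the target and the offset into it rather than asserting containment. Decoding of the two-byte EB rel8 short jump is a generalisation added for completeness; the report only shows E9 writes.

```python
"""Resolve the E9 rel32 hooks the report saw written into explorer.exe.

Added example, not part of the sandbox output. HOOK_WRITES is transcribed from
the two 'Memory written' lines; PAYLOAD_BASES comes from the names of the
Yara-matched explorer.exe dumps (...510000... and ...110000...). Region sizes
are not on the page, so nearest_region() reports base and offset, not containment.
"""
import struct
from typing import List, Optional, Tuple

HOOK_WRITES: List[Tuple[int, int, bytes]] = [
    (4784, 0x13AF380, bytes.fromhex("E9 83 38 16 FF")),
    (5440, 0x13AF380, bytes.fromhex("E9 83 38 D6 FE")),
]
PAYLOAD_BASES = [0x510000, 0x110000]


def decode_jmp(address: int, code: bytes) -> Optional[int]:
    """Absolute target of a near jmp located at `address`, or None if `code` is not one.

    E9 rel32: five bytes, signed 32-bit displacement from the next instruction.
    EB rel8:  two bytes, signed 8-bit displacement (generalisation; the report
              only shows E9 writes).
    """
    if len(code) >= 5 and code[0] == 0xE9:
        (rel,) = struct.unpack_from("<i", code, 1)
        return (address + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 2 and code[0] == 0xEB:
        (rel,) = struct.unpack_from("<b", code, 1)
        return (address + 2 + rel) & 0xFFFFFFFF
    return None


def nearest_region(target: int, bases: List[int]) -> Optional[Tuple[int, int]]:
    """(base, offset) for the highest region base at or below target, else None."""
    candidates = [b for b in bases if b <= target]
    if not candidates:
        return None
    base = max(candidates)
    return base, target - base


def resolve_hooks(writes=HOOK_WRITES, bases=PAYLOAD_BASES) -> List[dict]:
    out = []
    for pid, patched, code in writes:
        target = decode_jmp(patched, code)
        region = nearest_region(target, bases) if target is not None else None
        out.append({"pid": pid, "patched": patched, "target": target, "region": region})
    return out


def same_payload_offset(results: List[dict]) -> bool:
    """True when every hook lands at one and the same offset into its payload region."""
    offsets = [r["region"][1] for r in results if r["region"] is not None]
    return len(offsets) == len(results) and len(set(offsets)) == 1


if __name__ == "__main__":
    for r in resolve_hooks():
        base, off = r["region"]
        print("pid %d: patch at %08X jumps to %08X = region %08X + %X"
              % (r["pid"], r["patched"], r["target"], base, off))
```

Both displacements resolve to offset 0x2C08 into their payload regions (targets 0x512C08 and 0x112C08), which is consistent with one hooking routine patching the same function in each host process and redirecting it to the same function of the injected QakBot payload, loaded at a different base in each.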
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX (34 identical entries)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX (4 identical entries)
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Tries to evade analysis by executing a special instruction which causes a usermode exception
Source: C:\Windows\SysWOW64\WerFault.exe Special instruction interceptor: First address: 00000000678011EF instructions 0FC7C8 caused by: Known instruction #UD exception
Found dropped PE file which has not been started or loaded
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\ka[1].htm
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\ka[1].htm
Found evasive API chain (date check)
Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found evasive API chain checking for process token information
Source: C:\Windows\SysWOW64\regsvr32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\SysWOW64\explorer.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4552 Thread sleep count: 111 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 5904 Thread sleep time: -112000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 204 Thread sleep count: 111 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 3288 Thread sleep count: 62 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1000BB22 FindFirstFileW,FindNextFileW, 2_2_1000BB22
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1000EB53 GetCurrentProcessId,GetTickCount,GetModuleFileNameW,GetCurrentProcess,LookupAccountSidW,GetLastError,GetSystemMetrics,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,GetSystemInfo,GetWindowsDirectoryW, 2_2_1000EB53
Source: C:\Windows\SysWOW64\regsvr32.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\regsvr32.exe Process queried: DebugPort
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1000E5F3 LoadLibraryA,GetProcAddress, 2_2_1000E5F3
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00DB1000 push dword ptr fs:[00000030h] 2_2_00DB1000
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_04B51000 push dword ptr fs:[00000030h] 4_2_04B51000
Source: C:\Windows\SysWOW64\explorer.exe Code function: 3_2_00512A6B RtlAddVectoredExceptionHandler, 3_2_00512A6B

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 540000 protect: page read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 140000 protect: page read and write
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 4784 base: 540000 value: 9C
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 4784 base: 13AF380 value: E9
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 5440 base: 140000 value: 9C
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 5440 base: 13AF380 value: E9
Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 540000
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 13AF380
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 140000
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: explorer.exe, 00000003.00000002.510109645.0000000003660000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000003.00000002.510109645.0000000003660000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000002.510109645.0000000003660000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000003.00000002.510109645.0000000003660000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1000B036 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 2_2_1000B036
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001354E LookupAccountNameW,LookupAccountNameW,LookupAccountNameW, 2_2_1001354E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1000EB53 GetCurrentProcessId,GetTickCount,GetModuleFileNameW,GetCurrentProcess,LookupAccountSidW,GetLastError,GetSystemMetrics,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,GetSystemInfo,GetWindowsDirectoryW, 2_2_1000EB53

Stealing of Sensitive Information:

Yara detected Qbot
Source: Yara match File source: 00000002.00000002.237315592.0000000000E00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.246220132.0000000004BA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.regsvr32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.4ba0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.e00000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.explorer.exe.110000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.e00000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.4ba0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.explorer.exe.510000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Qbot
Source: Yara match File source: 00000002.00000002.237315592.0000000000E00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.246220132.0000000004BA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.regsvr32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.4ba0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.e00000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.explorer.exe.110000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.e00000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.4ba0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.explorer.exe.510000.0.unpack, type: UNPACKEDPE