File name:	2020-11-05-Qakbot-malspam.eml
Full analysis:	https://app.any.run/tasks/03119661-5abb-4ca9-926f-e0b10d8af19e
Verdict:	Malicious activity
Analysis date:	November 05, 2020, 16:09:55
OS:	Windows 10 Professional (build: 16299, 64 bit)
Tags:	maldoc-42
Indicators:
MIME:	message/rfc822
File info:	RFC 822 mail, ASCII text, with CRLF line terminators
MD5:	AD2D2B99B91009359763CBCF2B24C527
SHA1:	D6D0B1660ED42D142201B1426A3EEBC595E5A7B5
SHA256:	DE1117731FCB2E3B322F3C2950386A109A65E99621674513B2D1450F625B44CC
SSDEEP:	768:ggMBxsiySaTliWg6gkhusqrJ0yQeQZ6PE0nfGdhT:PM7sBxTcWg6xgAe/PXnfGdF


(PID) Process:	(2172) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:	write	Name:	6
Value: 017C11000000001000284FFA2E01000000000000000300000000000000
(PID) Process:	(2172) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\Common\CrashPersistence\OUTLOOK\2172
Operation:	write	Name:	0
Value: 0B0E10D60EC7F6EFE22443B883FC57C3C09CB8230046F3B082C6E2F1ACEB016A0410240044FA5D64A89E01008500A907556E6B6E6F776EC9062E22504F38414E6B6373746B636172474A6766584B757268766239486548717741554A6E78536E416A3275354D3D2200
(PID) Process:	(2172) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Logging
Operation:	write	Name:	(default)
Value: C:\Users\admin\AppData\Local\Temp\Outlook Logging\OUTLOOK-20201105T1110200444-v2.etl
(PID) Process:	(2172) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(2172) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:	write	Name:	CantBootResolution
Value: BootSuccess
(PID) Process:	(2172) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:	write	Name:	ProfileBeingOpened
Value: Outlook
(PID) Process:	(2172) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:	write	Name:	SessionId
Value: A8D02E06-7F60-429E-AE14-BF99173D2779
(PID) Process:	(2172) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsData
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(2172) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Diagnostics
Operation:	write	Name:	OutlookBootFlag
Value: 1
(PID) Process:	(2172) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	en-US
Value: 2

PID	Process	Filename		Type
2172	OUTLOOK.EXE	C:\Users\admin\Desktop\ElectionInterference_2084240574.zip\:Zone.Identifier:$DATA		—
		MD5:—	SHA256:—
2172	OUTLOOK.EXE	C:\Users\admin\Documents\Outlook Files\~Outlook1.pst.tmp		—
		MD5:—	SHA256:—
2172	OUTLOOK.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~WRD0000.tmp		—
		MD5:—	SHA256:—
2172	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{3B77C9BA-2B63-45E6-B9CB-D8A9BA17F147}.tmp		—
		MD5:—	SHA256:—
2172	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\AA630352-1C21-473B-BCFA-C5E3A556D42A		xml
		MD5:—	SHA256:—
2172	OUTLOOK.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Outlook\Outlook.srs		srs
		MD5:—	SHA256:—
2172	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log		text
		MD5:—	SHA256:—
2172	OUTLOOK.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm		pgc
		MD5:—	SHA256:—
2172	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Temp\.ses		text
		MD5:—	SHA256:—
2172	OUTLOOK.EXE	C:\Users\admin\Desktop\ElectionInterference_2084240574.zip		compressed
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1928	svchost.exe	GET	200	52.109.52.36:443	https://messaging.office.com/lifecycle/legacygetcustommessage16?app=6&ui=en-US&src=Office_CanvasBoot_Win32&messagetype=Canvas&hwid=04111-083-043729&ver=16.0.12026&lc=en-CA&platform=10%3A0%3A16299%3A2%3A0%3A0%3A256%3A1%3A&productid=%7B1717C1E0-47D3-4899-A6D3-1022DB7415E0%7D%3A00411-10830-43729-AA044%3AOffice%2019%2C%20Office19Professional2019R_Retail%20edition&clientsessionid=%7BF6C70ED6-E2EF-4324-B883-FC57C3C09CB8%7D&datapropertybag=%7B%22Audience%22%3A%22Production%22%2C%22AudienceGroup%22%3A%22Production%22%2C%22AudienceChannel%22%3A%22CC%22%2C%22Flight%22%3A%22ofsh6c2b1tla1a31%2Cofcrui4yvdulbf31%2Cofhpex3jznepoo31%2Cofgg6vdq3anjh131%2Cofrntm2bbmxkw431%22%7D	JP	xml	495 b	whitelisted
1928	svchost.exe	GET	200	52.109.76.6:443	https://officeclient.microsoft.com/config16/?syslcid=4105&build=16.0.12026&crev=3	IE	xml	127 Kb	whitelisted
1928	svchost.exe	GET	200	52.109.52.36:443	https://messaging.office.com/lifecycle/legacygetcustommessage16?app=6&ui=en-US&src=Office_CanvasLocalSaveDocument_Win32&messagetype=Canvas&hwid=04111-083-043729&ver=16.0.12026&lc=en-CA&platform=10%3A0%3A16299%3A2%3A0%3A0%3A256%3A1%3A&productid=%7B1717C1E0-47D3-4899-A6D3-1022DB7415E0%7D%3A00411-10830-43729-AA044%3AOffice%2019%2C%20Office19Professional2019R_Retail%20edition&clientsessionid=%7BF6C70ED6-E2EF-4324-B883-FC57C3C09CB8%7D&datapropertybag=%7B%22Audience%22%3A%22Production%22%2C%22AudienceGroup%22%3A%22Production%22%2C%22AudienceChannel%22%3A%22CC%22%2C%22Flight%22%3A%22ofsh6c2b1tla1a31%2Cofcrui4yvdulbf31%2Cofhpex3jznepoo31%2Cofgg6vdq3anjh131%2Cofrntm2bbmxkw431%22%7D	JP	xml	495 b	whitelisted
1928	svchost.exe	POST	400	40.90.137.124:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	text	210 b	whitelisted
1928	svchost.exe	POST	200	40.90.137.124:443	https://login.live.com/RST2.srf	US	xml	1.29 Kb	whitelisted
1928	svchost.exe	POST	200	40.90.137.124:443	https://login.live.com/RST2.srf	US	xml	11.1 Kb	whitelisted
1928	svchost.exe	GET	200	52.109.88.5:443	https://odc.officeapps.live.com/odc/servicemanager/catalog?lcid=1033&syslcid=4105&uilcid=1033&app=5&ver=16&schema=8	NL	xml	28.3 Kb	whitelisted
1928	svchost.exe	POST	200	40.90.137.124:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	text	16.7 Kb	whitelisted
1928	svchost.exe	POST	200	40.90.137.124:443	https://login.live.com/RST2.srf	US	xml	1.98 Kb	whitelisted
1928	svchost.exe	POST	200	40.90.137.124:443	https://login.live.com/RST2.srf	US	xml	11.1 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4480	EXCEL.EXE	74.221.216.140:80	sglr2.revpdev.com	Level 3 Communications, Inc.	US	malicious
2172	OUTLOOK.EXE	52.109.52.36:443	messaging.office.com	Microsoft Corporation	JP	unknown
1076	svchost.exe	40.90.137.124:443	login.live.com	Microsoft Corporation	US	unknown
2172	OUTLOOK.EXE	52.109.76.6:443	officeclient.microsoft.com	Microsoft Corporation	IE	whitelisted
2172	OUTLOOK.EXE	52.109.76.124:443	roaming.officeapps.live.com	Microsoft Corporation	IE	whitelisted
2172	OUTLOOK.EXE	52.225.255.33:443	config.edge.skype.com	Microsoft Corporation	US	unknown
2172	OUTLOOK.EXE	52.114.133.60:443	self.events.data.microsoft.com	Microsoft Corporation	US	suspicious
2172	OUTLOOK.EXE	52.109.88.5:443	odc.officeapps.live.com	Microsoft Corporation	NL	whitelisted
2172	OUTLOOK.EXE	52.109.8.21:443	nexusrules.officeapps.live.com	Microsoft Corporation	US	whitelisted
4480	EXCEL.EXE	52.109.76.6:443	officeclient.microsoft.com	Microsoft Corporation	IE	whitelisted

Domain	IP	Reputation
officeclient.microsoft.com	52.109.76.6	whitelisted
config.edge.skype.com	52.225.255.33 13.107.43.23	malicious
roaming.officeapps.live.com	52.109.76.124	whitelisted
login.live.com	40.90.137.124 40.90.23.208 40.90.23.247 40.90.137.127 40.90.137.126 40.90.23.153 40.90.23.206 40.90.137.125	whitelisted
messaging.office.com	52.109.52.36	whitelisted
self.events.data.microsoft.com	52.114.133.60 52.114.133.61 52.114.158.91 52.114.159.112	whitelisted
odc.officeapps.live.com	52.109.88.5	whitelisted
nexusrules.officeapps.live.com	52.109.8.21	whitelisted
fs.microsoft.com	104.108.144.60	whitelisted
sglr2.revpdev.com	74.221.216.140	malicious

Process	Message
OUTLOOK.EXE	ReminderQueueBase:InitializeTable hr=0
OUTLOOK.EXE	ReminderQueue: ProcessNotification: End<-----
OUTLOOK.EXE	ReminderQueue: Hrinitialize hr = 0
OUTLOOK.EXE	Reminder Queue Starts ===========================:

General Info

2020-11-05-Qakbot-malspam.eml

AD2D2B99B91009359763CBCF2B24C527

D6D0B1660ED42D142201B1426A3EEBC595E5A7B5

DE1117731FCB2E3B322F3C2950386A109A65E99621674513B2D1450F625B44CC

768:ggMBxsiySaTliWg6gkhusqrJ0yQeQZ6PE0nfGdhT:PM7sBxTcWg6xgAe/PXnfGdF

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Executed via COM

INFO

Reads Environment values

Reads the software policy settings

Reads the machine GUID from the registry

Reads settings of System Certificates

Creates files in the user directory

Manual execution by user

Scans artifacts that could help determine the target

Reads Microsoft Office registry keys

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings