| File name: | 2022-02-24-Qakbot-malspam1603-UTC.eml |
| Full analysis: | https://app.any.run/tasks/7779b0b3-fb59-4c3c-9d4f-7966130598f7 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | February 24, 2022, 16:23:14 |
| OS: | Windows 10 Professional (build: 16299, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | message/rfc822 |
| File info: | news or mail, ISO-8859 text, with CRLF line terminators |
| MD5: | 7F3B8F98FF5E76A5BA57F1A4C682424C |
| SHA1: | C849C90E56707B21D471BB3D412CB3246D1AB75A |
| SHA256: | F0509BEB4692CEDF95E68286385FB4E984E758504293691437E8DB2F2D48F96D |
| SSDEEP: | 48:kYKI5AFWpCR1fQZhbqlIk9Zi6sG5SdI49A116kWOGnre:kdI57vb6Ik9syIdIX1kOGe |
MALICIOUS
Executable content was dropped or overwritten
- EXCEL.EXE (PID: 2732)
SUSPICIOUS
Reads the time zone
- OUTLOOK.EXE (PID: 1864)
Reads the date of Windows installation
- OUTLOOK.EXE (PID: 1864)
- OpenWith.exe (PID: 1116)
Executed via COM
- OpenWith.exe (PID: 1116)
- rundll32.exe (PID: 3916)
Checks supported languages
- WinRAR.exe (PID: 1196)
Reads the computer name
- WinRAR.exe (PID: 1196)
Drops a file with too old compile date
- EXCEL.EXE (PID: 2732)
INFO
Reads CPU info
- OUTLOOK.EXE (PID: 1864)
- EXCEL.EXE (PID: 2732)
Checks supported languages
- OUTLOOK.EXE (PID: 1864)
- OpenWith.exe (PID: 1116)
- chrome.exe (PID: 1728)
- chrome.exe (PID: 3524)
- chrome.exe (PID: 2488)
- chrome.exe (PID: 3856)
- chrome.exe (PID: 3912)
- chrome.exe (PID: 3008)
- chrome.exe (PID: 2852)
- chrome.exe (PID: 704)
- chrome.exe (PID: 464)
- chrome.exe (PID: 3792)
- chrome.exe (PID: 80)
- EXCEL.EXE (PID: 2732)
Reads Environment values
- OUTLOOK.EXE (PID: 1864)
- EXCEL.EXE (PID: 2732)
Reads the computer name
- OUTLOOK.EXE (PID: 1864)
- OpenWith.exe (PID: 1116)
- chrome.exe (PID: 3524)
- chrome.exe (PID: 2488)
- chrome.exe (PID: 704)
- EXCEL.EXE (PID: 2732)
Reads the software policy settings
- OUTLOOK.EXE (PID: 1864)
- chrome.exe (PID: 3524)
- EXCEL.EXE (PID: 2732)
Reads settings of System Certificates
- OUTLOOK.EXE (PID: 1864)
- chrome.exe (PID: 3524)
- EXCEL.EXE (PID: 2732)
Creates files in the user directory
- OUTLOOK.EXE (PID: 1864)
- EXCEL.EXE (PID: 2732)
Checks Windows Trust Settings
- OUTLOOK.EXE (PID: 1864)
- EXCEL.EXE (PID: 2732)
Application launched itself
- chrome.exe (PID: 3524)
Reads the hosts file
- chrome.exe (PID: 3524)
Scans artifacts that could help determine the target
- OUTLOOK.EXE (PID: 1864)
- EXCEL.EXE (PID: 2732)
Manual execution by user
- WinRAR.exe (PID: 1196)
- EXCEL.EXE (PID: 2732)
Reads Microsoft Office registry keys
- EXCEL.EXE (PID: 2732)
- OUTLOOK.EXE (PID: 1864)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .eml | | | E-Mail message (Var. 2) (100) |
|---|
Total processes
68
Monitored processes
17
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 80 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1580,2591997622798500841,14648610862478233199,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=15781798278533158072 --mojo-platform-channel-handle=5240 --ignored=" --type=renderer " /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 73.0.3683.86 Modules
| |||||||||||||||
| 464 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,2591997622798500841,14648610862478233199,131072 --disable-gpu-compositing --service-pipe-token=14641623304723435048 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=14641623304723435048 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 73.0.3683.86 Modules
| |||||||||||||||
| 704 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1580,2591997622798500841,14648610862478233199,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=13301245348138211565 --mojo-platform-channel-handle=4900 /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google Inc. Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 73.0.3683.86 Modules
| |||||||||||||||
| 1116 | C:\WINDOWS\system32\OpenWith.exe -Embedding | C:\WINDOWS\system32\OpenWith.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Pick an app Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1196 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\1.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 Modules
| |||||||||||||||
| 1728 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=696 --on-initialized-event-handle=672 --parent-handle=676 /prefetch:6 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google Inc. Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 73.0.3683.86 Modules
| |||||||||||||||
| 1864 | "C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\admin\Desktop\2022-02-24-Qakbot-malspam1603-UTC.eml" | C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Exit code: 0 Version: 16.0.11929.20300 Modules
| |||||||||||||||
| 2488 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1580,2591997622798500841,14648610862478233199,131072 --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=2244382796772020218 --mojo-platform-channel-handle=1612 --ignored=" --type=renderer " /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 73.0.3683.86 Modules
| |||||||||||||||
| 2732 | "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\admin\Desktop\Payment-1623245345-Feb-24.xlsb" | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 16.0.11929.20300 Modules
| |||||||||||||||
| 2852 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,2591997622798500841,14648610862478233199,131072 --service-pipe-token=3426689768404843 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=3426689768404843 --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 73.0.3683.86 Modules
| |||||||||||||||
Total events
18 623
Read events
17 982
Write events
562
Delete events
79
Modification events
| (PID) Process: | (1864) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ClientTelemetry\Sampling |
| Operation: | write | Name: | 6 |
Value: 01580C0000000010004C4F992E01000000000000001300000000000000 | |||
| (PID) Process: | (1864) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Logging |
| Operation: | write | Name: | (default) |
Value: C:\Users\admin\AppData\Local\Temp\Outlook Logging\OUTLOOK-20220224T1723220755-v2.etl | |||
| (PID) Process: | (1864) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (1864) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession |
| Operation: | write | Name: | CantBootResolution |
Value: BootSuccess | |||
| (PID) Process: | (1864) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession |
| Operation: | write | Name: | ProfileBeingOpened |
Value: NoMail | |||
| (PID) Process: | (1864) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession |
| Operation: | write | Name: | SessionId |
Value: 5D551AE5-D73D-4F6B-B29A-BE67D9CA28B0 | |||
| (PID) Process: | (1864) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsData |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (1864) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Diagnostics |
| Operation: | write | Name: | OutlookBootFlag |
Value: 1 | |||
| (PID) Process: | (1864) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | en-US |
Value: 2 | |||
| (PID) Process: | (1864) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | de-de |
Value: 2 | |||
Executable files
2
Suspicious files
40
Text files
76
Unknown types
9
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1864 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | — | |
MD5:— | SHA256:— | |||
| 3524 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old | — | |
MD5:— | SHA256:— | |||
| 3524 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old | — | |
MD5:— | SHA256:— | |||
| 3524 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old | — | |
MD5:— | SHA256:— | |||
| 3524 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old | — | |
MD5:— | SHA256:— | |||
| 3524 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\CURRENT | — | |
MD5:— | SHA256:— | |||
| 3524 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old | — | |
MD5:— | SHA256:— | |||
| 1864 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | |
MD5:— | SHA256:— | |||
| 1864 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\541Y8AFM9QR7T0N74IF3.temp | binary | |
MD5:— | SHA256:— | |||
| 1864 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
18
TCP/UDP connections
17
DNS requests
12
Threats
6
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 304 | 52.152.110.14:443 | https://sls.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x86/10.0.16299.0/0?CH=469&L=en-US&P=&PT=0x30&WUA=10.0.16299.98&MK=DELL&MD=DELL | US | — | — | whitelisted |
2732 | EXCEL.EXE | GET | — | 67.43.234.56:80 | http://67.43.234.56/44616,725803588.dat | CA | — | — | suspicious |
1864 | OUTLOOK.EXE | GET | 200 | 13.107.42.16:443 | https://config.edge.skype.com/config/v2/Office/outlook/16.0.11929.20300/Production/CC?&Clientid=%7b082078A9-BB8F-421B-9363-C2C17BA0E563%7d&Application=outlook&Platform=win32&Version=16.0.11929.20300&MsoVersion=16.0.11929.20298&Audience=Production&Build=ship&Architecture=x86&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&Channel=CC&InstallType=C2R&SessionId=%7bED07BA67-AE35-4354-A544-4905A5DF6145%7d&LabMachine=false | US | text | 170 Kb | malicious |
3524 | chrome.exe | GET | 200 | 116.202.117.165:80 | http://paigham.tv/liv/iBx/JAD/DTp/sr7CnxX.zip | IN | compressed | 248 Kb | whitelisted |
3524 | chrome.exe | GET | 200 | 142.250.186.131:443 | https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=73 | US | compressed | 107 Kb | whitelisted |
2732 | EXCEL.EXE | GET | 200 | 185.81.113.214:80 | http://185.81.113.214/44616,725803588.dat | GB | executable | 844 Kb | suspicious |
2732 | EXCEL.EXE | GET | 200 | 13.107.42.16:443 | https://config.edge.skype.com/config/v2/Office/excel/16.0.11929.20300/Production/CC?&Clientid=%7b082078A9-BB8F-421B-9363-C2C17BA0E563%7d&Application=excel&Platform=win32&Version=16.0.11929.20300&MsoVersion=16.0.11929.20298&Audience=Production&Build=ship&Architecture=x86&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&Channel=CC&InstallType=C2R&SessionId=%7bEEFF69B8-2F44-43AC-A12A-F5DC5515D444%7d&LabMachine=false | US | text | 178 Kb | malicious |
2600 | sihclient.exe | GET | 200 | 2.18.233.62:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | der | 813 b | whitelisted |
2732 | EXCEL.EXE | POST | 200 | 20.189.173.13:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | US | binary | 66 b | whitelisted |
— | — | GET | 200 | 52.152.110.14:443 | https://sls.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x86/10.0.16299.0/0?CH=469&L=en-US&P=&PT=0x30&WUA=10.0.16299.98&MK=DELL&MD=DELL | US | compressed | 24.8 Kb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1864 | OUTLOOK.EXE | 13.107.42.16:443 | config.edge.skype.com | Microsoft Corporation | US | whitelisted |
2600 | sihclient.exe | 2.18.233.62:80 | — | Akamai International B.V. | — | whitelisted |
1864 | OUTLOOK.EXE | 52.178.17.3:443 | self.events.data.microsoft.com | Microsoft Corporation | NL | suspicious |
3524 | chrome.exe | 116.202.117.165:80 | paigham.tv | 334,Udyog Vihar | IN | suspicious |
3524 | chrome.exe | 142.250.186.131:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted |
3524 | chrome.exe | 142.250.185.173:443 | accounts.google.com | Google Inc. | US | suspicious |
3524 | chrome.exe | 142.250.185.132:443 | www.google.com | Google Inc. | US | whitelisted |
3524 | chrome.exe | 142.250.186.99:443 | ssl.gstatic.com | Google Inc. | US | whitelisted |
3524 | chrome.exe | 142.250.185.78:443 | clients4.google.com | Google Inc. | US | whitelisted |
2732 | EXCEL.EXE | 20.189.173.13:443 | self.events.data.microsoft.com | Microsoft Corporation | US | suspicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
self.events.data.microsoft.com |
| whitelisted |
clientservices.googleapis.com |
| whitelisted |
accounts.google.com |
| shared |
paigham.tv |
| whitelisted |
www.google.com |
| malicious |
ssl.gstatic.com |
| whitelisted |
clients4.google.com |
| whitelisted |
www.gstatic.com |
| whitelisted |
config.edge.skype.com |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2732 | EXCEL.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 |
2732 | EXCEL.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2732 | EXCEL.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 |
2732 | EXCEL.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 |
2732 | EXCEL.EXE | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
2732 | EXCEL.EXE | Misc activity | ET INFO EXE - Served Attached HTTP |
Process | Message |
|---|---|
OUTLOOK.EXE | Reminder Queue Starts ===========================:
|
OUTLOOK.EXE | ReminderQueue: Hrinitialize hr = 0
|
OUTLOOK.EXE | ReminderQueueBase:InitializeTable hr=0
|
OUTLOOK.EXE | ReminderQueue: ProcessNotification: End<-----
|