Overview

overview

10

Static

static

PDF_3028225.msi

windows7-x64

10

PDF_3028225.msi

windows10-2004-x64

10

Resubmissions

15-07-2022 15:08

220715-sh9dfsbfb7 10

12-07-2022 16:28

220712-tyx6ssaahj 10

Analysis

  • max time kernel
    150s
  • max time network
    94s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • resource tags

    arch:x64arch:x86image:win7-20220414-enlocale:en-usos:windows7-x64system
  • submitted
    15-07-2022 15:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PDF_3028225.msi

  • Size

    484KB

  • MD5

    47847ac5f01e037c1a18becc0dfd4611

  • SHA1

    d6f37b18252787c2c2c31358e741d9b834440331

  • SHA256

    7d1c0c7e4cbfe49926451ab6365455e5f3889fb17e2508afa9f6e2ebeedaa2c1

  • SHA512

    7630b223cddfc31ef7afee9972ab4a5100b048d35f526211e331f4717260e2c29b0962ad35271701b00c5c379f7798004f5140abe8dbc88ddf083d8b2ee78004

Score
10/10
qakbotvip011657631718bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

403.780

Botnet

vip01

Campaign

1657631718

C2

47.23.89.60:993

37.34.253.233:443

196.203.37.215:80

89.211.209.234:2222

81.158.239.251:2078

179.111.8.52:32101

208.107.221.224:443

24.158.23.166:995

66.230.104.103:443

92.132.132.81:2222

24.139.72.117:443

174.80.15.101:2083

24.178.196.158:2222

100.38.242.113:995

37.186.58.99:995

24.55.67.176:443

74.14.5.179:2222

172.114.160.81:443

40.134.246.185:995

63.143.92.99:995
Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Blocklisted process makes network request 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 10 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 45 IoCs
  • Suspicious behavior: EnumeratesProcesses 53 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\PDF_3028225.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:944
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Windows\system32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs
      2⤵
        PID:920
      • C:\Windows\system32\regsvr32.exe
        regsvr32.exe -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:540
        • C:\Windows\SysWOW64\regsvr32.exe
          -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
          3⤵
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1612
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1308
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /Z /ST 17:11 /tn leokczi /ET 17:22 /tr "powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABBAGQAbwBiAGUARgBvAG4AdABQAGEAYwBrAFwAbQBhAGkAbgAuAGQAbABsACIA" /SC ONCE
              5⤵
              • Creates scheduled task(s)
              PID:1176
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1960
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000060" "000000000000005C"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:1720
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {DF0D23CB-0B7E-4503-B714-1250D1E01A74} S-1-5-18:NT AUTHORITY\System:Service:
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:824
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABBAGQAbwBiAGUARgBvAG4AdABQAGEAYwBrAFwAbQBhAGkAbgAuAGQAbABsACIA
        2⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1492
        • C:\Windows\system32\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:624
          • C:\Windows\SysWOW64\regsvr32.exe
            C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
            4⤵
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            PID:2000

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      60KB

      MD5

      589c442fc7a0c70dca927115a700d41e

      SHA1

      66a07dace3afbfd1aa07a47e6875beab62c4bb31

      SHA256

      2e5cb72e9eb43baafb6c6bfcc573aac92f49a8064c483f9d378a9e8e781a526a

      SHA512

      1b5fa79e52be495c42cf49618441fb7012e28c02e7a08a91da9213db3ab810f0e83485bc1dd5f625a47d0ba7cfcdd5ea50acc9a8dcebb39f048c40f01e94155b

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      340B

      MD5

      b187c0eba69b055624c5b56870681a90

      SHA1

      2f5b77045816b599039a81eb796d3b8b04a31c07

      SHA256

      847c4eb51c85495fa151e06a35b4ff4e37b2e3ef1a52292917ad36e3cfd12536

      SHA512

      6d67d5dfb767b65b1abfdc2364642b120c10bcbe02bb45804a71a9792e185750d9bf344360b67ede807c3b8dc9af0f67183db7920cc55fcb96fe9b351e7458e7

      Download Submit
    • C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
      Filesize

      777KB

      MD5

      926382093a313282f4a1639944f3fb0c

      SHA1

      851380d94deeb031aad806795d760f3982399850

      SHA256

      1ce7c87d8dc79ace14eb2a1be829f2d3b321b70717f723a61998ab3b9112eec8

      SHA512

      f315d01e8475c4bc73a9c2e18c17c462b826dec66d9900534f0ccddd08f782642828fe1c2b3a04049f82c38f24cd48f419c7d1c91200ca1de32f27642ac145d3

      Download Submit
    • C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
      Filesize

      777KB

      MD5

      926382093a313282f4a1639944f3fb0c

      SHA1

      851380d94deeb031aad806795d760f3982399850

      SHA256

      1ce7c87d8dc79ace14eb2a1be829f2d3b321b70717f723a61998ab3b9112eec8

      SHA512

      f315d01e8475c4bc73a9c2e18c17c462b826dec66d9900534f0ccddd08f782642828fe1c2b3a04049f82c38f24cd48f419c7d1c91200ca1de32f27642ac145d3

      Download Submit
    • C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs
      Filesize

      68B

      MD5

      0308aa2c8dab8a69de41f5d16679bb9b

      SHA1

      c6827bf44a433ff086e787653361859d6f6e2fb3

      SHA256

      0a7e8fd68575db5f84c18b9a26e4058323d1357e2a29a5b12278e4bfa6939489

      SHA512

      1a1ca92e3c8d52c8b5adbb3117a88d8a2a8c33eaf2f7b0d620fe006653f57f4ba0b803884616594ca31e13a1b0b59ddae52cecf044621ec44371084dac6beb72

      Download Submit
    • \??\PIPE\wkssvc
      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

      Download Submit
    • \Users\Admin\AppData\Local\AdobeFontPack\main.dll
      Filesize

      777KB

      MD5

      926382093a313282f4a1639944f3fb0c

      SHA1

      851380d94deeb031aad806795d760f3982399850

      SHA256

      1ce7c87d8dc79ace14eb2a1be829f2d3b321b70717f723a61998ab3b9112eec8

      SHA512

      f315d01e8475c4bc73a9c2e18c17c462b826dec66d9900534f0ccddd08f782642828fe1c2b3a04049f82c38f24cd48f419c7d1c91200ca1de32f27642ac145d3

      Download Submit
    • \Users\Admin\AppData\Local\AdobeFontPack\main.dll
      Filesize

      777KB

      MD5

      926382093a313282f4a1639944f3fb0c

      SHA1

      851380d94deeb031aad806795d760f3982399850

      SHA256

      1ce7c87d8dc79ace14eb2a1be829f2d3b321b70717f723a61998ab3b9112eec8

      SHA512

      f315d01e8475c4bc73a9c2e18c17c462b826dec66d9900534f0ccddd08f782642828fe1c2b3a04049f82c38f24cd48f419c7d1c91200ca1de32f27642ac145d3

      Download Submit
    • memory/540-59-0x0000000000000000-mapping.dmp
      Download
    • memory/624-86-0x0000000000000000-mapping.dmp
      Download
    • memory/920-58-0x0000000000000000-mapping.dmp
      Download
    • memory/944-54-0x000007FEFBF11000-0x000007FEFBF13000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1176-79-0x0000000000000000-mapping.dmp
      Download
    • memory/1308-80-0x0000000000080000-0x00000000000A2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1308-73-0x0000000000000000-mapping.dmp
      Download
    • memory/1308-75-0x00000000748B1000-0x00000000748B3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1308-78-0x0000000000080000-0x00000000000A2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1492-91-0x0000000000E9B000-0x0000000000EBA000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1492-84-0x000007FEF3810000-0x000007FEF436D000-memory.dmp
      Filesize

      11.4MB

      Download
    • memory/1492-85-0x0000000000E94000-0x0000000000E97000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1492-83-0x000007FEF4370000-0x000007FEF4D93000-memory.dmp
      Filesize

      10.1MB

      Download
    • memory/1492-89-0x0000000000E94000-0x0000000000E97000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1492-81-0x0000000000000000-mapping.dmp
      Download
    • memory/1612-66-0x0000000001E90000-0x0000000001F56000-memory.dmp
      Filesize

      792KB

      Download
    • memory/1612-64-0x0000000075801000-0x0000000075803000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1612-72-0x0000000000150000-0x00000000001D0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/1612-71-0x0000000000230000-0x0000000000252000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1612-70-0x0000000000150000-0x00000000001D0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/1612-68-0x0000000000230000-0x0000000000252000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1612-69-0x0000000000230000-0x0000000000252000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1612-67-0x0000000000230000-0x0000000000252000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1612-63-0x0000000000000000-mapping.dmp
      Download
    • memory/1612-77-0x0000000000230000-0x0000000000252000-memory.dmp
      Filesize

      136KB

      Download
    • memory/2000-90-0x0000000000000000-mapping.dmp
      Download
    • memory/2000-94-0x0000000000670000-0x0000000000736000-memory.dmp
      Filesize

      792KB

      Download
    • memory/2000-95-0x00000000007A0000-0x00000000007C2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/2000-96-0x00000000007A0000-0x00000000007C2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/2000-97-0x00000000007A0000-0x00000000007C2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/2000-98-0x0000000000770000-0x0000000000792000-memory.dmp
      Filesize

      136KB

      Download
    • memory/2000-99-0x00000000007A0000-0x00000000007C2000-memory.dmp
      Filesize

      136KB

      Download