qakbot | 7d1c0c7e4cbfe49926451ab6365455e5f3889fb17e2508afa9f6e2ebeedaa2c1

General

Target

PDF_3028225.msi
Size

484KB
MD5

47847ac5f01e037c1a18becc0dfd4611
SHA1

d6f37b18252787c2c2c31358e741d9b834440331
SHA256

7d1c0c7e4cbfe49926451ab6365455e5f3889fb17e2508afa9f6e2ebeedaa2c1
SHA512

7630b223cddfc31ef7afee9972ab4a5100b048d35f526211e331f4717260e2c29b0962ad35271701b00c5c379f7798004f5140abe8dbc88ddf083d8b2ee78004

Score

10^/10

qakbot vip01 1657631718 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.780

Botnet

vip01

Campaign

1657631718

C2

47.23.89.60:993

37.34.253.233:443

196.203.37.215:80

89.211.209.234:2222

81.158.239.251:2078

179.111.8.52:32101

208.107.221.224:443

24.158.23.166:995

66.230.104.103:443

92.132.132.81:2222

24.139.72.117:443

174.80.15.101:2083

24.178.196.158:2222

100.38.242.113:995

37.186.58.99:995

24.55.67.176:443

74.14.5.179:2222

172.114.160.81:443

40.134.246.185:995

63.143.92.99:995

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Blocklisted process makes network request 2 IoCs

Processes:

msiexec.exemsiexec.exe

flow pid process

2 1356 msiexec.exe
3 1504 msiexec.exe
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

972 regsvr32.exe
1320 regsvr32.exe

flow	pid	process
2	1356	msiexec.exe
3	1504	msiexec.exe

pid	process
972	regsvr32.exe
1320	regsvr32.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exeexplorer.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	explorer.exe

Drops file in Windows directory 10 IoCs

Processes:

msiexec.exeDrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\6c474f.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\6c474e.msi	msiexec.exe
File created	C:\Windows\Installer\6c474f.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\6c474e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4B50.tmp	msiexec.exe
File created	C:\Windows\Installer\6c4751.msi	msiexec.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1460 schtasks.exe

pid	process
1460	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

DrvInst.exeexplorer.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00aa000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Oghvuvavrms\99a3b29e = 9e63ede07bc2542e8177d4a989e37146be4a72b04eaa5abad6282b1b297cc6a345aaa243e1bf7aebc472618425aca95790f0377aa007c8c6a1ac9341725301daf728c7c76fc0f7535b2121d048045756153abff407c97c6a22f1608e0ed3a57d24b3eae111863fde2267e604b7ed0d7c55364dad74212c125b395632a96f87c666a8ee0c16f1cfee8f2607ea78e8f0b90fa6fa84dedd24eb966a53eed16bde8b3509e9552089c54535ae99d7	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Fkciilk	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Oghvuvavrms\9be292e2 = 7559051f565da553c5444656ebbd0eb9c8451a64c3e69712b3b0a641a55a13b00456a40a5f9fc68180d2dfa95cfc3e0d10c17965cbca630e6ccd016ed8246edd5966	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Oghvuvavrms\235ef587 = 55f87cb4c8353fb7250a988ffa971f31e7ce0aa9df73ae0753f8e9961c74ef97fc9f95438268071f0b5f92c7f5046b3813ca317a57d115ca9e15d01d8a61ba8ba07f4d45b69ee4167cd1fa3635f6323a740d74526cd61431df97b7ab11b7390fd750e1433e9a38	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oghvuvavrms	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Fkciilk\acebb804 = 277d9b603b37d2ab2167f889c210a689db23325e70e3029bf364f44398e1a7c81d50280acbe7221296fb2a5904bcc4fd0f8a4a9454f72511c64ef3c496d5aba25eb63ee4773a0c99d76baea79b4cd53137c1	explorer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{33D9086B-5346-4FCA-B995-6E61BF463933}	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Fkciilk\21c80f2f = 04d99dc0e9be3e8fe8f788cf462efbdadd0141285eb965560ef08a9ad9edb16af665f6075210d047b8e608962ff4b465e4985c2e02a93ce8419602a5da6c3c1a595f92297ec9b0d35294fcef	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{33D9086B-5346-4FCA-B995-6E61BF463933}\WpadDecisionReason = "1"	explorer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{33D9086B-5346-4FCA-B995-6E61BF463933}\WpadNetworkName = "Network 3"	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-5f-d7-0e-fa-22\WpadDecisionReason = "1"	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Oghvuvavrms\e6eadd68 = d490bbe3e5d8d17ef013dd0b4b4675776ad82826a69f21ecd5f2069abe8b3a42a7c40c4cbe2d75869c917a712c6758dea2e0ffb65b1412e963ae697fb687495fdf06cb8db871ccaeb0d986e13fd2eaab28eb010b	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-5f-d7-0e-fa-22\WpadDecisionTime = e065043b7198d801	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Fkciilk\5e8160d9 = 23313bed1eacae30163a3a885d650d38d1cfe519fc78c555bdf8cd39c5a115e9bc829e3d29ac03c80ec5fc4467fd42a87ea1d39381bdfcccc2686c4324796ba96c5bfd9cceb21a878e59e7b1c25a6a1efa490e93354f135e8a730309882a4f9e47b003dd	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{33D9086B-5346-4FCA-B995-6E61BF463933}\7e-5f-d7-0e-fa-22	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = a0c891127198d801	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exeregsvr32.exeexplorer.exe

pid	process
1504	msiexec.exe
1504	msiexec.exe
972	regsvr32.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

regsvr32.exe

pid process

972 regsvr32.exe

pid	process
972	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exeDrvInst.exe

description	pid	process
Token: SeShutdownPrivilege	1356	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1356	msiexec.exe
Token: SeRestorePrivilege	1504	msiexec.exe
Token: SeTakeOwnershipPrivilege	1504	msiexec.exe
Token: SeSecurityPrivilege	1504	msiexec.exe
Token: SeCreateTokenPrivilege	1356	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1356	msiexec.exe
Token: SeLockMemoryPrivilege	1356	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1356	msiexec.exe
Token: SeMachineAccountPrivilege	1356	msiexec.exe
Token: SeTcbPrivilege	1356	msiexec.exe
Token: SeSecurityPrivilege	1356	msiexec.exe
Token: SeTakeOwnershipPrivilege	1356	msiexec.exe
Token: SeLoadDriverPrivilege	1356	msiexec.exe
Token: SeSystemProfilePrivilege	1356	msiexec.exe
Token: SeSystemtimePrivilege	1356	msiexec.exe
Token: SeProfSingleProcessPrivilege	1356	msiexec.exe
Token: SeIncBasePriorityPrivilege	1356	msiexec.exe
Token: SeCreatePagefilePrivilege	1356	msiexec.exe
Token: SeCreatePermanentPrivilege	1356	msiexec.exe
Token: SeBackupPrivilege	1356	msiexec.exe
Token: SeRestorePrivilege	1356	msiexec.exe
Token: SeShutdownPrivilege	1356	msiexec.exe
Token: SeDebugPrivilege	1356	msiexec.exe
Token: SeAuditPrivilege	1356	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1356	msiexec.exe
Token: SeChangeNotifyPrivilege	1356	msiexec.exe
Token: SeRemoteShutdownPrivilege	1356	msiexec.exe
Token: SeUndockPrivilege	1356	msiexec.exe
Token: SeSyncAgentPrivilege	1356	msiexec.exe
Token: SeEnableDelegationPrivilege	1356	msiexec.exe
Token: SeManageVolumePrivilege	1356	msiexec.exe
Token: SeImpersonatePrivilege	1356	msiexec.exe
Token: SeCreateGlobalPrivilege	1356	msiexec.exe
Token: SeBackupPrivilege	2028	vssvc.exe
Token: SeRestorePrivilege	2028	vssvc.exe
Token: SeAuditPrivilege	2028	vssvc.exe
Token: SeBackupPrivilege	1504	msiexec.exe
Token: SeRestorePrivilege	1504	msiexec.exe
Token: SeRestorePrivilege	768	DrvInst.exe
Token: SeRestorePrivilege	768	DrvInst.exe
Token: SeRestorePrivilege	768	DrvInst.exe
Token: SeRestorePrivilege	768	DrvInst.exe
Token: SeRestorePrivilege	768	DrvInst.exe
Token: SeRestorePrivilege	768	DrvInst.exe
Token: SeRestorePrivilege	768	DrvInst.exe
Token: SeLoadDriverPrivilege	768	DrvInst.exe
Token: SeLoadDriverPrivilege	768	DrvInst.exe
Token: SeLoadDriverPrivilege	768	DrvInst.exe
Token: SeRestorePrivilege	1504	msiexec.exe
Token: SeTakeOwnershipPrivilege	1504	msiexec.exe
Token: SeRestorePrivilege	1504	msiexec.exe
Token: SeTakeOwnershipPrivilege	1504	msiexec.exe
Token: SeRestorePrivilege	1504	msiexec.exe
Token: SeTakeOwnershipPrivilege	1504	msiexec.exe
Token: SeRestorePrivilege	1504	msiexec.exe
Token: SeTakeOwnershipPrivilege	1504	msiexec.exe
Token: SeRestorePrivilege	1504	msiexec.exe
Token: SeTakeOwnershipPrivilege	1504	msiexec.exe
Token: SeRestorePrivilege	1504	msiexec.exe
Token: SeTakeOwnershipPrivilege	1504	msiexec.exe
Token: SeRestorePrivilege	1504	msiexec.exe
Token: SeTakeOwnershipPrivilege	1504	msiexec.exe
Token: SeRestorePrivilege	1504	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

1356 msiexec.exe
1356 msiexec.exe

pid	process
1356	msiexec.exe
1356	msiexec.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

msiexec.exeregsvr32.exeregsvr32.exeexplorer.exetaskeng.exepowershell.exeregsvr32.exe

description	pid	process	target process
PID 1504 wrote to memory of 1052	1504	msiexec.exe	regsvr32.exe
PID 1504 wrote to memory of 1052	1504	msiexec.exe	regsvr32.exe
PID 1504 wrote to memory of 1052	1504	msiexec.exe	regsvr32.exe
PID 1504 wrote to memory of 1052	1504	msiexec.exe	regsvr32.exe
PID 1504 wrote to memory of 1052	1504	msiexec.exe	regsvr32.exe
PID 1504 wrote to memory of 1016	1504	msiexec.exe	wscript.exe
PID 1504 wrote to memory of 1016	1504	msiexec.exe	wscript.exe
PID 1504 wrote to memory of 1016	1504	msiexec.exe	wscript.exe
PID 1052 wrote to memory of 972	1052	regsvr32.exe	regsvr32.exe
PID 1052 wrote to memory of 972	1052	regsvr32.exe	regsvr32.exe
PID 1052 wrote to memory of 972	1052	regsvr32.exe	regsvr32.exe
PID 1052 wrote to memory of 972	1052	regsvr32.exe	regsvr32.exe
PID 1052 wrote to memory of 972	1052	regsvr32.exe	regsvr32.exe
PID 1052 wrote to memory of 972	1052	regsvr32.exe	regsvr32.exe
PID 1052 wrote to memory of 972	1052	regsvr32.exe	regsvr32.exe
PID 972 wrote to memory of 1528	972	regsvr32.exe	explorer.exe
PID 972 wrote to memory of 1528	972	regsvr32.exe	explorer.exe
PID 972 wrote to memory of 1528	972	regsvr32.exe	explorer.exe
PID 972 wrote to memory of 1528	972	regsvr32.exe	explorer.exe
PID 972 wrote to memory of 1528	972	regsvr32.exe	explorer.exe
PID 972 wrote to memory of 1528	972	regsvr32.exe	explorer.exe
PID 1528 wrote to memory of 1460	1528	explorer.exe	schtasks.exe
PID 1528 wrote to memory of 1460	1528	explorer.exe	schtasks.exe
PID 1528 wrote to memory of 1460	1528	explorer.exe	schtasks.exe
PID 1528 wrote to memory of 1460	1528	explorer.exe	schtasks.exe
PID 1704 wrote to memory of 1292	1704	taskeng.exe	powershell.exe
PID 1704 wrote to memory of 1292	1704	taskeng.exe	powershell.exe
PID 1704 wrote to memory of 1292	1704	taskeng.exe	powershell.exe
PID 1292 wrote to memory of 1672	1292	powershell.exe	regsvr32.exe
PID 1292 wrote to memory of 1672	1292	powershell.exe	regsvr32.exe
PID 1292 wrote to memory of 1672	1292	powershell.exe	regsvr32.exe
PID 1292 wrote to memory of 1672	1292	powershell.exe	regsvr32.exe
PID 1292 wrote to memory of 1672	1292	powershell.exe	regsvr32.exe
PID 1672 wrote to memory of 1320	1672	regsvr32.exe	regsvr32.exe
PID 1672 wrote to memory of 1320	1672	regsvr32.exe	regsvr32.exe
PID 1672 wrote to memory of 1320	1672	regsvr32.exe	regsvr32.exe
PID 1672 wrote to memory of 1320	1672	regsvr32.exe	regsvr32.exe
PID 1672 wrote to memory of 1320	1672	regsvr32.exe	regsvr32.exe
PID 1672 wrote to memory of 1320	1672	regsvr32.exe	regsvr32.exe
PID 1672 wrote to memory of 1320	1672	regsvr32.exe	regsvr32.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\PDF_3028225.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1356

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\system32\regsvr32.exe
regsvr32.exe -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\SysWOW64\regsvr32.exe
-n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /Z /ST 17:34 /tn lmzhabdc /ET 17:45 /tr "powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABBAGQAbwBiAGUARgBvAG4AdABQAGEAYwBrAFwAbQBhAGkAbgAuAGQAbABsACIA" /SC ONCE
5⤵
- Creates scheduled task(s)
PID:1460

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs
2⤵
PID:1016

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000494" "0000000000000060"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:768

C:\Windows\system32\taskeng.exe
taskeng.exe {5B6F1B80-EFB4-43C2-BE72-0C3CA7CC32B6} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABBAGQAbwBiAGUARgBvAG4AdABQAGEAYwBrAFwAbQBhAGkAbgAuAGQAbABsACIA
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
3⤵
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\regsvr32.exe
C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
1⤵
- Loads dropped DLL
PID:1320

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
60KB

MD5
589c442fc7a0c70dca927115a700d41e

SHA1
66a07dace3afbfd1aa07a47e6875beab62c4bb31

SHA256
2e5cb72e9eb43baafb6c6bfcc573aac92f49a8064c483f9d378a9e8e781a526a

SHA512
1b5fa79e52be495c42cf49618441fb7012e28c02e7a08a91da9213db3ab810f0e83485bc1dd5f625a47d0ba7cfcdd5ea50acc9a8dcebb39f048c40f01e94155b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
81180e6505eafdf7950673b3e510e370

SHA1
b9adb7725c8910f87728ec4f4a68ccb7c7bf470c

SHA256
c8acca13997e628aed88c556833c0b9622a948efa4584262cd974f812b9a5504

SHA512
a23844fb64c2ebfb6d3d771c341a08007c60b409037b6eedcee335c1e9c6bb76005abb3e5ceeb71d1d32d0a0129f4fa7dd892e79943bdb60b4649c390e1e7e7f

Download Submit
C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
Filesize
777KB

MD5
926382093a313282f4a1639944f3fb0c

SHA1
851380d94deeb031aad806795d760f3982399850

SHA256
1ce7c87d8dc79ace14eb2a1be829f2d3b321b70717f723a61998ab3b9112eec8

SHA512
f315d01e8475c4bc73a9c2e18c17c462b826dec66d9900534f0ccddd08f782642828fe1c2b3a04049f82c38f24cd48f419c7d1c91200ca1de32f27642ac145d3

Download Submit
C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
Filesize
777KB

MD5
926382093a313282f4a1639944f3fb0c

SHA1
851380d94deeb031aad806795d760f3982399850

SHA256
1ce7c87d8dc79ace14eb2a1be829f2d3b321b70717f723a61998ab3b9112eec8

SHA512
f315d01e8475c4bc73a9c2e18c17c462b826dec66d9900534f0ccddd08f782642828fe1c2b3a04049f82c38f24cd48f419c7d1c91200ca1de32f27642ac145d3

Download Submit
C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs
Filesize
68B

MD5
0308aa2c8dab8a69de41f5d16679bb9b

SHA1
c6827bf44a433ff086e787653361859d6f6e2fb3

SHA256
0a7e8fd68575db5f84c18b9a26e4058323d1357e2a29a5b12278e4bfa6939489

SHA512
1a1ca92e3c8d52c8b5adbb3117a88d8a2a8c33eaf2f7b0d620fe006653f57f4ba0b803884616594ca31e13a1b0b59ddae52cecf044621ec44371084dac6beb72

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\AdobeFontPack\main.dll
Filesize
777KB

MD5
926382093a313282f4a1639944f3fb0c

SHA1
851380d94deeb031aad806795d760f3982399850

SHA256
1ce7c87d8dc79ace14eb2a1be829f2d3b321b70717f723a61998ab3b9112eec8

SHA512
f315d01e8475c4bc73a9c2e18c17c462b826dec66d9900534f0ccddd08f782642828fe1c2b3a04049f82c38f24cd48f419c7d1c91200ca1de32f27642ac145d3

Download Submit
\Users\Admin\AppData\Local\AdobeFontPack\main.dll
Filesize
777KB

MD5
926382093a313282f4a1639944f3fb0c

SHA1
851380d94deeb031aad806795d760f3982399850

SHA256
1ce7c87d8dc79ace14eb2a1be829f2d3b321b70717f723a61998ab3b9112eec8

SHA512
f315d01e8475c4bc73a9c2e18c17c462b826dec66d9900534f0ccddd08f782642828fe1c2b3a04049f82c38f24cd48f419c7d1c91200ca1de32f27642ac145d3

Download Submit
memory/972-68-0x0000000000610000-0x0000000000632000-memory.dmp

Filesize
136KB

Download
memory/972-64-0x0000000075541000-0x0000000075543000-memory.dmp

Filesize
8KB

Download
memory/972-66-0x0000000000311000-0x000000000039A000-memory.dmp

Filesize
548KB

Download
memory/972-67-0x0000000000610000-0x0000000000632000-memory.dmp

Filesize
136KB

Download
memory/972-76-0x0000000000610000-0x0000000000632000-memory.dmp

Filesize
136KB

Download
memory/972-69-0x0000000000610000-0x0000000000632000-memory.dmp

Filesize
136KB

Download
memory/972-70-0x00000000005E0000-0x0000000000602000-memory.dmp

Filesize
136KB

Download
memory/972-71-0x0000000000610000-0x0000000000632000-memory.dmp

Filesize
136KB

Download
memory/972-62-0x0000000000000000-mapping.dmp

Download
memory/1016-60-0x0000000000000000-mapping.dmp

Download
memory/1052-58-0x0000000000000000-mapping.dmp

Download
memory/1292-82-0x000007FEF2920000-0x000007FEF3343000-memory.dmp

Filesize
10.1MB

Download
memory/1292-84-0x0000000001254000-0x0000000001257000-memory.dmp

Filesize
12KB

Download
memory/1292-87-0x000000000125B000-0x000000000127A000-memory.dmp

Filesize
124KB

Download
memory/1292-85-0x000000000125B000-0x000000000127A000-memory.dmp

Filesize
124KB

Download
memory/1292-80-0x0000000000000000-mapping.dmp

Download
memory/1292-83-0x000007FEF1DC0000-0x000007FEF291D000-memory.dmp

Filesize
11.4MB

Download
memory/1320-90-0x0000000000000000-mapping.dmp

Download
memory/1356-54-0x000007FEFB751000-0x000007FEFB753000-memory.dmp

Filesize
8KB

Download
memory/1460-78-0x0000000000000000-mapping.dmp

Download
memory/1528-77-0x0000000000080000-0x00000000000A2000-memory.dmp

Filesize
136KB

Download
memory/1528-79-0x0000000000080000-0x00000000000A2000-memory.dmp

Filesize
136KB

Download
memory/1528-74-0x00000000740F1000-0x00000000740F3000-memory.dmp

Filesize
8KB

Download
memory/1528-72-0x0000000000000000-mapping.dmp

Download
memory/1672-86-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads