Analysis
- max time kernel: 152s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/02/2023, 10:28
- Static task: static1
- Behavioral task: behavioral1
- Sample: fbe95e4d58b31a15569d3e4ab057bc47abb193c9afacdda186be51b2c1ac582b.msi
- Resource: win7-20221111-en
General
- Target: fbe95e4d58b31a15569d3e4ab057bc47abb193c9afacdda186be51b2c1ac582b.msi
- Size: 384KB
- MD5: bd0ebd840439189cc64af2d0cd0dd130
- SHA1: 72cef301ca25db6f1aa42f9380ab12ae2e99a725
- SHA256: fbe95e4d58b31a15569d3e4ab057bc47abb193c9afacdda186be51b2c1ac582b
- SHA512: b6298e66cb903d58b0877a0fe9725a6fb35dc2a304a5d79532d2cbc20ee3d85667fab7cc305baf5c9b612bfed9026f54a9371de72d00eb22964fcc9ff91f9b2b
- SSDEEP: 6144:Vn1X0lyS6gYhkJceU2iXT+XYhwNabhXx3r6FiNhRfpwt+42OTTF:V1Xw6gzJceU2khmOC4Nhxpwc6X
Malware Config
Extracted
- Family: qakbot
- Version: 404.430
- Botnet: BB12
- Campaign: 1675090602
- Attributes: salt = SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures

Loads dropped DLL (3 IoCs)
pid | Process
3404 | rundll32.exe (×3)

Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\F: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\F: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe

Drops file in Windows directory (8 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Installer\MSIFC27.tmp | msiexec.exe
File created | C:\Windows\Installer\e56f91c.msi | msiexec.exe
File created | C:\Windows\Installer\e56f91a.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e56f91a.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{0C78EFF1-A2C3-4AA0-BF08-9D99C77DCB6A} | msiexec.exe

Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000106161d2e731958f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000106161d20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900106161d2000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000106161d200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000106161d200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4064 | msiexec.exe (×2)
3404 | rundll32.exe (×2)
808 | wermgr.exe (×60)

Suspicious behavior: MapViewOfSection (1 IoC)
pid | Process
3404 | rundll32.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 1300 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 1300 | msiexec.exe
Token: SeSecurityPrivilege | 4064 | msiexec.exe
Token: SeCreateTokenPrivilege | 1300 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 1300 | msiexec.exe
Token: SeLockMemoryPrivilege | 1300 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 1300 | msiexec.exe
Token: SeMachineAccountPrivilege | 1300 | msiexec.exe
Token: SeTcbPrivilege | 1300 | msiexec.exe
Token: SeSecurityPrivilege | 1300 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1300 | msiexec.exe
Token: SeLoadDriverPrivilege | 1300 | msiexec.exe
Token: SeSystemProfilePrivilege | 1300 | msiexec.exe
Token: SeSystemtimePrivilege | 1300 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 1300 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 1300 | msiexec.exe
Token: SeCreatePagefilePrivilege | 1300 | msiexec.exe
Token: SeCreatePermanentPrivilege | 1300 | msiexec.exe
Token: SeBackupPrivilege | 1300 | msiexec.exe
Token: SeRestorePrivilege | 1300 | msiexec.exe
Token: SeShutdownPrivilege | 1300 | msiexec.exe
Token: SeDebugPrivilege | 1300 | msiexec.exe
Token: SeAuditPrivilege | 1300 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 1300 | msiexec.exe
Token: SeChangeNotifyPrivilege | 1300 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 1300 | msiexec.exe
Token: SeUndockPrivilege | 1300 | msiexec.exe
Token: SeSyncAgentPrivilege | 1300 | msiexec.exe
Token: SeEnableDelegationPrivilege | 1300 | msiexec.exe
Token: SeManageVolumePrivilege | 1300 | msiexec.exe
Token: SeImpersonatePrivilege | 1300 | msiexec.exe
Token: SeCreateGlobalPrivilege | 1300 | msiexec.exe
Token: SeBackupPrivilege | 2632 | vssvc.exe
Token: SeRestorePrivilege | 2632 | vssvc.exe
Token: SeAuditPrivilege | 2632 | vssvc.exe
Token: SeBackupPrivilege | 4064 | msiexec.exe
Token: SeRestorePrivilege | 4064 | msiexec.exe (×2)
Token: SeTakeOwnershipPrivilege | 4064 | msiexec.exe
Token: SeRestorePrivilege | 4064 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4064 | msiexec.exe
Token: SeRestorePrivilege | 4064 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4064 | msiexec.exe
Token: SeRestorePrivilege | 4064 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4064 | msiexec.exe
Token: SeRestorePrivilege | 4064 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4064 | msiexec.exe
Token: SeRestorePrivilege | 4064 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4064 | msiexec.exe
Token: SeRestorePrivilege | 4064 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4064 | msiexec.exe
Token: SeRestorePrivilege | 4064 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4064 | msiexec.exe
Token: SeRestorePrivilege | 4064 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4064 | msiexec.exe
Token: SeRestorePrivilege | 4064 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4064 | msiexec.exe
Token: SeRestorePrivilege | 4064 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4064 | msiexec.exe
Token: SeRestorePrivilege | 4064 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4064 | msiexec.exe
Token: SeRestorePrivilege | 4064 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4064 | msiexec.exe
Token: SeRestorePrivilege | 4064 | msiexec.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
1300 | msiexec.exe (×2)

Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 4064 wrote to memory of 4824 | 4064 | msiexec.exe | 93 (×2)
PID 4064 wrote to memory of 4680 | 4064 | msiexec.exe | 95 (×2)
PID 4064 wrote to memory of 2664 | 4064 | msiexec.exe | 96 (×2)
PID 4680 wrote to memory of 3404 | 4680 | rundll32.exe | 97 (×3)
PID 3404 wrote to memory of 4092 | 3404 | rundll32.exe | 98 (×3)
PID 3404 wrote to memory of 808 | 3404 | rundll32.exe | 99 (×5)
Processes
- C:\Windows\system32\msiexec.exe (PID: 1300)
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\fbe95e4d58b31a15569d3e4ab057bc47abb193c9afacdda186be51b2c1ac582b.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID: 4064)
  command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe (PID: 4824)
    command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - C:\Windows\system32\rundll32.exe (PID: 4680)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\TeamViewer\main.dll,Updt
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID: 3404)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\TeamViewer\main.dll,Updt
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\wermgr.exe (PID: 4092)
        command line: C:\Windows\SysWOW64\wermgr.exe
      - C:\Windows\SysWOW64\wermgr.exe (PID: 808)
        command line: C:\Windows\SysWOW64\wermgr.exe
        - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\system32\wscript.exe (PID: 2664)
    command line: wscript.exe C:\Users\Admin\AppData\Local\TeamViewer\notify.vbs
- C:\Windows\system32\vssvc.exe (PID: 2632)
  command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads