Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

5q4psw.msi

windows7-x64

10

5q4psw.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    30/05/2023, 20:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5q4psw.msi

  • Size

    496KB

  • MD5

    e35727b10193fe55df216a1f9d166997

  • SHA1

    9ddafa77fc9fdea0085e41aa0f3a1ee0d15d9c8a

  • SHA256

    696156d9a4117cba652b18b012db376fddfbd7db8b26a638c760d61b98d3590d

  • SHA512

    2bba74b0b7f5ee8509310030bb45def13b87394e55edf8d0e51595d6cc669f4b2c7497d95331c09c9f7b453f3c9acdeb03e41cd5e5dc14f9ecb9dd9f79d7ad8d

  • SSDEEP

    12288:wn+NgINNEcfjVRMigNFoILI8KviLjvhAol71Q:wnX9gjVRMDqH8fL154

Score
10/10
qakbotobama2651685436052bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

404.1320

Botnet

obama265

Campaign

1685436052

C2

103.42.86.42:995

174.4.89.3:443

161.142.103.187:995

78.160.146.127:443

84.35.26.14:995

12.172.173.82:20

70.28.50.223:2078

124.149.143.189:2222

70.160.67.203:443

186.64.67.30:443

103.123.223.133:443

94.207.104.225:443

89.114.140.100:443

213.64.33.61:2222

86.176.144.234:2222

72.134.124.16:443

47.34.30.133:443

109.50.149.241:2222

85.104.105.67:443

81.111.108.123:443

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Loads dropped DLL 4 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 10 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 63 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\5q4psw.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1324
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Windows\system32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs
      2⤵
        PID:1964
      • C:\Windows\system32\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1064
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
          3⤵
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1828
          • C:\Windows\SysWOW64\wermgr.exe
            C:\Windows\SysWOW64\wermgr.exe
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:1600
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1188
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000057C" "0000000000000494"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:900

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\6c7b5a.rbs
      Filesize

      8KB

      MD5

      446881e8b314b6f64c3c22bec32511f8

      SHA1

      0a4ad2a10a87bd537dae80ebbef0a8cac41d9aa2

      SHA256

      a013a8cd945205a5b90645012db481de17b71c860083bfaa0345e2789d369eaf

      SHA512

      fcc22d78d706be8191f83ef0912ec1cba8c8563dd82b9d377080ccd1b011128cdac66925b72efaef146d59312b3f278fe56ab7ad5190faae4c8022ac6d51ffd4

      Download Submit

    • C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll
      Filesize

      930KB

      MD5

      0c8e5b12b177a199008b2282c7506fff

      SHA1

      0dfee8bae7073512f8bfdabaf0c0b7c882b3864e

      SHA256

      9a407a2f0ba3c0e3ba3cfa2ffd6472db3bc572b8ef08f1fba7139cbd36cc8dca

      SHA512

      6464ec42cccb85e7c067ad9f7c8b804d064a6974e8184bc5134436fad004bf87630869c107bb91f87bdc59f7938a8a157f59a436ce0265c070db32a54c4541b5

      Download Submit

    • C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs
      Filesize

      132B

      MD5

      0d4c9f15ce74465c59ae36a27f98c817

      SHA1

      9cce8eefa4d3d9c5e161c5dbb860cfe1489c6b1a

      SHA256

      d24e3399060b51f3a1c9d41a67de2601888a35c99da8db70070d757bb3f1913a

      SHA512

      9bed0eafc2cf2a2360850ca1070ffb04ac14f04c78379485998a93f45012b5c11cc7f6f68129f65b8b5f90437cb965908c6a1bb9d83a56b068d6bde1d5fdad1f

      Download Submit

    • C:\Windows\Installer\6c7b58.msi
      Filesize

      496KB

      MD5

      e35727b10193fe55df216a1f9d166997

      SHA1

      9ddafa77fc9fdea0085e41aa0f3a1ee0d15d9c8a

      SHA256

      696156d9a4117cba652b18b012db376fddfbd7db8b26a638c760d61b98d3590d

      SHA512

      2bba74b0b7f5ee8509310030bb45def13b87394e55edf8d0e51595d6cc669f4b2c7497d95331c09c9f7b453f3c9acdeb03e41cd5e5dc14f9ecb9dd9f79d7ad8d

      Download Submit

    • \Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll
      Filesize

      930KB

      MD5

      0c8e5b12b177a199008b2282c7506fff

      SHA1

      0dfee8bae7073512f8bfdabaf0c0b7c882b3864e

      SHA256

      9a407a2f0ba3c0e3ba3cfa2ffd6472db3bc572b8ef08f1fba7139cbd36cc8dca

      SHA512

      6464ec42cccb85e7c067ad9f7c8b804d064a6974e8184bc5134436fad004bf87630869c107bb91f87bdc59f7938a8a157f59a436ce0265c070db32a54c4541b5

      Download Submit

    • \Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll
      Filesize

      930KB

      MD5

      0c8e5b12b177a199008b2282c7506fff

      SHA1

      0dfee8bae7073512f8bfdabaf0c0b7c882b3864e

      SHA256

      9a407a2f0ba3c0e3ba3cfa2ffd6472db3bc572b8ef08f1fba7139cbd36cc8dca

      SHA512

      6464ec42cccb85e7c067ad9f7c8b804d064a6974e8184bc5134436fad004bf87630869c107bb91f87bdc59f7938a8a157f59a436ce0265c070db32a54c4541b5

      Download Submit

    • \Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll
      Filesize

      930KB

      MD5

      0c8e5b12b177a199008b2282c7506fff

      SHA1

      0dfee8bae7073512f8bfdabaf0c0b7c882b3864e

      SHA256

      9a407a2f0ba3c0e3ba3cfa2ffd6472db3bc572b8ef08f1fba7139cbd36cc8dca

      SHA512

      6464ec42cccb85e7c067ad9f7c8b804d064a6974e8184bc5134436fad004bf87630869c107bb91f87bdc59f7938a8a157f59a436ce0265c070db32a54c4541b5

      Download Submit

    • \Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll
      Filesize

      930KB

      MD5

      0c8e5b12b177a199008b2282c7506fff

      SHA1

      0dfee8bae7073512f8bfdabaf0c0b7c882b3864e

      SHA256

      9a407a2f0ba3c0e3ba3cfa2ffd6472db3bc572b8ef08f1fba7139cbd36cc8dca

      SHA512

      6464ec42cccb85e7c067ad9f7c8b804d064a6974e8184bc5134436fad004bf87630869c107bb91f87bdc59f7938a8a157f59a436ce0265c070db32a54c4541b5

      Download Submit

    • memory/1600-90-0x00000000000F0000-0x00000000000F2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1600-91-0x00000000000C0000-0x00000000000E4000-memory.dmp

      Filesize

      144KB

      Download

    • memory/1600-97-0x00000000000C0000-0x00000000000E4000-memory.dmp

      Filesize

      144KB

      Download

    • memory/1600-99-0x00000000000C0000-0x00000000000E4000-memory.dmp

      Filesize

      144KB

      Download

    • memory/1600-100-0x00000000000C0000-0x00000000000E4000-memory.dmp

      Filesize

      144KB

      Download

    • memory/1600-101-0x00000000000C0000-0x00000000000E4000-memory.dmp

      Filesize

      144KB

      Download

    • memory/1600-102-0x00000000000C0000-0x00000000000E4000-memory.dmp

      Filesize

      144KB

      Download

    • memory/1828-83-0x00000000001F0000-0x0000000000214000-memory.dmp

      Filesize

      144KB

      Download

    • memory/1828-89-0x0000000010000000-0x0000000010200000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1828-82-0x0000000000160000-0x0000000000163000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1828-98-0x0000000010000000-0x0000000010200000-memory.dmp

      Filesize

      2.0MB

      Download