Analysis
- max time kernel: 299s
- max time network: 264s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system
- submitted: 01-06-2023 16:44
- Static task: static1
- Behavioral task: behavioral1
- Sample: 83648865d6015e61bf4c45a3aa17b8ce86951bcfc28a70fe36cfc2f597984c4a.msi
- Resource: win7-20230220-en
General
- Target: 83648865d6015e61bf4c45a3aa17b8ce86951bcfc28a70fe36cfc2f597984c4a.msi
- Size: 404KB
- MD5: e381e9903abc3b3c725c53838467a257
- SHA1: e14b0b365ba6cca98f6f7380617ed1362fee6b89
- SHA256: 83648865d6015e61bf4c45a3aa17b8ce86951bcfc28a70fe36cfc2f597984c4a
- SHA512: d09765cd4e69471b3b7be51c2d0c6c2178c45101fd5bcffbd2cbbd10958596c1eb0653857bf75ae621e064109756b33df6384bd55179f844d760dcf0df41d3ca
- SSDEEP: 6144:MNVPe+3R6gz8C1psDVw8EAYwzPJLNee9iZiYnCpqvY1dGujAyep5vDhPLu6RAeHE:xxCriEQzPJLNee9Lp1NjAyefvDI6RjE
Malware Config
Extracted
- Family: qakbot
- Version: 404.1346
- Botnet: obama266
- Campaign: 1685611378
Signatures
Loads dropped DLL (1 IoC)
Processes: rundll32.exe (PID 3032)
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe (two instances)
- File opened (read-only) by msiexec.exe, each of the following twice: \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
Drops file in Windows directory (8 IoCs)
Processes: msiexec.exe
- File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
- File opened for modification: C:\Windows\Installer\
- File created: C:\Windows\Installer\inprogressinstallinfo.ipi
- File created: C:\Windows\Installer\SourceHash{4786CB10-2C75-4B19-998C-42F72CDFEBAB}
- File opened for modification: C:\Windows\Installer\MSIE8AF.tmp
- File created: C:\Windows\Installer\e56e759.msi
- File created: C:\Windows\Installer\e56e757.msi
- File opened for modification: C:\Windows\Installer\e56e757.msi
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: vssvc.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr
- Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache
- Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: msiexec.exe (PID 5084, 2 events), rundll32.exe (PID 3032, 2 events), wermgr.exe (PID 1596, 60 events)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: msiexec.exe (PID 544), msiexec.exe (PID 5084), vssvc.exe (PID 4672)
- msiexec.exe (PID 544): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (SeShutdownPrivilege and SeIncreaseQuotaPrivilege each appear twice)
- msiexec.exe (PID 5084): SeSecurityPrivilege, SeBackupPrivilege, then SeRestorePrivilege and SeTakeOwnershipPrivilege repeatedly, alternating
- vssvc.exe (PID 4672): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: msiexec.exe (PID 544, 2 events)
Suspicious use of WriteProcessMemory (15 IoCs)
Processes: msiexec.exe (PID 5084), rundll32.exe (PID 3924), rundll32.exe (PID 3032)
- PID 5084 msiexec.exe wrote to memory of PID 5116 srtasks.exe (2 events)
- PID 5084 msiexec.exe wrote to memory of PID 3924 rundll32.exe (2 events)
- PID 5084 msiexec.exe wrote to memory of PID 1244 wscript.exe (2 events)
- PID 3924 rundll32.exe wrote to memory of PID 3032 rundll32.exe (3 events)
- PID 3032 rundll32.exe wrote to memory of PID 1596 wermgr.exe (6 events)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe (PID 544)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\83648865d6015e61bf4c45a3aa17b8ce86951bcfc28a70fe36cfc2f597984c4a.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 5084)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\system32\srtasks.exe (PID 5116)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - C:\Windows\system32\rundll32.exe (PID 3924)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\rundll32.exe (PID 3032)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      Children:
      - C:\Windows\SysWOW64\wermgr.exe (PID 1596)
        Command line: C:\Windows\SysWOW64\wermgr.exe
        - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\system32\wscript.exe (PID 1244)
    Command line: wscript.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs
- C:\Windows\system32\vssvc.exe (PID 4672)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 9KB
  MD5: bdb89c266187de7cf94d21a1b1f4eb2e
  SHA1: 7e91aead263526362432d8f88c2e0e97116eb7b4
  SHA256: 930eef4450e8d819a15a196598b45098b07c5d56e3498f40132f7ca1bd50e92f
  SHA512: 2ec98d0594aa6b9f48d6c0b9bf53e708fdcea62385595a13e978d85d8aee7df49baaa38b7ba0840da54b1cc8599fe9ad2aa8f2b16edfe88c362475fd56edf675
- Filesize: 752KB
  MD5: 2185add4a967f3d974a73fc9b842633b
  SHA1: ec64fe7e0409efbf0854c2158569f2f6d6c053a3
  SHA256: 8919918640ed4cf30c6a6a200a7ed768b38d11e247a17266816fa96411404e03
  SHA512: e9a9b55ead2afbfb15183394ffb949ad253eabcd756f22561d4b1aa4838a64a057d50343c6518c2c940af22e77a0a0dcbe562a3e138d4766838d08fe11af7066
- Filesize: 132B
  MD5: 0d4c9f15ce74465c59ae36a27f98c817
  SHA1: 9cce8eefa4d3d9c5e161c5dbb860cfe1489c6b1a
  SHA256: d24e3399060b51f3a1c9d41a67de2601888a35c99da8db70070d757bb3f1913a
  SHA512: 9bed0eafc2cf2a2360850ca1070ffb04ac14f04c78379485998a93f45012b5c11cc7f6f68129f65b8b5f90437cb965908c6a1bb9d83a56b068d6bde1d5fdad1f
- Filesize: 404KB
  MD5: e381e9903abc3b3c725c53838467a257
  SHA1: e14b0b365ba6cca98f6f7380617ed1362fee6b89
  SHA256: 83648865d6015e61bf4c45a3aa17b8ce86951bcfc28a70fe36cfc2f597984c4a
  SHA512: d09765cd4e69471b3b7be51c2d0c6c2178c45101fd5bcffbd2cbbd10958596c1eb0653857bf75ae621e064109756b33df6384bd55179f844d760dcf0df41d3ca
- Filesize: 23.0MB
  MD5: 82dd66aa224dea1ad210d939ea651952
  SHA1: f65318c53d8c4b7e4acfd01278a6d5cab19d6453
  SHA256: 78979e24d9bb51ee7b1bc17fd4a1a46fe8dfa5f39f823bdce4b824439d3fd040
  SHA512: 42c9007f4564d6b5de3e825dd33b26d2f32f7dfe29f2a393b53127f153b1c6f96de34649e2a6a603ee2efb4596ac68d80272d8511f43a329f5ced5bf3b04c08f
- \??\Volume{af0fc727-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5c6bc1a0-ba0a-4d42-9a05-fea9c4b09b66}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5: d4dbff5df7fd53ebbaf3d6950d18e06b
  SHA1: 2cb1530d7ab75d029b72258176c132d7bff8a501
  SHA256: 79d9fb2a602a7d45287bc4bbac969275811ca5c8fe8cb0d6b3ec84590b3c5a82
  SHA512: fb9632a399a0736c239b0c0a26d64fd68ab1a8bd68d88fd2fec3495e8dcda95991196de7233be7dbe19b494445a41f95bf89434b9d2e60293d1b0096d4a3e176