Malware Analysis Report

2024-11-15 09:14

Sample ID 230601-vb15lsfg5s
Target 09345699.js
SHA256 44e029dd6210c4906a82e1f16dd5ebed434efd225dafb92fc560e6ff6d1ee948
Tags
qakbot obama266 1685611378 banker stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

44e029dd6210c4906a82e1f16dd5ebed434efd225dafb92fc560e6ff6d1ee948

Threat Level: Known bad

The file 09345699.js was found to be: Known bad.

Malicious Activity Summary

qakbot obama266 1685611378 banker stealer trojan

Qakbot/Qbot

Blocklisted process makes network request

Loads dropped DLL

Enumerates connected drives

Drops file in Windows directory

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Uses Volume Shadow Copy service COM API

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-01 16:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-01 16:49

Reported

2023-06-01 16:52

Platform

win7-20230220-en

Max time kernel

150s

Max time network

126s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\09345699.js

Signatures

Qakbot/Qbot

trojan banker stealer qakbot

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI50E9.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB1CE.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\6cb08e.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\6cb08c.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\6cb08c.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1220 wrote to memory of 868 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\rundll32.exe
PID 1220 wrote to memory of 868 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\rundll32.exe
PID 1220 wrote to memory of 868 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\rundll32.exe
PID 1220 wrote to memory of 1240 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\wscript.exe
PID 1220 wrote to memory of 1240 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\wscript.exe
PID 1220 wrote to memory of 1240 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\wscript.exe
PID 868 wrote to memory of 1564 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 868 wrote to memory of 1564 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 868 wrote to memory of 1564 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 868 wrote to memory of 1564 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 868 wrote to memory of 1564 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 868 wrote to memory of 1564 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 868 wrote to memory of 1564 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1564 wrote to memory of 1060 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe
PID 1564 wrote to memory of 1060 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe
PID 1564 wrote to memory of 1060 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe
PID 1564 wrote to memory of 1060 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe
PID 1564 wrote to memory of 1060 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe
PID 1564 wrote to memory of 1060 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe
PID 1564 wrote to memory of 1060 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\09345699.js

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003C8" "0000000000000490"

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs

C:\Windows\SysWOW64\wermgr.exe

C:\Windows\SysWOW64\wermgr.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 garokelka.com udp
NL 217.195.153.225:443 garokelka.com tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.153:80 apps.identrust.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab4C01.tmp

MD5 fc4666cbca561e864e7fdf883a9e6661
SHA1 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA256 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512 c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 b5fcc55cffd66f38d548e8b63206c5e6
SHA1 79db08ababfa33a4f644fa8fe337195b5aba44c7
SHA256 7730df1165195dd5bb6b40d6e519b4ce07aceb03601a77bca6535d31698d4ca1
SHA512 aaa17175e90dbca04f0fa753084731313e70119fef7d408b41ff4170116ab24eaee0bd05dca2cc43464b1ee920819e5ce6f6e750d97e3c4fc605f01e7ff9c649

C:\Windows\Installer\MSI50E9.tmp

MD5 84582448976f91c7b85a9289112d5dfc
SHA1 0fd91858edae24942722121c5bbe8d851ecd82d6
SHA256 8b86429a795d8cae800a229a94df9141974f18c541d27e04af589962cc36044c
SHA512 d68f0d7dd6631d18c72cd85f6fd04935d2a123f276c7df0d166b1c0c13e9118610b30d7509579069a1e20e4bbb49f758a6ee3ec92b44d65d369df2263cc01971

C:\Config.Msi\6cb08d.rbs

MD5 1819aae44a74096bbe0ba41195c29b57
SHA1 51ed973983b3223afb6217c11c4136cb84fc92d6
SHA256 342a6c51454810ef8bf251c311b856107a5008bb9f00ff0112119308c06ec2fc
SHA512 3272adfd5a289e0e153f076795626424a0a3e7c72caa496dbed1d9ed0e6025c2e7993a7906bb068bd487f704203a55762ed861de5f79765570f59507c0e31e5b

C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll

MD5 b0a30ac60658d778ace59353d19c6764
SHA1 7b2d1b208c94b0d37904503f35625c8b37586d8f
SHA256 c24d21fe7d97504e61900353a81ddad838a7892581eaeebc62cb9e208e304c0d
SHA512 3ac78f804a32d75674a6a473e4880e168a61bbebd47f4c2f5cc77bffd8cda11cf1b44922c504537405af3c5261e501a1e01d1c3353a8e517b777e56367a3a696

\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll

MD5 b0a30ac60658d778ace59353d19c6764
SHA1 7b2d1b208c94b0d37904503f35625c8b37586d8f
SHA256 c24d21fe7d97504e61900353a81ddad838a7892581eaeebc62cb9e208e304c0d
SHA512 3ac78f804a32d75674a6a473e4880e168a61bbebd47f4c2f5cc77bffd8cda11cf1b44922c504537405af3c5261e501a1e01d1c3353a8e517b777e56367a3a696

\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll

MD5 b0a30ac60658d778ace59353d19c6764
SHA1 7b2d1b208c94b0d37904503f35625c8b37586d8f
SHA256 c24d21fe7d97504e61900353a81ddad838a7892581eaeebc62cb9e208e304c0d
SHA512 3ac78f804a32d75674a6a473e4880e168a61bbebd47f4c2f5cc77bffd8cda11cf1b44922c504537405af3c5261e501a1e01d1c3353a8e517b777e56367a3a696

\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll

MD5 b0a30ac60658d778ace59353d19c6764
SHA1 7b2d1b208c94b0d37904503f35625c8b37586d8f
SHA256 c24d21fe7d97504e61900353a81ddad838a7892581eaeebc62cb9e208e304c0d
SHA512 3ac78f804a32d75674a6a473e4880e168a61bbebd47f4c2f5cc77bffd8cda11cf1b44922c504537405af3c5261e501a1e01d1c3353a8e517b777e56367a3a696

\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll

MD5 b0a30ac60658d778ace59353d19c6764
SHA1 7b2d1b208c94b0d37904503f35625c8b37586d8f
SHA256 c24d21fe7d97504e61900353a81ddad838a7892581eaeebc62cb9e208e304c0d
SHA512 3ac78f804a32d75674a6a473e4880e168a61bbebd47f4c2f5cc77bffd8cda11cf1b44922c504537405af3c5261e501a1e01d1c3353a8e517b777e56367a3a696

memory/1564-128-0x0000000000170000-0x0000000000173000-memory.dmp

memory/1564-130-0x0000000000180000-0x00000000001A4000-memory.dmp

C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs

MD5 0d4c9f15ce74465c59ae36a27f98c817
SHA1 9cce8eefa4d3d9c5e161c5dbb860cfe1489c6b1a
SHA256 d24e3399060b51f3a1c9d41a67de2601888a35c99da8db70070d757bb3f1913a
SHA512 9bed0eafc2cf2a2360850ca1070ffb04ac14f04c78379485998a93f45012b5c11cc7f6f68129f65b8b5f90437cb965908c6a1bb9d83a56b068d6bde1d5fdad1f

\??\PIPE\wkssvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1060-136-0x00000000000F0000-0x00000000000F2000-memory.dmp

memory/1060-137-0x00000000000C0000-0x00000000000E4000-memory.dmp

memory/1060-143-0x00000000000C0000-0x00000000000E4000-memory.dmp

memory/1060-144-0x00000000000C0000-0x00000000000E4000-memory.dmp

memory/1060-145-0x00000000000C0000-0x00000000000E4000-memory.dmp

memory/1060-146-0x00000000000C0000-0x00000000000E4000-memory.dmp

memory/1060-147-0x00000000000C0000-0x00000000000E4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-01 16:49

Reported

2023-06-01 16:52

Platform

win10v2004-20230220-en

Max time kernel

149s

Max time network

145s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\09345699.js

Signatures

Qakbot/Qbot

trojan banker stealer qakbot

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE7C6.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e56e769.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI740C.tmp C:\Windows\system32\msiexec.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a577c74c521b2f150000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a577c74c0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900a577c74c000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a577c74c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a577c74c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\wscript.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4844 wrote to memory of 4084 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4844 wrote to memory of 4084 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4844 wrote to memory of 4460 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\rundll32.exe
PID 4844 wrote to memory of 4460 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\rundll32.exe
PID 4844 wrote to memory of 4404 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\wscript.exe
PID 4844 wrote to memory of 4404 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\wscript.exe
PID 4460 wrote to memory of 1532 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4460 wrote to memory of 1532 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4460 wrote to memory of 1532 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1532 wrote to memory of 2384 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe
PID 1532 wrote to memory of 2384 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe
PID 1532 wrote to memory of 2384 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe
PID 1532 wrote to memory of 2384 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe
PID 1532 wrote to memory of 2384 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe
PID 1532 wrote to memory of 2384 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\09345699.js

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next

C:\Windows\SysWOW64\wermgr.exe

C:\Windows\SysWOW64\wermgr.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 garokelka.com udp
NL 217.195.153.225:443 garokelka.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 225.153.195.217.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 58.250.217.23.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 40.125.122.176:443 tcp
IE 13.69.239.73:443 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
NL 8.238.178.254:80 tcp
NL 8.238.178.254:80 tcp
NL 8.238.178.254:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 131.253.33.203:80 tcp
US 40.125.122.176:443 tcp
US 8.8.8.8:53 44.8.109.52.in-addr.arpa udp
US 93.184.221.240:80 tcp
US 40.125.122.176:443 tcp
US 40.125.122.176:443 tcp
US 40.125.122.176:443 tcp
US 40.125.122.176:443 tcp

Files

C:\Windows\Installer\MSI740C.tmp

MD5 6ae8d648f8a9146b7f95b3a7073575d0
SHA1 f980c6e727aeb59bf3e6e77d3169448989995ad0
SHA256 e4740d41deca81aedd912cc1f1cb5a52dbf9a8d7dfdaa8adbcb6da119379fe3d
SHA512 50b30cee011918cd584c08b64871373edd5284af3cbaef04174ec48c63ab35ae8de8e85d35d1c2e9bfb389fcf1d9a7dcf0f246c958191beacd0e14557a65e054

C:\Config.Msi\e56e768.rbs

MD5 379d34377a77bc33f20a6f5ccb7e6f82
SHA1 43b5dc4ccb006bf632d3a6be1ee6437ca4d8a7bc
SHA256 4adefbf654ed39c6ce87251ab5f7e3168ec45ef82259a4f6f814dd4f77cf1215
SHA512 979fdc69c0a1742181213ee75131c5a0652a0fe56c62cb1d4626dac36b60743ab42e7c4d7d2d5342b9d148b830cfa972a73076387a0151a5149dddb6e60e33be

C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll

MD5 f8090ce52ba92370700730571eae8324
SHA1 a23475ba810e5aa65de0b3b6b566a3407015e4a1
SHA256 34185364f0df3da1b86d02067a7e6641ac0e89cb8f03da38186c3bb2413c9dfb
SHA512 d0659e9b21dc8a8ef14543ff480133ef4c220e737dc91b13df6564c4f505ded6f51b7d6822cc7e08f00d711b2afce8042bba3148d70bbcc7cc4f65d74a6b967d

C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs

MD5 0d4c9f15ce74465c59ae36a27f98c817
SHA1 9cce8eefa4d3d9c5e161c5dbb860cfe1489c6b1a
SHA256 d24e3399060b51f3a1c9d41a67de2601888a35c99da8db70070d757bb3f1913a
SHA512 9bed0eafc2cf2a2360850ca1070ffb04ac14f04c78379485998a93f45012b5c11cc7f6f68129f65b8b5f90437cb965908c6a1bb9d83a56b068d6bde1d5fdad1f

C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll

MD5 f8090ce52ba92370700730571eae8324
SHA1 a23475ba810e5aa65de0b3b6b566a3407015e4a1
SHA256 34185364f0df3da1b86d02067a7e6641ac0e89cb8f03da38186c3bb2413c9dfb
SHA512 d0659e9b21dc8a8ef14543ff480133ef4c220e737dc91b13df6564c4f505ded6f51b7d6822cc7e08f00d711b2afce8042bba3148d70bbcc7cc4f65d74a6b967d

memory/1532-165-0x00000000009A0000-0x00000000009A3000-memory.dmp

memory/1532-166-0x00000000009B0000-0x00000000009D4000-memory.dmp

memory/2384-171-0x0000000000DE0000-0x0000000000DE2000-memory.dmp

memory/2384-172-0x0000000000DB0000-0x0000000000DD4000-memory.dmp

memory/2384-178-0x0000000000DB0000-0x0000000000DD4000-memory.dmp

memory/2384-179-0x0000000000DB0000-0x0000000000DD4000-memory.dmp

memory/2384-180-0x0000000000DB0000-0x0000000000DD4000-memory.dmp

memory/2384-181-0x0000000000DB0000-0x0000000000DD4000-memory.dmp

memory/2384-182-0x0000000000DB0000-0x0000000000DD4000-memory.dmp

\??\Volume{4cc777a5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{3465b196-19a7-4dc8-9a83-b28a3081ed43}_OnDiskSnapshotProp

MD5 a2e5fa84771bd7d437ce2e143fef16d3
SHA1 e67f90bb92fd5902bc0a073c630d1fdbc9667423
SHA256 0082d4cbaad0c100cf30acef0e7e896bddabaa55a89c102f7f3c95cc53b9d09d
SHA512 69795c027e619cdf7d9507786bf0349316286f17d942f615bba850b434a427dbc946f0cdc64e89f56d84288e40bd7eb6fee0e02a5140f9812f8ea69d95f8beba

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 b9d924a15f53d4fa564bd4d403d71d9a
SHA1 4b42857c08be8b39bb6840cec2bd56253a2f05ce
SHA256 9d4432c8ce4eef54dbf3c5fd45503c77941235465aea7e5230e26c58abc104ef
SHA512 75cb67a44baefa3dfc68dd83f88b1ff9d45d9447e76565a14a0c8a211b7e5bd28587a9468d1f5da0caae134448c8149bdf3570120dfe178e91818526f406e6bb