Analysis
max time kernel: 150s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-06-2023 17:51
Static task: static1
Behavioral task: behavioral1
Sample: ajijjq69a4i.msi
Resource: win7-20230220-en
General
Target: ajijjq69a4i.msi
Size: 404KB
MD5: 4d9345ecd4f4536758a4dd378aff7ae5
SHA1: dd7e9082e247a08141d167fd54a4a6d069768f55
SHA256: 37f05f27b5eb0d7debf1af4c9042a2ab6f306c94bdb6a365382100e99a92b321
SHA512: bc3f088499409c5977b6dfa346dd5ac53a3db18f429dcf7e28fd5f0328eb52a0b948ffd46a75cc679a5fb6181e7dace07682af6e15e960234834eaa422a77c0c
SSDEEP: 6144:xnVPe+3R6gz8C1psDVw8EAYwzPJLNee9iZiYnCpqvY1dGujAyep5vDYs+vANHV:yxCriEQzPJLNee9Lp1NjAyefvDYs+gV
Malware Config
Extracted
qakbot
404.1346
obama266
1685611378
Signatures
Loads dropped DLL: 1 IoC
Processes: rundll32.exe (PID 4896)
Enumerates connected drives: 3 TTPs, 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe (two instances)
File opened (read-only) by msiexec.exe: \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (every drive letter except C: and D:; each letter appears twice in the 48 listed IoCs)
Drops file in Windows directory: 8 IoCs
Processes: msiexec.exe
- File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
- File opened for modification C:\Windows\Installer\
- File created C:\Windows\Installer\inprogressinstallinfo.ipi
- File created C:\Windows\Installer\SourceHash{6F551EAC-B124-4A9F-9224-C7220B193560}
- File opened for modification C:\Windows\Installer\MSID631.tmp
- File created C:\Windows\Installer\e56d539.msi
- File created C:\Windows\Installer\e56d537.msi
- File opened for modification C:\Windows\Installer\e56d537.msi
Checks SCSI registry key(s): 3 TTPs, 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: vssvc.exe
- Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = (binary value, elided)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters
- Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr
- Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (binary value, elided)
Suspicious behavior: EnumeratesProcesses: 64 IoCs
Processes: msiexec.exe (PID 4716, 2 entries), rundll32.exe (PID 4896, 2 entries), wermgr.exe (PID 2216, 60 entries)
Suspicious use of AdjustPrivilegeToken: 64 IoCs
Processes: msiexec.exe (PID 3372), msiexec.exe (PID 4716), vssvc.exe (PID 2632)
- msiexec.exe (PID 3372): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- vssvc.exe (PID 2632): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- msiexec.exe (PID 4716): SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating repeatedly for the remainder of the 64 listed entries
Suspicious use of FindShellTrayWindow: 2 IoCs
Processes: msiexec.exe (PID 3372, 2 entries)
Suspicious use of WriteProcessMemory: 15 IoCs
Processes: msiexec.exe, rundll32.exe, rundll32.exe
- PID 4716 msiexec.exe wrote to memory of PID 2544 srtasks.exe (2 entries)
- PID 4716 msiexec.exe wrote to memory of PID 2732 rundll32.exe (2 entries)
- PID 4716 msiexec.exe wrote to memory of PID 3776 wscript.exe (2 entries)
- PID 2732 rundll32.exe wrote to memory of PID 4896 rundll32.exe (3 entries)
- PID 4896 rundll32.exe wrote to memory of PID 2216 wermgr.exe (6 entries)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe (PID 3372)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ajijjq69a4i.msi
  Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 4716)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe (PID 2544)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - C:\Windows\system32\rundll32.exe (PID 2732)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 4896)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
      Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\wermgr.exe (PID 2216)
        Command line: C:\Windows\SysWOW64\wermgr.exe
        Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Windows\system32\wscript.exe (PID 3776)
    Command line: wscript.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs
- C:\Windows\system32\vssvc.exe (PID 2632)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 9KB
  MD5: eeef269bcb27de781cac6da5bfd4ed8f
  SHA1: ce50083474cca6c178e889bc8873e5a3e5abfb61
  SHA256: b3ea304d4856577cf98113bc2d86ba4f2a441b260fcbe0bf77db42a9e9ac47f2
  SHA512: f6e8cfb5088d495dfe14efde6928ba7fa090755471853f4bdc6b6c4f29946ce85ccbeeff8ebc0bfc8c627d9102f97657c52af186ac90acd1a6bf6ffe6cf01e9d
- Filesize: 752KB
  MD5: ef5580960c70965f57577aefae264474
  SHA1: 4cd6a65bc7f0230df3d79e5647c3e6fb052265e4
  SHA256: f901b16f53f39d074b008bca1e4ffa6403ca3b9159b94bcafa9ae838a3ac425e
  SHA512: 5ea04aee0da2f3ad5b8a565387cffc0780be21d30e07c8fde044083c7e8e716ec851c9ec2b19259132615b0d1725d79be64a85eeee2f1a5d9c9153523c4a8ace
- Filesize: 132B
  MD5: 0d4c9f15ce74465c59ae36a27f98c817
  SHA1: 9cce8eefa4d3d9c5e161c5dbb860cfe1489c6b1a
  SHA256: d24e3399060b51f3a1c9d41a67de2601888a35c99da8db70070d757bb3f1913a
  SHA512: 9bed0eafc2cf2a2360850ca1070ffb04ac14f04c78379485998a93f45012b5c11cc7f6f68129f65b8b5f90437cb965908c6a1bb9d83a56b068d6bde1d5fdad1f
- Filesize: 404KB
  MD5: 4d9345ecd4f4536758a4dd378aff7ae5
  SHA1: dd7e9082e247a08141d167fd54a4a6d069768f55
  SHA256: 37f05f27b5eb0d7debf1af4c9042a2ab6f306c94bdb6a365382100e99a92b321
  SHA512: bc3f088499409c5977b6dfa346dd5ac53a3db18f429dcf7e28fd5f0328eb52a0b948ffd46a75cc679a5fb6181e7dace07682af6e15e960234834eaa422a77c0c
- Filesize: 23.0MB
  MD5: 7bb343efc16025f9e506722041ab1fec
  SHA1: 06ed58958c1c420544b27a4ac6ba7b66b01f6619
  SHA256: 1289f7ea3a0bed4fe1ddbc09df34002273ecf742576fafaba80839b4438d37c1
  SHA512: e3cf664d45061e78d98f617fa635345c2efd4272362d556f7d02fc516573091e98d18a83dd07fbe979337143e343f060215be773180b33a26e80431b41c30ad9
- \??\Volume{61956d03-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5d429d21-8915-49d0-8590-62e72301bc7e}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5: 9f068c527ddb72a0e6332816aef680a1
  SHA1: c76832954706846bba01daf65882b9784c3c2dfb
  SHA256: e802e22fd82ce8c05131eb359c5bd43379cbcdbc0fca183ece7f6d6e597947a1
  SHA512: b186c25730fde19c235fc1e46cd3d62ea25ed247e057474b46bfa4097d515cde8b818c5cbd766bea709f201e2ec55725894c0a02f2ed5e81c4353906e619fb6d