Analysis
-
max time kernel
149s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
16-02-2024 21:22
General
-
Target
93a98b919aec23411ae62dba8d0d22f939da45dec19db2b4e7293124d8f1507f.msi
-
Size
1.9MB
-
MD5
82b8bd90e500fb0bf878d6f430c5abec
-
SHA1
f004c09428f2f18a145212a9e55eef3615858f9c
-
SHA256
93a98b919aec23411ae62dba8d0d22f939da45dec19db2b4e7293124d8f1507f
-
SHA512
82b2e997bf5bc0d08ab8dd921aef3e8d620a61c26f86b6f481845ad694d7b97f65dfa42e1c18b83f0f827cad9df69a409b75d96793e5bd7124c26bc7cb07f881
-
SSDEEP
49152:Ksjitd+vszAlozTy4g5r8+5eNBABxGNvXreD68f:rihTyfcXreO8f
Malware Config
Signatures
-
Detect Qakbot Payload 12 IoCs
-
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
-
Blocklisted process makes network request 3 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 12 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 11 IoCs
-
Modifies data under HKEY_USERS 43 IoCs
-
Modifies registry class 12 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 27 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\93a98b919aec23411ae62dba8d0d22f939da45dec19db2b4e7293124d8f1507f.msi1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding DBC95F271871F15424A843AA766EE274 C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 918F8520D027E9A8AD153156F51951FD2⤵
- Loads dropped DLL
-
C:\Windows\Installer\MSIA0B6.tmp"C:\Windows\Installer\MSIA0B6.tmp" /HideWindow rundll32 C:\Users\Admin\AppData\Roaming\KROST.dll,hvsi2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003FC" "00000000000005AC"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\KROST.dll,hvsi1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wermgr.exeC:\Windows\System32\wermgr.exe2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Config.Msi\f769169.rbsFilesize
1KB
MD5e081e70472d4a28e883ead9b33a88d1f
SHA128ebc93be9ced3b53ec1b690c5827fc38d1608a2
SHA2561d13a80f2ed0cf5b6d244a729f02d4cef8a816b3c595a20d499b5297af10f708
SHA5128921a4618e25b806da1ad165eddd2612da581e153a7d19855487eddc13cd2799a994ee0ff37881df0f9cf1359161c8710a120b454906dce9a35336a2c0d6356f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8555326CC9661C9937DC5053B6C38763Filesize
1KB
MD5866912c070f1ecacacc2d5bca55ba129
SHA1b7ab3308d1ea4477ba1480125a6fbda936490cbb
SHA25685666a562ee0be5ce925c1d8890a6f76a87ec16d4d7d5f29ea7419cf20123b69
SHA512f91e855e0346ac8c3379129154e01488bb22cff7f6a6df2a80f1671e43c5df8acae36fdf5ee0eb2320f287a681a326b6f1df36e8e37aa5597c4797dd6b43b7cf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8555326CC9661C9937DC5053B6C38763Filesize
326B
MD571a221d8e6e872d018e5c7ad1a364c80
SHA198458d075cd60765ea5d3251e2fa1f1149496863
SHA25623c9a9fbcb05ed8b5e13bdb5eb0483a198330a521ebdace0918311271162e3be
SHA5127de131434f674974d23d9d3951691e32627fbd2766b1e1702670468925cd466a38fa279b3856840d5a62b5029d34413389de8c1b6f9a9f184c766c79f727b8c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5de5371ec5630cb6fb76a440956c191b0
SHA14d34b1a725873aaa55b7515a5971355ce307e37c
SHA25667d6c2be19d5c9d00972bf0834e95c283684e16a13688059579a203648081de4
SHA5120bcf847b2de78379155ca673b16fe1a1d8cc9280a71d36d4d8f51d607e02faa1df7b6ca0f4317e01bba3378c20fc6ba93d53c44d56ae594b43a98bf0d4216116
-
C:\Users\Admin\AppData\Local\Temp\Cab3027.tmpFilesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\Local\Temp\MSI38B9.tmpFilesize
721KB
MD55a1f2196056c0a06b79a77ae981c7761
SHA1a880ae54395658f129e24732800e207ecd0b5603
SHA25652f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e
SHA5129afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a
-
C:\Users\Admin\AppData\Local\Temp\Tar3049.tmpFilesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
C:\Users\Admin\AppData\Roaming\KROST.dllFilesize
459KB
MD50a29918110937641bbe4a2d5ee5e4272
SHA17d4a6976c1ece81e01d1f16ac5506266d5210734
SHA256780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3
SHA512998a6ee2fa6b345aeea72afaa91add8433e986a2678dbb8995ead786c30bdc00704c39c4857935b20669005b292736d50e1c6ad38901aa1f29db7b6a597fae3f
-
C:\Windows\Installer\MSIA0B6.tmpFilesize
397KB
MD5b41e1b0ae2ec215c568c395b0dbb738a
SHA190d8e50176a1f4436604468279f29a128723c64b
SHA256a97e782c5612c1a9c8a56c56a943f6190fa7a73c346566860b519ef02efd0dca
SHA512828d00ea08aa5c5d28b2e513687ee1ff910670f49f938064682e56da05544ba9d73ba9244f77b5df8acaeeb7b756d62f67e5acbc95bae86b4706f6324c4ccaba
-
\??\PIPE\wkssvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1504-324-0x0000000000060000-0x000000000008E000-memory.dmpFilesize
184KB
-
memory/1504-339-0x0000000000060000-0x000000000008E000-memory.dmpFilesize
184KB
-
memory/1504-346-0x0000000000060000-0x000000000008E000-memory.dmpFilesize
184KB
-
memory/1504-345-0x0000000000060000-0x000000000008E000-memory.dmpFilesize
184KB
-
memory/1504-342-0x0000000000060000-0x000000000008E000-memory.dmpFilesize
184KB
-
memory/1504-316-0x0000000000090000-0x0000000000092000-memory.dmpFilesize
8KB
-
memory/1504-317-0x0000000000060000-0x000000000008E000-memory.dmpFilesize
184KB
-
memory/1504-340-0x0000000000060000-0x000000000008E000-memory.dmpFilesize
184KB
-
memory/2172-301-0x0000000000280000-0x0000000000282000-memory.dmpFilesize
8KB
-
memory/2600-315-0x0000000180000000-0x000000018002E000-memory.dmpFilesize
184KB
-
memory/2600-338-0x0000000180000000-0x000000018002E000-memory.dmpFilesize
184KB
-
memory/2600-307-0x0000000069140000-0x00000000691BE000-memory.dmpFilesize
504KB
-
memory/2600-309-0x00000000002C0000-0x00000000002EF000-memory.dmpFilesize
188KB
-
memory/2600-314-0x0000000000290000-0x00000000002BD000-memory.dmpFilesize
180KB
-
memory/2600-313-0x0000000180000000-0x000000018002E000-memory.dmpFilesize
184KB