qakbot | 93a98b919aec23411ae62dba8d0d22f939da45dec19db2b4e7293124d8f1507f

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
16-02-2024 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93a98b919aec23411ae62dba8d0d22f939da45dec19db2b4e7293124d8f1507f.msi
Size

1.9MB
MD5

82b8bd90e500fb0bf878d6f430c5abec
SHA1

f004c09428f2f18a145212a9e55eef3615858f9c
SHA256

93a98b919aec23411ae62dba8d0d22f939da45dec19db2b4e7293124d8f1507f
SHA512

82b2e997bf5bc0d08ab8dd921aef3e8d620a61c26f86b6f481845ad694d7b97f65dfa42e1c18b83f0f827cad9df69a409b75d96793e5bd7124c26bc7cb07f881
SSDEEP

49152:Ksjitd+vszAlozTy4g5r8+5eNBABxGNvXreD68f:rihTyfcXreO8f

Score

10^/10

qakbot banker stealer trojan

Malware Config

Signatures

Detect Qakbot Payload 12 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2032-86-0x000002673F130000-0x000002673F15F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2032-90-0x000002673F100000-0x000002673F12D000-memory.dmp	family_qakbot_v5
behavioral2/memory/2032-91-0x0000000180000000-0x000000018002E000-memory.dmp	family_qakbot_v5
behavioral2/memory/2032-92-0x0000000180000000-0x000000018002E000-memory.dmp	family_qakbot_v5
behavioral2/memory/3300-94-0x000002B034A30000-0x000002B034A5E000-memory.dmp	family_qakbot_v5
behavioral2/memory/3300-100-0x000002B034A30000-0x000002B034A5E000-memory.dmp	family_qakbot_v5
behavioral2/memory/2032-110-0x0000000180000000-0x000000018002E000-memory.dmp	family_qakbot_v5
behavioral2/memory/3300-114-0x000002B034A30000-0x000002B034A5E000-memory.dmp	family_qakbot_v5
behavioral2/memory/3300-115-0x000002B034A30000-0x000002B034A5E000-memory.dmp	family_qakbot_v5
behavioral2/memory/3300-116-0x000002B034A30000-0x000002B034A5E000-memory.dmp	family_qakbot_v5
behavioral2/memory/3300-117-0x000002B034A30000-0x000002B034A5E000-memory.dmp	family_qakbot_v5
behavioral2/memory/3300-118-0x000002B034A30000-0x000002B034A5E000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Blocklisted process makes network request 3 IoCs

Processes:

msiexec.exe

flow pid process

7 2764 msiexec.exe
11 2764 msiexec.exe
13 2764 msiexec.exe

flow	pid	process
7	2764	msiexec.exe
11	2764	msiexec.exe
13	2764	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Drops file in Windows directory 12 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFAD9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e58f548.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF74C.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{E42164EE-5510-4BB6-BA12-B7664EFD3B05}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFBC4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1EF.tmp	msiexec.exe
File created	C:\Windows\Installer\e58f548.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF912.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF990.tmp	msiexec.exe

Executes dropped EXE 1 IoCs

Processes:

MSI1EF.tmp

pid process

3344 MSI1EF.tmp

pid	process
3344	MSI1EF.tmp

Loads dropped DLL 12 IoCs

Processes:

MsiExec.exeMsiExec.exerundll32.exe

pid	process
2844	MsiExec.exe
2844	MsiExec.exe
2844	MsiExec.exe
2844	MsiExec.exe
2844	MsiExec.exe
2844	MsiExec.exe
2844	MsiExec.exe
884	MsiExec.exe
884	MsiExec.exe
884	MsiExec.exe
884	MsiExec.exe
2032	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000003462af5746133e160000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800003462af570000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809003462af57000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d3462af57000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000003462af5700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies registry class 12 IoCs

Processes:

wermgr.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\geuocqbraaj\2a5fe0f1 = 44a39ad2a5c6bf0ff4b5b14d3bf14c525375d6cfe56fade940f36ba5a68005e3d49ea901062702f69bae6e6fdc8a1bc825	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\geuocqbraaj\62bfee95 = 673d73d8383796a5f67aeadcebe7dcc62f14ff299978a4df39e75b384cc8376363a27e9c801568a8ddd9e9e4bb225bdde7	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\geuocqbraaj\b15af520 = 6520186a49ecdaf29d4ef157ed56daad984736b84df52299eafad2c9adb9f2726e4a6a73657c7fa1e9af6d3b695d678cdca193660d3f39ffcf57073ae5f02734e1e944cf7d7bcaba24188b2c24f4231b94ac697791133b320c5ba66c192120b5d81505b0c3d8f3ae0431562ef93e8222e3	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\geuocqbraaj\ba18a1be = a5f98674fed373dd408d4e8fd2558e236df9822e9400cd29dbd97a6b7a3ec1f55fa9c73282e0160d7f68fa8f8e96c667a2f5dd9543b8baa8d78633d40a86e365e616571143e35abc74dd9039f7aeb48967a9dabdbe8d78bad8d91f39266c2a8f57dd57ff7ab5b858777a7a5010b7631169854d61071806bf845b9f75ef2932ee83	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\geuocqbraaj\15468b20 = 67ced678847a7ff33b74a63a52baac09af4599e390b2add2a88b9a8d397a81362cc4baf56a7d11698b7ac34ae910816147aaf3cd0fb18ca4e75e46f530ee25441e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\geuocqbraaj\7df0f5be = e4450c6e84e5fa3925d9d085606e3ff7bd062f906069d5107aa339550fbd80782349a85d59a8de376b8dce1708db622b485ea4467d7240ea09e18f310ba1875c854562cd59cf2cb8ebea29cfc867735f8967860cc6a45edd6adeeb9368a363657ba0b9e6280a73af4f3ad6b8d6c78d8ce2	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\geuocqbraaj\b0dda8a7 = 0739abf1fda0d1dface24433abfef1076620756157af9b5adee6d770987e67481fb8881eeebf26a4db7c36c53d153dccc1fe4b7d97962b5b5750ce2e340053106aaac2f4dbef59704b72c911a7b1c3eca8f221fba2b5d005742b46e3b830963d34adfe3a303f3d0dd997a95da0c475265a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\geuocqbraaj\2bd8bd76 = 645841f87b8b70ae52304debaa105cbd0d85175bed20be3322ece3bc9a34c9ae9bbbbaf49920d4fc8153b59911646e600eb1434eed7b917b635ee6614f2ce87bbd406f5b405d1e6d0788c01f76bcfcce91a0d04ad9999b5d5bbcb0e5f5d16c2218	wermgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\geuocqbraaj	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\geuocqbraaj\7c77a839 = c44d8593b88c8dda8cb865af8bbcb378801f07936371af9c1ffa82856eb24a2285ea849631c55cc5a7d017ceb069ac845ea9678decbff90f7aef0c14c826419201b6d5fb46412471a1a86aa8ccb074540154e25fa6d7ce7d05b0ddf4ba8e178d9830f9373758e58c1ec0253d63ee1de67a4cf9a65b787bff3e22ad0915fb6065e2513dfc3e646792473ab4959a4389af70820e15f8c9196f78e53ffa1a0629082e7d0e22d9a59ac8b2e1f97456c7b468f62db4e5e4cd5d4864074f1908b2ed287b50ddb9d2bc170909dadf0a90bbe527bb74a0b7e066580621cadaad5dd72ae39f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\geuocqbraaj\ae15ee0b = a4bfc61d9086d30f61e335ad7680075569bb1f41f44da4ac896b54a24dc30876af1cf52293f18b5921aa7bc17499a824b6	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\geuocqbraaj\2a5fe0f1 = a76d47fbcf486288af62cd29bc60dbd8602e7aa9f1607c7755e46dbf2c84d0e7888f00e60451ce17d0ab612bb4a051e65e7aeb3a5367342e9e637050e158fe9c17f5962d5baa4d01e9b1f0934d870e43f0	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exeMSI1EF.tmprundll32.exewermgr.exe

pid	process
4576	msiexec.exe
4576	msiexec.exe
3344	MSI1EF.tmp
3344	MSI1EF.tmp
2032	rundll32.exe
2032	rundll32.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2764	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2764	msiexec.exe
Token: SeSecurityPrivilege	4576	msiexec.exe
Token: SeCreateTokenPrivilege	2764	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2764	msiexec.exe
Token: SeLockMemoryPrivilege	2764	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2764	msiexec.exe
Token: SeMachineAccountPrivilege	2764	msiexec.exe
Token: SeTcbPrivilege	2764	msiexec.exe
Token: SeSecurityPrivilege	2764	msiexec.exe
Token: SeTakeOwnershipPrivilege	2764	msiexec.exe
Token: SeLoadDriverPrivilege	2764	msiexec.exe
Token: SeSystemProfilePrivilege	2764	msiexec.exe
Token: SeSystemtimePrivilege	2764	msiexec.exe
Token: SeProfSingleProcessPrivilege	2764	msiexec.exe
Token: SeIncBasePriorityPrivilege	2764	msiexec.exe
Token: SeCreatePagefilePrivilege	2764	msiexec.exe
Token: SeCreatePermanentPrivilege	2764	msiexec.exe
Token: SeBackupPrivilege	2764	msiexec.exe
Token: SeRestorePrivilege	2764	msiexec.exe
Token: SeShutdownPrivilege	2764	msiexec.exe
Token: SeDebugPrivilege	2764	msiexec.exe
Token: SeAuditPrivilege	2764	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2764	msiexec.exe
Token: SeChangeNotifyPrivilege	2764	msiexec.exe
Token: SeRemoteShutdownPrivilege	2764	msiexec.exe
Token: SeUndockPrivilege	2764	msiexec.exe
Token: SeSyncAgentPrivilege	2764	msiexec.exe
Token: SeEnableDelegationPrivilege	2764	msiexec.exe
Token: SeManageVolumePrivilege	2764	msiexec.exe
Token: SeImpersonatePrivilege	2764	msiexec.exe
Token: SeCreateGlobalPrivilege	2764	msiexec.exe
Token: SeCreateTokenPrivilege	2764	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2764	msiexec.exe
Token: SeLockMemoryPrivilege	2764	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2764	msiexec.exe
Token: SeMachineAccountPrivilege	2764	msiexec.exe
Token: SeTcbPrivilege	2764	msiexec.exe
Token: SeSecurityPrivilege	2764	msiexec.exe
Token: SeTakeOwnershipPrivilege	2764	msiexec.exe
Token: SeLoadDriverPrivilege	2764	msiexec.exe
Token: SeSystemProfilePrivilege	2764	msiexec.exe
Token: SeSystemtimePrivilege	2764	msiexec.exe
Token: SeProfSingleProcessPrivilege	2764	msiexec.exe
Token: SeIncBasePriorityPrivilege	2764	msiexec.exe
Token: SeCreatePagefilePrivilege	2764	msiexec.exe
Token: SeCreatePermanentPrivilege	2764	msiexec.exe
Token: SeBackupPrivilege	2764	msiexec.exe
Token: SeRestorePrivilege	2764	msiexec.exe
Token: SeShutdownPrivilege	2764	msiexec.exe
Token: SeDebugPrivilege	2764	msiexec.exe
Token: SeAuditPrivilege	2764	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2764	msiexec.exe
Token: SeChangeNotifyPrivilege	2764	msiexec.exe
Token: SeRemoteShutdownPrivilege	2764	msiexec.exe
Token: SeUndockPrivilege	2764	msiexec.exe
Token: SeSyncAgentPrivilege	2764	msiexec.exe
Token: SeEnableDelegationPrivilege	2764	msiexec.exe
Token: SeManageVolumePrivilege	2764	msiexec.exe
Token: SeImpersonatePrivilege	2764	msiexec.exe
Token: SeCreateGlobalPrivilege	2764	msiexec.exe
Token: SeCreateTokenPrivilege	2764	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2764	msiexec.exe
Token: SeLockMemoryPrivilege	2764	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

2764 msiexec.exe
2764 msiexec.exe

pid	process
2764	msiexec.exe
2764	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

msiexec.exerundll32.exe

description	pid	process	target process
PID 4576 wrote to memory of 2844	4576	msiexec.exe	MsiExec.exe
PID 4576 wrote to memory of 2844	4576	msiexec.exe	MsiExec.exe
PID 4576 wrote to memory of 2844	4576	msiexec.exe	MsiExec.exe
PID 4576 wrote to memory of 4836	4576	msiexec.exe	srtasks.exe
PID 4576 wrote to memory of 4836	4576	msiexec.exe	srtasks.exe
PID 4576 wrote to memory of 884	4576	msiexec.exe	MsiExec.exe
PID 4576 wrote to memory of 884	4576	msiexec.exe	MsiExec.exe
PID 4576 wrote to memory of 884	4576	msiexec.exe	MsiExec.exe
PID 4576 wrote to memory of 3344	4576	msiexec.exe	MSI1EF.tmp
PID 4576 wrote to memory of 3344	4576	msiexec.exe	MSI1EF.tmp
PID 4576 wrote to memory of 3344	4576	msiexec.exe	MSI1EF.tmp
PID 2032 wrote to memory of 3300	2032	rundll32.exe	wermgr.exe
PID 2032 wrote to memory of 3300	2032	rundll32.exe	wermgr.exe
PID 2032 wrote to memory of 3300	2032	rundll32.exe	wermgr.exe
PID 2032 wrote to memory of 3300	2032	rundll32.exe	wermgr.exe
PID 2032 wrote to memory of 3300	2032	rundll32.exe	wermgr.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\93a98b919aec23411ae62dba8d0d22f939da45dec19db2b4e7293124d8f1507f.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2764

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4576

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 26F15CCF2B78D981C0703ADCD73D52DB C
2⤵
- Loads dropped DLL
PID:2844

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:4836

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 400211FAB38EAC1EEB519C1A880CB8D7
2⤵
- Loads dropped DLL
PID:884

C:\Windows\Installer\MSI1EF.tmp
"C:\Windows\Installer\MSI1EF.tmp" /HideWindow rundll32 C:\Users\Admin\AppData\Roaming\KROST.dll,hvsi
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3344

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:1572

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\KROST.dll,hvsi
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\System32\wermgr.exe
C:\Windows\System32\wermgr.exe
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3300

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58f549.rbs
Filesize
1KB

MD5
3cd282a3c28961df045084aca2726766

SHA1
b02c6a1e69bec6456fd7344f08ee9a8be718542c

SHA256
16d112b447e7174be1edfd2ff1e948064a0aa485767036643ae24245d7549bfa

SHA512
ca3878b92d873790f4e2cff5e6f1521afd08f2c3bf8c61eb5278df3d1332329722d2e8cdbf39bdf884e07f9b51a9350b788c0c7245c881df6219ae0f3806eb52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C42BC945025A34066DAB76EF3F80A05
Filesize
49KB

MD5
cf47d9b6eb681d693027bf1869d719cc

SHA1
7198d84a000b8881a82fe8714832bf7aae703a5b

SHA256
a6871ca9dae4a5f15cd1df69be4bdfcbf9e9f5cbc6c34399f137a87fe9a29fe7

SHA512
5af04ea8b2c01f1431c1e69ac7e53e07261eab2b5de38f0ec28ba63e6a27dda55ff6be9c0c2ea7051c26b16e202c5c5b88b448360226c66701fb1158bc95577b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
Filesize
727B

MD5
7a3b8457313a521e0d44f91765a4e041

SHA1
4ea8ecb5e7b4c11f4c491caf6cee7ced5ec4c267

SHA256
2b08ecf53bb8b6c430659926148f896102dc80b5f38b0ec5efe122199659651c

SHA512
7349fd1b8c490d540a8bb25f40587f9874ff5d9b1f9bdb2ea69db9218ebdbdccea5e4d6645fbd1098d051b008b1ebfd12a619c3a4d6fb54940705ab14933e159

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C42BC945025A34066DAB76EF3F80A05
Filesize
314B

MD5
2813bfb2d993e2d01810bc5ee8ee81b0

SHA1
233a1f4be8dc59e4e77a2decce6b1cada270ca67

SHA256
bf495caa6ac92dd5d47f402725037133c58920a299288d7b7137cf52036b4979

SHA512
7258a4e15453a2e3dc64f2ed5cc87466f5a873fabc5b905a5791a6ac9b007dc9423ba69a458888a5e87a16935f575fa9ffa605a5e08d995ad21fcfbf7383f2d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
Filesize
478B

MD5
60a785e5e522c2dce93fed0cd25b1395

SHA1
2370102120dd69f63dce3a6828d69e6f58fb5290

SHA256
7f791beafd52c24920773db074b6e11d0f0cb10827342ff0b056f72981bb541b

SHA512
9b36e2adc68aa5280d8177ad847c733bc5d2330221817b410ce4ad17d25e34b0fce1d5fcf12be98455a47d455a9f3718f886ab1f089fc8cc6c8f489da918a81c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1385.tmp
Filesize
254KB

MD5
af81c5b4184108debe7e9035c686842b

SHA1
da57a29910daf925d0bd7edc56f9a109bd4ec87f

SHA256
b867fa9aee49074c7045bc235879269e68e60627979da9c355ba20d9eee8a1f9

SHA512
5bc554fba1c47521989ee094070168d8cf1314ae3f0f86d07dde949a7f56b92608520655fd01fb51253af6ed84fbdd46625407222332863263cdca07ffaef3d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1385.tmp
Filesize
427KB

MD5
1e0887091dd193a30632d63884f62058

SHA1
f5543ebf0d533f246406ec6982eb5be1b8b6fa87

SHA256
6e14aa9d30fdd7339ba8340848cd105008007aadb7e30df2e19454f3be0ec667

SHA512
a9fbc5d3bfc6ddad76c65f1f3a0c65beb1b0c0baec8e17de168486be8a70bb96f17cae008e747e17712c8518ba675d4e980d0cd9790a9bd7e0c23cd2c8818d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI13B5.tmp
Filesize
469KB

MD5
f47b2f78d707adb07a646ad44a500f71

SHA1
ab0fd2f47b534752a20ef7545dc997c4829ddd20

SHA256
f5538f48329d3de4ef63f5ca6aef682eb4a48d4b581010193c8d99e136dc7ffd

SHA512
d3eb45d96a29dcd95da3c0bc667cb9dc9b29d9ac4513151f9fdde54bed260902402eb0f22ff5fab0fe9d4e3f09fa15c9e32b22aaaf0019eca795b8d06efd1339

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI13B5.tmp
Filesize
357KB

MD5
f20c9cd3f8e790de09541355b9adb363

SHA1
8a40f6dbb2e5c3ec52fe99dae4112b745503836a

SHA256
8cffbd192a971d0db370ab06e2f828dad0f14ebf88b5fcac4ed4ba8845358a0c

SHA512
9a6fd04fae70ad95279ef66241543a5adc714682b129553bb40e66f7dafc5425a8e3bdd856cf5cf1b9692e0693cb3623539a9b557ab194208c4def781b59aaae

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1443.tmp
Filesize
387KB

MD5
43cc08b38e015a82e403b991db3c16b3

SHA1
9fcb132b3c200bdaf71018de6c5d80cdad3ff93e

SHA256
a48a0691918885eb285611a793f7e3c6661b6fa56c4c58bb32654636e683c99e

SHA512
45abff4c46a1e095e537f023acd430ec8894f30efb8bb582e653f8b0b9b7ee8fc9d8c51ea62b0637479be5e0dfc57b4247ede90c191a75d91cf2e86fd207d6eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1443.tmp
Filesize
585KB

MD5
a8f596a66349f022d26de8dc0c91e313

SHA1
9f80763a03f07106a3894905520404f821f5ca2a

SHA256
7d51f53b4eb7af17db80e79a16cefa4c4bab62cfecd2531611fea5af7d568a5e

SHA512
906d0385063217ef09de7962ae1cf78d7692298d6e05ccfe6357b1546c1692fcfc951aae2603ca8b94549734de1b234a7f9717c4730428de965b55f3cf9e73e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI15DA.tmp
Filesize
262KB

MD5
c20b0f0f1bc014025084cc3785bc7235

SHA1
6f0145bc130180fc94d93e16e0fcd38cb3981f9f

SHA256
854ba850d8448f24e432fab5133030e440407467d2421e68bdd62ee89776ee3a

SHA512
702d9bda927e6e573d3dd0ecf990556da6f4cabb59550618ad41c377c81a4df1e04427f8ee597dbaa7e57884557aa4b2d648a0a1d2ddda65c63d440dc89e3acb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI15DA.tmp
Filesize
448KB

MD5
fbafb4c544bcb4ac88e8dbf7cf2a1fc3

SHA1
7e948bd695113a8d678944a912598c2be87ca753

SHA256
02a89d4f7485b4dda6b60a911f27968b08b976d91e3fb2eaa08969fe7070ab6a

SHA512
14b93b62f19aece14527064cb2757699dd75fcb1c075a83342a1da6677c45a51e0d65e468f2519407eb86b35137a07b3d9ddafe5b888f84416e09356ae38b568

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1619.tmp
Filesize
181KB

MD5
da09e41c5647c2b3a69f02a6dfbcaeef

SHA1
b0d17a4b0de6d3cd28d8229be910ddaf9070a4e0

SHA256
e20502894bcaea49a59409fd900051bac2bfb61345d879d48b6e12c9a4340ad4

SHA512
6dd03642e4569627fc879c487f58794595f7e157334bdf1e56dd9569b2273a9c129969982a976fe018872d50721d62349a40b7d485370f7f7b8ba95423f640ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1619.tmp
Filesize
218KB

MD5
135df460f27dd0b97cfd690c03401180

SHA1
21e86fabd372510ecc3ff86008fadd630c461cd0

SHA256
36948a9685bfdf44d71131304443816fb4fb9c3381a6fcded98cf104f687359c

SHA512
112a1b88603638e53074cdbf400028edfe35550bd906d1f242cda6d2cdedd8361140b9fedffd7fa77402fb7491cb0ab02d99bda53aae7e459a1885add92a0eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC8E.tmp
Filesize
721KB

MD5
5a1f2196056c0a06b79a77ae981c7761

SHA1
a880ae54395658f129e24732800e207ecd0b5603

SHA256
52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

SHA512
9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

Download Submit
C:\Users\Admin\AppData\Roaming\KROST.dll
Filesize
459KB

MD5
0a29918110937641bbe4a2d5ee5e4272

SHA1
7d4a6976c1ece81e01d1f16ac5506266d5210734

SHA256
780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3

SHA512
998a6ee2fa6b345aeea72afaa91add8433e986a2678dbb8995ead786c30bdc00704c39c4857935b20669005b292736d50e1c6ad38901aa1f29db7b6a597fae3f

Download Submit
C:\Windows\Installer\MSI1EF.tmp
Filesize
397KB

MD5
b41e1b0ae2ec215c568c395b0dbb738a

SHA1
90d8e50176a1f4436604468279f29a128723c64b

SHA256
a97e782c5612c1a9c8a56c56a943f6190fa7a73c346566860b519ef02efd0dca

SHA512
828d00ea08aa5c5d28b2e513687ee1ff910670f49f938064682e56da05544ba9d73ba9244f77b5df8acaeeb7b756d62f67e5acbc95bae86b4706f6324c4ccaba

Download Submit
C:\Windows\Installer\MSIF912.tmp
Filesize
448KB

MD5
d853d8831451ec47c8a8eebc5dc404f5

SHA1
0cf1c99986bbb186e184b9c6810a231e661dc89e

SHA256
032f7600debff50877c281d62a9bc1e48f95f3353e97b43f9591e00e27c4a492

SHA512
30c4715fd83ecfd078f2fc7fb6b49f3832ded8a992837ca1e906bf613b342bd0db4658204e1f81bc0ad52f92097033082ac4b077e7a52231048aff2e257b365a

Download Submit
C:\Windows\Installer\MSIF912.tmp
Filesize
266KB

MD5
2f3435ccc1ca5a0557b127167f47473e

SHA1
3b027b70c9dcfd38f7d4aeca55f58f54dbce4023

SHA256
9dfc41d2ade7ac56ca5c3ee42d9a5f19d8cfd4f722f1f735bba038d5746c9705

SHA512
503ebcbd1527f26cf7c8d5e35ffb5571f64ec16c4ca48e5bc198561e2213beb1dac9180c9b4607826b32b680e9b0738d7e3bd0552467d6ab1d40c0184f5e99ac

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
15.5MB

MD5
9a158fb6ec654bdeb3be3dd973c759e8

SHA1
eddb058c847e98b9dc5b58830e618d0459f75e63

SHA256
284bb17f785c72a1862484537766210e0765401e50bd96427c2007bb5cd9ad30

SHA512
9a2d8da83db3e3ee90cf3f4269e0b730604c38aae26a3a10a61562f9daaf7ba920e7f2e09d9029fb6d0e514a09eccf33c27c3a9f2f140a6230d0e04488d5e096

Download Submit
\??\Volume{57af6234-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{119d5c74-6b7a-4d09-8b36-1d20591e4aa5}_OnDiskSnapshotProp
Filesize
6KB

MD5
27a7262da9e0cbfeecf792e34c1b34c2

SHA1
7cbf931f31f9cffc71300cc3cf4675431813c527

SHA256
c53fe2f24601360c5fc19d7d110fdd7a89f2a37d568fe00e6c76c4aedb3f7f26

SHA512
528d96aefb990c752fa87a04099af351568f436f8ac5ed6c975d323672573a8a81c8e708d66d54d437f00d8c3816f91973f2b282e6e9973f886f37386b923081

Download Submit
memory/2032-110-0x0000000180000000-0x000000018002E000-memory.dmp

Filesize
184KB

Download
memory/2032-84-0x0000000069140000-0x00000000691BE000-memory.dmp

Filesize
504KB

Download
memory/2032-86-0x000002673F130000-0x000002673F15F000-memory.dmp

Filesize
188KB

Download
memory/2032-90-0x000002673F100000-0x000002673F12D000-memory.dmp

Filesize
180KB

Download
memory/2032-91-0x0000000180000000-0x000000018002E000-memory.dmp

Filesize
184KB

Download
memory/2032-92-0x0000000180000000-0x000000018002E000-memory.dmp

Filesize
184KB

Download
memory/3300-94-0x000002B034A30000-0x000002B034A5E000-memory.dmp

Filesize
184KB

Download
memory/3300-114-0x000002B034A30000-0x000002B034A5E000-memory.dmp

Filesize
184KB

Download
memory/3300-115-0x000002B034A30000-0x000002B034A5E000-memory.dmp

Filesize
184KB

Download
memory/3300-116-0x000002B034A30000-0x000002B034A5E000-memory.dmp

Filesize
184KB

Download
memory/3300-117-0x000002B034A30000-0x000002B034A5E000-memory.dmp

Filesize
184KB

Download
memory/3300-118-0x000002B034A30000-0x000002B034A5E000-memory.dmp

Filesize
184KB

Download
memory/3300-100-0x000002B034A30000-0x000002B034A5E000-memory.dmp

Filesize
184KB

Download
memory/3300-93-0x000002B034A60000-0x000002B034A62000-memory.dmp

Filesize
8KB

Download