qakbot | 2741dcc931824184ae6dcbe112772321dc06676a9bfd9ad496530f77bc321b60

Analysis

max time kernel
149s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-03-2024 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73472cfc52f2732b933e385ef80b4541191c45c995ce5c42844484c33c9867a3.msi
Size

5.8MB
MD5

483b57478ab379546ae9fbab1c0185fa
SHA1

e76211f214c1bcd7eb4ab21478d11a50c31d5da7
SHA256

73472cfc52f2732b933e385ef80b4541191c45c995ce5c42844484c33c9867a3
SHA512

a06f6a98831454f70413efcb6ca97a96440c07bc65e42a8bbfa6c2a6ae7d5dc666d3b96455acdd98089867b9f5ed0cbd98c69bda1c088eb6f3a6c7d702bcb9c4
SSDEEP

98304:mihTySajXEjCVXrepfrULCZf7ACNQB0zmlwXU8ern7beyN:OjjIzULqpQBv17r3eyN

Score

10^/10

qakbot tchk08 1706710954 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk08

Campaign

1706710954

31.210.173.10:443

185.156.172.62:443

185.113.8.123:443

Attributes

camp_date
2024-01-31 14:22:34 +0000 UTC

Signatures

Detect Qakbot Payload 24 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4520-69-0x000001F668AD0000-0x000001F668B00000-memory.dmp	family_qakbot_v5
behavioral2/memory/4520-71-0x000001F668AD0000-0x000001F668B00000-memory.dmp	family_qakbot_v5
behavioral2/memory/4520-70-0x000001F6672A0000-0x000001F6672CD000-memory.dmp	family_qakbot_v5
behavioral2/memory/4520-74-0x000001F668AD0000-0x000001F668B00000-memory.dmp	family_qakbot_v5
behavioral2/memory/4520-73-0x000001F668AA0000-0x000001F668AD0000-memory.dmp	family_qakbot_v5
behavioral2/memory/4520-72-0x000001F668AD0000-0x000001F668B00000-memory.dmp	family_qakbot_v5
behavioral2/memory/4520-76-0x000001F668AD0000-0x000001F668B00000-memory.dmp	family_qakbot_v5
behavioral2/memory/4520-75-0x000001F668AD0000-0x000001F668B00000-memory.dmp	family_qakbot_v5
behavioral2/memory/4520-77-0x000001F668AD0000-0x000001F668B00000-memory.dmp	family_qakbot_v5
behavioral2/memory/4520-78-0x000001F668AD0000-0x000001F668B00000-memory.dmp	family_qakbot_v5
behavioral2/memory/4520-79-0x000001F668AD0000-0x000001F668B00000-memory.dmp	family_qakbot_v5
behavioral2/memory/4520-80-0x000001F668AD0000-0x000001F668B00000-memory.dmp	family_qakbot_v5
behavioral2/memory/5040-82-0x000002053FB80000-0x000002053FBB0000-memory.dmp	family_qakbot_v5
behavioral2/memory/4520-88-0x000001F668AD0000-0x000001F668B00000-memory.dmp	family_qakbot_v5
behavioral2/memory/4520-89-0x000001F668AD0000-0x000001F668B00000-memory.dmp	family_qakbot_v5
behavioral2/memory/5040-90-0x000002053FB80000-0x000002053FBB0000-memory.dmp	family_qakbot_v5
behavioral2/memory/5040-92-0x000002053FB80000-0x000002053FBB0000-memory.dmp	family_qakbot_v5
behavioral2/memory/4520-91-0x000001F668AD0000-0x000001F668B00000-memory.dmp	family_qakbot_v5
behavioral2/memory/5040-93-0x000002053FB80000-0x000002053FBB0000-memory.dmp	family_qakbot_v5
behavioral2/memory/5040-109-0x000002053FB80000-0x000002053FBB0000-memory.dmp	family_qakbot_v5
behavioral2/memory/5040-111-0x000002053FB80000-0x000002053FBB0000-memory.dmp	family_qakbot_v5
behavioral2/memory/5040-112-0x000002053FB80000-0x000002053FBB0000-memory.dmp	family_qakbot_v5
behavioral2/memory/5040-110-0x000002053FB80000-0x000002053FBB0000-memory.dmp	family_qakbot_v5
behavioral2/memory/5040-113-0x000002053FB80000-0x000002053FBB0000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in Windows directory 12 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\e576774.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e576774.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI689F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI690D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7479.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI699B.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI67B3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6860.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{9685643A-B981-47EB-9EC6-6DFD99114DFA}	msiexec.exe

Executes dropped EXE 1 IoCs

Processes:

MSI699B.tmp

pid process

2348 MSI699B.tmp

pid	process
2348	MSI699B.tmp

Loads dropped DLL 13 IoCs

Processes:

MsiExec.exeMsiExec.exerundll32.exe

pid	process
2460	MsiExec.exe
2460	MsiExec.exe
2460	MsiExec.exe
2460	MsiExec.exe
2460	MsiExec.exe
2460	MsiExec.exe
2460	MsiExec.exe
2460	MsiExec.exe
3936	MsiExec.exe
3936	MsiExec.exe
3936	MsiExec.exe
4520	rundll32.exe
3936	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000486acc2d320b21400000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000486acc2d0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900486acc2d000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d486acc2d000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000486acc2d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Modifies registry class 11 IoCs

Processes:

wermgr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\yuquaxdbymsbp	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\yuquaxdbymsbp\784033bc = 84060a9e328c4e4c12a3531fb0b9a4dd308ef98b07795f563c8ca449021e37098c1222cceefad1ccb3443bf9a512803a11a40afee4b609958956f75c0bebfab68b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\yuquaxdbymsbp\2e687b74 = 04f5f25243fe1885fa37b13b385694813de59db702d41b07ccbe6a51c06c8b60597bffbf818c1ee0f658ec3456f337f343417c4ae43efc018a8fa7b162f53afc2c9b8406698d9e15f91a8b751ad720f97e5be0eb44af111bf3decc861fb15f6e3bdfab8edf8bd15d9b56c3b2160c973cfbda38634247a4f4a39deb73b3126b12e2b56cc2b5ebbe22506641d1cc594f9c35aaa91dfa09bc5a72f1d8e917726fc0d3503ce7843df1046d771bc46bc8b52eddef9534e1d397823292c1af282e0d903aadc6e72ae199414e30fdfe1499cb16f06a6d18143d38942692561c3fb111b076	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\yuquaxdbymsbp\4759586d = 4714dd938e1f1c35e1dfb50c26c91ba3934e2c6c1a4e2b89a0cf7a098871f3ac4375da2f625e808d7a2fdbd471a02d18bb3469f4050e8b2685af0222c9f9f7bd761775baf5c0ea914d851a9f9b6d81a927a0399131ffc94d90aefd021c06080febb78a7cd8e4be8a7984e3c0de89afe457934dd068304ef32c04a80ded24a93f0c5dcbf65c51c5e62ca063b98b382c1c32	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\yuquaxdbymsbp\e2c27bea = 658026d04acc9907e4aa6043ae0edc8fdffeedb1cad1a8f1335a2fc46f9b0bb01966e7831d45822ab5628e499770a723c3	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\yuquaxdbymsbp\79c76e3b = e41a27ddf4cd3329c50aa096251b5f17204e4126e35601c4bd125909d442ceefa36a0374207cf770c7bda4c26d651d82270c9bc177257e47e4bf1e1723e53ac147229ed5f0e5a8f39fe19ae44e89be1160792ffe01d43bf4d0a071d9d58641f2f7079565c81f2c5f6b28b7bbfd9fcf34f759f437b9ba493e734bf1158c8469c86b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\yuquaxdbymsbp\784033bc = e59cdf6cd9568e95c459cfb6e6831633f44a3778d607b7343b6e1e0def4b61ff0909f5d30b41f7b72df5f5f4c783feddd9382251bb1ab7749cc648dd63aeebd642cbb5df278db4a1cfa1d62275adcd1206	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\yuquaxdbymsbp\30a03dd8 = a73463278113e63947acb41762cb7b37aa79d93b3fcb6a0a4f1537c38c1d9b487888232b2136b432a009425a40b27c049e54282d11a8ca83f763d40753492241d43ffb2373dc2f89d1a3e68c0f09bff58fedbcd37113e8e96bf2da445153e83c55a96921bb18e0100515c4302a83657881	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\yuquaxdbymsbp\fc0a3d46 = 44dbf519436710d9febedee7f242c083bce5cb5bc794fcc854fed7e6289c00c2e34f959409d302a48b4c8008f501d0702f23d18d7688d0d6365f91e0f9ff67cf2ccf17d9cb9f956d6546722ca867e27369	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\yuquaxdbymsbp\e345266d = e57c58631c76675645716cd6f39086507f69f93b0b549ed6b942efad7c262307e07e96133c0fa6db774107f0b8569cb3ccb1732e4a738fc5d8c63a1a38d5f1f8c2dc06d9401f4b3c0e3f3aecfdfe8370c9	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\yuquaxdbymsbp\2fef26f3 = 455093a96fe562630ac7978369844bd7543cf4b6e590b10ec65bfbe028dd7e9040	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exeMSI699B.tmprundll32.exewermgr.exe

pid	process
4088	msiexec.exe
4088	msiexec.exe
2348	MSI699B.tmp
2348	MSI699B.tmp
4520	rundll32.exe
4520	rundll32.exe
4520	rundll32.exe
4520	rundll32.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe
5040	wermgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2020	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2020	msiexec.exe
Token: SeSecurityPrivilege	4088	msiexec.exe
Token: SeCreateTokenPrivilege	2020	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2020	msiexec.exe
Token: SeLockMemoryPrivilege	2020	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2020	msiexec.exe
Token: SeMachineAccountPrivilege	2020	msiexec.exe
Token: SeTcbPrivilege	2020	msiexec.exe
Token: SeSecurityPrivilege	2020	msiexec.exe
Token: SeTakeOwnershipPrivilege	2020	msiexec.exe
Token: SeLoadDriverPrivilege	2020	msiexec.exe
Token: SeSystemProfilePrivilege	2020	msiexec.exe
Token: SeSystemtimePrivilege	2020	msiexec.exe
Token: SeProfSingleProcessPrivilege	2020	msiexec.exe
Token: SeIncBasePriorityPrivilege	2020	msiexec.exe
Token: SeCreatePagefilePrivilege	2020	msiexec.exe
Token: SeCreatePermanentPrivilege	2020	msiexec.exe
Token: SeBackupPrivilege	2020	msiexec.exe
Token: SeRestorePrivilege	2020	msiexec.exe
Token: SeShutdownPrivilege	2020	msiexec.exe
Token: SeDebugPrivilege	2020	msiexec.exe
Token: SeAuditPrivilege	2020	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2020	msiexec.exe
Token: SeChangeNotifyPrivilege	2020	msiexec.exe
Token: SeRemoteShutdownPrivilege	2020	msiexec.exe
Token: SeUndockPrivilege	2020	msiexec.exe
Token: SeSyncAgentPrivilege	2020	msiexec.exe
Token: SeEnableDelegationPrivilege	2020	msiexec.exe
Token: SeManageVolumePrivilege	2020	msiexec.exe
Token: SeImpersonatePrivilege	2020	msiexec.exe
Token: SeCreateGlobalPrivilege	2020	msiexec.exe
Token: SeCreateTokenPrivilege	2020	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2020	msiexec.exe
Token: SeLockMemoryPrivilege	2020	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2020	msiexec.exe
Token: SeMachineAccountPrivilege	2020	msiexec.exe
Token: SeTcbPrivilege	2020	msiexec.exe
Token: SeSecurityPrivilege	2020	msiexec.exe
Token: SeTakeOwnershipPrivilege	2020	msiexec.exe
Token: SeLoadDriverPrivilege	2020	msiexec.exe
Token: SeSystemProfilePrivilege	2020	msiexec.exe
Token: SeSystemtimePrivilege	2020	msiexec.exe
Token: SeProfSingleProcessPrivilege	2020	msiexec.exe
Token: SeIncBasePriorityPrivilege	2020	msiexec.exe
Token: SeCreatePagefilePrivilege	2020	msiexec.exe
Token: SeCreatePermanentPrivilege	2020	msiexec.exe
Token: SeBackupPrivilege	2020	msiexec.exe
Token: SeRestorePrivilege	2020	msiexec.exe
Token: SeShutdownPrivilege	2020	msiexec.exe
Token: SeDebugPrivilege	2020	msiexec.exe
Token: SeAuditPrivilege	2020	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2020	msiexec.exe
Token: SeChangeNotifyPrivilege	2020	msiexec.exe
Token: SeRemoteShutdownPrivilege	2020	msiexec.exe
Token: SeUndockPrivilege	2020	msiexec.exe
Token: SeSyncAgentPrivilege	2020	msiexec.exe
Token: SeEnableDelegationPrivilege	2020	msiexec.exe
Token: SeManageVolumePrivilege	2020	msiexec.exe
Token: SeImpersonatePrivilege	2020	msiexec.exe
Token: SeCreateGlobalPrivilege	2020	msiexec.exe
Token: SeCreateTokenPrivilege	2020	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2020	msiexec.exe
Token: SeLockMemoryPrivilege	2020	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

2020 msiexec.exe
2020 msiexec.exe

pid	process
2020	msiexec.exe
2020	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

msiexec.exerundll32.exe

description	pid	process	target process
PID 4088 wrote to memory of 2460	4088	msiexec.exe	MsiExec.exe
PID 4088 wrote to memory of 2460	4088	msiexec.exe	MsiExec.exe
PID 4088 wrote to memory of 2460	4088	msiexec.exe	MsiExec.exe
PID 4088 wrote to memory of 3424	4088	msiexec.exe	srtasks.exe
PID 4088 wrote to memory of 3424	4088	msiexec.exe	srtasks.exe
PID 4088 wrote to memory of 3936	4088	msiexec.exe	MsiExec.exe
PID 4088 wrote to memory of 3936	4088	msiexec.exe	MsiExec.exe
PID 4088 wrote to memory of 3936	4088	msiexec.exe	MsiExec.exe
PID 4088 wrote to memory of 2348	4088	msiexec.exe	MSI699B.tmp
PID 4088 wrote to memory of 2348	4088	msiexec.exe	MSI699B.tmp
PID 4088 wrote to memory of 2348	4088	msiexec.exe	MSI699B.tmp
PID 4520 wrote to memory of 5040	4520	rundll32.exe	wermgr.exe
PID 4520 wrote to memory of 5040	4520	rundll32.exe	wermgr.exe
PID 4520 wrote to memory of 5040	4520	rundll32.exe	wermgr.exe
PID 4520 wrote to memory of 5040	4520	rundll32.exe	wermgr.exe
PID 4520 wrote to memory of 5040	4520	rundll32.exe	wermgr.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\73472cfc52f2732b933e385ef80b4541191c45c995ce5c42844484c33c9867a3.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2020

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4088

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 70D0505573D063809D386796F95BB569 C
2⤵
- Loads dropped DLL
PID:2460

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:3424

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 3C7AC310F648A0D280988FF2394B7F58
2⤵
- Loads dropped DLL
PID:3936

C:\Windows\Installer\MSI699B.tmp
"C:\Windows\Installer\MSI699B.tmp" /HideWindow rundll32 C:\Users\Admin\AppData\Roaming\Acrobat\\MicrosoftOffice15\ClientX64\Acrobat.dll,CfGetPlatformInfo
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2348

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:1052

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Acrobat\\MicrosoftOffice15\ClientX64\Acrobat.dll,CfGetPlatformInfo
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4520

C:\Windows\System32\wermgr.exe
C:\Windows\System32\wermgr.exe
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5040

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e576775.rbs
Filesize
1KB

MD5
a6ce02d3a38f63c2825cd6bf92858e56

SHA1
3ac5576323e962b045dd01da33df552fbf8a1091

SHA256
cae7dd2997b9089ac658f2f414c016ad0b5c5932c81b753480cc2f4fd9fc8198

SHA512
e826036a216380fefddfa877603c58333860fa1032c74b3c39146b0d19ffdc5812be9c973b1dc11079b9cbb4bce67eee3db33b841d4c151148ea549ae9d0135e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI37D9.tmp
Filesize
721KB

MD5
5a1f2196056c0a06b79a77ae981c7761

SHA1
a880ae54395658f129e24732800e207ecd0b5603

SHA256
52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

SHA512
9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3ABC.tmp
Filesize
1.1MB

MD5
25e52c5776a81e0c5ccb9bdd4c808c90

SHA1
e42104ef61ae4760a41552292091eb6a5089ced4

SHA256
0831dbcb3799c9e36ea586582e8ef907dcefeb2045351d6774c7ad0ef02a9af2

SHA512
746570c011e501505ec9d09077519bca1a485b0cac66229be6f4715a91ee52d5cc857de26ad8d7a33806ddfa580d2ba9f77759e3764ea761d327fe2f1e881292

Download Submit
C:\Users\Admin\AppData\Roaming\Acrobat\MicrosoftOffice15\ClientX64\Acrobat.dll
Filesize
922KB

MD5
af7364f14a56ae4234d449ff89a2bb7d

SHA1
ce261d1f31bed80417009fbeb5230be37c34e374

SHA256
a59707803f3d94ed9cb429929c832e9b74ce56071a1c2086949b389539788d8a

SHA512
4c6982a5a11578cdd1b2789628787a8a7f08c86e814dfbe717a1e9cb43060b3f9b888948bdc97bcf207d5dd06398a955cab46f2cfc28761b3be15ef40fbc14de

Download Submit
C:\Windows\Installer\MSI6860.tmp
Filesize
512KB

MD5
cf1c334ccb26c604714f1498abdff976

SHA1
67b623802cce46c68c9f99633a5d046f5656d8a2

SHA256
1f11a4f606c3b85f6f979f462f6ce5c9a878c44c738e31a2bd3e6822f6c108df

SHA512
1115b33484072b831a425211938905c026e2b3743485466619994ef72e7069217c60c4cf27648b0d8a82dec8b4731dfe84be49fd906327bf89635afe97c116ff

Download Submit
C:\Windows\Installer\MSI6860.tmp
Filesize
443KB

MD5
3eb77aceaa74f69503e22173a3809585

SHA1
29deee22c7ebe305fd28b602360fa764c40788b5

SHA256
7349288b2e5096356591acee00fef93d91cf6a42e4b602d9761df4f712b648d3

SHA512
1d13916c3bb986a542ef752e1b85b168cee08224c9d51f176ae1f3264e23fd8efb9c2baf93d4fdb9886a2326f4dabd1d49dff6ab682c6f3343ba01f0a5acf9ba

Download Submit
C:\Windows\Installer\MSI699B.tmp
Filesize
397KB

MD5
b41e1b0ae2ec215c568c395b0dbb738a

SHA1
90d8e50176a1f4436604468279f29a128723c64b

SHA256
a97e782c5612c1a9c8a56c56a943f6190fa7a73c346566860b519ef02efd0dca

SHA512
828d00ea08aa5c5d28b2e513687ee1ff910670f49f938064682e56da05544ba9d73ba9244f77b5df8acaeeb7b756d62f67e5acbc95bae86b4706f6324c4ccaba

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
9.6MB

MD5
57d7bf26eda971f6e082505dd8163200

SHA1
3f2729e04d2f245d2136120b3ee586b0a525dd51

SHA256
485db03bb0106931cf2b4887221846de341d2ba7bb7486e982eec77c94d2e6f5

SHA512
e41f42db5234f6d3f9b0c5199f138ab961a18873104abdea6967f9f49a97b46b9f3255cb154e6cc521992c6e9844e7b231e27c59232d78ccc482219ae73e27aa

Download Submit
\??\Volume{2dcc6a48-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{1e76820f-a78a-4285-a772-646f0affbf25}_OnDiskSnapshotProp
Filesize
6KB

MD5
c2b76dce0a1a655d33083c41c0ce3198

SHA1
2d4f398c62e35fdbc3d5711450eba07db84fe262

SHA256
d2af9bebaf127d5034c0f66569bfcee5002cb42bc0ed4f129aa01495c0287e9e

SHA512
8e9da3766c535250305c85d66d919b59bf4ee7bf3021c40236c37291da3bc8786a5bb4363abf725ad3801cea74ef3248c33a1b7aa5bf0e4ebeeaa28f7c557dfa

Download Submit
memory/4520-78-0x000001F668AD0000-0x000001F668B00000-memory.dmp

Filesize
192KB

Download
memory/4520-89-0x000001F668AD0000-0x000001F668B00000-memory.dmp

Filesize
192KB

Download
memory/4520-73-0x000001F668AA0000-0x000001F668AD0000-memory.dmp

Filesize
192KB

Download
memory/4520-72-0x000001F668AD0000-0x000001F668B00000-memory.dmp

Filesize
192KB

Download
memory/4520-76-0x000001F668AD0000-0x000001F668B00000-memory.dmp

Filesize
192KB

Download
memory/4520-75-0x000001F668AD0000-0x000001F668B00000-memory.dmp

Filesize
192KB

Download
memory/4520-77-0x000001F668AD0000-0x000001F668B00000-memory.dmp

Filesize
192KB

Download
memory/4520-70-0x000001F6672A0000-0x000001F6672CD000-memory.dmp

Filesize
180KB

Download
memory/4520-79-0x000001F668AD0000-0x000001F668B00000-memory.dmp

Filesize
192KB

Download
memory/4520-80-0x000001F668AD0000-0x000001F668B00000-memory.dmp

Filesize
192KB

Download
memory/4520-69-0x000001F668AD0000-0x000001F668B00000-memory.dmp

Filesize
192KB

Download
memory/4520-71-0x000001F668AD0000-0x000001F668B00000-memory.dmp

Filesize
192KB

Download
memory/4520-88-0x000001F668AD0000-0x000001F668B00000-memory.dmp

Filesize
192KB

Download
memory/4520-74-0x000001F668AD0000-0x000001F668B00000-memory.dmp

Filesize
192KB

Download
memory/4520-91-0x000001F668AD0000-0x000001F668B00000-memory.dmp

Filesize
192KB

Download
memory/5040-92-0x000002053FB80000-0x000002053FBB0000-memory.dmp

Filesize
192KB

Download
memory/5040-90-0x000002053FB80000-0x000002053FBB0000-memory.dmp

Filesize
192KB

Download
memory/5040-93-0x000002053FB80000-0x000002053FBB0000-memory.dmp

Filesize
192KB

Download
memory/5040-109-0x000002053FB80000-0x000002053FBB0000-memory.dmp

Filesize
192KB

Download
memory/5040-111-0x000002053FB80000-0x000002053FBB0000-memory.dmp

Filesize
192KB

Download
memory/5040-112-0x000002053FB80000-0x000002053FBB0000-memory.dmp

Filesize
192KB

Download
memory/5040-110-0x000002053FB80000-0x000002053FBB0000-memory.dmp

Filesize
192KB

Download
memory/5040-113-0x000002053FB80000-0x000002053FBB0000-memory.dmp

Filesize
192KB

Download
memory/5040-82-0x000002053FB80000-0x000002053FBB0000-memory.dmp

Filesize
192KB

Download
memory/5040-81-0x000002053FBB0000-0x000002053FBB2000-memory.dmp

Filesize
8KB

Download