qakbot | 39e79ae8d91991013f5d7ea8044ddbdd9c6feb56244c57ca82c0047c78aaff55

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-03-2024 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93a98b919aec23411ae62dba8d0d22f939da45dec19db2b4e7293124d8f1507f.msi
Size

1.9MB
MD5

82b8bd90e500fb0bf878d6f430c5abec
SHA1

f004c09428f2f18a145212a9e55eef3615858f9c
SHA256

93a98b919aec23411ae62dba8d0d22f939da45dec19db2b4e7293124d8f1507f
SHA512

82b2e997bf5bc0d08ab8dd921aef3e8d620a61c26f86b6f481845ad694d7b97f65dfa42e1c18b83f0f827cad9df69a409b75d96793e5bd7124c26bc7cb07f881
SSDEEP

49152:Ksjitd+vszAlozTy4g5r8+5eNBABxGNvXreD68f:rihTyfcXreO8f

Score

10^/10

qakbot tchk06 1702463600 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk06

Campaign

1702463600

45.138.74.191:443

65.108.218.24:443

Attributes

camp_date
2023-12-13 10:33:20 +0000 UTC

Signatures

Detect Qakbot Payload 12 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4308-80-0x000001F619E30000-0x000001F619E5F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4308-84-0x0000000180000000-0x000000018002E000-memory.dmp	family_qakbot_v5
behavioral2/memory/4308-85-0x000001F619E00000-0x000001F619E2D000-memory.dmp	family_qakbot_v5
behavioral2/memory/4308-86-0x0000000180000000-0x000000018002E000-memory.dmp	family_qakbot_v5
behavioral2/memory/4712-88-0x000002165C0E0000-0x000002165C10E000-memory.dmp	family_qakbot_v5
behavioral2/memory/4712-94-0x000002165C0E0000-0x000002165C10E000-memory.dmp	family_qakbot_v5
behavioral2/memory/4308-104-0x0000000180000000-0x000000018002E000-memory.dmp	family_qakbot_v5
behavioral2/memory/4712-108-0x000002165C0E0000-0x000002165C10E000-memory.dmp	family_qakbot_v5
behavioral2/memory/4712-110-0x000002165C0E0000-0x000002165C10E000-memory.dmp	family_qakbot_v5
behavioral2/memory/4712-109-0x000002165C0E0000-0x000002165C10E000-memory.dmp	family_qakbot_v5
behavioral2/memory/4712-111-0x000002165C0E0000-0x000002165C10E000-memory.dmp	family_qakbot_v5
behavioral2/memory/4712-112-0x000002165C0E0000-0x000002165C10E000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Blocklisted process makes network request 3 IoCs

Processes:

msiexec.exe

flow	pid	Process
4	4212	msiexec.exe
7	4212	msiexec.exe
12	4212	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in Windows directory 12 IoCs

Processes:

msiexec.exe

description	ioc	Process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{E42164EE-5510-4BB6-BA12-B7664EFD3B05}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI670A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6805.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6513.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI65CF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI65E0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7E6C.tmp	msiexec.exe
File created	C:\Windows\Installer\e576496.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e576496.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Executes dropped EXE 1 IoCs

Processes:

MSI7E6C.tmp

pid	Process
3724	MSI7E6C.tmp

Loads dropped DLL 12 IoCs

Processes:

MsiExec.exeMsiExec.exerundll32.exe

pid	Process
5072	MsiExec.exe
5072	MsiExec.exe
5072	MsiExec.exe
5072	MsiExec.exe
5072	MsiExec.exe
5072	MsiExec.exe
5072	MsiExec.exe
1472	MsiExec.exe
1472	MsiExec.exe
1472	MsiExec.exe
1472	MsiExec.exe
4308	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000486acc2d320b21400000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000486acc2d0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900486acc2d000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d486acc2d000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000486acc2d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Modifies registry class 12 IoCs

Processes:

wermgr.exe

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\qyizjslihygo\6428677d = 049518e8fe6779e5b29702af6d243f78e9f6bf6baae1f944e19ba119848cf5f7e3cb60b201bcf516acc6e36ef0c713c4777e4c010ac90f7daa5e56f6f6d268899f990a0cc4b7a0b4798d5dd041c60e8be318ce1f680f905c4380ee3508d6981cadebe1516658ca8397f61003c6cce3e375	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\qyizjslihygo\702528c8 = 84585d6e5bc3d8e6c7e29686f6738cfb9852794827feaeb7bacf552fb7d9efa8fc20aa7e26bd8825835cf668fc86797cac5e17693cf33ca06754854365a949dde060cce45a3efb93eb4e08bee17abc79bc36d1d3ca4b586a7712cf20b8b3fbd71f88fef26f3b071927c6655a68d09f68cf4d28305d25aeaa051cbd4a6a30607119	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\qyizjslihygo\b7cd7cc8 = a5d608749c91e1277e0fab27128d5944be1afc41976bd2940a5227908e3157294a03823044e7155009f92380a3707db37a7be80d5def12fad1ffcd31c1d58b6cf2	wermgr.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\qyizjslihygo	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\qyizjslihygo\a88267e3 = 45eb52ebd02d6f3b50cf689551ef1ed06da4436262bb299b34598d43fd81ee85b94d8dab6c349eedcee5a5b4ca6f42757b6f8bf3d3c904c8bd24adf73d825cdaad616b8c5e4a406e05b0644ff0f78947b1	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\qyizjslihygo\df7b0256 = 071e28c75138a45a54f7f8bd5c8295ad259f97b12d2dbdc58f3ddbb90f2a73c21d3eecc284690ccd0114fb956f72454558e7727728d0e7536e73659a2fc3b7d4f5b3a7280f1d1734716ecc0b849038ee40cfff122d09cee9e1aff01eba6bac709a54cab1878f2e74c3a0332c0e0bbdf593	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\qyizjslihygo\7b677c56 = a403022a76548f5b3a7eb99e242a3a80adfddac6ce2a73769c885056c6dae72d3d6c09522bb70fb25730e314e02d2ef45a8cbb388a6f1b118bdc118b6f52be4947d50bdd5188944871775424836deb38767bdb89a90c3048ef302dcca2bfbffb4b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\qyizjslihygo\7ae021d1 = a76362e5a42ce742fbe7c1278136973507701bbfd5483f278583cb94b62690c0607fae4223af0442acb3046d2ce6e1699e9e36d2e24738b35f4e50836e4686de66a022cfe937ff97eb09bd6c62ccd8ffb7d5f09535ce3acb43c9776f4c94cd1c90b932776905c9df38c54d3a82510317f6a4cd6b6ef9762db4c9751f9e2c908e33	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\qyizjslihygo\e1e53400 = 04d833b5ba9a1cd2118eea3d9ca6b3c9286ed32858bfef5560f718d92cb730d683d2ca935fc397e94592c5598f15c7e8c09621190a65a58bc369896539bd9868081a8cb41cdb493f0cb83dfadf155e1a8a350917084e1f9d5f96f05f4f6cf5d71864dc6f961acfd2ffa088626d31cd7e42c9e9ef0c3ca1926db5cf8a18bd5437ea	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\qyizjslihygo\e0626987 = 26a8aa222ebaa8ab496642c1e6ffd8cf5e3748ff401b046986c7276d03f806fe614faac76d4dffb300e49b41e3ac4b1407c52a17d4e728d70498d0d392657e07f80d0948981eb6a215a32fa7fe3c38d0269f95d96af5ae0c71a7da889eafe4991af9e0a43e2f4ced91f94161b712e7c37bc6ab73c3128a3e00e02cf74910da96c4	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\qyizjslihygo\e0626987 = a4771dc0e7da535ef86f217a465caf898b6053785a5ff9ab8ad1dfee639f251c8e7f0f442d3465440b6d7d637646815521d3be31106d9087c689358239ebdda7f32873b4118ce0f166d151a2beeabb6ee46c32b4fbd0301f97e8c81bf5d2ee4005	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\qyizjslihygo\b64a214f = a470d62843408059a6d7965a7ce17f0d109be9e8ed7c5cf81b8e3ae377ae76e8844a5767031a7ebbe394380e49568f4a019b3b74fa36e3d74150136eb0aaabe4996fa4ce6d887339374c75fdef329e44a51fc4d3f0f3cd114bff5f19a88affb5a1976e7699fe8f7e55ada187a4d938063bb16d55115edb6bf6ddc91e3aa86e5de14520fa51214f17d85289b20d033c6690e9c7fa6f804b4fcc7870b4c25ce4e342	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exeMSI7E6C.tmprundll32.exewermgr.exe

pid	Process
4008	msiexec.exe
4008	msiexec.exe
3724	MSI7E6C.tmp
3724	MSI7E6C.tmp
4308	rundll32.exe
4308	rundll32.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe
4712	wermgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	Process
Token: SeShutdownPrivilege	4212	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4212	msiexec.exe
Token: SeSecurityPrivilege	4008	msiexec.exe
Token: SeCreateTokenPrivilege	4212	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4212	msiexec.exe
Token: SeLockMemoryPrivilege	4212	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4212	msiexec.exe
Token: SeMachineAccountPrivilege	4212	msiexec.exe
Token: SeTcbPrivilege	4212	msiexec.exe
Token: SeSecurityPrivilege	4212	msiexec.exe
Token: SeTakeOwnershipPrivilege	4212	msiexec.exe
Token: SeLoadDriverPrivilege	4212	msiexec.exe
Token: SeSystemProfilePrivilege	4212	msiexec.exe
Token: SeSystemtimePrivilege	4212	msiexec.exe
Token: SeProfSingleProcessPrivilege	4212	msiexec.exe
Token: SeIncBasePriorityPrivilege	4212	msiexec.exe
Token: SeCreatePagefilePrivilege	4212	msiexec.exe
Token: SeCreatePermanentPrivilege	4212	msiexec.exe
Token: SeBackupPrivilege	4212	msiexec.exe
Token: SeRestorePrivilege	4212	msiexec.exe
Token: SeShutdownPrivilege	4212	msiexec.exe
Token: SeDebugPrivilege	4212	msiexec.exe
Token: SeAuditPrivilege	4212	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4212	msiexec.exe
Token: SeChangeNotifyPrivilege	4212	msiexec.exe
Token: SeRemoteShutdownPrivilege	4212	msiexec.exe
Token: SeUndockPrivilege	4212	msiexec.exe
Token: SeSyncAgentPrivilege	4212	msiexec.exe
Token: SeEnableDelegationPrivilege	4212	msiexec.exe
Token: SeManageVolumePrivilege	4212	msiexec.exe
Token: SeImpersonatePrivilege	4212	msiexec.exe
Token: SeCreateGlobalPrivilege	4212	msiexec.exe
Token: SeCreateTokenPrivilege	4212	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4212	msiexec.exe
Token: SeLockMemoryPrivilege	4212	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4212	msiexec.exe
Token: SeMachineAccountPrivilege	4212	msiexec.exe
Token: SeTcbPrivilege	4212	msiexec.exe
Token: SeSecurityPrivilege	4212	msiexec.exe
Token: SeTakeOwnershipPrivilege	4212	msiexec.exe
Token: SeLoadDriverPrivilege	4212	msiexec.exe
Token: SeSystemProfilePrivilege	4212	msiexec.exe
Token: SeSystemtimePrivilege	4212	msiexec.exe
Token: SeProfSingleProcessPrivilege	4212	msiexec.exe
Token: SeIncBasePriorityPrivilege	4212	msiexec.exe
Token: SeCreatePagefilePrivilege	4212	msiexec.exe
Token: SeCreatePermanentPrivilege	4212	msiexec.exe
Token: SeBackupPrivilege	4212	msiexec.exe
Token: SeRestorePrivilege	4212	msiexec.exe
Token: SeShutdownPrivilege	4212	msiexec.exe
Token: SeDebugPrivilege	4212	msiexec.exe
Token: SeAuditPrivilege	4212	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4212	msiexec.exe
Token: SeChangeNotifyPrivilege	4212	msiexec.exe
Token: SeRemoteShutdownPrivilege	4212	msiexec.exe
Token: SeUndockPrivilege	4212	msiexec.exe
Token: SeSyncAgentPrivilege	4212	msiexec.exe
Token: SeEnableDelegationPrivilege	4212	msiexec.exe
Token: SeManageVolumePrivilege	4212	msiexec.exe
Token: SeImpersonatePrivilege	4212	msiexec.exe
Token: SeCreateGlobalPrivilege	4212	msiexec.exe
Token: SeCreateTokenPrivilege	4212	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4212	msiexec.exe
Token: SeLockMemoryPrivilege	4212	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid	Process
4212	msiexec.exe
4212	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

msiexec.exerundll32.exe

description	pid	Process	procid_target
PID 4008 wrote to memory of 5072	4008	msiexec.exe	92
PID 4008 wrote to memory of 5072	4008	msiexec.exe	92
PID 4008 wrote to memory of 5072	4008	msiexec.exe	92
PID 4008 wrote to memory of 3460	4008	msiexec.exe	97
PID 4008 wrote to memory of 3460	4008	msiexec.exe	97
PID 4008 wrote to memory of 1472	4008	msiexec.exe	99
PID 4008 wrote to memory of 1472	4008	msiexec.exe	99
PID 4008 wrote to memory of 1472	4008	msiexec.exe	99
PID 4008 wrote to memory of 3724	4008	msiexec.exe	100
PID 4008 wrote to memory of 3724	4008	msiexec.exe	100
PID 4008 wrote to memory of 3724	4008	msiexec.exe	100
PID 4308 wrote to memory of 4712	4308	rundll32.exe	102
PID 4308 wrote to memory of 4712	4308	rundll32.exe	102
PID 4308 wrote to memory of 4712	4308	rundll32.exe	102
PID 4308 wrote to memory of 4712	4308	rundll32.exe	102
PID 4308 wrote to memory of 4712	4308	rundll32.exe	102

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\93a98b919aec23411ae62dba8d0d22f939da45dec19db2b4e7293124d8f1507f.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4212

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5C87B06F79F86E3E3DF96FA54B63C8A7 C
  2⤵
  - Loads dropped DLL
  PID:5072
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3460
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F7B4DDE0D4D006D4C9AFB76085BED6D1
  2⤵
  - Loads dropped DLL
  PID:1472
- C:\Windows\Installer\MSI7E6C.tmp
  "C:\Windows\Installer\MSI7E6C.tmp" /HideWindow rundll32 C:\Users\Admin\AppData\Roaming\KROST.dll,hvsi
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3724

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3400

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\KROST.dll,hvsi
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Windows\System32\wermgr.exe
  C:\Windows\System32\wermgr.exe
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e576497.rbs

Filesize
1KB

MD5
9544fb59fa96fb30d422da0e2ec2135f

SHA1
ce318218a10ad98da09a06e4f2e6686294795f5c

SHA256
ca7290dda23cec4d50d701db9b455bbc095bca51a90a413af8a7659f02ecc14f

SHA512
a1675598940886dfd758fcafbc513155027ac3d57cfb0a64f21da82589686c10b4ebe0ebed666d81be2f263c562564c0a634026cea593adf8bea3494bc46e3ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C42BC945025A34066DAB76EF3F80A05

Filesize
50KB

MD5
e60b6fd9e945b2f60b6c07730604f545

SHA1
618025126dc2f02ea6b13839ee77a0003e95a413

SHA256
cb086b9e482866eb88005e4a03590c8e7de687e868027291095a0a463e028470

SHA512
dd77ba16e1239e81d2ed50f7f3b947e8cecb23f0072a24303e4732f3b5ac0b222dd1ccec063a42c54c505d94df10a778d5bf8cce66e8dc88e1be605af74a42ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1

Filesize
727B

MD5
7a3b8457313a521e0d44f91765a4e041

SHA1
4ea8ecb5e7b4c11f4c491caf6cee7ced5ec4c267

SHA256
2b08ecf53bb8b6c430659926148f896102dc80b5f38b0ec5efe122199659651c

SHA512
7349fd1b8c490d540a8bb25f40587f9874ff5d9b1f9bdb2ea69db9218ebdbdccea5e4d6645fbd1098d051b008b1ebfd12a619c3a4d6fb54940705ab14933e159

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C42BC945025A34066DAB76EF3F80A05

Filesize
314B

MD5
0297eac6c94c477701170634251497dc

SHA1
bfd34535403b2171eb4ff5312f46088d1d9c4f45

SHA256
f026b2b550eae72fa6c1d7c92327cdd5047df9229628ed05bc8b6d45fc311cb5

SHA512
428ff1601c97232bb457557b403c3bc649ea234f0a115cf175f84830f67bc0bb018eeeffda366437ade9830d9bdc53d8bd08ba1d006f8bf0c1d1470da8ac8691

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1

Filesize
478B

MD5
193a7c431ce38b02d31a9e4a719f7d26

SHA1
f0420fac3d86189d6214a8f275117b1a61cd69b2

SHA256
d50e2b09731241669e462daeb90fc7ab570fb3fe28cca8d403e14fc829306a9b

SHA512
b3642449836e6859c0fe257705f9e5d780b0ecf46da22e0786db3882459ab6227c216769b9acb3b7c793902389e8a007732f9f721944321794abdb036e426d40

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3652.tmp

Filesize
721KB

MD5
5a1f2196056c0a06b79a77ae981c7761

SHA1
a880ae54395658f129e24732800e207ecd0b5603

SHA256
52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

SHA512
9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

Download Submit
C:\Users\Admin\AppData\Roaming\KROST.dll

Filesize
459KB

MD5
0a29918110937641bbe4a2d5ee5e4272

SHA1
7d4a6976c1ece81e01d1f16ac5506266d5210734

SHA256
780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3

SHA512
998a6ee2fa6b345aeea72afaa91add8433e986a2678dbb8995ead786c30bdc00704c39c4857935b20669005b292736d50e1c6ad38901aa1f29db7b6a597fae3f

Download Submit
C:\Windows\Installer\MSI7E6C.tmp

Filesize
397KB

MD5
b41e1b0ae2ec215c568c395b0dbb738a

SHA1
90d8e50176a1f4436604468279f29a128723c64b

SHA256
a97e782c5612c1a9c8a56c56a943f6190fa7a73c346566860b519ef02efd0dca

SHA512
828d00ea08aa5c5d28b2e513687ee1ff910670f49f938064682e56da05544ba9d73ba9244f77b5df8acaeeb7b756d62f67e5acbc95bae86b4706f6324c4ccaba

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
6.4MB

MD5
dfc727adbbd7bf91dbbb5dba76a47a4e

SHA1
0bb5c5e958a397823f5125331be18c6791fc7525

SHA256
bb6900e7dcfe0f27c55dc846c63ea1f8e23741eb9d9a9a9307333d3ee1848e67

SHA512
f9f44118daf42de383452fb50ffe0cff5b5af316bd085d780a8e1fc5072d37fe56bc541ce450a58541cc2f554541564736c25e71c1eed7632950e602be2a02c1

Download Submit
\??\Volume{2dcc6a48-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{881f4f4d-0bcd-41de-9dca-b6b9fbd884fe}_OnDiskSnapshotProp

Filesize
6KB

MD5
904fea097f390cbe81e7df7027a1131f

SHA1
50ec84b3ef223d746fc60b415b122fb3cfa8b402

SHA256
fbaadea95e9e8cea0a83cd51b288c404bd3d25baf93d6dffaa1818a7a5844033

SHA512
0694285dd59bc54b1f48c2678bd20d6f192403da17148f6b229532f7a6726779e5b7730209475f0328cb4aee11a3c46ea19423b64db53f0edeab2d04691a7132

Download Submit
memory/4308-86-0x0000000180000000-0x000000018002E000-memory.dmp

Filesize
184KB

Download
memory/4308-104-0x0000000180000000-0x000000018002E000-memory.dmp

Filesize
184KB

Download
memory/4308-84-0x0000000180000000-0x000000018002E000-memory.dmp

Filesize
184KB

Download
memory/4308-79-0x0000000069140000-0x00000000691BE000-memory.dmp

Filesize
504KB

Download
memory/4308-80-0x000001F619E30000-0x000001F619E5F000-memory.dmp

Filesize
188KB

Download
memory/4308-85-0x000001F619E00000-0x000001F619E2D000-memory.dmp

Filesize
180KB

Download
memory/4712-108-0x000002165C0E0000-0x000002165C10E000-memory.dmp

Filesize
184KB

Download
memory/4712-94-0x000002165C0E0000-0x000002165C10E000-memory.dmp

Filesize
184KB

Download
memory/4712-110-0x000002165C0E0000-0x000002165C10E000-memory.dmp

Filesize
184KB

Download
memory/4712-109-0x000002165C0E0000-0x000002165C10E000-memory.dmp

Filesize
184KB

Download
memory/4712-111-0x000002165C0E0000-0x000002165C10E000-memory.dmp

Filesize
184KB

Download
memory/4712-112-0x000002165C0E0000-0x000002165C10E000-memory.dmp

Filesize
184KB

Download
memory/4712-88-0x000002165C0E0000-0x000002165C10E000-memory.dmp

Filesize
184KB

Download
memory/4712-87-0x000002165C110000-0x000002165C112000-memory.dmp

Filesize
8KB

Download