Overview

overview

10

Static

static

1

e88610db05...15.msi

windows7-x64

10

e88610db05...15.msi

windows10-2004-x64

6

Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    02-03-2024 19:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e88610db05636a1476435ec1f39d3651b080c8a6b8756452d421d7a822a2e115.msi

  • Size

    2.1MB

  • MD5

    723dae8ed3f157e40635681f028328e6

  • SHA1

    aa6dd8df02000fbfc884e687bcafed57f84a83b0

  • SHA256

    e88610db05636a1476435ec1f39d3651b080c8a6b8756452d421d7a822a2e115

  • SHA512

    4e1829bfc470ea8624dee424db34b2b0f965597c1e300ca62f271727a7fd4dc6c90137d5ca8fd227ba3bad26fee2870788f91b00b225d6a626e99e18476473be

  • SSDEEP

    49152:DNGitd+vszAlozTy4g5r8+5eNBADPGXJXrejhJ8I+jELv6:oihTyfIXreNJ8IpT6

Score
10/10
qakbottchk071702975817bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk07

Campaign

1702975817

C2

116.203.56.11:443

109.107.181.8:443
Attributes
  • camp_date

    2023-12-19 08:50:17 +0000 UTC

Signatures

  • Detect Qakbot Payload 3 IoCs
  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Blocklisted process makes network request 3 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 12 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 13 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e88610db05636a1476435ec1f39d3651b080c8a6b8756452d421d7a822a2e115.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Loads dropped DLL
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2112
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 5C9F477163F3F6F4B1540074D90E186E C
      2⤵
      • Loads dropped DLL
      PID:1248
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 1CA0B23CC73AC09D151B57A4FCDC1C33
      2⤵
      • Loads dropped DLL
      PID:2732
    • C:\Windows\Installer\MSI4A0F.tmp
      "C:\Windows\Installer\MSI4A0F.tmp" /HideWindow rundll32 C:\Users\Admin\AppData\Roaming\AdobeAC.dll,EditOwnerInfo
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2524
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
      PID:1772
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000384" "0000000000000568"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:1632
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\AdobeAC.dll,EditOwnerInfo
      1⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2900
      • C:\Windows\System32\wermgr.exe
        C:\Windows\System32\wermgr.exe
        2⤵
          PID:2784

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Config.Msi\f763a64.rbs
        Filesize

        1KB

        MD5

        818b6e28c0ae0f98dd905f82a349e89a

        SHA1

        dae904bd971da90037ee6adfd52f4f293147e791

        SHA256

        599a66f2178635b170ac07a9d145c35cd17478bb18b76f42e38c820eb514106f

        SHA512

        a034151a3984ec2f198f2eb2c57f24a34ea876f1870b142e04ac9fcd7b649dfe64591139dfa2fb63eb4a644366006a56c56ad40552f50a93a7c1487e1697ab40

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07298EE8EBA9732300AE62BDCA6B6898
        Filesize

        1KB

        MD5

        e11e31581aae545302f6176a117b4d95

        SHA1

        743af0529bd032a0f44a83cdd4baa97b7c2ec49a

        SHA256

        2e7bf16cc22485a7bbe2aa8696750761b0ae39be3b2fe9d0cc6d4ef73491425c

        SHA512

        c63aba6ca79c60a92b3bd26d784a5436e45a626022958bf6c194afc380c7bfb01fadf0b772513bbdbd7f1bb73691b0edb2f60b2f235ec9e0b81c427e04fbe451

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8555326CC9661C9937DC5053B6C38763
        Filesize

        1KB

        MD5

        866912c070f1ecacacc2d5bca55ba129

        SHA1

        b7ab3308d1ea4477ba1480125a6fbda936490cbb

        SHA256

        85666a562ee0be5ce925c1d8890a6f76a87ec16d4d7d5f29ea7419cf20123b69

        SHA512

        f91e855e0346ac8c3379129154e01488bb22cff7f6a6df2a80f1671e43c5df8acae36fdf5ee0eb2320f287a681a326b6f1df36e8e37aa5597c4797dd6b43b7cf

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
        Filesize

        67KB

        MD5

        753df6889fd7410a2e9fe333da83a429

        SHA1

        3c425f16e8267186061dd48ac1c77c122962456e

        SHA256

        b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

        SHA512

        9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07298EE8EBA9732300AE62BDCA6B6898
        Filesize

        312B

        MD5

        fc724d3f81daeadaf3d7e35495b9b332

        SHA1

        ca7d505ba2e01bd1c8b066fd8644c601f72f75ae

        SHA256

        d6baebf58865d5568804618093de17fd82aa40d8f19383a9f979622fa947b381

        SHA512

        7968a08b1656156ec8fa30aed357d44b38d15faf57e1829480c504ae61a17cdc8d9ec8306e626b45001d959a50b93634279dd9786518e23b664a7288cb0100fc

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8555326CC9661C9937DC5053B6C38763
        Filesize

        326B

        MD5

        7a7186815c9df95e92711d311eacdc22

        SHA1

        f1a9c9aa6f2de8e3f3fac7cf0a62806bfdf88960

        SHA256

        ac5deabdb5fab1a1fa1c2e14dd53df0d74098e9281a8e2883f310ed804243bcc

        SHA512

        50408562c2a2a36a7b608a2f75efc831df809610cf91fa828a2f32bc43b82565ecc6298a460a7cdf2d4b5e19534aa142a59289ca9e327b2027503fba99f9c433

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        409a38591435fe40e4eafcaca01f667c

        SHA1

        476908ea1df8f1de1b267228c04372b6992a867c

        SHA256

        6a744dbc211fd8faa0ecab83129d7423c366bfb7d69fd42853ffb404e371efe4

        SHA512

        3a584d08533b39d283da167927be41da5361a1cb39e8ef3e93678961dd7ef6a8e964bd5d1ae0865ed58c389a070af7afb51f8a1b755490c82e7d7a7ca7ad08d9

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\Cab15D4.tmp
        Filesize

        65KB

        MD5

        ac05d27423a85adc1622c714f2cb6184

        SHA1

        b0fe2b1abddb97837ea0195be70ab2ff14d43198

        SHA256

        c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

        SHA512

        6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\MSI1B1C.tmp
        Filesize

        721KB

        MD5

        5a1f2196056c0a06b79a77ae981c7761

        SHA1

        a880ae54395658f129e24732800e207ecd0b5603

        SHA256

        52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

        SHA512

        9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\Tar170F.tmp
        Filesize

        171KB

        MD5

        9c0c641c06238516f27941aa1166d427

        SHA1

        64cd549fb8cf014fcd9312aa7a5b023847b6c977

        SHA256

        4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

        SHA512

        936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\Tar188B.tmp
        Filesize

        175KB

        MD5

        dd73cead4b93366cf3465c8cd32e2796

        SHA1

        74546226dfe9ceb8184651e920d1dbfb432b314e

        SHA256

        a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

        SHA512

        ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

        Download Submit
      • C:\Users\Admin\AppData\Roaming\AdobeAC.dll
        Filesize

        898KB

        MD5

        88bbf2a743baaf81f7a312be61f90d76

        SHA1

        3719aabc29d5eb58d5d2d2a37066047c67bfc2c6

        SHA256

        12094a47a9659b1c2f7c5b36e21d2b0145c9e7b2e79845a437508efa96e5f305

        SHA512

        b01f955eb5f840e01f1f65d5f19c0963e155b1f8d03b4e0720eccbd397cc9aee9a19a63000719e3cf8f580573a335bd61f39fe1261f44e1d5371a9c695b60b70

        Download Submit
      • C:\Windows\Installer\MSI4A0F.tmp
        Filesize

        397KB

        MD5

        b41e1b0ae2ec215c568c395b0dbb738a

        SHA1

        90d8e50176a1f4436604468279f29a128723c64b

        SHA256

        a97e782c5612c1a9c8a56c56a943f6190fa7a73c346566860b519ef02efd0dca

        SHA512

        828d00ea08aa5c5d28b2e513687ee1ff910670f49f938064682e56da05544ba9d73ba9244f77b5df8acaeeb7b756d62f67e5acbc95bae86b4706f6324c4ccaba

        Download Submit
      • memory/2524-317-0x00000000000B0000-0x00000000000B2000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2784-332-0x0000000000090000-0x0000000000092000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2900-323-0x0000000001D50000-0x0000000001D7F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/2900-327-0x0000000001D80000-0x0000000001DAE000-memory.dmp
        Filesize

        184KB

        Download
      • memory/2900-331-0x0000000001D20000-0x0000000001D4D000-memory.dmp
        Filesize

        180KB

        Download