Overview

overview

10

Static

static

1

93a98b919a...7f.msi

windows7-x64

10

93a98b919a...7f.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    02-04-2024 10:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    93a98b919aec23411ae62dba8d0d22f939da45dec19db2b4e7293124d8f1507f.msi

  • Size

    1.9MB

  • MD5

    82b8bd90e500fb0bf878d6f430c5abec

  • SHA1

    f004c09428f2f18a145212a9e55eef3615858f9c

  • SHA256

    93a98b919aec23411ae62dba8d0d22f939da45dec19db2b4e7293124d8f1507f

  • SHA512

    82b2e997bf5bc0d08ab8dd921aef3e8d620a61c26f86b6f481845ad694d7b97f65dfa42e1c18b83f0f827cad9df69a409b75d96793e5bd7124c26bc7cb07f881

  • SSDEEP

    49152:Ksjitd+vszAlozTy4g5r8+5eNBABxGNvXreD68f:rihTyfcXreO8f

Score
10/10
qakbottchk061702463600bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk06

Campaign

1702463600

C2

45.138.74.191:443

65.108.218.24:443
Attributes
  • camp_date

    2023-12-13 10:33:20 +0000 UTC

Signatures

  • Detect Qakbot Payload 12 IoCs
  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Blocklisted process makes network request 3 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 12 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 11 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\93a98b919aec23411ae62dba8d0d22f939da45dec19db2b4e7293124d8f1507f.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2072
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1316
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding DB0381FCE957C0F8CE2639342405DCD9 C
      2⤵
      • Loads dropped DLL
      PID:1956
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding B1D00F474DD7465CE2A7AD1B2717B75E
      2⤵
      • Loads dropped DLL
      PID:2636
    • C:\Windows\Installer\MSI236C.tmp
      "C:\Windows\Installer\MSI236C.tmp" /HideWindow rundll32 C:\Users\Admin\AppData\Roaming\KROST.dll,hvsi
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2780
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
      PID:1980
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000570" "00000000000005BC"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:844
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\KROST.dll,hvsi
      1⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1488
      • C:\Windows\System32\wermgr.exe
        C:\Windows\System32\wermgr.exe
        2⤵
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        PID:1940

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\f7709a4.rbs
      Filesize

      1KB

      MD5

      7c71fba3c4471cbd26384440d3fd0ef1

      SHA1

      969c03b1f15228eeb03d2ed8c43e5b80c52460a4

      SHA256

      ad00ce91efe03f4667b1ed852ca86acc52fb5c9ba0d7d9d6a2de3217bf390c79

      SHA512

      78337b2c0e74c32d0af3d01b849b8f48c2bfa5aa6dd6efee7caeb9e41804f64f029026d97525eec0ce4f232cf627b864e466fff63b09c7cf197b228176621fa8

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8555326CC9661C9937DC5053B6C38763
      Filesize

      1KB

      MD5

      866912c070f1ecacacc2d5bca55ba129

      SHA1

      b7ab3308d1ea4477ba1480125a6fbda936490cbb

      SHA256

      85666a562ee0be5ce925c1d8890a6f76a87ec16d4d7d5f29ea7419cf20123b69

      SHA512

      f91e855e0346ac8c3379129154e01488bb22cff7f6a6df2a80f1671e43c5df8acae36fdf5ee0eb2320f287a681a326b6f1df36e8e37aa5597c4797dd6b43b7cf

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8555326CC9661C9937DC5053B6C38763
      Filesize

      326B

      MD5

      b2f7b4e4775728a70b600bd0aac9e81f

      SHA1

      3747169e20dabd00662e3bbd2f68cb3ba7a49303

      SHA256

      3f3389357fc8fe1a0b3e294b933c752f0bd8dbd8a77c731b940ae999bcadf231

      SHA512

      e38edabadf2042c3000422e07309366daa08486763856be0d96cdf18cc4a328a88b6609431ad0c0fb890897fad727874df32a5a3d295627a9b8999fbc6c105b8

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      f63e0e21cf73a130f73bd99630086a39

      SHA1

      cb8323410ae730b4254bde7cbb57f172dcac7834

      SHA256

      5599fb1c998ec6505381052daa6590cee73a3972d6d16ff5dd2655c4ff3418a6

      SHA512

      e2da7f5f29fa1007365b8e29bd038141b2714896ab1a5f511006ecdac19317cdadcde4d1af49ba4485d1d8f5051bf0ceacba2c7d16f1f1ccf3733eb8b27cf588

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Cab9677.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\MSI9F19.tmp
      Filesize

      721KB

      MD5

      5a1f2196056c0a06b79a77ae981c7761

      SHA1

      a880ae54395658f129e24732800e207ecd0b5603

      SHA256

      52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

      SHA512

      9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Tar969A.tmp
      Filesize

      171KB

      MD5

      9c0c641c06238516f27941aa1166d427

      SHA1

      64cd549fb8cf014fcd9312aa7a5b023847b6c977

      SHA256

      4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

      SHA512

      936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Tar9883.tmp
      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

      Download Submit
    • C:\Users\Admin\AppData\Roaming\KROST.dll
      Filesize

      459KB

      MD5

      0a29918110937641bbe4a2d5ee5e4272

      SHA1

      7d4a6976c1ece81e01d1f16ac5506266d5210734

      SHA256

      780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3

      SHA512

      998a6ee2fa6b345aeea72afaa91add8433e986a2678dbb8995ead786c30bdc00704c39c4857935b20669005b292736d50e1c6ad38901aa1f29db7b6a597fae3f

      Download Submit
    • C:\Windows\Installer\MSI236C.tmp
      Filesize

      397KB

      MD5

      b41e1b0ae2ec215c568c395b0dbb738a

      SHA1

      90d8e50176a1f4436604468279f29a128723c64b

      SHA256

      a97e782c5612c1a9c8a56c56a943f6190fa7a73c346566860b519ef02efd0dca

      SHA512

      828d00ea08aa5c5d28b2e513687ee1ff910670f49f938064682e56da05544ba9d73ba9244f77b5df8acaeeb7b756d62f67e5acbc95bae86b4706f6324c4ccaba

      Download Submit
    • memory/1488-320-0x0000000069140000-0x00000000691BE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/1488-345-0x0000000180000000-0x000000018002E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/1488-321-0x0000000000130000-0x000000000015F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1488-322-0x0000000000100000-0x000000000012D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1488-327-0x0000000180000000-0x000000018002E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/1488-326-0x0000000180000000-0x000000018002E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/1940-329-0x0000000000060000-0x000000000008E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/1940-336-0x0000000000060000-0x000000000008E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/1940-328-0x0000000000110000-0x0000000000112000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1940-353-0x0000000000060000-0x000000000008E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/1940-355-0x0000000000060000-0x000000000008E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/1940-354-0x0000000000060000-0x000000000008E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/1940-356-0x0000000000060000-0x000000000008E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/1940-357-0x0000000000060000-0x000000000008E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/2780-314-0x00000000001E0000-0x00000000001E2000-memory.dmp
      Filesize

      8KB

      Download