qakbot | 365f7e7eb4f8297de0eec8a541833110333a1f317a33cd72f1382fd675967eae

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2024 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93a98b919aec23411ae62dba8d0d22f939da45dec19db2b4e7293124d8f1507f.msi
Size

1.9MB
MD5

82b8bd90e500fb0bf878d6f430c5abec
SHA1

f004c09428f2f18a145212a9e55eef3615858f9c
SHA256

93a98b919aec23411ae62dba8d0d22f939da45dec19db2b4e7293124d8f1507f
SHA512

82b2e997bf5bc0d08ab8dd921aef3e8d620a61c26f86b6f481845ad694d7b97f65dfa42e1c18b83f0f827cad9df69a409b75d96793e5bd7124c26bc7cb07f881
SSDEEP

49152:Ksjitd+vszAlozTy4g5r8+5eNBABxGNvXreD68f:rihTyfcXreO8f

Score

10^/10

qakbot tchk06 1702463600 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk06

Campaign

1702463600

45.138.74.191:443

65.108.218.24:443

Attributes

camp_date
2023-12-13 10:33:20 +0000 UTC

Signatures

Detect Qakbot Payload 12 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3340-82-0x000001EBE6DC0000-0x000001EBE6DEF000-memory.dmp	family_qakbot_v5
behavioral2/memory/3340-85-0x000001EBE6D90000-0x000001EBE6DBD000-memory.dmp	family_qakbot_v5
behavioral2/memory/3340-87-0x0000000180000000-0x000000018002E000-memory.dmp	family_qakbot_v5
behavioral2/memory/3340-88-0x0000000180000000-0x000000018002E000-memory.dmp	family_qakbot_v5
behavioral2/memory/2312-90-0x00000145F4680000-0x00000145F46AE000-memory.dmp	family_qakbot_v5
behavioral2/memory/2312-96-0x00000145F4680000-0x00000145F46AE000-memory.dmp	family_qakbot_v5
behavioral2/memory/3340-106-0x0000000180000000-0x000000018002E000-memory.dmp	family_qakbot_v5
behavioral2/memory/2312-108-0x00000145F4680000-0x00000145F46AE000-memory.dmp	family_qakbot_v5
behavioral2/memory/2312-109-0x00000145F4680000-0x00000145F46AE000-memory.dmp	family_qakbot_v5
behavioral2/memory/2312-110-0x00000145F4680000-0x00000145F46AE000-memory.dmp	family_qakbot_v5
behavioral2/memory/2312-111-0x00000145F4680000-0x00000145F46AE000-memory.dmp	family_qakbot_v5
behavioral2/memory/2312-114-0x00000145F4680000-0x00000145F46AE000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Blocklisted process makes network request 3 IoCs

Processes:

msiexec.exe

flow pid process

7 4380 msiexec.exe
9 4380 msiexec.exe
11 4380 msiexec.exe

flow	pid	process
7	4380	msiexec.exe
9	4380	msiexec.exe
11	4380	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in Windows directory 12 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID022.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID062.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{E42164EE-5510-4BB6-BA12-B7664EFD3B05}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID2E4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57ce7b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID6AE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICF37.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID1CA.tmp	msiexec.exe
File created	C:\Windows\Installer\e57ce7b.msi	msiexec.exe

Executes dropped EXE 1 IoCs

Processes:

MSID6AE.tmp

pid process

3924 MSID6AE.tmp

pid	process
3924	MSID6AE.tmp

Loads dropped DLL 12 IoCs

Processes:

MsiExec.exeMsiExec.exerundll32.exe

pid	process
1100	MsiExec.exe
1100	MsiExec.exe
1100	MsiExec.exe
1100	MsiExec.exe
1100	MsiExec.exe
1100	MsiExec.exe
1100	MsiExec.exe
4552	MsiExec.exe
4552	MsiExec.exe
4552	MsiExec.exe
4552	MsiExec.exe
3340	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000c2cf76efb8a5767e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000c2cf76ef0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900c2cf76ef000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dc2cf76ef000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000c2cf76ef00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies registry class 12 IoCs

Processes:

wermgr.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\heozyhewyl\bebabb24 = 251564346e8db99688413eebc0f2a468883a49e8786f07989774aa9647b88e41eab2d7528f4e3ecfbf8ef78b65186515e501f6dd90c9475593aeec833bb9a56f82	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\heozyhewyl\bebabb24 = c565afc08f455d48e91f969578ba3a5d9a2387e546c670b3a920a8d896122fcbe6	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\heozyhewyl\e892f3ec = 24fd6e4ba00c6780f9e27289c1cf2d265749a1a81a64f22382d44332865f7728e63d42c7ff843e6f5ef2d1325f9257962f8947b2c204ef4a4457431b136a89819288e3d49ff1c5bc732445f236c7fefca396b2418cb3c89531f298a6a62f11587792c01042f14e7b8832662878d6640327fed04eeccab5c89c1484f7f69f251ca6	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\heozyhewyl\e915ae6b = 84811fffc7548744f07e46d3f99fe08da33d3e21ac9b426ab834d3823cd5554d439bf9e5fbab3f80aee76fad29e17dddd11515e1b13c10d55515e2f4d28e2e231ba980ce8ca1f4821ba467111fb27fbdb6134527b048d17a4bd223778938d14fa63fca1e22d230675faf91b5ab7aa06a2a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\heozyhewyl\2efdfa6b = 45115c0c3087d25ade5dde8249a613c5bdf52f6b378fb8c4ea6963c11b3bc09cc171705aad3e2f8ce3ca6df24d5e5421b6f53d5158e8089361d47633343a4b4f0978f87ab6d57881deb0ea5815d6bd39138d6bc7bfb1769a73d050c2b76afe3f0068e6ab5e0cd0da6d714834327e6e3779545a6a7347cedb37d79221d32d619a7c	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\heozyhewyl\81a3d0f5 = c40404bdc608ad6bc3ff636b28057edff7d7439ecb522ff3ec5d4e93b9990d3d27ac5c6b47163cb8920e9003c64dfecda65d427a5c0cd0ef03386c5c661a4dd8facc1e86b579a1cb93fb6186074c1903dcb028b89a03375e6df2a7a701d45c059597f50f667d8adb83314faac43d9741853e9b1843965f80f71e41f87e7a264b0e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\heozyhewyl\25bfaef5 = c42cc5ce411668afa8af2cf46fd3056777854fccf992fb85ebb710e44c1f258489ed97c59024a05dd6b5cd70309fdaa88d9293b021b1ccd3f64fffca5544baaccda8aebd2adf441e006bea9c86fcfb0179ee61e6c53870511adbe37ca2d96ce3d3e9403c94124d0967c1c894947f6cd9f2aa0f68139c221d4763636b08f2847399	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\heozyhewyl\2438f372 = 461265f5945da2829068471a9cbfd09d4bb9deb0f1823cca63aef5352baf7dbbb9fe24f7982a51a8e1cba6083cb6a90e42455fb152a720c672f3976017f8428cf88e0f71e106114cd733f5d3744a6f466d3067dcde920cd432a7cad113f2d1609e5482db85a241b9d915c2b809769d23f3	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\heozyhewyl\bf3de6a3 = c640de3d5fc0351338cfc78acb02ba3935f5acd24a74de394c34dfdf81e9326ca9942fe3f27faff282056a2c41d5d1d1b9b12bf01c5f4cceb188b91a22ef854c9f9d22e3d887fc86c4e5795a368a4b82f7348c718e221bfd389fc63c57183def3a	wermgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\heozyhewyl	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\heozyhewyl\f65ab540 = 46a949357671ed5611e02e02fd9d6454edf69a5f4ff54d2a2d20a239f1e0786c90883ad99ffa12d2301083650317d8e619640784ec898afbf935e593a9d6114d2af47a581a98adb34da386df365d62d4c92157bffb2ca5e5e4191eab8a7379a625	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\heozyhewyl\3af0b5de = e4aa1004a532f157c072fca1386a71c6cb5e4d335b1fc8716939734c80127e3fb8f307bbb9901777132a7e79f063d84a12d0abd2288cfd6d564b5c5e2d459a9a639a02abe3d7787f6bc26afa1cfb957fcd8cfd856b515d6810f616fb8b570418ca52783856931081884afed30a73399716	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exeMSID6AE.tmprundll32.exewermgr.exe

pid	process
540	msiexec.exe
540	msiexec.exe
3924	MSID6AE.tmp
3924	MSID6AE.tmp
3340	rundll32.exe
3340	rundll32.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe
2312	wermgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	4380	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4380	msiexec.exe
Token: SeSecurityPrivilege	540	msiexec.exe
Token: SeCreateTokenPrivilege	4380	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4380	msiexec.exe
Token: SeLockMemoryPrivilege	4380	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4380	msiexec.exe
Token: SeMachineAccountPrivilege	4380	msiexec.exe
Token: SeTcbPrivilege	4380	msiexec.exe
Token: SeSecurityPrivilege	4380	msiexec.exe
Token: SeTakeOwnershipPrivilege	4380	msiexec.exe
Token: SeLoadDriverPrivilege	4380	msiexec.exe
Token: SeSystemProfilePrivilege	4380	msiexec.exe
Token: SeSystemtimePrivilege	4380	msiexec.exe
Token: SeProfSingleProcessPrivilege	4380	msiexec.exe
Token: SeIncBasePriorityPrivilege	4380	msiexec.exe
Token: SeCreatePagefilePrivilege	4380	msiexec.exe
Token: SeCreatePermanentPrivilege	4380	msiexec.exe
Token: SeBackupPrivilege	4380	msiexec.exe
Token: SeRestorePrivilege	4380	msiexec.exe
Token: SeShutdownPrivilege	4380	msiexec.exe
Token: SeDebugPrivilege	4380	msiexec.exe
Token: SeAuditPrivilege	4380	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4380	msiexec.exe
Token: SeChangeNotifyPrivilege	4380	msiexec.exe
Token: SeRemoteShutdownPrivilege	4380	msiexec.exe
Token: SeUndockPrivilege	4380	msiexec.exe
Token: SeSyncAgentPrivilege	4380	msiexec.exe
Token: SeEnableDelegationPrivilege	4380	msiexec.exe
Token: SeManageVolumePrivilege	4380	msiexec.exe
Token: SeImpersonatePrivilege	4380	msiexec.exe
Token: SeCreateGlobalPrivilege	4380	msiexec.exe
Token: SeCreateTokenPrivilege	4380	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4380	msiexec.exe
Token: SeLockMemoryPrivilege	4380	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4380	msiexec.exe
Token: SeMachineAccountPrivilege	4380	msiexec.exe
Token: SeTcbPrivilege	4380	msiexec.exe
Token: SeSecurityPrivilege	4380	msiexec.exe
Token: SeTakeOwnershipPrivilege	4380	msiexec.exe
Token: SeLoadDriverPrivilege	4380	msiexec.exe
Token: SeSystemProfilePrivilege	4380	msiexec.exe
Token: SeSystemtimePrivilege	4380	msiexec.exe
Token: SeProfSingleProcessPrivilege	4380	msiexec.exe
Token: SeIncBasePriorityPrivilege	4380	msiexec.exe
Token: SeCreatePagefilePrivilege	4380	msiexec.exe
Token: SeCreatePermanentPrivilege	4380	msiexec.exe
Token: SeBackupPrivilege	4380	msiexec.exe
Token: SeRestorePrivilege	4380	msiexec.exe
Token: SeShutdownPrivilege	4380	msiexec.exe
Token: SeDebugPrivilege	4380	msiexec.exe
Token: SeAuditPrivilege	4380	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4380	msiexec.exe
Token: SeChangeNotifyPrivilege	4380	msiexec.exe
Token: SeRemoteShutdownPrivilege	4380	msiexec.exe
Token: SeUndockPrivilege	4380	msiexec.exe
Token: SeSyncAgentPrivilege	4380	msiexec.exe
Token: SeEnableDelegationPrivilege	4380	msiexec.exe
Token: SeManageVolumePrivilege	4380	msiexec.exe
Token: SeImpersonatePrivilege	4380	msiexec.exe
Token: SeCreateGlobalPrivilege	4380	msiexec.exe
Token: SeCreateTokenPrivilege	4380	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4380	msiexec.exe
Token: SeLockMemoryPrivilege	4380	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

4380 msiexec.exe
4380 msiexec.exe

pid	process
4380	msiexec.exe
4380	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

msiexec.exerundll32.exe

description	pid	process	target process
PID 540 wrote to memory of 1100	540	msiexec.exe	MsiExec.exe
PID 540 wrote to memory of 1100	540	msiexec.exe	MsiExec.exe
PID 540 wrote to memory of 1100	540	msiexec.exe	MsiExec.exe
PID 540 wrote to memory of 2256	540	msiexec.exe	srtasks.exe
PID 540 wrote to memory of 2256	540	msiexec.exe	srtasks.exe
PID 540 wrote to memory of 4552	540	msiexec.exe	MsiExec.exe
PID 540 wrote to memory of 4552	540	msiexec.exe	MsiExec.exe
PID 540 wrote to memory of 4552	540	msiexec.exe	MsiExec.exe
PID 540 wrote to memory of 3924	540	msiexec.exe	MSID6AE.tmp
PID 540 wrote to memory of 3924	540	msiexec.exe	MSID6AE.tmp
PID 540 wrote to memory of 3924	540	msiexec.exe	MSID6AE.tmp
PID 3340 wrote to memory of 2312	3340	rundll32.exe	wermgr.exe
PID 3340 wrote to memory of 2312	3340	rundll32.exe	wermgr.exe
PID 3340 wrote to memory of 2312	3340	rundll32.exe	wermgr.exe
PID 3340 wrote to memory of 2312	3340	rundll32.exe	wermgr.exe
PID 3340 wrote to memory of 2312	3340	rundll32.exe	wermgr.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\93a98b919aec23411ae62dba8d0d22f939da45dec19db2b4e7293124d8f1507f.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4380

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 54129ACFD824214D01577CBB3F065C9C C
2⤵
- Loads dropped DLL
PID:1100

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:2256

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C9017A8214087C5ABC3CD256264E22EC
2⤵
- Loads dropped DLL
PID:4552

C:\Windows\Installer\MSID6AE.tmp
"C:\Windows\Installer\MSID6AE.tmp" /HideWindow rundll32 C:\Users\Admin\AppData\Roaming\KROST.dll,hvsi
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3924

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3048

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\KROST.dll,hvsi
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3340

C:\Windows\System32\wermgr.exe
C:\Windows\System32\wermgr.exe
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2312

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57ce7c.rbs
Filesize
1KB

MD5
d993a9cbfc805742c2a831ed4a1ab90a

SHA1
1cc3e218190c6dbe72c1295cceccd0e86e30c3fe

SHA256
b7a4be699533f7c7c745683d22506eb9afc95251756b8f543488999f10e2039b

SHA512
ae49c5b82cd24e9c69cb615ac82ada1c6c823b5169961f216947abbeb05676f80f7a104eb3f4c7cd9ddc5f4d2adff92cd714e9a6616848bd4e305994eb3c5ef5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C42BC945025A34066DAB76EF3F80A05
Filesize
52KB

MD5
5bd63d118df94bdd463bb97b601f2214

SHA1
f59ed4f308754b59dc32f214465e62ec704e01bf

SHA256
d7c9b2da728943f4cf9ca560f6947a008b9911753922bf04fbbe1543378481a3

SHA512
515a1980fb3a46345dc5b68a16ad58f7620019fbf0cd3469e77155f1a418c4813be500e9a448ef976115f4cc7cf6ad7dffc43505d4119b530e3d5f1a8cb217e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
Filesize
727B

MD5
7a3b8457313a521e0d44f91765a4e041

SHA1
4ea8ecb5e7b4c11f4c491caf6cee7ced5ec4c267

SHA256
2b08ecf53bb8b6c430659926148f896102dc80b5f38b0ec5efe122199659651c

SHA512
7349fd1b8c490d540a8bb25f40587f9874ff5d9b1f9bdb2ea69db9218ebdbdccea5e4d6645fbd1098d051b008b1ebfd12a619c3a4d6fb54940705ab14933e159

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C42BC945025A34066DAB76EF3F80A05
Filesize
314B

MD5
184421896466f811b718d5ede308424d

SHA1
126a9d404b7c9182afd9ecdf3141c217a943bf2e

SHA256
ed18b68dd3db705ae0da28f378aae0f62f6f9dd46c0c16a89e4969a964d58f35

SHA512
532d4f01fb8f70bb9d095954f84b6c0e798d63e7913e11adcf2ce82bb3065b2a15dd265cb52a9a8738894cdb6558b3a6389461ebc34217c6ec60005d5e754647

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
Filesize
478B

MD5
6c9871a917e28c18f7ee44bbb558dde6

SHA1
a326dcc3ff77e596e7113f32c56957e3d9a9a4dc

SHA256
bebb182ebe1c14852956d1b427b53dd6287daff4ff978462c1560177d03b93de

SHA512
bb36b088e7ce2afee20817925d6288cb21624828b7e3bcdedada07a64c8540ec416f9ac2315626977a86189105116da402d7e573b5cce439e5b08311e846f147

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI638C.tmp
Filesize
721KB

MD5
5a1f2196056c0a06b79a77ae981c7761

SHA1
a880ae54395658f129e24732800e207ecd0b5603

SHA256
52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

SHA512
9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

Download Submit
C:\Users\Admin\AppData\Roaming\KROST.dll
Filesize
459KB

MD5
0a29918110937641bbe4a2d5ee5e4272

SHA1
7d4a6976c1ece81e01d1f16ac5506266d5210734

SHA256
780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3

SHA512
998a6ee2fa6b345aeea72afaa91add8433e986a2678dbb8995ead786c30bdc00704c39c4857935b20669005b292736d50e1c6ad38901aa1f29db7b6a597fae3f

Download Submit
C:\Windows\Installer\MSID6AE.tmp
Filesize
397KB

MD5
b41e1b0ae2ec215c568c395b0dbb738a

SHA1
90d8e50176a1f4436604468279f29a128723c64b

SHA256
a97e782c5612c1a9c8a56c56a943f6190fa7a73c346566860b519ef02efd0dca

SHA512
828d00ea08aa5c5d28b2e513687ee1ff910670f49f938064682e56da05544ba9d73ba9244f77b5df8acaeeb7b756d62f67e5acbc95bae86b4706f6324c4ccaba

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.7MB

MD5
b23f9585fa0fa67c850b0d9aac57c762

SHA1
748dfd4b9cfae2c5b4c43fb2d2c8a760f0a31630

SHA256
2f6361e898e93562ab28d5a6fbd972d20e884edd6b7b63c974177b889a851a04

SHA512
ab56c5e70482de028c966943055032dbbcd682c33702bf06c47c512e86f34ef5e0fe6bb80ff169a5900743e27727dad392f979e46ee8f42faa72822fe0bed0a4

Download Submit
\??\Volume{ef76cfc2-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{e008560b-af87-4692-9c50-478335ae46e1}_OnDiskSnapshotProp
Filesize
6KB

MD5
4d3355c3152eafc2885984073dadac78

SHA1
632374108f5cf449a95d82ea8394c27365252d48

SHA256
f90ce218383a1bded3d1211cdbbf5a4d1c5c2f088fc8f6be90aa58c5973ea452

SHA512
43f30e6018c8bddc21f489ec851753dfb1e403568a93e85e69d283a66124ae2b5656f169ce8a6dc8c0e5792210f8785694e5e823c146a3e5f71faec1ac3b4c06

Download Submit
memory/2312-109-0x00000145F4680000-0x00000145F46AE000-memory.dmp

Filesize
184KB

Download
memory/2312-108-0x00000145F4680000-0x00000145F46AE000-memory.dmp

Filesize
184KB

Download
memory/2312-114-0x00000145F4680000-0x00000145F46AE000-memory.dmp

Filesize
184KB

Download
memory/2312-89-0x00000145F46B0000-0x00000145F46B2000-memory.dmp

Filesize
8KB

Download
memory/2312-90-0x00000145F4680000-0x00000145F46AE000-memory.dmp

Filesize
184KB

Download
memory/2312-96-0x00000145F4680000-0x00000145F46AE000-memory.dmp

Filesize
184KB

Download
memory/2312-111-0x00000145F4680000-0x00000145F46AE000-memory.dmp

Filesize
184KB

Download
memory/2312-110-0x00000145F4680000-0x00000145F46AE000-memory.dmp

Filesize
184KB

Download
memory/3340-85-0x000001EBE6D90000-0x000001EBE6DBD000-memory.dmp

Filesize
180KB

Download
memory/3340-87-0x0000000180000000-0x000000018002E000-memory.dmp

Filesize
184KB

Download
memory/3340-106-0x0000000180000000-0x000000018002E000-memory.dmp

Filesize
184KB

Download
memory/3340-88-0x0000000180000000-0x000000018002E000-memory.dmp

Filesize
184KB

Download
memory/3340-82-0x000001EBE6DC0000-0x000001EBE6DEF000-memory.dmp

Filesize
188KB

Download
memory/3340-81-0x0000000069140000-0x00000000691BE000-memory.dmp

Filesize
504KB

Download