qakbot | 4e18d60d3a74a9eb415dbcd114c0f244b879cbba133ef344c29761270ef0afdb

Analysis

max time kernel
178s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2024 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73472cfc52f2732b933e385ef80b4541191c45c995ce5c42844484c33c9867a3.msi
Size

5.8MB
MD5

483b57478ab379546ae9fbab1c0185fa
SHA1

e76211f214c1bcd7eb4ab21478d11a50c31d5da7
SHA256

73472cfc52f2732b933e385ef80b4541191c45c995ce5c42844484c33c9867a3
SHA512

a06f6a98831454f70413efcb6ca97a96440c07bc65e42a8bbfa6c2a6ae7d5dc666d3b96455acdd98089867b9f5ed0cbd98c69bda1c088eb6f3a6c7d702bcb9c4
SSDEEP

98304:mihTySajXEjCVXrepfrULCZf7ACNQB0zmlwXU8ern7beyN:OjjIzULqpQBv17r3eyN

Score

10^/10

qakbot tchk08 1706710954 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk08

Campaign

1706710954

31.210.173.10:443

185.156.172.62:443

185.113.8.123:443

Attributes

camp_date
2024-01-31 14:22:34 +0000 UTC

Signatures

Detect Qakbot Payload 23 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3332-75-0x000001EE54E00000-0x000001EE54E30000-memory.dmp	family_qakbot_v5
behavioral2/memory/3332-74-0x000001EE54DD0000-0x000001EE54DFD000-memory.dmp	family_qakbot_v5
behavioral2/memory/3332-78-0x000001EE54E30000-0x000001EE54E60000-memory.dmp	family_qakbot_v5
behavioral2/memory/3332-77-0x000001EE54E30000-0x000001EE54E60000-memory.dmp	family_qakbot_v5
behavioral2/memory/3332-73-0x000001EE54E30000-0x000001EE54E60000-memory.dmp	family_qakbot_v5
behavioral2/memory/3332-81-0x000001EE54E30000-0x000001EE54E60000-memory.dmp	family_qakbot_v5
behavioral2/memory/3332-80-0x000001EE54E30000-0x000001EE54E60000-memory.dmp	family_qakbot_v5
behavioral2/memory/3332-82-0x000001EE54E30000-0x000001EE54E60000-memory.dmp	family_qakbot_v5
behavioral2/memory/3332-94-0x000001EE54E30000-0x000001EE54E60000-memory.dmp	family_qakbot_v5
behavioral2/memory/3332-96-0x000001EE54E30000-0x000001EE54E60000-memory.dmp	family_qakbot_v5
behavioral2/memory/880-99-0x000001E066490000-0x000001E0664C0000-memory.dmp	family_qakbot_v5
behavioral2/memory/880-114-0x000001E066490000-0x000001E0664C0000-memory.dmp	family_qakbot_v5
behavioral2/memory/880-116-0x000001E066490000-0x000001E0664C0000-memory.dmp	family_qakbot_v5
behavioral2/memory/880-117-0x000001E066490000-0x000001E0664C0000-memory.dmp	family_qakbot_v5
behavioral2/memory/880-118-0x000001E066490000-0x000001E0664C0000-memory.dmp	family_qakbot_v5
behavioral2/memory/880-115-0x000001E066490000-0x000001E0664C0000-memory.dmp	family_qakbot_v5
behavioral2/memory/880-97-0x000001E066490000-0x000001E0664C0000-memory.dmp	family_qakbot_v5
behavioral2/memory/880-95-0x000001E066490000-0x000001E0664C0000-memory.dmp	family_qakbot_v5
behavioral2/memory/3332-93-0x000001EE54E30000-0x000001EE54E60000-memory.dmp	family_qakbot_v5
behavioral2/memory/880-87-0x000001E066490000-0x000001E0664C0000-memory.dmp	family_qakbot_v5
behavioral2/memory/3332-85-0x000001EE54E30000-0x000001EE54E60000-memory.dmp	family_qakbot_v5
behavioral2/memory/3332-84-0x000001EE54E30000-0x000001EE54E60000-memory.dmp	family_qakbot_v5
behavioral2/memory/3332-83-0x000001EE54E30000-0x000001EE54E60000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Drops file in Windows directory 12 IoCs

Processes:

msiexec.exe

description	ioc	Process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3CE0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3D3F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3D4F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3F44.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI403F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4C75.tmp	msiexec.exe
File created	C:\Windows\Installer\e593c63.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e593c63.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{9685643A-B981-47EB-9EC6-6DFD99114DFA}	msiexec.exe

Executes dropped EXE 1 IoCs

Processes:

MSI403F.tmp

pid	Process
1284	MSI403F.tmp

Loads dropped DLL 13 IoCs

Processes:

MsiExec.exeMsiExec.exerundll32.exe

pid	Process
2344	MsiExec.exe
2344	MsiExec.exe
2344	MsiExec.exe
2344	MsiExec.exe
2344	MsiExec.exe
2344	MsiExec.exe
2344	MsiExec.exe
2344	MsiExec.exe
1792	MsiExec.exe
1792	MsiExec.exe
1792	MsiExec.exe
3332	rundll32.exe
1792	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000db5049eb9f24a4820000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000db5049eb0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900db5049eb000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1ddb5049eb000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000db5049eb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies registry class 11 IoCs

Processes:

wermgr.exe

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\ovitgyedssez\3f4218de = e7cfbe2cfa70bbc1c573a3da84fc6097dac611a8d9dc903d0b553d4735e02801c5f820d45b10e4723e19be8926f43def71eab2bd5c129163d5eb4e457e925387c60c1f0b91cc641d30dca7eafa8f5eee362f883cf484a81e6967901653897d3b6b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\ovitgyedssez\200d03f5 = e5b1c52d3d9070922bf37e431654cbd20bce9a84242e628646deeaabbde31ae0e06e9d50d484f4a8518731f3464de58ab02a823dcf3ed6abb6def46c694e70e35e10927deb8ab4db91679dbc5048e0a5f7	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\ovitgyedssez\ed205eec = 07b955c0d2d5de49fa9e960ab7d99d4ff1289698df09e14b8a8ba8c84e98e1d0113429e439ec761883ad04c0ed4a6b7e56bd4dc66afeb900cf9bb07945ffdb32d3aa528c317a51908d6cf7f9eacd51443dd6c236cbece59be9ff6c31399c7fd002a800134c689c5c1b8395a871311fdfb6	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\ovitgyedssez\76254b3d = c5e5de24b047057160c3a634ef5524ff4a98987e9e3bb1de36f4fc6d6cb446a97cb9819ca5a42cfd12d9941b4b53ef053ee83f60ba0e12ab52734a56adf6edbe59c1ff58cf79deff607a3d03ac3c54a8e5da1a1db31fb0abb0d8c40848a1608e8dc554388313e5c120b0921aecc667091a416583b0b1487e0451162c9140965b9fcaaf60ec1b9add8a79cfc49c5f304b56	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\ovitgyedssez\77a216ba = 472a1f6472b7bb7e933d21b2245adc01427122eac3609500568b6b962ce098e5fe16107cc7e4e735c0364ce3fa5158f5d7e6e0f75bbed9a851120116a423bd85d06ccdf75b2154a45354e3c5382efeab3983ca28d034fa5994263f566c894d6011cc74072e9aab817ae2d307cb863a7efe	wermgr.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\ovitgyedssez	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\ovitgyedssez\218a5e72 = c416b8f44dfe0315c8b6cb82866ac79fd536e50380261bf72419afc6da69b14b342f320802e6d2a80328fa4c4f9a3c71b307a89042391cc686f44b512581b9c630f4a4162285c44d3f9cc04b2080f62e310c75f061d84d2e237b984f92bd1aa07a40f22ac5080a302e3844d623f5dfebd2b0d702b9c999aed304c4a7f258cb3c5ff6ad6c1c6d4178009c84e66a9a8bb6a7734917d3b688083058d50dc9aeccc529df4d2b5133b4d99aef70c82386ff113d8c110630167bb470adf6e3e14046e5b68e9eec80165b04e60e31e2a9add26078	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\ovitgyedssez\48bb7d6b = 27983174003a1248d6b45371013d8e6aa909ffd5ac2345dfbc1edfc28a7c97822478561e8bc2080b0c12830d2f58df8b73b8271922cf07e202aba55e7ceb16c05465491fdabee9561df1ef637516b08d33	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\ovitgyedssez\eca7036b = c4dabb20c8f9c8e055bd18c863d3f2f9bfffe95972ea73f7d807aedbbd5def4757bb5a11d6c397bd9d447a02f61d4db8c323308610a94015fb808ead5955da70fb	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\ovitgyedssez\77a216ba = 64ccfac2b9ef7063af1b1877836a4cb83fcdf9db1a7a8445592104267f6c479c24ddda37897ec1e0d7d4a6127e3b8acbf9ccada52796dc0696513a5b840b29d2f9cf5a7c87811ebb6f0edaabdec1d0fc85	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\ovitgyedssez\f3e81840 = 07da067ebb4e4c9b99760951b8e61b989628bdf55e6d1d941ac542fe8467f7fdc23a3c94b2044074a9bc630e32854b3f30feca02247a5b30554ce5e5c12f47fefb	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exeMSI403F.tmprundll32.exewermgr.exe

pid	Process
1844	msiexec.exe
1844	msiexec.exe
1284	MSI403F.tmp
1284	MSI403F.tmp
3332	rundll32.exe
3332	rundll32.exe
3332	rundll32.exe
3332	rundll32.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe
880	wermgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	Process
Token: SeShutdownPrivilege	2504	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2504	msiexec.exe
Token: SeSecurityPrivilege	1844	msiexec.exe
Token: SeCreateTokenPrivilege	2504	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2504	msiexec.exe
Token: SeLockMemoryPrivilege	2504	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2504	msiexec.exe
Token: SeMachineAccountPrivilege	2504	msiexec.exe
Token: SeTcbPrivilege	2504	msiexec.exe
Token: SeSecurityPrivilege	2504	msiexec.exe
Token: SeTakeOwnershipPrivilege	2504	msiexec.exe
Token: SeLoadDriverPrivilege	2504	msiexec.exe
Token: SeSystemProfilePrivilege	2504	msiexec.exe
Token: SeSystemtimePrivilege	2504	msiexec.exe
Token: SeProfSingleProcessPrivilege	2504	msiexec.exe
Token: SeIncBasePriorityPrivilege	2504	msiexec.exe
Token: SeCreatePagefilePrivilege	2504	msiexec.exe
Token: SeCreatePermanentPrivilege	2504	msiexec.exe
Token: SeBackupPrivilege	2504	msiexec.exe
Token: SeRestorePrivilege	2504	msiexec.exe
Token: SeShutdownPrivilege	2504	msiexec.exe
Token: SeDebugPrivilege	2504	msiexec.exe
Token: SeAuditPrivilege	2504	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2504	msiexec.exe
Token: SeChangeNotifyPrivilege	2504	msiexec.exe
Token: SeRemoteShutdownPrivilege	2504	msiexec.exe
Token: SeUndockPrivilege	2504	msiexec.exe
Token: SeSyncAgentPrivilege	2504	msiexec.exe
Token: SeEnableDelegationPrivilege	2504	msiexec.exe
Token: SeManageVolumePrivilege	2504	msiexec.exe
Token: SeImpersonatePrivilege	2504	msiexec.exe
Token: SeCreateGlobalPrivilege	2504	msiexec.exe
Token: SeCreateTokenPrivilege	2504	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2504	msiexec.exe
Token: SeLockMemoryPrivilege	2504	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2504	msiexec.exe
Token: SeMachineAccountPrivilege	2504	msiexec.exe
Token: SeTcbPrivilege	2504	msiexec.exe
Token: SeSecurityPrivilege	2504	msiexec.exe
Token: SeTakeOwnershipPrivilege	2504	msiexec.exe
Token: SeLoadDriverPrivilege	2504	msiexec.exe
Token: SeSystemProfilePrivilege	2504	msiexec.exe
Token: SeSystemtimePrivilege	2504	msiexec.exe
Token: SeProfSingleProcessPrivilege	2504	msiexec.exe
Token: SeIncBasePriorityPrivilege	2504	msiexec.exe
Token: SeCreatePagefilePrivilege	2504	msiexec.exe
Token: SeCreatePermanentPrivilege	2504	msiexec.exe
Token: SeBackupPrivilege	2504	msiexec.exe
Token: SeRestorePrivilege	2504	msiexec.exe
Token: SeShutdownPrivilege	2504	msiexec.exe
Token: SeDebugPrivilege	2504	msiexec.exe
Token: SeAuditPrivilege	2504	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2504	msiexec.exe
Token: SeChangeNotifyPrivilege	2504	msiexec.exe
Token: SeRemoteShutdownPrivilege	2504	msiexec.exe
Token: SeUndockPrivilege	2504	msiexec.exe
Token: SeSyncAgentPrivilege	2504	msiexec.exe
Token: SeEnableDelegationPrivilege	2504	msiexec.exe
Token: SeManageVolumePrivilege	2504	msiexec.exe
Token: SeImpersonatePrivilege	2504	msiexec.exe
Token: SeCreateGlobalPrivilege	2504	msiexec.exe
Token: SeCreateTokenPrivilege	2504	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2504	msiexec.exe
Token: SeLockMemoryPrivilege	2504	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid	Process
2504	msiexec.exe
2504	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

msiexec.exerundll32.exe

description	pid	Process	procid_target
PID 1844 wrote to memory of 2344	1844	msiexec.exe	93
PID 1844 wrote to memory of 2344	1844	msiexec.exe	93
PID 1844 wrote to memory of 2344	1844	msiexec.exe	93
PID 1844 wrote to memory of 1000	1844	msiexec.exe	103
PID 1844 wrote to memory of 1000	1844	msiexec.exe	103
PID 1844 wrote to memory of 1792	1844	msiexec.exe	105
PID 1844 wrote to memory of 1792	1844	msiexec.exe	105
PID 1844 wrote to memory of 1792	1844	msiexec.exe	105
PID 1844 wrote to memory of 1284	1844	msiexec.exe	106
PID 1844 wrote to memory of 1284	1844	msiexec.exe	106
PID 1844 wrote to memory of 1284	1844	msiexec.exe	106
PID 3332 wrote to memory of 880	3332	rundll32.exe	109
PID 3332 wrote to memory of 880	3332	rundll32.exe	109
PID 3332 wrote to memory of 880	3332	rundll32.exe	109
PID 3332 wrote to memory of 880	3332	rundll32.exe	109
PID 3332 wrote to memory of 880	3332	rundll32.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\73472cfc52f2732b933e385ef80b4541191c45c995ce5c42844484c33c9867a3.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2504

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E71FB7A567820BC33D385EF456F2BAD5 C
  2⤵
  - Loads dropped DLL
  PID:2344
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1000
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F6770DD38D5E76FCAD56037B9E1906D9
  2⤵
  - Loads dropped DLL
  PID:1792
- C:\Windows\Installer\MSI403F.tmp
  "C:\Windows\Installer\MSI403F.tmp" /HideWindow rundll32 C:\Users\Admin\AppData\Roaming\Acrobat\\MicrosoftOffice15\ClientX64\Acrobat.dll,CfGetPlatformInfo
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1284

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2844

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Acrobat\\MicrosoftOffice15\ClientX64\Acrobat.dll,CfGetPlatformInfo
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Windows\System32\wermgr.exe
  C:\Windows\System32\wermgr.exe
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e593c64.rbs

Filesize
1KB

MD5
d73ac717460e5d576b1d3fdc850a5249

SHA1
941db303c7a09f9f70a7221d41a07d27c1f6d694

SHA256
714f6f96e40d1b2430c7a0cea2dc4b1bac40c657ff730241b8424453d35b61b5

SHA512
0c23a8b5fd4e7bb2919598d27b3db11323bae18a604f0a12d5e83363e00677bd522730c73dd266d8ed1e5a5eea8a51ba06e8bbfab2937dbc5fde9bce3058b25f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF82B.tmp

Filesize
721KB

MD5
5a1f2196056c0a06b79a77ae981c7761

SHA1
a880ae54395658f129e24732800e207ecd0b5603

SHA256
52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

SHA512
9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIFE3B.tmp

Filesize
1.1MB

MD5
25e52c5776a81e0c5ccb9bdd4c808c90

SHA1
e42104ef61ae4760a41552292091eb6a5089ced4

SHA256
0831dbcb3799c9e36ea586582e8ef907dcefeb2045351d6774c7ad0ef02a9af2

SHA512
746570c011e501505ec9d09077519bca1a485b0cac66229be6f4715a91ee52d5cc857de26ad8d7a33806ddfa580d2ba9f77759e3764ea761d327fe2f1e881292

Download Submit
C:\Users\Admin\AppData\Roaming\Acrobat\MicrosoftOffice15\ClientX64\Acrobat.dll

Filesize
922KB

MD5
af7364f14a56ae4234d449ff89a2bb7d

SHA1
ce261d1f31bed80417009fbeb5230be37c34e374

SHA256
a59707803f3d94ed9cb429929c832e9b74ce56071a1c2086949b389539788d8a

SHA512
4c6982a5a11578cdd1b2789628787a8a7f08c86e814dfbe717a1e9cb43060b3f9b888948bdc97bcf207d5dd06398a955cab46f2cfc28761b3be15ef40fbc14de

Download Submit
C:\Windows\Installer\MSI403F.tmp

Filesize
397KB

MD5
b41e1b0ae2ec215c568c395b0dbb738a

SHA1
90d8e50176a1f4436604468279f29a128723c64b

SHA256
a97e782c5612c1a9c8a56c56a943f6190fa7a73c346566860b519ef02efd0dca

SHA512
828d00ea08aa5c5d28b2e513687ee1ff910670f49f938064682e56da05544ba9d73ba9244f77b5df8acaeeb7b756d62f67e5acbc95bae86b4706f6324c4ccaba

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
7e9e18b18d4d16f4b9a81030b89982ff

SHA1
990e59546394e5004b00ba0d0e606817e3f44e48

SHA256
17e2552e2beb8d6acdd20a9e759d1559f5ae9811b06e815386a76cd4a4dd328d

SHA512
e5b8733dd33666ad32b208b669eea318ad7e88ad3dd38a05006c9880109a44f0fb70be32c0983c937794dcd55ebb18b6eca13ae51245a9300f50ee336c14b31d

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\Volume{eb4950db-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{98b4bd23-50e4-4604-81f8-c942391fbcc8}_OnDiskSnapshotProp

Filesize
6KB

MD5
9530559842523ca6b5f748c9575fd710

SHA1
c3229fa723335ac27f0fe48cd8f239051c4bac79

SHA256
223eeb6e1eda1069403d84fdcae949b04671163c8fe8514a835b9e4ed8b5732e

SHA512
3e7879fd7b8b5adcea15fbab12f0388ac03929fad5bb5572502a104881983de260e0e470f915f20c77657343876320dde9a381f957e1ba51b557878888d2cc95

Download Submit
memory/880-87-0x000001E066490000-0x000001E0664C0000-memory.dmp

Filesize
192KB

Download
memory/880-86-0x000001E0664C0000-0x000001E0664C2000-memory.dmp

Filesize
8KB

Download
memory/880-116-0x000001E066490000-0x000001E0664C0000-memory.dmp

Filesize
192KB

Download
memory/880-95-0x000001E066490000-0x000001E0664C0000-memory.dmp

Filesize
192KB

Download
memory/880-97-0x000001E066490000-0x000001E0664C0000-memory.dmp

Filesize
192KB

Download
memory/880-115-0x000001E066490000-0x000001E0664C0000-memory.dmp

Filesize
192KB

Download
memory/880-118-0x000001E066490000-0x000001E0664C0000-memory.dmp

Filesize
192KB

Download
memory/880-117-0x000001E066490000-0x000001E0664C0000-memory.dmp

Filesize
192KB

Download
memory/880-99-0x000001E066490000-0x000001E0664C0000-memory.dmp

Filesize
192KB

Download
memory/880-114-0x000001E066490000-0x000001E0664C0000-memory.dmp

Filesize
192KB

Download
memory/3332-78-0x000001EE54E30000-0x000001EE54E60000-memory.dmp

Filesize
192KB

Download
memory/3332-96-0x000001EE54E30000-0x000001EE54E60000-memory.dmp

Filesize
192KB

Download
memory/3332-94-0x000001EE54E30000-0x000001EE54E60000-memory.dmp

Filesize
192KB

Download
memory/3332-82-0x000001EE54E30000-0x000001EE54E60000-memory.dmp

Filesize
192KB

Download
memory/3332-80-0x000001EE54E30000-0x000001EE54E60000-memory.dmp

Filesize
192KB

Download
memory/3332-81-0x000001EE54E30000-0x000001EE54E60000-memory.dmp

Filesize
192KB

Download
memory/3332-93-0x000001EE54E30000-0x000001EE54E60000-memory.dmp

Filesize
192KB

Download
memory/3332-73-0x000001EE54E30000-0x000001EE54E60000-memory.dmp

Filesize
192KB

Download
memory/3332-77-0x000001EE54E30000-0x000001EE54E60000-memory.dmp

Filesize
192KB

Download
memory/3332-85-0x000001EE54E30000-0x000001EE54E60000-memory.dmp

Filesize
192KB

Download
memory/3332-84-0x000001EE54E30000-0x000001EE54E60000-memory.dmp

Filesize
192KB

Download
memory/3332-83-0x000001EE54E30000-0x000001EE54E60000-memory.dmp

Filesize
192KB

Download
memory/3332-74-0x000001EE54DD0000-0x000001EE54DFD000-memory.dmp

Filesize
180KB

Download
memory/3332-75-0x000001EE54E00000-0x000001EE54E30000-memory.dmp

Filesize
192KB

Download