Overview

overview

10

Static

static

1

93a98b919a...7f.msi

windows7-x64

10

93a98b919a...7f.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    02-04-2024 10:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    93a98b919aec23411ae62dba8d0d22f939da45dec19db2b4e7293124d8f1507f.msi

  • Size

    1.9MB

  • MD5

    82b8bd90e500fb0bf878d6f430c5abec

  • SHA1

    f004c09428f2f18a145212a9e55eef3615858f9c

  • SHA256

    93a98b919aec23411ae62dba8d0d22f939da45dec19db2b4e7293124d8f1507f

  • SHA512

    82b2e997bf5bc0d08ab8dd921aef3e8d620a61c26f86b6f481845ad694d7b97f65dfa42e1c18b83f0f827cad9df69a409b75d96793e5bd7124c26bc7cb07f881

  • SSDEEP

    49152:Ksjitd+vszAlozTy4g5r8+5eNBABxGNvXreD68f:rihTyfcXreO8f

Score
10/10
qakbottchk061702463600bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk06

Campaign

1702463600

C2

45.138.74.191:443

65.108.218.24:443
Attributes
  • camp_date

    2023-12-13 10:33:20 +0000 UTC

Signatures

  • Detect Qakbot Payload 12 IoCs
  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Blocklisted process makes network request 3 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 12 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 11 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\93a98b919aec23411ae62dba8d0d22f939da45dec19db2b4e7293124d8f1507f.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2368
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1776
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 56D042A85CA163DCDF4B71DD20270003 C
      2⤵
      • Loads dropped DLL
      PID:324
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding E99FC1C77D0E5F914674E9B7EB38BBD9
      2⤵
      • Loads dropped DLL
      PID:2848
    • C:\Windows\Installer\MSI5D8F.tmp
      "C:\Windows\Installer\MSI5D8F.tmp" /HideWindow rundll32 C:\Users\Admin\AppData\Roaming\KROST.dll,hvsi
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2492
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
      PID:1484
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003B0" "0000000000000590"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:2260
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\KROST.dll,hvsi
      1⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3056
      • C:\Windows\System32\wermgr.exe
        C:\Windows\System32\wermgr.exe
        2⤵
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        PID:2692

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\f765360.rbs
      Filesize

      1KB

      MD5

      b31153afa087bc20d239637b3b1cec2e

      SHA1

      75f73e9dda7edca45c3a695b9b380ddeb767fc60

      SHA256

      466786583fe5ca35a1e49bf3baf4036740ec4c448ad22a29f3607a9730f915c2

      SHA512

      c3800754dc4e51a4dc37fd5069197fb4086c1e729c4cc162268f7e7ef85fb1f9a39c01f9da78edf7683b7cbd6bc3bcb6dd8117f6cc56daeee28e4108be4117fe

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8555326CC9661C9937DC5053B6C38763
      Filesize

      1KB

      MD5

      866912c070f1ecacacc2d5bca55ba129

      SHA1

      b7ab3308d1ea4477ba1480125a6fbda936490cbb

      SHA256

      85666a562ee0be5ce925c1d8890a6f76a87ec16d4d7d5f29ea7419cf20123b69

      SHA512

      f91e855e0346ac8c3379129154e01488bb22cff7f6a6df2a80f1671e43c5df8acae36fdf5ee0eb2320f287a681a326b6f1df36e8e37aa5597c4797dd6b43b7cf

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8555326CC9661C9937DC5053B6C38763
      Filesize

      326B

      MD5

      870f57134696617d8dddea2837d31d1d

      SHA1

      3bd1ed9a36a2399768e88e5e4fcc6035a6af2cde

      SHA256

      38c00d97ba747406deddcf3418fae661b8ad00d5dd5fec32b81f90ec27f4ba78

      SHA512

      4ad865bb00a908fb148e3a9a2859f5ab60b56ab076fffa7c5dd259d43be1b4c09a4315361eca28044e719d2f22e3adccafb43248adc89021e8aecbf519c283dd

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      c325cf01b4eaf5fe655defcf89a392b8

      SHA1

      53331484337491fbc8bbb5e80fed1b61aba2d58a

      SHA256

      3309dfcb0a9f38e2e1e2949d4ddb20564f46037486431b588c1fac764aa9789b

      SHA512

      60cb7ad8ea517f5bfde76c5ae2ad9dd84fe02ae8ac95cf5249b6f32a155e39d0d2914c88d43eb4d9a74bfd1489ead9c269ced0d3e97e9cd5a9f29c71d0596611

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab29B1.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSI2F18.tmp
      Filesize

      721KB

      MD5

      5a1f2196056c0a06b79a77ae981c7761

      SHA1

      a880ae54395658f129e24732800e207ecd0b5603

      SHA256

      52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

      SHA512

      9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar29C4.tmp
      Filesize

      171KB

      MD5

      9c0c641c06238516f27941aa1166d427

      SHA1

      64cd549fb8cf014fcd9312aa7a5b023847b6c977

      SHA256

      4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

      SHA512

      936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar2B8E.tmp
      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

      Download Submit

    • C:\Users\Admin\AppData\Roaming\KROST.dll
      Filesize

      459KB

      MD5

      0a29918110937641bbe4a2d5ee5e4272

      SHA1

      7d4a6976c1ece81e01d1f16ac5506266d5210734

      SHA256

      780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3

      SHA512

      998a6ee2fa6b345aeea72afaa91add8433e986a2678dbb8995ead786c30bdc00704c39c4857935b20669005b292736d50e1c6ad38901aa1f29db7b6a597fae3f

      Download Submit

    • C:\Windows\Installer\MSI5D8F.tmp
      Filesize

      397KB

      MD5

      b41e1b0ae2ec215c568c395b0dbb738a

      SHA1

      90d8e50176a1f4436604468279f29a128723c64b

      SHA256

      a97e782c5612c1a9c8a56c56a943f6190fa7a73c346566860b519ef02efd0dca

      SHA512

      828d00ea08aa5c5d28b2e513687ee1ff910670f49f938064682e56da05544ba9d73ba9244f77b5df8acaeeb7b756d62f67e5acbc95bae86b4706f6324c4ccaba

      Download Submit

    • memory/2492-313-0x00000000001A0000-0x00000000001A2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2692-328-0x0000000000060000-0x000000000008E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/2692-353-0x0000000000060000-0x000000000008E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/2692-356-0x0000000000060000-0x000000000008E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/2692-354-0x0000000000060000-0x000000000008E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/2692-355-0x0000000000060000-0x000000000008E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/2692-327-0x0000000000090000-0x0000000000092000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2692-352-0x0000000000060000-0x000000000008E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/2692-335-0x0000000000060000-0x000000000008E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/3056-336-0x0000000180000000-0x000000018002E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/3056-320-0x00000000002C0000-0x00000000002EF000-memory.dmp

      Filesize

      188KB

      Download

    • memory/3056-319-0x0000000069140000-0x00000000691BE000-memory.dmp

      Filesize

      504KB

      Download

    • memory/3056-326-0x0000000180000000-0x000000018002E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/3056-322-0x0000000000290000-0x00000000002BD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/3056-325-0x0000000180000000-0x000000018002E000-memory.dmp

      Filesize

      184KB

      Download