qakbot | c3a8ed0e971bbb1343a29ec788de75657f5f5111ab344b0374289f6c4a3ea2ab

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2024 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93a98b919aec23411ae62dba8d0d22f939da45dec19db2b4e7293124d8f1507f.msi
Size

1.9MB
MD5

82b8bd90e500fb0bf878d6f430c5abec
SHA1

f004c09428f2f18a145212a9e55eef3615858f9c
SHA256

93a98b919aec23411ae62dba8d0d22f939da45dec19db2b4e7293124d8f1507f
SHA512

82b2e997bf5bc0d08ab8dd921aef3e8d620a61c26f86b6f481845ad694d7b97f65dfa42e1c18b83f0f827cad9df69a409b75d96793e5bd7124c26bc7cb07f881
SSDEEP

49152:Ksjitd+vszAlozTy4g5r8+5eNBABxGNvXreD68f:rihTyfcXreO8f

Score

10^/10

qakbot tchk06 1702463600 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk06

Campaign

1702463600

45.138.74.191:443

65.108.218.24:443

Attributes

camp_date
2023-12-13 10:33:20 +0000 UTC

Signatures

Detect Qakbot Payload 12 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2704-82-0x000001CF50F40000-0x000001CF50F6F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2704-83-0x000001CF50F10000-0x000001CF50F3D000-memory.dmp	family_qakbot_v5
behavioral2/memory/2704-87-0x0000000180000000-0x000000018002E000-memory.dmp	family_qakbot_v5
behavioral2/memory/2704-88-0x0000000180000000-0x000000018002E000-memory.dmp	family_qakbot_v5
behavioral2/memory/2608-90-0x0000018170C60000-0x0000018170C8E000-memory.dmp	family_qakbot_v5
behavioral2/memory/2608-96-0x0000018170C60000-0x0000018170C8E000-memory.dmp	family_qakbot_v5
behavioral2/memory/2704-106-0x0000000180000000-0x000000018002E000-memory.dmp	family_qakbot_v5
behavioral2/memory/2608-110-0x0000018170C60000-0x0000018170C8E000-memory.dmp	family_qakbot_v5
behavioral2/memory/2608-111-0x0000018170C60000-0x0000018170C8E000-memory.dmp	family_qakbot_v5
behavioral2/memory/2608-112-0x0000018170C60000-0x0000018170C8E000-memory.dmp	family_qakbot_v5
behavioral2/memory/2608-113-0x0000018170C60000-0x0000018170C8E000-memory.dmp	family_qakbot_v5
behavioral2/memory/2608-114-0x0000018170C60000-0x0000018170C8E000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Blocklisted process makes network request 3 IoCs

Processes:

msiexec.exe

flow	pid	Process
4	436	msiexec.exe
6	436	msiexec.exe
10	436	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Drops file in Windows directory 12 IoCs

Processes:

msiexec.exe

description	ioc	Process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{E42164EE-5510-4BB6-BA12-B7664EFD3B05}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7C57.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9281.tmp	msiexec.exe
File created	C:\Windows\Installer\e577a60.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7BAA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7AFC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7B8A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7D81.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e577a60.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Executes dropped EXE 1 IoCs

Processes:

MSI9281.tmp

pid	Process
4024	MSI9281.tmp

Loads dropped DLL 12 IoCs

Processes:

MsiExec.exeMsiExec.exerundll32.exe

pid	Process
4036	MsiExec.exe
4036	MsiExec.exe
4036	MsiExec.exe
4036	MsiExec.exe
4036	MsiExec.exe
4036	MsiExec.exe
4036	MsiExec.exe
4920	MsiExec.exe
4920	MsiExec.exe
4920	MsiExec.exe
4920	MsiExec.exe
2704	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000005cf4f6141e81f6580000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800005cf4f6140000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809005cf4f614000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d5cf4f614000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005cf4f61400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies registry class 12 IoCs

Processes:

wermgr.exe

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\oydusrwiytfymaq\be9546b0 = c5e5d55b98f10d306d74f3396427a7dd840ca94c086d2bceb97e8f9f9e9f575e7874e23f29c4f204d2ab4ee877b3808980	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\oydusrwiytfymaq\797d12b0 = 47aeee1fbb2d7fed27a5c98bd49b32766f29a8e5891d4a6a27822f5bd0d83a80353120e67804bbe7a1c62fa65a183935b843b69a3340f75667c166caaacd6d91a21800c62135969aea9fd3ff8780e2bdcd017c7d06f227637b6b9c002a0eddb2be69bc0cfa84bae67adc2eecbc0ff977ed23f2692c68f93e5b41f392bc2713e385	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\oydusrwiytfymaq\e93a53ff = a7c2b58fdf998edb40c52782de81480271d32307b99a37545c0fbae600bf490867c18c5c07fb7d6d6b175fcaf8c9b56de26639424b87e1c08301de4e46e30ba1c9f2f5ea61681cee4cbf6d82bbff34d78d4800f1e9715eefa1d0dde4a23fc9812344edc0f6756d21defe25927398322b18	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\oydusrwiytfymaq\bf121b37 = 256409c3b25ed68e13a747b6ad3e9e4aa82da649fb9b89852681ecbaf090953f1ef33caf6faf4c276d4ddef63cbf5b7c3b12eabf260fec5e270268666b902bbba508e5b97027220ab0b4dc702b0c223459944e0ea37b1a1d589df4e38243b494357687c46ffe454d5dfcf38c997d79f3243f83bb912a0fe80afb238b69251575320b1fb80017d9cd92f43d256401304e3f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\oydusrwiytfymaq\a1da5d9b = 076e5a6e3a8a8bc6aa7dba40984c5fe09ef901ff4c780bfd4fe6eca5facaebb3db0c15c7fbda7ed302fbc587ff570e4d53cea57dc64ed9f7a45728d54b0a038a5a37c5624831520d118aa7d0e30fee5a16	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\oydusrwiytfymaq\6d705d05 = a52df596aeb83e408dff8ebabd2b8c6e19c5b8684bf68e977121762826469139d154789c94ea9e0b8d06ae7f290535446b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\oydusrwiytfymaq\d623382e = c4475e0df7b652e31b659feea1a47088d8f72095cfc069a2c702fce3602bae1de9aa2f7880e52e2ce7a252567f614f0fad	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\oydusrwiytfymaq\723f462e = 463d6ad255550aa4fa46cda8349c08e9ac77629ed1da276d9b0055382ac2c83774a960f505b3f35b80aec711f3736e5ac9afb15e66f1e204ff0ae4f34b82d73e515d4e1bae2b2daa30f2117fe25e958fb3d287b825cbf627e105842ac4b2018b5b85ba4e51a8b0aa539a88dca4e9785607c1770edf04f0088c6a4ab1600d63b3f12c45001a4197194add71adb9f8802af1	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\oydusrwiytfymaq\73b81ba9 = a4f33b10d67ea9b19c9323f8d6980a0f712b6e5e6ea047ae58ddb06e3f0083b84286d7d2cf09722af3891a57533f60d3c4	wermgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\oydusrwiytfymaq	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\oydusrwiytfymaq\e93a53ff = c78415a9910537a7eb22c2256ec98b98470694d0fb7bd432de0fc2810255b87419a8c24eb0bbba7f4794ba2358189472605f8aad925e333a70b044c1a53dd29e32530f3b364635a2819d44c08104118b72842a136a4fc5ba0d7d3eafa4f8c9392a17201929dde494fc01e36558c518555a4f9d579e4ceae2109f71927572309e0f67497c8fdb5ab12ccebb9e97efbee002	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\oydusrwiytfymaq\e8bd0e78 = 86bce76bdcc808c4042ecdf5fc28081dcf374628804aafefe50ded329832ec1255120b617a21a84c75ca7e77ea6c27a6725353144d7cd6c1eb30005f16b93388e9	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exeMSI9281.tmprundll32.exewermgr.exe

pid	Process
1396	msiexec.exe
1396	msiexec.exe
4024	MSI9281.tmp
4024	MSI9281.tmp
2704	rundll32.exe
2704	rundll32.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe
2608	wermgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	Process
Token: SeShutdownPrivilege	436	msiexec.exe
Token: SeIncreaseQuotaPrivilege	436	msiexec.exe
Token: SeSecurityPrivilege	1396	msiexec.exe
Token: SeCreateTokenPrivilege	436	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	436	msiexec.exe
Token: SeLockMemoryPrivilege	436	msiexec.exe
Token: SeIncreaseQuotaPrivilege	436	msiexec.exe
Token: SeMachineAccountPrivilege	436	msiexec.exe
Token: SeTcbPrivilege	436	msiexec.exe
Token: SeSecurityPrivilege	436	msiexec.exe
Token: SeTakeOwnershipPrivilege	436	msiexec.exe
Token: SeLoadDriverPrivilege	436	msiexec.exe
Token: SeSystemProfilePrivilege	436	msiexec.exe
Token: SeSystemtimePrivilege	436	msiexec.exe
Token: SeProfSingleProcessPrivilege	436	msiexec.exe
Token: SeIncBasePriorityPrivilege	436	msiexec.exe
Token: SeCreatePagefilePrivilege	436	msiexec.exe
Token: SeCreatePermanentPrivilege	436	msiexec.exe
Token: SeBackupPrivilege	436	msiexec.exe
Token: SeRestorePrivilege	436	msiexec.exe
Token: SeShutdownPrivilege	436	msiexec.exe
Token: SeDebugPrivilege	436	msiexec.exe
Token: SeAuditPrivilege	436	msiexec.exe
Token: SeSystemEnvironmentPrivilege	436	msiexec.exe
Token: SeChangeNotifyPrivilege	436	msiexec.exe
Token: SeRemoteShutdownPrivilege	436	msiexec.exe
Token: SeUndockPrivilege	436	msiexec.exe
Token: SeSyncAgentPrivilege	436	msiexec.exe
Token: SeEnableDelegationPrivilege	436	msiexec.exe
Token: SeManageVolumePrivilege	436	msiexec.exe
Token: SeImpersonatePrivilege	436	msiexec.exe
Token: SeCreateGlobalPrivilege	436	msiexec.exe
Token: SeCreateTokenPrivilege	436	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	436	msiexec.exe
Token: SeLockMemoryPrivilege	436	msiexec.exe
Token: SeIncreaseQuotaPrivilege	436	msiexec.exe
Token: SeMachineAccountPrivilege	436	msiexec.exe
Token: SeTcbPrivilege	436	msiexec.exe
Token: SeSecurityPrivilege	436	msiexec.exe
Token: SeTakeOwnershipPrivilege	436	msiexec.exe
Token: SeLoadDriverPrivilege	436	msiexec.exe
Token: SeSystemProfilePrivilege	436	msiexec.exe
Token: SeSystemtimePrivilege	436	msiexec.exe
Token: SeProfSingleProcessPrivilege	436	msiexec.exe
Token: SeIncBasePriorityPrivilege	436	msiexec.exe
Token: SeCreatePagefilePrivilege	436	msiexec.exe
Token: SeCreatePermanentPrivilege	436	msiexec.exe
Token: SeBackupPrivilege	436	msiexec.exe
Token: SeRestorePrivilege	436	msiexec.exe
Token: SeShutdownPrivilege	436	msiexec.exe
Token: SeDebugPrivilege	436	msiexec.exe
Token: SeAuditPrivilege	436	msiexec.exe
Token: SeSystemEnvironmentPrivilege	436	msiexec.exe
Token: SeChangeNotifyPrivilege	436	msiexec.exe
Token: SeRemoteShutdownPrivilege	436	msiexec.exe
Token: SeUndockPrivilege	436	msiexec.exe
Token: SeSyncAgentPrivilege	436	msiexec.exe
Token: SeEnableDelegationPrivilege	436	msiexec.exe
Token: SeManageVolumePrivilege	436	msiexec.exe
Token: SeImpersonatePrivilege	436	msiexec.exe
Token: SeCreateGlobalPrivilege	436	msiexec.exe
Token: SeCreateTokenPrivilege	436	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	436	msiexec.exe
Token: SeLockMemoryPrivilege	436	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid	Process
436	msiexec.exe
436	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

msiexec.exerundll32.exe

description	pid	Process	procid_target
PID 1396 wrote to memory of 4036	1396	msiexec.exe	87
PID 1396 wrote to memory of 4036	1396	msiexec.exe	87
PID 1396 wrote to memory of 4036	1396	msiexec.exe	87
PID 1396 wrote to memory of 4780	1396	msiexec.exe	94
PID 1396 wrote to memory of 4780	1396	msiexec.exe	94
PID 1396 wrote to memory of 4920	1396	msiexec.exe	96
PID 1396 wrote to memory of 4920	1396	msiexec.exe	96
PID 1396 wrote to memory of 4920	1396	msiexec.exe	96
PID 1396 wrote to memory of 4024	1396	msiexec.exe	100
PID 1396 wrote to memory of 4024	1396	msiexec.exe	100
PID 1396 wrote to memory of 4024	1396	msiexec.exe	100
PID 2704 wrote to memory of 2608	2704	rundll32.exe	102
PID 2704 wrote to memory of 2608	2704	rundll32.exe	102
PID 2704 wrote to memory of 2608	2704	rundll32.exe	102
PID 2704 wrote to memory of 2608	2704	rundll32.exe	102
PID 2704 wrote to memory of 2608	2704	rundll32.exe	102

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\93a98b919aec23411ae62dba8d0d22f939da45dec19db2b4e7293124d8f1507f.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:436

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 400ADC6E4BD7730BBB05CF331A7351C6 C
  2⤵
  - Loads dropped DLL
  PID:4036
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4780
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 40898F9D5B907332C89A89094C453648
  2⤵
  - Loads dropped DLL
  PID:4920
- C:\Windows\Installer\MSI9281.tmp
  "C:\Windows\Installer\MSI9281.tmp" /HideWindow rundll32 C:\Users\Admin\AppData\Roaming\KROST.dll,hvsi
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4024

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3036

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\KROST.dll,hvsi
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\System32\wermgr.exe
  C:\Windows\System32\wermgr.exe
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e577a61.rbs

Filesize
1KB

MD5
b60599cb8cf80a8740d85d7dd6a98071

SHA1
bacedb67b416e23cd412083cb12a444eeb90031e

SHA256
d5e6e62f11d8e166cdd8cfd328e06ae53f48022843ee6a42fe8f5865aa1837d8

SHA512
b5b3303757975862a4cc88ca1f88f5fc7c0565a64eaf8eac7e8f1efab53e6715d8a64729f2bfa10801b4e805bcd0431da92e79ba18bbce762c6dde7c58cf2d6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C42BC945025A34066DAB76EF3F80A05

Filesize
52KB

MD5
5bd63d118df94bdd463bb97b601f2214

SHA1
f59ed4f308754b59dc32f214465e62ec704e01bf

SHA256
d7c9b2da728943f4cf9ca560f6947a008b9911753922bf04fbbe1543378481a3

SHA512
515a1980fb3a46345dc5b68a16ad58f7620019fbf0cd3469e77155f1a418c4813be500e9a448ef976115f4cc7cf6ad7dffc43505d4119b530e3d5f1a8cb217e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1

Filesize
727B

MD5
7a3b8457313a521e0d44f91765a4e041

SHA1
4ea8ecb5e7b4c11f4c491caf6cee7ced5ec4c267

SHA256
2b08ecf53bb8b6c430659926148f896102dc80b5f38b0ec5efe122199659651c

SHA512
7349fd1b8c490d540a8bb25f40587f9874ff5d9b1f9bdb2ea69db9218ebdbdccea5e4d6645fbd1098d051b008b1ebfd12a619c3a4d6fb54940705ab14933e159

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C42BC945025A34066DAB76EF3F80A05

Filesize
314B

MD5
5808c36f100e517f5968cfe97f67ec27

SHA1
f526e102411fbde170efe7daa2e5eee2484ac79b

SHA256
df0fbac4c3e84cf132c52a9b3cd787c683a117f41e2aad6b286fe7986696f354

SHA512
2637b35d56b781e8e3c650ec64748061147e809d77a8c272212ace63a9c15952d1b53f166affcac191df21825efc913b250088b05b21145525266767a36d0920

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1

Filesize
478B

MD5
14e914ba792b2ed094fcb363105efa1d

SHA1
f7d0f47f19521b7febe132b91d0eb7242d0c484b

SHA256
4c0c4bc7ab9efb0f832df5f8e3655ac4016432abe8d9690cd08167c6c4f153bf

SHA512
62a09c9d375f35ffd4812d805cf8000524261227774d0d3d55872b52d78b0b617aad5fd311118189e5068f3c5cc66f48c386e6a77b837a8153ab4524a7bab171

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4B03.tmp

Filesize
721KB

MD5
5a1f2196056c0a06b79a77ae981c7761

SHA1
a880ae54395658f129e24732800e207ecd0b5603

SHA256
52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

SHA512
9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

Download Submit
C:\Users\Admin\AppData\Roaming\KROST.dll

Filesize
459KB

MD5
0a29918110937641bbe4a2d5ee5e4272

SHA1
7d4a6976c1ece81e01d1f16ac5506266d5210734

SHA256
780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3

SHA512
998a6ee2fa6b345aeea72afaa91add8433e986a2678dbb8995ead786c30bdc00704c39c4857935b20669005b292736d50e1c6ad38901aa1f29db7b6a597fae3f

Download Submit
C:\Windows\Installer\MSI9281.tmp

Filesize
397KB

MD5
b41e1b0ae2ec215c568c395b0dbb738a

SHA1
90d8e50176a1f4436604468279f29a128723c64b

SHA256
a97e782c5612c1a9c8a56c56a943f6190fa7a73c346566860b519ef02efd0dca

SHA512
828d00ea08aa5c5d28b2e513687ee1ff910670f49f938064682e56da05544ba9d73ba9244f77b5df8acaeeb7b756d62f67e5acbc95bae86b4706f6324c4ccaba

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
cd2dda92a5a361980f364b13c69c8c27

SHA1
83c9a5683c2ae417c6c8b8dfa0d2c06b898879e4

SHA256
4fc42f709427ea626256dba07eee27e9e52d65d38d8e6a1042ab1c00bce4cb21

SHA512
13442b69986113946855d92120f37e9e6f0915ca276e0cce0200ea0e0549e89f97ce9883974f46d7bf1b2dd9d18d56a4e636f6358c30bae387f51626f5af8328

Download Submit
\??\Volume{14f6f45c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{43096f6f-fd14-4599-a0f9-90722c86a4f8}_OnDiskSnapshotProp

Filesize
6KB

MD5
62e14be3180c07e1a56e29c70ad793a1

SHA1
d977459a19c854b22e3236732c473f582a3edfad

SHA256
8a0d9ab0b86e8519e9f3f68620d5a57fed632b988bea56ba3cb20ef76b67d5a0

SHA512
30ab2c5fe9b78ab939ed833561c9c0e3840fa75b8446dd7a2981087c4bfa21505451c0910fdd96e0bc542fe0d50f6079b92dd7852d5c761443ee3b0458cd5382

Download Submit
memory/2608-111-0x0000018170C60000-0x0000018170C8E000-memory.dmp

Filesize
184KB

Download
memory/2608-110-0x0000018170C60000-0x0000018170C8E000-memory.dmp

Filesize
184KB

Download
memory/2608-114-0x0000018170C60000-0x0000018170C8E000-memory.dmp

Filesize
184KB

Download
memory/2608-89-0x0000018170C90000-0x0000018170C92000-memory.dmp

Filesize
8KB

Download
memory/2608-90-0x0000018170C60000-0x0000018170C8E000-memory.dmp

Filesize
184KB

Download
memory/2608-96-0x0000018170C60000-0x0000018170C8E000-memory.dmp

Filesize
184KB

Download
memory/2608-113-0x0000018170C60000-0x0000018170C8E000-memory.dmp

Filesize
184KB

Download
memory/2608-112-0x0000018170C60000-0x0000018170C8E000-memory.dmp

Filesize
184KB

Download
memory/2704-83-0x000001CF50F10000-0x000001CF50F3D000-memory.dmp

Filesize
180KB

Download
memory/2704-87-0x0000000180000000-0x000000018002E000-memory.dmp

Filesize
184KB

Download
memory/2704-106-0x0000000180000000-0x000000018002E000-memory.dmp

Filesize
184KB

Download
memory/2704-88-0x0000000180000000-0x000000018002E000-memory.dmp

Filesize
184KB

Download
memory/2704-82-0x000001CF50F40000-0x000001CF50F6F000-memory.dmp

Filesize
188KB

Download
memory/2704-81-0x0000000069140000-0x00000000691BE000-memory.dmp

Filesize
504KB

Download