qakbot | b2372de70a5f34110e015a3a3835cc2eea85a187c2a7380d6c1330e10f8870f2

Analysis

max time kernel
149s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2024 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e88610db05636a1476435ec1f39d3651b080c8a6b8756452d421d7a822a2e115.msi
Size

2.1MB
MD5

723dae8ed3f157e40635681f028328e6
SHA1

aa6dd8df02000fbfc884e687bcafed57f84a83b0
SHA256

e88610db05636a1476435ec1f39d3651b080c8a6b8756452d421d7a822a2e115
SHA512

4e1829bfc470ea8624dee424db34b2b0f965597c1e300ca62f271727a7fd4dc6c90137d5ca8fd227ba3bad26fee2870788f91b00b225d6a626e99e18476473be
SSDEEP

49152:DNGitd+vszAlozTy4g5r8+5eNBADPGXJXrejhJ8I+jELv6:oihTyfIXreNJ8IpT6

Score

10^/10

qakbot tchk07 1702975817 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk07

Campaign

1702975817

116.203.56.11:443

109.107.181.8:443

Attributes

camp_date
2023-12-19 08:50:17 +0000 UTC

Signatures

Detect Qakbot Payload 12 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1912-83-0x0000022DCA320000-0x0000022DCA34F000-memory.dmp	family_qakbot_v5
behavioral2/memory/1912-88-0x0000022DCA2F0000-0x0000022DCA31D000-memory.dmp	family_qakbot_v5
behavioral2/memory/1912-89-0x0000022DCA350000-0x0000022DCA37E000-memory.dmp	family_qakbot_v5
behavioral2/memory/1912-87-0x0000022DCA350000-0x0000022DCA37E000-memory.dmp	family_qakbot_v5
behavioral2/memory/3284-91-0x000001C7FE980000-0x000001C7FE9AE000-memory.dmp	family_qakbot_v5
behavioral2/memory/3284-98-0x000001C7FE980000-0x000001C7FE9AE000-memory.dmp	family_qakbot_v5
behavioral2/memory/1912-97-0x0000022DCA350000-0x0000022DCA37E000-memory.dmp	family_qakbot_v5
behavioral2/memory/3284-113-0x000001C7FE980000-0x000001C7FE9AE000-memory.dmp	family_qakbot_v5
behavioral2/memory/3284-112-0x000001C7FE980000-0x000001C7FE9AE000-memory.dmp	family_qakbot_v5
behavioral2/memory/3284-114-0x000001C7FE980000-0x000001C7FE9AE000-memory.dmp	family_qakbot_v5
behavioral2/memory/3284-115-0x000001C7FE980000-0x000001C7FE9AE000-memory.dmp	family_qakbot_v5
behavioral2/memory/3284-116-0x000001C7FE980000-0x000001C7FE9AE000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Blocklisted process makes network request 4 IoCs

Processes:

msiexec.exe

flow	pid	Process
8	1020	msiexec.exe
9	1020	msiexec.exe
11	1020	msiexec.exe
15	1020	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	Process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Drops file in Windows directory 12 IoCs

Processes:

msiexec.exe

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9C2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBA7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1FDC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e580654.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI80B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI879.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{22742959-614A-4FC5-9C2F-4B7D7AE6105A}	msiexec.exe
File created	C:\Windows\Installer\e580654.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI73E.tmp	msiexec.exe

Executes dropped EXE 1 IoCs

Processes:

MSI1FDC.tmp

pid	Process
1576	MSI1FDC.tmp

Loads dropped DLL 12 IoCs

Processes:

MsiExec.exeMsiExec.exerundll32.exe

pid	Process
2560	MsiExec.exe
2560	MsiExec.exe
2560	MsiExec.exe
2560	MsiExec.exe
2560	MsiExec.exe
2560	MsiExec.exe
2560	MsiExec.exe
4176	MsiExec.exe
4176	MsiExec.exe
4176	MsiExec.exe
4176	MsiExec.exe
1912	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000007d3392e9fd415b840000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800007d3392e90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809007d3392e9000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d7d3392e9000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000007d3392e900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies registry class 10 IoCs

Processes:

wermgr.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\rybkxzfyg	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\rybkxzfyg\bf882a0d = 46916e72f830ac12efdefb3bbd18c50db56cfdc12f606e25bd31ba6b42468917b79ac31678b196edf12d9c05993e031b50d4e7b07d77e3fbe4040636e3dd27dd677efdbbc13b68de13ab2ce8838ab27a6930ea43a6713aa31705e6d6a2b59a967a6725a8408c1dbd24971e6a19b19021b41246bd28dded7f941870dd15678695b4	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\rybkxzfyg\248d3fdc = c6dfc3868664499340e5b7b5a498883edcec8570cc817ee21a39122dbcf8735c9f7a6c9cb851accb5549783ab837748d8dee34af78a1a5463154167aa4635fad7d5e6c89fd414bc3ff4d81adb884dec70f17abfc5d94b0b47828e8b436cb748b0af2566669c316d660bf40e6a1d2b962a2	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\rybkxzfyg\250a625b = 84baa9aa2524f65169aeaf5b38a3defa230b34db16b3074523182920c932f6514591d8258b9deede08444fb1de112b5d425f6a81d70ef69f7799bd3b20a26576710be315418625976406b868afa70b0fd4	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\rybkxzfyg\250a625b = c6dc20c3f14ded468c65f6d5ed6e7aee65680c5c00a4a98d10a72f4f35cf5e920bd9aaf5812a45b86bd4650fa83005f2ddee777620530a005a6d20cc4445ed62d4	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\rybkxzfyg\73222a93 = a65557221663e422ea20129712ce05707f38bbc3c5b8a21053c8557b1a79866a07dff6fabc2baf46d4037b762b28785d33d7d1a21a649f7ac9e0dc6c8cde5f152898003999cbea92230497b38efbd7930c9d9d060e23026e82ee1e6079d901a327059aa8b0f3310501ca834618c4e09b69980d66c700993e05e50f22717a605fe52e3f5a790846c6ad6923d9d309756fa3	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\rybkxzfyg\6dea6c3f = 071356a72c795e36cb07240402bafd6157df745bb2b1464021990a896134fa6b9225b1dceb233bd2f32b48f1d4834fb0686e225f88d9af5370518cbb6c0690ab1296c7c824577b800b4d84be25eac2541fd1c93c24cb8acc2b2a09dea3299670a677c8e6678abdd7a3e4156c15f65055ad	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\rybkxzfyg\a1406ca1 = c776e2a16eeb72e3d1f4162a0575d297e733261c903b974a2c6f63ae48b1e5f92bb307706a4318a6f8ba234b86c6a5086daac3564ce5f3592e5e4e36a0d164b6f29c120c8b42f72aeebafa3a77cc1cb3dc	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\rybkxzfyg\be0f778a = a5cc9181dc6424869ac4a40e75ef0bd5dc3a2ddf106d466c4e6fafca5bc3ce5b9cda7d49e1be2d45a926964fc2101428ee7fb7a1a62b5cf9618fa90ae7a0925e0b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\rybkxzfyg\72a57714 = c7bfdd347d3619d7bca837866a9a77853161b473ea316b2a3d2bed98b6e53ee58f04a2a3a9eb59956d99176b5939a4837c677940e375d6a2330a3182827dc6575a7c5e80320887f3941cc4d8ad7dbdb479dc737fb354a557269cb91c27763251a36fba5b56f77ff81c80892a72a700b4a03eace5e6cfa1436db7cabb3f5db71573	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exeMSI1FDC.tmprundll32.exewermgr.exe

pid	Process
4844	msiexec.exe
4844	msiexec.exe
1576	MSI1FDC.tmp
1576	MSI1FDC.tmp
1912	rundll32.exe
1912	rundll32.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe
3284	wermgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	Process
Token: SeShutdownPrivilege	1020	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1020	msiexec.exe
Token: SeSecurityPrivilege	4844	msiexec.exe
Token: SeCreateTokenPrivilege	1020	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1020	msiexec.exe
Token: SeLockMemoryPrivilege	1020	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1020	msiexec.exe
Token: SeMachineAccountPrivilege	1020	msiexec.exe
Token: SeTcbPrivilege	1020	msiexec.exe
Token: SeSecurityPrivilege	1020	msiexec.exe
Token: SeTakeOwnershipPrivilege	1020	msiexec.exe
Token: SeLoadDriverPrivilege	1020	msiexec.exe
Token: SeSystemProfilePrivilege	1020	msiexec.exe
Token: SeSystemtimePrivilege	1020	msiexec.exe
Token: SeProfSingleProcessPrivilege	1020	msiexec.exe
Token: SeIncBasePriorityPrivilege	1020	msiexec.exe
Token: SeCreatePagefilePrivilege	1020	msiexec.exe
Token: SeCreatePermanentPrivilege	1020	msiexec.exe
Token: SeBackupPrivilege	1020	msiexec.exe
Token: SeRestorePrivilege	1020	msiexec.exe
Token: SeShutdownPrivilege	1020	msiexec.exe
Token: SeDebugPrivilege	1020	msiexec.exe
Token: SeAuditPrivilege	1020	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1020	msiexec.exe
Token: SeChangeNotifyPrivilege	1020	msiexec.exe
Token: SeRemoteShutdownPrivilege	1020	msiexec.exe
Token: SeUndockPrivilege	1020	msiexec.exe
Token: SeSyncAgentPrivilege	1020	msiexec.exe
Token: SeEnableDelegationPrivilege	1020	msiexec.exe
Token: SeManageVolumePrivilege	1020	msiexec.exe
Token: SeImpersonatePrivilege	1020	msiexec.exe
Token: SeCreateGlobalPrivilege	1020	msiexec.exe
Token: SeCreateTokenPrivilege	1020	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1020	msiexec.exe
Token: SeLockMemoryPrivilege	1020	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1020	msiexec.exe
Token: SeMachineAccountPrivilege	1020	msiexec.exe
Token: SeTcbPrivilege	1020	msiexec.exe
Token: SeSecurityPrivilege	1020	msiexec.exe
Token: SeTakeOwnershipPrivilege	1020	msiexec.exe
Token: SeLoadDriverPrivilege	1020	msiexec.exe
Token: SeSystemProfilePrivilege	1020	msiexec.exe
Token: SeSystemtimePrivilege	1020	msiexec.exe
Token: SeProfSingleProcessPrivilege	1020	msiexec.exe
Token: SeIncBasePriorityPrivilege	1020	msiexec.exe
Token: SeCreatePagefilePrivilege	1020	msiexec.exe
Token: SeCreatePermanentPrivilege	1020	msiexec.exe
Token: SeBackupPrivilege	1020	msiexec.exe
Token: SeRestorePrivilege	1020	msiexec.exe
Token: SeShutdownPrivilege	1020	msiexec.exe
Token: SeDebugPrivilege	1020	msiexec.exe
Token: SeAuditPrivilege	1020	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1020	msiexec.exe
Token: SeChangeNotifyPrivilege	1020	msiexec.exe
Token: SeRemoteShutdownPrivilege	1020	msiexec.exe
Token: SeUndockPrivilege	1020	msiexec.exe
Token: SeSyncAgentPrivilege	1020	msiexec.exe
Token: SeEnableDelegationPrivilege	1020	msiexec.exe
Token: SeManageVolumePrivilege	1020	msiexec.exe
Token: SeImpersonatePrivilege	1020	msiexec.exe
Token: SeCreateGlobalPrivilege	1020	msiexec.exe
Token: SeCreateTokenPrivilege	1020	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1020	msiexec.exe
Token: SeLockMemoryPrivilege	1020	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid	Process
1020	msiexec.exe
1020	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

msiexec.exerundll32.exe

description	pid	Process	procid_target
PID 4844 wrote to memory of 2560	4844	msiexec.exe	90
PID 4844 wrote to memory of 2560	4844	msiexec.exe	90
PID 4844 wrote to memory of 2560	4844	msiexec.exe	90
PID 4844 wrote to memory of 2116	4844	msiexec.exe	101
PID 4844 wrote to memory of 2116	4844	msiexec.exe	101
PID 4844 wrote to memory of 4176	4844	msiexec.exe	103
PID 4844 wrote to memory of 4176	4844	msiexec.exe	103
PID 4844 wrote to memory of 4176	4844	msiexec.exe	103
PID 4844 wrote to memory of 1576	4844	msiexec.exe	104
PID 4844 wrote to memory of 1576	4844	msiexec.exe	104
PID 4844 wrote to memory of 1576	4844	msiexec.exe	104
PID 1912 wrote to memory of 3284	1912	rundll32.exe	106
PID 1912 wrote to memory of 3284	1912	rundll32.exe	106
PID 1912 wrote to memory of 3284	1912	rundll32.exe	106
PID 1912 wrote to memory of 3284	1912	rundll32.exe	106
PID 1912 wrote to memory of 3284	1912	rundll32.exe	106

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e88610db05636a1476435ec1f39d3651b080c8a6b8756452d421d7a822a2e115.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1020

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9267D50B24B714AE990214395539D225 C
  2⤵
  - Loads dropped DLL
  PID:2560
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2116
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding EB45A7BE4E0B8AEC0889125F48EE0081
  2⤵
  - Loads dropped DLL
  PID:4176
- C:\Windows\Installer\MSI1FDC.tmp
  "C:\Windows\Installer\MSI1FDC.tmp" /HideWindow rundll32 C:\Users\Admin\AppData\Roaming\AdobeAC.dll,EditOwnerInfo
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1576

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2188

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\AdobeAC.dll,EditOwnerInfo
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\System32\wermgr.exe
  C:\Windows\System32\wermgr.exe
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e580655.rbs

Filesize
1KB

MD5
64be7cba38d375eccce71803b4ee7ac5

SHA1
8b993689cf8e148bc59496a55b171b984b1920be

SHA256
35c3d00c2851e7fded1114116050978d88eb2fab2d07d7f6884e509a46bbcf4f

SHA512
3d37068ed87bc64d2c55af6113352a09752a598b9117c96f001a756f52017b6c2234362c4a09363740a09485c03dac7922e818727ca193e4fbb3f429047a8024

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C42BC945025A34066DAB76EF3F80A05

Filesize
52KB

MD5
5bd63d118df94bdd463bb97b601f2214

SHA1
f59ed4f308754b59dc32f214465e62ec704e01bf

SHA256
d7c9b2da728943f4cf9ca560f6947a008b9911753922bf04fbbe1543378481a3

SHA512
515a1980fb3a46345dc5b68a16ad58f7620019fbf0cd3469e77155f1a418c4813be500e9a448ef976115f4cc7cf6ad7dffc43505d4119b530e3d5f1a8cb217e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1

Filesize
727B

MD5
7a3b8457313a521e0d44f91765a4e041

SHA1
4ea8ecb5e7b4c11f4c491caf6cee7ced5ec4c267

SHA256
2b08ecf53bb8b6c430659926148f896102dc80b5f38b0ec5efe122199659651c

SHA512
7349fd1b8c490d540a8bb25f40587f9874ff5d9b1f9bdb2ea69db9218ebdbdccea5e4d6645fbd1098d051b008b1ebfd12a619c3a4d6fb54940705ab14933e159

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C42BC945025A34066DAB76EF3F80A05

Filesize
314B

MD5
ad14e0d8ee16a9f7460d20b3c892d300

SHA1
3caf051d6a46d3925dfcee77f93120707e9dc876

SHA256
0a58bfa990d80d016241c2e8705f3c9d6c9fbf962f43dd7264195752324c99f5

SHA512
35b0ea0b576a1abc4dea6f276ea415f5d8a0eff6ae0db10aa80e4fec7a7ed984240014adc14eefc58d19b13489bd15a3db5f0132d02eef275ad401603817b518

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1

Filesize
478B

MD5
b394aa0f2e1cb69db89da60949729722

SHA1
82966f8728d13404f5e77d5c25b80ad0403ec121

SHA256
ec3d1231ec1161e17b569c4aa1fe98f409774e4f4f17d221ac36689dd96f0168

SHA512
920ad67a168bb5657d629028fb0af1abc1d4973769ef7e1f21850ce5b9e9b57e692ecad421cbedd555a0dca9560bc6c08e50bddcdb769ed8f21cc8dbeb205503

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8656.tmp

Filesize
721KB

MD5
5a1f2196056c0a06b79a77ae981c7761

SHA1
a880ae54395658f129e24732800e207ecd0b5603

SHA256
52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

SHA512
9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeAC.dll

Filesize
898KB

MD5
88bbf2a743baaf81f7a312be61f90d76

SHA1
3719aabc29d5eb58d5d2d2a37066047c67bfc2c6

SHA256
12094a47a9659b1c2f7c5b36e21d2b0145c9e7b2e79845a437508efa96e5f305

SHA512
b01f955eb5f840e01f1f65d5f19c0963e155b1f8d03b4e0720eccbd397cc9aee9a19a63000719e3cf8f580573a335bd61f39fe1261f44e1d5371a9c695b60b70

Download Submit
C:\Windows\Installer\MSI1FDC.tmp

Filesize
397KB

MD5
b41e1b0ae2ec215c568c395b0dbb738a

SHA1
90d8e50176a1f4436604468279f29a128723c64b

SHA256
a97e782c5612c1a9c8a56c56a943f6190fa7a73c346566860b519ef02efd0dca

SHA512
828d00ea08aa5c5d28b2e513687ee1ff910670f49f938064682e56da05544ba9d73ba9244f77b5df8acaeeb7b756d62f67e5acbc95bae86b4706f6324c4ccaba

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
8f8b27dfb3d77e391ee13485b7a54ca4

SHA1
1c35767cb59affa088359062f5476a4e48a7ae36

SHA256
938e55b16a6a2cf7c927a89369dc145a624ce778b5172bd5c41e6528b961aaff

SHA512
8554273e88451a2f43d05c592d387458492771b5c3e5adf4abbb5f7c173a48f617ce55ca7d2aefa9cf4cb9b5fb4fe9e2f31aafb9495ca555d1a998dabab234ed

Download Submit
\??\Volume{e992337d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a32ebe6d-eec5-4cc2-85fc-0fd42f0de511}_OnDiskSnapshotProp

Filesize
6KB

MD5
a04b28fbd6cc3da260e8a0cc59ff1295

SHA1
55d969786ab814f8e1075a4a49ce7586481a76bf

SHA256
4861316214641ae226e6c5c5bc6634a2a7e826d97c7787cebd3bcbd87e632e9b

SHA512
9ddd0678669afe7d946b29fe11ee3c48361f48930ee8c974a78e8425853dcd396daafa6b7aabf45ba9cfb370f54093c16de40970e3149272bce814c89ae8a9d9

Download Submit
memory/1912-89-0x0000022DCA350000-0x0000022DCA37E000-memory.dmp

Filesize
184KB

Download
memory/1912-87-0x0000022DCA350000-0x0000022DCA37E000-memory.dmp

Filesize
184KB

Download
memory/1912-97-0x0000022DCA350000-0x0000022DCA37E000-memory.dmp

Filesize
184KB

Download
memory/1912-88-0x0000022DCA2F0000-0x0000022DCA31D000-memory.dmp

Filesize
180KB

Download
memory/1912-83-0x0000022DCA320000-0x0000022DCA34F000-memory.dmp

Filesize
188KB

Download
memory/3284-90-0x000001C7FE9B0000-0x000001C7FE9B2000-memory.dmp

Filesize
8KB

Download
memory/3284-91-0x000001C7FE980000-0x000001C7FE9AE000-memory.dmp

Filesize
184KB

Download
memory/3284-98-0x000001C7FE980000-0x000001C7FE9AE000-memory.dmp

Filesize
184KB

Download
memory/3284-113-0x000001C7FE980000-0x000001C7FE9AE000-memory.dmp

Filesize
184KB

Download
memory/3284-112-0x000001C7FE980000-0x000001C7FE9AE000-memory.dmp

Filesize
184KB

Download
memory/3284-114-0x000001C7FE980000-0x000001C7FE9AE000-memory.dmp

Filesize
184KB

Download
memory/3284-115-0x000001C7FE980000-0x000001C7FE9AE000-memory.dmp

Filesize
184KB

Download
memory/3284-116-0x000001C7FE980000-0x000001C7FE9AE000-memory.dmp

Filesize
184KB

Download