Overview

overview

10

Static

static

1

e88610db05...15.msi

windows7-x64

10

e88610db05...15.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    02-04-2024 13:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e88610db05636a1476435ec1f39d3651b080c8a6b8756452d421d7a822a2e115.msi

  • Size

    2.1MB

  • MD5

    723dae8ed3f157e40635681f028328e6

  • SHA1

    aa6dd8df02000fbfc884e687bcafed57f84a83b0

  • SHA256

    e88610db05636a1476435ec1f39d3651b080c8a6b8756452d421d7a822a2e115

  • SHA512

    4e1829bfc470ea8624dee424db34b2b0f965597c1e300ca62f271727a7fd4dc6c90137d5ca8fd227ba3bad26fee2870788f91b00b225d6a626e99e18476473be

  • SSDEEP

    49152:DNGitd+vszAlozTy4g5r8+5eNBADPGXJXrejhJ8I+jELv6:oihTyfIXreNJ8IpT6

Score
10/10
qakbottchk071702975817bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk07

Campaign

1702975817

C2

116.203.56.11:443

109.107.181.8:443
Attributes
  • camp_date

    2023-12-19 08:50:17 +0000 UTC

Signatures

  • Detect Qakbot Payload 3 IoCs
  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Blocklisted process makes network request 3 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 12 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 13 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e88610db05636a1476435ec1f39d3651b080c8a6b8756452d421d7a822a2e115.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Loads dropped DLL
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2320
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2284
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 31248EB105D93CAD33DB17ADA5A41B5E C
      2⤵
      • Loads dropped DLL
      PID:2616
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 7DFCB6990E2ECE75D01C2427C9FC63C7
      2⤵
      • Loads dropped DLL
      PID:2944
    • C:\Windows\Installer\MSIE8DD.tmp
      "C:\Windows\Installer\MSIE8DD.tmp" /HideWindow rundll32 C:\Users\Admin\AppData\Roaming\AdobeAC.dll,EditOwnerInfo
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:556
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
      PID:1012
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005C4" "00000000000004AC"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:2080
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\AdobeAC.dll,EditOwnerInfo
      1⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2468
      • C:\Windows\System32\wermgr.exe
        C:\Windows\System32\wermgr.exe
        2⤵
          PID:2448

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      Peripheral Device Discovery

      1
      T1120

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Config.Msi\f76cbe9.rbs
        Filesize

        1KB

        MD5

        76a04095c1bf9f6f86e5fb2c33174b6b

        SHA1

        dfc6526eb345a6ff653549ef430f1040662ba4cf

        SHA256

        9560393e95843ea4209b3010ab2b591108f12b9b48a9068f42d5ca5d3d97a5be

        SHA512

        29021cdd3b84a6675cdde57505aeab5a85a09f0ff0da9c21c276cd99886bf544b52fb2d26b2e2455c440df8759165a5edb63bb4239a85f35dfb5a32744fc5dba

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07298EE8EBA9732300AE62BDCA6B6898
        Filesize

        1KB

        MD5

        e11e31581aae545302f6176a117b4d95

        SHA1

        743af0529bd032a0f44a83cdd4baa97b7c2ec49a

        SHA256

        2e7bf16cc22485a7bbe2aa8696750761b0ae39be3b2fe9d0cc6d4ef73491425c

        SHA512

        c63aba6ca79c60a92b3bd26d784a5436e45a626022958bf6c194afc380c7bfb01fadf0b772513bbdbd7f1bb73691b0edb2f60b2f235ec9e0b81c427e04fbe451

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8555326CC9661C9937DC5053B6C38763
        Filesize

        1KB

        MD5

        866912c070f1ecacacc2d5bca55ba129

        SHA1

        b7ab3308d1ea4477ba1480125a6fbda936490cbb

        SHA256

        85666a562ee0be5ce925c1d8890a6f76a87ec16d4d7d5f29ea7419cf20123b69

        SHA512

        f91e855e0346ac8c3379129154e01488bb22cff7f6a6df2a80f1671e43c5df8acae36fdf5ee0eb2320f287a681a326b6f1df36e8e37aa5597c4797dd6b43b7cf

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
        Filesize

        68KB

        MD5

        29f65ba8e88c063813cc50a4ea544e93

        SHA1

        05a7040d5c127e68c25d81cc51271ffb8bef3568

        SHA256

        1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

        SHA512

        e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07298EE8EBA9732300AE62BDCA6B6898
        Filesize

        312B

        MD5

        3e99f9b7a516f21e9741fc48a6775663

        SHA1

        621d925cffad9be4415b04b4db6844c986024fd1

        SHA256

        20218fadc1b566e92511648dc5f31bb12c2dd5c0682677ae4ced5b4da85e8628

        SHA512

        7a8a4fa3b4443d6a57338ecc0a8d561d2ff3d0ef4dc6f30f7dc2ef611da25f8651c942df7319e9600f73b4c39fc6f97444105c30e0d5dd55eb4a4412eadd71b7

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8555326CC9661C9937DC5053B6C38763
        Filesize

        326B

        MD5

        4199836805a424917ea8d3a391547f45

        SHA1

        32e3d76cba6aa16c37871a842bd391e698c8d616

        SHA256

        56078c787b6edadd7b2b7f866ced2d21d95b18eb55e80378208b696bf0d6d877

        SHA512

        106c8969afcefa3803d188882e5b22f55f75895de27db32be862f7ba5041bada08f6aa60aa899e2e54dad772020979f575cf76146de3585519f4673fa1df884a

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        8c386bc86fabf2ecb25f11df9f0cdbf5

        SHA1

        0a336eadec80eb9ec96c1f1144e4d507db61a990

        SHA256

        28481c9e71a6d0c7c95fc94b60dd99f84805f3430a4747bd7d58f14e30fdec6a

        SHA512

        7a811f10455395970a2006b0fdc2f8cc96e5c222fc73e102d854e02d9160b347b69b356390590d760be6fc3fea6f25db08d093fa18adfcf2d6229c5ea1316426

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\Cab6DA3.tmp
        Filesize

        65KB

        MD5

        ac05d27423a85adc1622c714f2cb6184

        SHA1

        b0fe2b1abddb97837ea0195be70ab2ff14d43198

        SHA256

        c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

        SHA512

        6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\MSI74DF.tmp
        Filesize

        721KB

        MD5

        5a1f2196056c0a06b79a77ae981c7761

        SHA1

        a880ae54395658f129e24732800e207ecd0b5603

        SHA256

        52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

        SHA512

        9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\Tar6F1D.tmp
        Filesize

        171KB

        MD5

        9c0c641c06238516f27941aa1166d427

        SHA1

        64cd549fb8cf014fcd9312aa7a5b023847b6c977

        SHA256

        4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

        SHA512

        936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\Tar701C.tmp
        Filesize

        177KB

        MD5

        435a9ac180383f9fa094131b173a2f7b

        SHA1

        76944ea657a9db94f9a4bef38f88c46ed4166983

        SHA256

        67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

        SHA512

        1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

        Download Submit
      • C:\Users\Admin\AppData\Roaming\AdobeAC.dll
        Filesize

        898KB

        MD5

        88bbf2a743baaf81f7a312be61f90d76

        SHA1

        3719aabc29d5eb58d5d2d2a37066047c67bfc2c6

        SHA256

        12094a47a9659b1c2f7c5b36e21d2b0145c9e7b2e79845a437508efa96e5f305

        SHA512

        b01f955eb5f840e01f1f65d5f19c0963e155b1f8d03b4e0720eccbd397cc9aee9a19a63000719e3cf8f580573a335bd61f39fe1261f44e1d5371a9c695b60b70

        Download Submit
      • C:\Windows\Installer\MSIE8DD.tmp
        Filesize

        397KB

        MD5

        b41e1b0ae2ec215c568c395b0dbb738a

        SHA1

        90d8e50176a1f4436604468279f29a128723c64b

        SHA256

        a97e782c5612c1a9c8a56c56a943f6190fa7a73c346566860b519ef02efd0dca

        SHA512

        828d00ea08aa5c5d28b2e513687ee1ff910670f49f938064682e56da05544ba9d73ba9244f77b5df8acaeeb7b756d62f67e5acbc95bae86b4706f6324c4ccaba

        Download Submit
      • memory/556-318-0x0000000000160000-0x0000000000162000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2448-333-0x0000000000090000-0x0000000000092000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2468-324-0x0000000000140000-0x000000000016F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/2468-328-0x00000000002F0000-0x000000000031E000-memory.dmp
        Filesize

        184KB

        Download
      • memory/2468-331-0x0000000000110000-0x000000000013D000-memory.dmp
        Filesize

        180KB

        Download