Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-04-2024 13:10

Static task: static1

Behavioral task: behavioral1
Sample: e88610db05636a1476435ec1f39d3651b080c8a6b8756452d421d7a822a2e115.msi
Resource: win7-20240221-en
General
Target: e88610db05636a1476435ec1f39d3651b080c8a6b8756452d421d7a822a2e115.msi
Size: 2.1MB
MD5: 723dae8ed3f157e40635681f028328e6
SHA1: aa6dd8df02000fbfc884e687bcafed57f84a83b0
SHA256: e88610db05636a1476435ec1f39d3651b080c8a6b8756452d421d7a822a2e115
SHA512: 4e1829bfc470ea8624dee424db34b2b0f965597c1e300ca62f271727a7fd4dc6c90137d5ca8fd227ba3bad26fee2870788f91b00b225d6a626e99e18476473be
SSDEEP: 49152:DNGitd+vszAlozTy4g5r8+5eNBADPGXJXrejhJ8I+jELv6:oihTyfIXreNJ8IpT6
Malware Config
Extracted
qakbot
tchk07
1702975817
116.203.56.11:443
109.107.181.8:443
camp_date: 2023-12-19 08:50:17 +0000 UTC
Signatures
-
Detect Qakbot Payload 12 IoCs
resource yara_rule
behavioral2/memory/216-90-0x0000015E1B3A0000-0x0000015E1B3CD000-memory.dmp family_qakbot_v5
behavioral2/memory/216-91-0x0000015E1B400000-0x0000015E1B42E000-memory.dmp family_qakbot_v5
behavioral2/memory/216-89-0x0000015E1B400000-0x0000015E1B42E000-memory.dmp family_qakbot_v5
behavioral2/memory/216-85-0x0000015E1B3D0000-0x0000015E1B3FF000-memory.dmp family_qakbot_v5
behavioral2/memory/2780-93-0x00000234A75A0000-0x00000234A75CE000-memory.dmp family_qakbot_v5
behavioral2/memory/216-100-0x0000015E1B400000-0x0000015E1B42E000-memory.dmp family_qakbot_v5
behavioral2/memory/2780-99-0x00000234A75A0000-0x00000234A75CE000-memory.dmp family_qakbot_v5
behavioral2/memory/2780-114-0x00000234A75A0000-0x00000234A75CE000-memory.dmp family_qakbot_v5
behavioral2/memory/2780-115-0x00000234A75A0000-0x00000234A75CE000-memory.dmp family_qakbot_v5
behavioral2/memory/2780-116-0x00000234A75A0000-0x00000234A75CE000-memory.dmp family_qakbot_v5
behavioral2/memory/2780-117-0x00000234A75A0000-0x00000234A75CE000-memory.dmp family_qakbot_v5
behavioral2/memory/2780-118-0x00000234A75A0000-0x00000234A75CE000-memory.dmp family_qakbot_v5
Blocklisted process makes network request 4 IoCs
flow pid Process
5 2008 msiexec.exe
8 2008 msiexec.exe
11 2008 msiexec.exe
16 2008 msiexec.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\X: msiexec.exe
File opened (read-only) \??\B: msiexec.exe
File opened (read-only) \??\R: msiexec.exe
File opened (read-only) \??\B: msiexec.exe
File opened (read-only) \??\L: msiexec.exe
File opened (read-only) \??\M: msiexec.exe
File opened (read-only) \??\I: msiexec.exe
File opened (read-only) \??\K: msiexec.exe
File opened (read-only) \??\P: msiexec.exe
File opened (read-only) \??\H: msiexec.exe
File opened (read-only) \??\Q: msiexec.exe
File opened (read-only) \??\W: msiexec.exe
File opened (read-only) \??\Z: msiexec.exe
File opened (read-only) \??\Z: msiexec.exe
File opened (read-only) \??\N: msiexec.exe
File opened (read-only) \??\T: msiexec.exe
File opened (read-only) \??\A: msiexec.exe
File opened (read-only) \??\L: msiexec.exe
File opened (read-only) \??\M: msiexec.exe
File opened (read-only) \??\O: msiexec.exe
File opened (read-only) \??\T: msiexec.exe
File opened (read-only) \??\U: msiexec.exe
File opened (read-only) \??\I: msiexec.exe
File opened (read-only) \??\K: msiexec.exe
File opened (read-only) \??\U: msiexec.exe
File opened (read-only) \??\V: msiexec.exe
File opened (read-only) \??\V: msiexec.exe
File opened (read-only) \??\O: msiexec.exe
File opened (read-only) \??\R: msiexec.exe
File opened (read-only) \??\S: msiexec.exe
File opened (read-only) \??\E: msiexec.exe
File opened (read-only) \??\P: msiexec.exe
File opened (read-only) \??\Y: msiexec.exe
File opened (read-only) \??\A: msiexec.exe
File opened (read-only) \??\G: msiexec.exe
File opened (read-only) \??\E: msiexec.exe
File opened (read-only) \??\H: msiexec.exe
File opened (read-only) \??\J: msiexec.exe
File opened (read-only) \??\N: msiexec.exe
File opened (read-only) \??\S: msiexec.exe
File opened (read-only) \??\W: msiexec.exe
File opened (read-only) \??\G: msiexec.exe
File opened (read-only) \??\Q: msiexec.exe
File opened (read-only) \??\X: msiexec.exe
File opened (read-only) \??\J: msiexec.exe
File opened (read-only) \??\Y: msiexec.exe
Drops file in Windows directory 12 IoCs
description ioc Process
File opened for modification C:\Windows\Installer\MSI6BAD.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSI78BF.tmp msiexec.exe
File opened for modification C:\Windows\Installer\e576a24.msi msiexec.exe
File opened for modification C:\Windows\Installer\MSI6AA1.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSI6B2E.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSI6B2F.tmp msiexec.exe
File opened for modification C:\Windows\Installer\ msiexec.exe
File created C:\Windows\Installer\SourceHash{22742959-614A-4FC5-9C2F-4B7D7AE6105A} msiexec.exe
File created C:\Windows\Installer\e576a24.msi msiexec.exe
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe
File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe
File opened for modification C:\Windows\Installer\MSI6C2B.tmp msiexec.exe
Executes dropped EXE 1 IoCs
pid Process
4536 MSI78BF.tmp
Loads dropped DLL 12 IoCs
pid Process
2556 MsiExec.exe
2556 MsiExec.exe
2556 MsiExec.exe
2556 MsiExec.exe
2556 MsiExec.exe
2556 MsiExec.exe
2556 MsiExec.exe
3840 MsiExec.exe
3840 MsiExec.exe
3840 MsiExec.exe
3840 MsiExec.exe
216 rundll32.exe
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache vssvc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache vssvc.exe
Modifies registry class 10 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\impkeylow wermgr.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\impkeylow\11b54d1a wermgr.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\impkeylow\c3d70b28 wermgr.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\impkeylow\dc981003 wermgr.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\impkeylow\479d05d2 wermgr.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\impkeylow\f7d0bb6 wermgr.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\impkeylow\1032109d wermgr.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\impkeylow\dd1f4d84 wermgr.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\impkeylow\461a5855 wermgr.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\impkeylow\479d05d2 wermgr.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1260 msiexec.exe 1260 msiexec.exe 4536 MSI78BF.tmp 4536 MSI78BF.tmp 216 rundll32.exe 216 rundll32.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe 2780 wermgr.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeShutdownPrivilege 2008 msiexec.exe
Token: SeIncreaseQuotaPrivilege 2008 msiexec.exe
Token: SeSecurityPrivilege 1260 msiexec.exe
Token: SeCreateTokenPrivilege 2008 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 2008 msiexec.exe
Token: SeLockMemoryPrivilege 2008 msiexec.exe
Token: SeIncreaseQuotaPrivilege 2008 msiexec.exe
Token: SeMachineAccountPrivilege 2008 msiexec.exe
Token: SeTcbPrivilege 2008 msiexec.exe
Token: SeSecurityPrivilege 2008 msiexec.exe
Token: SeTakeOwnershipPrivilege 2008 msiexec.exe
Token: SeLoadDriverPrivilege 2008 msiexec.exe
Token: SeSystemProfilePrivilege 2008 msiexec.exe
Token: SeSystemtimePrivilege 2008 msiexec.exe
Token: SeProfSingleProcessPrivilege 2008 msiexec.exe
Token: SeIncBasePriorityPrivilege 2008 msiexec.exe
Token: SeCreatePagefilePrivilege 2008 msiexec.exe
Token: SeCreatePermanentPrivilege 2008 msiexec.exe
Token: SeBackupPrivilege 2008 msiexec.exe
Token: SeRestorePrivilege 2008 msiexec.exe
Token: SeShutdownPrivilege 2008 msiexec.exe
Token: SeDebugPrivilege 2008 msiexec.exe
Token: SeAuditPrivilege 2008 msiexec.exe
Token: SeSystemEnvironmentPrivilege 2008 msiexec.exe
Token: SeChangeNotifyPrivilege 2008 msiexec.exe
Token: SeRemoteShutdownPrivilege 2008 msiexec.exe
Token: SeUndockPrivilege 2008 msiexec.exe
Token: SeSyncAgentPrivilege 2008 msiexec.exe
Token: SeEnableDelegationPrivilege 2008 msiexec.exe
Token: SeManageVolumePrivilege 2008 msiexec.exe
Token: SeImpersonatePrivilege 2008 msiexec.exe
Token: SeCreateGlobalPrivilege 2008 msiexec.exe
Token: SeCreateTokenPrivilege 2008 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 2008 msiexec.exe
Token: SeLockMemoryPrivilege 2008 msiexec.exe
Token: SeIncreaseQuotaPrivilege 2008 msiexec.exe
Token: SeMachineAccountPrivilege 2008 msiexec.exe
Token: SeTcbPrivilege 2008 msiexec.exe
Token: SeSecurityPrivilege 2008 msiexec.exe
Token: SeTakeOwnershipPrivilege 2008 msiexec.exe
Token: SeLoadDriverPrivilege 2008 msiexec.exe
Token: SeSystemProfilePrivilege 2008 msiexec.exe
Token: SeSystemtimePrivilege 2008 msiexec.exe
Token: SeProfSingleProcessPrivilege 2008 msiexec.exe
Token: SeIncBasePriorityPrivilege 2008 msiexec.exe
Token: SeCreatePagefilePrivilege 2008 msiexec.exe
Token: SeCreatePermanentPrivilege 2008 msiexec.exe
Token: SeBackupPrivilege 2008 msiexec.exe
Token: SeRestorePrivilege 2008 msiexec.exe
Token: SeShutdownPrivilege 2008 msiexec.exe
Token: SeDebugPrivilege 2008 msiexec.exe
Token: SeAuditPrivilege 2008 msiexec.exe
Token: SeSystemEnvironmentPrivilege 2008 msiexec.exe
Token: SeChangeNotifyPrivilege 2008 msiexec.exe
Token: SeRemoteShutdownPrivilege 2008 msiexec.exe
Token: SeUndockPrivilege 2008 msiexec.exe
Token: SeSyncAgentPrivilege 2008 msiexec.exe
Token: SeEnableDelegationPrivilege 2008 msiexec.exe
Token: SeManageVolumePrivilege 2008 msiexec.exe
Token: SeImpersonatePrivilege 2008 msiexec.exe
Token: SeCreateGlobalPrivilege 2008 msiexec.exe
Token: SeCreateTokenPrivilege 2008 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 2008 msiexec.exe
Token: SeLockMemoryPrivilege 2008 msiexec.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process
2008 msiexec.exe
2008 msiexec.exe
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target
PID 1260 wrote to memory of 2556 1260 msiexec.exe 91
PID 1260 wrote to memory of 2556 1260 msiexec.exe 91
PID 1260 wrote to memory of 2556 1260 msiexec.exe 91
PID 1260 wrote to memory of 2116 1260 msiexec.exe 101
PID 1260 wrote to memory of 2116 1260 msiexec.exe 101
PID 1260 wrote to memory of 3840 1260 msiexec.exe 103
PID 1260 wrote to memory of 3840 1260 msiexec.exe 103
PID 1260 wrote to memory of 3840 1260 msiexec.exe 103
PID 1260 wrote to memory of 4536 1260 msiexec.exe 104
PID 1260 wrote to memory of 4536 1260 msiexec.exe 104
PID 1260 wrote to memory of 4536 1260 msiexec.exe 104
PID 216 wrote to memory of 2780 216 rundll32.exe 106
PID 216 wrote to memory of 2780 216 rundll32.exe 106
PID 216 wrote to memory of 2780 216 rundll32.exe 106
PID 216 wrote to memory of 2780 216 rundll32.exe 106
PID 216 wrote to memory of 2780 216 rundll32.exe 106
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e88610db05636a1476435ec1f39d3651b080c8a6b8756452d421d7a822a2e115.msi
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2008

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1260

    C:\Windows\syswow64\MsiExec.exe
    C:\Windows\syswow64\MsiExec.exe -Embedding 9F3DDCC10FB808307AD4329667563B01 C
    - Loads dropped DLL
    PID:2556

    C:\Windows\system32\srtasks.exe
    C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID:2116

    C:\Windows\syswow64\MsiExec.exe
    C:\Windows\syswow64\MsiExec.exe -Embedding F82F46B5B8D210E30EFDE3100ED35CDD
    - Loads dropped DLL
    PID:3840

    C:\Windows\Installer\MSI78BF.tmp
    "C:\Windows\Installer\MSI78BF.tmp" /HideWindow rundll32 C:\Users\Admin\AppData\Roaming\AdobeAC.dll,EditOwnerInfo
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4536

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Checks SCSI registry key(s)
PID:3000

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\AdobeAC.dll,EditOwnerInfo
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:216

    C:\Windows\System32\wermgr.exe
    C:\Windows\System32\wermgr.exe
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:2780
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
Filesize 727B

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C42BC945025A34066DAB76EF3F80A05
Filesize 314B

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
Filesize 478B

\??\Volume{fb412698-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{fd14061f-0057-41b2-b1cc-d91160531768}_OnDiskSnapshotProp
Filesize 6KB