Overview

overview

10

Static

static

1

73472cfc52...a3.msi

windows7-x64

10

73472cfc52...a3.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    02-04-2024 13:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    73472cfc52f2732b933e385ef80b4541191c45c995ce5c42844484c33c9867a3.msi

  • Size

    5.8MB

  • MD5

    483b57478ab379546ae9fbab1c0185fa

  • SHA1

    e76211f214c1bcd7eb4ab21478d11a50c31d5da7

  • SHA256

    73472cfc52f2732b933e385ef80b4541191c45c995ce5c42844484c33c9867a3

  • SHA512

    a06f6a98831454f70413efcb6ca97a96440c07bc65e42a8bbfa6c2a6ae7d5dc666d3b96455acdd98089867b9f5ed0cbd98c69bda1c088eb6f3a6c7d702bcb9c4

  • SSDEEP

    98304:mihTySajXEjCVXrepfrULCZf7ACNQB0zmlwXU8ern7beyN:OjjIzULqpQBv17r3eyN

Score
10/10
qakbottchk081706710954bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk08

Campaign

1706710954

C2

31.210.173.10:443

185.156.172.62:443

185.113.8.123:443
Attributes
  • camp_date

    2024-01-31 14:22:34 +0000 UTC

Signatures

  • Detect Qakbot Payload 3 IoCs
  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 11 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 11 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\73472cfc52f2732b933e385ef80b4541191c45c995ce5c42844484c33c9867a3.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2516
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2340
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding DCC0E9A4FC388E5724EB85202427AAC4 C
      2⤵
      • Loads dropped DLL
      PID:2580
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding D0B7DE24814DE163A7122EC1321C56A8
      2⤵
      • Loads dropped DLL
      PID:2084
    • C:\Windows\Installer\MSI2447.tmp
      "C:\Windows\Installer\MSI2447.tmp" /HideWindow rundll32 C:\Users\Admin\AppData\Roaming\Acrobat\\MicrosoftOffice15\ClientX64\Acrobat.dll,CfGetPlatformInfo
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1992
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
      PID:2600
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005B8" "00000000000005B0"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:1616
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Acrobat\\MicrosoftOffice15\ClientX64\Acrobat.dll,CfGetPlatformInfo
      1⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:1888

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\f77e6a9.rbs
      Filesize

      1KB

      MD5

      d1e42cfd65875a8f877e73ef7cc1f20e

      SHA1

      72730dcb8c394b93c2b7bf40ec30d449686707a7

      SHA256

      9722e6b4b74474d3a2668f76834001cb12baa7eb239e450603fedeeda063e10f

      SHA512

      00ed6ad0f0145ffa6ed653d343225a694d07ca90d9dca9ad4bc3ced3a270a6a7125e459cf5788a2b07e96cfd7a9c1a884ce72fbef822b3f4223e14e8cada06f8

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\MSIC33F.tmp
      Filesize

      721KB

      MD5

      5a1f2196056c0a06b79a77ae981c7761

      SHA1

      a880ae54395658f129e24732800e207ecd0b5603

      SHA256

      52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

      SHA512

      9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\MSIC65E.tmp
      Filesize

      1.1MB

      MD5

      25e52c5776a81e0c5ccb9bdd4c808c90

      SHA1

      e42104ef61ae4760a41552292091eb6a5089ced4

      SHA256

      0831dbcb3799c9e36ea586582e8ef907dcefeb2045351d6774c7ad0ef02a9af2

      SHA512

      746570c011e501505ec9d09077519bca1a485b0cac66229be6f4715a91ee52d5cc857de26ad8d7a33806ddfa580d2ba9f77759e3764ea761d327fe2f1e881292

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Acrobat\MicrosoftOffice15\ClientX64\Acrobat.dll
      Filesize

      922KB

      MD5

      af7364f14a56ae4234d449ff89a2bb7d

      SHA1

      ce261d1f31bed80417009fbeb5230be37c34e374

      SHA256

      a59707803f3d94ed9cb429929c832e9b74ce56071a1c2086949b389539788d8a

      SHA512

      4c6982a5a11578cdd1b2789628787a8a7f08c86e814dfbe717a1e9cb43060b3f9b888948bdc97bcf207d5dd06398a955cab46f2cfc28761b3be15ef40fbc14de

      Download Submit
    • C:\Windows\Installer\MSI2447.tmp
      Filesize

      397KB

      MD5

      b41e1b0ae2ec215c568c395b0dbb738a

      SHA1

      90d8e50176a1f4436604468279f29a128723c64b

      SHA256

      a97e782c5612c1a9c8a56c56a943f6190fa7a73c346566860b519ef02efd0dca

      SHA512

      828d00ea08aa5c5d28b2e513687ee1ff910670f49f938064682e56da05544ba9d73ba9244f77b5df8acaeeb7b756d62f67e5acbc95bae86b4706f6324c4ccaba

      Download Submit
    • \??\PIPE\wkssvc
      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

      Download Submit
    • memory/1888-65-0x0000000000310000-0x0000000000340000-memory.dmp
      Filesize

      192KB

      Download
    • memory/1888-69-0x00000000002E0000-0x0000000000310000-memory.dmp
      Filesize

      192KB

      Download
    • memory/1888-68-0x00000000002B0000-0x00000000002DD000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1992-59-0x00000000001A0000-0x00000000001A2000-memory.dmp
      Filesize

      8KB

      Download