qakbot | e9296f102513c58c645e790fcf00cc40e166a83fb8ecee15ca4552fc453ce0f8

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2024 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73472cfc52f2732b933e385ef80b4541191c45c995ce5c42844484c33c9867a3.msi
Size

5.8MB
MD5

483b57478ab379546ae9fbab1c0185fa
SHA1

e76211f214c1bcd7eb4ab21478d11a50c31d5da7
SHA256

73472cfc52f2732b933e385ef80b4541191c45c995ce5c42844484c33c9867a3
SHA512

a06f6a98831454f70413efcb6ca97a96440c07bc65e42a8bbfa6c2a6ae7d5dc666d3b96455acdd98089867b9f5ed0cbd98c69bda1c088eb6f3a6c7d702bcb9c4
SSDEEP

98304:mihTySajXEjCVXrepfrULCZf7ACNQB0zmlwXU8ern7beyN:OjjIzULqpQBv17r3eyN

Score

10^/10

qakbot tchk08 1706710954 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk08

Campaign

1706710954

31.210.173.10:443

185.156.172.62:443

185.113.8.123:443

Attributes

camp_date
2024-01-31 14:22:34 +0000 UTC

Signatures

Detect Qakbot Payload 23 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4052-69-0x00000209E5D40000-0x00000209E5D70000-memory.dmp	family_qakbot_v5
behavioral2/memory/4052-70-0x00000209E5CE0000-0x00000209E5D0D000-memory.dmp	family_qakbot_v5
behavioral2/memory/4052-71-0x00000209E5D10000-0x00000209E5D40000-memory.dmp	family_qakbot_v5
behavioral2/memory/4052-73-0x00000209E5D40000-0x00000209E5D70000-memory.dmp	family_qakbot_v5
behavioral2/memory/4052-74-0x00000209E5D40000-0x00000209E5D70000-memory.dmp	family_qakbot_v5
behavioral2/memory/4052-76-0x00000209E5D40000-0x00000209E5D70000-memory.dmp	family_qakbot_v5
behavioral2/memory/4052-75-0x00000209E5D40000-0x00000209E5D70000-memory.dmp	family_qakbot_v5
behavioral2/memory/4052-77-0x00000209E5D40000-0x00000209E5D70000-memory.dmp	family_qakbot_v5
behavioral2/memory/4052-78-0x00000209E5D40000-0x00000209E5D70000-memory.dmp	family_qakbot_v5
behavioral2/memory/4052-79-0x00000209E5D40000-0x00000209E5D70000-memory.dmp	family_qakbot_v5
behavioral2/memory/4052-80-0x00000209E5D40000-0x00000209E5D70000-memory.dmp	family_qakbot_v5
behavioral2/memory/1156-82-0x000001FF6A6E0000-0x000001FF6A710000-memory.dmp	family_qakbot_v5
behavioral2/memory/4052-88-0x00000209E5D40000-0x00000209E5D70000-memory.dmp	family_qakbot_v5
behavioral2/memory/4052-89-0x00000209E5D40000-0x00000209E5D70000-memory.dmp	family_qakbot_v5
behavioral2/memory/1156-90-0x000001FF6A6E0000-0x000001FF6A710000-memory.dmp	family_qakbot_v5
behavioral2/memory/1156-92-0x000001FF6A6E0000-0x000001FF6A710000-memory.dmp	family_qakbot_v5
behavioral2/memory/4052-91-0x00000209E5D40000-0x00000209E5D70000-memory.dmp	family_qakbot_v5
behavioral2/memory/1156-93-0x000001FF6A6E0000-0x000001FF6A710000-memory.dmp	family_qakbot_v5
behavioral2/memory/1156-112-0x000001FF6A6E0000-0x000001FF6A710000-memory.dmp	family_qakbot_v5
behavioral2/memory/1156-111-0x000001FF6A6E0000-0x000001FF6A710000-memory.dmp	family_qakbot_v5
behavioral2/memory/1156-113-0x000001FF6A6E0000-0x000001FF6A710000-memory.dmp	family_qakbot_v5
behavioral2/memory/1156-114-0x000001FF6A6E0000-0x000001FF6A710000-memory.dmp	family_qakbot_v5
behavioral2/memory/1156-115-0x000001FF6A6E0000-0x000001FF6A710000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe

Drops file in Windows directory 12 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI612D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6ECC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e576021.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI606F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI60ED.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{9685643A-B981-47EB-9EC6-6DFD99114DFA}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6209.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6381.tmp	msiexec.exe
File created	C:\Windows\Installer\e576021.msi	msiexec.exe

Executes dropped EXE 1 IoCs

Processes:

MSI6381.tmp

pid process

5028 MSI6381.tmp

pid	process
5028	MSI6381.tmp

Loads dropped DLL 13 IoCs

Processes:

MsiExec.exeMsiExec.exerundll32.exe

pid	process
3324	MsiExec.exe
3324	MsiExec.exe
3324	MsiExec.exe
3324	MsiExec.exe
3324	MsiExec.exe
3324	MsiExec.exe
3324	MsiExec.exe
3324	MsiExec.exe
1604	MsiExec.exe
1604	MsiExec.exe
1604	MsiExec.exe
4052	rundll32.exe
1604	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000982641fbe24eac720000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000982641fb0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900982641fb000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d982641fb000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000982641fb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies registry class 11 IoCs

Processes:

wermgr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\oiaqjseysfbyqos	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\oiaqjseysfbyqos\20b81e58 = 274b09d1065695de7b0c7ce0c52a5f47986d48a61730b2122f2c17a4c7fb39082a8d98107ea47d5490bb423daf73d7bf526a842fa5415ddcabc2da3049cbdebc2d0c821e73f820cdbc46da81f27cd9da3ba900c7161ef35d1926b8c8292f72898165422752820e165478149e85fce4f10e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\oiaqjseysfbyqos\a4f210a2 = e6a11c2033f4aef58047c732b4003462fa888859eae8d20635902292426e0200ee0561ccae5deb18423b2fa67135ec8f4223a7c36d29e1c51980880efb97fba1579afe7d4f58e926a37d88f69019a910c1705cc4dfba6964a20cd4b96722a3c0be1ad06e6a7c6cecc6f39449fb42e2e41c	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\oiaqjseysfbyqos\bbbd0b89 = 44da4f68b8f4a4c7c4edd0c4a79c5900380b9380fc0af04d11c249d45886cfd07b15a1facb32f74fd9c4cddb89d9b7b5c9e35031fad297152d2ed2d2fe57b62029b33abf0335286d47dd5ee2569e9ffd8c8f1e677cb19c0ffc7871f44f74ab179cfad79367aa2b848a07a866f8b8b02148	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\oiaqjseysfbyqos\213f43df = a5b756decd115055a2bb88054ebfc1d79b4303da23d1425d2d74d03ead092fdce54c2073443a688145390d953b544377b8b03539d510df45a920e0b4b4ac535c0d845c5759fbaea2b2721dc101f62fbbc2a837bb29ce0fcd8dfe92a03287b41a29881434ff5abdf231dd5d64d717d6f6b46f84236706e08245689123eb7a63ba79	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\oiaqjseysfbyqos\20b81e58 = e62fb144ee8363133029fe2cc118f5646aaeb17f08203baaf9ba929161d12009a3d0d6d9576d43a298267e4ff23fb9fa11df06fd207892857e163e04d70c16db823106d53c90f9f00128ba2c236c9265210d19bfa751387be4f16b817873c18244516cefb41bf6d7fff1b8b0a82bafa99b18ba7fb4f75af5bf4031217195898b75	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\oiaqjseysfbyqos\76905690 = a67ed2f6f35be47d78f36495339cf43972430b8d4d812855112680c3262a3e9ac31f235b3d4de988e6ef9a330f7add9a29c1b01470dfdc7e0d8185b4131bcff9bc7c6c0384986930093acf220908e88772d6d1a2b90af70c7bf83fb2d7246d11a761dca4df6b3384ec438c17b94e99b89d0efa08b4efdf0627c1d40b3ada70bc6273e5ea9168500ce6b81760467868ec3dc3691fe127a98d4005f974e0ba439ea4ef30a0c81eb19d55d3bcfe7a695e370e91cceaf159031c813e352046759eaf64	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\oiaqjseysfbyqos\6858103c = 65ec03c7c4fc491672ab0c9ca30fe13c336f2d88de80c38addf7e1c3070b6d6eff77bb29aa66fbff517b6ed76b33acee1838817d18951ef76fa76795f896308a68e7ac5041fd92b17ad105f391fc1432ba	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\oiaqjseysfbyqos\1fa17589 = 06aac1ff22bb07eb5f0a94c99e2686c82b8bab555d13e64d4045cc089cc8aff9fb6718a37e8f1f91707bc41a55ce8a855da7ac1bea8dc79b4e627763b1e32e44415889cf646c91b3f8e3f9b94ee478c7e759c527e87f819b31275e77a9f4e13566	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\oiaqjseysfbyqos\77170b17 = 85cfd2ee8fa3f35fb2b7a154c9007a5755b35765a83bccb23a1ca50dd178526128214a8c5dcbf767c30c8b56a65373883baa93d4ef1a7f0c1004b5f5955278c15e868f61917bfe125b494c023cf851d967b93244c193022cf5c8a40337e7268aeef6f335049da976624e64818d6c09a5759d1c7359afc6d7ffa85c28a310249435	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\oiaqjseysfbyqos\ba3a560e = 653805b4725ca3828f5b7c3dca127f1b5d19a0940a246ed7e1bb54fdb6abecac434afcfbf0a22180a265272a90410fc914797b42d1b128a4d11a880094b1a031e5a190eed5811efadb1f1f3e2763c0a1e611b6e9711827582d7297689b2e1f7212878dcee63b96e31fef0911417c65d91eff625b246044b2005bfc82606a647cc7	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exerundll32.exewermgr.exe

pid	process
2176	msiexec.exe
2176	msiexec.exe
4052	rundll32.exe
4052	rundll32.exe
4052	rundll32.exe
4052	rundll32.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe
1156	wermgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1912	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1912	msiexec.exe
Token: SeSecurityPrivilege	2176	msiexec.exe
Token: SeCreateTokenPrivilege	1912	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1912	msiexec.exe
Token: SeLockMemoryPrivilege	1912	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1912	msiexec.exe
Token: SeMachineAccountPrivilege	1912	msiexec.exe
Token: SeTcbPrivilege	1912	msiexec.exe
Token: SeSecurityPrivilege	1912	msiexec.exe
Token: SeTakeOwnershipPrivilege	1912	msiexec.exe
Token: SeLoadDriverPrivilege	1912	msiexec.exe
Token: SeSystemProfilePrivilege	1912	msiexec.exe
Token: SeSystemtimePrivilege	1912	msiexec.exe
Token: SeProfSingleProcessPrivilege	1912	msiexec.exe
Token: SeIncBasePriorityPrivilege	1912	msiexec.exe
Token: SeCreatePagefilePrivilege	1912	msiexec.exe
Token: SeCreatePermanentPrivilege	1912	msiexec.exe
Token: SeBackupPrivilege	1912	msiexec.exe
Token: SeRestorePrivilege	1912	msiexec.exe
Token: SeShutdownPrivilege	1912	msiexec.exe
Token: SeDebugPrivilege	1912	msiexec.exe
Token: SeAuditPrivilege	1912	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1912	msiexec.exe
Token: SeChangeNotifyPrivilege	1912	msiexec.exe
Token: SeRemoteShutdownPrivilege	1912	msiexec.exe
Token: SeUndockPrivilege	1912	msiexec.exe
Token: SeSyncAgentPrivilege	1912	msiexec.exe
Token: SeEnableDelegationPrivilege	1912	msiexec.exe
Token: SeManageVolumePrivilege	1912	msiexec.exe
Token: SeImpersonatePrivilege	1912	msiexec.exe
Token: SeCreateGlobalPrivilege	1912	msiexec.exe
Token: SeCreateTokenPrivilege	1912	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1912	msiexec.exe
Token: SeLockMemoryPrivilege	1912	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1912	msiexec.exe
Token: SeMachineAccountPrivilege	1912	msiexec.exe
Token: SeTcbPrivilege	1912	msiexec.exe
Token: SeSecurityPrivilege	1912	msiexec.exe
Token: SeTakeOwnershipPrivilege	1912	msiexec.exe
Token: SeLoadDriverPrivilege	1912	msiexec.exe
Token: SeSystemProfilePrivilege	1912	msiexec.exe
Token: SeSystemtimePrivilege	1912	msiexec.exe
Token: SeProfSingleProcessPrivilege	1912	msiexec.exe
Token: SeIncBasePriorityPrivilege	1912	msiexec.exe
Token: SeCreatePagefilePrivilege	1912	msiexec.exe
Token: SeCreatePermanentPrivilege	1912	msiexec.exe
Token: SeBackupPrivilege	1912	msiexec.exe
Token: SeRestorePrivilege	1912	msiexec.exe
Token: SeShutdownPrivilege	1912	msiexec.exe
Token: SeDebugPrivilege	1912	msiexec.exe
Token: SeAuditPrivilege	1912	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1912	msiexec.exe
Token: SeChangeNotifyPrivilege	1912	msiexec.exe
Token: SeRemoteShutdownPrivilege	1912	msiexec.exe
Token: SeUndockPrivilege	1912	msiexec.exe
Token: SeSyncAgentPrivilege	1912	msiexec.exe
Token: SeEnableDelegationPrivilege	1912	msiexec.exe
Token: SeManageVolumePrivilege	1912	msiexec.exe
Token: SeImpersonatePrivilege	1912	msiexec.exe
Token: SeCreateGlobalPrivilege	1912	msiexec.exe
Token: SeCreateTokenPrivilege	1912	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1912	msiexec.exe
Token: SeLockMemoryPrivilege	1912	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

1912 msiexec.exe
1912 msiexec.exe

pid	process
1912	msiexec.exe
1912	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

msiexec.exerundll32.exe

description	pid	process	target process
PID 2176 wrote to memory of 3324	2176	msiexec.exe	MsiExec.exe
PID 2176 wrote to memory of 3324	2176	msiexec.exe	MsiExec.exe
PID 2176 wrote to memory of 3324	2176	msiexec.exe	MsiExec.exe
PID 2176 wrote to memory of 3096	2176	msiexec.exe	srtasks.exe
PID 2176 wrote to memory of 3096	2176	msiexec.exe	srtasks.exe
PID 2176 wrote to memory of 1604	2176	msiexec.exe	MsiExec.exe
PID 2176 wrote to memory of 1604	2176	msiexec.exe	MsiExec.exe
PID 2176 wrote to memory of 1604	2176	msiexec.exe	MsiExec.exe
PID 2176 wrote to memory of 5028	2176	msiexec.exe	MSI6381.tmp
PID 2176 wrote to memory of 5028	2176	msiexec.exe	MSI6381.tmp
PID 2176 wrote to memory of 5028	2176	msiexec.exe	MSI6381.tmp
PID 4052 wrote to memory of 1156	4052	rundll32.exe	wermgr.exe
PID 4052 wrote to memory of 1156	4052	rundll32.exe	wermgr.exe
PID 4052 wrote to memory of 1156	4052	rundll32.exe	wermgr.exe
PID 4052 wrote to memory of 1156	4052	rundll32.exe	wermgr.exe
PID 4052 wrote to memory of 1156	4052	rundll32.exe	wermgr.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\73472cfc52f2732b933e385ef80b4541191c45c995ce5c42844484c33c9867a3.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1912

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 6510D3C247E18E43498B7D19EB5FF219 C
2⤵
- Loads dropped DLL
PID:3324

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:3096

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 0AF2E6B1D90F57B58D7E7F3B8709833A
2⤵
- Loads dropped DLL
PID:1604

C:\Windows\Installer\MSI6381.tmp
"C:\Windows\Installer\MSI6381.tmp" /HideWindow rundll32 C:\Users\Admin\AppData\Roaming\Acrobat\\MicrosoftOffice15\ClientX64\Acrobat.dll,CfGetPlatformInfo
2⤵
- Executes dropped EXE
PID:5028

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2480

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Acrobat\\MicrosoftOffice15\ClientX64\Acrobat.dll,CfGetPlatformInfo
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4052

C:\Windows\System32\wermgr.exe
C:\Windows\System32\wermgr.exe
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1156

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e576022.rbs
Filesize
1KB

MD5
a5f61eadd3f3a5261fca061be8a6f415

SHA1
9d4e037ff206dcbdbc5c8dec3ecedf4a01d46d99

SHA256
0a660d13f861e197f9ca919c82411ee7777694b46527ad040d9cfe1f3670728d

SHA512
8af0365d8f22b1bc78c8c781d53a1ed6d69aa65b3fad233495b59c701ade93e7f69450ec71e58ba177e1068a4e9a771d046c156b6f7b1ab88a786e3383142ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2FDA.tmp
Filesize
721KB

MD5
5a1f2196056c0a06b79a77ae981c7761

SHA1
a880ae54395658f129e24732800e207ecd0b5603

SHA256
52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

SHA512
9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3250.tmp
Filesize
1.1MB

MD5
25e52c5776a81e0c5ccb9bdd4c808c90

SHA1
e42104ef61ae4760a41552292091eb6a5089ced4

SHA256
0831dbcb3799c9e36ea586582e8ef907dcefeb2045351d6774c7ad0ef02a9af2

SHA512
746570c011e501505ec9d09077519bca1a485b0cac66229be6f4715a91ee52d5cc857de26ad8d7a33806ddfa580d2ba9f77759e3764ea761d327fe2f1e881292

Download Submit
C:\Users\Admin\AppData\Roaming\Acrobat\MicrosoftOffice15\ClientX64\Acrobat.dll
Filesize
922KB

MD5
af7364f14a56ae4234d449ff89a2bb7d

SHA1
ce261d1f31bed80417009fbeb5230be37c34e374

SHA256
a59707803f3d94ed9cb429929c832e9b74ce56071a1c2086949b389539788d8a

SHA512
4c6982a5a11578cdd1b2789628787a8a7f08c86e814dfbe717a1e9cb43060b3f9b888948bdc97bcf207d5dd06398a955cab46f2cfc28761b3be15ef40fbc14de

Download Submit
C:\Windows\Installer\MSI6381.tmp
Filesize
397KB

MD5
b41e1b0ae2ec215c568c395b0dbb738a

SHA1
90d8e50176a1f4436604468279f29a128723c64b

SHA256
a97e782c5612c1a9c8a56c56a943f6190fa7a73c346566860b519ef02efd0dca

SHA512
828d00ea08aa5c5d28b2e513687ee1ff910670f49f938064682e56da05544ba9d73ba9244f77b5df8acaeeb7b756d62f67e5acbc95bae86b4706f6324c4ccaba

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.7MB

MD5
8f2acf5057cdbaef31473dc455abc874

SHA1
4ae0d2c7bad252b31625a6fc628043737697a6e5

SHA256
9009c786af44257b03a7830fb5356168813b7aa5143b664d957887d3656f70d7

SHA512
d9473382fc1c4a96005c253ec93b3e9eaf44bc6be470c6186e90490bb55132081f8bf2dec411de1b821c9825ddfe05c743a125f65220954a11cbbe566b78e5bd

Download Submit
\??\Volume{fb412698-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{e83530a2-1355-4fff-8690-0a4fd0c95217}_OnDiskSnapshotProp
Filesize
6KB

MD5
3e15474afee348e0c0a88036883726bd

SHA1
2163a6a54cbf23cd1ef4065db244e6d6f419bab8

SHA256
42f07144c034a75056aadc34c6c1e799918a826dff424979a6472bfb4204ab75

SHA512
bfc275ba51a29b76c11a18d94bf5174060b4b53f69c1023417d474ad83175d9d2a5667769e15a3db1dd5243940f91c6019c45b11526a6d895ffcc5f98e1b2e5c

Download Submit
memory/1156-115-0x000001FF6A6E0000-0x000001FF6A710000-memory.dmp

Filesize
192KB

Download
memory/1156-82-0x000001FF6A6E0000-0x000001FF6A710000-memory.dmp

Filesize
192KB

Download
memory/1156-114-0x000001FF6A6E0000-0x000001FF6A710000-memory.dmp

Filesize
192KB

Download
memory/1156-113-0x000001FF6A6E0000-0x000001FF6A710000-memory.dmp

Filesize
192KB

Download
memory/1156-111-0x000001FF6A6E0000-0x000001FF6A710000-memory.dmp

Filesize
192KB

Download
memory/1156-112-0x000001FF6A6E0000-0x000001FF6A710000-memory.dmp

Filesize
192KB

Download
memory/1156-93-0x000001FF6A6E0000-0x000001FF6A710000-memory.dmp

Filesize
192KB

Download
memory/1156-92-0x000001FF6A6E0000-0x000001FF6A710000-memory.dmp

Filesize
192KB

Download
memory/1156-90-0x000001FF6A6E0000-0x000001FF6A710000-memory.dmp

Filesize
192KB

Download
memory/1156-81-0x000001FF6A710000-0x000001FF6A712000-memory.dmp

Filesize
8KB

Download
memory/4052-71-0x00000209E5D10000-0x00000209E5D40000-memory.dmp

Filesize
192KB

Download
memory/4052-88-0x00000209E5D40000-0x00000209E5D70000-memory.dmp

Filesize
192KB

Download
memory/4052-89-0x00000209E5D40000-0x00000209E5D70000-memory.dmp

Filesize
192KB

Download
memory/4052-80-0x00000209E5D40000-0x00000209E5D70000-memory.dmp

Filesize
192KB

Download
memory/4052-79-0x00000209E5D40000-0x00000209E5D70000-memory.dmp

Filesize
192KB

Download
memory/4052-91-0x00000209E5D40000-0x00000209E5D70000-memory.dmp

Filesize
192KB

Download
memory/4052-78-0x00000209E5D40000-0x00000209E5D70000-memory.dmp

Filesize
192KB

Download
memory/4052-77-0x00000209E5D40000-0x00000209E5D70000-memory.dmp

Filesize
192KB

Download
memory/4052-75-0x00000209E5D40000-0x00000209E5D70000-memory.dmp

Filesize
192KB

Download
memory/4052-76-0x00000209E5D40000-0x00000209E5D70000-memory.dmp

Filesize
192KB

Download
memory/4052-74-0x00000209E5D40000-0x00000209E5D70000-memory.dmp

Filesize
192KB

Download
memory/4052-73-0x00000209E5D40000-0x00000209E5D70000-memory.dmp

Filesize
192KB

Download
memory/4052-70-0x00000209E5CE0000-0x00000209E5D0D000-memory.dmp

Filesize
180KB

Download
memory/4052-69-0x00000209E5D40000-0x00000209E5D70000-memory.dmp

Filesize
192KB

Download