qakbot | e88610db05636a1476435ec1f39d3651b080c8a6b8756452d421d7a822a2e115

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-09-2024 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

maldoc_5.msi
Size

2.1MB
MD5

723dae8ed3f157e40635681f028328e6
SHA1

aa6dd8df02000fbfc884e687bcafed57f84a83b0
SHA256

e88610db05636a1476435ec1f39d3651b080c8a6b8756452d421d7a822a2e115
SHA512

4e1829bfc470ea8624dee424db34b2b0f965597c1e300ca62f271727a7fd4dc6c90137d5ca8fd227ba3bad26fee2870788f91b00b225d6a626e99e18476473be
SSDEEP

49152:DNGitd+vszAlozTy4g5r8+5eNBADPGXJXrejhJ8I+jELv6:oihTyfIXreNJ8IpT6

Score

10^/10

qakbot tchk07 1702975817 banker discovery persistence privilege_escalation stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk07

Campaign

1702975817

116.203.56.11:443

109.107.181.8:443

Attributes

camp_date
2023-12-19 08:50:17 +0000 UTC

Signatures

Detect Qakbot Payload 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2348-85-0x0000023566C70000-0x0000023566C9F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2348-89-0x0000023566CA0000-0x0000023566CCE000-memory.dmp	family_qakbot_v5
behavioral2/memory/3956-92-0x0000021376800000-0x000002137682E000-memory.dmp	family_qakbot_v5
behavioral2/memory/3956-94-0x0000021376800000-0x000002137682E000-memory.dmp	family_qakbot_v5
behavioral2/memory/3956-111-0x0000021376800000-0x000002137682E000-memory.dmp	family_qakbot_v5
behavioral2/memory/3956-110-0x0000021376800000-0x000002137682E000-memory.dmp	family_qakbot_v5
behavioral2/memory/3956-109-0x0000021376800000-0x000002137682E000-memory.dmp	family_qakbot_v5
behavioral2/memory/3956-108-0x0000021376800000-0x000002137682E000-memory.dmp	family_qakbot_v5
behavioral2/memory/3956-112-0x0000021376800000-0x000002137682E000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Blocklisted process makes network request 4 IoCs

Processes:

msiexec.exe

flow pid process

5 3240 msiexec.exe
7 3240 msiexec.exe
9 3240 msiexec.exe
13 3240 msiexec.exe

flow	pid	process
5	3240	msiexec.exe
7	3240	msiexec.exe
9	3240	msiexec.exe
13	3240	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Drops file in Windows directory 12 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSIC5B5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICAE6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC0CF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC14D.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{22742959-614A-4FC5-9C2F-4B7D7AE6105A}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC278.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e57bfe5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57bfe5.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC19C.tmp	msiexec.exe

Executes dropped EXE 1 IoCs

Processes:

MSICAE6.tmp

pid process

3404 MSICAE6.tmp

pid	process
3404	MSICAE6.tmp

Loads dropped DLL 12 IoCs

Processes:

MsiExec.exeMsiExec.exerundll32.exe

pid	process
3408	MsiExec.exe
3408	MsiExec.exe
3408	MsiExec.exe
3408	MsiExec.exe
3408	MsiExec.exe
3408	MsiExec.exe
3408	MsiExec.exe
4924	MsiExec.exe
4924	MsiExec.exe
4924	MsiExec.exe
4924	MsiExec.exe
2348	rundll32.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
persistence privilege_escalation

Installer Packages
T1546.016

Msiexec
T1218.007

Processes:

msiexec.exe

pid process

3240 msiexec.exe

pid	process
3240	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

MsiExec.exeMsiExec.exeMSICAE6.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSICAE6.tmp

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000082ad35faf8c7b7730000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000082ad35fa0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090082ad35fa000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d82ad35fa000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000082ad35fa00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies registry class 10 IoCs

Processes:

wermgr.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\xdknfeoiyfht\99b7d69f = e672502e94f5b47a7282f67316e8981c862ec206dd19a989ad8d066f6bd3b61e1d05765129acbf3daab0683c1838ac705577b3aa1018c248f67f8b1b4a81b3efbfff459071387eb34bc558ed5e243cea3f26eac653500a819943bdf5c780ef49c9b7a995ea02278482df09eb1ca105875e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\xdknfeoiyfht\4a52cd2a = 25832d6a510d328c2b501ee49e840b6c29104238530046e80798f84656962b8f80	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\xdknfeoiyfht\1dfdd865 = 856a324198aacc4beae651d51a4cccb0c851d713b15f83803125726551ad395b5c196f21269a9c24a64434e35a421551ff9ec4266f25feee3b3217855c2b393080a8b2d6b538c75aa0bf20fa2cc7cfd0cf	wermgr.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\xdknfeoiyfht	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\xdknfeoiyfht\1dfdd865 = 07fde9b38713c25f5d5904da3ab02959d00194c752b835782c13866426eb9ce975572fae207bc643fc3cb6d9cbb2cb6f43	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\xdknfeoiyfht\86f8cdb4 = 04fb5b9dee2e2b630cada51b11100325a0e17769f0aa35b5cba6dc56dc9ebb59796a846ebcde770e795c28c867be5457eb167734894478b790aaf23a7247797e6d10d09d8901aad5296f48f45212d926a68377eacfe0c3dd5cc4ae53308850cdbf	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\xdknfeoiyfht\877f9033 = a5bc60098427ff55b633844ec409844a05159c5517e26fbfd9857b7ec031b4fc446320f50e857d96d4ff8acabd3406b7bb	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\xdknfeoiyfht\1c7a85e2 = 46b5baea9bbbb3038f8a1fb138e6745ba45c6a22482f60956e88620d13cd037811	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\xdknfeoiyfht\4bd590ad = 45fafbf75b960218216d829e90bc0a0fb097f2a29512fb5bc79a6e0de97c3ad6ce48318361358b5baa8a4bc8d2c621c10bc6236767c08a68c79941ecb77e1354464ceb5254a4d33e5f1b5471e02f7ee73a8b93de45242bcfa16d9ec4a5672adf395a248f93309716e41c06b1f480e3f3478fdebe8c8b07d72f015ac8b5283f90a119aa619ef41a80ccb36d053015103d45	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\xdknfeoiyfht\551dd601 = 04ab7bdc7147731b7ae99d737bde60e70d8db33a54f107ce3dabfa9bd79e595d2a9f96729371eb94bb6aa0b89a7021cae8f7c5ecb08dbb61445630eaa3e62cc542bc640bae723b936188039671139e723f8c11dc8ab99bb2c1f52f98b48f26438f2b6ace5c671f7b3ba0952e778a235a7638750cfb990fd670455ecb764154e6343edbcfe14c32da79f0a766e79fb0d09c	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exeMSICAE6.tmprundll32.exewermgr.exe

pid	process
4324	msiexec.exe
4324	msiexec.exe
3404	MSICAE6.tmp
3404	MSICAE6.tmp
2348	rundll32.exe
2348	rundll32.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe
3956	wermgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	3240	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3240	msiexec.exe
Token: SeSecurityPrivilege	4324	msiexec.exe
Token: SeCreateTokenPrivilege	3240	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3240	msiexec.exe
Token: SeLockMemoryPrivilege	3240	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3240	msiexec.exe
Token: SeMachineAccountPrivilege	3240	msiexec.exe
Token: SeTcbPrivilege	3240	msiexec.exe
Token: SeSecurityPrivilege	3240	msiexec.exe
Token: SeTakeOwnershipPrivilege	3240	msiexec.exe
Token: SeLoadDriverPrivilege	3240	msiexec.exe
Token: SeSystemProfilePrivilege	3240	msiexec.exe
Token: SeSystemtimePrivilege	3240	msiexec.exe
Token: SeProfSingleProcessPrivilege	3240	msiexec.exe
Token: SeIncBasePriorityPrivilege	3240	msiexec.exe
Token: SeCreatePagefilePrivilege	3240	msiexec.exe
Token: SeCreatePermanentPrivilege	3240	msiexec.exe
Token: SeBackupPrivilege	3240	msiexec.exe
Token: SeRestorePrivilege	3240	msiexec.exe
Token: SeShutdownPrivilege	3240	msiexec.exe
Token: SeDebugPrivilege	3240	msiexec.exe
Token: SeAuditPrivilege	3240	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3240	msiexec.exe
Token: SeChangeNotifyPrivilege	3240	msiexec.exe
Token: SeRemoteShutdownPrivilege	3240	msiexec.exe
Token: SeUndockPrivilege	3240	msiexec.exe
Token: SeSyncAgentPrivilege	3240	msiexec.exe
Token: SeEnableDelegationPrivilege	3240	msiexec.exe
Token: SeManageVolumePrivilege	3240	msiexec.exe
Token: SeImpersonatePrivilege	3240	msiexec.exe
Token: SeCreateGlobalPrivilege	3240	msiexec.exe
Token: SeCreateTokenPrivilege	3240	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3240	msiexec.exe
Token: SeLockMemoryPrivilege	3240	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3240	msiexec.exe
Token: SeMachineAccountPrivilege	3240	msiexec.exe
Token: SeTcbPrivilege	3240	msiexec.exe
Token: SeSecurityPrivilege	3240	msiexec.exe
Token: SeTakeOwnershipPrivilege	3240	msiexec.exe
Token: SeLoadDriverPrivilege	3240	msiexec.exe
Token: SeSystemProfilePrivilege	3240	msiexec.exe
Token: SeSystemtimePrivilege	3240	msiexec.exe
Token: SeProfSingleProcessPrivilege	3240	msiexec.exe
Token: SeIncBasePriorityPrivilege	3240	msiexec.exe
Token: SeCreatePagefilePrivilege	3240	msiexec.exe
Token: SeCreatePermanentPrivilege	3240	msiexec.exe
Token: SeBackupPrivilege	3240	msiexec.exe
Token: SeRestorePrivilege	3240	msiexec.exe
Token: SeShutdownPrivilege	3240	msiexec.exe
Token: SeDebugPrivilege	3240	msiexec.exe
Token: SeAuditPrivilege	3240	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3240	msiexec.exe
Token: SeChangeNotifyPrivilege	3240	msiexec.exe
Token: SeRemoteShutdownPrivilege	3240	msiexec.exe
Token: SeUndockPrivilege	3240	msiexec.exe
Token: SeSyncAgentPrivilege	3240	msiexec.exe
Token: SeEnableDelegationPrivilege	3240	msiexec.exe
Token: SeManageVolumePrivilege	3240	msiexec.exe
Token: SeImpersonatePrivilege	3240	msiexec.exe
Token: SeCreateGlobalPrivilege	3240	msiexec.exe
Token: SeCreateTokenPrivilege	3240	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3240	msiexec.exe
Token: SeLockMemoryPrivilege	3240	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

3240 msiexec.exe
3240 msiexec.exe

pid	process
3240	msiexec.exe
3240	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

msiexec.exerundll32.exe

description	pid	process	target process
PID 4324 wrote to memory of 3408	4324	msiexec.exe	MsiExec.exe
PID 4324 wrote to memory of 3408	4324	msiexec.exe	MsiExec.exe
PID 4324 wrote to memory of 3408	4324	msiexec.exe	MsiExec.exe
PID 4324 wrote to memory of 4488	4324	msiexec.exe	srtasks.exe
PID 4324 wrote to memory of 4488	4324	msiexec.exe	srtasks.exe
PID 4324 wrote to memory of 4924	4324	msiexec.exe	MsiExec.exe
PID 4324 wrote to memory of 4924	4324	msiexec.exe	MsiExec.exe
PID 4324 wrote to memory of 4924	4324	msiexec.exe	MsiExec.exe
PID 4324 wrote to memory of 3404	4324	msiexec.exe	MSICAE6.tmp
PID 4324 wrote to memory of 3404	4324	msiexec.exe	MSICAE6.tmp
PID 4324 wrote to memory of 3404	4324	msiexec.exe	MSICAE6.tmp
PID 2348 wrote to memory of 3956	2348	rundll32.exe	wermgr.exe
PID 2348 wrote to memory of 3956	2348	rundll32.exe	wermgr.exe
PID 2348 wrote to memory of 3956	2348	rundll32.exe	wermgr.exe
PID 2348 wrote to memory of 3956	2348	rundll32.exe	wermgr.exe
PID 2348 wrote to memory of 3956	2348	rundll32.exe	wermgr.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\maldoc_5.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3240

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A87F7211D4435A8A474438C0BDD5BC9E C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3408
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4488
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2373A1C1D4673D8DAC284C9362A1B09F
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4924
- C:\Windows\Installer\MSICAE6.tmp
  "C:\Windows\Installer\MSICAE6.tmp" /HideWindow rundll32 C:\Users\Admin\AppData\Roaming\AdobeAC.dll,EditOwnerInfo
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3404

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4044

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\AdobeAC.dll,EditOwnerInfo
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\System32\wermgr.exe
  C:\Windows\System32\wermgr.exe
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57bfe6.rbs

Filesize
1KB

MD5
2b97b39da051760b6e38175497b80d7b

SHA1
31232dcad1dd4cb4d4fe3ee7b33366bbe9c4d106

SHA256
234152e1cf505b85b47b1297f827d63da71db5ec9078210ea1e4387efa2db8b8

SHA512
44656f5b1d881b892f7aae32c8ff27531d75c2290c743bbb30e57ed2d44b7824933244f21cca5a499f91dd3f3de62ca5d7136165c65e5fd0d6b26c94b4462040

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C42BC945025A34066DAB76EF3F80A05

Filesize
66KB

MD5
a2b1dc07038d1bc982778fe03f8f21db

SHA1
fd947f89421ab9626a5a0ca487ee1d0a052de32f

SHA256
07874d5e8364c3d6412c01cafcd2ff574fd614969fbd438c6d051cb7736890c4

SHA512
899dfe72ed40308eb866f1689537b82ea2b3b00446019241cf9c0872421a543adab0f1d79abe6f48f70e6d93828f37a4d56783fa6356b497193525c140f17ca9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1

Filesize
727B

MD5
7a3b8457313a521e0d44f91765a4e041

SHA1
4ea8ecb5e7b4c11f4c491caf6cee7ced5ec4c267

SHA256
2b08ecf53bb8b6c430659926148f896102dc80b5f38b0ec5efe122199659651c

SHA512
7349fd1b8c490d540a8bb25f40587f9874ff5d9b1f9bdb2ea69db9218ebdbdccea5e4d6645fbd1098d051b008b1ebfd12a619c3a4d6fb54940705ab14933e159

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C42BC945025A34066DAB76EF3F80A05

Filesize
314B

MD5
52ee053890b99b697c655f48a374e7ea

SHA1
ce1954b2bc94afc11ae9de721e732093038f82b1

SHA256
51b1be2302c07336faf9d4306072b56c98098606fbc5195507cc4ef4076c8681

SHA512
d102f62b783240fe35163c06b882442220647a5b69567e597b0eba25ea2f0f9331943ff893beead89a30178ca130379ce4da737f37d50eb2653e761396b8ed6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1

Filesize
478B

MD5
626fdf76bd2e25c303b41ae6016ba138

SHA1
b05dc03e803060138c711c579ab62d3ffe8544bf

SHA256
b549036e9d513cf3da15ecb7a0f7c42f3db9675e96d1d8f3a9918fd96b474eda

SHA512
c6474201f166f2c6d69602970edb09c0237552cb93869a259841fe6e0030f4029a0e16b0475ca1be490f8788339d3496af303b7120b45c38cf6fad703f59b959

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI83D6.tmp

Filesize
721KB

MD5
5a1f2196056c0a06b79a77ae981c7761

SHA1
a880ae54395658f129e24732800e207ecd0b5603

SHA256
52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

SHA512
9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeAC.dll

Filesize
898KB

MD5
88bbf2a743baaf81f7a312be61f90d76

SHA1
3719aabc29d5eb58d5d2d2a37066047c67bfc2c6

SHA256
12094a47a9659b1c2f7c5b36e21d2b0145c9e7b2e79845a437508efa96e5f305

SHA512
b01f955eb5f840e01f1f65d5f19c0963e155b1f8d03b4e0720eccbd397cc9aee9a19a63000719e3cf8f580573a335bd61f39fe1261f44e1d5371a9c695b60b70

Download Submit
C:\Windows\Installer\MSICAE6.tmp

Filesize
397KB

MD5
b41e1b0ae2ec215c568c395b0dbb738a

SHA1
90d8e50176a1f4436604468279f29a128723c64b

SHA256
a97e782c5612c1a9c8a56c56a943f6190fa7a73c346566860b519ef02efd0dca

SHA512
828d00ea08aa5c5d28b2e513687ee1ff910670f49f938064682e56da05544ba9d73ba9244f77b5df8acaeeb7b756d62f67e5acbc95bae86b4706f6324c4ccaba

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
1b009cfd382ce0745e61bacc07b76816

SHA1
6582e8ecb9e75124828548963be4f18a285c3a3b

SHA256
a93670e0372f35a8782a29f7d3ec475044e8a6d96ae4424fff2768de9f2a64ed

SHA512
4f638a475668e0514da4096334ca282d53fd96cb83bd0741cf1ceb72a76cc89bae5459f218a807139a2cd394841b5e7cd7562edc55de1b7defdd330adfc096f0

Download Submit
\??\Volume{fa35ad82-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{0c6a6e01-c38c-47f1-ac1e-70520dab0395}_OnDiskSnapshotProp

Filesize
6KB

MD5
6a4950a632ce242c2160ec667463d165

SHA1
3ce8e7c7ecfaf9df4ab40d4ad0ee3a449bac929c

SHA256
b664ad141cacf17bc5be6bc98dafa2dcc93023ece01e575ad2e3e69e48681393

SHA512
aceddecc7df6a4f4056bd6032a8ef4213da397ac830d98a2306533719db0fe31bcc05c6fe473309be635f56f3cc29fa90bc8b12c6d363b98fbffe2c0646bd62c

Download Submit
memory/2348-85-0x0000023566C70000-0x0000023566C9F000-memory.dmp

Filesize
188KB

Download
memory/2348-89-0x0000023566CA0000-0x0000023566CCE000-memory.dmp

Filesize
184KB

Download
memory/3956-90-0x0000021376830000-0x0000021376832000-memory.dmp

Filesize
8KB

Download
memory/3956-92-0x0000021376800000-0x000002137682E000-memory.dmp

Filesize
184KB

Download
memory/3956-94-0x0000021376800000-0x000002137682E000-memory.dmp

Filesize
184KB

Download
memory/3956-111-0x0000021376800000-0x000002137682E000-memory.dmp

Filesize
184KB

Download
memory/3956-110-0x0000021376800000-0x000002137682E000-memory.dmp

Filesize
184KB

Download
memory/3956-109-0x0000021376800000-0x000002137682E000-memory.dmp

Filesize
184KB

Download
memory/3956-108-0x0000021376800000-0x000002137682E000-memory.dmp

Filesize
184KB

Download
memory/3956-112-0x0000021376800000-0x000002137682E000-memory.dmp

Filesize
184KB

Download