Overview

overview

10

Static

static

1

maldoc5.msi

windows7-x64

10

maldoc5.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    10-09-2024 13:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    maldoc5.msi

  • Size

    2.1MB

  • MD5

    723dae8ed3f157e40635681f028328e6

  • SHA1

    aa6dd8df02000fbfc884e687bcafed57f84a83b0

  • SHA256

    e88610db05636a1476435ec1f39d3651b080c8a6b8756452d421d7a822a2e115

  • SHA512

    4e1829bfc470ea8624dee424db34b2b0f965597c1e300ca62f271727a7fd4dc6c90137d5ca8fd227ba3bad26fee2870788f91b00b225d6a626e99e18476473be

  • SSDEEP

    49152:DNGitd+vszAlozTy4g5r8+5eNBADPGXJXrejhJ8I+jELv6:oihTyfIXreNJ8IpT6

Score
10/10
qakbottchk071702975817bankerdiscoverypersistenceprivilege_escalationstealertrojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk07

Campaign

1702975817

C2

116.203.56.11:443

109.107.181.8:443
Attributes
  • camp_date

    2023-12-19 08:50:17 +0000 UTC

Signatures

  • Detect Qakbot Payload 2 IoCs
  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Blocklisted process makes network request 3 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 12 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 13 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\maldoc5.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Loads dropped DLL
    • Event Triggered Execution: Installer Packages
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2232
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2924
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding E9BADC5E56F1C9AA5799B2A73C0FE9A4 C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2636
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 2EA415038EE1A434A063423296512924
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2656
    • C:\Windows\Installer\MSIAA28.tmp
      "C:\Windows\Installer\MSIAA28.tmp" /HideWindow rundll32 C:\Users\Admin\AppData\Roaming\AdobeAC.dll,EditOwnerInfo
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2544
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
      PID:280
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005D8" "000000000000059C"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:1156
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\AdobeAC.dll,EditOwnerInfo
      1⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2524
      • C:\Windows\System32\wermgr.exe
        C:\Windows\System32\wermgr.exe
        2⤵
          PID:2856

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Config.Msi\f769771.rbs
        Filesize

        1KB

        MD5

        c30d8b3370e935efc45141407b614ee8

        SHA1

        97d80ec11fb55eddaa458ee0b8c3f9ac65ec068f

        SHA256

        310c1baf5cbaf51ae16a1b4e23d8a088d3cda134fde2221a162e69c011156133

        SHA512

        c5f618e9e62caa404f3cfa50250800ed12aa904d58d0b5215df5007f7279b862b36be7cffa0edb8b49a82b0a3804759a73dd0b3013b9aba82c8df99b77748a89

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07298EE8EBA9732300AE62BDCA6B6898
        Filesize

        1KB

        MD5

        e11e31581aae545302f6176a117b4d95

        SHA1

        743af0529bd032a0f44a83cdd4baa97b7c2ec49a

        SHA256

        2e7bf16cc22485a7bbe2aa8696750761b0ae39be3b2fe9d0cc6d4ef73491425c

        SHA512

        c63aba6ca79c60a92b3bd26d784a5436e45a626022958bf6c194afc380c7bfb01fadf0b772513bbdbd7f1bb73691b0edb2f60b2f235ec9e0b81c427e04fbe451

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8555326CC9661C9937DC5053B6C38763
        Filesize

        1KB

        MD5

        866912c070f1ecacacc2d5bca55ba129

        SHA1

        b7ab3308d1ea4477ba1480125a6fbda936490cbb

        SHA256

        85666a562ee0be5ce925c1d8890a6f76a87ec16d4d7d5f29ea7419cf20123b69

        SHA512

        f91e855e0346ac8c3379129154e01488bb22cff7f6a6df2a80f1671e43c5df8acae36fdf5ee0eb2320f287a681a326b6f1df36e8e37aa5597c4797dd6b43b7cf

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07298EE8EBA9732300AE62BDCA6B6898
        Filesize

        312B

        MD5

        5ae0f931c043ebedf969ba51166a4ee4

        SHA1

        bdcc8829d880e49b523b4d3fdeaa700a1714a694

        SHA256

        81c08ed67af365d7006158926aaa8882e13b6738b1f32eafe5344801a1192017

        SHA512

        c030cccec0df3a40feeb812d8d4200da29768961e378663b908e519ed624cc66746390a8e80bf6e3dff9ce62213a87745a4161b97c943f24fbb1bb315599910e

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8555326CC9661C9937DC5053B6C38763
        Filesize

        326B

        MD5

        099900352cecf1ba0e57399654d9fb6f

        SHA1

        b6f82d8ceaa122125d27dbcf5fcacf618b71acb0

        SHA256

        11932d2a0ed18d9fdb39dc9543edbcc608314d1cdab5187d75736c5aaf5a7781

        SHA512

        d430c7632eb17e7ab1cf843a19f323f8e9a141f91991d369d8b6732c89a3fb1d51eb4c482e8bd93c1e43a4553c016d0c9832d93cefc958b08983217eb20eb297

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        b5eefa61127819a2eb1c2a47e5db1d04

        SHA1

        f1619556338ffe4c5400f94ef05138da756aa251

        SHA256

        7896dac4cd0552b5198c80d1f8c1a23e705010e19430e82eeceed8df3ae498e1

        SHA512

        4dd8c4871092826379378424acbe588c66cb922519a1408c6a3625a00748c6830e3e2a4759cd44ccb129bc88a37b3051b532c64bccfe5097eebdb0a659a642d9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Cab763B.tmp
        Filesize

        70KB

        MD5

        49aebf8cbd62d92ac215b2923fb1b9f5

        SHA1

        1723be06719828dda65ad804298d0431f6aff976

        SHA256

        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

        SHA512

        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\MSI7B54.tmp
        Filesize

        721KB

        MD5

        5a1f2196056c0a06b79a77ae981c7761

        SHA1

        a880ae54395658f129e24732800e207ecd0b5603

        SHA256

        52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

        SHA512

        9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Tar77A5.tmp
        Filesize

        181KB

        MD5

        4ea6026cf93ec6338144661bf1202cd1

        SHA1

        a1dec9044f750ad887935a01430bf49322fbdcb7

        SHA256

        8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

        SHA512

        6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

        Download Submit

      • C:\Users\Admin\AppData\Roaming\AdobeAC.dll
        Filesize

        898KB

        MD5

        88bbf2a743baaf81f7a312be61f90d76

        SHA1

        3719aabc29d5eb58d5d2d2a37066047c67bfc2c6

        SHA256

        12094a47a9659b1c2f7c5b36e21d2b0145c9e7b2e79845a437508efa96e5f305

        SHA512

        b01f955eb5f840e01f1f65d5f19c0963e155b1f8d03b4e0720eccbd397cc9aee9a19a63000719e3cf8f580573a335bd61f39fe1261f44e1d5371a9c695b60b70

        Download Submit

      • C:\Windows\Installer\MSIAA28.tmp
        Filesize

        397KB

        MD5

        b41e1b0ae2ec215c568c395b0dbb738a

        SHA1

        90d8e50176a1f4436604468279f29a128723c64b

        SHA256

        a97e782c5612c1a9c8a56c56a943f6190fa7a73c346566860b519ef02efd0dca

        SHA512

        828d00ea08aa5c5d28b2e513687ee1ff910670f49f938064682e56da05544ba9d73ba9244f77b5df8acaeeb7b756d62f67e5acbc95bae86b4706f6324c4ccaba

        Download Submit

      • memory/2524-315-0x0000000001D70000-0x0000000001D9E000-memory.dmp

        Filesize

        184KB

        Download

      • memory/2524-311-0x0000000001D40000-0x0000000001D6F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/2544-305-0x0000000000130000-0x0000000000132000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2856-319-0x0000000000110000-0x0000000000112000-memory.dmp

        Filesize

        8KB

        Download