qakbot | e88610db05636a1476435ec1f39d3651b080c8a6b8756452d421d7a822a2e115

Analysis

max time kernel
149s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-09-2024 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

maldoc5.msi
Size

2.1MB
MD5

723dae8ed3f157e40635681f028328e6
SHA1

aa6dd8df02000fbfc884e687bcafed57f84a83b0
SHA256

e88610db05636a1476435ec1f39d3651b080c8a6b8756452d421d7a822a2e115
SHA512

4e1829bfc470ea8624dee424db34b2b0f965597c1e300ca62f271727a7fd4dc6c90137d5ca8fd227ba3bad26fee2870788f91b00b225d6a626e99e18476473be
SSDEEP

49152:DNGitd+vszAlozTy4g5r8+5eNBADPGXJXrejhJ8I+jELv6:oihTyfIXreNJ8IpT6

Score

10^/10

qakbot tchk07 1702975817 banker discovery persistence privilege_escalation stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk07

Campaign

1702975817

116.203.56.11:443

109.107.181.8:443

Attributes

camp_date
2023-12-19 08:50:17 +0000 UTC

Signatures

Detect Qakbot Payload 9 IoCs

resource	yara_rule
behavioral2/memory/3600-83-0x00000175369B0000-0x00000175369DF000-memory.dmp	family_qakbot_v5
behavioral2/memory/3600-87-0x00000175369E0000-0x0000017536A0E000-memory.dmp	family_qakbot_v5
behavioral2/memory/3628-89-0x000002576FC50000-0x000002576FC7E000-memory.dmp	family_qakbot_v5
behavioral2/memory/3628-92-0x000002576FC50000-0x000002576FC7E000-memory.dmp	family_qakbot_v5
behavioral2/memory/3628-107-0x000002576FC50000-0x000002576FC7E000-memory.dmp	family_qakbot_v5
behavioral2/memory/3628-106-0x000002576FC50000-0x000002576FC7E000-memory.dmp	family_qakbot_v5
behavioral2/memory/3628-109-0x000002576FC50000-0x000002576FC7E000-memory.dmp	family_qakbot_v5
behavioral2/memory/3628-108-0x000002576FC50000-0x000002576FC7E000-memory.dmp	family_qakbot_v5
behavioral2/memory/3628-110-0x000002576FC50000-0x000002576FC7E000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Blocklisted process makes network request 4 IoCs

flow	pid	Process
5	1164	msiexec.exe
8	1164	msiexec.exe
10	1164	msiexec.exe
14	1164	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{22742959-614A-4FC5-9C2F-4B7D7AE6105A}	msiexec.exe
File created	C:\Windows\Installer\e57a681.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA72D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA828.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA838.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA904.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAA0F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57a681.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB3A5.tmp	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
1464	MSIB3A5.tmp

Loads dropped DLL 12 IoCs

pid	Process
1908	MsiExec.exe
1908	MsiExec.exe
1908	MsiExec.exe
1908	MsiExec.exe
1908	MsiExec.exe
1908	MsiExec.exe
1908	MsiExec.exe
3052	MsiExec.exe
3052	MsiExec.exe
3052	MsiExec.exe
3052	MsiExec.exe
3600	rundll32.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1164	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIB3A5.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000096fabf83e47a2dea0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000096fabf830000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090096fabf83000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d96fabf83000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000096fabf8300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\ezyqasijzzj\9fcc4acf = e579ab20e5f43816609d941ecfb8632935558d51b326b3a16c7d71f623c4c0d3abf9699cd02960972d4f9c05156b29faa81a620ff1b0c77b435f6d4a7ca8266cc70fe8e3b1dd35d4e5988e394e661ea38377ef7c1e580b0e4826a646e20dc73455e47336c7b5bdf807447dca158ac623ba39d4e7fbdc8138e7f808b6eea07833e503830e69967ccfd249d96f105e83a87c967b8a3b6142925a961bbc7521e10f07	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\ezyqasijzzj\81040c63 = 24740ed5200087af04acf014e415f97c9b94fd24494286b8d7ec152f268ef7b9708407571dfe6d41b82349fdb11152b134554ff889868e6b9ff7cb17fd52e295280858469fc513fddc2dbc23d088a5ab6dd4c46547bab8d32c514591f621af42fe2e0ad7cec7b5b511f492a5b3ae68be82	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\ezyqasijzzj\4dae0cfd = 87c73d8f3d8539bef88ffdc455e212d48770dcaa92bd14c1cf02fb9313f8475eeb13cbeaf954e936528e9046254287f9d35bcd29b1895f46c4d97d194c83ed64a1	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\ezyqasijzzj\9e4b1748 = 064dd55a43e703ff542f446b8944eb3c807398fd05d5bcc82c0fdd88c60eeccdeaa83fc5d9bd9c189c315ba8efb2bae42e5917613b48d1e70b70a99928092989b8a4a9072950fbc6a2be447db26153caa1	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\ezyqasijzzj\53664a51 = 45fb7695ed3163e6b920160db3e844a4459bab238c4090818c0b9da83971d4665f9da5146884f7e4c6b743da0f3cd6a300888c5102a5a3cc626a15092e96eb69e302d733f2dd52f5ce5d39fa5a065f005c324ca3fed23462caa613eabb7627d85cd1b63642ab2a6a19067410c5efb86a3a7d55ff35e05de9a1e3a22a0c53126545	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\ezyqasijzzj\c9e40207 = 2775645c7f627f0ca8b0f447eab63d3d8972f3b20354fce2b4d1b8152bb1effd385dd587ebe0cff081ce99a53a7422e66b1921ab0492366cbdbb7cdc36fc7d0d71d80201856eb05d072c77413861eb26efe2c18c7fc36c4226f462eb0932e7545a5680bbb3375d1aef78d13c1ec1ea827a749571a261e327fb11407c9cbb568a3ce2de2d00cea6b97d5f5abd447443128e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\ezyqasijzzj\c9e40207 = a5cc49e56ee47c3cb3d7237788b96fb456a825832b196deeaf03509b1155e7da9c81c05114ad162e08ca77158a34452000a380575b982d0e8bf761fc7ec94dc1d3b0af960ec51e93a221723ad053bc1852870f46592070b391ade3671ffa99a8d652942e8d46aaa68f8b6333e9b8b42a270b3c8ee1fb952506c4d08253ace0a613	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\ezyqasijzzj\52e117d6 = 4487b84859b06241fa58b2386f13c4a112369d026bdcb9217a471acea93db3ccf9d290e101a486496c2b79675c88cf603c5cb0cdd926fefc89cd667879f2dd6e948300a4399adde60ca50e2ae41351dd4ffae72a2a9b55ee8e92e373a397f63bc042d533575bf9c20f0d50456d8f6894a63b34e2d26624b915caa38a043f5e575c	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\ezyqasijzzj\c8635f80 = 245de622435c3d3a0080ef08b07555d9f6dcea492c10eaee15562aee99b2381623	wermgr.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\ezyqasijzzj	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2556	msiexec.exe
2556	msiexec.exe
1464	MSIB3A5.tmp
1464	MSIB3A5.tmp
3600	rundll32.exe
3600	rundll32.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe
3628	wermgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1164	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1164	msiexec.exe
Token: SeSecurityPrivilege	2556	msiexec.exe
Token: SeCreateTokenPrivilege	1164	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1164	msiexec.exe
Token: SeLockMemoryPrivilege	1164	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1164	msiexec.exe
Token: SeMachineAccountPrivilege	1164	msiexec.exe
Token: SeTcbPrivilege	1164	msiexec.exe
Token: SeSecurityPrivilege	1164	msiexec.exe
Token: SeTakeOwnershipPrivilege	1164	msiexec.exe
Token: SeLoadDriverPrivilege	1164	msiexec.exe
Token: SeSystemProfilePrivilege	1164	msiexec.exe
Token: SeSystemtimePrivilege	1164	msiexec.exe
Token: SeProfSingleProcessPrivilege	1164	msiexec.exe
Token: SeIncBasePriorityPrivilege	1164	msiexec.exe
Token: SeCreatePagefilePrivilege	1164	msiexec.exe
Token: SeCreatePermanentPrivilege	1164	msiexec.exe
Token: SeBackupPrivilege	1164	msiexec.exe
Token: SeRestorePrivilege	1164	msiexec.exe
Token: SeShutdownPrivilege	1164	msiexec.exe
Token: SeDebugPrivilege	1164	msiexec.exe
Token: SeAuditPrivilege	1164	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1164	msiexec.exe
Token: SeChangeNotifyPrivilege	1164	msiexec.exe
Token: SeRemoteShutdownPrivilege	1164	msiexec.exe
Token: SeUndockPrivilege	1164	msiexec.exe
Token: SeSyncAgentPrivilege	1164	msiexec.exe
Token: SeEnableDelegationPrivilege	1164	msiexec.exe
Token: SeManageVolumePrivilege	1164	msiexec.exe
Token: SeImpersonatePrivilege	1164	msiexec.exe
Token: SeCreateGlobalPrivilege	1164	msiexec.exe
Token: SeCreateTokenPrivilege	1164	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1164	msiexec.exe
Token: SeLockMemoryPrivilege	1164	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1164	msiexec.exe
Token: SeMachineAccountPrivilege	1164	msiexec.exe
Token: SeTcbPrivilege	1164	msiexec.exe
Token: SeSecurityPrivilege	1164	msiexec.exe
Token: SeTakeOwnershipPrivilege	1164	msiexec.exe
Token: SeLoadDriverPrivilege	1164	msiexec.exe
Token: SeSystemProfilePrivilege	1164	msiexec.exe
Token: SeSystemtimePrivilege	1164	msiexec.exe
Token: SeProfSingleProcessPrivilege	1164	msiexec.exe
Token: SeIncBasePriorityPrivilege	1164	msiexec.exe
Token: SeCreatePagefilePrivilege	1164	msiexec.exe
Token: SeCreatePermanentPrivilege	1164	msiexec.exe
Token: SeBackupPrivilege	1164	msiexec.exe
Token: SeRestorePrivilege	1164	msiexec.exe
Token: SeShutdownPrivilege	1164	msiexec.exe
Token: SeDebugPrivilege	1164	msiexec.exe
Token: SeAuditPrivilege	1164	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1164	msiexec.exe
Token: SeChangeNotifyPrivilege	1164	msiexec.exe
Token: SeRemoteShutdownPrivilege	1164	msiexec.exe
Token: SeUndockPrivilege	1164	msiexec.exe
Token: SeSyncAgentPrivilege	1164	msiexec.exe
Token: SeEnableDelegationPrivilege	1164	msiexec.exe
Token: SeManageVolumePrivilege	1164	msiexec.exe
Token: SeImpersonatePrivilege	1164	msiexec.exe
Token: SeCreateGlobalPrivilege	1164	msiexec.exe
Token: SeCreateTokenPrivilege	1164	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1164	msiexec.exe
Token: SeLockMemoryPrivilege	1164	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1164	msiexec.exe
1164	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 1908	2556	msiexec.exe	88
PID 2556 wrote to memory of 1908	2556	msiexec.exe	88
PID 2556 wrote to memory of 1908	2556	msiexec.exe	88
PID 2556 wrote to memory of 3136	2556	msiexec.exe	99
PID 2556 wrote to memory of 3136	2556	msiexec.exe	99
PID 2556 wrote to memory of 3052	2556	msiexec.exe	101
PID 2556 wrote to memory of 3052	2556	msiexec.exe	101
PID 2556 wrote to memory of 3052	2556	msiexec.exe	101
PID 2556 wrote to memory of 1464	2556	msiexec.exe	102
PID 2556 wrote to memory of 1464	2556	msiexec.exe	102
PID 2556 wrote to memory of 1464	2556	msiexec.exe	102
PID 3600 wrote to memory of 3628	3600	rundll32.exe	104
PID 3600 wrote to memory of 3628	3600	rundll32.exe	104
PID 3600 wrote to memory of 3628	3600	rundll32.exe	104
PID 3600 wrote to memory of 3628	3600	rundll32.exe	104
PID 3600 wrote to memory of 3628	3600	rundll32.exe	104

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\maldoc5.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1164

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 36479DC5DD9A2C3A99048B2CB4529400 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1908
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3136
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F8356175709D992F269671E32EAC6461
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3052
- C:\Windows\Installer\MSIB3A5.tmp
  "C:\Windows\Installer\MSIB3A5.tmp" /HideWindow rundll32 C:\Users\Admin\AppData\Roaming\AdobeAC.dll,EditOwnerInfo
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1464

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2312

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\AdobeAC.dll,EditOwnerInfo
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Windows\System32\wermgr.exe
  C:\Windows\System32\wermgr.exe
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57a682.rbs

Filesize
1KB

MD5
4f06a93eeb15cd628c529a21d1dfd04f

SHA1
e3cfaedf13e66e11f239b9d8f5a29dff08e0db05

SHA256
5bd314653cbc18a7da69c9bce5fdf174ef2d0ca6c2974778f8f5b1603e044ad5

SHA512
204a109ad624b1c8fab7d92f27c307325950a8ae11a479225dffb199c00df697d0774af7d7bdcbe8437f915ebc097a7c3beeb46c16be9e1a15d5b7ad1ecef6d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C42BC945025A34066DAB76EF3F80A05

Filesize
66KB

MD5
a1b72c747e56a730ffd785bc069cee17

SHA1
1fad3ba585e43bd8a5dc3897eaebd77658b84ab8

SHA256
aae459cefd449439055c34d680bbe2b5df9993cf2aa5a0512367a9ef57485d97

SHA512
2c6e033343fa22be2cf7a59cf3a0418263e491601492cff54c0451c013f3c3bf61821dfc93ef8927856ce2264f80fdd7a9b19d88fcde2bb7a61db39efad5d306

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1

Filesize
727B

MD5
7a3b8457313a521e0d44f91765a4e041

SHA1
4ea8ecb5e7b4c11f4c491caf6cee7ced5ec4c267

SHA256
2b08ecf53bb8b6c430659926148f896102dc80b5f38b0ec5efe122199659651c

SHA512
7349fd1b8c490d540a8bb25f40587f9874ff5d9b1f9bdb2ea69db9218ebdbdccea5e4d6645fbd1098d051b008b1ebfd12a619c3a4d6fb54940705ab14933e159

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C42BC945025A34066DAB76EF3F80A05

Filesize
314B

MD5
0e1f9ab5a16f168061fb7c9b601ee1ca

SHA1
840724b5cc5e9f03c4e750f9d1d7e60681d58ec9

SHA256
348e8626340e84852dda277c23483b4572b96bdb67f4b28ebe5d4858cc470b1b

SHA512
818e328407bf5956ae6b8a34de61c47dde9bd5ca5277fae18d635fd3ecf8857fe605b8f20a41f624af8b322a0569d2a8cb3ee5e5579e1ad014b56e266aa86a5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1

Filesize
478B

MD5
b27db91f16aa3b8a108ef1063b867ed0

SHA1
1c0bede062a784d5fb8bd7f4301f8a31d68fad28

SHA256
c429f8ba3605267de572ea8ce6d390c2f7bcf045d2e1d92a34636c3173393652

SHA512
56bc11a9fe04cf4cf48dd30f689fa0b9af17dbcda83902a7b9a48e09bfbd94988606bb81d02ad81ded14e8c7a0e56f20ac7d8d13f95a547cef3d66cf49aec1c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6CC4.tmp

Filesize
721KB

MD5
5a1f2196056c0a06b79a77ae981c7761

SHA1
a880ae54395658f129e24732800e207ecd0b5603

SHA256
52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

SHA512
9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeAC.dll

Filesize
898KB

MD5
88bbf2a743baaf81f7a312be61f90d76

SHA1
3719aabc29d5eb58d5d2d2a37066047c67bfc2c6

SHA256
12094a47a9659b1c2f7c5b36e21d2b0145c9e7b2e79845a437508efa96e5f305

SHA512
b01f955eb5f840e01f1f65d5f19c0963e155b1f8d03b4e0720eccbd397cc9aee9a19a63000719e3cf8f580573a335bd61f39fe1261f44e1d5371a9c695b60b70

Download Submit
C:\Windows\Installer\MSIB3A5.tmp

Filesize
397KB

MD5
b41e1b0ae2ec215c568c395b0dbb738a

SHA1
90d8e50176a1f4436604468279f29a128723c64b

SHA256
a97e782c5612c1a9c8a56c56a943f6190fa7a73c346566860b519ef02efd0dca

SHA512
828d00ea08aa5c5d28b2e513687ee1ff910670f49f938064682e56da05544ba9d73ba9244f77b5df8acaeeb7b756d62f67e5acbc95bae86b4706f6324c4ccaba

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
0b0fe1aaa37a276ca0f5ea17fd24d16d

SHA1
e0ed5bcb60c794b5013ef1972a954e6aa655b98f

SHA256
5ce1edeb26679be0bfb914ece00277905f18d3194e43a49ba32a14586ef1c445

SHA512
b5dc37468ed04cfb83ac9bbc95222f9325083c668a8da23832838fddfb53f10905b886d7e1deccef618b16d39e3f5aae71495fe52ba9fc8cc5a67595ee417e4b

Download Submit
\??\Volume{83bffa96-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5640f145-5c5d-4a33-b01d-4adbe4fc5142}_OnDiskSnapshotProp

Filesize
6KB

MD5
2d5cf5bdaba47b843447bc74e80a805f

SHA1
6ffb52c76b58cfa4f1a78f35ad20c4a127edce89

SHA256
45e6aa0080af2873ab55f86d5a1115d320dfb7c0c2dd2dfcdf73f2fe249b1793

SHA512
25454ee95f0f6dbbc8ad3dd808078fd5ed4239eff1fa0595f2d7ff5b7ef10f51b533fe84aa15764adac1a536d7fde532cb6cd00903205cfccd75ace7be24067c

Download Submit
memory/3600-83-0x00000175369B0000-0x00000175369DF000-memory.dmp

Filesize
188KB

Download
memory/3600-87-0x00000175369E0000-0x0000017536A0E000-memory.dmp

Filesize
184KB

Download
memory/3628-88-0x000002576FC80000-0x000002576FC82000-memory.dmp

Filesize
8KB

Download
memory/3628-107-0x000002576FC50000-0x000002576FC7E000-memory.dmp

Filesize
184KB

Download
memory/3628-106-0x000002576FC50000-0x000002576FC7E000-memory.dmp

Filesize
184KB

Download
memory/3628-109-0x000002576FC50000-0x000002576FC7E000-memory.dmp

Filesize
184KB

Download
memory/3628-108-0x000002576FC50000-0x000002576FC7E000-memory.dmp

Filesize
184KB

Download
memory/3628-110-0x000002576FC50000-0x000002576FC7E000-memory.dmp

Filesize
184KB

Download
memory/3628-92-0x000002576FC50000-0x000002576FC7E000-memory.dmp

Filesize
184KB

Download
memory/3628-89-0x000002576FC50000-0x000002576FC7E000-memory.dmp

Filesize
184KB

Download