Analysis
Max time kernel: 149s
Max time network: 121s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 19-10-2024 18:35

Static task: static1
Behavioral task: behavioral1
- Sample: 93a98b919aec23411ae62dba8d0d22f939da45dec19db2b4e7293124d8f1507f.msi
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 93a98b919aec23411ae62dba8d0d22f939da45dec19db2b4e7293124d8f1507f.msi
- Resource: win10v2004-20241007-en
General
Target: 93a98b919aec23411ae62dba8d0d22f939da45dec19db2b4e7293124d8f1507f.msi
Size: 1.9MB
MD5: 82b8bd90e500fb0bf878d6f430c5abec
SHA1: f004c09428f2f18a145212a9e55eef3615858f9c
SHA256: 93a98b919aec23411ae62dba8d0d22f939da45dec19db2b4e7293124d8f1507f
SHA512: 82b2e997bf5bc0d08ab8dd921aef3e8d620a61c26f86b6f481845ad694d7b97f65dfa42e1c18b83f0f827cad9df69a409b75d96793e5bd7124c26bc7cb07f881
SSDEEP: 49152:Ksjitd+vszAlozTy4g5r8+5eNBABxGNvXreD68f:rihTyfcXreO8f
Malware Config
Extracted: qakbot
- tchk06
- 1702463600
- 45.138.74.191:443
- 65.108.218.24:443
- camp_date: 2023-12-13 10:33:20 +0000 UTC
Signatures

Detect Qakbot Payload (9 IoCs)
Resource and matching YARA rule:
- behavioral1/memory/2680-308-0x0000000001D40000-0x0000000001D6F000-memory.dmp: family_qakbot_v5
- behavioral1/memory/2680-312-0x0000000180000000-0x000000018002E000-memory.dmp: family_qakbot_v5
- behavioral1/memory/1532-315-0x0000000000060000-0x000000000008E000-memory.dmp: family_qakbot_v5
- behavioral1/memory/1532-318-0x0000000000060000-0x000000000008E000-memory.dmp: family_qakbot_v5
- behavioral1/memory/1532-337-0x0000000000060000-0x000000000008E000-memory.dmp: family_qakbot_v5
- behavioral1/memory/1532-338-0x0000000000060000-0x000000000008E000-memory.dmp: family_qakbot_v5
- behavioral1/memory/1532-336-0x0000000000060000-0x000000000008E000-memory.dmp: family_qakbot_v5
- behavioral1/memory/1532-335-0x0000000000060000-0x000000000008E000-memory.dmp: family_qakbot_v5
- behavioral1/memory/1532-334-0x0000000000060000-0x000000000008E000-memory.dmp: family_qakbot_v5
Blocklisted process makes network request (3 IoCs)
Flow, PID, process:
- flow 3, PID 2528, msiexec.exe
- flow 5, PID 2528, msiexec.exe
- flow 6, PID 1788, msiexec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Windows directory (12 IoCs)
Description, file, process:
- File created: C:\Windows\Installer\f76f4cb.ipi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\ (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSIF9E9.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\f76f4cb.ipi (msiexec.exe)
- File opened for modification: C:\Windows\INF\setupapi.ev3 (DrvInst.exe)
- File created: C:\Windows\Installer\f76f4ca.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\f76f4ca.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSIF7B6.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSIFA3A.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI38D.tmp (msiexec.exe)
- File opened for modification: C:\Windows\INF\setupapi.ev1 (DrvInst.exe)
- File opened for modification: C:\Windows\INF\setupapi.dev.log (DrvInst.exe)
Executes dropped EXE (1 IoC)
- PID 2732, MSI38D.tmp
Loads dropped DLL (11 IoCs)
PID, process:
- PID 1500, MsiExec.exe
- PID 1500, MsiExec.exe
- PID 1500, MsiExec.exe
- PID 1500, MsiExec.exe
- PID 1500, MsiExec.exe
- PID 2684, MsiExec.exe
- PID 2684, MsiExec.exe
- PID 2680, rundll32.exe
- PID 2680, rundll32.exe
- PID 2680, rundll32.exe
- PID 2680, rundll32.exe
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
- PID 2528, msiexec.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Description, key, process:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MsiExec.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MsiExec.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MSI38D.tmp)
Modifies data under HKEY_USERS (43 IoCs)
Modifies registry class (12 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (2 IoCs)
- PID 2528, msiexec.exe
- PID 2528, msiexec.exe
Suspicious use of WriteProcessMemory (27 IoCs)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\93a98b919aec23411ae62dba8d0d22f939da45dec19db2b4e7293124d8f1507f.msi
  PID: 2528
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 1788
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\syswow64\MsiExec.exe (child of PID 1788)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding DB3C85A0BA17526EC089AAADA1B224F8 C
    PID: 1500
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery

  - C:\Windows\syswow64\MsiExec.exe (child of PID 1788)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding E9D7A7DF0FB6A8966B5E20A703389531
    PID: 2684
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery

  - C:\Windows\Installer\MSI38D.tmp (child of PID 1788)
    Command line: "C:\Windows\Installer\MSI38D.tmp" /HideWindow rundll32 C:\Users\Admin\AppData\Roaming\KROST.dll,hvsi
    PID: 2732
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1756

- C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000055C" "00000000000003B8"
  PID: 2928
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS

- C:\Windows\System32\rundll32.exe
  Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\KROST.dll,hvsi
  PID: 2680
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - C:\Windows\System32\wermgr.exe (child of PID 2680)
    Command line: C:\Windows\System32\wermgr.exe
    PID: 1532
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads