Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-10-2024 18:35
Static task: static1
Behavioral task: behavioral1
- Sample: 93a98b919aec23411ae62dba8d0d22f939da45dec19db2b4e7293124d8f1507f.msi
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 93a98b919aec23411ae62dba8d0d22f939da45dec19db2b4e7293124d8f1507f.msi
- Resource: win10v2004-20241007-en
General
- Target: 93a98b919aec23411ae62dba8d0d22f939da45dec19db2b4e7293124d8f1507f.msi
- Size: 1.9MB
- MD5: 82b8bd90e500fb0bf878d6f430c5abec
- SHA1: f004c09428f2f18a145212a9e55eef3615858f9c
- SHA256: 93a98b919aec23411ae62dba8d0d22f939da45dec19db2b4e7293124d8f1507f
- SHA512: 82b2e997bf5bc0d08ab8dd921aef3e8d620a61c26f86b6f481845ad694d7b97f65dfa42e1c18b83f0f827cad9df69a409b75d96793e5bd7124c26bc7cb07f881
- SSDEEP: 49152:Ksjitd+vszAlozTy4g5r8+5eNBABxGNvXreD68f:rihTyfcXreO8f
Malware Config
Extracted
- qakbot
- tchk06
- 1702463600
- 45.138.74.191:443
- 65.108.218.24:443
- camp_date: 2023-12-13 10:33:20 +0000 UTC
Signatures
- Detect Qakbot Payload (9 IoCs)
  yara_rule family_qakbot_v5 matched on the following resources:
  - behavioral2/memory/4464-84-0x000002C82FBC0000-0x000002C82FBEF000-memory.dmp
  - behavioral2/memory/4464-88-0x0000000180000000-0x000000018002E000-memory.dmp
  - behavioral2/memory/1156-91-0x0000027373250000-0x000002737327E000-memory.dmp
  - behavioral2/memory/1156-94-0x0000027373250000-0x000002737327E000-memory.dmp
  - behavioral2/memory/1156-108-0x0000027373250000-0x000002737327E000-memory.dmp
  - behavioral2/memory/1156-109-0x0000027373250000-0x000002737327E000-memory.dmp
  - behavioral2/memory/1156-107-0x0000027373250000-0x000002737327E000-memory.dmp
  - behavioral2/memory/1156-106-0x0000027373250000-0x000002737327E000-memory.dmp
  - behavioral2/memory/1156-110-0x0000027373250000-0x000002737327E000-memory.dmp
- Blocklisted process makes network request (3 IoCs)
  flow / pid / Process:
  - 5 / 2672 / msiexec.exe
  - 18 / 2672 / msiexec.exe
  - 24 / 2672 / msiexec.exe
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description / ioc / Process: File opened (read-only) by msiexec.exe, twice for each of the following drive roots (every letter except C:, D: and F:):
  \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
- Drops file in Windows directory (12 IoCs)
  description / ioc / Process:
  - File created: C:\Windows\Installer\SourceHash{E42164EE-5510-4BB6-BA12-B7664EFD3B05} (msiexec.exe)
  - File created: C:\Windows\Installer\e57f9c1.msi (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\e57f9c1.msi (msiexec.exe)
  - File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSIFBD7.tmp (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\ (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSIFCB2.tmp (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSIFD50.tmp (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSIF90.tmp (msiexec.exe)
  - File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSIFA6D.tmp (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSIFB49.tmp (msiexec.exe)
- Executes dropped EXE (1 IoC)
  pid / Process: 1680 / MSIF90.tmp
- Loads dropped DLL (12 IoCs)
  pid / Process:
  - 3108 / MsiExec.exe (7 entries)
  - 372 / MsiExec.exe (4 entries)
  - 4464 / rundll32.exe (1 entry)
- Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
  pid / Process: 2672 / msiexec.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MsiExec.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MsiExec.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MSIF90.tmp)
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description / ioc / Process (all by vssvc.exe, under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters):
  - Key opened: Device Parameters
  - Key queried: Device Parameters
  - Key created: Device Parameters\Partmgr
  - Set value (data): Device Parameters\Partmgr\PartitionTableCache = (value elided)
  - Set value (data): Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Modifies registry class (12 IoCs)
  description / ioc / Process (all by wermgr.exe, under \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\wskaeiybfe):
  - Set value (data): f88d8ea2 = c447266f738c32492275ad56309d154ffc65319b417e1e40f035726dd21a9e5cdbd932c24174ec38709ee93a63db25b3ec66fef489ee77d03b006b264a8eefdfddba405e7301d595ca48304548d34de6e1c31ebcc26fd2735885f40a664ce4c450d14b173246bd6ae37689f142167ff31f
  - Set value (data): 5c91f0a2 = 87603a8bd7a8f3666709cc0b348501337eebffb16dd66e026767e880d9794e7324437bb51d22c4a834f072f630fecd9a66b3ae40113e1d02d94f39fd50698b5bfb4f11852744b1990a50db5d642346d786
  - Set value (data): 5d16ad25 = 466d3dacbac2dab713bd39dff45d5ace43d341f8551fa8aeb1475401db712c8508e90e690e70a411adf69fd01bc90daf5f63c25943ad73bf05c93479d360ff89e68c430cc723eca8956272ea485f3dc7a3da9e6ab05ca64953eb7dc97a3634433d58870a661865751cb92713006c90cc2927dee75e329d7261ec6954c9d6a49659
  - Set value (data): c613b8f4 = c41acf3a6808a722666b159116907cdeebe293790fecf463d02745aad04c0bd8572f3e7f4349633e3c466017b7ab3e3a65b6f50a0c68cb80cc4ff44cb841960f01d52a52b33017a83a20600798ca84aedc
  - Key created: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\wskaeiybfe
  - Set value (data): 8f74eb17 = 6532db3d477c2b1e88c42aacfa89735704a1a29a4b8e4d69e46ab9e7b28f870ddad2e0e6de19324ebaf3295bbc9d454a9c10f2ace7bc04ee577da1f29e92486dc7017a9bded281e781aba536e03d9010b9e80b9785c26d408989cd1fc6d3176d1c7ea9d7f833723ebce4c422284aff6c4a
  - Set value (data): 43deeb89 = a6efa5efb9c3c5bb7bc8cb1c8912ce6d57961e95a2a54a892be0d25b2f7137e633444b4123a38bb11251ce7ada2b12f02e7415d4cb197fd2849b52b0cd3202766f3f83c99493742ff8884632290fd551994c60036068b266ebeb0afdc75dd703cd4bb3e701166d3b35558f34ccdc79864e
  - Set value (data): 57d3a43c = 8657f251a5a284c5cab1d0fb5453bcc0142d90dfd12770e59f70bbe40f9bea15ac646f6be690baacf855fc2abce57676d1ad4dd273ce49b58a1d18b7982e1ac9c098df341e25fcc40d24a8cb95c5c079de107599188452fe6171df1df9ff439155
  - Set value (data): c794e573 = 85ca00e9b29ee011c86e5806e8dcfc5d6a434cd39c7f5d2c2e0ffad1201488b02ef73590944e17056fcef3b7d84d4e8ead218911baeb8d9dbffdbb214b2b84c7a47dc165b962b19243689ef4a21db2c942
  - Set value (data): 91bcadbb = 04c235170c57b724ea60fa0c7aff027c4bb20102a98513eb8a2e04e1b86c8e38300d6377486ace21667ff476ace123d43d972a26359858151f2ac4a6dbd7f719fe58662a16be1093df0787d41ac22444e0433faf579754ff910998e109eee6ab7bf57a11b2e4d4997b9b23d36f8c59c23ab9fb365a431fc6748e175e3de81ffd2d4f4840c6226bc009bbca90ae68babb47
  - Set value (data): 903bf03c = a795fc3f3357b56fa7a3e11e55022cf44331d82be27c1f075709ffc11fdb025b1cf6151bcd25f43cbdd471eae1e98a0c0d0b2fe58f6116c4a6a93711618577f39528592367649172b5512d139cdba43d85dfd1662e953f4d752804733391d57f41971311a4dea7368e9d467063faa9bc1084845397b419dc7643fa8be6975fed93
  - Set value (data): c794e573 = 8759b2b2d3bec124531cf0c936b3cf48206a714124cd4b4b670f22d06748ae8fe7372dbbbca98e11f793b1fcd74b11196f6cfd84f0379c88cce3ec007dce418c4b78327caec6706c10df6f97b59c9658b90699927ff95c3a4539cba1223df7cb60715254ff26446a14222ac340ca5eca28
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process:
  - 3496 / msiexec.exe (2 entries)
  - 1680 / MSIF90.tmp (2 entries)
  - 4464 / rundll32.exe (2 entries)
  - 1156 / wermgr.exe (all remaining entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description / pid / Process, in the order recorded:
  - pid 2672 msiexec.exe: Token: SeShutdownPrivilege, SeIncreaseQuotaPrivilege
  - pid 3496 msiexec.exe: Token: SeSecurityPrivilege
  - pid 2672 msiexec.exe: Token: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  - pid 2672 msiexec.exe: the same 29-token sequence (SeCreateTokenPrivilege through SeCreateGlobalPrivilege) a second time
  - pid 2672 msiexec.exe: Token: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid / Process: 2672 / msiexec.exe (2 entries)
- Suspicious use of WriteProcessMemory (16 IoCs)
  description / pid / Process / procid_target:
  - PID 3496 (msiexec.exe) wrote to memory of 3108, procid_target 89 (3 entries)
  - PID 3496 (msiexec.exe) wrote to memory of 4596, procid_target 104 (2 entries)
  - PID 3496 (msiexec.exe) wrote to memory of 372, procid_target 106 (3 entries)
  - PID 3496 (msiexec.exe) wrote to memory of 1680, procid_target 107 (3 entries)
  - PID 4464 (rundll32.exe) wrote to memory of 1156, procid_target 109 (5 entries)
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\93a98b919aec23411ae62dba8d0d22f939da45dec19db2b4e7293124d8f1507f.msi
  PID: 2672
  Signatures:
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 3496
  Signatures:
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding A0175A397EB8FC2EBEFB5EFEAAE37341 C
    PID: 3108
    Signatures:
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
  - C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 4596
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 627E1E9FE45F7768D3EBE85022B4A2CD
    PID: 372
    Signatures:
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
  - C:\Windows\Installer\MSIF90.tmp
    Command line: "C:\Windows\Installer\MSIF90.tmp" /HideWindow rundll32 C:\Users\Admin\AppData\Roaming\KROST.dll,hvsi
    PID: 1680
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1976
  Signatures:
  - Checks SCSI registry key(s)
- C:\Windows\System32\rundll32.exe
  Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\KROST.dll,hvsi
  PID: 4464
  Signatures:
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\System32\wermgr.exe
    Command line: C:\Windows\System32\wermgr.exe
    PID: 1156
    Signatures:
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 738731a7afdae00558a365964ad4ff40
  SHA1: a7b735ccc9edce615a78ae9bf08e27ea339375c7
  SHA256: f40504014a02662788ef8d16072cd74df4aac44ff55abf9f4026640ce3488888
  SHA512: 190d043f4ddc69d541e117c3db56ad2301bdad92e6c959c3c9571e4ceaf03d274bcf17abd63ea5618638b40715d615490d9b862ea94e816f21b683d6ff22232a
- Filesize: 69KB
  MD5: 8b1fa6e4755be1606d6bad75f9f3b458
  SHA1: b2bfd9b2d9d7052bb026f07aa3f5eeb13db4ce3b
  SHA256: 173b9db5b673e4345f4421bc48507165a25f73cbe475e0bbffc1fe56237addd5
  SHA512: cbc9cd2a89341c80fcd56fd7b4145b1709e370c46e232ad756af3b5aa892fb2912f705ce774c5769f6d128b3f43569cf2f03db66d39c6e5f627cb76b06402c2f
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
  Filesize: 727B
  MD5: 7e5e9912de7a985ff6257b5e3005de2c
  SHA1: 3d5557f4d0ce85b5d42ae97579b154c53648c418
  SHA256: ec0bdea0fcc54be0a302cac5a2513186ccd5a9e1bd9de7c8dd81ce1773141571
  SHA512: a2a8e2118dcbbeeb1c208fc34ac67d78ba85bddeffe3cc81668ce2b90d8cb992b2be881ed9db2c9847cebc597558060d2cec50337cef115bc2a07773076a6e4a
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C42BC945025A34066DAB76EF3F80A05
  Filesize: 314B
  MD5: f20ce5f2ff7ccd000ddba979469467d2
  SHA1: 8579cbb23db855f153fa35364c627f5bd34fdd65
  SHA256: c68735ee9c2554b2b170542da65fb7026b2de21d9418d42b9cbec27f1590823d
  SHA512: ceba5d34b544dcca323d1693998fa58ebf11985b31f477673a97436c015e769b560636aa778dd6487021f16f000b6d262bed60073896e8cea45c9b6c04c51b4d
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
  Filesize: 478B
  MD5: a64e3e31513006315b53ebec5b77b209
  SHA1: f83629c5f8c7e5c9df497e917b86dd97c82fadc0
  SHA256: 1ebe93ed0b52f9b63dd012a71d066f15820a15b637252114fc0c8985659c8c27
  SHA512: 9da2d9aa61b53005866980d68a23866ca7d8dc012ee684addab8a5200646cc5c09089457911a4b3fb72ab26d0a31eb1b1190b0638ea3838a8d6d4ea06f513d96
- Filesize: 721KB
  MD5: 5a1f2196056c0a06b79a77ae981c7761
  SHA1: a880ae54395658f129e24732800e207ecd0b5603
  SHA256: 52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e
  SHA512: 9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a
- Filesize: 459KB
  MD5: 0a29918110937641bbe4a2d5ee5e4272
  SHA1: 7d4a6976c1ece81e01d1f16ac5506266d5210734
  SHA256: 780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3
  SHA512: 998a6ee2fa6b345aeea72afaa91add8433e986a2678dbb8995ead786c30bdc00704c39c4857935b20669005b292736d50e1c6ad38901aa1f29db7b6a597fae3f
- Filesize: 397KB
  MD5: b41e1b0ae2ec215c568c395b0dbb738a
  SHA1: 90d8e50176a1f4436604468279f29a128723c64b
  SHA256: a97e782c5612c1a9c8a56c56a943f6190fa7a73c346566860b519ef02efd0dca
  SHA512: 828d00ea08aa5c5d28b2e513687ee1ff910670f49f938064682e56da05544ba9d73ba9244f77b5df8acaeeb7b756d62f67e5acbc95bae86b4706f6324c4ccaba
- Filesize: 24.1MB
  MD5: 576f110ef3633d7e402e192adbad18bb
  SHA1: 74db74034620e7a06e56aeb7502a20a8156fadff
  SHA256: 6f1cc626ccbc753ed65d113a3eb4ad69393c410a93c77024283247e080209c75
  SHA512: c79d6a14163675bfd2bffb130a7e4438f4eb5969769f9f09c611d4682df05b225b71446a6f4e035612600080db4505bf8c87ba335ed73721e247075ca1bf2a67
- \??\Volume{612d9cf5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{49227c45-c17b-49b2-8fbf-db7177fccb05}_OnDiskSnapshotProp
  Filesize: 6KB
  MD5: 806599a4503f2ded5ac05c134cd51998
  SHA1: 1eb01b3b4a340108371e29f71d56ca678dc6df0b
  SHA256: 3759a8f43c3c4d91e8fbc8dd5d44833c2d5af67d8806f9921935349d96345d42
  SHA512: 1e47ab705c294879e6b014d1790c93c90a0aa8672e1377aa03f5991ddc5884bc84cd00efd77f2f0a7ee9c3e1b97f8ef9a30a9fcdd2c5f2b263bfe221b67a6ce6