bbb95f2e2fff202e4c53e2d21b3bb3953d0694c91d87ca5f5a4d54114085f354

General

Target

Fall Guys Ultimate Knockout Generator.msi
Size

1.1MB
MD5

c6bda3eb7bed85863b0c8a2ffed22751
SHA1

0c3ed7891da82fd8170b11cb77787de474700b4b
SHA256

bbb95f2e2fff202e4c53e2d21b3bb3953d0694c91d87ca5f5a4d54114085f354
SHA512

331fd5099f74969792dc857c61a3886e8e0dd39f4adcd304a670e30a0c2d97f5804ef506bc190efe0f54c645a5d35cf4a4da078956a96a86d56d7d4f237cd9fc

Score

8^/10

Malware Config

Signatures

Blacklisted process makes network request 4 IoCs

Processes:

msiexec.exemsiexec.exe

flow pid process

2 752 msiexec.exe
4 752 msiexec.exe
6 752 msiexec.exe
8 1440 msiexec.exe
Executes dropped EXE 1 IoCs

Processes:

NativeDorstenia.exe

pid process

1148 NativeDorstenia.exe

flow	pid	process
2	752	msiexec.exe
4	752	msiexec.exe
6	752	msiexec.exe
8	1440	msiexec.exe

pid	process
1148	NativeDorstenia.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

JavaScript code in executable 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\NativeDorstenia\NativeDorstenia.exe	js

Drops file in Windows directory 6 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI250C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f741fd1.ipi	msiexec.exe
File created	C:\Windows\Installer\f741fd0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f741fd0.msi	msiexec.exe
File created	C:\Windows\Installer\f741fd1.ipi	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msiexec.exeNativeDorstenia.exe

pid process

1440 msiexec.exe
1440 msiexec.exe
1148 NativeDorstenia.exe
1148 NativeDorstenia.exe

pid	process
1440	msiexec.exe
1440	msiexec.exe
1148	NativeDorstenia.exe
1148	NativeDorstenia.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

msiexec.exemsiexec.exeNativeDorstenia.exe

description	pid	process
Token: SeShutdownPrivilege	752	msiexec.exe
Token: SeIncreaseQuotaPrivilege	752	msiexec.exe
Token: SeRestorePrivilege	1440	msiexec.exe
Token: SeTakeOwnershipPrivilege	1440	msiexec.exe
Token: SeSecurityPrivilege	1440	msiexec.exe
Token: SeCreateTokenPrivilege	752	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	752	msiexec.exe
Token: SeLockMemoryPrivilege	752	msiexec.exe
Token: SeIncreaseQuotaPrivilege	752	msiexec.exe
Token: SeMachineAccountPrivilege	752	msiexec.exe
Token: SeTcbPrivilege	752	msiexec.exe
Token: SeSecurityPrivilege	752	msiexec.exe
Token: SeTakeOwnershipPrivilege	752	msiexec.exe
Token: SeLoadDriverPrivilege	752	msiexec.exe
Token: SeSystemProfilePrivilege	752	msiexec.exe
Token: SeSystemtimePrivilege	752	msiexec.exe
Token: SeProfSingleProcessPrivilege	752	msiexec.exe
Token: SeIncBasePriorityPrivilege	752	msiexec.exe
Token: SeCreatePagefilePrivilege	752	msiexec.exe
Token: SeCreatePermanentPrivilege	752	msiexec.exe
Token: SeBackupPrivilege	752	msiexec.exe
Token: SeRestorePrivilege	752	msiexec.exe
Token: SeShutdownPrivilege	752	msiexec.exe
Token: SeDebugPrivilege	752	msiexec.exe
Token: SeAuditPrivilege	752	msiexec.exe
Token: SeSystemEnvironmentPrivilege	752	msiexec.exe
Token: SeChangeNotifyPrivilege	752	msiexec.exe
Token: SeRemoteShutdownPrivilege	752	msiexec.exe
Token: SeUndockPrivilege	752	msiexec.exe
Token: SeSyncAgentPrivilege	752	msiexec.exe
Token: SeEnableDelegationPrivilege	752	msiexec.exe
Token: SeManageVolumePrivilege	752	msiexec.exe
Token: SeImpersonatePrivilege	752	msiexec.exe
Token: SeCreateGlobalPrivilege	752	msiexec.exe
Token: SeRestorePrivilege	1440	msiexec.exe
Token: SeTakeOwnershipPrivilege	1440	msiexec.exe
Token: SeRestorePrivilege	1440	msiexec.exe
Token: SeTakeOwnershipPrivilege	1440	msiexec.exe
Token: SeRestorePrivilege	1440	msiexec.exe
Token: SeTakeOwnershipPrivilege	1440	msiexec.exe
Token: SeRestorePrivilege	1440	msiexec.exe
Token: SeTakeOwnershipPrivilege	1440	msiexec.exe
Token: SeRestorePrivilege	1440	msiexec.exe
Token: SeTakeOwnershipPrivilege	1440	msiexec.exe
Token: SeDebugPrivilege	1148	NativeDorstenia.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

752 msiexec.exe
752 msiexec.exe

pid	process
752	msiexec.exe
752	msiexec.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 1440 wrote to memory of 1148	1440	msiexec.exe	NativeDorstenia.exe
PID 1440 wrote to memory of 1148	1440	msiexec.exe	NativeDorstenia.exe
PID 1440 wrote to memory of 1148	1440	msiexec.exe	NativeDorstenia.exe
PID 1440 wrote to memory of 1148	1440	msiexec.exe	NativeDorstenia.exe
PID 1440 wrote to memory of 1148	1440	msiexec.exe	NativeDorstenia.exe
PID 1440 wrote to memory of 1148	1440	msiexec.exe	NativeDorstenia.exe
PID 1440 wrote to memory of 1148	1440	msiexec.exe	NativeDorstenia.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Fall Guys Ultimate Knockout Generator.msi"
1⤵
- Blacklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:752

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blacklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1440

C:\Users\Admin\AppData\Roaming\NativeDorstenia\NativeDorstenia.exe
"C:\Users\Admin\AppData\Roaming\NativeDorstenia\NativeDorstenia.exe" "C:\Users\Admin\AppData\Local\Temp\Fall Guys Ultimate Knockout Generator.msi"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1148

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0972B7C417F696E06E186AEB26286F01_D0A15851E78F28E33467584A33BA5369
MD5
c6f8c294305660cfc46cb2d5b33849c9

SHA1
3515d79d9c6adc4131bddced3c57a9077e2b34b4

SHA256
8be38bde4a3d486385def5f4513583745e9b42227ce78e8ae71343d9379cbcf5

SHA512
4c8641b9ba11441f2f4826c5c0e694e0b82bd9fd1cbfb9ae6b3589263ea986afadcccfa29b55a27bd5a511f685e6c361ef56ec839ce2c8360762981d92af3009

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F
MD5
81422f05f88494993bbdfcb9c5a8aec8

SHA1
de2aa7a0ebdb4737d9ca8ffcefa3cd57353c7faa

SHA256
8e56fd0e32c5a01958dab5b7d46a803f1590ad7f87aa91d2d60b6532c6f58be0

SHA512
32ead12a08cd1388d40f59e2293813521b11082b529ade107a58719a48ba3b9e49e4c4eba455cfdadc3d19207cdb5951a67b58e1c8c0b35f0eb5c49c1310f381

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0972B7C417F696E06E186AEB26286F01_D0A15851E78F28E33467584A33BA5369
MD5
6f807f95151320dacf81598edf8a0b46

SHA1
cfe41b45d47cdd6cb7e6a2bacada1734f4cc81db

SHA256
09d77b765c2e5171c668d09fa250743b4c99ca4698d7436d5d5f5ec2ddbdb01f

SHA512
6e0f9bd9f78da0a58908f196dae5b79dace6a3e2261fd8b3806c6adc322033ddfd02983223a687bb270e54f09ed4b43571aa7922b670a6263f10eb661544bf3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F
MD5
ff7ad33895d5f8b7937edfb6afdb06a3

SHA1
35e59a0e91320a471c9e608486f465ea46692fd9

SHA256
2e7db91f1638b5301361db5b52db71c2fcb9dcdac40be8c47ec7c04315550d17

SHA512
a566433e74d91aedefa638ab5bafe59ada9e4f8bdc44d7540e92b1c2c3304a73044ae5012ac7cfd6e7292543bb59665b90f4d920959d371e865643dfb1ee3b45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
8c05913c5563a46339f83ebdf994a988

SHA1
4ced917570fa4ea34502c0ac5e8321afadd5bd83

SHA256
ef80f7c59e96f7b4009bc458c94c67b7569e1e9f6a0c77b86987c5bc933f5311

SHA512
c5366eda35e8db629b1e3d1672d0da21c4ab887c0be2783b983d3f470deb422d8504588eb91a728b9600fae87d30d765af13e88a7f539e45453bbcd83e7ab029

Download Submit
C:\Users\Admin\AppData\Roaming\NativeDorstenia\NativeDorstenia.exe
MD5
a4ca15d48f389c223c9d1d9a04ca0e44

SHA1
74ca1174d182c70f249767d1fa93c47fa9bd50be

SHA256
278b73121a224e100d81ef238daa93effb3b38d0340beb217f06b00ed2b2b276

SHA512
113a2dc7d49055786b36dd992ace378da84b119e10ac80b21f7579f8da8b5084370a580a44a49dc348be863cfc761bcdf8e2fdeb293cf8eb9b65fa9ecc25f766

Download Submit
memory/752-6-0x0000000004520000-0x0000000004524000-memory.dmp

Filesize
16KB

Download
memory/752-0-0x0000000003480000-0x0000000003484000-memory.dmp

Filesize
16KB

Download
memory/752-4-0x0000000004520000-0x0000000004524000-memory.dmp

Filesize
16KB

Download
memory/752-3-0x00000000043F0000-0x00000000043F4000-memory.dmp

Filesize
16KB

Download
memory/752-1-0x00000000041A0000-0x00000000041A4000-memory.dmp

Filesize
16KB

Download
memory/752-22-0x0000000002380000-0x0000000002384000-memory.dmp

Filesize
16KB

Download
memory/1148-17-0x0000000000000000-mapping.dmp

Download
memory/1440-15-0x0000000001D30000-0x0000000001D34000-memory.dmp

Filesize
16KB

Download
memory/1440-16-0x00000000018E0000-0x00000000018E4000-memory.dmp

Filesize
16KB

Download
memory/1440-19-0x0000000002660000-0x0000000002664000-memory.dmp

Filesize
16KB

Download
memory/1440-20-0x00000000018E0000-0x00000000018E4000-memory.dmp

Filesize
16KB

Download
memory/1440-21-0x0000000002660000-0x0000000002664000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads