Analysis

max time kernel: 33s
max time network: 94s
platform: windows7_x64
resource: win7v20201028
submitted: 30-10-2020 22:26

Static task: static1

Behavioral task: behavioral1
  Sample: Fall Guys Ultimate Knockout Generator.msi
  Resource: win7v20201028

Behavioral task: behavioral2
  Sample: Fall Guys Ultimate Knockout Generator.msi
  Resource: win10v20201028

General

Target: Fall Guys Ultimate Knockout Generator.msi
Size: 1.1MB
MD5: c6bda3eb7bed85863b0c8a2ffed22751
SHA1: 0c3ed7891da82fd8170b11cb77787de474700b4b
SHA256: bbb95f2e2fff202e4c53e2d21b3bb3953d0694c91d87ca5f5a4d54114085f354
SHA512: 331fd5099f74969792dc857c61a3886e8e0dd39f4adcd304a670e30a0c2d97f5804ef506bc190efe0f54c645a5d35cf4a4da078956a96a86d56d7d4f237cd9fc
Malware Config

Signatures

- Blacklisted process makes network request (4 IoCs)
  Processes:
  flow  pid   process
  2     752   msiexec.exe
  4     752   msiexec.exe
  6     752   msiexec.exe
  8     1440  msiexec.exe
- Executes dropped EXE (1 IoC)
  Processes:
  pid   process
  1148  NativeDorstenia.exe
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
  description: File opened (read-only); process: msiexec.exe; ioc (48 opens, in the order recorded):
  \??\U: \??\W: \??\X: \??\Y: \??\M: \??\V: \??\E: \??\I: \??\Y: \??\G: \??\J: \??\P:
  \??\E: \??\H: \??\L: \??\B: \??\F: \??\U: \??\B: \??\G: \??\J: \??\K: \??\T: \??\A:
  \??\L: \??\A: \??\R: \??\Z: \??\Q: \??\R: \??\I: \??\N: \??\O: \??\P: \??\K: \??\T:
  \??\O: \??\V: \??\F: \??\S: \??\H: \??\N: \??\Q: \??\W: \??\M: \??\Z: \??\S: \??\X:
- JavaScript code in executable (1 IoC)
  Processes:
  resource: C:\Users\Admin\AppData\Roaming\NativeDorstenia\NativeDorstenia.exe
  yara_rule: js
- Drops file in Windows directory (6 IoCs)
  Processes:
  description                   ioc                               process
  File opened for modification  C:\Windows\Installer\             msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI250C.tmp  msiexec.exe
  File opened for modification  C:\Windows\Installer\f741fd1.ipi  msiexec.exe
  File created                  C:\Windows\Installer\f741fd0.msi  msiexec.exe
  File opened for modification  C:\Windows\Installer\f741fd0.msi  msiexec.exe
  File created                  C:\Windows\Installer\f741fd1.ipi  msiexec.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid   process
  1440  msiexec.exe
  1440  msiexec.exe
  1148  NativeDorstenia.exe
  1148  NativeDorstenia.exe
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
  Processes:
  description                           pid   process
  Token: SeShutdownPrivilege            752   msiexec.exe
  Token: SeIncreaseQuotaPrivilege       752   msiexec.exe
  Token: SeRestorePrivilege             1440  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1440  msiexec.exe
  Token: SeSecurityPrivilege            1440  msiexec.exe
  Token: SeCreateTokenPrivilege         752   msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  752   msiexec.exe
  Token: SeLockMemoryPrivilege          752   msiexec.exe
  Token: SeIncreaseQuotaPrivilege       752   msiexec.exe
  Token: SeMachineAccountPrivilege      752   msiexec.exe
  Token: SeTcbPrivilege                 752   msiexec.exe
  Token: SeSecurityPrivilege            752   msiexec.exe
  Token: SeTakeOwnershipPrivilege       752   msiexec.exe
  Token: SeLoadDriverPrivilege          752   msiexec.exe
  Token: SeSystemProfilePrivilege       752   msiexec.exe
  Token: SeSystemtimePrivilege          752   msiexec.exe
  Token: SeProfSingleProcessPrivilege   752   msiexec.exe
  Token: SeIncBasePriorityPrivilege     752   msiexec.exe
  Token: SeCreatePagefilePrivilege      752   msiexec.exe
  Token: SeCreatePermanentPrivilege     752   msiexec.exe
  Token: SeBackupPrivilege              752   msiexec.exe
  Token: SeRestorePrivilege             752   msiexec.exe
  Token: SeShutdownPrivilege            752   msiexec.exe
  Token: SeDebugPrivilege               752   msiexec.exe
  Token: SeAuditPrivilege               752   msiexec.exe
  Token: SeSystemEnvironmentPrivilege   752   msiexec.exe
  Token: SeChangeNotifyPrivilege        752   msiexec.exe
  Token: SeRemoteShutdownPrivilege      752   msiexec.exe
  Token: SeUndockPrivilege              752   msiexec.exe
  Token: SeSyncAgentPrivilege           752   msiexec.exe
  Token: SeEnableDelegationPrivilege    752   msiexec.exe
  Token: SeManageVolumePrivilege        752   msiexec.exe
  Token: SeImpersonatePrivilege         752   msiexec.exe
  Token: SeCreateGlobalPrivilege        752   msiexec.exe
  Token: SeRestorePrivilege             1440  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1440  msiexec.exe
  Token: SeRestorePrivilege             1440  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1440  msiexec.exe
  Token: SeRestorePrivilege             1440  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1440  msiexec.exe
  Token: SeRestorePrivilege             1440  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1440  msiexec.exe
  Token: SeRestorePrivilege             1440  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1440  msiexec.exe
  Token: SeDebugPrivilege               1148  NativeDorstenia.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
  pid  process
  752  msiexec.exe
  752  msiexec.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
  description                       pid   process      target process
  PID 1440 wrote to memory of 1148  1440  msiexec.exe  NativeDorstenia.exe
  PID 1440 wrote to memory of 1148  1440  msiexec.exe  NativeDorstenia.exe
  PID 1440 wrote to memory of 1148  1440  msiexec.exe  NativeDorstenia.exe
  PID 1440 wrote to memory of 1148  1440  msiexec.exe  NativeDorstenia.exe
  PID 1440 wrote to memory of 1148  1440  msiexec.exe  NativeDorstenia.exe
  PID 1440 wrote to memory of 1148  1440  msiexec.exe  NativeDorstenia.exe
  PID 1440 wrote to memory of 1148  1440  msiexec.exe  NativeDorstenia.exe
Processes

C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Fall Guys Ultimate Knockout Generator.msi"
  - Blacklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Blacklisted process makes network request
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\NativeDorstenia\NativeDorstenia.exe (child of the msiexec.exe /V process above)
    Command line: "C:\Users\Admin\AppData\Roaming\NativeDorstenia\NativeDorstenia.exe" "C:\Users\Admin\AppData\Local\Temp\Fall Guys Ultimate Knockout Generator.msi"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads