formbook | 6120294360629da33cd6f897de16401325be12ae2cd9dcc03857de7e0b4f94e4

General

Target

89002.msi
Size

256KB
MD5

a75dd7431fff6664e2a12263881315ef
SHA1

b28f29e87fe4b79bc87fe860d21a16780d31069c
SHA256

6120294360629da33cd6f897de16401325be12ae2cd9dcc03857de7e0b4f94e4
SHA512

dcef03d5e4678aa23d98284cc4c93d535885d6c6b3d2454f12803042393323275db7b32c0d7a553853fffba899d63a5d58fb92e75116d317533879fc28ebcc83

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.111bjs.com/ccr/

Decoy

abdullahlodhi.com

jevya.com

knoxvillerestaurant.com

mekarauroko7389.com

cricketspowder.net

johannchirinos.com

orangeorganical.com

libero-tt.com

lorenaegianluca.com

wintab.net

modernmillievintage.com

zgdqcyw.com

jeffabildgaardmd.com

nurulfikrimakassar.com

findyourchef.com

innovationsservicegroup.com

destek-taleplerimiz.com

whfqqco.icu

kosmetikmadeingermany.com

dieteticos.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2148-126-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/2640-133-0x0000000002D20000-0x0000000002D4E000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

MSIB1E3.tmpMSIB1E3.tmp

pid process

3556 MSIB1E3.tmp
2148 MSIB1E3.tmp
Loads dropped DLL 1 IoCs

Processes:

MSIB1E3.tmp

pid process

3556 MSIB1E3.tmp

pid	process
3556	MSIB1E3.tmp
2148	MSIB1E3.tmp

pid	process
3556	MSIB1E3.tmp

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

MSIB1E3.tmpMSIB1E3.tmpmsdt.exe

description	pid	process	target process
PID 3556 set thread context of 2148	3556	MSIB1E3.tmp	MSIB1E3.tmp
PID 2148 set thread context of 3016	2148	MSIB1E3.tmp	Explorer.EXE
PID 2640 set thread context of 3016	2640	msdt.exe	Explorer.EXE

Drops file in Windows directory 8 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB154.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB1E3.tmp	msiexec.exe
File created	C:\Windows\Installer\f74aee3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f74aee3.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Windows\Installer\MSIB1E3.tmp	nsis_installer_1
C:\Windows\Installer\MSIB1E3.tmp	nsis_installer_2
C:\Windows\Installer\MSIB1E3.tmp	nsis_installer_1
C:\Windows\Installer\MSIB1E3.tmp	nsis_installer_2
C:\Windows\Installer\MSIB1E3.tmp	nsis_installer_1
C:\Windows\Installer\MSIB1E3.tmp	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Mfg	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

msiexec.exeMSIB1E3.tmpmsdt.exe

pid	process
1708	msiexec.exe
1708	msiexec.exe
2148	MSIB1E3.tmp
2148	MSIB1E3.tmp
2148	MSIB1E3.tmp
2148	MSIB1E3.tmp
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe
2640	msdt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3016 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

MSIB1E3.tmpMSIB1E3.tmpmsdt.exe

pid process

3556 MSIB1E3.tmp
2148 MSIB1E3.tmp
2148 MSIB1E3.tmp
2148 MSIB1E3.tmp
2640 msdt.exe
2640 msdt.exe

pid	process
3016	Explorer.EXE

pid	process
3556	MSIB1E3.tmp
2148	MSIB1E3.tmp
2148	MSIB1E3.tmp
2148	MSIB1E3.tmp
2640	msdt.exe
2640	msdt.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exeMSIB1E3.tmpmsdt.exesrtasks.exeExplorer.EXE

description	pid	process
Token: SeShutdownPrivilege	2544	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2544	msiexec.exe
Token: SeSecurityPrivilege	1708	msiexec.exe
Token: SeCreateTokenPrivilege	2544	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2544	msiexec.exe
Token: SeLockMemoryPrivilege	2544	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2544	msiexec.exe
Token: SeMachineAccountPrivilege	2544	msiexec.exe
Token: SeTcbPrivilege	2544	msiexec.exe
Token: SeSecurityPrivilege	2544	msiexec.exe
Token: SeTakeOwnershipPrivilege	2544	msiexec.exe
Token: SeLoadDriverPrivilege	2544	msiexec.exe
Token: SeSystemProfilePrivilege	2544	msiexec.exe
Token: SeSystemtimePrivilege	2544	msiexec.exe
Token: SeProfSingleProcessPrivilege	2544	msiexec.exe
Token: SeIncBasePriorityPrivilege	2544	msiexec.exe
Token: SeCreatePagefilePrivilege	2544	msiexec.exe
Token: SeCreatePermanentPrivilege	2544	msiexec.exe
Token: SeBackupPrivilege	2544	msiexec.exe
Token: SeRestorePrivilege	2544	msiexec.exe
Token: SeShutdownPrivilege	2544	msiexec.exe
Token: SeDebugPrivilege	2544	msiexec.exe
Token: SeAuditPrivilege	2544	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2544	msiexec.exe
Token: SeChangeNotifyPrivilege	2544	msiexec.exe
Token: SeRemoteShutdownPrivilege	2544	msiexec.exe
Token: SeUndockPrivilege	2544	msiexec.exe
Token: SeSyncAgentPrivilege	2544	msiexec.exe
Token: SeEnableDelegationPrivilege	2544	msiexec.exe
Token: SeManageVolumePrivilege	2544	msiexec.exe
Token: SeImpersonatePrivilege	2544	msiexec.exe
Token: SeCreateGlobalPrivilege	2544	msiexec.exe
Token: SeBackupPrivilege	2844	vssvc.exe
Token: SeRestorePrivilege	2844	vssvc.exe
Token: SeAuditPrivilege	2844	vssvc.exe
Token: SeBackupPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeDebugPrivilege	2148	MSIB1E3.tmp
Token: SeDebugPrivilege	2640	msdt.exe
Token: SeBackupPrivilege	2776	srtasks.exe
Token: SeRestorePrivilege	2776	srtasks.exe
Token: SeSecurityPrivilege	2776	srtasks.exe
Token: SeTakeOwnershipPrivilege	2776	srtasks.exe
Token: SeBackupPrivilege	2776	srtasks.exe
Token: SeRestorePrivilege	2776	srtasks.exe
Token: SeSecurityPrivilege	2776	srtasks.exe
Token: SeTakeOwnershipPrivilege	2776	srtasks.exe
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

2544 msiexec.exe
2544 msiexec.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3016 Explorer.EXE

pid	process
2544	msiexec.exe
2544	msiexec.exe

pid	process
3016	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

msiexec.exeMSIB1E3.tmpExplorer.EXEmsdt.exe

description	pid	process	target process
PID 1708 wrote to memory of 2776	1708	msiexec.exe	srtasks.exe
PID 1708 wrote to memory of 2776	1708	msiexec.exe	srtasks.exe
PID 1708 wrote to memory of 3556	1708	msiexec.exe	MSIB1E3.tmp
PID 1708 wrote to memory of 3556	1708	msiexec.exe	MSIB1E3.tmp
PID 1708 wrote to memory of 3556	1708	msiexec.exe	MSIB1E3.tmp
PID 3556 wrote to memory of 2148	3556	MSIB1E3.tmp	MSIB1E3.tmp
PID 3556 wrote to memory of 2148	3556	MSIB1E3.tmp	MSIB1E3.tmp
PID 3556 wrote to memory of 2148	3556	MSIB1E3.tmp	MSIB1E3.tmp
PID 3556 wrote to memory of 2148	3556	MSIB1E3.tmp	MSIB1E3.tmp
PID 3016 wrote to memory of 2640	3016	Explorer.EXE	msdt.exe
PID 3016 wrote to memory of 2640	3016	Explorer.EXE	msdt.exe
PID 3016 wrote to memory of 2640	3016	Explorer.EXE	msdt.exe
PID 2640 wrote to memory of 4004	2640	msdt.exe	cmd.exe
PID 2640 wrote to memory of 4004	2640	msdt.exe	cmd.exe
PID 2640 wrote to memory of 4004	2640	msdt.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\89002.msi
2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2544

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Installer\MSIB1E3.tmp"
3⤵
PID:4004

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\Installer\MSIB1E3.tmp
"C:\Windows\Installer\MSIB1E3.tmp"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3556

C:\Windows\Installer\MSIB1E3.tmp
"C:\Windows\Installer\MSIB1E3.tmp"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2844

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:3944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\MSIB1E3.tmp

MD5
4f7763bf413f2e070a154ed73dc14ee0

SHA1
d088a5e16d0a634cca9be31630e0743722be7804

SHA256
5e29e1f268987df8f3a74504ee4926ad1a82c11f016d9aad8818f89202d102ad

SHA512
0e2735d69847b9fb6522e0af22e2225246ee74e6899a23c2d814e4e4b7f907545c00e6162321296f7cd1c53169482b11e106c9e3b721ad63bb19acfd99c45755

Download Submit
C:\Windows\Installer\MSIB1E3.tmp

MD5
4f7763bf413f2e070a154ed73dc14ee0

SHA1
d088a5e16d0a634cca9be31630e0743722be7804

SHA256
5e29e1f268987df8f3a74504ee4926ad1a82c11f016d9aad8818f89202d102ad

SHA512
0e2735d69847b9fb6522e0af22e2225246ee74e6899a23c2d814e4e4b7f907545c00e6162321296f7cd1c53169482b11e106c9e3b721ad63bb19acfd99c45755

Download Submit
C:\Windows\Installer\MSIB1E3.tmp

MD5
4f7763bf413f2e070a154ed73dc14ee0

SHA1
d088a5e16d0a634cca9be31630e0743722be7804

SHA256
5e29e1f268987df8f3a74504ee4926ad1a82c11f016d9aad8818f89202d102ad

SHA512
0e2735d69847b9fb6522e0af22e2225246ee74e6899a23c2d814e4e4b7f907545c00e6162321296f7cd1c53169482b11e106c9e3b721ad63bb19acfd99c45755

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5
0efb96fbd5d4765e6d151a23773c15e3

SHA1
026cd414eb14d7ea38b88ad2de783ad6bc8cfb4d

SHA256
6fcc5d7be9284c5c3954f720c18b12860a65d3a0c418f9769574dc7cf2d26a2b

SHA512
ab19270f5a079eb54015f6bee833b2cd695df63e344ebf1d5d217eaea1e18244ec2d1b226cf68f540d8ac81d12a5db1d8ed8e012f8ea94e43ce590ed7ef05e98

Download Submit
\??\Volume{d05cfc4a-0000-0000-0000-500600000000}\System Volume Information\SPP\OnlineMetadataCache\{3483b9a0-d0d6-4eeb-8006-e476c407443f}_OnDiskSnapshotProp

MD5
939663dd2c8cdc821359e6c80a6797f9

SHA1
425fa6af476381ca79d88be32e1070710a6c8da0

SHA256
2b78fb04b9d6dd9e542c043a0fa9ce38049715156a592325a97d857ac70b9f27

SHA512
4e40df4386b2dee5424a684da2983b0474732a491eed85c4f6a261b4d78de7aeb36798bdb01efb6af469330d9fac39ee166845a76f7de48ec03a994f928c1cb9

Download Submit
\Users\Admin\AppData\Local\Temp\nskB88A.tmp\qldlbh595.dll

MD5
c44409c99eee911adfed34a93895b98d

SHA1
4093cbb2cbba39ce5093fffc3dca7c091780d0c1

SHA256
00b12204f9f4d1f3079dfdcb17ea31aa4c975ee452a6688e168ba37a623114f4

SHA512
0ab0e60c8c7f797f7b92714db6cf97475df26b0ea7752d78fbd453575630df34e89a178026c2ed0104b44996f9e397d951f5632942c688c194713c714d49822d

Download Submit
memory/2148-127-0x0000000000AA0000-0x0000000000DC0000-memory.dmp

Filesize
3.1MB

Download
memory/2148-124-0x000000000041EBB0-mapping.dmp

Download
memory/2148-128-0x00000000009E0000-0x00000000009F4000-memory.dmp

Filesize
80KB

Download
memory/2148-126-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2640-134-0x00000000048D0000-0x0000000004BF0000-memory.dmp

Filesize
3.1MB

Download
memory/2640-130-0x0000000000000000-mapping.dmp

Download
memory/2640-137-0x00000000045A0000-0x0000000004633000-memory.dmp

Filesize
588KB

Download
memory/2640-133-0x0000000002D20000-0x0000000002D4E000-memory.dmp

Filesize
184KB

Download
memory/2640-132-0x0000000000240000-0x00000000003B3000-memory.dmp

Filesize
1.4MB

Download
memory/2776-118-0x0000000000000000-mapping.dmp

Download
memory/3016-129-0x0000000006AA0000-0x0000000006B55000-memory.dmp

Filesize
724KB

Download
memory/3016-138-0x0000000006B60000-0x0000000006C90000-memory.dmp

Filesize
1.2MB

Download
memory/3556-123-0x0000000002370000-0x00000000023D7000-memory.dmp

Filesize
412KB

Download
memory/3556-119-0x0000000000000000-mapping.dmp

Download
memory/4004-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads