formbook | dd3ecf0b5a39b287ba63687fe12ff1f1fcdde34adf0f3e30f7990ebc158347d8

General

Target

SecuriteInfo.com.Gen.Variant.Androm.29.22420.16142.msi
Size

252KB
MD5

04d6b8269105608ef9a560927dc3a9fa
SHA1

80f9a44457b63b766ce26acfb69676a402c2b838
SHA256

dd3ecf0b5a39b287ba63687fe12ff1f1fcdde34adf0f3e30f7990ebc158347d8
SHA512

5e3b4db37438d9cc3591867ad38d1d7d9c1cb24b13ce2a798a7a1c8627ef64c157241d734067446f3ef4856ca5513db3d61c17ea030bca9361e01fb0fcdb31d2

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.111bjs.com/ccr/

Decoy

abdullahlodhi.com

jevya.com

knoxvillerestaurant.com

mekarauroko7389.com

cricketspowder.net

johannchirinos.com

orangeorganical.com

libero-tt.com

lorenaegianluca.com

wintab.net

modernmillievintage.com

zgdqcyw.com

jeffabildgaardmd.com

nurulfikrimakassar.com

findyourchef.com

innovationsservicegroup.com

destek-taleplerimiz.com

whfqqco.icu

kosmetikmadeingermany.com

dieteticos.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3704-128-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/3704-130-0x00000000004D0000-0x000000000057E000-memory.dmp	formbook
behavioral2/memory/2308-135-0x0000000002CD0000-0x0000000002CFE000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

MSI75A5.tmpMSI75A5.tmp

pid process

2876 MSI75A5.tmp
3704 MSI75A5.tmp
Loads dropped DLL 1 IoCs

Processes:

MSI75A5.tmp

pid process

2876 MSI75A5.tmp

pid	process
2876	MSI75A5.tmp
3704	MSI75A5.tmp

pid	process
2876	MSI75A5.tmp

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

MSI75A5.tmpMSI75A5.tmpwlanext.exe

description	pid	process	target process
PID 2876 set thread context of 3704	2876	MSI75A5.tmp	MSI75A5.tmp
PID 3704 set thread context of 3024	3704	MSI75A5.tmp	Explorer.EXE
PID 2308 set thread context of 3024	2308	wlanext.exe	Explorer.EXE

Drops file in Windows directory 8 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI7507.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI75A5.tmp	msiexec.exe
File created	C:\Windows\Installer\f7472a5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7472a5.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6}	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Windows\Installer\MSI75A5.tmp	nsis_installer_1
C:\Windows\Installer\MSI75A5.tmp	nsis_installer_2
C:\Windows\Installer\MSI75A5.tmp	nsis_installer_1
C:\Windows\Installer\MSI75A5.tmp	nsis_installer_2
C:\Windows\Installer\MSI75A5.tmp	nsis_installer_1
C:\Windows\Installer\MSI75A5.tmp	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Mfg	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

msiexec.exeMSI75A5.tmpwlanext.exe

pid	process
2288	msiexec.exe
2288	msiexec.exe
3704	MSI75A5.tmp
3704	MSI75A5.tmp
3704	MSI75A5.tmp
3704	MSI75A5.tmp
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe
2308	wlanext.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3024 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

MSI75A5.tmpMSI75A5.tmpwlanext.exe

pid process

2876 MSI75A5.tmp
3704 MSI75A5.tmp
3704 MSI75A5.tmp
3704 MSI75A5.tmp
2308 wlanext.exe
2308 wlanext.exe

pid	process
3024	Explorer.EXE

pid	process
2876	MSI75A5.tmp
3704	MSI75A5.tmp
3704	MSI75A5.tmp
3704	MSI75A5.tmp
2308	wlanext.exe
2308	wlanext.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exesrtasks.exeMSI75A5.tmpwlanext.exeExplorer.EXE

description	pid	process
Token: SeShutdownPrivilege	4024	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4024	msiexec.exe
Token: SeSecurityPrivilege	2288	msiexec.exe
Token: SeCreateTokenPrivilege	4024	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4024	msiexec.exe
Token: SeLockMemoryPrivilege	4024	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4024	msiexec.exe
Token: SeMachineAccountPrivilege	4024	msiexec.exe
Token: SeTcbPrivilege	4024	msiexec.exe
Token: SeSecurityPrivilege	4024	msiexec.exe
Token: SeTakeOwnershipPrivilege	4024	msiexec.exe
Token: SeLoadDriverPrivilege	4024	msiexec.exe
Token: SeSystemProfilePrivilege	4024	msiexec.exe
Token: SeSystemtimePrivilege	4024	msiexec.exe
Token: SeProfSingleProcessPrivilege	4024	msiexec.exe
Token: SeIncBasePriorityPrivilege	4024	msiexec.exe
Token: SeCreatePagefilePrivilege	4024	msiexec.exe
Token: SeCreatePermanentPrivilege	4024	msiexec.exe
Token: SeBackupPrivilege	4024	msiexec.exe
Token: SeRestorePrivilege	4024	msiexec.exe
Token: SeShutdownPrivilege	4024	msiexec.exe
Token: SeDebugPrivilege	4024	msiexec.exe
Token: SeAuditPrivilege	4024	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4024	msiexec.exe
Token: SeChangeNotifyPrivilege	4024	msiexec.exe
Token: SeRemoteShutdownPrivilege	4024	msiexec.exe
Token: SeUndockPrivilege	4024	msiexec.exe
Token: SeSyncAgentPrivilege	4024	msiexec.exe
Token: SeEnableDelegationPrivilege	4024	msiexec.exe
Token: SeManageVolumePrivilege	4024	msiexec.exe
Token: SeImpersonatePrivilege	4024	msiexec.exe
Token: SeCreateGlobalPrivilege	4024	msiexec.exe
Token: SeBackupPrivilege	200	vssvc.exe
Token: SeRestorePrivilege	200	vssvc.exe
Token: SeAuditPrivilege	200	vssvc.exe
Token: SeBackupPrivilege	2288	msiexec.exe
Token: SeRestorePrivilege	2288	msiexec.exe
Token: SeRestorePrivilege	2288	msiexec.exe
Token: SeTakeOwnershipPrivilege	2288	msiexec.exe
Token: SeRestorePrivilege	2288	msiexec.exe
Token: SeTakeOwnershipPrivilege	2288	msiexec.exe
Token: SeRestorePrivilege	2288	msiexec.exe
Token: SeTakeOwnershipPrivilege	2288	msiexec.exe
Token: SeRestorePrivilege	2288	msiexec.exe
Token: SeTakeOwnershipPrivilege	2288	msiexec.exe
Token: SeBackupPrivilege	2660	srtasks.exe
Token: SeRestorePrivilege	2660	srtasks.exe
Token: SeSecurityPrivilege	2660	srtasks.exe
Token: SeTakeOwnershipPrivilege	2660	srtasks.exe
Token: SeRestorePrivilege	2288	msiexec.exe
Token: SeTakeOwnershipPrivilege	2288	msiexec.exe
Token: SeRestorePrivilege	2288	msiexec.exe
Token: SeTakeOwnershipPrivilege	2288	msiexec.exe
Token: SeDebugPrivilege	3704	MSI75A5.tmp
Token: SeBackupPrivilege	2660	srtasks.exe
Token: SeRestorePrivilege	2660	srtasks.exe
Token: SeSecurityPrivilege	2660	srtasks.exe
Token: SeTakeOwnershipPrivilege	2660	srtasks.exe
Token: SeDebugPrivilege	2308	wlanext.exe
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeShutdownPrivilege	3024	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

4024 msiexec.exe
4024 msiexec.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3024 Explorer.EXE

pid	process
4024	msiexec.exe
4024	msiexec.exe

pid	process
3024	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

msiexec.exeMSI75A5.tmpExplorer.EXEwlanext.exe

description	pid	process	target process
PID 2288 wrote to memory of 2660	2288	msiexec.exe	srtasks.exe
PID 2288 wrote to memory of 2660	2288	msiexec.exe	srtasks.exe
PID 2288 wrote to memory of 2876	2288	msiexec.exe	MSI75A5.tmp
PID 2288 wrote to memory of 2876	2288	msiexec.exe	MSI75A5.tmp
PID 2288 wrote to memory of 2876	2288	msiexec.exe	MSI75A5.tmp
PID 2876 wrote to memory of 3704	2876	MSI75A5.tmp	MSI75A5.tmp
PID 2876 wrote to memory of 3704	2876	MSI75A5.tmp	MSI75A5.tmp
PID 2876 wrote to memory of 3704	2876	MSI75A5.tmp	MSI75A5.tmp
PID 2876 wrote to memory of 3704	2876	MSI75A5.tmp	MSI75A5.tmp
PID 3024 wrote to memory of 2308	3024	Explorer.EXE	wlanext.exe
PID 3024 wrote to memory of 2308	3024	Explorer.EXE	wlanext.exe
PID 3024 wrote to memory of 2308	3024	Explorer.EXE	wlanext.exe
PID 2308 wrote to memory of 2184	2308	wlanext.exe	cmd.exe
PID 2308 wrote to memory of 2184	2308	wlanext.exe	cmd.exe
PID 2308 wrote to memory of 2184	2308	wlanext.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\system32\msiexec.exe
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Androm.29.22420.16142.msi
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4024
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Installer\MSI75A5.tmp"
    3⤵
    PID:2184

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2660
- C:\Windows\Installer\MSI75A5.tmp
  "C:\Windows\Installer\MSI75A5.tmp"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\Installer\MSI75A5.tmp
    "C:\Windows\Installer\MSI75A5.tmp"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:3704

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:200

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:1220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\MSI75A5.tmp

MD5
2b1cb416ade4d567beae5b90f78881a6

SHA1
bb6cfc2f205a922620eeca38406e9ca2ff2875bf

SHA256
ac2bc57ced40d79ee9507ee3259682c9a545a1290c2dbd4e0a5045b1ae5e61f3

SHA512
f96dc90e2ef21cb6ce5334d4b3b1043b51862fb9686afdc41da95188d653f6f69d013b62c9301425b95f16e259a4d672e39418c8a849dd5b9b98e20a18853a09

Download Submit
C:\Windows\Installer\MSI75A5.tmp

MD5
2b1cb416ade4d567beae5b90f78881a6

SHA1
bb6cfc2f205a922620eeca38406e9ca2ff2875bf

SHA256
ac2bc57ced40d79ee9507ee3259682c9a545a1290c2dbd4e0a5045b1ae5e61f3

SHA512
f96dc90e2ef21cb6ce5334d4b3b1043b51862fb9686afdc41da95188d653f6f69d013b62c9301425b95f16e259a4d672e39418c8a849dd5b9b98e20a18853a09

Download Submit
C:\Windows\Installer\MSI75A5.tmp

MD5
2b1cb416ade4d567beae5b90f78881a6

SHA1
bb6cfc2f205a922620eeca38406e9ca2ff2875bf

SHA256
ac2bc57ced40d79ee9507ee3259682c9a545a1290c2dbd4e0a5045b1ae5e61f3

SHA512
f96dc90e2ef21cb6ce5334d4b3b1043b51862fb9686afdc41da95188d653f6f69d013b62c9301425b95f16e259a4d672e39418c8a849dd5b9b98e20a18853a09

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5
427ee2ad399296dbec5ec34d6fa33452

SHA1
985a596c79cf3e09cf44d6229c16fd6c05ff53d1

SHA256
4ea86b55f3e34efe3c8a9f2803a58aa1360bca2ef2972b6cc1374674cadf598d

SHA512
846b3983c698e92d55e731b1156d23a2e1d4ad7ad8a087fec72ff7222733500e006a30223ccb4843642ad2541ae38e7f4286159249e2066e9e97fa4b0a245784

Download Submit
\??\Volume{d05cfc4a-0000-0000-0000-500600000000}\System Volume Information\SPP\OnlineMetadataCache\{07fb5ceb-9568-4d4c-a0d6-73132f255eb0}_OnDiskSnapshotProp

MD5
4abc2aa30677a150567dc330f7c90443

SHA1
8163f55d5a8d97a252020a43b6d041b1a34b477d

SHA256
318bd5746f1e1673ad443afe089532066e2c5e7887c09d2122005130d25a880b

SHA512
7c77223b30dc2996d110d40d976d5bfb8a5d6f62cba42d17d8c16db2b30c6aed916b327777423ddd92642118c8d9be55d788aadc675c8114e462834d4057cdfc

Download Submit
\Users\Admin\AppData\Local\Temp\nsb7C7A.tmp\ie2mi.dll

MD5
7795b5a3842f3220526b9b5c0792c91a

SHA1
69d6e1a264aab15d749a70a74d63de59c266e3b4

SHA256
7d931a93e761686bde7d6a79253cb03378ee28f8d12c683a9017540e798d2988

SHA512
45bf7270aee9e4ccbd84107490469e455ac4bc6faac7e1aff9cc4453c9c07afc8e64dbef955e248116d28f49b51f6596812d8366ed057ddc73ab061aecfcc43e

Download Submit
memory/2184-133-0x0000000000000000-mapping.dmp

Download
memory/2308-134-0x00000000009B0000-0x00000000009C7000-memory.dmp

Filesize
92KB

Download
memory/2308-137-0x00000000031C0000-0x0000000003253000-memory.dmp

Filesize
588KB

Download
memory/2308-136-0x0000000002D00000-0x0000000002DAE000-memory.dmp

Filesize
696KB

Download
memory/2308-132-0x0000000000000000-mapping.dmp

Download
memory/2308-135-0x0000000002CD0000-0x0000000002CFE000-memory.dmp

Filesize
184KB

Download
memory/2660-118-0x0000000000000000-mapping.dmp

Download
memory/2876-119-0x0000000000000000-mapping.dmp

Download
memory/2876-125-0x00000000028B0000-0x00000000028B2000-memory.dmp

Filesize
8KB

Download
memory/3024-138-0x0000000006050000-0x0000000006138000-memory.dmp

Filesize
928KB

Download
memory/3024-131-0x00000000063D0000-0x000000000656F000-memory.dmp

Filesize
1.6MB

Download
memory/3704-128-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3704-130-0x00000000004D0000-0x000000000057E000-memory.dmp

Filesize
696KB

Download
memory/3704-129-0x0000000000AA0000-0x0000000000DC0000-memory.dmp

Filesize
3.1MB

Download
memory/3704-126-0x000000000041EBB0-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads