formbook | c09b2348606b04620b185f4658474843eef3d9ec99ae70145a481b955d50aebf

General

Target

SecuriteInfo.com.Gen.Variant.Androm.29.12612.8788.msi
Size

252KB
MD5

2a284fbd7e5e4f010e9322e93a238fde
SHA1

1d4621ba747111332fd2f8c9bae67c5c44fc768a
SHA256

c09b2348606b04620b185f4658474843eef3d9ec99ae70145a481b955d50aebf
SHA512

3707c20b942b05e6146f2d4ec20dcd28f73bbb9b5ff279bbc599cd5365c4940aefba2d619dd842b0a4b7a6df16a28536462630f7dbe6a82e4918123eaa40d1d7

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.craftsman-vail.com/cca/

Decoy

whenpigsflyhigh.com

artistiklounge.com

tinytrendstique.com

projektpartner-ag.com

charvelevh.com

easycompliances.net

zengheqiye.com

professionalmallorca.com

bonzerstudio.com

nelivo.com

yangxeric.com

aredntech.com

twincitieshousingmarket.com

allshadesunscreen.com

xiang-life.net

qmcp00011.com

lindsayeandmarkv.com

fbcsbvsbvsjbvjs.com

saveonthrivelife.com

newdpo.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2128-126-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/2096-132-0x0000000000160000-0x000000000018E000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

MSID190.tmpMSID190.tmp

pid process

3620 MSID190.tmp
2128 MSID190.tmp
Loads dropped DLL 1 IoCs

Processes:

MSID190.tmp

pid process

3620 MSID190.tmp

pid	process
3620	MSID190.tmp
2128	MSID190.tmp

pid	process
3620	MSID190.tmp

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

MSID190.tmpMSID190.tmpsvchost.exe

description	pid	process	target process
PID 3620 set thread context of 2128	3620	MSID190.tmp	MSID190.tmp
PID 2128 set thread context of 3052	2128	MSID190.tmp	Explorer.EXE
PID 2096 set thread context of 3052	2096	svchost.exe	Explorer.EXE

Drops file in Windows directory 8 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID0C3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID190.tmp	msiexec.exe
File created	C:\Windows\Installer\f74cdf4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f74cdf4.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Windows\Installer\MSID190.tmp	nsis_installer_1
C:\Windows\Installer\MSID190.tmp	nsis_installer_2
C:\Windows\Installer\MSID190.tmp	nsis_installer_1
C:\Windows\Installer\MSID190.tmp	nsis_installer_2
C:\Windows\Installer\MSID190.tmp	nsis_installer_1
C:\Windows\Installer\MSID190.tmp	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

msiexec.exeMSID190.tmpsvchost.exe

pid	process
3192	msiexec.exe
3192	msiexec.exe
2128	MSID190.tmp
2128	MSID190.tmp
2128	MSID190.tmp
2128	MSID190.tmp
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3052 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

MSID190.tmpMSID190.tmpsvchost.exe

pid process

3620 MSID190.tmp
2128 MSID190.tmp
2128 MSID190.tmp
2128 MSID190.tmp
2096 svchost.exe
2096 svchost.exe

pid	process
3052	Explorer.EXE

pid	process
3620	MSID190.tmp
2128	MSID190.tmp
2128	MSID190.tmp
2128	MSID190.tmp
2096	svchost.exe
2096	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exeMSID190.tmpsvchost.exesrtasks.exeExplorer.EXE

description	pid	process
Token: SeShutdownPrivilege	784	msiexec.exe
Token: SeIncreaseQuotaPrivilege	784	msiexec.exe
Token: SeSecurityPrivilege	3192	msiexec.exe
Token: SeCreateTokenPrivilege	784	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	784	msiexec.exe
Token: SeLockMemoryPrivilege	784	msiexec.exe
Token: SeIncreaseQuotaPrivilege	784	msiexec.exe
Token: SeMachineAccountPrivilege	784	msiexec.exe
Token: SeTcbPrivilege	784	msiexec.exe
Token: SeSecurityPrivilege	784	msiexec.exe
Token: SeTakeOwnershipPrivilege	784	msiexec.exe
Token: SeLoadDriverPrivilege	784	msiexec.exe
Token: SeSystemProfilePrivilege	784	msiexec.exe
Token: SeSystemtimePrivilege	784	msiexec.exe
Token: SeProfSingleProcessPrivilege	784	msiexec.exe
Token: SeIncBasePriorityPrivilege	784	msiexec.exe
Token: SeCreatePagefilePrivilege	784	msiexec.exe
Token: SeCreatePermanentPrivilege	784	msiexec.exe
Token: SeBackupPrivilege	784	msiexec.exe
Token: SeRestorePrivilege	784	msiexec.exe
Token: SeShutdownPrivilege	784	msiexec.exe
Token: SeDebugPrivilege	784	msiexec.exe
Token: SeAuditPrivilege	784	msiexec.exe
Token: SeSystemEnvironmentPrivilege	784	msiexec.exe
Token: SeChangeNotifyPrivilege	784	msiexec.exe
Token: SeRemoteShutdownPrivilege	784	msiexec.exe
Token: SeUndockPrivilege	784	msiexec.exe
Token: SeSyncAgentPrivilege	784	msiexec.exe
Token: SeEnableDelegationPrivilege	784	msiexec.exe
Token: SeManageVolumePrivilege	784	msiexec.exe
Token: SeImpersonatePrivilege	784	msiexec.exe
Token: SeCreateGlobalPrivilege	784	msiexec.exe
Token: SeBackupPrivilege	2852	vssvc.exe
Token: SeRestorePrivilege	2852	vssvc.exe
Token: SeAuditPrivilege	2852	vssvc.exe
Token: SeBackupPrivilege	3192	msiexec.exe
Token: SeRestorePrivilege	3192	msiexec.exe
Token: SeRestorePrivilege	3192	msiexec.exe
Token: SeTakeOwnershipPrivilege	3192	msiexec.exe
Token: SeRestorePrivilege	3192	msiexec.exe
Token: SeTakeOwnershipPrivilege	3192	msiexec.exe
Token: SeRestorePrivilege	3192	msiexec.exe
Token: SeTakeOwnershipPrivilege	3192	msiexec.exe
Token: SeRestorePrivilege	3192	msiexec.exe
Token: SeTakeOwnershipPrivilege	3192	msiexec.exe
Token: SeRestorePrivilege	3192	msiexec.exe
Token: SeTakeOwnershipPrivilege	3192	msiexec.exe
Token: SeRestorePrivilege	3192	msiexec.exe
Token: SeTakeOwnershipPrivilege	3192	msiexec.exe
Token: SeDebugPrivilege	2128	MSID190.tmp
Token: SeDebugPrivilege	2096	svchost.exe
Token: SeBackupPrivilege	2320	srtasks.exe
Token: SeRestorePrivilege	2320	srtasks.exe
Token: SeSecurityPrivilege	2320	srtasks.exe
Token: SeTakeOwnershipPrivilege	2320	srtasks.exe
Token: SeBackupPrivilege	2320	srtasks.exe
Token: SeRestorePrivilege	2320	srtasks.exe
Token: SeSecurityPrivilege	2320	srtasks.exe
Token: SeTakeOwnershipPrivilege	2320	srtasks.exe
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

784 msiexec.exe
784 msiexec.exe

pid	process
784	msiexec.exe
784	msiexec.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

msiexec.exeMSID190.tmpExplorer.EXEsvchost.exe

description	pid	process	target process
PID 3192 wrote to memory of 2320	3192	msiexec.exe	srtasks.exe
PID 3192 wrote to memory of 2320	3192	msiexec.exe	srtasks.exe
PID 3192 wrote to memory of 3620	3192	msiexec.exe	MSID190.tmp
PID 3192 wrote to memory of 3620	3192	msiexec.exe	MSID190.tmp
PID 3192 wrote to memory of 3620	3192	msiexec.exe	MSID190.tmp
PID 3620 wrote to memory of 2128	3620	MSID190.tmp	MSID190.tmp
PID 3620 wrote to memory of 2128	3620	MSID190.tmp	MSID190.tmp
PID 3620 wrote to memory of 2128	3620	MSID190.tmp	MSID190.tmp
PID 3620 wrote to memory of 2128	3620	MSID190.tmp	MSID190.tmp
PID 3052 wrote to memory of 2096	3052	Explorer.EXE	svchost.exe
PID 3052 wrote to memory of 2096	3052	Explorer.EXE	svchost.exe
PID 3052 wrote to memory of 2096	3052	Explorer.EXE	svchost.exe
PID 2096 wrote to memory of 4028	2096	svchost.exe	cmd.exe
PID 2096 wrote to memory of 4028	2096	svchost.exe	cmd.exe
PID 2096 wrote to memory of 4028	2096	svchost.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Androm.29.12612.8788.msi
2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:784

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Installer\MSID190.tmp"
3⤵
PID:4028

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3192

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\Installer\MSID190.tmp
"C:\Windows\Installer\MSID190.tmp"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3620

C:\Windows\Installer\MSID190.tmp
"C:\Windows\Installer\MSID190.tmp"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2852

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:2316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

2

T1120

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\MSID190.tmp
MD5
caccaec6ca54e341eb266b3b98978178

SHA1
e02d383072613e1e65a8991adc941b65a82f8be7

SHA256
20b92c186a1abf1b15f080ae6c7ec6e995c712158df4869827ecc8e1df9e9479

SHA512
838e18e94b8b6523feb2263475a238fceae6cb8703b69eb05a1ee3a8052389daf91b898fef692e51173c7fee7840b046663a808d556a75d6b62c431cb835cf0e

Download Submit
C:\Windows\Installer\MSID190.tmp
MD5
caccaec6ca54e341eb266b3b98978178

SHA1
e02d383072613e1e65a8991adc941b65a82f8be7

SHA256
20b92c186a1abf1b15f080ae6c7ec6e995c712158df4869827ecc8e1df9e9479

SHA512
838e18e94b8b6523feb2263475a238fceae6cb8703b69eb05a1ee3a8052389daf91b898fef692e51173c7fee7840b046663a808d556a75d6b62c431cb835cf0e

Download Submit
C:\Windows\Installer\MSID190.tmp
MD5
caccaec6ca54e341eb266b3b98978178

SHA1
e02d383072613e1e65a8991adc941b65a82f8be7

SHA256
20b92c186a1abf1b15f080ae6c7ec6e995c712158df4869827ecc8e1df9e9479

SHA512
838e18e94b8b6523feb2263475a238fceae6cb8703b69eb05a1ee3a8052389daf91b898fef692e51173c7fee7840b046663a808d556a75d6b62c431cb835cf0e

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
MD5
597a4fcd965bdf6ac13d429d0d4a2dbf

SHA1
56b4dde0d1ddd8de2629ded45144c463ad5ff4b3

SHA256
ee5c7c20a96ecf14ab08f03b36f2b38815e0f96caeef9647e6321b287db4e72b

SHA512
74b3b1540dedc6d6683290d5e09b70605668270c7525d89b17cde76f06f50fee90980e3ff7c9a7de3722ce4458a7dc62b9a3123460c54b46f9dc5f6e0c658e7a

Download Submit
\??\Volume{d05cfc4a-0000-0000-0000-500600000000}\System Volume Information\SPP\OnlineMetadataCache\{bbb9897c-3a1a-47a3-ad8a-f0110bf1a785}_OnDiskSnapshotProp
MD5
1a78dc4cfaa1277962e5c88e690b84fc

SHA1
80aa752a8fc68fc7bc51f76572a369bbdd46fbf9

SHA256
e59b21ff1dbe46f5a68b6f7eebb7f5f9ce7fb77fd3bf3af1e3fca7fbb754ba43

SHA512
6845535cefa941d563dc681893207fbed997ee82a45d8e9f4721d871c0cca34950a6370cbfca756780061accc7ce7a8e00399584d24bada5b83101cb81d5f855

Download Submit
\Users\Admin\AppData\Local\Temp\nsgD43F.tmp\0djwv1e4o91gu5.dll
MD5
b8efcf07411a1081f73080bd83f3bf1e

SHA1
b534be3372f363f2ae50be8fa8fd94fec8c0dae2

SHA256
7faeba7a3e10c3eccd92d119327a0d7e8b0aa99c7ca956326bff1c83ce011440

SHA512
3ba6a145c27d62f4d8cfea644945a86d1321e61e0677bae217cc5003f4fad486e56481354f8fd7c46aceea69c6f1824b8efbe17461e319a48940d8b63a53f79c

Download Submit
memory/2096-130-0x0000000000000000-mapping.dmp

Download
memory/2096-132-0x0000000000160000-0x000000000018E000-memory.dmp

Filesize
184KB

Download
memory/2096-131-0x0000000000B20000-0x0000000000B2C000-memory.dmp

Filesize
48KB

Download
memory/2096-137-0x0000000000910000-0x00000000009A3000-memory.dmp

Filesize
588KB

Download
memory/2096-134-0x0000000002E50000-0x0000000003170000-memory.dmp

Filesize
3.1MB

Download
memory/2128-124-0x000000000041EB70-mapping.dmp

Download
memory/2128-126-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2128-127-0x0000000000940000-0x0000000000C60000-memory.dmp

Filesize
3.1MB

Download
memory/2128-128-0x00000000008D0000-0x00000000008E4000-memory.dmp

Filesize
80KB

Download
memory/2320-118-0x0000000000000000-mapping.dmp

Download
memory/3052-129-0x0000000006520000-0x0000000006681000-memory.dmp

Filesize
1.4MB

Download
memory/3052-138-0x0000000006A90000-0x0000000006C06000-memory.dmp

Filesize
1.5MB

Download
memory/3620-123-0x0000000002290000-0x0000000002292000-memory.dmp

Filesize
8KB

Download
memory/3620-119-0x0000000000000000-mapping.dmp

Download
memory/4028-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads