formbook | 9de1892b227f07e8896b3dfa4d1f8b450bf2af962b1ec34f3075acc7a4187259

General

Target

SecuriteInfo.com.Gen.Variant.Androm.29.9877.8691.msi
Size

252KB
MD5

e329a2ae51067a9ae8a508fb7dd34ca8
SHA1

e2371038a5cac558e52297cb808ead02c2150c36
SHA256

9de1892b227f07e8896b3dfa4d1f8b450bf2af962b1ec34f3075acc7a4187259
SHA512

e76add738078a81d9465e0e9f40638dc385b9909428d684d5048ae3c6549de040012d8a2310f05e10e94cef4528d3e08490a96774dbb848003ef31f70886febc

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.111bjs.com/ccr/

Decoy

abdullahlodhi.com

jevya.com

knoxvillerestaurant.com

mekarauroko7389.com

cricketspowder.net

johannchirinos.com

orangeorganical.com

libero-tt.com

lorenaegianluca.com

wintab.net

modernmillievintage.com

zgdqcyw.com

jeffabildgaardmd.com

nurulfikrimakassar.com

findyourchef.com

innovationsservicegroup.com

destek-taleplerimiz.com

whfqqco.icu

kosmetikmadeingermany.com

dieteticos.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3520-128-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/3744-135-0x0000000000570000-0x000000000059E000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

MSI432B.tmpMSI432B.tmp

pid process

3204 MSI432B.tmp
3520 MSI432B.tmp
Loads dropped DLL 1 IoCs

Processes:

MSI432B.tmp

pid process

3204 MSI432B.tmp

pid	process
3204	MSI432B.tmp
3520	MSI432B.tmp

pid	process
3204	MSI432B.tmp

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

MSI432B.tmpMSI432B.tmpraserver.exe

description	pid	process	target process
PID 3204 set thread context of 3520	3204	MSI432B.tmp	MSI432B.tmp
PID 3520 set thread context of 3052	3520	MSI432B.tmp	Explorer.EXE
PID 3744 set thread context of 3052	3744	raserver.exe	Explorer.EXE

Drops file in Windows directory 8 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\f744173.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f744173.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI42CB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI432B.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Windows\Installer\MSI432B.tmp	nsis_installer_1
C:\Windows\Installer\MSI432B.tmp	nsis_installer_2
C:\Windows\Installer\MSI432B.tmp	nsis_installer_1
C:\Windows\Installer\MSI432B.tmp	nsis_installer_2
C:\Windows\Installer\MSI432B.tmp	nsis_installer_1
C:\Windows\Installer\MSI432B.tmp	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

msiexec.exeMSI432B.tmpraserver.exe

pid	process
348	msiexec.exe
348	msiexec.exe
3520	MSI432B.tmp
3520	MSI432B.tmp
3520	MSI432B.tmp
3520	MSI432B.tmp
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe
3744	raserver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3052 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

MSI432B.tmpMSI432B.tmpraserver.exe

pid process

3204 MSI432B.tmp
3520 MSI432B.tmp
3520 MSI432B.tmp
3520 MSI432B.tmp
3744 raserver.exe
3744 raserver.exe

pid	process
3052	Explorer.EXE

pid	process
3204	MSI432B.tmp
3520	MSI432B.tmp
3520	MSI432B.tmp
3520	MSI432B.tmp
3744	raserver.exe
3744	raserver.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exesrtasks.exeMSI432B.tmpraserver.exeExplorer.EXE

description	pid	process
Token: SeShutdownPrivilege	3172	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3172	msiexec.exe
Token: SeSecurityPrivilege	348	msiexec.exe
Token: SeCreateTokenPrivilege	3172	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3172	msiexec.exe
Token: SeLockMemoryPrivilege	3172	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3172	msiexec.exe
Token: SeMachineAccountPrivilege	3172	msiexec.exe
Token: SeTcbPrivilege	3172	msiexec.exe
Token: SeSecurityPrivilege	3172	msiexec.exe
Token: SeTakeOwnershipPrivilege	3172	msiexec.exe
Token: SeLoadDriverPrivilege	3172	msiexec.exe
Token: SeSystemProfilePrivilege	3172	msiexec.exe
Token: SeSystemtimePrivilege	3172	msiexec.exe
Token: SeProfSingleProcessPrivilege	3172	msiexec.exe
Token: SeIncBasePriorityPrivilege	3172	msiexec.exe
Token: SeCreatePagefilePrivilege	3172	msiexec.exe
Token: SeCreatePermanentPrivilege	3172	msiexec.exe
Token: SeBackupPrivilege	3172	msiexec.exe
Token: SeRestorePrivilege	3172	msiexec.exe
Token: SeShutdownPrivilege	3172	msiexec.exe
Token: SeDebugPrivilege	3172	msiexec.exe
Token: SeAuditPrivilege	3172	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3172	msiexec.exe
Token: SeChangeNotifyPrivilege	3172	msiexec.exe
Token: SeRemoteShutdownPrivilege	3172	msiexec.exe
Token: SeUndockPrivilege	3172	msiexec.exe
Token: SeSyncAgentPrivilege	3172	msiexec.exe
Token: SeEnableDelegationPrivilege	3172	msiexec.exe
Token: SeManageVolumePrivilege	3172	msiexec.exe
Token: SeImpersonatePrivilege	3172	msiexec.exe
Token: SeCreateGlobalPrivilege	3172	msiexec.exe
Token: SeBackupPrivilege	1336	vssvc.exe
Token: SeRestorePrivilege	1336	vssvc.exe
Token: SeAuditPrivilege	1336	vssvc.exe
Token: SeBackupPrivilege	348	msiexec.exe
Token: SeRestorePrivilege	348	msiexec.exe
Token: SeRestorePrivilege	348	msiexec.exe
Token: SeTakeOwnershipPrivilege	348	msiexec.exe
Token: SeRestorePrivilege	348	msiexec.exe
Token: SeTakeOwnershipPrivilege	348	msiexec.exe
Token: SeRestorePrivilege	348	msiexec.exe
Token: SeTakeOwnershipPrivilege	348	msiexec.exe
Token: SeRestorePrivilege	348	msiexec.exe
Token: SeTakeOwnershipPrivilege	348	msiexec.exe
Token: SeBackupPrivilege	3528	srtasks.exe
Token: SeRestorePrivilege	3528	srtasks.exe
Token: SeSecurityPrivilege	3528	srtasks.exe
Token: SeTakeOwnershipPrivilege	3528	srtasks.exe
Token: SeRestorePrivilege	348	msiexec.exe
Token: SeTakeOwnershipPrivilege	348	msiexec.exe
Token: SeRestorePrivilege	348	msiexec.exe
Token: SeTakeOwnershipPrivilege	348	msiexec.exe
Token: SeDebugPrivilege	3520	MSI432B.tmp
Token: SeBackupPrivilege	3528	srtasks.exe
Token: SeRestorePrivilege	3528	srtasks.exe
Token: SeSecurityPrivilege	3528	srtasks.exe
Token: SeTakeOwnershipPrivilege	3528	srtasks.exe
Token: SeDebugPrivilege	3744	raserver.exe
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

3172 msiexec.exe
3172 msiexec.exe

pid	process
3172	msiexec.exe
3172	msiexec.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

msiexec.exeMSI432B.tmpExplorer.EXEraserver.exe

description	pid	process	target process
PID 348 wrote to memory of 3528	348	msiexec.exe	srtasks.exe
PID 348 wrote to memory of 3528	348	msiexec.exe	srtasks.exe
PID 348 wrote to memory of 3204	348	msiexec.exe	MSI432B.tmp
PID 348 wrote to memory of 3204	348	msiexec.exe	MSI432B.tmp
PID 348 wrote to memory of 3204	348	msiexec.exe	MSI432B.tmp
PID 3204 wrote to memory of 3520	3204	MSI432B.tmp	MSI432B.tmp
PID 3204 wrote to memory of 3520	3204	MSI432B.tmp	MSI432B.tmp
PID 3204 wrote to memory of 3520	3204	MSI432B.tmp	MSI432B.tmp
PID 3204 wrote to memory of 3520	3204	MSI432B.tmp	MSI432B.tmp
PID 3052 wrote to memory of 3744	3052	Explorer.EXE	raserver.exe
PID 3052 wrote to memory of 3744	3052	Explorer.EXE	raserver.exe
PID 3052 wrote to memory of 3744	3052	Explorer.EXE	raserver.exe
PID 3744 wrote to memory of 3736	3744	raserver.exe	cmd.exe
PID 3744 wrote to memory of 3736	3744	raserver.exe	cmd.exe
PID 3744 wrote to memory of 3736	3744	raserver.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\system32\msiexec.exe
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Androm.29.9877.8691.msi
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3172
- C:\Windows\SysWOW64\raserver.exe
  "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3744
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Installer\MSI432B.tmp"
    3⤵
    PID:3736

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:348
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3528
- C:\Windows\Installer\MSI432B.tmp
  "C:\Windows\Installer\MSI432B.tmp"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3204
- - C:\Windows\Installer\MSI432B.tmp
    "C:\Windows\Installer\MSI432B.tmp"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:3520

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1336

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:1056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\MSI432B.tmp

MD5
d8a19f13154e81e9d526077422655453

SHA1
573e6aed1534203b36f9a8e5121c125b02e11b0f

SHA256
b525832c63ea5d05a8afde822fcb39e5fb759497e7c2c986a5673fec721ed853

SHA512
193344e672c7fb66fbd6acc2608c1d9acf360091ddf8086e5609e5a8ed511e1117fc2b7eb7cb43b56e984bf9f98f6a7648f8f1b0defc1416b2dca3c557ae39ae

Download Submit
C:\Windows\Installer\MSI432B.tmp

MD5
d8a19f13154e81e9d526077422655453

SHA1
573e6aed1534203b36f9a8e5121c125b02e11b0f

SHA256
b525832c63ea5d05a8afde822fcb39e5fb759497e7c2c986a5673fec721ed853

SHA512
193344e672c7fb66fbd6acc2608c1d9acf360091ddf8086e5609e5a8ed511e1117fc2b7eb7cb43b56e984bf9f98f6a7648f8f1b0defc1416b2dca3c557ae39ae

Download Submit
C:\Windows\Installer\MSI432B.tmp

MD5
d8a19f13154e81e9d526077422655453

SHA1
573e6aed1534203b36f9a8e5121c125b02e11b0f

SHA256
b525832c63ea5d05a8afde822fcb39e5fb759497e7c2c986a5673fec721ed853

SHA512
193344e672c7fb66fbd6acc2608c1d9acf360091ddf8086e5609e5a8ed511e1117fc2b7eb7cb43b56e984bf9f98f6a7648f8f1b0defc1416b2dca3c557ae39ae

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5
f69927642f4fd62866696d4f6b581790

SHA1
8036cd0677d04d02088580f8397611b24fcb5e15

SHA256
0c9cb2d2f96acabe91bdd040f4f677226a795c8994fe92ddc9996b10aae8d25f

SHA512
613c0f27129b9baa6833fb0bdd3803a0e1b8c4a61e6e4fb97de82829fcafeb435dea9d2e42913e1a40a333cdcc1d9c68f32fee42217b3986ce1b4ac5801a32f3

Download Submit
\??\Volume{266d1ca4-0000-0000-0000-500600000000}\System Volume Information\SPP\OnlineMetadataCache\{93580094-de29-4fcb-b2ce-21191f83b157}_OnDiskSnapshotProp

MD5
547e9e4200c6277aae5d0df8d09eea22

SHA1
ba6d074b70698c524f7463ef4ec17ca1a09f1194

SHA256
fe9d5c57604f8f5b2df434dcf1142d7060d6a7c87e4158f2851b8e28ae2644bb

SHA512
48065332d41c399b1ac2744a8b4846999c6c3a9f525484c396385cf2b504d69679b1eea731e3bbcceadd5571d69f38065ef5e37b6995302b93a7f46182bafd91

Download Submit
\Users\Admin\AppData\Local\Temp\nso44DF.tmp\3dd73lht.dll

MD5
df8beafa8d4250032a73e261c80e35e3

SHA1
3ced0abd9f02d24d79ede5052f661108b01df997

SHA256
a57717b0b91bb128761a4363d12cacd45431c7e512d5a8d307b40cf30e6a26da

SHA512
bf9fd7009e3c4919b2b230748c8f3795423b4e7e57d82d531a31682916dfb589c2df2b20320a51b532e21dec98ce597a4a80589ec5fa442417274661e1c9d1ce

Download Submit
memory/3052-131-0x0000000002AD0000-0x0000000002BB6000-memory.dmp

Filesize
920KB

Download
memory/3052-138-0x0000000006540000-0x0000000006668000-memory.dmp

Filesize
1.2MB

Download
memory/3204-119-0x0000000000000000-mapping.dmp

Download
memory/3204-127-0x00000000023A0000-0x00000000023A2000-memory.dmp

Filesize
8KB

Download
memory/3520-128-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3520-129-0x0000000000A50000-0x0000000000D70000-memory.dmp

Filesize
3.1MB

Download
memory/3520-130-0x00000000009F0000-0x0000000000A04000-memory.dmp

Filesize
80KB

Download
memory/3520-123-0x000000000041EBB0-mapping.dmp

Download
memory/3528-118-0x0000000000000000-mapping.dmp

Download
memory/3736-133-0x0000000000000000-mapping.dmp

Download
memory/3744-132-0x0000000000000000-mapping.dmp

Download
memory/3744-134-0x00000000009E0000-0x00000000009FF000-memory.dmp

Filesize
124KB

Download
memory/3744-135-0x0000000000570000-0x000000000059E000-memory.dmp

Filesize
184KB

Download
memory/3744-136-0x00000000042B0000-0x00000000045D0000-memory.dmp

Filesize
3.1MB

Download
memory/3744-137-0x0000000004130000-0x00000000041C3000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads