formbook | a7338368a74ea858b07c282d8a0bbff371f6154c9140d34d74311e0d3e1f15c0

General

Target

ghy87ck.msi
Size

240KB
MD5

9c65bfe1486bdf4451757715342f481a
SHA1

80196fcf884163d6daba116ae6ced64797ea5675
SHA256

a7338368a74ea858b07c282d8a0bbff371f6154c9140d34d74311e0d3e1f15c0
SHA512

f18d2ded359b3835d2b75f08af4ad389cc872d5efc478c06bdd4a19d980bdf8276522eb9db516387fb599985f295569dda14eace871fafbf4dc7f92610982031

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.craftsman-vail.com/cca/

Decoy

whenpigsflyhigh.com

artistiklounge.com

tinytrendstique.com

projektpartner-ag.com

charvelevh.com

easycompliances.net

zengheqiye.com

professionalmallorca.com

bonzerstudio.com

nelivo.com

yangxeric.com

aredntech.com

twincitieshousingmarket.com

allshadesunscreen.com

xiang-life.net

qmcp00011.com

lindsayeandmarkv.com

fbcsbvsbvsjbvjs.com

saveonthrivelife.com

newdpo.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1236-125-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/688-131-0x0000000000F00000-0x0000000000F2E000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

MSIBE85.tmpMSIBE85.tmp

pid process

3356 MSIBE85.tmp
1236 MSIBE85.tmp
Loads dropped DLL 1 IoCs

Processes:

MSIBE85.tmp

pid process

3356 MSIBE85.tmp

pid	process
3356	MSIBE85.tmp
1236	MSIBE85.tmp

pid	process
3356	MSIBE85.tmp

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

MSIBE85.tmpMSIBE85.tmpnetsh.exe

description	pid	process	target process
PID 3356 set thread context of 1236	3356	MSIBE85.tmp	MSIBE85.tmp
PID 1236 set thread context of 3020	1236	MSIBE85.tmp	Explorer.EXE
PID 688 set thread context of 3020	688	netsh.exe	Explorer.EXE

Drops file in Windows directory 8 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBDD7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBE85.tmp	msiexec.exe
File created	C:\Windows\Installer\f74bbc4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f74bbc4.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Windows\Installer\MSIBE85.tmp	nsis_installer_1
C:\Windows\Installer\MSIBE85.tmp	nsis_installer_2
C:\Windows\Installer\MSIBE85.tmp	nsis_installer_1
C:\Windows\Installer\MSIBE85.tmp	nsis_installer_2
C:\Windows\Installer\MSIBE85.tmp	nsis_installer_1
C:\Windows\Installer\MSIBE85.tmp	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

msiexec.exeMSIBE85.tmpnetsh.exe

pid	process
3964	msiexec.exe
3964	msiexec.exe
1236	MSIBE85.tmp
1236	MSIBE85.tmp
1236	MSIBE85.tmp
1236	MSIBE85.tmp
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe
688	netsh.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3020 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

MSIBE85.tmpMSIBE85.tmpnetsh.exe

pid process

3356 MSIBE85.tmp
1236 MSIBE85.tmp
1236 MSIBE85.tmp
1236 MSIBE85.tmp
688 netsh.exe
688 netsh.exe

pid	process
3020	Explorer.EXE

pid	process
3356	MSIBE85.tmp
1236	MSIBE85.tmp
1236	MSIBE85.tmp
1236	MSIBE85.tmp
688	netsh.exe
688	netsh.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exeMSIBE85.tmpnetsh.exesrtasks.exeExplorer.EXE

description	pid	process
Token: SeShutdownPrivilege	992	msiexec.exe
Token: SeIncreaseQuotaPrivilege	992	msiexec.exe
Token: SeSecurityPrivilege	3964	msiexec.exe
Token: SeCreateTokenPrivilege	992	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	992	msiexec.exe
Token: SeLockMemoryPrivilege	992	msiexec.exe
Token: SeIncreaseQuotaPrivilege	992	msiexec.exe
Token: SeMachineAccountPrivilege	992	msiexec.exe
Token: SeTcbPrivilege	992	msiexec.exe
Token: SeSecurityPrivilege	992	msiexec.exe
Token: SeTakeOwnershipPrivilege	992	msiexec.exe
Token: SeLoadDriverPrivilege	992	msiexec.exe
Token: SeSystemProfilePrivilege	992	msiexec.exe
Token: SeSystemtimePrivilege	992	msiexec.exe
Token: SeProfSingleProcessPrivilege	992	msiexec.exe
Token: SeIncBasePriorityPrivilege	992	msiexec.exe
Token: SeCreatePagefilePrivilege	992	msiexec.exe
Token: SeCreatePermanentPrivilege	992	msiexec.exe
Token: SeBackupPrivilege	992	msiexec.exe
Token: SeRestorePrivilege	992	msiexec.exe
Token: SeShutdownPrivilege	992	msiexec.exe
Token: SeDebugPrivilege	992	msiexec.exe
Token: SeAuditPrivilege	992	msiexec.exe
Token: SeSystemEnvironmentPrivilege	992	msiexec.exe
Token: SeChangeNotifyPrivilege	992	msiexec.exe
Token: SeRemoteShutdownPrivilege	992	msiexec.exe
Token: SeUndockPrivilege	992	msiexec.exe
Token: SeSyncAgentPrivilege	992	msiexec.exe
Token: SeEnableDelegationPrivilege	992	msiexec.exe
Token: SeManageVolumePrivilege	992	msiexec.exe
Token: SeImpersonatePrivilege	992	msiexec.exe
Token: SeCreateGlobalPrivilege	992	msiexec.exe
Token: SeBackupPrivilege	3756	vssvc.exe
Token: SeRestorePrivilege	3756	vssvc.exe
Token: SeAuditPrivilege	3756	vssvc.exe
Token: SeBackupPrivilege	3964	msiexec.exe
Token: SeRestorePrivilege	3964	msiexec.exe
Token: SeRestorePrivilege	3964	msiexec.exe
Token: SeTakeOwnershipPrivilege	3964	msiexec.exe
Token: SeRestorePrivilege	3964	msiexec.exe
Token: SeTakeOwnershipPrivilege	3964	msiexec.exe
Token: SeRestorePrivilege	3964	msiexec.exe
Token: SeTakeOwnershipPrivilege	3964	msiexec.exe
Token: SeRestorePrivilege	3964	msiexec.exe
Token: SeTakeOwnershipPrivilege	3964	msiexec.exe
Token: SeRestorePrivilege	3964	msiexec.exe
Token: SeTakeOwnershipPrivilege	3964	msiexec.exe
Token: SeRestorePrivilege	3964	msiexec.exe
Token: SeTakeOwnershipPrivilege	3964	msiexec.exe
Token: SeDebugPrivilege	1236	MSIBE85.tmp
Token: SeDebugPrivilege	688	netsh.exe
Token: SeBackupPrivilege	2660	srtasks.exe
Token: SeRestorePrivilege	2660	srtasks.exe
Token: SeSecurityPrivilege	2660	srtasks.exe
Token: SeTakeOwnershipPrivilege	2660	srtasks.exe
Token: SeBackupPrivilege	2660	srtasks.exe
Token: SeRestorePrivilege	2660	srtasks.exe
Token: SeSecurityPrivilege	2660	srtasks.exe
Token: SeTakeOwnershipPrivilege	2660	srtasks.exe
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

992 msiexec.exe
992 msiexec.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3020 Explorer.EXE

pid	process
992	msiexec.exe
992	msiexec.exe

pid	process
3020	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

msiexec.exeMSIBE85.tmpExplorer.EXEnetsh.exe

description	pid	process	target process
PID 3964 wrote to memory of 2660	3964	msiexec.exe	srtasks.exe
PID 3964 wrote to memory of 2660	3964	msiexec.exe	srtasks.exe
PID 3964 wrote to memory of 3356	3964	msiexec.exe	MSIBE85.tmp
PID 3964 wrote to memory of 3356	3964	msiexec.exe	MSIBE85.tmp
PID 3964 wrote to memory of 3356	3964	msiexec.exe	MSIBE85.tmp
PID 3356 wrote to memory of 1236	3356	MSIBE85.tmp	MSIBE85.tmp
PID 3356 wrote to memory of 1236	3356	MSIBE85.tmp	MSIBE85.tmp
PID 3356 wrote to memory of 1236	3356	MSIBE85.tmp	MSIBE85.tmp
PID 3356 wrote to memory of 1236	3356	MSIBE85.tmp	MSIBE85.tmp
PID 3020 wrote to memory of 688	3020	Explorer.EXE	netsh.exe
PID 3020 wrote to memory of 688	3020	Explorer.EXE	netsh.exe
PID 3020 wrote to memory of 688	3020	Explorer.EXE	netsh.exe
PID 688 wrote to memory of 1320	688	netsh.exe	cmd.exe
PID 688 wrote to memory of 1320	688	netsh.exe	cmd.exe
PID 688 wrote to memory of 1320	688	netsh.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3020

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ghy87ck.msi
2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:992

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:688

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Installer\MSIBE85.tmp"
3⤵
PID:1320

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Windows\Installer\MSIBE85.tmp
"C:\Windows\Installer\MSIBE85.tmp"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3356

C:\Windows\Installer\MSIBE85.tmp
"C:\Windows\Installer\MSIBE85.tmp"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1236

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3756

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

2

T1120

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\MSIBE85.tmp
MD5
78df6987b12a77a4d38c4d08665ebe18

SHA1
639595a07bd375349f8371e577252087ffe37247

SHA256
b6e96276c116a1100b52ca6fcb369e22b4faa30bbfd48df68942fae3feffb15e

SHA512
1dea3c04f5bc59171e58ed0a0215b953d38ddb34b9d652735d268b5fce391e65fb45048f69a3da528d20cc06fb9ec1976420f8a842ecd551b24067c637d07d05

Download Submit
C:\Windows\Installer\MSIBE85.tmp
MD5
78df6987b12a77a4d38c4d08665ebe18

SHA1
639595a07bd375349f8371e577252087ffe37247

SHA256
b6e96276c116a1100b52ca6fcb369e22b4faa30bbfd48df68942fae3feffb15e

SHA512
1dea3c04f5bc59171e58ed0a0215b953d38ddb34b9d652735d268b5fce391e65fb45048f69a3da528d20cc06fb9ec1976420f8a842ecd551b24067c637d07d05

Download Submit
C:\Windows\Installer\MSIBE85.tmp
MD5
78df6987b12a77a4d38c4d08665ebe18

SHA1
639595a07bd375349f8371e577252087ffe37247

SHA256
b6e96276c116a1100b52ca6fcb369e22b4faa30bbfd48df68942fae3feffb15e

SHA512
1dea3c04f5bc59171e58ed0a0215b953d38ddb34b9d652735d268b5fce391e65fb45048f69a3da528d20cc06fb9ec1976420f8a842ecd551b24067c637d07d05

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
MD5
399c31f21fd14d60e52c160080f47c6d

SHA1
abfdee8fba2538ef3fabf3e7f9b596c6e688ae86

SHA256
8f14ca30db284063093e161a9fa1b6c305bdd2be8d2c40314e24fe3c789e127d

SHA512
f8976a6742859d1d9e003b10fc6b0589402700a6fe9ab5594f30623d376ad9c20bf13b12726fa4818c7440d402c348064eed75052bd0fa5d133feb7611096862

Download Submit
\??\Volume{d05cfc4a-0000-0000-0000-500600000000}\System Volume Information\SPP\OnlineMetadataCache\{15eb5528-b87d-4ce4-8d11-cd67f93369fe}_OnDiskSnapshotProp
MD5
a214a82209c8e032282527ce00c983a8

SHA1
0610ca9edcb682b7a2f3162db2604e781f9f263d

SHA256
5414ad6c1eb23fdf2f70b2d2d52a7e7fb20b87d345903185febba591aadeca54

SHA512
58b335cd793ffdf598639226ff5fa201f4889f27d01f90c48964fdb923ebc5d87975b4e7925ad30a8e687d8bda8fc1d162dee97d7a693d2174dbc0be20f6441a

Download Submit
\Users\Admin\AppData\Local\Temp\kiyeu.dll
MD5
2ba17e14d1ab840f5ca03ee92996928e

SHA1
eb6be7539a81e28c1a20a82316694ff0d36c25cb

SHA256
db10c9636a7d7aec652d7aea8ab16143793b6a1da1c41f8486babc271e9be69d

SHA512
e12ba3e4e1bc3125fa452408be9d7c56aae497799b1986b93106d473979c795fd47a960f14756070580e045286bc197a1d35787adf796b648b39f68b33501627

Download Submit
memory/688-136-0x0000000001640000-0x00000000016D3000-memory.dmp

Filesize
588KB

Download
memory/688-129-0x0000000000000000-mapping.dmp

Download
memory/688-130-0x0000000001730000-0x000000000174E000-memory.dmp

Filesize
120KB

Download
memory/688-131-0x0000000000F00000-0x0000000000F2E000-memory.dmp

Filesize
184KB

Download
memory/688-132-0x00000000038F0000-0x0000000003C10000-memory.dmp

Filesize
3.1MB

Download
memory/1236-123-0x000000000041EB70-mapping.dmp

Download
memory/1236-126-0x00000000009B0000-0x0000000000CD0000-memory.dmp

Filesize
3.1MB

Download
memory/1236-125-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1236-127-0x0000000000E30000-0x0000000000E44000-memory.dmp

Filesize
80KB

Download
memory/1320-133-0x0000000000000000-mapping.dmp

Download
memory/2660-118-0x0000000000000000-mapping.dmp

Download
memory/3020-128-0x0000000006C40000-0x0000000006D55000-memory.dmp

Filesize
1.1MB

Download
memory/3020-137-0x0000000003090000-0x000000000314C000-memory.dmp

Filesize
752KB

Download
memory/3356-119-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads