Resubmissions
14-09-2022 05:09  220914-fs6n4adahk
14-09-2022 05:09  220914-fs459shcf2
11-08-2022 20:58  220811-zr9h5sefg3
02-08-2022 11:13  220802-nbqkjsebg7
Analysis
max time kernel: 813s
max time network: 1224s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 14-09-2022 05:09
Static task: static1
Behavioral task: behavioral1 (sample: bad-piggies-1-3-0-en-win.exe, resource: win7-20220812-en)
Behavioral task: behavioral2 (sample: bad-piggies-1-3-0-en-win.exe, resource: win10-20220812-en)
Behavioral task: behavioral3 (sample: bad-piggies-1-3-0-en-win.exe, resource: win10v2004-20220812-en)
General
Target: bad-piggies-1-3-0-en-win.exe
Size: 26.9MB
MD5: e7cfb590d467514eae6071e3fe264c4d
SHA1: d5ba530239e3a9fb3af41468db606c6d10503d65
SHA256: d069cc98d81da2a127a958a0f27929c2f4d28df190423231bd4403d0a2d5738e
SHA512: bf9a2f7df2421f5c4530d62fe6f524b75d7d893d3e930005e67433ffafc998fe099379a10eaf93bf6dbc3e548213c5e61ad14820c88c4f5bb5ccbba0bff95849
SSDEEP: 393216:IJo5AaSO3UpcWKhef0O12q6EgdzmGcpeT4oRW2Jsyhjo25XBEIDoSfaANuZxXa+7:U9aSOi9Khef0cJGjwT2HrsnXa7MnmXw
Malware Config
Signatures
Blocklisted process makes network request (2 IoCs)
flow  pid   Process
5     4068  msiexec.exe
7     4068  msiexec.exe
Loads dropped DLL (5 IoCs)
pid   Process
4528  bad-piggies-1-3-0-en-win.exe
4528  bad-piggies-1-3-0-en-win.exe
4456  MsiExec.exe
4456  MsiExec.exe
4456  MsiExec.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
All 48 rows have description "File opened (read-only)" and Process msiexec.exe; the ioc column, in report order:
\??\G: \??\I: \??\W: \??\Y: \??\H: \??\B: \??\K: \??\W: \??\A: \??\M: \??\N: \??\Q:
\??\U: \??\L: \??\P: \??\Q: \??\L: \??\P: \??\X: \??\E: \??\J: \??\R: \??\S: \??\X:
\??\H: \??\J: \??\K: \??\S: \??\T: \??\A: \??\F: \??\V: \??\B: \??\E: \??\T: \??\V:
\??\Z: \??\Y: \??\F: \??\G: \??\M: \??\O: \??\N: \??\O: \??\R: \??\I: \??\U: \??\Z:
Drops file in System32 directory (10 IoCs)
description  ioc  Process
File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{76E4BDEC-5F44-4919-933C-F0929931D9AB}.catalogItem  svchost.exe
File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{9E143675-9FB2-4ED7-BFD4-E7D6840A7E42}.catalogItem  svchost.exe
File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{7FEDE517-2936-47B8-893C-4D8348B4113D}.catalogItem  svchost.exe
File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{FD85F9FF-124F-4E26-8DFF-20B912190BFD}.catalogItem  svchost.exe
File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NXQXXLFST89.dat  svchost.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NXQXXLFST89.dat  svchost.exe
File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat  svchost.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat  svchost.exe
File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{04375A74-2BCB-4357-9B66-B4FEACACFE62}.catalogItem  svchost.exe
File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{C0641E49-9C24-43E4-A243-B0BD548E33CD}.catalogItem  svchost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description (Token:)  pid  Process
All 64 rows have Process msiexec.exe and pid 4068, except the single row marked (pid 408). Tokens in report order:
SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege (pid 408), SeCreateTokenPrivilege,
SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege,
SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege,
SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege,
SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege,
SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege,
SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege,
SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege,
SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege,
SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege,
SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege,
SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege,
SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege,
SeCreateGlobalPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege
Suspicious use of FindShellTrayWindow (2 IoCs)
pid   Process
4528  bad-piggies-1-3-0-en-win.exe
4068  msiexec.exe
Suspicious use of WriteProcessMemory (5 IoCs)
description  pid  Process  procid_target
PID 4528 wrote to memory of 4068  4528  bad-piggies-1-3-0-en-win.exe  76
PID 4528 wrote to memory of 4068  4528  bad-piggies-1-3-0-en-win.exe  76
PID 408 wrote to memory of 4456  408  msiexec.exe  79
PID 408 wrote to memory of 4456  408  msiexec.exe  79
PID 408 wrote to memory of 4456  408  msiexec.exe  79
Processes
C:\Users\Admin\AppData\Local\Temp\bad-piggies-1-3-0-en-win.exe  (PID 4528)
  command line: "C:\Users\Admin\AppData\Local\Temp\bad-piggies-1-3-0-en-win.exe"
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\msiexec.exe  (PID 4068)
    command line: /i "C:\Users\Admin\AppData\Roaming\Rovio Entertainment Ltd\Bad Piggies 1.3.0.0\install\9D1A059\Installer.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\bad-piggies-1-3-0-en-win.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
C:\Windows\system32\msiexec.exe  (PID 408)
  command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\syswow64\MsiExec.exe  (PID 4456)
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding 10E7EDD344D4DE5E465526C8F9167E76 C
    - Loads dropped DLL
C:\Windows\System32\svchost.exe  (PID 1160)
  command line: C:\Windows\System32\svchost.exe -k netsvcs -p
  - Drops file in System32 directory
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 70KB
MD5: c21c03a2f0b88b9b76b1e43c6477be8b
SHA1: 0bf4c242a4530b6994d5eb6d03212c668f4596c7
SHA256: 65247f299c9f78c9041087df2e043e469295146645120c721629f9e048a3e378
SHA512: b678e34e2bb6b049bee1827d7b7b78c4ed6204b4ef7c23a12c43c5c0c566d9cbfd0bd177016bca79d63b1394bf0dcc1b32e98b423a2d23b5d5e3a4f05775add1
C:\Users\Admin\AppData\Roaming\Rovio Entertainment Ltd\Bad Piggies 1.3.0.0\install\9D1A059\Installer.msi
Filesize: 963KB
MD5: 28f5b2639aa751eb175fe3ccf989ecd5
SHA1: 38f98d6a25660fc3d4c28b48537d38e792e4eaa6
SHA256: a3683613d47a5d9e64725c34dd5c8ccf27134a834c8403df8d9ec1f92acdc128
SHA512: 05e6d0c880412580e9132def3ebc556acd22a8726e60e9ddc197e5bb47d7aac11f9b10ec4b511195391189158b234835ed88eb5b125cf39ffde75304f2abd388
-
Filesize: 120KB
MD5: 7fe03d84ca384aa478bcdf4ba3558983
SHA1: e7bf3412cb9747a4bf92639a9290a70642f0fd6d
SHA256: 25c027fa14602412c0692c619e5e6b696a5ddaa4577364989a098fb7605feb6f
SHA512: 6d71103cd23c791fe82dab15ae4786a2ec13a98dfcb3120a4f22a6eaf31d07a58d54c8d501e1ecc52cd4031dfd484eb5cbaa6138476166050ca123f381aa3e35