Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    08-12-2021 19:11

General

  • Target

    Factura4240.GvxnX8qNAA.663.msi

  • Size

    952KB

  • MD5

    ba7c5960ab872f68adeae83b71439f05

  • SHA1

    0e6a95bf7b43202ce3bd66b456006c17ce48dea2

  • SHA256

    2080af3b41c2c57263933820398f0d3f838408366990e9f0c6cdafce0b73a0e9

  • SHA512

    c5016633ff8496bf33c35b21618621b9060a68c0476fb1748742d20225427bb5803054f9ea67e5063086293fb31d96b18533cac7e3c28918cd425b4d700450f4

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 7 IoCs
  • Themida packer 6 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 11 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 54 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Factura4240.GvxnX8qNAA.663.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:800
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding A7B1051527C0460E3CCEE9F52942E17D
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:588
      • C:\Users\Public\vu27dp\opY5.exe
        "C:\Users\Public\vu27dp\opY5.exe"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:848

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\vu27dp\YbCPXGxmpx.dll

    MD5

    fc28931fac6e98a99e628fc3b2507c94

    SHA1

    dfc173d935409f890afc150fd08ac1326d0c901d

    SHA256

    4ef647c476ae369564eafc292e68d68eb9cbd0fe59fa7c1bbe51c2bad35454b1

    SHA512

    c12b7ca8ae01318252b3faa2cf626790c80f5660bca9efe892d1a8aa4f863a14ebb6b577298097e07183e0687efc7837712ce9a39810fe9de6583d68fb107745

  • C:\Users\Public\vu27dp\opY5.ahk

    MD5

    27fe3892e41e095380ad0d1c0edfa43c

    SHA1

    ebdde859a53e1bbc278d4d56815b1940d91556bc

    SHA256

    95be72f0c4c79f34415758e9e247bc29ebac057a9b909d5b195aa0c437ea4d35

    SHA512

    23a51e0f580aab02f42b034577df9daa4e920116db752e238aeb05dfe6c1a2ad924a181d12dc495ffb9b84708bc01caa43240d252999c054f41bd543be6c32eb

  • C:\Users\Public\vu27dp\opY5.exe

    MD5

    01f601da6304451e0bc17cf004c97c43

    SHA1

    1aa363861d1cfc45056068de0710289ebbfcb886

    SHA256

    945adada6cf6698b949359d9b395a5f905989d0d1eb84f537de492ecc1263148

    SHA512

    cc74c0b016ab1f53069f6ffbe1e35373090a64ad5630cefbb70e72febdd00fb2d885838e5b9836382bf4b160998a08d7ce149071c73b10aa4320bca00805cb6b

  • C:\Windows\Installer\MSIBC1E.tmp

    MD5

    d90ab57e6c584f90fbbea74b566216e3

    SHA1

    4616e59aed33848f5870e5e1fe865f932721a162

    SHA256

    44ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9

    SHA512

    5b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695

  • C:\Windows\Installer\MSIBDD4.tmp

    MD5

    d90ab57e6c584f90fbbea74b566216e3

    SHA1

    4616e59aed33848f5870e5e1fe865f932721a162

    SHA256

    44ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9

    SHA512

    5b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695

  • C:\Windows\Installer\MSIBE42.tmp

    MD5

    d90ab57e6c584f90fbbea74b566216e3

    SHA1

    4616e59aed33848f5870e5e1fe865f932721a162

    SHA256

    44ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9

    SHA512

    5b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695

  • C:\Windows\Installer\MSIC9D8.tmp

    MD5

    06bf05c1b207c1340db60571ee6ef552

    SHA1

    64b9ad03c6827a320633336c5e53c974d950ef67

    SHA256

    2ffdeb634dcd556e84b56d8546f5f4840b9b2c14706290230f37bb43b15da901

    SHA512

    a66bda9de66a30495bf592f80b8bdae1b1b6340c37a2f6eb3fabf881a1cf107b626968df42ae319cb0cd5e27b88f0c6fe753f2cc57637430b217855108bc9b81

  • C:\Windows\Installer\MSICAE3.tmp

    MD5

    06bf05c1b207c1340db60571ee6ef552

    SHA1

    64b9ad03c6827a320633336c5e53c974d950ef67

    SHA256

    2ffdeb634dcd556e84b56d8546f5f4840b9b2c14706290230f37bb43b15da901

    SHA512

    a66bda9de66a30495bf592f80b8bdae1b1b6340c37a2f6eb3fabf881a1cf107b626968df42ae319cb0cd5e27b88f0c6fe753f2cc57637430b217855108bc9b81

  • \Users\Public\vu27dp\YbCPXGxmpx.dll

    MD5

    fc28931fac6e98a99e628fc3b2507c94

    SHA1

    dfc173d935409f890afc150fd08ac1326d0c901d

    SHA256

    4ef647c476ae369564eafc292e68d68eb9cbd0fe59fa7c1bbe51c2bad35454b1

    SHA512

    c12b7ca8ae01318252b3faa2cf626790c80f5660bca9efe892d1a8aa4f863a14ebb6b577298097e07183e0687efc7837712ce9a39810fe9de6583d68fb107745

  • \Users\Public\vu27dp\opY5.exe

    MD5

    01f601da6304451e0bc17cf004c97c43

    SHA1

    1aa363861d1cfc45056068de0710289ebbfcb886

    SHA256

    945adada6cf6698b949359d9b395a5f905989d0d1eb84f537de492ecc1263148

    SHA512

    cc74c0b016ab1f53069f6ffbe1e35373090a64ad5630cefbb70e72febdd00fb2d885838e5b9836382bf4b160998a08d7ce149071c73b10aa4320bca00805cb6b

  • \Windows\Installer\MSIBC1E.tmp

    MD5

    d90ab57e6c584f90fbbea74b566216e3

    SHA1

    4616e59aed33848f5870e5e1fe865f932721a162

    SHA256

    44ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9

    SHA512

    5b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695

  • \Windows\Installer\MSIBDD4.tmp

    MD5

    d90ab57e6c584f90fbbea74b566216e3

    SHA1

    4616e59aed33848f5870e5e1fe865f932721a162

    SHA256

    44ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9

    SHA512

    5b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695

  • \Windows\Installer\MSIBE42.tmp

    MD5

    d90ab57e6c584f90fbbea74b566216e3

    SHA1

    4616e59aed33848f5870e5e1fe865f932721a162

    SHA256

    44ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9

    SHA512

    5b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695

  • \Windows\Installer\MSIC9D8.tmp

    MD5

    06bf05c1b207c1340db60571ee6ef552

    SHA1

    64b9ad03c6827a320633336c5e53c974d950ef67

    SHA256

    2ffdeb634dcd556e84b56d8546f5f4840b9b2c14706290230f37bb43b15da901

    SHA512

    a66bda9de66a30495bf592f80b8bdae1b1b6340c37a2f6eb3fabf881a1cf107b626968df42ae319cb0cd5e27b88f0c6fe753f2cc57637430b217855108bc9b81

  • \Windows\Installer\MSICAE3.tmp

    MD5

    06bf05c1b207c1340db60571ee6ef552

    SHA1

    64b9ad03c6827a320633336c5e53c974d950ef67

    SHA256

    2ffdeb634dcd556e84b56d8546f5f4840b9b2c14706290230f37bb43b15da901

    SHA512

    a66bda9de66a30495bf592f80b8bdae1b1b6340c37a2f6eb3fabf881a1cf107b626968df42ae319cb0cd5e27b88f0c6fe753f2cc57637430b217855108bc9b81

  • memory/588-57-0x0000000075761000-0x0000000075763000-memory.dmp

    Filesize

    8KB

  • memory/588-56-0x0000000000000000-mapping.dmp

  • memory/800-54-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmp

    Filesize

    8KB

  • memory/848-69-0x0000000000000000-mapping.dmp

  • memory/848-75-0x00000000031B0000-0x00000000040C8000-memory.dmp

    Filesize

    15.1MB

  • memory/848-76-0x00000000031B0000-0x00000000040C8000-memory.dmp

    Filesize

    15.1MB

  • memory/848-77-0x00000000031B0000-0x00000000040C8000-memory.dmp

    Filesize

    15.1MB

  • memory/848-78-0x00000000031B0000-0x00000000040C8000-memory.dmp

    Filesize

    15.1MB

  • memory/848-79-0x00000000000C0000-0x00000000000C1000-memory.dmp

    Filesize

    4KB