Analysis
max time kernel: 117s
max time network: 119s
platform: windows7_x64
resource: win7-en-20211208
submitted: 08-12-2021 19:11
Static task: static1
Behavioral task: behavioral1
  Sample: Factura4240.GvxnX8qNAA.663.msi
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: Factura4240.GvxnX8qNAA.663.msi
  Resource: win10-en-20211208
General
Target: Factura4240.GvxnX8qNAA.663.msi
Size: 952KB
MD5: ba7c5960ab872f68adeae83b71439f05
SHA1: 0e6a95bf7b43202ce3bd66b456006c17ce48dea2
SHA256: 2080af3b41c2c57263933820398f0d3f838408366990e9f0c6cdafce0b73a0e9
SHA512: c5016633ff8496bf33c35b21618621b9060a68c0476fb1748742d20225427bb5803054f9ea67e5063086293fb31d96b18533cac7e3c28918cd425b4d700450f4
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs]

Blocklisted process makes network request [1 IoCs]
Processes:
  flow | pid | process
  4 | 588 | MsiExec.exe

Executes dropped EXE [1 IoCs]
Processes:
  pid | process
  848 | opY5.exe

Checks BIOS information in registry [2 TTPs, 2 IoCs]
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | opY5.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | opY5.exe

Loads dropped DLL [7 IoCs]
Processes:
  pid | process
  588 | MsiExec.exe
  588 | MsiExec.exe
  588 | MsiExec.exe
  588 | MsiExec.exe
  588 | MsiExec.exe
  588 | MsiExec.exe
  848 | opY5.exe

Processes:
  resource | yara_rule
  C:\Users\Public\vu27dp\YbCPXGxmpx.dll | themida
  \Users\Public\vu27dp\YbCPXGxmpx.dll | themida
  behavioral1/memory/848-75-0x00000000031B0000-0x00000000040C8000-memory.dmp | themida
  behavioral1/memory/848-76-0x00000000031B0000-0x00000000040C8000-memory.dmp | themida
  behavioral1/memory/848-77-0x00000000031B0000-0x00000000040C8000-memory.dmp | themida
  behavioral1/memory/848-78-0x00000000031B0000-0x00000000040C8000-memory.dmp | themida

Adds Run key to start application [2 TTPs, 2 IoCs]
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run | MsiExec.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\v24h = "C:\\Users\\Public\\vu27dp\\opY5.exe" | MsiExec.exe

Checks whether UAC is enabled
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | opY5.exe

Enumerates connected drives [3 TTPs, 48 IoCs]
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
  description: File opened (read-only)
  process: msiexec.exe
  ioc, in the order observed (48 entries):
  \??\R: \??\U: \??\W: \??\E: \??\S: \??\W: \??\A: \??\F: \??\T: \??\K: \??\L: \??\Y:
  \??\J: \??\O: \??\H: \??\J: \??\M: \??\T: \??\I: \??\A: \??\X: \??\O: \??\Q: \??\X:
  \??\Z: \??\G: \??\N: \??\P: \??\S: \??\V: \??\Y: \??\Z: \??\F: \??\B: \??\L: \??\U:
  \??\V: \??\G: \??\N: \??\B: \??\I: \??\H: \??\Q: \??\M: \??\P: \??\R: \??\E: \??\K:

Looks up external IP address via web service [1 IoCs]
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  5 | ipinfo.io

Drops file in Windows directory [11 IoCs]
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\Installer\f75ba79.msi | msiexec.exe
  File created | C:\Windows\Installer\f75ba7b.ipi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIC96A.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIC9D8.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSICAE3.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\f75ba7b.ipi | msiexec.exe
  File created | C:\Windows\Installer\f75ba79.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIBC1E.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIBDD4.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIBE42.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe

Suspicious behavior: AddClipboardFormatListener [1 IoCs]
Processes:
  pid | process
  848 | opY5.exe

Suspicious behavior: EnumeratesProcesses [3 IoCs]
Processes:
  pid | process
  1916 | msiexec.exe
  1916 | msiexec.exe
  848 | opY5.exe

Suspicious use of AdjustPrivilegeToken [54 IoCs]
Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 800 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 800 | msiexec.exe
  Token: SeRestorePrivilege | 1916 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1916 | msiexec.exe
  Token: SeSecurityPrivilege | 1916 | msiexec.exe
  Token: SeCreateTokenPrivilege | 800 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 800 | msiexec.exe
  Token: SeLockMemoryPrivilege | 800 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 800 | msiexec.exe
  Token: SeMachineAccountPrivilege | 800 | msiexec.exe
  Token: SeTcbPrivilege | 800 | msiexec.exe
  Token: SeSecurityPrivilege | 800 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 800 | msiexec.exe
  Token: SeLoadDriverPrivilege | 800 | msiexec.exe
  Token: SeSystemProfilePrivilege | 800 | msiexec.exe
  Token: SeSystemtimePrivilege | 800 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 800 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 800 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 800 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 800 | msiexec.exe
  Token: SeBackupPrivilege | 800 | msiexec.exe
  Token: SeRestorePrivilege | 800 | msiexec.exe
  Token: SeShutdownPrivilege | 800 | msiexec.exe
  Token: SeDebugPrivilege | 800 | msiexec.exe
  Token: SeAuditPrivilege | 800 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 800 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 800 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 800 | msiexec.exe
  Token: SeUndockPrivilege | 800 | msiexec.exe
  Token: SeSyncAgentPrivilege | 800 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 800 | msiexec.exe
  Token: SeManageVolumePrivilege | 800 | msiexec.exe
  Token: SeImpersonatePrivilege | 800 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 800 | msiexec.exe
  Token: SeRestorePrivilege | 1916 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1916 | msiexec.exe
  Token: SeRestorePrivilege | 1916 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1916 | msiexec.exe
  Token: SeRestorePrivilege | 1916 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1916 | msiexec.exe
  Token: SeRestorePrivilege | 1916 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1916 | msiexec.exe
  Token: SeRestorePrivilege | 1916 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1916 | msiexec.exe
  Token: SeRestorePrivilege | 1916 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1916 | msiexec.exe
  Token: SeRestorePrivilege | 1916 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1916 | msiexec.exe
  Token: SeRestorePrivilege | 1916 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1916 | msiexec.exe
  Token: SeRestorePrivilege | 1916 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1916 | msiexec.exe
  Token: SeRestorePrivilege | 1916 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1916 | msiexec.exe

Suspicious use of FindShellTrayWindow [5 IoCs]
Processes:
  pid | process
  800 | msiexec.exe
  800 | msiexec.exe
  848 | opY5.exe
  848 | opY5.exe
  848 | opY5.exe

Suspicious use of SendNotifyMessage [3 IoCs]
Processes:
  pid | process
  848 | opY5.exe
  848 | opY5.exe
  848 | opY5.exe

Suspicious use of WriteProcessMemory [11 IoCs]
Processes:
  description | pid | process | target process
  PID 1916 wrote to memory of 588 | 1916 | msiexec.exe | MsiExec.exe
  PID 1916 wrote to memory of 588 | 1916 | msiexec.exe | MsiExec.exe
  PID 1916 wrote to memory of 588 | 1916 | msiexec.exe | MsiExec.exe
  PID 1916 wrote to memory of 588 | 1916 | msiexec.exe | MsiExec.exe
  PID 1916 wrote to memory of 588 | 1916 | msiexec.exe | MsiExec.exe
  PID 1916 wrote to memory of 588 | 1916 | msiexec.exe | MsiExec.exe
  PID 1916 wrote to memory of 588 | 1916 | msiexec.exe | MsiExec.exe
  PID 588 wrote to memory of 848 | 588 | MsiExec.exe | opY5.exe
  PID 588 wrote to memory of 848 | 588 | MsiExec.exe | opY5.exe
  PID 588 wrote to memory of 848 | 588 | MsiExec.exe | opY5.exe
  PID 588 wrote to memory of 848 | 588 | MsiExec.exe | opY5.exe
Processes

C:\Windows\system32\msiexec.exe
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Factura4240.GvxnX8qNAA.663.msi
  PID: 800
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  PID: 1916
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\syswow64\MsiExec.exe (child of PID 1916)
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding A7B1051527C0460E3CCEE9F52942E17D
    PID: 588
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Public\vu27dp\opY5.exe (child of PID 588)
      command line: "C:\Users\Public\vu27dp\opY5.exe"
      PID: 848
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Loads dropped DLL
      - Checks whether UAC is enabled
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

Network
MITRE ATT&CK Enterprise v6
Downloads