Overview

overview

9

Static

static

Factura424...63.msi

windows7_x64

9

Factura424...63.msi

windows10_x64

9

Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    08-12-2021 19:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Factura4240.GvxnX8qNAA.663.msi

  • Size

    952KB

  • MD5

    ba7c5960ab872f68adeae83b71439f05

  • SHA1

    0e6a95bf7b43202ce3bd66b456006c17ce48dea2

  • SHA256

    2080af3b41c2c57263933820398f0d3f838408366990e9f0c6cdafce0b73a0e9

  • SHA512

    c5016633ff8496bf33c35b21618621b9060a68c0476fb1748742d20225427bb5803054f9ea67e5063086293fb31d96b18533cac7e3c28918cd425b4d700450f4

Score
9/10
evasionpersistencethemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 8 IoCs
  • Themida packer 7 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 13 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 54 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Factura4240.GvxnX8qNAA.663.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3592
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4104
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 1FE1380AAE77F0A03D77EDE8C5A150CC
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2148
      • C:\Users\Public\vu27dp\iaE1.exe
        "C:\Users\Public\vu27dp\iaE1.exe"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4388

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\vu27dp\YbCPXGxmpx.dll
    MD5

    fc28931fac6e98a99e628fc3b2507c94

    SHA1

    dfc173d935409f890afc150fd08ac1326d0c901d

    SHA256

    4ef647c476ae369564eafc292e68d68eb9cbd0fe59fa7c1bbe51c2bad35454b1

    SHA512

    c12b7ca8ae01318252b3faa2cf626790c80f5660bca9efe892d1a8aa4f863a14ebb6b577298097e07183e0687efc7837712ce9a39810fe9de6583d68fb107745

    Download Submit

  • C:\Users\Public\vu27dp\iaE1.ahk
    MD5

    27fe3892e41e095380ad0d1c0edfa43c

    SHA1

    ebdde859a53e1bbc278d4d56815b1940d91556bc

    SHA256

    95be72f0c4c79f34415758e9e247bc29ebac057a9b909d5b195aa0c437ea4d35

    SHA512

    23a51e0f580aab02f42b034577df9daa4e920116db752e238aeb05dfe6c1a2ad924a181d12dc495ffb9b84708bc01caa43240d252999c054f41bd543be6c32eb

    Download Submit

  • C:\Users\Public\vu27dp\iaE1.exe
    MD5

    01f601da6304451e0bc17cf004c97c43

    SHA1

    1aa363861d1cfc45056068de0710289ebbfcb886

    SHA256

    945adada6cf6698b949359d9b395a5f905989d0d1eb84f537de492ecc1263148

    SHA512

    cc74c0b016ab1f53069f6ffbe1e35373090a64ad5630cefbb70e72febdd00fb2d885838e5b9836382bf4b160998a08d7ce149071c73b10aa4320bca00805cb6b

    Download Submit

  • C:\Windows\Installer\MSIA171.tmp
    MD5

    d90ab57e6c584f90fbbea74b566216e3

    SHA1

    4616e59aed33848f5870e5e1fe865f932721a162

    SHA256

    44ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9

    SHA512

    5b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695

    Download Submit

  • C:\Windows\Installer\MSIA460.tmp
    MD5

    d90ab57e6c584f90fbbea74b566216e3

    SHA1

    4616e59aed33848f5870e5e1fe865f932721a162

    SHA256

    44ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9

    SHA512

    5b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695

    Download Submit

  • C:\Windows\Installer\MSIA4DE.tmp
    MD5

    d90ab57e6c584f90fbbea74b566216e3

    SHA1

    4616e59aed33848f5870e5e1fe865f932721a162

    SHA256

    44ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9

    SHA512

    5b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695

    Download Submit

  • C:\Windows\Installer\MSIA57B.tmp
    MD5

    d90ab57e6c584f90fbbea74b566216e3

    SHA1

    4616e59aed33848f5870e5e1fe865f932721a162

    SHA256

    44ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9

    SHA512

    5b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695

    Download Submit

  • C:\Windows\Installer\MSIA9E2.tmp
    MD5

    06bf05c1b207c1340db60571ee6ef552

    SHA1

    64b9ad03c6827a320633336c5e53c974d950ef67

    SHA256

    2ffdeb634dcd556e84b56d8546f5f4840b9b2c14706290230f37bb43b15da901

    SHA512

    a66bda9de66a30495bf592f80b8bdae1b1b6340c37a2f6eb3fabf881a1cf107b626968df42ae319cb0cd5e27b88f0c6fe753f2cc57637430b217855108bc9b81

    Download Submit

  • C:\Windows\Installer\MSIAD30.tmp
    MD5

    06bf05c1b207c1340db60571ee6ef552

    SHA1

    64b9ad03c6827a320633336c5e53c974d950ef67

    SHA256

    2ffdeb634dcd556e84b56d8546f5f4840b9b2c14706290230f37bb43b15da901

    SHA512

    a66bda9de66a30495bf592f80b8bdae1b1b6340c37a2f6eb3fabf881a1cf107b626968df42ae319cb0cd5e27b88f0c6fe753f2cc57637430b217855108bc9b81

    Download Submit

  • \Users\Public\vu27dp\YbCPXGxmpx.dll
    MD5

    fc28931fac6e98a99e628fc3b2507c94

    SHA1

    dfc173d935409f890afc150fd08ac1326d0c901d

    SHA256

    4ef647c476ae369564eafc292e68d68eb9cbd0fe59fa7c1bbe51c2bad35454b1

    SHA512

    c12b7ca8ae01318252b3faa2cf626790c80f5660bca9efe892d1a8aa4f863a14ebb6b577298097e07183e0687efc7837712ce9a39810fe9de6583d68fb107745

    Download Submit

  • \Users\Public\vu27dp\YbCPXGxmpx.dll
    MD5

    fc28931fac6e98a99e628fc3b2507c94

    SHA1

    dfc173d935409f890afc150fd08ac1326d0c901d

    SHA256

    4ef647c476ae369564eafc292e68d68eb9cbd0fe59fa7c1bbe51c2bad35454b1

    SHA512

    c12b7ca8ae01318252b3faa2cf626790c80f5660bca9efe892d1a8aa4f863a14ebb6b577298097e07183e0687efc7837712ce9a39810fe9de6583d68fb107745

    Download Submit

  • \Windows\Installer\MSIA171.tmp
    MD5

    d90ab57e6c584f90fbbea74b566216e3

    SHA1

    4616e59aed33848f5870e5e1fe865f932721a162

    SHA256

    44ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9

    SHA512

    5b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695

    Download Submit

  • \Windows\Installer\MSIA460.tmp
    MD5

    d90ab57e6c584f90fbbea74b566216e3

    SHA1

    4616e59aed33848f5870e5e1fe865f932721a162

    SHA256

    44ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9

    SHA512

    5b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695

    Download Submit

  • \Windows\Installer\MSIA4DE.tmp
    MD5

    d90ab57e6c584f90fbbea74b566216e3

    SHA1

    4616e59aed33848f5870e5e1fe865f932721a162

    SHA256

    44ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9

    SHA512

    5b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695

    Download Submit

  • \Windows\Installer\MSIA57B.tmp
    MD5

    d90ab57e6c584f90fbbea74b566216e3

    SHA1

    4616e59aed33848f5870e5e1fe865f932721a162

    SHA256

    44ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9

    SHA512

    5b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695

    Download Submit

  • \Windows\Installer\MSIA9E2.tmp
    MD5

    06bf05c1b207c1340db60571ee6ef552

    SHA1

    64b9ad03c6827a320633336c5e53c974d950ef67

    SHA256

    2ffdeb634dcd556e84b56d8546f5f4840b9b2c14706290230f37bb43b15da901

    SHA512

    a66bda9de66a30495bf592f80b8bdae1b1b6340c37a2f6eb3fabf881a1cf107b626968df42ae319cb0cd5e27b88f0c6fe753f2cc57637430b217855108bc9b81

    Download Submit

  • \Windows\Installer\MSIAD30.tmp
    MD5

    06bf05c1b207c1340db60571ee6ef552

    SHA1

    64b9ad03c6827a320633336c5e53c974d950ef67

    SHA256

    2ffdeb634dcd556e84b56d8546f5f4840b9b2c14706290230f37bb43b15da901

    SHA512

    a66bda9de66a30495bf592f80b8bdae1b1b6340c37a2f6eb3fabf881a1cf107b626968df42ae319cb0cd5e27b88f0c6fe753f2cc57637430b217855108bc9b81

    Download Submit

  • memory/2148-120-0x0000000000E00000-0x0000000000E01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2148-119-0x0000000000000000-mapping.dmp

    Download

  • memory/2148-121-0x0000000000E00000-0x0000000000E01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3592-115-0x0000013A303F0000-0x0000013A303F2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3592-116-0x0000013A303F0000-0x0000013A303F2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4104-118-0x000001B89A750000-0x000001B89A752000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4104-117-0x000001B89A750000-0x000001B89A752000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4388-134-0x0000000000000000-mapping.dmp

    Download

  • memory/4388-140-0x00000000049A0000-0x00000000058B8000-memory.dmp

    Filesize

    15.1MB

    Download

  • memory/4388-141-0x00000000049A0000-0x00000000058B8000-memory.dmp

    Filesize

    15.1MB

    Download

  • memory/4388-142-0x00000000049A0000-0x00000000058B8000-memory.dmp

    Filesize

    15.1MB

    Download

  • memory/4388-143-0x00000000049A0000-0x00000000058B8000-memory.dmp

    Filesize

    15.1MB

    Download

  • memory/4388-144-0x0000000000140000-0x00000000001EE000-memory.dmp

    Filesize

    696KB

    Download