Overview

overview

9

Static

static

Fact63867.msi

windows7-x64

9

Fact63867.msi

windows10-2004-x64

8

Analysis

  • max time kernel
    417s
  • max time network
    409s
  • platform
    windows7_x64
  • resource
    win7-20220812-es
  • resource tags

    arch:x64arch:x86image:win7-20220812-eslocale:es-esos:windows7-x64systemwindows
  • submitted
    29-11-2022 21:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Fact63867.msi

  • Size

    6.2MB

  • MD5

    ed4a51080ca004ea566ac94a3c73e89d

  • SHA1

    6928d42a8324c0d93be8655d32c9c5712c8ffcd9

  • SHA256

    b324bf2765637c425eea72826c3a1524873fc8b2dc7c06cf9f5b3312bde8861a

  • SHA512

    9e5c2f08639edd4bf3a05463a031a4e60a51854bf4f3ed213a1b5e06878e28a7dc951a8039fa35b3024ea8b6c15b833c439ac81908828545a062a0a152e7d14f

  • SSDEEP

    98304:5YItM2AfnWKKLLS4MDCMPXbGSfK/8JzDuXcVCfDH22JG3w392SscX7e8iN:pMnlKLO4OLO2DuXcVyvKy2

Score
9/10
collectionevasionpersistencespywarestealerthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Blocklisted process makes network request 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 12 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 14 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Windows directory 13 IoCs
  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 52 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Fact63867.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1328
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding FC29856E33815918B1DB031232572417
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:592
      • C:\Users\Admin\AppData\Roaming\ubJq6elBW\CI9.5.exe
        "C:\Users\Admin\AppData\Roaming\ubJq6elBW\CI9.5.exe" "C:\Users\Admin\AppData\Roaming\ubJq6elBW\CI9.5.ahk"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Modifies Internet Explorer settings
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:996
  • C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
    1⤵
    • Accesses Microsoft Outlook profiles
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • outlook_win_path
    PID:548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

3
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\ubJq6elBW\CI9.5.ahk
    Filesize

    183B

    MD5

    a78489926d3672d229eab3f9c8c23bae

    SHA1

    783d99204ddc7a1c3bba7e9f48ccd65c5f56fc9b

    SHA256

    07e6a2c9a716ffebc7af7c2cda06419e085cd079e2ffb0821b2049a066f2fed2

    SHA512

    9620d904b963e345dc91ec378c7f5b6590d6f728e80f97c851427a20b91bf878e3dbbde8d0fbf129f83ffc9b748ee3265c39d294feb14bc260a84ba09a80b74f

    Download Submit
  • C:\Users\Admin\AppData\Roaming\ubJq6elBW\CI9.5.exe
    Filesize

    889KB

    MD5

    03c469798bf1827d989f09f346ce95f7

    SHA1

    05e491bc1b8fbfbfdca24b565f2464137f30691e

    SHA256

    de87c8713fac002b0b0a0f9b02c4e3ebcccf65282a22f5ab5912a9da00f35c2a

    SHA512

    d95aed75dd7b2470d4e5052b4b494ad9efbb9eee42c63cf0b38f1d0275ff7b1bb8ee4cbc69d1bb219dbbf33ad3b01cea97f87fa8fe69be7f943aa4417a603238

    Download Submit
  • C:\Users\Admin\AppData\Roaming\ubJq6elBW\lqfcokdmym.zkl
    Filesize

    11.1MB

    MD5

    e285914e9a3566935297e68dce21f06b

    SHA1

    eef34022b4077139c770b7b132843ad4c5125878

    SHA256

    36d8e17d5ffb53127544b18a4b1770cac29d4eebe7b5af7968e8d760ddca0529

    SHA512

    33b8750cae07a61b43e913ead9a57f31ce63a12c99bf9f7eaa872ebd262957841463765fd8d0d8ab93e351b8da034b2bcdbb0a0329e7a9fdaa565fd2a3e5cd95

    Download Submit
  • C:\Windows\Installer\MSI1DED.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit
  • C:\Windows\Installer\MSI27FC.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit
  • C:\Windows\Installer\MSI286B.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit
  • C:\Windows\Installer\MSI37E7.tmp
    Filesize

    5.6MB

    MD5

    afb959b80485c54d9826079f19f082fb

    SHA1

    1ccd9c54b0cbcf2430bf7e6da9b3848702cf0b2c

    SHA256

    50c6fd23e092687df69dfd82ed40e14fe55e667a47e8dd2884ab936de75d7a4f

    SHA512

    c0165196d2ca411dc15e34cb9d30bd09a14a0049c78d6c6e647ea55d5de6f84f3c2813db56e5fe19f26c901690d55145835d317826bbe7aded898515a4f690c8

    Download Submit
  • \Users\Admin\AppData\Local\Temp\4207d22d.dll
    Filesize

    8KB

    MD5

    d8f4ab8284f0fda871d6834e24bc6f37

    SHA1

    641948e44a1dcfd0ef68910768eb4b1ea6b49d10

    SHA256

    c09d0790e550694350b94ca6b077c54f983c135fab8990df5a75462804150912

    SHA512

    f65a916041846718306567d33273c3d0f41e0b26589cf6db46ec6c788ba0d87a708c94979d3bd0609142badca9e7129690b92169a07dcf7cd8c66698827d2fa0

    Download Submit
  • \Users\Admin\AppData\Roaming\ubJq6elBW\CI9.5.exe
    Filesize

    889KB

    MD5

    03c469798bf1827d989f09f346ce95f7

    SHA1

    05e491bc1b8fbfbfdca24b565f2464137f30691e

    SHA256

    de87c8713fac002b0b0a0f9b02c4e3ebcccf65282a22f5ab5912a9da00f35c2a

    SHA512

    d95aed75dd7b2470d4e5052b4b494ad9efbb9eee42c63cf0b38f1d0275ff7b1bb8ee4cbc69d1bb219dbbf33ad3b01cea97f87fa8fe69be7f943aa4417a603238

    Download Submit
  • \Users\Admin\AppData\Roaming\ubJq6elBW\lqfcokdmym.zkl
    Filesize

    11.1MB

    MD5

    e285914e9a3566935297e68dce21f06b

    SHA1

    eef34022b4077139c770b7b132843ad4c5125878

    SHA256

    36d8e17d5ffb53127544b18a4b1770cac29d4eebe7b5af7968e8d760ddca0529

    SHA512

    33b8750cae07a61b43e913ead9a57f31ce63a12c99bf9f7eaa872ebd262957841463765fd8d0d8ab93e351b8da034b2bcdbb0a0329e7a9fdaa565fd2a3e5cd95

    Download Submit
  • \Windows\Installer\MSI1DED.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit
  • \Windows\Installer\MSI27FC.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit
  • \Windows\Installer\MSI286B.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit
  • \Windows\Installer\MSI37E7.tmp
    Filesize

    5.6MB

    MD5

    afb959b80485c54d9826079f19f082fb

    SHA1

    1ccd9c54b0cbcf2430bf7e6da9b3848702cf0b2c

    SHA256

    50c6fd23e092687df69dfd82ed40e14fe55e667a47e8dd2884ab936de75d7a4f

    SHA512

    c0165196d2ca411dc15e34cb9d30bd09a14a0049c78d6c6e647ea55d5de6f84f3c2813db56e5fe19f26c901690d55145835d317826bbe7aded898515a4f690c8

    Download Submit
  • memory/548-115-0x0000000072921000-0x0000000072923000-memory.dmp
    Filesize

    8KB

    Download
  • memory/548-116-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

    Download
  • memory/548-117-0x000000007390D000-0x0000000073918000-memory.dmp
    Filesize

    44KB

    Download
  • memory/548-119-0x000000006CC31000-0x000000006CC33000-memory.dmp
    Filesize

    8KB

    Download
  • memory/548-120-0x000000006C441000-0x000000006C443000-memory.dmp
    Filesize

    8KB

    Download
  • memory/592-66-0x0000000002600000-0x000000000324A000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/592-70-0x00000000025C0000-0x0000000003278000-memory.dmp
    Filesize

    12.7MB

    Download
  • memory/592-73-0x00000000025C0000-0x0000000003278000-memory.dmp
    Filesize

    12.7MB

    Download
  • memory/592-72-0x0000000002600000-0x000000000324A000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/592-71-0x0000000002600000-0x000000000324A000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/592-56-0x0000000000000000-mapping.dmp
    Download
  • memory/592-57-0x0000000075A81000-0x0000000075A83000-memory.dmp
    Filesize

    8KB

    Download
  • memory/592-67-0x00000000025C0000-0x0000000003278000-memory.dmp
    Filesize

    12.7MB

    Download
  • memory/592-69-0x0000000002600000-0x000000000324A000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/592-114-0x00000000025C0000-0x0000000003278000-memory.dmp
    Filesize

    12.7MB

    Download
  • memory/592-113-0x0000000002600000-0x000000000324A000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/996-83-0x0000000003160000-0x0000000004E3A000-memory.dmp
    Filesize

    28.9MB

    Download
  • memory/996-112-0x00000000777F0000-0x0000000077970000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/996-89-0x0000000003160000-0x0000000004E3A000-memory.dmp
    Filesize

    28.9MB

    Download
  • memory/996-90-0x0000000003160000-0x0000000004E3A000-memory.dmp
    Filesize

    28.9MB

    Download
  • memory/996-91-0x0000000003160000-0x0000000004E3A000-memory.dmp
    Filesize

    28.9MB

    Download
  • memory/996-93-0x0000000061E00000-0x0000000061EC1000-memory.dmp
    Filesize

    772KB

    Download
  • memory/996-87-0x0000000003160000-0x0000000004E3A000-memory.dmp
    Filesize

    28.9MB

    Download
  • memory/996-88-0x0000000003160000-0x0000000004E3A000-memory.dmp
    Filesize

    28.9MB

    Download
  • memory/996-86-0x0000000003160000-0x0000000004E3A000-memory.dmp
    Filesize

    28.9MB

    Download
  • memory/996-85-0x0000000003160000-0x0000000004E3A000-memory.dmp
    Filesize

    28.9MB

    Download
  • memory/996-84-0x0000000003160000-0x0000000004E3A000-memory.dmp
    Filesize

    28.9MB

    Download
  • memory/996-75-0x0000000000000000-mapping.dmp
    Download
  • memory/996-81-0x00000000777F0000-0x0000000077970000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/996-82-0x0000000003160000-0x0000000004E3A000-memory.dmp
    Filesize

    28.9MB

    Download
  • memory/1328-54-0x000007FEFC031000-0x000007FEFC033000-memory.dmp
    Filesize

    8KB

    Download