Analysis
-
max time kernel
500s -
max time network
509s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-es -
resource tags
-
submitted
29-11-2022 21:25
General
-
Target
Fact63867.msi
-
Size
6.2MB
-
MD5
ed4a51080ca004ea566ac94a3c73e89d
-
SHA1
6928d42a8324c0d93be8655d32c9c5712c8ffcd9
-
SHA256
b324bf2765637c425eea72826c3a1524873fc8b2dc7c06cf9f5b3312bde8861a
-
SHA512
9e5c2f08639edd4bf3a05463a031a4e60a51854bf4f3ed213a1b5e06878e28a7dc951a8039fa35b3024ea8b6c15b833c439ac81908828545a062a0a152e7d14f
-
SSDEEP
98304:5YItM2AfnWKKLLS4MDCMPXbGSfK/8JzDuXcVCfDH22JG3w392SscX7e8iN:pMnlKLO4OLO2DuXcVyvKy2
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
-
Loads dropped DLL 6 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Drops file in Windows directory 12 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Fact63867.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 440F16839D9E89DAC9334566062ED8302⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\Installer\MSI9CE1.tmpFilesize
376KB
MD5e12c5bcc254c953b1a46d1434804f4d2
SHA199f67acf34af1294f3c6e5eb521c862e1c772397
SHA2565316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
SHA5129a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b
-
C:\Windows\Installer\MSI9CE1.tmpFilesize
376KB
MD5e12c5bcc254c953b1a46d1434804f4d2
SHA199f67acf34af1294f3c6e5eb521c862e1c772397
SHA2565316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
SHA5129a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b
-
C:\Windows\Installer\MSI9FFF.tmpFilesize
376KB
MD5e12c5bcc254c953b1a46d1434804f4d2
SHA199f67acf34af1294f3c6e5eb521c862e1c772397
SHA2565316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
SHA5129a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b
-
C:\Windows\Installer\MSI9FFF.tmpFilesize
376KB
MD5e12c5bcc254c953b1a46d1434804f4d2
SHA199f67acf34af1294f3c6e5eb521c862e1c772397
SHA2565316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
SHA5129a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b
-
C:\Windows\Installer\MSIA0BB.tmpFilesize
376KB
MD5e12c5bcc254c953b1a46d1434804f4d2
SHA199f67acf34af1294f3c6e5eb521c862e1c772397
SHA2565316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
SHA5129a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b
-
C:\Windows\Installer\MSIA0BB.tmpFilesize
376KB
MD5e12c5bcc254c953b1a46d1434804f4d2
SHA199f67acf34af1294f3c6e5eb521c862e1c772397
SHA2565316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
SHA5129a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b
-
C:\Windows\Installer\MSIA149.tmpFilesize
376KB
MD5e12c5bcc254c953b1a46d1434804f4d2
SHA199f67acf34af1294f3c6e5eb521c862e1c772397
SHA2565316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
SHA5129a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b
-
C:\Windows\Installer\MSIA149.tmpFilesize
376KB
MD5e12c5bcc254c953b1a46d1434804f4d2
SHA199f67acf34af1294f3c6e5eb521c862e1c772397
SHA2565316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
SHA5129a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b
-
C:\Windows\Installer\MSIA4E5.tmpFilesize
5.6MB
MD5afb959b80485c54d9826079f19f082fb
SHA11ccd9c54b0cbcf2430bf7e6da9b3848702cf0b2c
SHA25650c6fd23e092687df69dfd82ed40e14fe55e667a47e8dd2884ab936de75d7a4f
SHA512c0165196d2ca411dc15e34cb9d30bd09a14a0049c78d6c6e647ea55d5de6f84f3c2813db56e5fe19f26c901690d55145835d317826bbe7aded898515a4f690c8
-
C:\Windows\Installer\MSIA4E5.tmpFilesize
5.6MB
MD5afb959b80485c54d9826079f19f082fb
SHA11ccd9c54b0cbcf2430bf7e6da9b3848702cf0b2c
SHA25650c6fd23e092687df69dfd82ed40e14fe55e667a47e8dd2884ab936de75d7a4f
SHA512c0165196d2ca411dc15e34cb9d30bd09a14a0049c78d6c6e647ea55d5de6f84f3c2813db56e5fe19f26c901690d55145835d317826bbe7aded898515a4f690c8
-
C:\Windows\Installer\MSIA4E5.tmpFilesize
5.6MB
MD5afb959b80485c54d9826079f19f082fb
SHA11ccd9c54b0cbcf2430bf7e6da9b3848702cf0b2c
SHA25650c6fd23e092687df69dfd82ed40e14fe55e667a47e8dd2884ab936de75d7a4f
SHA512c0165196d2ca411dc15e34cb9d30bd09a14a0049c78d6c6e647ea55d5de6f84f3c2813db56e5fe19f26c901690d55145835d317826bbe7aded898515a4f690c8
-
memory/3456-132-0x0000000000000000-mapping.dmp
-
memory/3456-144-0x0000000003470000-0x0000000004128000-memory.dmpFilesize
12.7MB
-
memory/3456-147-0x0000000003470000-0x0000000004128000-memory.dmpFilesize
12.7MB
-
memory/3456-148-0x0000000003470000-0x0000000004128000-memory.dmpFilesize
12.7MB