Analysis
max time kernel: 371s
max time network: 390s
platform: windows10-2004_x64
resource: win10v2004-20221111-es
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-es, locale:es-es, os:windows10-2004-x64, system, windows
submitted: 15/01/2023, 22:18
Static task: static1
Behavioral task: behavioral1 (Sample: Factura63c47.msi, Resource: win10-20220812-es)
Behavioral task: behavioral2 (Sample: Factura63c47.msi, Resource: win7-20221111-es)
Behavioral task: behavioral3 (Sample: Factura63c47.msi, Resource: win10v2004-20221111-es)
General
Target: Factura63c47.msi
Size: 6.6MB
MD5: 2187f88f99a58bbe6d8d76447ddec93e
SHA1: 86b0b6e867b97f68b666fd2d93b42b8308d7426e
SHA256: 7aed2f04618c60642965a3544d5927aa58b4092c1cce70c3a9ed55f161bb4a0a
SHA512: bc7bfad3a1f2e86a4e56adb2caf78f2123dd256cfcb37f6143ab0ff090b5391cbb5df3515dba1bfb53bce61bc6044b0c64681c3657781eff670bdf6f9b712a53
SSDEEP: 98304:NYEtM2Af5tdoOS8mcA18WgQLKk9jEOy0pqQdA43Ak+jVktqMh8+pBwThNVCjHRrG:9M5tyr8mak9c0p243MlQwTLVCxZw
Malware Config
Signatures
Blocklisted process makes network request 20 IoCs
flow  pid  Process
10    940  MsiExec.exe
12    940  MsiExec.exe
14    940  MsiExec.exe
30    940  MsiExec.exe
46    940  MsiExec.exe
54    940  MsiExec.exe
61    940  MsiExec.exe
64    940  MsiExec.exe
65    940  MsiExec.exe
67    940  MsiExec.exe
68    940  MsiExec.exe
69    940  MsiExec.exe
70    940  MsiExec.exe
74    940  MsiExec.exe
76    940  MsiExec.exe
78    940  MsiExec.exe
79    940  MsiExec.exe
80    940  MsiExec.exe
81    940  MsiExec.exe
82    940  MsiExec.exe
Loads dropped DLL 6 IoCs
pid  Process
940  MsiExec.exe
940  MsiExec.exe
940  MsiExec.exe
940  MsiExec.exe
940  MsiExec.exe
940  MsiExec.exe
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\F:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\F:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
9     ipinfo.io
10    ipinfo.io
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid  Process
940  MsiExec.exe
Drops file in Windows directory 12 IoCs
description                   ioc                                                                     Process
File created                  C:\Windows\Installer\e566a38.msi                                        msiexec.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log                msiexec.exe
File opened for modification  C:\Windows\Installer\                                                   msiexec.exe
File created                  C:\Windows\Installer\inprogressinstallinfo.ipi                          msiexec.exe
File created                  C:\Windows\Installer\SourceHash{00744C43-C865-4A83-BD0D-79DEE55274B8}   msiexec.exe
File opened for modification  C:\Windows\Installer\MSI7019.tmp                                        msiexec.exe
File opened for modification  C:\Windows\Installer\e566a38.msi                                        msiexec.exe
File opened for modification  C:\Windows\Installer\MSI6B03.tmp                                        msiexec.exe
File opened for modification  C:\Windows\Installer\MSI6D85.tmp                                        msiexec.exe
File opened for modification  C:\Windows\Installer\MSI6E12.tmp                                        msiexec.exe
File opened for modification  C:\Windows\Installer\MSI6E33.tmp                                        msiexec.exe
File opened for modification  C:\Windows\Installer\MSI6FF9.tmp                                        msiexec.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid   Process
4996  msiexec.exe
4996  msiexec.exe
940   MsiExec.exe
940   MsiExec.exe
940   MsiExec.exe
940   MsiExec.exe
Suspicious use of AdjustPrivilegeToken 46 IoCs
description                           pid   Process
Token: SeShutdownPrivilege            5008  msiexec.exe
Token: SeIncreaseQuotaPrivilege       5008  msiexec.exe
Token: SeSecurityPrivilege            4996  msiexec.exe
Token: SeCreateTokenPrivilege         5008  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege  5008  msiexec.exe
Token: SeLockMemoryPrivilege          5008  msiexec.exe
Token: SeIncreaseQuotaPrivilege       5008  msiexec.exe
Token: SeMachineAccountPrivilege      5008  msiexec.exe
Token: SeTcbPrivilege                 5008  msiexec.exe
Token: SeSecurityPrivilege            5008  msiexec.exe
Token: SeTakeOwnershipPrivilege       5008  msiexec.exe
Token: SeLoadDriverPrivilege          5008  msiexec.exe
Token: SeSystemProfilePrivilege       5008  msiexec.exe
Token: SeSystemtimePrivilege          5008  msiexec.exe
Token: SeProfSingleProcessPrivilege   5008  msiexec.exe
Token: SeIncBasePriorityPrivilege     5008  msiexec.exe
Token: SeCreatePagefilePrivilege      5008  msiexec.exe
Token: SeCreatePermanentPrivilege     5008  msiexec.exe
Token: SeBackupPrivilege              5008  msiexec.exe
Token: SeRestorePrivilege             5008  msiexec.exe
Token: SeShutdownPrivilege            5008  msiexec.exe
Token: SeDebugPrivilege               5008  msiexec.exe
Token: SeAuditPrivilege               5008  msiexec.exe
Token: SeSystemEnvironmentPrivilege   5008  msiexec.exe
Token: SeChangeNotifyPrivilege        5008  msiexec.exe
Token: SeRemoteShutdownPrivilege      5008  msiexec.exe
Token: SeUndockPrivilege              5008  msiexec.exe
Token: SeSyncAgentPrivilege           5008  msiexec.exe
Token: SeEnableDelegationPrivilege    5008  msiexec.exe
Token: SeManageVolumePrivilege        5008  msiexec.exe
Token: SeImpersonatePrivilege         5008  msiexec.exe
Token: SeCreateGlobalPrivilege        5008  msiexec.exe
Token: SeRestorePrivilege             4996  msiexec.exe
Token: SeTakeOwnershipPrivilege       4996  msiexec.exe
Token: SeRestorePrivilege             4996  msiexec.exe
Token: SeTakeOwnershipPrivilege       4996  msiexec.exe
Token: SeRestorePrivilege             4996  msiexec.exe
Token: SeTakeOwnershipPrivilege       4996  msiexec.exe
Token: SeRestorePrivilege             4996  msiexec.exe
Token: SeTakeOwnershipPrivilege       4996  msiexec.exe
Token: SeRestorePrivilege             4996  msiexec.exe
Token: SeTakeOwnershipPrivilege       4996  msiexec.exe
Token: SeRestorePrivilege             4996  msiexec.exe
Token: SeTakeOwnershipPrivilege       4996  msiexec.exe
Token: SeRestorePrivilege             4996  msiexec.exe
Token: SeTakeOwnershipPrivilege       4996  msiexec.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid   Process
5008  msiexec.exe
Suspicious use of WriteProcessMemory 3 IoCs
description                       pid   Process      procid_target
PID 4996 wrote to memory of 940   4996  msiexec.exe  82
PID 4996 wrote to memory of 940   4996  msiexec.exe  82
PID 4996 wrote to memory of 940   4996  msiexec.exe  82
Processes
C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Factura63c47.msi
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID: 5008
C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4996
    C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 64BD5D340C32602B6C8756D3EB4F344E
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        PID: 940
C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID: 3376
Network
MITRE ATT&CK Enterprise v6
Downloads