Analysis
max time kernel: 42s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted: 08/02/2023, 08:36
Static task
static1
Behavioral task
behavioral1
Sample
F_A_C_T_U_R_A_4564965414654_65189421864_5616876516_651894561.msi
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
F_A_C_T_U_R_A_4564965414654_65189421864_5616876516_651894561.msi
Resource
win10v2004-20221111-en
General
Target: F_A_C_T_U_R_A_4564965414654_65189421864_5616876516_651894561.msi
Size: 257.6MB
MD5: 1cf1c7e4cff1647135670de48f5513b6
SHA1: 676d620cb584c3781815fdb6050776764b8e1e14
SHA256: 97377415c200eaff9efc22bfa8cba4c29ad46f73d9d5cc3b83d65af15c244adc
SHA512: 539fcdc2fdaf0b66e87abbe7b3d1293d0bb4f75e22fd895b383d0db78aeea98825cc900d43a70a627e09cce9d0850fe60e2b4a6d0ba809368a935e0e209dac5d
SSDEEP: 98304:l599CEQd17rmueYIhvBcM/7ks3D6O26rkT9XxsGo6cYdA:lZCjryh5cCFTd2RT9N
Malware Config
Signatures
-
Loads dropped DLL 3 IoCs
pid   Process
1376  MsiExec.exe
1376  MsiExec.exe
1376  MsiExec.exe
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\F:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\F:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
Drops file in Windows directory 9 IoCs
description                   ioc                                   Process
File opened for modification  C:\Windows\Installer\MSI17E7.tmp      msiexec.exe
File opened for modification  C:\Windows\Installer\MSI1837.tmp      msiexec.exe
File opened for modification  C:\Windows\Installer\6c088c.ipi       msiexec.exe
File opened for modification  C:\Windows\Installer\MSICCE.tmp       msiexec.exe
File opened for modification  C:\Windows\Installer\MSIE45.tmp       msiexec.exe
File created                  C:\Windows\Installer\6c088c.ipi       msiexec.exe
File created                  C:\Windows\Installer\6c088a.msi       msiexec.exe
File opened for modification  C:\Windows\Installer\6c088a.msi       msiexec.exe
File opened for modification  C:\Windows\Installer\                 msiexec.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid  Process
980  msiexec.exe
980  msiexec.exe
Suspicious use of AdjustPrivilegeToken 50 IoCs
description                           pid  Process
Token: SeShutdownPrivilege            108  msiexec.exe
Token: SeIncreaseQuotaPrivilege       108  msiexec.exe
Token: SeRestorePrivilege             980  msiexec.exe
Token: SeTakeOwnershipPrivilege       980  msiexec.exe
Token: SeSecurityPrivilege            980  msiexec.exe
Token: SeCreateTokenPrivilege         108  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege  108  msiexec.exe
Token: SeLockMemoryPrivilege          108  msiexec.exe
Token: SeIncreaseQuotaPrivilege       108  msiexec.exe
Token: SeMachineAccountPrivilege      108  msiexec.exe
Token: SeTcbPrivilege                 108  msiexec.exe
Token: SeSecurityPrivilege            108  msiexec.exe
Token: SeTakeOwnershipPrivilege       108  msiexec.exe
Token: SeLoadDriverPrivilege          108  msiexec.exe
Token: SeSystemProfilePrivilege       108  msiexec.exe
Token: SeSystemtimePrivilege          108  msiexec.exe
Token: SeProfSingleProcessPrivilege   108  msiexec.exe
Token: SeIncBasePriorityPrivilege     108  msiexec.exe
Token: SeCreatePagefilePrivilege      108  msiexec.exe
Token: SeCreatePermanentPrivilege     108  msiexec.exe
Token: SeBackupPrivilege              108  msiexec.exe
Token: SeRestorePrivilege             108  msiexec.exe
Token: SeShutdownPrivilege            108  msiexec.exe
Token: SeDebugPrivilege               108  msiexec.exe
Token: SeAuditPrivilege               108  msiexec.exe
Token: SeSystemEnvironmentPrivilege   108  msiexec.exe
Token: SeChangeNotifyPrivilege        108  msiexec.exe
Token: SeRemoteShutdownPrivilege      108  msiexec.exe
Token: SeUndockPrivilege              108  msiexec.exe
Token: SeSyncAgentPrivilege           108  msiexec.exe
Token: SeEnableDelegationPrivilege    108  msiexec.exe
Token: SeManageVolumePrivilege        108  msiexec.exe
Token: SeImpersonatePrivilege         108  msiexec.exe
Token: SeCreateGlobalPrivilege        108  msiexec.exe
Token: SeRestorePrivilege             980  msiexec.exe
Token: SeTakeOwnershipPrivilege       980  msiexec.exe
Token: SeRestorePrivilege             980  msiexec.exe
Token: SeTakeOwnershipPrivilege       980  msiexec.exe
Token: SeRestorePrivilege             980  msiexec.exe
Token: SeTakeOwnershipPrivilege       980  msiexec.exe
Token: SeRestorePrivilege             980  msiexec.exe
Token: SeTakeOwnershipPrivilege       980  msiexec.exe
Token: SeRestorePrivilege             980  msiexec.exe
Token: SeTakeOwnershipPrivilege       980  msiexec.exe
Token: SeRestorePrivilege             980  msiexec.exe
Token: SeTakeOwnershipPrivilege       980  msiexec.exe
Token: SeRestorePrivilege             980  msiexec.exe
Token: SeTakeOwnershipPrivilege       980  msiexec.exe
Token: SeRestorePrivilege             980  msiexec.exe
Token: SeTakeOwnershipPrivilege       980  msiexec.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid  Process
108  msiexec.exe
108  msiexec.exe
Suspicious use of WriteProcessMemory 7 IoCs
description                      pid  Process      procid_target
PID 980 wrote to memory of 1376  980  msiexec.exe  28
PID 980 wrote to memory of 1376  980  msiexec.exe  28
PID 980 wrote to memory of 1376  980  msiexec.exe  28
PID 980 wrote to memory of 1376  980  msiexec.exe  28
PID 980 wrote to memory of 1376  980  msiexec.exe  28
PID 980 wrote to memory of 1376  980  msiexec.exe  28
PID 980 wrote to memory of 1376  980  msiexec.exe  28
Processes
-
C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\F_A_C_T_U_R_A_4564965414654_65189421864_5616876516_651894561.msi
  PID: 108
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 980
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\syswow64\MsiExec.exe (child of PID 980)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 53FCC91586BBE985D79FA0D9DC24A4B6
    PID: 1376
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 254.8MB
MD5: 1632a73fc216de0622fe448cd1a5759b
SHA1: a98ef1eec4dd5b6c98c4e3a26cbb9a3f991d73d5
SHA256: c3db892021a9d6fe461a1dcc4888f52d948c80a5153053be0b9613fd414200c3
SHA512: 91ea63d87b7ddfc1b8daf11e14426d14da855ec19265e044602a213331335fefa0439cf13f13702444def41f94471d2cacfb7a3c1fb453d85cd868f5002be1eb

Filesize: 557KB
MD5: 2c9c51ac508570303c6d46c0571ea3a1
SHA1: e3e0fe08fa11a43c8bca533f212bdf0704c726d5
SHA256: ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550
SHA512: df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127