9dc3892fc00d68bc321da5fbc6e34778b6ddf5e4b816ee035c3a77737d7b8974

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
08/02/2023, 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

F_A_C_T_U_R_A_4564965414654_65189421864_5616876516_651894561.msi
Size

257.6MB
MD5

1cf1c7e4cff1647135670de48f5513b6
SHA1

676d620cb584c3781815fdb6050776764b8e1e14
SHA256

97377415c200eaff9efc22bfa8cba4c29ad46f73d9d5cc3b83d65af15c244adc
SHA512

539fcdc2fdaf0b66e87abbe7b3d1293d0bb4f75e22fd895b383d0db78aeea98825cc900d43a70a627e09cce9d0850fe60e2b4a6d0ba809368a935e0e209dac5d
SSDEEP

98304:l599CEQd17rmueYIhvBcM/7ks3D6O26rkT9XxsGo6cYdA:lZCjryh5cCFTd2RT9N

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
1376	MsiExec.exe
1376	MsiExec.exe
1376	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI17E7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1837.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\6c088c.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICCE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE45.tmp	msiexec.exe
File created	C:\Windows\Installer\6c088c.ipi	msiexec.exe
File created	C:\Windows\Installer\6c088a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6c088a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
980	msiexec.exe
980	msiexec.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeShutdownPrivilege	108	msiexec.exe
Token: SeIncreaseQuotaPrivilege	108	msiexec.exe
Token: SeRestorePrivilege	980	msiexec.exe
Token: SeTakeOwnershipPrivilege	980	msiexec.exe
Token: SeSecurityPrivilege	980	msiexec.exe
Token: SeCreateTokenPrivilege	108	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	108	msiexec.exe
Token: SeLockMemoryPrivilege	108	msiexec.exe
Token: SeIncreaseQuotaPrivilege	108	msiexec.exe
Token: SeMachineAccountPrivilege	108	msiexec.exe
Token: SeTcbPrivilege	108	msiexec.exe
Token: SeSecurityPrivilege	108	msiexec.exe
Token: SeTakeOwnershipPrivilege	108	msiexec.exe
Token: SeLoadDriverPrivilege	108	msiexec.exe
Token: SeSystemProfilePrivilege	108	msiexec.exe
Token: SeSystemtimePrivilege	108	msiexec.exe
Token: SeProfSingleProcessPrivilege	108	msiexec.exe
Token: SeIncBasePriorityPrivilege	108	msiexec.exe
Token: SeCreatePagefilePrivilege	108	msiexec.exe
Token: SeCreatePermanentPrivilege	108	msiexec.exe
Token: SeBackupPrivilege	108	msiexec.exe
Token: SeRestorePrivilege	108	msiexec.exe
Token: SeShutdownPrivilege	108	msiexec.exe
Token: SeDebugPrivilege	108	msiexec.exe
Token: SeAuditPrivilege	108	msiexec.exe
Token: SeSystemEnvironmentPrivilege	108	msiexec.exe
Token: SeChangeNotifyPrivilege	108	msiexec.exe
Token: SeRemoteShutdownPrivilege	108	msiexec.exe
Token: SeUndockPrivilege	108	msiexec.exe
Token: SeSyncAgentPrivilege	108	msiexec.exe
Token: SeEnableDelegationPrivilege	108	msiexec.exe
Token: SeManageVolumePrivilege	108	msiexec.exe
Token: SeImpersonatePrivilege	108	msiexec.exe
Token: SeCreateGlobalPrivilege	108	msiexec.exe
Token: SeRestorePrivilege	980	msiexec.exe
Token: SeTakeOwnershipPrivilege	980	msiexec.exe
Token: SeRestorePrivilege	980	msiexec.exe
Token: SeTakeOwnershipPrivilege	980	msiexec.exe
Token: SeRestorePrivilege	980	msiexec.exe
Token: SeTakeOwnershipPrivilege	980	msiexec.exe
Token: SeRestorePrivilege	980	msiexec.exe
Token: SeTakeOwnershipPrivilege	980	msiexec.exe
Token: SeRestorePrivilege	980	msiexec.exe
Token: SeTakeOwnershipPrivilege	980	msiexec.exe
Token: SeRestorePrivilege	980	msiexec.exe
Token: SeTakeOwnershipPrivilege	980	msiexec.exe
Token: SeRestorePrivilege	980	msiexec.exe
Token: SeTakeOwnershipPrivilege	980	msiexec.exe
Token: SeRestorePrivilege	980	msiexec.exe
Token: SeTakeOwnershipPrivilege	980	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
108	msiexec.exe
108	msiexec.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 980 wrote to memory of 1376	980	msiexec.exe	28
PID 980 wrote to memory of 1376	980	msiexec.exe	28
PID 980 wrote to memory of 1376	980	msiexec.exe	28
PID 980 wrote to memory of 1376	980	msiexec.exe	28
PID 980 wrote to memory of 1376	980	msiexec.exe	28
PID 980 wrote to memory of 1376	980	msiexec.exe	28
PID 980 wrote to memory of 1376	980	msiexec.exe	28

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\F_A_C_T_U_R_A_4564965414654_65189421864_5616876516_651894561.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:108

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:980
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 53FCC91586BBE985D79FA0D9DC24A4B6
  2⤵
  - Loads dropped DLL
  PID:1376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\MSI1837.tmp

Filesize
254.8MB

MD5
1632a73fc216de0622fe448cd1a5759b

SHA1
a98ef1eec4dd5b6c98c4e3a26cbb9a3f991d73d5

SHA256
c3db892021a9d6fe461a1dcc4888f52d948c80a5153053be0b9613fd414200c3

SHA512
91ea63d87b7ddfc1b8daf11e14426d14da855ec19265e044602a213331335fefa0439cf13f13702444def41f94471d2cacfb7a3c1fb453d85cd868f5002be1eb

Download Submit
C:\Windows\Installer\MSICCE.tmp

Filesize
557KB

MD5
2c9c51ac508570303c6d46c0571ea3a1

SHA1
e3e0fe08fa11a43c8bca533f212bdf0704c726d5

SHA256
ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550

SHA512
df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127

Download Submit
C:\Windows\Installer\MSIE45.tmp

Filesize
557KB

MD5
2c9c51ac508570303c6d46c0571ea3a1

SHA1
e3e0fe08fa11a43c8bca533f212bdf0704c726d5

SHA256
ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550

SHA512
df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127

Download Submit
\Windows\Installer\MSI1837.tmp

Filesize
254.8MB

MD5
1632a73fc216de0622fe448cd1a5759b

SHA1
a98ef1eec4dd5b6c98c4e3a26cbb9a3f991d73d5

SHA256
c3db892021a9d6fe461a1dcc4888f52d948c80a5153053be0b9613fd414200c3

SHA512
91ea63d87b7ddfc1b8daf11e14426d14da855ec19265e044602a213331335fefa0439cf13f13702444def41f94471d2cacfb7a3c1fb453d85cd868f5002be1eb

Download Submit
\Windows\Installer\MSICCE.tmp

Filesize
557KB

MD5
2c9c51ac508570303c6d46c0571ea3a1

SHA1
e3e0fe08fa11a43c8bca533f212bdf0704c726d5

SHA256
ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550

SHA512
df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127

Download Submit
\Windows\Installer\MSIE45.tmp

Filesize
557KB

MD5
2c9c51ac508570303c6d46c0571ea3a1

SHA1
e3e0fe08fa11a43c8bca533f212bdf0704c726d5

SHA256
ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550

SHA512
df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127

Download Submit
memory/108-54-0x000007FEFBF71000-0x000007FEFBF73000-memory.dmp

Filesize
8KB

Download
memory/1376-57-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download