9dc3892fc00d68bc321da5fbc6e34778b6ddf5e4b816ee035c3a77737d7b8974

Analysis

max time kernel
63s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
08/02/2023, 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

F_A_C_T_U_R_A_4564965414654_65189421864_5616876516_651894561.msi
Size

257.6MB
MD5

1cf1c7e4cff1647135670de48f5513b6
SHA1

676d620cb584c3781815fdb6050776764b8e1e14
SHA256

97377415c200eaff9efc22bfa8cba4c29ad46f73d9d5cc3b83d65af15c244adc
SHA512

539fcdc2fdaf0b66e87abbe7b3d1293d0bb4f75e22fd895b383d0db78aeea98825cc900d43a70a627e09cce9d0850fe60e2b4a6d0ba809368a935e0e209dac5d
SSDEEP

98304:l599CEQd17rmueYIhvBcM/7ks3D6O26rkT9XxsGo6cYdA:lZCjryh5cCFTd2RT9N

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
4036	MsiExec.exe
4036	MsiExec.exe
4036	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI7864.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{816DCF7B-8E75-4CE6-B00E-BD31F1284AE7}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6779.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI717C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7815.tmp	msiexec.exe
File created	C:\Windows\Installer\e56617e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e56617e.msi	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4288	msiexec.exe
4288	msiexec.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4552	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4552	msiexec.exe
Token: SeSecurityPrivilege	4288	msiexec.exe
Token: SeCreateTokenPrivilege	4552	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4552	msiexec.exe
Token: SeLockMemoryPrivilege	4552	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4552	msiexec.exe
Token: SeMachineAccountPrivilege	4552	msiexec.exe
Token: SeTcbPrivilege	4552	msiexec.exe
Token: SeSecurityPrivilege	4552	msiexec.exe
Token: SeTakeOwnershipPrivilege	4552	msiexec.exe
Token: SeLoadDriverPrivilege	4552	msiexec.exe
Token: SeSystemProfilePrivilege	4552	msiexec.exe
Token: SeSystemtimePrivilege	4552	msiexec.exe
Token: SeProfSingleProcessPrivilege	4552	msiexec.exe
Token: SeIncBasePriorityPrivilege	4552	msiexec.exe
Token: SeCreatePagefilePrivilege	4552	msiexec.exe
Token: SeCreatePermanentPrivilege	4552	msiexec.exe
Token: SeBackupPrivilege	4552	msiexec.exe
Token: SeRestorePrivilege	4552	msiexec.exe
Token: SeShutdownPrivilege	4552	msiexec.exe
Token: SeDebugPrivilege	4552	msiexec.exe
Token: SeAuditPrivilege	4552	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4552	msiexec.exe
Token: SeChangeNotifyPrivilege	4552	msiexec.exe
Token: SeRemoteShutdownPrivilege	4552	msiexec.exe
Token: SeUndockPrivilege	4552	msiexec.exe
Token: SeSyncAgentPrivilege	4552	msiexec.exe
Token: SeEnableDelegationPrivilege	4552	msiexec.exe
Token: SeManageVolumePrivilege	4552	msiexec.exe
Token: SeImpersonatePrivilege	4552	msiexec.exe
Token: SeCreateGlobalPrivilege	4552	msiexec.exe
Token: SeRestorePrivilege	4288	msiexec.exe
Token: SeTakeOwnershipPrivilege	4288	msiexec.exe
Token: SeRestorePrivilege	4288	msiexec.exe
Token: SeTakeOwnershipPrivilege	4288	msiexec.exe
Token: SeRestorePrivilege	4288	msiexec.exe
Token: SeTakeOwnershipPrivilege	4288	msiexec.exe
Token: SeRestorePrivilege	4288	msiexec.exe
Token: SeTakeOwnershipPrivilege	4288	msiexec.exe
Token: SeRestorePrivilege	4288	msiexec.exe
Token: SeTakeOwnershipPrivilege	4288	msiexec.exe
Token: SeRestorePrivilege	4288	msiexec.exe
Token: SeTakeOwnershipPrivilege	4288	msiexec.exe
Token: SeRestorePrivilege	4288	msiexec.exe
Token: SeTakeOwnershipPrivilege	4288	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4552	msiexec.exe
4552	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4288 wrote to memory of 4036	4288	msiexec.exe	82
PID 4288 wrote to memory of 4036	4288	msiexec.exe	82
PID 4288 wrote to memory of 4036	4288	msiexec.exe	82

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\F_A_C_T_U_R_A_4564965414654_65189421864_5616876516_651894561.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4552

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4288
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5EF315CE680B795AF68CF229BE2CD533
  2⤵
  - Loads dropped DLL
  PID:4036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\MSI6779.tmp

Filesize
557KB

MD5
2c9c51ac508570303c6d46c0571ea3a1

SHA1
e3e0fe08fa11a43c8bca533f212bdf0704c726d5

SHA256
ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550

SHA512
df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127

Download Submit
C:\Windows\Installer\MSI6779.tmp

Filesize
557KB

MD5
2c9c51ac508570303c6d46c0571ea3a1

SHA1
e3e0fe08fa11a43c8bca533f212bdf0704c726d5

SHA256
ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550

SHA512
df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127

Download Submit
C:\Windows\Installer\MSI717C.tmp

Filesize
557KB

MD5
2c9c51ac508570303c6d46c0571ea3a1

SHA1
e3e0fe08fa11a43c8bca533f212bdf0704c726d5

SHA256
ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550

SHA512
df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127

Download Submit
C:\Windows\Installer\MSI717C.tmp

Filesize
557KB

MD5
2c9c51ac508570303c6d46c0571ea3a1

SHA1
e3e0fe08fa11a43c8bca533f212bdf0704c726d5

SHA256
ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550

SHA512
df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127

Download Submit
C:\Windows\Installer\MSI7864.tmp

Filesize
254.8MB

MD5
1632a73fc216de0622fe448cd1a5759b

SHA1
a98ef1eec4dd5b6c98c4e3a26cbb9a3f991d73d5

SHA256
c3db892021a9d6fe461a1dcc4888f52d948c80a5153053be0b9613fd414200c3

SHA512
91ea63d87b7ddfc1b8daf11e14426d14da855ec19265e044602a213331335fefa0439cf13f13702444def41f94471d2cacfb7a3c1fb453d85cd868f5002be1eb

Download Submit
C:\Windows\Installer\MSI7864.tmp

Filesize
254.8MB

MD5
1632a73fc216de0622fe448cd1a5759b

SHA1
a98ef1eec4dd5b6c98c4e3a26cbb9a3f991d73d5

SHA256
c3db892021a9d6fe461a1dcc4888f52d948c80a5153053be0b9613fd414200c3

SHA512
91ea63d87b7ddfc1b8daf11e14426d14da855ec19265e044602a213331335fefa0439cf13f13702444def41f94471d2cacfb7a3c1fb453d85cd868f5002be1eb

Download Submit