Overview

overview

8

Static

static

1

FACT63e38.msi

windows10-1703-x64

8

FACT63e38.msi

windows10-2004-x64

8

Analysis

  • max time kernel
    83s
  • max time network
    139s
  • platform
    windows10-1703_x64
  • resource
    win10-20220901-es
  • resource tags

    arch:x64arch:x86image:win10-20220901-eslocale:es-esos:windows10-1703-x64systemwindows
  • submitted
    08-02-2023 11:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FACT63e38.msi

  • Size

    7.2MB

  • MD5

    d2257b6ad231fe4c31cae810117439df

  • SHA1

    9ab0e4e89c8d23821f23dba317d4fdd769a6c045

  • SHA256

    cc5960106ff148a98cb9bdfc8745a78e23f45b9718aced3ccc92b1666e1c2681

  • SHA512

    8a40eacd426eeb788b4202ecdf4471932af2ba7192b35f37d1f076c313413623ee079cb78cbd0630586c4c92b81d4e808cbb1fe95548096bd02cf9f45b17c643

  • SSDEEP

    98304:eYroXAWTb4fZxwIdtkO3TfZctulgj+jV4GPrNaVtETimSc53Q5aVkuCDioRA+Plv:NoFcx7DDetuLj55nTimSc534neo5l7

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 5 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\FACT63e38.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2868
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4852
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 9F506BD4427413312B2026D0DBC13CA0
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      PID:1864
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4384

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Installer\MSIA722.tmp
      Filesize

      376KB

      MD5

      e12c5bcc254c953b1a46d1434804f4d2

      SHA1

      99f67acf34af1294f3c6e5eb521c862e1c772397

      SHA256

      5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

      SHA512

      9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

      Download Submit

    • C:\Windows\Installer\MSIC624.tmp
      Filesize

      376KB

      MD5

      e12c5bcc254c953b1a46d1434804f4d2

      SHA1

      99f67acf34af1294f3c6e5eb521c862e1c772397

      SHA256

      5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

      SHA512

      9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

      Download Submit

    • C:\Windows\Installer\MSID057.tmp
      Filesize

      376KB

      MD5

      e12c5bcc254c953b1a46d1434804f4d2

      SHA1

      99f67acf34af1294f3c6e5eb521c862e1c772397

      SHA256

      5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

      SHA512

      9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

      Download Submit

    • C:\Windows\Installer\MSID2A9.tmp
      Filesize

      376KB

      MD5

      e12c5bcc254c953b1a46d1434804f4d2

      SHA1

      99f67acf34af1294f3c6e5eb521c862e1c772397

      SHA256

      5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

      SHA512

      9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

      Download Submit

    • C:\Windows\Installer\MSID7CC.tmp
      Filesize

      6.6MB

      MD5

      bcad5eff498a55b71e4a171a3bc7fae3

      SHA1

      df0b5fa0baa2601393b8826a63483d45174524ba

      SHA256

      d6b729eb535624209387355cd8992c1deb90c56a15a52c4a8005071b3ed3c63f

      SHA512

      93a4cbc5d9101cc54ea9b45b0244b3ab6f0188f6987d52715e6b2a49bbae44f06a02a43e09725be5714747b7d2d339cb12641f98632899591c28cadc1e58b53a

      Download Submit

    • \Windows\Installer\MSIA722.tmp
      Filesize

      376KB

      MD5

      e12c5bcc254c953b1a46d1434804f4d2

      SHA1

      99f67acf34af1294f3c6e5eb521c862e1c772397

      SHA256

      5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

      SHA512

      9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

      Download Submit

    • \Windows\Installer\MSIC624.tmp
      Filesize

      376KB

      MD5

      e12c5bcc254c953b1a46d1434804f4d2

      SHA1

      99f67acf34af1294f3c6e5eb521c862e1c772397

      SHA256

      5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

      SHA512

      9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

      Download Submit

    • \Windows\Installer\MSID057.tmp
      Filesize

      376KB

      MD5

      e12c5bcc254c953b1a46d1434804f4d2

      SHA1

      99f67acf34af1294f3c6e5eb521c862e1c772397

      SHA256

      5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

      SHA512

      9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

      Download Submit

    • \Windows\Installer\MSID2A9.tmp
      Filesize

      376KB

      MD5

      e12c5bcc254c953b1a46d1434804f4d2

      SHA1

      99f67acf34af1294f3c6e5eb521c862e1c772397

      SHA256

      5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

      SHA512

      9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

      Download Submit

    • \Windows\Installer\MSID7CC.tmp
      Filesize

      6.6MB

      MD5

      bcad5eff498a55b71e4a171a3bc7fae3

      SHA1

      df0b5fa0baa2601393b8826a63483d45174524ba

      SHA256

      d6b729eb535624209387355cd8992c1deb90c56a15a52c4a8005071b3ed3c63f

      SHA512

      93a4cbc5d9101cc54ea9b45b0244b3ab6f0188f6987d52715e6b2a49bbae44f06a02a43e09725be5714747b7d2d339cb12641f98632899591c28cadc1e58b53a

      Download Submit

    • \Windows\Installer\MSID7CC.tmp
      Filesize

      6.6MB

      MD5

      bcad5eff498a55b71e4a171a3bc7fae3

      SHA1

      df0b5fa0baa2601393b8826a63483d45174524ba

      SHA256

      d6b729eb535624209387355cd8992c1deb90c56a15a52c4a8005071b3ed3c63f

      SHA512

      93a4cbc5d9101cc54ea9b45b0244b3ab6f0188f6987d52715e6b2a49bbae44f06a02a43e09725be5714747b7d2d339cb12641f98632899591c28cadc1e58b53a

      Download Submit

    • memory/1864-161-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-167-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-134-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-135-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-136-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-138-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-137-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-139-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-140-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-141-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-142-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-143-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-144-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-145-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-146-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-147-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-148-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-149-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-150-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-151-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-152-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-153-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-154-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-156-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-155-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-157-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-158-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-159-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-160-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-131-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-162-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-163-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-164-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-165-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-166-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-133-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-168-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-169-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-170-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-173-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-174-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-175-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-176-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-177-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-179-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-180-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-178-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-181-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-182-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-183-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-184-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-185-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-186-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-188-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-191-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-192-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-194-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-193-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-130-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-128-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-127-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-126-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-125-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-124-0x0000000000000000-mapping.dmp

      Download

    • memory/1864-187-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1864-262-0x00000000053E0000-0x00000000063C4000-memory.dmp

      Filesize

      15.9MB

      Download

    • memory/1864-263-0x00000000053E0000-0x00000000063C4000-memory.dmp

      Filesize

      15.9MB

      Download

    • memory/1864-266-0x00000000053E0000-0x00000000063C4000-memory.dmp

      Filesize

      15.9MB

      Download

    • memory/1864-298-0x00000000053E0000-0x00000000063C4000-memory.dmp

      Filesize

      15.9MB

      Download