Overview

overview

8

Static

static

1

FACT641ab.msi

windows7-x64

8

FACT641ab.msi

windows10-2004-x64

8

Analysis

  • max time kernel
    50s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    22/03/2023, 08:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FACT641ab.msi

  • Size

    5.5MB

  • MD5

    32b29de93b7fd2a52da9b5ede896ca31

  • SHA1

    17aa23016bbbdbc6ea3466abcde03320bd441461

  • SHA256

    f341fae5d857a9a7171570142632c0ee5de5b8c6b5f38bed57979a046910882e

  • SHA512

    e6615899174e347531afb405707aa0bbaaeda84d70a9bcad8d66a72475923a621bf454055c601759655dac641ee1fd26d92fff379f3ba7637586bc2e674db382

  • SSDEEP

    98304:UYnB7YHduKT/GkUgUZpBoMfDM6NpQm9CKcgxqEarrkIzvDDulI+lEj+28+xwitMg:vB7YHduKqhrM6Qm9pHgrkKDD9Xc+ui

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 6 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\FACT641ab.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:284
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:908
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 4EDF2374DCAC24D086A7E19FFCD0D920
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:972

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    61KB

    MD5

    e71c8443ae0bc2e282c73faead0a6dd3

    SHA1

    0c110c1b01e68edfacaeae64781a37b1995fa94b

    SHA256

    95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

    SHA512

    b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    69e6c14203aeefc6ea8a76b2e676767e

    SHA1

    80ce5e5cbd4c8fbcd72f58b56e3c3c4c3197090d

    SHA256

    7fb32131b76dac9c3b62c0269f1cf8bc2576d374af24d6ce5c88d974ade7e955

    SHA512

    55f98234cca979bd7f57c8011078acc85cfdc2d624064ecebc07288b7ce28be5fcf1907f08fd2a82d95123b5625569192c9b662cb8534e90195ecafdb2ccb71e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab630A.tmp
    Filesize

    61KB

    MD5

    fc4666cbca561e864e7fdf883a9e6661

    SHA1

    2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

    SHA256

    10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

    SHA512

    c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar6504.tmp
    Filesize

    161KB

    MD5

    be2bec6e8c5653136d3e72fe53c98aa3

    SHA1

    a8182d6db17c14671c3d5766c72e58d87c0810de

    SHA256

    1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

    SHA512

    0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

    Download Submit

  • C:\Windows\Installer\MSI2109.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit

  • C:\Windows\Installer\MSI22A0.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit

  • C:\Windows\Installer\MSI230E.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit

  • C:\Windows\Installer\MSI230E.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit

  • C:\Windows\Installer\MSI2A60.tmp
    Filesize

    5.0MB

    MD5

    678fa1f615e4dcb5a968d5cc83c28c14

    SHA1

    a8bf90090d16faa5a2faa7f8d5fe693e69574df7

    SHA256

    41fee8131732585dc18113213c7fb469fd089dfdb18e5dadb9cb84b02e5d233f

    SHA512

    bf2d4cccf9c379cf5835ba6992f6c875a5e539c24d6ce22dbbb6542810609e63ff1b015b6e4c688c30e6f90552b345a6dbfd8336913ce20c8a1d4085971a0565

    Download Submit

  • \Windows\Installer\MSI2109.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit

  • \Windows\Installer\MSI22A0.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit

  • \Windows\Installer\MSI230E.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit

  • \Windows\Installer\MSI2A60.tmp
    Filesize

    5.0MB

    MD5

    678fa1f615e4dcb5a968d5cc83c28c14

    SHA1

    a8bf90090d16faa5a2faa7f8d5fe693e69574df7

    SHA256

    41fee8131732585dc18113213c7fb469fd089dfdb18e5dadb9cb84b02e5d233f

    SHA512

    bf2d4cccf9c379cf5835ba6992f6c875a5e539c24d6ce22dbbb6542810609e63ff1b015b6e4c688c30e6f90552b345a6dbfd8336913ce20c8a1d4085971a0565

    Download Submit

  • memory/972-76-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/972-88-0x0000000000510000-0x0000000000511000-memory.dmp

    Filesize

    4KB

    Download

  • memory/972-78-0x00000000003E0000-0x00000000003E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/972-79-0x00000000003E0000-0x00000000003E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/972-81-0x00000000003F0000-0x00000000003F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/972-82-0x00000000003F0000-0x00000000003F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/972-84-0x0000000000500000-0x0000000000501000-memory.dmp

    Filesize

    4KB

    Download

  • memory/972-85-0x0000000000500000-0x0000000000501000-memory.dmp

    Filesize

    4KB

    Download

  • memory/972-87-0x0000000000510000-0x0000000000511000-memory.dmp

    Filesize

    4KB

    Download

  • memory/972-75-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/972-89-0x0000000002510000-0x0000000002F17000-memory.dmp

    Filesize

    10.0MB

    Download

  • memory/972-91-0x0000000000560000-0x0000000000561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/972-74-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/972-73-0x00000000001E0000-0x00000000001E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/972-72-0x00000000001E0000-0x00000000001E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/972-71-0x00000000001E0000-0x00000000001E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/972-176-0x0000000000560000-0x0000000000561000-memory.dmp

    Filesize

    4KB

    Download