Analysis
-
max time kernel
50s -
max time network
135s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
22/03/2023, 08:21
Static task
static1
Behavioral task
behavioral1
Sample
FACT641ab.msi
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
FACT641ab.msi
Resource
win10v2004-20230220-en
General
-
Target
FACT641ab.msi
-
Size
5.5MB
-
MD5
32b29de93b7fd2a52da9b5ede896ca31
-
SHA1
17aa23016bbbdbc6ea3466abcde03320bd441461
-
SHA256
f341fae5d857a9a7171570142632c0ee5de5b8c6b5f38bed57979a046910882e
-
SHA512
e6615899174e347531afb405707aa0bbaaeda84d70a9bcad8d66a72475923a621bf454055c601759655dac641ee1fd26d92fff379f3ba7637586bc2e674db382
-
SSDEEP
98304:UYnB7YHduKT/GkUgUZpBoMfDM6NpQm9CKcgxqEarrkIzvDDulI+lEj+28+xwitMg:vB7YHduKqhrM6Qm9pHgrkKDD9Xc+ui
Malware Config
Signatures
-
Blocklisted process makes network request 6 IoCs
flow pid Process 4 972 MsiExec.exe 6 972 MsiExec.exe 8 972 MsiExec.exe 10 972 MsiExec.exe 12 972 MsiExec.exe 13 972 MsiExec.exe -
Loads dropped DLL 4 IoCs
pid Process 972 MsiExec.exe 972 MsiExec.exe 972 MsiExec.exe 972 MsiExec.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\Y: msiexec.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 ipinfo.io 4 ipinfo.io -
Drops file in Windows directory 9 IoCs
description ioc Process File opened for modification C:\Windows\Installer\MSI230E.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI2A20.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI22A0.tmp msiexec.exe File created C:\Windows\Installer\6c1d73.ipi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI2A60.tmp msiexec.exe File created C:\Windows\Installer\6c1d71.msi msiexec.exe File opened for modification C:\Windows\Installer\6c1d71.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI2109.tmp msiexec.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 908 msiexec.exe 908 msiexec.exe 972 MsiExec.exe 972 MsiExec.exe -
Suspicious use of AdjustPrivilegeToken 46 IoCs
description pid Process Token: SeShutdownPrivilege 284 msiexec.exe Token: SeIncreaseQuotaPrivilege 284 msiexec.exe Token: SeRestorePrivilege 908 msiexec.exe Token: SeTakeOwnershipPrivilege 908 msiexec.exe Token: SeSecurityPrivilege 908 msiexec.exe Token: SeCreateTokenPrivilege 284 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 284 msiexec.exe Token: SeLockMemoryPrivilege 284 msiexec.exe Token: SeIncreaseQuotaPrivilege 284 msiexec.exe Token: SeMachineAccountPrivilege 284 msiexec.exe Token: SeTcbPrivilege 284 msiexec.exe Token: SeSecurityPrivilege 284 msiexec.exe Token: SeTakeOwnershipPrivilege 284 msiexec.exe Token: SeLoadDriverPrivilege 284 msiexec.exe Token: SeSystemProfilePrivilege 284 msiexec.exe Token: SeSystemtimePrivilege 284 msiexec.exe Token: SeProfSingleProcessPrivilege 284 msiexec.exe Token: SeIncBasePriorityPrivilege 284 msiexec.exe Token: SeCreatePagefilePrivilege 284 msiexec.exe Token: SeCreatePermanentPrivilege 284 msiexec.exe Token: SeBackupPrivilege 284 msiexec.exe Token: SeRestorePrivilege 284 msiexec.exe Token: SeShutdownPrivilege 284 msiexec.exe Token: SeDebugPrivilege 284 msiexec.exe Token: SeAuditPrivilege 284 msiexec.exe Token: SeSystemEnvironmentPrivilege 284 msiexec.exe Token: SeChangeNotifyPrivilege 284 msiexec.exe Token: SeRemoteShutdownPrivilege 284 msiexec.exe Token: SeUndockPrivilege 284 msiexec.exe Token: SeSyncAgentPrivilege 284 msiexec.exe Token: SeEnableDelegationPrivilege 284 msiexec.exe Token: SeManageVolumePrivilege 284 msiexec.exe Token: SeImpersonatePrivilege 284 msiexec.exe Token: SeCreateGlobalPrivilege 284 msiexec.exe Token: SeRestorePrivilege 908 msiexec.exe Token: SeTakeOwnershipPrivilege 908 msiexec.exe Token: SeRestorePrivilege 908 msiexec.exe Token: SeTakeOwnershipPrivilege 908 msiexec.exe Token: SeRestorePrivilege 908 msiexec.exe Token: SeTakeOwnershipPrivilege 908 msiexec.exe Token: SeRestorePrivilege 908 msiexec.exe Token: SeTakeOwnershipPrivilege 908 msiexec.exe Token: SeRestorePrivilege 908 msiexec.exe Token: SeTakeOwnershipPrivilege 908 msiexec.exe Token: SeRestorePrivilege 908 msiexec.exe Token: SeTakeOwnershipPrivilege 908 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 284 msiexec.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 908 wrote to memory of 972 908 msiexec.exe 29 PID 908 wrote to memory of 972 908 msiexec.exe 29 PID 908 wrote to memory of 972 908 msiexec.exe 29 PID 908 wrote to memory of 972 908 msiexec.exe 29 PID 908 wrote to memory of 972 908 msiexec.exe 29 PID 908 wrote to memory of 972 908 msiexec.exe 29 PID 908 wrote to memory of 972 908 msiexec.exe 29
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\FACT641ab.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:284
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 4EDF2374DCAC24D086A7E19FFCD0D9202⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:972
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
61KB
MD5e71c8443ae0bc2e282c73faead0a6dd3
SHA10c110c1b01e68edfacaeae64781a37b1995fa94b
SHA25695b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72
SHA512b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize304B
MD569e6c14203aeefc6ea8a76b2e676767e
SHA180ce5e5cbd4c8fbcd72f58b56e3c3c4c3197090d
SHA2567fb32131b76dac9c3b62c0269f1cf8bc2576d374af24d6ce5c88d974ade7e955
SHA51255f98234cca979bd7f57c8011078acc85cfdc2d624064ecebc07288b7ce28be5fcf1907f08fd2a82d95123b5625569192c9b662cb8534e90195ecafdb2ccb71e
-
Filesize
61KB
MD5fc4666cbca561e864e7fdf883a9e6661
SHA12f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA25610f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d
-
Filesize
161KB
MD5be2bec6e8c5653136d3e72fe53c98aa3
SHA1a8182d6db17c14671c3d5766c72e58d87c0810de
SHA2561919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd
SHA5120d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff
-
Filesize
376KB
MD5e12c5bcc254c953b1a46d1434804f4d2
SHA199f67acf34af1294f3c6e5eb521c862e1c772397
SHA2565316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
SHA5129a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b
-
Filesize
376KB
MD5e12c5bcc254c953b1a46d1434804f4d2
SHA199f67acf34af1294f3c6e5eb521c862e1c772397
SHA2565316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
SHA5129a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b
-
Filesize
376KB
MD5e12c5bcc254c953b1a46d1434804f4d2
SHA199f67acf34af1294f3c6e5eb521c862e1c772397
SHA2565316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
SHA5129a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b
-
Filesize
376KB
MD5e12c5bcc254c953b1a46d1434804f4d2
SHA199f67acf34af1294f3c6e5eb521c862e1c772397
SHA2565316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
SHA5129a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b
-
Filesize
5.0MB
MD5678fa1f615e4dcb5a968d5cc83c28c14
SHA1a8bf90090d16faa5a2faa7f8d5fe693e69574df7
SHA25641fee8131732585dc18113213c7fb469fd089dfdb18e5dadb9cb84b02e5d233f
SHA512bf2d4cccf9c379cf5835ba6992f6c875a5e539c24d6ce22dbbb6542810609e63ff1b015b6e4c688c30e6f90552b345a6dbfd8336913ce20c8a1d4085971a0565
-
Filesize
376KB
MD5e12c5bcc254c953b1a46d1434804f4d2
SHA199f67acf34af1294f3c6e5eb521c862e1c772397
SHA2565316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
SHA5129a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b
-
Filesize
376KB
MD5e12c5bcc254c953b1a46d1434804f4d2
SHA199f67acf34af1294f3c6e5eb521c862e1c772397
SHA2565316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
SHA5129a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b
-
Filesize
376KB
MD5e12c5bcc254c953b1a46d1434804f4d2
SHA199f67acf34af1294f3c6e5eb521c862e1c772397
SHA2565316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
SHA5129a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b
-
Filesize
5.0MB
MD5678fa1f615e4dcb5a968d5cc83c28c14
SHA1a8bf90090d16faa5a2faa7f8d5fe693e69574df7
SHA25641fee8131732585dc18113213c7fb469fd089dfdb18e5dadb9cb84b02e5d233f
SHA512bf2d4cccf9c379cf5835ba6992f6c875a5e539c24d6ce22dbbb6542810609e63ff1b015b6e4c688c30e6f90552b345a6dbfd8336913ce20c8a1d4085971a0565