Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

FACT641ab.msi

windows7-x64

8

FACT641ab.msi

windows10-2004-x64

8

Analysis

  • max time kernel
    145s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/03/2023, 08:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FACT641ab.msi

  • Size

    5.5MB

  • MD5

    32b29de93b7fd2a52da9b5ede896ca31

  • SHA1

    17aa23016bbbdbc6ea3466abcde03320bd441461

  • SHA256

    f341fae5d857a9a7171570142632c0ee5de5b8c6b5f38bed57979a046910882e

  • SHA512

    e6615899174e347531afb405707aa0bbaaeda84d70a9bcad8d66a72475923a621bf454055c601759655dac641ee1fd26d92fff379f3ba7637586bc2e674db382

  • SSDEEP

    98304:UYnB7YHduKT/GkUgUZpBoMfDM6NpQm9CKcgxqEarrkIzvDDulI+lEj+28+xwitMg:vB7YHduKqhrM6Qm9pHgrkKDD9Xc+ui

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\FACT641ab.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2016
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4920
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 3EC842E7CA382D8E238D158B3A461481
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:408

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Installer\MSI70B0.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit

  • C:\Windows\Installer\MSI70B0.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit

  • C:\Windows\Installer\MSI7322.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit

  • C:\Windows\Installer\MSI7322.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit

  • C:\Windows\Installer\MSI73EE.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit

  • C:\Windows\Installer\MSI73EE.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit

  • C:\Windows\Installer\MSI73EE.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit

  • C:\Windows\Installer\MSI741E.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit

  • C:\Windows\Installer\MSI741E.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit

  • C:\Windows\Installer\MSI750B.tmp
    Filesize

    5.0MB

    MD5

    678fa1f615e4dcb5a968d5cc83c28c14

    SHA1

    a8bf90090d16faa5a2faa7f8d5fe693e69574df7

    SHA256

    41fee8131732585dc18113213c7fb469fd089dfdb18e5dadb9cb84b02e5d233f

    SHA512

    bf2d4cccf9c379cf5835ba6992f6c875a5e539c24d6ce22dbbb6542810609e63ff1b015b6e4c688c30e6f90552b345a6dbfd8336913ce20c8a1d4085971a0565

    Download Submit

  • C:\Windows\Installer\MSI750B.tmp
    Filesize

    5.0MB

    MD5

    678fa1f615e4dcb5a968d5cc83c28c14

    SHA1

    a8bf90090d16faa5a2faa7f8d5fe693e69574df7

    SHA256

    41fee8131732585dc18113213c7fb469fd089dfdb18e5dadb9cb84b02e5d233f

    SHA512

    bf2d4cccf9c379cf5835ba6992f6c875a5e539c24d6ce22dbbb6542810609e63ff1b015b6e4c688c30e6f90552b345a6dbfd8336913ce20c8a1d4085971a0565

    Download Submit

  • C:\Windows\Installer\MSI750B.tmp
    Filesize

    5.0MB

    MD5

    678fa1f615e4dcb5a968d5cc83c28c14

    SHA1

    a8bf90090d16faa5a2faa7f8d5fe693e69574df7

    SHA256

    41fee8131732585dc18113213c7fb469fd089dfdb18e5dadb9cb84b02e5d233f

    SHA512

    bf2d4cccf9c379cf5835ba6992f6c875a5e539c24d6ce22dbbb6542810609e63ff1b015b6e4c688c30e6f90552b345a6dbfd8336913ce20c8a1d4085971a0565

    Download Submit

  • memory/408-156-0x00000000036C0000-0x00000000036C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/408-157-0x00000000037D0000-0x00000000037D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/408-158-0x00000000037E0000-0x00000000037E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/408-159-0x0000000003810000-0x0000000003811000-memory.dmp

    Filesize

    4KB

    Download

  • memory/408-160-0x0000000003820000-0x0000000003821000-memory.dmp

    Filesize

    4KB

    Download

  • memory/408-161-0x0000000003830000-0x0000000003831000-memory.dmp

    Filesize

    4KB

    Download

  • memory/408-162-0x0000000002CB0000-0x00000000036B7000-memory.dmp

    Filesize

    10.0MB

    Download

  • memory/408-164-0x0000000003990000-0x0000000003991000-memory.dmp

    Filesize

    4KB

    Download

  • memory/408-172-0x0000000003990000-0x0000000003991000-memory.dmp

    Filesize

    4KB

    Download