Overview

overview

7

Static

static

1

Fact_p_d_f...6e.msi

windows7-x64

7

Fact_p_d_f...6e.msi

windows10-2004-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    17-01-2024 19:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Fact_p_d_f0f2a15e8346e.msi

  • Size

    13.9MB

  • MD5

    499dc2cc8da0538636d189cc9aa693d7

  • SHA1

    3b62bbbfb760a9521dd5084028adf63bfe0819b8

  • SHA256

    b8afd6640de8feed1774e8db3d428c0f1bca023324bb7de9a5eb99db2ea84e26

  • SHA512

    fcd32114c9bac17fe1bb535901a2108d7e9a9d1ee9f32f0597b87625efdc860b0790ba9e0a4fac952f8835955ad689e6f93f8d33b08dacc12bca7866eb7b4bd5

  • SSDEEP

    196608:LDops1caVIW/WQ2p4TJbV12OVfZmh1ONCnBsc99G57CslWPzpnMffxfbJjj:LMm+W/WaJp12OVWWCnTg7hWN8Ljj

Score
7/10
upx

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 7 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Blocklisted process makes network request 11 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Windows directory 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Fact_p_d_f0f2a15e8346e.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2896
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2684
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding A5E138A733F4C4A4AD34E9DB153227E9
      2⤵
      • Loads dropped DLL
      • Blocklisted process makes network request
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:2848

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    62fe3445a072804d10bef10553846f08

    SHA1

    573068ebc4cab8219ba47725802b4845af84fa75

    SHA256

    b7aab40889d4a49b906e9895ce7b3feec0738c2b90bee1e7bd142f052fc6e244

    SHA512

    6d5ec43e87a7543b856fadcdb28b1f181ede432de42d04ed51fb2def8bb1fe922da83f1d714f437ba048e81153837abf91bff61626b6f3c706389a2810577abc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabA1FC.tmp
    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarA28B.tmp
    Filesize

    171KB

    MD5

    9c0c641c06238516f27941aa1166d427

    SHA1

    64cd549fb8cf014fcd9312aa7a5b023847b6c977

    SHA256

    4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

    SHA512

    936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

    Download Submit

  • C:\Windows\Installer\MSI52C2.tmp
    Filesize

    721KB

    MD5

    5a1f2196056c0a06b79a77ae981c7761

    SHA1

    a880ae54395658f129e24732800e207ecd0b5603

    SHA256

    52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

    SHA512

    9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

    Download Submit

  • C:\Windows\Installer\MSI55FE.tmp
    Filesize

    1.1MB

    MD5

    25e52c5776a81e0c5ccb9bdd4c808c90

    SHA1

    e42104ef61ae4760a41552292091eb6a5089ced4

    SHA256

    0831dbcb3799c9e36ea586582e8ef907dcefeb2045351d6774c7ad0ef02a9af2

    SHA512

    746570c011e501505ec9d09077519bca1a485b0cac66229be6f4715a91ee52d5cc857de26ad8d7a33806ddfa580d2ba9f77759e3764ea761d327fe2f1e881292

    Download Submit

  • C:\Windows\Installer\MSI6464.tmp
    Filesize

    8.5MB

    MD5

    2fcbde43cfd0813f0f9a9f773b9efa45

    SHA1

    205bffec199b0fc1f6b2542948b4bc1e89389152

    SHA256

    98bf7c68dc599e7029e699d689f3d1d8ea49749a1a6300c9c177e00832c27ed7

    SHA512

    4ad3bdb709484d533359a8a8a3e3fed4c79e328c34d2375febd3a6012be4bbd2be05a6c2d55efdb5086e7c7c64986182f5809b248e953459d21108d18f629011

    Download Submit

  • \ProgramData\libeay32.dll
    Filesize

    482KB

    MD5

    c2703965b8ba0ecf8c5d8a043976facc

    SHA1

    c578c694d4fe5c15acc3b7aa60e9874d0ded3d54

    SHA256

    e28e34fbdaff077669586dcdb4e10f0ba2ca6c9973ed4d372a5c3ec3b8ad20e7

    SHA512

    cb729665206594928a90b29e5c7592120345e92a605122ec6aea564250c4d5d48e1d39c8803820eccde7920aa4d9af99fb3748671de076476d833710b9491d61

    Download Submit

  • \ProgramData\ssleay32.dll
    Filesize

    106KB

    MD5

    931c97553b3319f21b9ef249aa3cd244

    SHA1

    42c6611da2154bb6e0911993cf97071908b48bf2

    SHA256

    7e643c188a1ee3b0251b7dfcab000b7c48fd840eff35189e8a45901852e3910a

    SHA512

    790141b758aa68c6384aaf6f85b09f9bc641a300a4e7fa05a74c3f89af090fbbfdcfe3dce24842a8d0c75b874839d505692c1951ed66f57e9840c559820514d3

    Download Submit

  • \Windows\Installer\MSI6464.tmp
    Filesize

    5.5MB

    MD5

    60fc92a7293a930a41b29b1225efce68

    SHA1

    1e27227e54a9d0c9c8730d0ac2e64638c00e17f4

    SHA256

    28c03fdaf9edffcb7a93863db896b5e36a1601917083d88367a23f72314e0057

    SHA512

    e79b42496dcc093d024d379000941df7e9b052d2dcc03b10b10975dc48018d93c532b341c0ffb36820704dc64927c17c7c74d5169c3063c52c98721856cdae4a

    Download Submit

  • memory/2848-58-0x00000000002A0000-0x00000000002A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2848-50-0x0000000000280000-0x0000000000281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2848-40-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2848-41-0x0000000000270000-0x0000000000271000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2848-45-0x0000000000270000-0x0000000000271000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2848-55-0x0000000000290000-0x0000000000291000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2848-53-0x0000000000290000-0x0000000000291000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2848-37-0x0000000002610000-0x00000000039AA000-memory.dmp

    Filesize

    19.6MB

    Download

  • memory/2848-65-0x00000000002B0000-0x00000000002B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2848-63-0x00000000002B0000-0x00000000002B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2848-60-0x00000000002A0000-0x00000000002A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2848-38-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2848-48-0x0000000000280000-0x0000000000281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2848-43-0x0000000000270000-0x0000000000271000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2848-33-0x0000000002610000-0x00000000039AA000-memory.dmp

    Filesize

    19.6MB

    Download

  • memory/2848-70-0x0000000010000000-0x0000000010149000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2848-73-0x0000000001F50000-0x0000000001F9C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2848-35-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2848-74-0x0000000002610000-0x00000000039AA000-memory.dmp

    Filesize

    19.6MB

    Download

  • memory/2848-34-0x0000000000200000-0x0000000000201000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2848-31-0x0000000000200000-0x0000000000201000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2848-29-0x0000000000200000-0x0000000000201000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2848-139-0x0000000010000000-0x0000000010149000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2848-155-0x0000000002610000-0x00000000039AA000-memory.dmp

    Filesize

    19.6MB

    Download