Overview

overview

7

Static

static

1

Fact_p_d_f...6e.msi

windows7-x64

7

Fact_p_d_f...6e.msi

windows10-2004-x64

7

Analysis

  • max time kernel
    161s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-01-2024 19:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Fact_p_d_f0f2a15e8346e.msi

  • Size

    13.9MB

  • MD5

    499dc2cc8da0538636d189cc9aa693d7

  • SHA1

    3b62bbbfb760a9521dd5084028adf63bfe0819b8

  • SHA256

    b8afd6640de8feed1774e8db3d428c0f1bca023324bb7de9a5eb99db2ea84e26

  • SHA512

    fcd32114c9bac17fe1bb535901a2108d7e9a9d1ee9f32f0597b87625efdc860b0790ba9e0a4fac952f8835955ad689e6f93f8d33b08dacc12bca7866eb7b4bd5

  • SSDEEP

    196608:LDops1caVIW/WQ2p4TJbV12OVfZmh1ONCnBsc99G57CslWPzpnMffxfbJjj:LMm+W/WaJp12OVWWCnTg7hWN8Ljj

Score
7/10
upx

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 11 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Blocklisted process makes network request 7 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Windows directory 14 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Fact_p_d_f0f2a15e8346e.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3148
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:812
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 35A30527EF56F32E4C0098B31DF0F768
      2⤵
      • Loads dropped DLL
      • Blocklisted process makes network request
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:1396

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\ssleay32.dll
    Filesize

    106KB

    MD5

    931c97553b3319f21b9ef249aa3cd244

    SHA1

    42c6611da2154bb6e0911993cf97071908b48bf2

    SHA256

    7e643c188a1ee3b0251b7dfcab000b7c48fd840eff35189e8a45901852e3910a

    SHA512

    790141b758aa68c6384aaf6f85b09f9bc641a300a4e7fa05a74c3f89af090fbbfdcfe3dce24842a8d0c75b874839d505692c1951ed66f57e9840c559820514d3

    Download Submit

  • C:\Windows\Installer\MSI843E.tmp
    Filesize

    721KB

    MD5

    5a1f2196056c0a06b79a77ae981c7761

    SHA1

    a880ae54395658f129e24732800e207ecd0b5603

    SHA256

    52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

    SHA512

    9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

    Download Submit

  • C:\Windows\Installer\MSIB797.tmp
    Filesize

    1.1MB

    MD5

    25e52c5776a81e0c5ccb9bdd4c808c90

    SHA1

    e42104ef61ae4760a41552292091eb6a5089ced4

    SHA256

    0831dbcb3799c9e36ea586582e8ef907dcefeb2045351d6774c7ad0ef02a9af2

    SHA512

    746570c011e501505ec9d09077519bca1a485b0cac66229be6f4715a91ee52d5cc857de26ad8d7a33806ddfa580d2ba9f77759e3764ea761d327fe2f1e881292

    Download Submit

  • C:\Windows\Installer\MSIB797.tmp
    Filesize

    183KB

    MD5

    a114ba6501374390c9a33c3f6dfd6056

    SHA1

    2d33637066466eb4e107e76822e6f5b73acfec4d

    SHA256

    db8d0e33bf13287ce1ebea4be2b0d36ccc275b9d94509705955c07416f5cd0c1

    SHA512

    e1df6d5b49ae7d9203dcd10bbab52e2afc6e9259cd03d81d41fda467e032da5041508ac71a2b5f78299766f209933b9d1a7b57083520e1edcd3d30fd304c7256

    Download Submit

  • C:\Windows\Installer\MSIC70B.tmp
    Filesize

    11.0MB

    MD5

    15a536317e1241ed81d6deadc5afc0c4

    SHA1

    54b5dbd3619ce44d61d79c7ae2bf09c7109fc94c

    SHA256

    6e1434e0f8cd402f8acb0aade942c86d6b62cd6aa3927053f25fdf57ed384b47

    SHA512

    d641e93a9488badbcb15dc16903a11b4a838d4d00146ec2a070817b4e68d4e4571af655577cd9a4e35a002ff1d00f8f2d27a9d6c46af4de355a4340f8853d09c

    Download Submit

  • \??\c:\programdata\libeay32.dll
    Filesize

    482KB

    MD5

    c2703965b8ba0ecf8c5d8a043976facc

    SHA1

    c578c694d4fe5c15acc3b7aa60e9874d0ded3d54

    SHA256

    e28e34fbdaff077669586dcdb4e10f0ba2ca6c9973ed4d372a5c3ec3b8ad20e7

    SHA512

    cb729665206594928a90b29e5c7592120345e92a605122ec6aea564250c4d5d48e1d39c8803820eccde7920aa4d9af99fb3748671de076476d833710b9491d61

    Download Submit

  • memory/1396-44-0x0000000003DB0000-0x0000000003DB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1396-41-0x00000000028B0000-0x00000000028B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1396-42-0x00000000028C0000-0x00000000028C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1396-43-0x0000000003DA0000-0x0000000003DA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1396-45-0x0000000003DC0000-0x0000000003DC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1396-47-0x00000000029E0000-0x0000000003D7A000-memory.dmp

    Filesize

    19.6MB

    Download

  • memory/1396-46-0x0000000003DD0000-0x0000000003DD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1396-40-0x00000000028A0000-0x00000000028A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1396-52-0x0000000010000000-0x0000000010149000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1396-39-0x00000000029E0000-0x0000000003D7A000-memory.dmp

    Filesize

    19.6MB

    Download

  • memory/1396-56-0x00000000043E0000-0x000000000442C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1396-57-0x0000000010000000-0x0000000010149000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1396-59-0x00000000029E0000-0x0000000003D7A000-memory.dmp

    Filesize

    19.6MB

    Download