Analysis

  • max time kernel
    141s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-05-2024 01:01

General

  • Target

    factboletaeletricge.msi

  • Size

    18.7MB

  • MD5

    4cbfb798bb6076378fc96c9c4b1a80fc

  • SHA1

    5fadac688f773244af547411b22d44d757c4c829

  • SHA256

    0f962b19b3405722d618ca44beea3240f8c809723b9f7735828db59d061fcd42

  • SHA512

    55a254aa2b30604bf66d7f2feeecd395c8624b4b9892898f7e9689e85ec4772c386989d91b72cb681ab614e59f2174ae705fd39ae892cb10f431d9f67aa3b15f

  • SSDEEP

    393216:ZavYmPEVSlMJHe3qS4Lt0aXQ5VFVxdPqsvV34kX:gNcLe3qFZ0mQdd9VIkX

Score
9/10
upx

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 7 IoCs
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Blocklisted process makes network request 4 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Windows directory 9 IoCs
  • Loads dropped DLL 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\factboletaeletricge.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1936
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding C152710F990020C0E1272751297DCEB7
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:2620

Network

MITRE ATT&CK Matrix (ATT&CK v13)

Discovery

  • Query Registry (T1012): 1
  • Peripheral Device Discovery (T1120): 1
  • System Information Discovery (T1082): 1

Downloads

  • C:\Windows\Installer\MSIADA.tmp
    Filesize

    738KB

    MD5

    36cd2870d577ff917ba93c9f50f86374

    SHA1

    e51baf257f5a3c3cd7b68690e36945fa3284e710

    SHA256

    8d3e94c47af3da706a9fe9e4428b2fefd5e9e6c7145e96927fffdf3dd5e472b8

    SHA512

    426fe493a25e99ca9630ad4706ca5ac062445391ab2087793637339f3742a5e1af2cedb4682babc0c4e7f9e06fed0b4ed543ddeb6f4e6f75c50349c0354aceda

  • C:\Windows\Installer\MSIEE4.tmp
    Filesize

    16.5MB

    MD5

    2e2a5db0e8e5a8a65f89d11330de872e

    SHA1

    116dd648183dca8e9f6d1e345962924aaab7fccd

    SHA256

    6bcd4341830d410f5e274fedfc44f6b1b1df574337492ced997af85e1433e617

    SHA512

    6cda7a7ba89aeb75824e99112178f17b3cfe63966abd9bf8a5b363f05ade184711f0cfbf7aacc50f6926808bc1b2d6b081b13f6ef553320e6dfea7df3e7622e8

  • \??\c:\programdata\ssleay32.dll
    Filesize

    106KB

    MD5

    931c97553b3319f21b9ef249aa3cd244

    SHA1

    42c6611da2154bb6e0911993cf97071908b48bf2

    SHA256

    7e643c188a1ee3b0251b7dfcab000b7c48fd840eff35189e8a45901852e3910a

    SHA512

    790141b758aa68c6384aaf6f85b09f9bc641a300a4e7fa05a74c3f89af090fbbfdcfe3dce24842a8d0c75b874839d505692c1951ed66f57e9840c559820514d3

  • \ProgramData\libeay32.dll
    Filesize

    482KB

    MD5

    c2703965b8ba0ecf8c5d8a043976facc

    SHA1

    c578c694d4fe5c15acc3b7aa60e9874d0ded3d54

    SHA256

    e28e34fbdaff077669586dcdb4e10f0ba2ca6c9973ed4d372a5c3ec3b8ad20e7

    SHA512

    cb729665206594928a90b29e5c7592120345e92a605122ec6aea564250c4d5d48e1d39c8803820eccde7920aa4d9af99fb3748671de076476d833710b9491d61

  • memory/2620-28-0x0000000000230000-0x0000000000231000-memory.dmp
    Filesize

    4KB

  • memory/2620-33-0x0000000002890000-0x000000000497C000-memory.dmp
    Filesize

    32.9MB

  • memory/2620-32-0x0000000000230000-0x0000000000231000-memory.dmp
    Filesize

    4KB

  • memory/2620-38-0x0000000010000000-0x0000000010149000-memory.dmp
    Filesize

    1.3MB

  • memory/2620-39-0x0000000010000000-0x0000000010149000-memory.dmp
    Filesize

    1.3MB

  • memory/2620-30-0x0000000000230000-0x0000000000231000-memory.dmp
    Filesize

    4KB

  • memory/2620-42-0x0000000005C60000-0x0000000005CAC000-memory.dmp
    Filesize

    304KB

  • memory/2620-60-0x0000000005C60000-0x0000000005CAC000-memory.dmp
    Filesize

    304KB

  • memory/2620-59-0x0000000010000000-0x0000000010149000-memory.dmp
    Filesize

    1.3MB