IOC Report
FACT64708.msi

Files

File Path

Type

Category

Malicious

FACT64708.msi

Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {99C5E16F-1B9A-4372-8446-788EB651135D}, Number of Words: 10, Subject: window1, Author: window1, Name of Creating Application: Advanced Installer 18.1 build 4fb1edbd, Template: ;1033, Comments: window1, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200

initial sample

C:\Windows\Installer\MSI5A28.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Windows\Installer\MSI5AF4.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Windows\Installer\MSI5B53.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Windows\Installer\MSI5BB2.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Windows\Installer\MSI5D1B.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

modified

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\json[1].json

JSON data

dropped

C:\Windows\Installer\3e573a.msi

Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {99C5E16F-1B9A-4372-8446-788EB651135D}, Number of Words: 10, Subject: window1, Author: window1, Name of Creating Application: Advanced Installer 18.1 build 4fb1edbd, Template: ;1033, Comments: window1, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200

dropped

C:\Windows\Installer\MSI5CBC.tmp

data

dropped

C:\Windows\Installer\SourceHash{391D3F83-F57B-4C37-B67D-2C3B478539D3}

Composite Document File V2 Document, Cannot read section info

dropped

C:\Windows\Installer\inprogressinstallinfo.ipi

Composite Document File V2 Document, Cannot read section info

dropped

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

dropped

C:\Windows\Temp\~DF0B319199736319C6.TMP

data

dropped

C:\Windows\Temp\~DF15E57EF7A6220754.TMP

data

dropped

There are 4 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding EC16BF9ACD034E20C79A272C76FEE245

Details

Is windows:	true
Is dropped:	false
PID:	6920
Target ID:	2
Parent PID:	6800
Name:	msiexec.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\msiexec.exe
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding EC16BF9ACD034E20C79A272C76FEE245
Size:	59904
MD5:	12C17B5A5C2A7B97342C362CA467E9A2
Time:	12:28:30
Date:	26/05/2023
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xd80000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\FACT64708.msi"

Details

Is windows:	true
Is dropped:	false
PID:	6836
Target ID:	0
Parent PID:	3528
Name:	msiexec.exe
Class:	system-tools
Path:	C:\Windows\System32\msiexec.exe
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\FACT64708.msi"
Size:	66048
MD5:	4767B71A318E201188A0D0A420C8B608
Time:	12:28:28
Date:	26/05/2023
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7394b0000
Modulesize:	90112
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

Details

Is windows:	true
Is dropped:	false
PID:	6800
Target ID:	1
Parent PID:	576
Name:	msiexec.exe
Class:	system-tools
Path:	C:\Windows\System32\msiexec.exe
Commandline:	C:\Windows\system32\msiexec.exe /V
Size:	66048
MD5:	4767B71A318E201188A0D0A420C8B608
Time:	12:28:29
Date:	26/05/2023
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7394b0000
Modulesize:	90112
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

IP

Malicious

https://ipinfo.io/missingauth

unknown

https://www.advancedinstaller.com

unknown

https://www.thawte.com/cps0/

unknown

https://www.thawte.com/repository0W

unknown

https://ipinfo.io/json

34.117.59.81

Details

Name:	https://ipinfo.io/json
IP:	34.117.59.81
TargetID:	2
From Memory:	false
Current Path:	C:\Windows\SysWOW64\msiexec.exe
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

Domains

Name

IP

Malicious

ipinfo.io

34.117.59.81

Details

Name:	ipinfo.io
IP:	34.117.59.81
TargetID:	2
Current Path:	C:\Windows\SysWOW64\msiexec.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

IP

Domain

Country

Malicious

34.117.59.81

ipinfo.io

United States

Details

IP:	34.117.59.81
TargetID:	2
Current Path:	C:\Windows\SysWOW64\msiexec.exe
Country:	United States
Countrycode:	USA
ASN number:	139070
ASN name:	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG
Private:	false
Domain:	ipinfo.io

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

89.44.9.236

unknown

Romania

Details

IP:	89.44.9.236
TargetID:	2
Current Path:	C:\Windows\SysWOW64\msiexec.exe
Country:	Romania
Countrycode:	ROU
ASN number:	9009
ASN name:	M247GB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000

Owner

HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000

SessionHash

HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000

Sequence

Memdumps

Base Address

Regiontype

Protect

Malicious

27084A4E000

heap

page read and write

27084A4C000

heap

page read and write

9DC5B7D000

stack

page read and write

27084A5B000

heap

page read and write

9DC5CF9000

stack

page read and write

9DC5C7E000

stack

page read and write

27084BF0000

heap

page read and write

27084BD0000

heap

page read and write

27084A08000

heap

page read and write

27084D80000

heap

page read and write

27084A4C000

heap

page read and write

27084A6C000

heap

page read and write

27084D8E000

heap

page read and write

27084A44000

heap

page read and write

27085880000

trusted library allocation

page read and write

27084A10000

heap

page read and write

27084C60000

trusted library allocation

page read and write

27084980000

heap

page read and write

27084D89000

heap

page read and write

27084CC0000

trusted library allocation

page read and write

27084A00000

heap

page read and write

9DC5BF9000

stack

page read and write

27084D85000

heap

page read and write

27084D90000

trusted library allocation

page read and write

27084D20000

trusted library allocation

page read and write

27084D00000

trusted library allocation

page read and write

9DC57EB000

stack

page read and write

27084D30000

trusted library allocation

page read and write

27084A5C000

heap

page read and write

27084990000

trusted library allocation

page read and write

27084A4C000

heap

page read and write

27084C50000

trusted library allocation

page read and write

27085A90000

trusted library allocation

page read and write

27084D10000

heap

page readonly

There are 24 hidden memdumps, click here to show them.