Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

0cjB1Kh8zU.msi

Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {06EC4DEC-49D2-42F0-B4E3-AF9C7D0F65E8}, Number of Words: 10, Subject: ACB BNR M L, Author: ACB BNR M L, Name of Creating Application: Advanced Installer 18.3 build e2a0201b, Template: ;1046, Comments: A base dados do instalador contm a lgica e os dados necACB BNR M L essrios para instalar o ACB BNR M L., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200

initial sample

C:\Users\user\AppData\Local\AdvinstAnalytics\6683aaa585f1fb8548fe6d24\8.7.8.9\tracking.ini

ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\AdvinstAnalytics\6683aaa585f1fb8548fe6d24\8.7.8.9\{FA5B8B9A-3776-46FC-AA1F-39AC224FF43F}.session

ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\shi8051.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\shi81E8.tmp

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\tampa.ses

ASCII text, with CRLF line terminators

dropped

C:\Users\user\IOAsNN\VNgnVm\IOAsNN.png

HTML document, ASCII text, with very long lines (394)

dropped

C:\Users\user\IOAsNN\VNgnVm\IOAsNN.zip (copy)

HTML document, ASCII text, with very long lines (394)

dropped

C:\Windows\Installer\3a7d63.msi

dropped

C:\Windows\Installer\MSI7ECA.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Windows\Installer\MSI7F87.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Windows\Installer\MSI7FB7.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Windows\Installer\MSI8006.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Windows\Installer\MSI8026.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Windows\Installer\MSI8BFE.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Windows\Installer\MSI8C4E.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Windows\Installer\MSI8CFA.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Windows\Installer\MSI8D2A.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Windows\Installer\MSI8D99.tmp

data

modified

C:\Windows\Installer\MSIA2F6.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Windows\Installer\SourceHash{5FABA36A-ECA6-4633-964F-369C3AFA2A7A}

Composite Document File V2 Document, Cannot read section info

dropped

C:\Windows\Installer\inprogressinstallinfo.ipi

Composite Document File V2 Document, Cannot read section info

dropped

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

dropped

C:\Windows\Temp\~DF28E8959115D03820.TMP

data

dropped

C:\Windows\Temp\~DF4B5EBF01DD2BB8C3.TMP

Composite Document File V2 Document, Cannot read section info

dropped

C:\Windows\Temp\~DF4E607DEED9B2AAB9.TMP

Composite Document File V2 Document, Cannot read section info

dropped

C:\Windows\Temp\~DF57940C5C110C965D.TMP

data

dropped

C:\Windows\Temp\~DF73CECE7117D5E336.TMP

data

dropped

C:\Windows\Temp\~DFA32313B41CC028EE.TMP

data

dropped

\Device\Mup\user-PC*\MAILSLOT\NET\NETLOGON

data

dropped

There are 20 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Windows\System32\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\0cjB1Kh8zU.msi"

Details

Is windows:	true
Is dropped:	false
PID:	3472
Target ID:	0
Parent PID:	4004
Name:	msiexec.exe
Class:	system-tools
Path:	C:\Windows\System32\msiexec.exe
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\0cjB1Kh8zU.msi"
Size:	69632
MD5:	E5DA170027542E25EDE42FC54C929077
Time:	18:51:56
Date:	02/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6de740000
Modulesize:	94208
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Msiexec Initiated Connection	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Windows\System32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

Details

Is windows:	true
Is dropped:	false
PID:	1208
Target ID:	2
Parent PID:	632
Name:	msiexec.exe
Class:	system-tools
Path:	C:\Windows\System32\msiexec.exe
Commandline:	C:\Windows\system32\msiexec.exe /V
Size:	69632
MD5:	E5DA170027542E25EDE42FC54C929077
Time:	18:51:56
Date:	02/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6de740000
Modulesize:	94208
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Msiexec Initiated Connection	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 11E696952DD6B03AAA33864004BDDF5F

Details

Is windows:	true
Is dropped:	false
PID:	5692
Target ID:	3
Parent PID:	1208
Name:	msiexec.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\msiexec.exe
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 11E696952DD6B03AAA33864004BDDF5F
Size:	59904
MD5:	9D09DC1EDA745A5F87553048E57620CF
Time:	18:51:57
Date:	02/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x540000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Msiexec Initiated Connection	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

URLs

Name

Malicious

http://collect.installeranalytics.com/

54.165.254.88

http://html4/loose.dtd

unknown

https://ELcXBm.processosdigital.com/caju1.png

unknown

https://www.thawte.com/cps0/

unknown

https://www.thawte.com/repository0W

unknown

https://www.advancedinstaller.com

unknown

http://collect.installeranalytics.com

unknown

http://.css

unknown

http://.jpg

unknown

https://elcxbm.processosdigital.com/caju1.png

172.67.149.157

https://collect.installeranalytics.com

unknown

https://collect.installeranalytics.comhttp://collect.installeranalytics.comhttps://installeranalytic

unknown

https://www.cloudflare.com/5xx-error-landing

unknown

There are 3 hidden URLs, click here to show them.

Domains

Name

Malicious

collect.installeranalytics.com

54.165.254.88

Details

Name:	collect.installeranalytics.com
IP:	54.165.254.88
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

bg.microsoft.map.fastly.net

199.232.214.172

elcxbm.processosdigital.com

172.67.149.157

Details

Name:	elcxbm.processosdigital.com
IP:	172.67.149.157
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Msiexec Initiated Connection	System Summary
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Uses secure TLS version for HTTPS connections	Compliance, Networking

fp2e7a.wpc.phicdn.net

192.229.221.95

IPs

Domain

Country

Malicious

54.165.254.88

collect.installeranalytics.com

United States

Details

IP:	54.165.254.88
TargetID:	3
Current Path:	C:\Windows\SysWOW64\msiexec.exe
Country:	United States
Countrycode:	USA
ASN number:	14618
ASN name:	AMAZON-AESUS
Private:	false
Domain:	collect.installeranalytics.com

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking

172.67.149.157

elcxbm.processosdigital.com

United States

Details

IP:	172.67.149.157
TargetID:	3
Current Path:	C:\Windows\SysWOW64\msiexec.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	elcxbm.processosdigital.com

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Msiexec Initiated Connection	System Summary
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Owner

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

SessionHash

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Sequence

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings

JITDebug

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached

{E88DCCE0-B7B3-11D1-A9F0-00AA0060FA31} {000214E6-0000-0000-C000-000000000046} 0xFFFF

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\msiexec.exe

JScriptSetScriptStateStarted

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
0cjB1Kh8zU.msi

Files

Processes

URLs

Domains

IPs

Registry

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report0cjB1Kh8zU.msi

Files

Processes

URLs

Domains

IPs

Registry

IOC Report
0cjB1Kh8zU.msi