IOC Report
KL027.msi

Files

File Path

Type

Category

Malicious

KL027.msi

Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Template: ;1033, Last Saved By: ciprian, Revision Number: {F02FAAA2-A115-4256-8A34-700EBBCA224D}, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 936, Number of Words: 2, Name of Creating Application: letvpndesktop, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200

initial sample

Details

Filetype:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Template: ;1033, Last Saved By: ciprian, Revision Number: {F02FAAA2-A115-4256-8A34-700EBBCA224D}, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 936, Number of Words: 2, Name of Creating Application: letvpndesktop, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Entropy:	7.988764056833537
Filename:	KL027.msi
Filesize:	55966720
MD5:	877af3069bc2925f5b886a96fc3ca471
SHA1:	e72343f6c04fecd9cc0dd441071586152b147ecf
SHA256:	2ae7e0a629003e3aaade78a51b247c5e2f85a96e07a0ef9720dde29bbd886189
SHA512:	bdf0e44f1c94187750da4f457d3c331da0b977520b1a0e98c0331a1a6286892caeb9e15e346ba08f7024e3a2fc58c76ced2f3890c46e715498673ea080a728fc
SSDEEP:	1572864:vmGx0lFZc5KssedqDOq4pdra+T5qQXr6dmzXv0lPdNb:vzejcMedkOzhFqQXr6EzoPdF
Preview:	........................>...................V...................................x.......}...~...................................................................................g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z..

Signature Hits	Behavior Group	Mitre Attack
Sample file is different than original file name gathered from version info	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\MSI236B.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\MSI236B.tmp
Category:	dropped
Dump:	MSI236B.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Windows\System32\msiexec.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.4696654484377945
Encrypted:	false
Ssdeep:	6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
Size:	602432
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\MSI23E9.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\MSI23E9.tmp
Category:	dropped
Dump:	MSI23E9.tmp.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Windows\System32\msiexec.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.4696654484377945
Encrypted:	false
Ssdeep:	6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
Size:	602432
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Users\user\AppData\Local\Temp\MSI2438.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\MSI2438.tmp
Category:	dropped
Dump:	MSI2438.tmp.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Windows\System32\msiexec.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.4696654484377945
Encrypted:	false
Ssdeep:	6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
Size:	602432
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Users\user\AppData\Local\Temp\MSI2497.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\MSI2497.tmp
Category:	dropped
Dump:	MSI2497.tmp.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Windows\System32\msiexec.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.4696654484377945
Encrypted:	false
Ssdeep:	6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
Size:	602432
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Users\user\AppData\Local\Temp\MSI24B7.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\MSI24B7.tmp
Category:	dropped
Dump:	MSI24B7.tmp.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Windows\System32\msiexec.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.4696654484377945
Encrypted:	false
Ssdeep:	6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
Size:	602432
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Users\user\AppData\Local\Temp\MSI24D8.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\MSI24D8.tmp
Category:	dropped
Dump:	MSI24D8.tmp.0.dr
ID:	dr_5
Target ID:	0
Process:	C:\Windows\System32\msiexec.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.4696654484377945
Encrypted:	false
Ssdeep:	6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
Size:	602432
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Users\user\AppData\Local\Temp\MSI25A4.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\MSI25A4.tmp
Category:	dropped
Dump:	MSI25A4.tmp.0.dr
ID:	dr_6
Target ID:	0
Process:	C:\Windows\System32\msiexec.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.4696654484377945
Encrypted:	false
Ssdeep:	6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
Size:	602432
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Users\user\AppData\Local\Temp\viewer.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\viewer.exe
Category:	dropped
Dump:	viewer.exe.2.dr
ID:	dr_7
Target ID:	2
Process:	C:\Windows\SysWOW64\msiexec.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.534588738111638
Encrypted:	false
Ssdeep:	12288:tbiQnSDqYisDEiD3jbTFiuiSiO+kP53nUNlQ:tbvnSDqJsDEiD3PTFTFiS53UNW
Size:	429568
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

Processes

Path

Cmdline

Malicious

C:\Windows\System32\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\KL027.msi"

Details

Is windows:	true
Is dropped:	false
PID:	6572
Target ID:	0
Parent PID:	2580
Name:	msiexec.exe
Class:	system-tools
Path:	C:\Windows\System32\msiexec.exe
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\KL027.msi"
Size:	69632
MD5:	E5DA170027542E25EDE42FC54C929077
Time:	07:41:07
Date:	21/12/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff60b6d0000
Modulesize:	94208
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

Details

Is windows:	true
Is dropped:	false
PID:	4480
Target ID:	1
Parent PID:	620
Name:	msiexec.exe
Class:	system-tools
Path:	C:\Windows\System32\msiexec.exe
Commandline:	C:\Windows\system32\msiexec.exe /V
Size:	69632
MD5:	E5DA170027542E25EDE42FC54C929077
Time:	07:41:07
Date:	21/12/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff60b6d0000
Modulesize:	94208
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 499EA3959C85834165A9E8DE49DEC93F C

Details

Is windows:	true
Is dropped:	false
PID:	432
Target ID:	2
Parent PID:	4480
Name:	msiexec.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\msiexec.exe
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 499EA3959C85834165A9E8DE49DEC93F C
Size:	59904
MD5:	9D09DC1EDA745A5F87553048E57620CF
Time:	07:41:08
Date:	21/12/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x6b0000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection