Edit tour

Windows Analysis Report
Fatrr_wakMkxp.msi

Overview

General Information

Sample Name:	Fatrr_wakMkxp.msi
Analysis ID:	896111
MD5:	27d8c23579018eff34ce61459e18f7f1
SHA1:	ad64565c41d3a3581621238ac4c65411e7cc30bc
SHA256:	5995f2e1327a4a820695aa97f9e18926ecc900f1a036d8b11573c572d0fd47fd
Tags:	msi
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Snort IDS alert for network traffic

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Drops PE files to the windows directory (C:\Windows)

Creates files inside the system directory

PE file contains sections with non-standard names

Binary contains a suspicious time stamp

Creates a start menu entry (Start Menu\Programs\Startup)

Stores files to the Windows start menu directory

Checks for available system drives (often done to infect USB drives)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 5740 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Fatrr_wakMkxp.msi" MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 6940 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 3872 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 366E9C1149556BC0F11E4B9E382385C6 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

cleanup

Snort Signatures

ETPRO MALWARE TakeMyFile User-Agent - Source IP: 192.168.2.6 - Destination IP: 54.198.235.9

Timestamp:	192.168.2.654.198.235.949711802849814 06/29/23-09:12:32.141900
SID:	2849814
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE TakeMyFile Installer Checkin - Source IP: 192.168.2.6 - Destination IP: 54.198.235.9

Timestamp:	192.168.2.654.198.235.949711802849813 06/29/23-09:12:32.141900
SID:	2849813
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

HTTP traffic detected: POST / HTTP/1.1Content-Type: application/x-www-form-urlencoded; charset=utf-8User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64)Host: collect.installeranalytics.comContent-Length: 167Cache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: collect.installeranalytics.com

Source: Fatrr_wakMkxp.msi	Binary or memory string: OriginalFilenameAICustAct.dllF vs Fatrr_wakMkxp.msi
Source: Fatrr_wakMkxp.msi	Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs Fatrr_wakMkxp.msi
Source: Fatrr_wakMkxp.msi	Binary or memory string: OriginalFilenameInstallerAnalytics.dllF vs Fatrr_wakMkxp.msi
Source: Fatrr_wakMkxp.msi	Binary or memory string: OriginalFilenameembeddeduiproxy.dllF vs Fatrr_wakMkxp.msi

Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIE100.tmp

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\3ddde4.msi

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Fatrr_wakMkxp.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 366E9C1149556BC0F11E4B9E382385C6
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 366E9C1149556BC0F11E4B9E382385C6	Jump to behavior

Source: identity_helper.lnk.2.dr

LNK file: ..\..\..\..\..\..\..\..\Public\Documents\identity_helper.exe

Source: C:\Windows\SysWOW64\msiexec.exe

File created: C:\Users\user\AppData\Local\AdvinstAnalytics

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF5991F4C5103D2B15.TMP

Jump to behavior

Source: shiE3EE.tmp.2.dr

Binary string: o\Device\NameResTrk\RecordNrtCloneOpenPacketW

Source: C:\Windows\SysWOW64\msiexec.exe

File written: C:\Users\user\AppData\Local\AdvinstAnalytics\649bc0e995075a1a74755442\7.7.6.4\tracking.ini

Jump to behavior

Source: classification engine

Classification label: mal48.winMSI@4/27@1/1

Source: C:\Windows\SysWOW64\msiexec.exe

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Fatrr_wakMkxp.msi

Static file information: File size 2252288 > 1048576

Source:	Binary string: wininet.pdb source: shiE3EE.tmp.2.dr
Source:	Binary string: C:\JobRelease\win\Release\bin\x86\embeddeduiproxy.pdb source: Fatrr_wakMkxp.msi, 3ddde4.msi.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: Fatrr_wakMkxp.msi, 3ddde4.msi.1.dr, MSIE395.tmp.1.dr
Source:	Binary string: d3d12.pdbUGP source: shiE4AB.tmp.2.dr
Source:	Binary string: d3d12.pdb source: shiE4AB.tmp.2.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb\ source: Fatrr_wakMkxp.msi, 3ddde4.msi.1.dr, MSIE395.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\InstallerAnalytics.pdbu source: Fatrr_wakMkxp.msi, MSIE100.tmp.1.dr, MSIEB69.tmp.1.dr, 3ddde4.msi.1.dr, MSIE80B.tmp.1.dr, MSIE77E.tmp.1.dr, MSI79.tmp.1.dr
Source:	Binary string: wininet.pdbUGP source: shiE3EE.tmp.2.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\InstallerAnalytics.pdb source: Fatrr_wakMkxp.msi, MSIE100.tmp.1.dr, MSIEB69.tmp.1.dr, 3ddde4.msi.1.dr, MSIE80B.tmp.1.dr, MSIE77E.tmp.1.dr, MSI79.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: Fatrr_wakMkxp.msi, MSIE269.tmp.1.dr, MSIE365.tmp.1.dr, 3ddde4.msi.1.dr, MSIE2F6.tmp.1.dr, MSIEAFA.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbg source: Fatrr_wakMkxp.msi, MSIE269.tmp.1.dr, MSIE365.tmp.1.dr, 3ddde4.msi.1.dr, MSIE2F6.tmp.1.dr, MSIEAFA.tmp.1.dr

Source: shiE4AB.tmp.2.dr	Static PE information: section name: .text_hf
Source: shiE4AB.tmp.2.dr	Static PE information: section name: .didat
Source: shiE4AB.tmp.2.dr	Static PE information: section name: .DDIData
Source: shiE3EE.tmp.2.dr	Static PE information: section name: .wpp_sf
Source: shiE3EE.tmp.2.dr	Static PE information: section name: .didat

Source: shiE3EE.tmp.2.dr

Static PE information: 0x84CD8294 [Wed Aug 8 17:47:00 2040 UTC]

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE100.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEAFA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE269.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE2F6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI79.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\shiE4AB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE80B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE395.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE365.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\shiE3EE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE77E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEB69.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE100.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEAFA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE269.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE2F6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI79.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE80B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE395.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE365.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE77E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEB69.tmp	Jump to dropped file

Source: C:\Windows\SysWOW64\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\identity_helper.lnk

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zino.ps1			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\identity_helper.lnk			Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe TID: 5540

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIEAFA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE2F6.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shiE4AB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE80B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE365.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shiE3EE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE77E.tmp	Jump to dropped file

Source: C:\Windows\SysWOW64\msiexec.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Windows\SysWOW64\msiexec.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: MSIE395.tmp.1.dr

Binary or memory string: 01234567890.0.0.0.%dVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IROOT\CIMV2SELECT * FROM Win32_ComputerSystemSELECT * FROM Win32_BIOSManufacturerModelVersionGetting system informationManufacturer [Model [BIOS [IsWow64Processkernel32Software\Microsoft\Windows NT\CurrentVersionSYSTEM\CurrentControlSet\Control\ProductOptionsCurrentMajorVersionNumberCurrentMinorVersionNumberCurrentVersionCurrentBuildNumberReleaseIdCSDVersionProductTypeProductSuiteWinNTServerNTSmall BusinessEnterpriseBackOfficeCommunicationServerTerminal ServerSmall Business(Restricted)EmbeddedNTDataCenterPersonalBladeEmbedded(Restricted)Security ApplianceStorage ServerCompute Server Failed to create IWbemLocator object. Error code: \\Could not connect to WMI provider. Error code: Failed to initialize security. Error code: Could not set proxy blanket. Error code: WQLWMI Query failed: []. Error code:

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Replication Through Removable Media	3 Windows Management Instrumentation	2 Registry Run Keys / Startup Folder	1 Process Injection	21 Masquerading	OS Credential Dumping	21 Security Software Discovery	1 Replication Through Removable Media	Data from Local System	Exfiltration Over Other Network Medium	2 Non-Application Layer Protocol	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	2 Registry Run Keys / Startup Folder	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	2 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 DLL Side-Loading	1 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Timestomp	NTDS	11 Peripheral Device Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 File Deletion	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	32 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Fatrr_wakMkxp.msi	5%	ReversingLabs
Fatrr_wakMkxp.msi	5%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\shiE3EE.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\shiE4AB.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI79.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIE100.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIE269.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIE2F6.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIE365.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIE395.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIE77E.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIE80B.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIEAFA.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIEB69.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
http://html4/loose.dtd	0%	Avira URL Cloud	safe
https://HTTP/1.1	0%	Avira URL Cloud	safe
http://.jpg	0%	Avira URL Cloud	safe
http://.css	0%	Avira URL Cloud	safe
https://collect.installeranalytics.comhttp://collect.installeranalytics.comhttps://installeranalytic	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
collect.installeranalytics.com	54.198.235.9	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://collect.installeranalytics.com/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://html4/loose.dtd	shiE3EE.tmp.2.dr	false	Avira URL Cloud: safe	low
https://www.advancedinstaller.com	Fatrr_wakMkxp.msi, MSIE269.tmp.1.dr, MSIE365.tmp.1.dr, MSIE100.tmp.1.dr, MSIEB69.tmp.1.dr, 3ddde4.msi.1.dr, MSIE2F6.tmp.1.dr, MSIE80B.tmp.1.dr, MSIE77E.tmp.1.dr, MSIEAFA.tmp.1.dr, MSIE395.tmp.1.dr, MSI79.tmp.1.dr	false		high
https://HTTP/1.1	shiE3EE.tmp.2.dr	false	Avira URL Cloud: safe	low
http://collect.installeranalytics.com	Fatrr_wakMkxp.msi, MSIE100.tmp.1.dr, MSIEB69.tmp.1.dr, 3ddde4.msi.1.dr, MSIE80B.tmp.1.dr, MSIE77E.tmp.1.dr, MSI79.tmp.1.dr	false		high
https://www.thawte.com/cps0/	Fatrr_wakMkxp.msi, MSIE269.tmp.1.dr, MSIE365.tmp.1.dr, MSIE100.tmp.1.dr, MSIEB69.tmp.1.dr, 3ddde4.msi.1.dr, MSIE2F6.tmp.1.dr, MSIE80B.tmp.1.dr, MSIE77E.tmp.1.dr, MSIEAFA.tmp.1.dr, MSIE395.tmp.1.dr, MSI79.tmp.1.dr	false		high
http://.css	shiE3EE.tmp.2.dr	false	Avira URL Cloud: safe	low
http://.jpg	shiE3EE.tmp.2.dr	false	Avira URL Cloud: safe	low
https://www.thawte.com/repository0W	Fatrr_wakMkxp.msi, MSIE269.tmp.1.dr, MSIE365.tmp.1.dr, MSIE100.tmp.1.dr, MSIEB69.tmp.1.dr, 3ddde4.msi.1.dr, MSIE2F6.tmp.1.dr, MSIE80B.tmp.1.dr, MSIE77E.tmp.1.dr, MSIEAFA.tmp.1.dr, MSIE395.tmp.1.dr, MSI79.tmp.1.dr	false		high
https://collect.installeranalytics.com	Fatrr_wakMkxp.msi, MSIE100.tmp.1.dr, MSIEB69.tmp.1.dr, 3ddde4.msi.1.dr, MSIE80B.tmp.1.dr, MSIE77E.tmp.1.dr, MSI79.tmp.1.dr	false		high
https://collect.installeranalytics.comhttp://collect.installeranalytics.comhttps://installeranalytic	Fatrr_wakMkxp.msi, MSIE100.tmp.1.dr, MSIEB69.tmp.1.dr, 3ddde4.msi.1.dr, MSIE80B.tmp.1.dr, MSIE77E.tmp.1.dr, MSI79.tmp.1.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
54.198.235.9	collect.installeranalytics.com	United States		14618	AMAZON-AESUS	false

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	896111
Start date and time:	2023-06-29 09:11:12 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	Fatrr_wakMkxp.msi
Detection:	MAL
Classification:	mal48.winMSI@4/27@1/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): WMIADAP.exe
Excluded IPs from analysis (whitelisted): 142.251.36.170, 142.251.36.202, 142.251.36.234, 142.251.37.10, 172.217.16.170
Excluded domains from analysis (whitelisted): fiebasestorage.googleapis.com

Simulations

Behavior and APIs

Time	Type	Description
09:12:16	API Interceptor	3x Sleep call for process: msiexec.exe modified
09:12:25	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\identity_helper.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54.198.235.9	Fatrr_UewhcWF.msi	Get hash	malicious	Unknown	Browse	collect.installeranalytics.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
collect.installeranalytics.com	Fatrr_UewhcWF.msi	Get hash	malicious	Unknown	Browse	54.198.235.9
	54zEUp34e1.exe	Get hash	malicious	Unknown	Browse	52.73.64.126
	54zEUp34e1.exe	Get hash	malicious	Unknown	Browse	54.198.235.9
	ECnCJ4QWok.exe	Get hash	malicious	Unknown	Browse	52.73.64.126
	ECnCJ4QWok.exe	Get hash	malicious	Unknown	Browse	52.73.64.126
	IcEL4U66yX.exe	Get hash	malicious	Unknown	Browse	54.198.235.9
	IcEL4U66yX.exe	Get hash	malicious	Unknown	Browse	52.73.64.126
	hWiWP9kOC9.exe	Get hash	malicious	PrivateLoader	Browse	54.198.235.9
	hWiWP9kOC9.exe	Get hash	malicious	Unknown	Browse	54.198.235.9
	S4iK1tSHGc.exe	Get hash	malicious	Unknown	Browse	52.73.64.126
	S4iK1tSHGc.exe	Get hash	malicious	Unknown	Browse	52.73.64.126
	WCYoS776qm.exe	Get hash	malicious	Nymaim	Browse	54.198.235.9
	a1rzxoicOg.exe	Get hash	malicious	Unknown	Browse	52.73.64.126
	a1rzxoicOg.exe	Get hash	malicious	Unknown	Browse	54.198.235.9
	8UvPumbygi.exe	Get hash	malicious	Nymaim	Browse	54.198.235.9
	8UvPumbygi.exe	Get hash	malicious	Nymaim	Browse	52.73.64.126
	Levelogger-4.6.2-Installer.exe	Get hash	malicious	Unknown	Browse	54.225.226.3
	21REzKeOgq.exe	Get hash	malicious	Nymaim	Browse	54.204.22.198
	21REzKeOgq.exe	Get hash	malicious	Nymaim	Browse	3.222.139.61
	V1lIaJpTZP.exe	Get hash	malicious	MinerDownloader, Nymaim, RedLine, Vidar, Xmrig	Browse	54.204.22.198

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	http://www.baidu.com/link?url=6b0x2vBMoi19gcvmLERCKZXmU7WzFg5ZY5UJRWTvWvpXNRf5rzJAbvuTny4JSJ3e	Get hash	malicious	Unknown	Browse	3.94.218.138
	https://trello.com/1/cards/6472186672e129dd4e4e04ba/attachments/64724be54a21719e16eef32e/download/Meta_Ads_Manager.exe	Get hash	malicious	Unknown	Browse	3.94.72.89
	WH4sXnS5bA.exe	Get hash	malicious	Unknown	Browse	3.94.72.89
	https://bio.site/sanskd4?hjntgi8v	Get hash	malicious	Unknown	Browse	54.236.68.122
	http://marcus1644.hocoos.com/	Get hash	malicious	Unknown	Browse	3.94.218.138
	https://principal.na1.adobesign.com/public/esign?tsid=CBFCIBAA3AAABLblqZhD9IJKKjdmtXT9i8IvIGEoAoh9aCd_p3MTUjzZb0YqnNn6lGq6e3CFngjLgNDRH-1VZxYxPqrpKK6ev_T3uHL28&	Get hash	malicious	Unknown	Browse	52.71.63.230
	https://catsystem.wufoo.com/forms/z12966vp1lumcy6/	Get hash	malicious	Unknown	Browse	54.227.163.251
	https://www.bing.com/ck/a?!&&p=6434192ee04e6ee3JmltdHM9MTY4NzM5MjAwMCZpZ3VpZD0yNmUxYjczNC03MDJiLTZhZTMtMDgwNi1hNDBjNzExMDZiOTQmaW5zaWQ9NTE2NQ&ptn=3&hsh=3&fclid=26e1b734-702b-6ae3-0806-a40c71106b94&u=a1aHR0cHM6Ly93d3cubmFjaG90ZWxzLmNvbS8#Y2xlaXRuZXJAdGVuYXNrYS5jb20=	Get hash	malicious	HTMLPhisher	Browse	34.204.41.25
	https://walli.shanga.co/image/view/?id=1375	Get hash	malicious	Unknown	Browse	52.7.7.171
	https://www.affaritaliani.it/	Get hash	malicious	Unknown	Browse	54.204.174.60
	Fatrr_UewhcWF.msi	Get hash	malicious	Unknown	Browse	54.198.235.9
	PXPz45kM78.elf	Get hash	malicious	Mirai	Browse	100.25.20.79
	eOF9g6JYAX.elf	Get hash	malicious	Unknown	Browse	54.211.50.102
	fDtncWP2T2.elf	Get hash	malicious	Unknown	Browse	34.232.174.101
	rM1MLEPWb4.elf	Get hash	malicious	Mirai	Browse	18.209.137.146
	https://chipotle.app.link/?$3p=e_et&$fallback_url=https://quattropublicidades.com.br/owa/aa/brian.herman@viewtrade.com	Get hash	malicious	Unknown	Browse	44.210.162.14
	3EYm3kgcui.exe	Get hash	malicious	AsyncRAT	Browse	3.88.20.74
	Invoice.xlsx	Get hash	malicious	HTMLPhisher	Browse	3.233.147.185
	Invoice.xlsx	Get hash	malicious	HTMLPhisher	Browse	3.233.152.246
	https://ct.turing.com/?ti=XnKxebcpeDwvWdbRVlUADzrVRSEAbsLtZmQpeGyzdrlemfqvIS&rd=http%3A%2F%2Fhatbaemama.com/marvel/XnKxebcpeDwvWdbRVlUADzrVRSEAbsLtZmQpeGyzdrlemfqvIS/bW5ld3NvbWVAZ2NnYW1pbmcuY29t	Get hash	malicious	Unknown	Browse	54.144.133.96

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\shiE3EE.tmp	Fatrr_UewhcWF.msi	Get hash	malicious	Unknown	Browse
	54zEUp34e1.exe	Get hash	malicious	Unknown	Browse
	54zEUp34e1.exe	Get hash	malicious	Unknown	Browse
	ECnCJ4QWok.exe	Get hash	malicious	Unknown	Browse
	ECnCJ4QWok.exe	Get hash	malicious	Unknown	Browse
	IcEL4U66yX.exe	Get hash	malicious	Unknown	Browse
	IcEL4U66yX.exe	Get hash	malicious	Unknown	Browse
	hWiWP9kOC9.exe	Get hash	malicious	PrivateLoader	Browse
	hWiWP9kOC9.exe	Get hash	malicious	Unknown	Browse
	S4iK1tSHGc.exe	Get hash	malicious	Unknown	Browse
	S4iK1tSHGc.exe	Get hash	malicious	Unknown	Browse
	WCYoS776qm.exe	Get hash	malicious	Nymaim	Browse
	a1rzxoicOg.exe	Get hash	malicious	Unknown	Browse
	a1rzxoicOg.exe	Get hash	malicious	Unknown	Browse
	8UvPumbygi.exe	Get hash	malicious	Nymaim	Browse
	8UvPumbygi.exe	Get hash	malicious	Nymaim	Browse
	Levelogger-4.6.2-Installer.exe	Get hash	malicious	Unknown	Browse
	21REzKeOgq.exe	Get hash	malicious	Nymaim	Browse
	21REzKeOgq.exe	Get hash	malicious	Nymaim	Browse
	https://tinyurl.com/2abosd8k	Get hash	malicious	Unknown	Browse

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: Traffic	Snort IDS: 2849814 ETPRO MALWARE TakeMyFile User-Agent 192.168.2.6:49711 -> 54.198.235.9:80
Source: Traffic	Snort IDS: 2849813 ETPRO MALWARE TakeMyFile Installer Checkin 192.168.2.6:49711 -> 54.198.235.9:80

Source: shiE3EE.tmp.2.dr	String found in binary or memory: http://.css
Source: shiE3EE.tmp.2.dr	String found in binary or memory: http://.jpg
Source: Fatrr_wakMkxp.msi, MSIE269.tmp.1.dr, MSIE365.tmp.1.dr, MSIE100.tmp.1.dr, MSIEB69.tmp.1.dr, 3ddde4.msi.1.dr, MSIE2F6.tmp.1.dr, MSIE80B.tmp.1.dr, MSIE77E.tmp.1.dr, MSIEAFA.tmp.1.dr, MSIE395.tmp.1.dr, MSI79.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Fatrr_wakMkxp.msi, MSIE269.tmp.1.dr, MSIE365.tmp.1.dr, MSIE100.tmp.1.dr, MSIEB69.tmp.1.dr, 3ddde4.msi.1.dr, MSIE2F6.tmp.1.dr, MSIE80B.tmp.1.dr, MSIE77E.tmp.1.dr, MSIEAFA.tmp.1.dr, MSIE395.tmp.1.dr, MSI79.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Fatrr_wakMkxp.msi, MSIE100.tmp.1.dr, MSIEB69.tmp.1.dr, 3ddde4.msi.1.dr, MSIE80B.tmp.1.dr, MSIE77E.tmp.1.dr, MSI79.tmp.1.dr	String found in binary or memory: http://collect.installeranalytics.com
Source: Fatrr_wakMkxp.msi, MSIE269.tmp.1.dr, MSIE365.tmp.1.dr, MSIE100.tmp.1.dr, MSIEB69.tmp.1.dr, 3ddde4.msi.1.dr, MSIE2F6.tmp.1.dr, MSIE80B.tmp.1.dr, MSIE77E.tmp.1.dr, MSIEAFA.tmp.1.dr, MSIE395.tmp.1.dr, MSI79.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Fatrr_wakMkxp.msi, MSIE269.tmp.1.dr, MSIE365.tmp.1.dr, MSIE100.tmp.1.dr, MSIEB69.tmp.1.dr, 3ddde4.msi.1.dr, MSIE2F6.tmp.1.dr, MSIE80B.tmp.1.dr, MSIE77E.tmp.1.dr, MSIEAFA.tmp.1.dr, MSIE395.tmp.1.dr, MSI79.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Fatrr_wakMkxp.msi, MSIE269.tmp.1.dr, MSIE365.tmp.1.dr, MSIE100.tmp.1.dr, MSIEB69.tmp.1.dr, 3ddde4.msi.1.dr, MSIE2F6.tmp.1.dr, MSIE80B.tmp.1.dr, MSIE77E.tmp.1.dr, MSIEAFA.tmp.1.dr, MSIE395.tmp.1.dr, MSI79.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Fatrr_wakMkxp.msi, MSIE269.tmp.1.dr, MSIE365.tmp.1.dr, MSIE100.tmp.1.dr, MSIEB69.tmp.1.dr, 3ddde4.msi.1.dr, MSIE2F6.tmp.1.dr, MSIE80B.tmp.1.dr, MSIE77E.tmp.1.dr, MSIEAFA.tmp.1.dr, MSIE395.tmp.1.dr, MSI79.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: shiE3EE.tmp.2.dr	String found in binary or memory: http://html4/loose.dtd
Source: Fatrr_wakMkxp.msi, MSIE269.tmp.1.dr, MSIE365.tmp.1.dr, MSIE100.tmp.1.dr, MSIEB69.tmp.1.dr, 3ddde4.msi.1.dr, MSIE2F6.tmp.1.dr, MSIE80B.tmp.1.dr, MSIE77E.tmp.1.dr, MSIEAFA.tmp.1.dr, MSIE395.tmp.1.dr, MSI79.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Fatrr_wakMkxp.msi, MSIE269.tmp.1.dr, MSIE365.tmp.1.dr, MSIE100.tmp.1.dr, MSIEB69.tmp.1.dr, 3ddde4.msi.1.dr, MSIE2F6.tmp.1.dr, MSIE80B.tmp.1.dr, MSIE77E.tmp.1.dr, MSIEAFA.tmp.1.dr, MSIE395.tmp.1.dr, MSI79.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: Fatrr_wakMkxp.msi, MSIE269.tmp.1.dr, MSIE365.tmp.1.dr, MSIE100.tmp.1.dr, MSIEB69.tmp.1.dr, 3ddde4.msi.1.dr, MSIE2F6.tmp.1.dr, MSIE80B.tmp.1.dr, MSIE77E.tmp.1.dr, MSIEAFA.tmp.1.dr, MSIE395.tmp.1.dr, MSI79.tmp.1.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: Fatrr_wakMkxp.msi, MSIE269.tmp.1.dr, MSIE365.tmp.1.dr, MSIE100.tmp.1.dr, MSIEB69.tmp.1.dr, 3ddde4.msi.1.dr, MSIE2F6.tmp.1.dr, MSIE80B.tmp.1.dr, MSIE77E.tmp.1.dr, MSIEAFA.tmp.1.dr, MSIE395.tmp.1.dr, MSI79.tmp.1.dr	String found in binary or memory: http://t2.symcb.com0
Source: Fatrr_wakMkxp.msi, MSIE269.tmp.1.dr, MSIE365.tmp.1.dr, MSIE100.tmp.1.dr, MSIEB69.tmp.1.dr, 3ddde4.msi.1.dr, MSIE2F6.tmp.1.dr, MSIE80B.tmp.1.dr, MSIE77E.tmp.1.dr, MSIEAFA.tmp.1.dr, MSIE395.tmp.1.dr, MSI79.tmp.1.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: Fatrr_wakMkxp.msi, MSIE269.tmp.1.dr, MSIE365.tmp.1.dr, MSIE100.tmp.1.dr, MSIEB69.tmp.1.dr, 3ddde4.msi.1.dr, MSIE2F6.tmp.1.dr, MSIE80B.tmp.1.dr, MSIE77E.tmp.1.dr, MSIEAFA.tmp.1.dr, MSIE395.tmp.1.dr, MSI79.tmp.1.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: Fatrr_wakMkxp.msi, MSIE269.tmp.1.dr, MSIE365.tmp.1.dr, MSIE100.tmp.1.dr, MSIEB69.tmp.1.dr, 3ddde4.msi.1.dr, MSIE2F6.tmp.1.dr, MSIE80B.tmp.1.dr, MSIE77E.tmp.1.dr, MSIEAFA.tmp.1.dr, MSIE395.tmp.1.dr, MSI79.tmp.1.dr	String found in binary or memory: http://tl.symcd.com0&
Source: Fatrr_wakMkxp.msi, MSIE269.tmp.1.dr, MSIE365.tmp.1.dr, MSIE100.tmp.1.dr, MSIEB69.tmp.1.dr, 3ddde4.msi.1.dr, MSIE2F6.tmp.1.dr, MSIE80B.tmp.1.dr, MSIE77E.tmp.1.dr, MSIEAFA.tmp.1.dr, MSIE395.tmp.1.dr, MSI79.tmp.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: shiE3EE.tmp.2.dr	String found in binary or memory: https://HTTP/1.1
Source: Fatrr_wakMkxp.msi, MSIE100.tmp.1.dr, MSIEB69.tmp.1.dr, 3ddde4.msi.1.dr, MSIE80B.tmp.1.dr, MSIE77E.tmp.1.dr, MSI79.tmp.1.dr	String found in binary or memory: https://collect.installeranalytics.com
Source: Fatrr_wakMkxp.msi, MSIE100.tmp.1.dr, MSIEB69.tmp.1.dr, 3ddde4.msi.1.dr, MSIE80B.tmp.1.dr, MSIE77E.tmp.1.dr, MSI79.tmp.1.dr	String found in binary or memory: https://collect.installeranalytics.comhttp://collect.installeranalytics.comhttps://installeranalytic
Source: Fatrr_wakMkxp.msi, MSIE269.tmp.1.dr, MSIE365.tmp.1.dr, MSIE100.tmp.1.dr, MSIEB69.tmp.1.dr, 3ddde4.msi.1.dr, MSIE2F6.tmp.1.dr, MSIE80B.tmp.1.dr, MSIE77E.tmp.1.dr, MSIEAFA.tmp.1.dr, MSIE395.tmp.1.dr, MSI79.tmp.1.dr	String found in binary or memory: https://www.advancedinstaller.com
Source: Fatrr_wakMkxp.msi, MSIE269.tmp.1.dr, MSIE365.tmp.1.dr, MSIE100.tmp.1.dr, MSIEB69.tmp.1.dr, 3ddde4.msi.1.dr, MSIE2F6.tmp.1.dr, MSIE80B.tmp.1.dr, MSIE77E.tmp.1.dr, MSIEAFA.tmp.1.dr, MSIE395.tmp.1.dr, MSI79.tmp.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: Fatrr_wakMkxp.msi, MSIE269.tmp.1.dr, MSIE365.tmp.1.dr, MSIE100.tmp.1.dr, MSIEB69.tmp.1.dr, 3ddde4.msi.1.dr, MSIE2F6.tmp.1.dr, MSIE80B.tmp.1.dr, MSIE77E.tmp.1.dr, MSIEAFA.tmp.1.dr, MSIE395.tmp.1.dr, MSI79.tmp.1.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: Fatrr_wakMkxp.msi, MSIE269.tmp.1.dr, MSIE365.tmp.1.dr, MSIE100.tmp.1.dr, MSIEB69.tmp.1.dr, 3ddde4.msi.1.dr, MSIE2F6.tmp.1.dr, MSIE80B.tmp.1.dr, MSIE77E.tmp.1.dr, MSIEAFA.tmp.1.dr, MSIE395.tmp.1.dr, MSI79.tmp.1.dr	String found in binary or memory: https://www.thawte.com/repository0W

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	4.0081320258334
Encrypted:	false
SSDEEP:	3:1EyEMyvn:1BEN
MD5:	6BC190DD42A169DFA14515484427FC8E
SHA1:	B53BD614A834416E4A20292AA291A6D2FC221A5E
SHA-256:	B3395B660EB1EDB00FF91ECE4596E3ABE99FA558B149200F50AABF2CB77F5087
SHA-512:	5B7011ED628B673217695809A38A800E9C8A42CEB0C54AB6F8BC39DBA0745297A4FBD66D6B09188FCC952C08217152844DFC3ADA7CF468C3AAFCEC379C0B16B6
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[General]..Active = true..

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {110F24C8-EE59-4BBD-9263-668DE75D4081}, Number of Words: 10, Subject: IANI INSIHERWOO, Author: IANI INSIHERWOO, Name of Creating Application: Advanced Installer 18.3 build e2a0201b, Template: ;1046, Comments: IANI INSIHERWOO, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Category:	dropped
Size (bytes):	2252288
Entropy (8bit):	6.488906903454377
Encrypted:	false
SSDEEP:	49152:w/VDxGSFVtaN4AyK8tKk5ojmrhCMz5vk3ukDln/hFRFNUEekBIWsRkn4frUMXjDA:qxM4AeKknz5vqu0sRe4frUMXjTY
MD5:	27D8C23579018EFF34CE61459E18F7F1
SHA1:	AD64565C41D3A3581621238AC4C65411E7CC30BC
SHA-256:	5995F2E1327A4A820695AA97F9E18926ECC900F1A036D8B11573C572D0FD47FD
SHA-512:	6B7D2F4ABEC942AB2E53612B2A9EFB562B286D88DDB629EA4FA971A364119DB8EFD883BB746BE84CD73E1B3DA63A82BA6188B57BDC86A8C937247BCCA5D192EF
Malicious:	false
Preview:	......................>...................#...................................................................................................................J...K...L...M...N...O...P...Q...R...S...T...U...............................................................................................................................................................................................................................................................................................................................c...............%...7........................................................................................... ...!..."...#...$.../...0...'...(...)...*...+...,...-...........1...5...2...3...4...8...6...@...C...9...:...;...<...=...>...?...R...A...B...H...D...E...F...G...q...I...b...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a.......d...u...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...v.......w...x...y...z...

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.654.198.235.949711802849814 06/29/23-09:12:32.141900	TCP	2849814	ETPRO MALWARE TakeMyFile User-Agent	49711	80	192.168.2.6	54.198.235.9
192.168.2.654.198.235.949711802849813 06/29/23-09:12:32.141900	TCP	2849813	ETPRO MALWARE TakeMyFile Installer Checkin	49711	80	192.168.2.6	54.198.235.9

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 29, 2023 09:12:22.599138975 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:22.743721008 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:22.743931055 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:22.744097948 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:22.744224072 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:22.888964891 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:22.888995886 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:22.893744946 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:22.893811941 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:22.908423901 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:22.908689022 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:23.053363085 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:23.058007956 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:23.058157921 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:23.061031103 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:23.061081886 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:23.205655098 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:23.209997892 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:23.210094929 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:23.212035894 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:23.212068081 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:23.356630087 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:23.361252069 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:23.361337900 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:23.363569975 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:23.363610983 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:23.508203983 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:23.677093029 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:23.677195072 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:23.679141998 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:23.679191113 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:23.823868036 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:23.828052044 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:23.828166008 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:23.830219984 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:23.830250025 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:23.974687099 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:23.978843927 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:23.978904963 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:23.980468035 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:23.980504990 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:24.124917030 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:24.129103899 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:24.129262924 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:24.131448984 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:24.131491899 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:24.276138067 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:24.280221939 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:24.280396938 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:24.304454088 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:24.304508924 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:24.449124098 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:24.497173071 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:24.497262001 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:24.499382019 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:24.499423027 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:24.644035101 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:24.648010015 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:24.648070097 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:24.709417105 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:24.709465981 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:24.854089022 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:24.858303070 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:24.858413935 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:24.860522985 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:24.860573053 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:25.005717993 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:25.009401083 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:25.009614944 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:25.011497974 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:25.011548042 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:25.156207085 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:25.160713911 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:25.160924911 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:25.163140059 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:25.163197994 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:25.307801962 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:25.312741995 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:25.312961102 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:25.314994097 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:25.315053940 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:25.459520102 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:25.464030981 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:25.464302063 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:25.466587067 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:25.466643095 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:25.611366034 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:25.616415977 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:25.616543055 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:25.618115902 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:25.618150949 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:25.762722015 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:25.977701902 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:25.977878094 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:25.979614019 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:25.979669094 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:26.124430895 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:26.144462109 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:26.144542933 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:26.147082090 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:26.147118092 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:26.291666985 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:26.312097073 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:26.312238932 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:26.492394924 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:26.492394924 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:26.637156963 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:26.653212070 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:26.653352022 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:26.772605896 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:26.774967909 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:26.919516087 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:27.036645889 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:27.036850929 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:27.115964890 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:27.116199017 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:27.260730982 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:27.266004086 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:27.266143084 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:27.270143032 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:27.270546913 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:27.415059090 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:27.419230938 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:27.419456959 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:28.159878969 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:28.160922050 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:28.305524111 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:28.309272051 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:28.309345007 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:28.311434031 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:28.311471939 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:28.456073046 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:28.461035967 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:28.461596966 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:28.463573933 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:28.463614941 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:28.608151913 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:28.612556934 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:28.612663031 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:28.619282007 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:28.619339943 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:28.764111042 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:28.768834114 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:28.769134998 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:30.296303988 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:30.296359062 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:30.441066027 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:30.445123911 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:30.445353031 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:30.448096991 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:30.448240042 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:30.592868090 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:30.597773075 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:30.597942114 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:30.612315893 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:30.612315893 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:30.756921053 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:30.760802031 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:30.760911942 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:30.762387991 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:30.762432098 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:30.907049894 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:30.912590981 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:30.912683010 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:30.914988995 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:30.915040016 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:31.059660912 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:31.063843966 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:31.064059019 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:31.066152096 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:31.066175938 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:31.210701942 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:31.215243101 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:31.215404034 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:31.219666958 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:31.219713926 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:31.364417076 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:31.369254112 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:31.369508982 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:31.380455017 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:31.380501986 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:31.525120974 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:31.529424906 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:31.529556036 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:31.534956932 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:31.534956932 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:31.680074930 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:31.684124947 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:31.684242964 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:31.685992956 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:31.685992956 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:31.830946922 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:31.834897041 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:31.834988117 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:31.836307049 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:31.837394953 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:31.981978893 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:31.988282919 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:31.988435984 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:31.990396976 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:31.990425110 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:32.134974957 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:32.139602900 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:32.139734030 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:32.141900063 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:32.141900063 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:32.286854982 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:32.298681974 CEST	80	49711	54.198.235.9	192.168.2.6
Jun 29, 2023 09:12:32.298883915 CEST	49711	80	192.168.2.6	54.198.235.9
Jun 29, 2023 09:12:32.522074938 CEST	49711	80	192.168.2.6	54.198.235.9

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 29, 2023 09:12:22.564824104 CEST	65198	53	192.168.2.6	8.8.8.8
Jun 29, 2023 09:12:22.587354898 CEST	53	65198	8.8.8.8	192.168.2.6

Target ID:	0
Start time:	09:12:11
Start date:	29/06/2023
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Fatrr_wakMkxp.msi"
Imagebase:	0x7ff65e700000
File size:	66'048 bytes
MD5 hash:	4767B71A318E201188A0D0A420C8B608
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	2
Start time:	09:12:13
Start date:	29/06/2023
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 366E9C1149556BC0F11E4B9E382385C6
Imagebase:	0xfa0000
File size:	59'904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Fatrr_wakMkxp.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\AdvinstAnalytics\649bc0e995075a1a74755442\7.7.6.4\tracking.ini

C:\Users\user\AppData\Local\AdvinstAnalytics\649bc0e995075a1a74755442\7.7.6.4\{A48D7727-831E-442E-97DA-BEA1F4086C9A}.session

C:\Users\user\AppData\Local\Temp\shiE3EE.tmp

C:\Users\user\AppData\Local\Temp\shiE4AB.tmp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\identity_helper.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zino.ps1

C:\Windows\Installer\3ddde4.msi

C:\Windows\Installer\MSI79.tmp

C:\Windows\Installer\MSIE100.tmp

C:\Windows\Installer\MSIE269.tmp

C:\Windows\Installer\MSIE2F6.tmp

C:\Windows\Installer\MSIE365.tmp

C:\Windows\Installer\MSIE395.tmp

C:\Windows\Installer\MSIE77E.tmp

C:\Windows\Installer\MSIE80B.tmp

C:\Windows\Installer\MSIEAFA.tmp

C:\Windows\Installer\MSIEB69.tmp

C:\Windows\Installer\MSIEC64.tmp

C:\Windows\Installer\SourceHash{63FC12FA-28FE-46D0-A887-FDF850492E2A}

C:\Windows\Installer\inprogressinstallinfo.ipi

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

C:\Windows\Temp\~DF19F35B293638B6CC.TMP

C:\Windows\Temp\~DF25B2F3C222B44E1F.TMP

Windows Analysis Report
Fatrr_wakMkxp.msi

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre