Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 50AE91573DE534A9A96FD2BF23C4165F C

Details

Is windows:	true
Is dropped:	false
PID:	6732
Target ID:	3
Parent PID:	6688
Name:	msiexec.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\msiexec.exe
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 50AE91573DE534A9A96FD2BF23C4165F C
Size:	59904
MD5:	9D09DC1EDA745A5F87553048E57620CF
Time:	15:52:59
Date:	07/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x2b0000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Msiexec Initiated Connection	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi"

Details

Is windows:	true
Is dropped:	false
PID:	280
Target ID:	0
Parent PID:	4004
Name:	msiexec.exe
Class:	system-tools
Path:	C:\Windows\System32\msiexec.exe
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi"
Size:	69632
MD5:	E5DA170027542E25EDE42FC54C929077
Time:	15:52:58
Date:	07/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6fb150000
Modulesize:	94208
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Msiexec Initiated Connection	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

Details

Is windows:	true
Is dropped:	false
PID:	6688
Target ID:	2
Parent PID:	632
Name:	msiexec.exe
Class:	system-tools
Path:	C:\Windows\System32\msiexec.exe
Commandline:	C:\Windows\system32\msiexec.exe /V
Size:	69632
MD5:	E5DA170027542E25EDE42FC54C929077
Time:	15:52:58
Date:	07/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6fb150000
Modulesize:	94208
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Msiexec Initiated Connection	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://play.google.com/?hl=en&tab=w8

unknown

https://www.google.com/intl/en/about/products?tab=wh

unknown

https://www.google.com/imghp?hl=en&tab=wi

unknown

https://sectigo.com/CPS0

unknown

http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y

unknown

http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0

unknown

http://ocsp.sectigo.com0

unknown

https://www.thawte.com/cps0/

unknown

http://minisoftupdate.com/download/set.msi/qnf(1

unknown

http://www.google.com/history/optout?hl=en

unknown

https://drive.google.com/?tab=wo

unknown

https://www.thawte.com/repository0W

unknown

http://maps.google.com/maps?hl=en&tab=wl

unknown

http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#

unknown

https://www.advancedinstaller.com

unknown

https://news.google.com/?tab=wn

unknown

http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#

unknown

https://mail.google.com/mail/?tab=wm

unknown

http://ocsp.sectigo.com0#

unknown

http://schema.org/WebPage

unknown

https://www.youtube.com/?tab=w1

unknown

http://www.google.com/

142.250.185.196

There are 12 hidden URLs, click here to show them.

Domains

Name

Malicious

www.google.com

142.250.185.196

Details

Name:	www.google.com
IP:	142.250.185.196
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Queries Google from non browser process on port 80	Networking
Sigma detected: Msiexec Initiated Connection	System Summary
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Found strings which match to known social media urls	Networking
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

142.250.185.196

www.google.com

United States

Details

IP:	142.250.185.196
TargetID:	3
Current Path:	C:\Windows\SysWOW64\msiexec.exe
Country:	United States
Countrycode:	USA
ASN number:	15169
ASN name:	GOOGLEUS
Private:	false
Domain:	www.google.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Sigma detected: Msiexec Initiated Connection	System Summary

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349

Blob

Details

TargetID:	0
Path:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
Value name:	Blob
Value data:	04 00 00 00 01 00 00 00 10 00 00 00 49 79 04 B0 EB 87 19 AC 47 B0 BC 11 51 9B 74 D0 0F 00 00 00 01 00 00 00 14 00 00 00 3E 8E 64 87 F8 FD 27 D3 22 A2 69 A7 1E DA AC 5D 57 81 12 86 09 00 00 00 01 00 00 00 54 00 00 00 30 52 06 08 2B 06 01 05 05 07 03 02 06 08 2B 06 01 05 05 07 03 03 06 0A 2B 06 01 04 01 82 37 0A 03 04 06 08 2B 06 01 05 05 07 03 04 06 08 2B 06 01 05 05 07 03 06 06 08 2B 06 01 05 05 07 03 07 06 08 2B 06 01 05 05 07 03 01 06 08 2B 06 01 05 05 07 03 08 53 00 00 00 01 00 00 00 43 00 00 00 30 41 30 22 06 0C 2B 06 01 04 01 B2 31 01 02 01 05 01 30 12 30 10 06 0A 2B 06 01 04 01 82 37 3C 01 01 03 02 00 C0 30 1B 06 05 67 81 0C 01 03 30 12 30 10 06 0A 2B 06 01 04 01 82 37 3C 01 01 03 02 00 C0 62 00 00 00 01 00 00 00 20 00 00 00 D7 A7 A0 FB 5D 7E 27 31 D7 71 E9 48 4E BC DE F7 1D 5F 0C 3E 0A 29 48 78 2B C8 3E E0 EA 69 9E F4 0B 00 00 00 01 00 00 00 1C 00 00 00 53 00 65 00 63 00 74 00 69 00 67 00 6F 00 20 00 28 00 41 00 41 00 41 00 29 00 00 00 14 00 00 00 01 00 00 00 14 00 00 00 A0 11 0A 23 3E 96 F1 07 EC E2 AF 29 EF 82 A5 7F D0 30 A4 B4 1D 00 00 00 01 00 00 00 10 00 00 00 2E 0D 68 75 87 4A 44 C8 20 91 2E 85 E9 64 CF DB 03 00 00 00 01 00 00 00 14 00 00 00 D1 EB 23 A4 6D 17 D6 8F D9 25 64 C2 F1 F1 60 17 64 D8 E3 49 19 00 00 00 01 00 00 00 10 00 00 00 2A A1 C0 5E 2A E6 06 F1 98 C2 C5 E9 37 C9 7A A2 20 00 00 00 01 00 00 00 36 04 00 00 30 82 04 32 30 82 03 1A A0 03 02 01 02 02 01 01 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 30 7B 31 0B 30 09 06 03 55 04 06 13 02 47 42 31 1B 30 19 06 03 55 04 08 0C 12 47 72 65 61 74 65 72 20 4D 61 6E 63 68 65 73 74 65 72 31 10 30 0E 06 03 55 04 07 0C 07 53 61 6C 66 6F 72 64 31 1A 30 18 06 03 55 04 0A 0C 11 43 6F 6D 6F 64 6F 20 43 41 20 4C 69 6D 69 74 65 64 31 21 30 1F 06 03 55 04 03 0C 18 41 41 41 20 43 65 72 74 69 66 69 63 61 74 65 20 53 65 72 76 69 63 65 73 30 1E 17 0D 30 34 30 31 30 31 30 30 30 30 30 30 5A 17 0D 32 38 31 32 33 31 32 33 35 39 35 39 5A 30 7B 31 0B 30 09 06 03 55 04 06 13 02 47 42 31 1B 30 19 06 03 55 04 08 0C 12 47 72 65 61 74 65 72 20 4D 61 6E 63 68 65 73 74 65 72 31 10 30 0E 06 03 55 04 07 0C 07 53 61 6C 66 6F 72 64 31 1A 30 18 06 03 55 04 0A 0C 11 43 6F 6D 6F 64 6F 20 43 41 20 4C 69 6D 69 74 65 64 31 21 30 1F 06 03 55 04 03 0C 18 41 41 41 20 43 65 72 74 69 66 69 63 61 74 65 20 53 65 72 76 69 63 65 73 30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82 01 0F 00 30 82 01 0A 02 82 01 01 00 BE 40 9D F4 6E E1 EA 76 87 1C 4D 45 44 8E BE 46 C8 83 06 9D C1 2A FE 18 1F 8E E4 02 FA F3 AB 5D 50 8A 16 31 0B 9A 06 D0 C5 70 22 CD 49 2D 54 63 CC B6 6E 68 46 0B 53 EA CB 4C 24 C0 BC 72 4E EA F1 15 AE F4 54 9A 12 0A C3 7A B2 33 60 E2 DA 89 55 F3 22 58 F3 DE DC CF EF 83 86 A2 8C 94 4F 9F 68 F2 98 90 46 84 27 C7 76 BF E3 CC 35 2C 8B 5E 07 64 65 82 C0 48 B0 A8 91 F9 61 9F 76 20 50 A8 91 C7 66 B5 EB 78 62 03 56 F0 8A 1A 13 EA 31 A3 1E A0 99 FD 38 F6 F6 27 32 58 6F 07 F5 6B B8 FB 14 2B AF B7 AA CC D6 63 5F 73 8C DA 05 99 A8 38 A8 CB 17 78 36 51 AC E9 9E F4 78 3A 8D CF 0F D9 42 E2 98 0C AB 2F 9F 0E 01 DE EF 9F 99 49 F1 2D DF AC 74 4D 1B 98 B5 47 C5 E5 29 D1 F9 90 18 C7 62 9C BE 83 C7 26 7B 3E 8A 25 C7 C0 DD 9D E6 35 68 10 20 9D 8F D8 DE D2 C3 84 9C 0D 5E E8 2F C9 02 03 01 00 01 A3 81 C0 30 81 BD 30 1D 06 03 55 1D 0E 04 16 04 14 A0 11 0A 23 3E 96 F1 07 EC E2 AF 29 EF 82 A5 7F D0 30 A4 B4 30 0E 06 03 55 1D 0F 01 01 FF 04 04 03 02 01 06 30 0F 06 03 55 1D 13 01 01 FF 04 05 30 03 01 01 FF 30 7B 06 03 55 1D 1F 04 74 30 72 30 38 A0 36 A0 34 86 32 68 74 74 70 3A 2F 2F 63 72 6C 2E 63 6F 6D 6F 64 6F 63 61 2E 63 6F 6D 2F 41 41 41 43 65 72 74 69 66 69 63 61 74 65 53 65 72 76 69 63 65 73 2E 63 72 6C 30 36 A0 34 A0 32 86 30 68 74 74 70 3A 2F 2F 63 72 6C 2E 63 6F 6D 6F 64 6F 2E 6E 65 74 2F 41 41 41 43 65 72 74 69 66 69 63 61 74 65 53 65 72 76 69 63 65 73 2E 63 72 6C 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 03 82 01 01 00 08 56 FC 02 F0 9B E8 FF A4 FA D6 7B C6 44 80 CE 4F C4 C5 F6 00 58 CC A6 B6 BC 14 49 68 04 76 E8 E6 EE 5D EC 02 0F 60 D6 8D 50 18 4F 26 4E 01 E3 E6 B0 A5 EE BF BC 74 54 41 BF FD FC 12 B8 C7 4F 5A F4 89 60 05 7F 60 B7 05 4A F3 F6 F1 C2 BF C4 B9 74 86 B6 2D 7D 6B CC D2 F3 46 DD 2F C6 E0 6A C3 C3 34 03 2C 7D 96 DD 5A C2 0E A7 0A 99 C1 05 8B AB 0C 2F F3 5C 3A CF 6C 37 55 09 87 DE 53 40 6C 58 EF FC B6 AB 65 6E 04 F6 1B DC 3C E0 5A 15 C6 9E D9 F1 59 48 30 21 65 03 6C EC E9 21 73 EC 9B 03 A1 E0 37 AD A0 15 18 8F FA BA 02 CE A7 2C A9 10 13 2C D4 E5 08 26 AB 22 97 60 F8 90 5E 74 D4 A2 9A 53 BD F2 A9 68 E0 A2 6E C2 D7 6C B1 A3 0F 9E BF EB 68 E7 56 F2 AE F2 E3 2B 38 3A 09 81 B5 6B 85 D7 BE 2D ED 3F 1A B7 B2 63 E2 F5 62 2C 82 D4 6A 00 41 50 F1 39 83 9F 95 E9 36 96 98 6E

Signature Hits	Behavior Group	Mitre Attack
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349

Blob

Details

TargetID:	0
Path:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
Value name:	Blob
Value data:	5C 00 00 00 01 00 00 00 04 00 00 00 00 08 00 00 19 00 00 00 01 00 00 00 10 00 00 00 2A A1 C0 5E 2A E6 06 F1 98 C2 C5 E9 37 C9 7A A2 03 00 00 00 01 00 00 00 14 00 00 00 D1 EB 23 A4 6D 17 D6 8F D9 25 64 C2 F1 F1 60 17 64 D8 E3 49 1D 00 00 00 01 00 00 00 10 00 00 00 2E 0D 68 75 87 4A 44 C8 20 91 2E 85 E9 64 CF DB 14 00 00 00 01 00 00 00 14 00 00 00 A0 11 0A 23 3E 96 F1 07 EC E2 AF 29 EF 82 A5 7F D0 30 A4 B4 0B 00 00 00 01 00 00 00 1C 00 00 00 53 00 65 00 63 00 74 00 69 00 67 00 6F 00 20 00 28 00 41 00 41 00 41 00 29 00 00 00 62 00 00 00 01 00 00 00 20 00 00 00 D7 A7 A0 FB 5D 7E 27 31 D7 71 E9 48 4E BC DE F7 1D 5F 0C 3E 0A 29 48 78 2B C8 3E E0 EA 69 9E F4 53 00 00 00 01 00 00 00 43 00 00 00 30 41 30 22 06 0C 2B 06 01 04 01 B2 31 01 02 01 05 01 30 12 30 10 06 0A 2B 06 01 04 01 82 37 3C 01 01 03 02 00 C0 30 1B 06 05 67 81 0C 01 03 30 12 30 10 06 0A 2B 06 01 04 01 82 37 3C 01 01 03 02 00 C0 09 00 00 00 01 00 00 00 54 00 00 00 30 52 06 08 2B 06 01 05 05 07 03 02 06 08 2B 06 01 05 05 07 03 03 06 0A 2B 06 01 04 01 82 37 0A 03 04 06 08 2B 06 01 05 05 07 03 04 06 08 2B 06 01 05 05 07 03 06 06 08 2B 06 01 05 05 07 03 07 06 08 2B 06 01 05 05 07 03 01 06 08 2B 06 01 05 05 07 03 08 0F 00 00 00 01 00 00 00 14 00 00 00 3E 8E 64 87 F8 FD 27 D3 22 A2 69 A7 1E DA AC 5D 57 81 12 86 04 00 00 00 01 00 00 00 10 00 00 00 49 79 04 B0 EB 87 19 AC 47 B0 BC 11 51 9B 74 D0 20 00 00 00 01 00 00 00 36 04 00 00 30 82 04 32 30 82 03 1A A0 03 02 01 02 02 01 01 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 30 7B 31 0B 30 09 06 03 55 04 06 13 02 47 42 31 1B 30 19 06 03 55 04 08 0C 12 47 72 65 61 74 65 72 20 4D 61 6E 63 68 65 73 74 65 72 31 10 30 0E 06 03 55 04 07 0C 07 53 61 6C 66 6F 72 64 31 1A 30 18 06 03 55 04 0A 0C 11 43 6F 6D 6F 64 6F 20 43 41 20 4C 69 6D 69 74 65 64 31 21 30 1F 06 03 55 04 03 0C 18 41 41 41 20 43 65 72 74 69 66 69 63 61 74 65 20 53 65 72 76 69 63 65 73 30 1E 17 0D 30 34 30 31 30 31 30 30 30 30 30 30 5A 17 0D 32 38 31 32 33 31 32 33 35 39 35 39 5A 30 7B 31 0B 30 09 06 03 55 04 06 13 02 47 42 31 1B 30 19 06 03 55 04 08 0C 12 47 72 65 61 74 65 72 20 4D 61 6E 63 68 65 73 74 65 72 31 10 30 0E 06 03 55 04 07 0C 07 53 61 6C 66 6F 72 64 31 1A 30 18 06 03 55 04 0A 0C 11 43 6F 6D 6F 64 6F 20 43 41 20 4C 69 6D 69 74 65 64 31 21 30 1F 06 03 55 04 03 0C 18 41 41 41 20 43 65 72 74 69 66 69 63 61 74 65 20 53 65 72 76 69 63 65 73 30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82 01 0F 00 30 82 01 0A 02 82 01 01 00 BE 40 9D F4 6E E1 EA 76 87 1C 4D 45 44 8E BE 46 C8 83 06 9D C1 2A FE 18 1F 8E E4 02 FA F3 AB 5D 50 8A 16 31 0B 9A 06 D0 C5 70 22 CD 49 2D 54 63 CC B6 6E 68 46 0B 53 EA CB 4C 24 C0 BC 72 4E EA F1 15 AE F4 54 9A 12 0A C3 7A B2 33 60 E2 DA 89 55 F3 22 58 F3 DE DC CF EF 83 86 A2 8C 94 4F 9F 68 F2 98 90 46 84 27 C7 76 BF E3 CC 35 2C 8B 5E 07 64 65 82 C0 48 B0 A8 91 F9 61 9F 76 20 50 A8 91 C7 66 B5 EB 78 62 03 56 F0 8A 1A 13 EA 31 A3 1E A0 99 FD 38 F6 F6 27 32 58 6F 07 F5 6B B8 FB 14 2B AF B7 AA CC D6 63 5F 73 8C DA 05 99 A8 38 A8 CB 17 78 36 51 AC E9 9E F4 78 3A 8D CF 0F D9 42 E2 98 0C AB 2F 9F 0E 01 DE EF 9F 99 49 F1 2D DF AC 74 4D 1B 98 B5 47 C5 E5 29 D1 F9 90 18 C7 62 9C BE 83 C7 26 7B 3E 8A 25 C7 C0 DD 9D E6 35 68 10 20 9D 8F D8 DE D2 C3 84 9C 0D 5E E8 2F C9 02 03 01 00 01 A3 81 C0 30 81 BD 30 1D 06 03 55 1D 0E 04 16 04 14 A0 11 0A 23 3E 96 F1 07 EC E2 AF 29 EF 82 A5 7F D0 30 A4 B4 30 0E 06 03 55 1D 0F 01 01 FF 04 04 03 02 01 06 30 0F 06 03 55 1D 13 01 01 FF 04 05 30 03 01 01 FF 30 7B 06 03 55 1D 1F 04 74 30 72 30 38 A0 36 A0 34 86 32 68 74 74 70 3A 2F 2F 63 72 6C 2E 63 6F 6D 6F 64 6F 63 61 2E 63 6F 6D 2F 41 41 41 43 65 72 74 69 66 69 63 61 74 65 53 65 72 76 69 63 65 73 2E 63 72 6C 30 36 A0 34 A0 32 86 30 68 74 74 70 3A 2F 2F 63 72 6C 2E 63 6F 6D 6F 64 6F 2E 6E 65 74 2F 41 41 41 43 65 72 74 69 66 69 63 61 74 65 53 65 72 76 69 63 65 73 2E 63 72 6C 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 03 82 01 01 00 08 56 FC 02 F0 9B E8 FF A4 FA D6 7B C6 44 80 CE 4F C4 C5 F6 00 58 CC A6 B6 BC 14 49 68 04 76 E8 E6 EE 5D EC 02 0F 60 D6 8D 50 18 4F 26 4E 01 E3 E6 B0 A5 EE BF BC 74 54 41 BF FD FC 12 B8 C7 4F 5A F4 89 60 05 7F 60 B7 05 4A F3 F6 F1 C2 BF C4 B9 74 86 B6 2D 7D 6B CC D2 F3 46 DD 2F C6 E0 6A C3 C3 34 03 2C 7D 96 DD 5A C2 0E A7 0A 99 C1 05 8B AB 0C 2F F3 5C 3A CF 6C 37 55 09 87 DE 53 40 6C 58 EF FC B6 AB 65 6E 04 F6 1B DC 3C E0 5A 15 C6 9E D9 F1 59 48 30 21 65 03 6C EC E9 21 73 EC 9B 03 A1 E0 37 AD A0 15 18 8F FA BA 02 CE A7 2C A9 10 13 2C D4 E5 08 26 AB 22 97 60 F8 90 5E 74 D4 A2 9A 53 BD F2 A9 68 E0 A2 6E C2 D7 6C B1 A3 0F 9E BF EB 68 E7 56 F2 AE F2 E3 2B 38 3A 09 81 B5 6B 85 D7 BE 2D ED 3F 1A B7 B2 63 E2 F5 62 2C 82 D4 6A 00 41 50 F1 39 83 9F 95 E9 36 96 98 6E

Signature Hits	Behavior Group	Mitre Attack
Adds / modifies Windows certificates	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi

Files

Processes

URLs

Domains

IPs

Registry

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi

Files

Processes

URLs

Domains

IPs

Registry

IOC Report
SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi