Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Order.msi

Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: ServiceUeh, Author: SoftHg, Keywords: Installer, Comments: This installer database contains the logic and data required to install ServiceUeh., Template: Intel;8201, Revision Number: {AF26AC5E-9451-47ED-BC01-6E2EB89EC5B7}, Create Time/Date: Sun Oct 13 10:22:04 2024, Last Saved Time/Date: Sun Oct 13 10:22:04 2024, Number of Pages: 500, Number of Words: 8, Name of Creating Application: Windows Installer XML Toolset (3.14.0.5721), Security: 2

initial sample

Details

Filetype:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: ServiceUeh, Author: SoftHg, Keywords: Installer, Comments: This installer database contains the logic and data required to install ServiceUeh., Template: Intel;8201, Revision Number: {AF26AC5E-9451-47ED-BC01-6E2EB89EC5B7}, Create Time/Date: Sun Oct 13 10:22:04 2024, Last Saved Time/Date: Sun Oct 13 10:22:04 2024, Number of Pages: 500, Number of Words: 8, Name of Creating Application: Windows Installer XML Toolset (3.14.0.5721), Security: 2
Entropy:	7.919265164946531
Filename:	Order.msi
Filesize:	2457600
MD5:	e4b3da739e2551b9c1cb4e75bc68403b
SHA1:	d55afdb6e72ff9f1d1b40bc10c0cb403704e2109
SHA256:	8bca64cef3675b17eaacdb500994368a8f075fcd382522889222b70d679b4a04
SHA512:	26c6ce2c5b40484b03c9c7097508d6c2dfb44453dca99a01b8a40563e718e4ef0adcea4f6930325ea4b5eaffdb4f2cc70c28e9f3facd429118db9bac5a25aa78
SSDEEP:	49152:5iZxgIRBwOuY+QsaCJcP2VNGa2yucDJTM4ZBD/NKTCKWw7yDi:5dIzVb+dcPu3VF5ZBD/NFKP8i
Preview:	........................>......................................................................................................................................................................................................................................

Signature Hits	Behavior Group	Mitre Attack
Sample file is different than original file name gathered from version info	System Summary
Sample is a Windows installer	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Installer\641f68.msi

dropped

Details

File:	C:\Windows\Installer\641f68.msi
Category:	dropped
Dump:	641f68.msi.2.dr
ID:	dr_0
Target ID:	2
Process:	C:\Windows\System32\msiexec.exe
Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: ServiceUeh, Author: SoftHg, Keywords: Installer, Comments: This installer database contains the logic and data required to install ServiceUeh., Template: Intel;8201, Revision Number: {AF26AC5E-9451-47ED-BC01-6E2EB89EC5B7}, Create Time/Date: Sun Oct 13 10:22:04 2024, Last Saved Time/Date: Sun Oct 13 10:22:04 2024, Number of Pages: 500, Number of Words: 8, Name of Creating Application: Windows Installer XML Toolset (3.14.0.5721), Security: 2
Entropy:	7.919265164946531
Encrypted:	false
Ssdeep:	49152:5iZxgIRBwOuY+QsaCJcP2VNGa2yucDJTM4ZBD/NKTCKWw7yDi:5dIzVb+dcPu3VF5ZBD/NFKP8i
Size:	2457600
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Yara detected CryptOne packer	Stealing of Sensitive Information, Remote Access Functionality
Creates files inside the system directory	System Summary	Masquerading

C:\Windows\Installer\MSI20EF.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

modified

Details

File:	C:\Windows\Installer\MSI20EF.tmp
Category:	modified
Dump:	MSI20EF.tmp.2.dr
ID:	dr_2
Target ID:	2
Process:	C:\Windows\System32\msiexec.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	7.936021448488127
Encrypted:	false
Ssdeep:	49152:jiZxgIRBwOuY+QsaCJcP2VNGa2yucDJTM4ZBD/NKTCKWw7yD:jdIzVb+dcPu3VF5ZBD/NFKP8
Size:	2428928
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Yara detected CryptOne packer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for dropped file	AV Detection
Creates files inside the system directory	System Summary	Masquerading
Deletes files inside the Windows folder	System Summary	File Deletion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

dropped

Details

File:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
Category:	dropped
Dump:	ngen.log.2.dr
ID:	dr_1
Target ID:	2
Process:	C:\Windows\System32\msiexec.exe
Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Entropy:	5.362987618595579
Encrypted:	false
Ssdeep:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgauo:zTtbmkExhMJCIpEF
Size:	360001
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Windows\System32\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Order.msi"

Details

Is windows:	true
Is dropped:	false
PID:	2912
Target ID:	0
Parent PID:	4004
Name:	msiexec.exe
Class:	system-tools
Path:	C:\Windows\System32\msiexec.exe
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Order.msi"
Size:	69632
MD5:	E5DA170027542E25EDE42FC54C929077
Time:	05:55:01
Date:	13/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7f0d10000
Modulesize:	94208
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

Details

Is windows:	true
Is dropped:	false
PID:	4552
Target ID:	2
Parent PID:	632
Name:	msiexec.exe
Class:	system-tools
Path:	C:\Windows\System32\msiexec.exe
Commandline:	C:\Windows\system32\msiexec.exe /V
Size:	69632
MD5:	E5DA170027542E25EDE42FC54C929077
Time:	05:55:01
Date:	13/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7f0d10000
Modulesize:	94208
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding D409B1A5B3A8068FDFADD1A7B085FD25

Details

Is windows:	true
Is dropped:	false
PID:	6636
Target ID:	3
Parent PID:	4552
Name:	msiexec.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\msiexec.exe
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding D409B1A5B3A8068FDFADD1A7B085FD25
Size:	59904
MD5:	9D09DC1EDA745A5F87553048E57620CF
Time:	05:55:02
Date:	13/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x230000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Owner

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

SessionHash

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Sequence

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Order.msi

Files

Processes

Registry

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportOrder.msi

Files

Processes

Registry

IOC Report
Order.msi