Windows Analysis Report
g6lWBM64S4.msi

Overview

General Information

Sample name: g6lWBM64S4.msi
renamed because original name is a hash value
Original sample name: 60b60873d6cfa59a1b467931ffe7efdc0575b02255c549502de50ad05d8f3b89.msi
Analysis ID: 1592153
MD5: 40e97f78a0784d68c57e746ee36a76e0
SHA1: b8918d64b00b3b0e6b85800bba3a976860a1c3e3
SHA256: 60b60873d6cfa59a1b467931ffe7efdc0575b02255c549502de50ad05d8f3b89
Tags: banker, janelarat, latam, msi, situacaonssprj-com, trojan, user-johnk3r

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Uses shutdown.exe to shutdown or reboot the system
Checks for available system drives (often done to infect USB drives)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Deletes files inside the Windows folder
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Execution of Shutdown
Sigma detected: Suspicious MsiExec Embedding Parent
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses reg.exe to modify the Windows registry

Classification

AV Detection

Source: g6lWBM64S4.msi Virustotal: Detection: 8% Perma Link
Source: unknown HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: Binary string: C:\JobRelease\win\Release\bin\x86\embeddeduiproxy.pdb source: g6lWBM64S4.msi, 54d8d3.msi.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: g6lWBM64S4.msi, 54d8d3.msi.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb\ source: g6lWBM64S4.msi, 54d8d3.msi.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\InstallerAnalytics.pdbu source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\InstallerAnalytics.pdb source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: g6lWBM64S4.msi, 54d8d3.msi.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbg source: g6lWBM64S4.msi, 54d8d3.msi.1.dr
Source: C:\Windows\System32\msiexec.exe File opened: z: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: x: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: v: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: t: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: r: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: p: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: n: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: l: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: j: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: h: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: f: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: b: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: y: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: w: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: u: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: s: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: q: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: o: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: m: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: k: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: i: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: g: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: e: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: c: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: a: Jump to behavior
Source: Joe Sandbox View IP Address: 104.21.16.1
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 104.21.16.1:443
Source: global traffic HTTP traffic detected: GET /molde/calvao1.png HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: situacaonssprj.com
Source: global traffic HTTP traffic detected: GET /molde/arvore.png HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: situacaonssprj.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: situacaonssprj.com
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 15 Jan 2025 19:44:02 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: max-age=15Expires: Wed, 15 Jan 2025 19:44:17 GMTReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=C91A9Pp1OATyhLqfs4ZFPavNNTE%2Fdwavft3LccoPO%2BlZpLsb6jl3cr84mTDEa7U9eLch1Qib3%2FMo3oPpM%2FfDz5QL6zJycTNbgdSrHSxMZ8nuQ0jV%2FnyEYC5IQvnhS%2BGc2Sapb9Q%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90285bad2bf77293-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2030&min_rtt=2028&rtt_var=766&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2845&recv_bytes=783&delivery_rate=1423695&cwnd=158&unsent_bytes=0&cid=6f14c267eda6f7a6&ts=168&x=0"
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 15 Jan 2025 19:44:02 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: max-age=15Expires: Wed, 15 Jan 2025 19:44:17 GMTReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t96YoDLpMA1glPSt1BxA%2BgO1hvZZK3BHstwpqVpZSxp9lsF5863oWjExGzFGllSbg4uZLTof9%2FR815E8ROibZHT8hS6tpTvjQ7dQRxd2MpiE7EJ7EtyLoyMivAp97DpoLsz8%2F4E%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90285bb19c008ce0-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1791&min_rtt=1786&rtt_var=680&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2845&recv_bytes=782&delivery_rate=1598248&cwnd=215&unsent_bytes=0&cid=e7f7855e4b8fee5f&ts=165&x=0"
Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr String found in binary or memory: http://collect.installeranalytics.com
Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr String found in binary or memory: http://t2.symcb.com0
Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr String found in binary or memory: http://tl.symcd.com0&
Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr String found in binary or memory: https://collect.installeranalytics.com
Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr String found in binary or memory: https://collect.installeranalytics.comhttp://collect.installeranalytics.comhttps://installeranalytic
Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr String found in binary or memory: https://www.advancedinstaller.com
Source: EGvKWow.png.2.dr, kBiTrog.png.2.dr String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr String found in binary or memory: https://www.thawte.com/cps0/
Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr String found in binary or memory: https://www.thawte.com/repository0W
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443

System Summary

Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\shutdown.exe "C:\Windows\SysWOW64\shutdown.exe" /r /f /t 15
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\54d8d3.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1F90.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI1F90.tmp Jump to behavior
Source: g6lWBM64S4.msi Binary or memory string: OriginalFilenameAICustAct.dllF vs g6lWBM64S4.msi
Source: g6lWBM64S4.msi Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs g6lWBM64S4.msi
Source: g6lWBM64S4.msi Binary or memory string: OriginalFilenameInstallerAnalytics.dllF vs g6lWBM64S4.msi
Source: g6lWBM64S4.msi Binary or memory string: OriginalFilenameembeddeduiproxy.dllF vs g6lWBM64S4.msi
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v kBiTrog /t reg_sz /d "C:\Users\user\EGvKWow\kBiTrog.exe"
Source: classification engine Classification label: mal52.rans.winMSI@13/11@1/1
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\EGvKWow\ Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3336:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1880:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6984:120:WilError_03
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\goldex.ses Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload Jump to behavior
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\g6lWBM64S4.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 196436DA6AF92AFC4A38F9C5C8CAFD36
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v kBiTrog /t reg_sz /d "C:\Users\user\EGvKWow\kBiTrog.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v kBiTrog /t reg_sz /d "C:\Users\user\EGvKWow\kBiTrog.exe"
Source: C:\Windows\SysWOW64\reg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\shutdown.exe "C:\Windows\SysWOW64\shutdown.exe" /r /f /t 15
Source: C:\Windows\SysWOW64\shutdown.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: jscript.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winhttpcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msdart.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe Section loaded: shutdownext.dll Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe Section loaded: sspicli.dll Jump to behavior
Source: EGvKWow.lnk.2.dr LNK file: ..\..\..\..\..\..\..\EGvKWow\kBiTrog.exe
Source: C:\Windows\SysWOW64\msiexec.exe File written: C:\Users\user\AppData\Local\AdvinstAnalytics\67871a621816c20044ac2e86\1.0.0\tracking.ini Jump to behavior
Source: g6lWBM64S4.msi Static file information: File size 2361856 > 1048576
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1F90.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EGvKWow.lnk Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kBiTrog Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI1F90.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1908 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: 54d8d3.msi.1.dr Binary or memory string: 01234567890.0.0.0.%dVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IROOT\CIMV2SELECT * FROM Win32_ComputerSystemSELECT * FROM Win32_BIOSManufacturerModelVersionGetting system informationManufacturer [Model [BIOS [IsWow64Processkernel32Software\Microsoft\Windows NT\CurrentVersionSYSTEM\CurrentControlSet\Control\ProductOptionsCurrentMajorVersionNumberCurrentMinorVersionNumberCurrentVersionCurrentBuildNumberReleaseIdCSDVersionProductTypeProductSuiteWinNTServerNTSmall BusinessEnterpriseBackOfficeCommunicationServerTerminal ServerSmall Business(Restricted)EmbeddedNTDataCenterPersonalBladeEmbedded(Restricted)Security ApplianceStorage ServerCompute Server Failed to create IWbemLocator object. Error code: \\Could not connect to WMI provider. Error code: Failed to initialize security. Error code: Could not set proxy blanket. Error code: WQLWMI Query failed: []. Error code:
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior